refactor lambda ssm param resolution to use cdk.Lazy, refresh ssm params on schedule (#982)

Author: edwardfoyle

.changeset/kind-keys-travel.md

@@ -0,0 +1,5 @@
+---
+'@aws-amplify/backend-function': minor
+---
+
+Refactor secret fetcher and support node 16 ssm shim

package-lock.json

@@ -26,6 +26,7 @@
     "@aws-amplify/backend-platform-test-stubs": "^0.3.2",
     "@aws-amplify/platform-core": "^0.4.3",
     "@aws-sdk/client-ssm": "^3.465.0",
+    "aws-sdk": "^2.1550.0",
     "uuid": "^9.0.1"
   },
   "peerDependencies": {

packages/backend-function/package.json

@@ -233,7 +233,7 @@ void describe('AmplifyFunctionFactory', () => {
       });
     });
 
-    void it('defaults to oldest runtime', () => {
+    void it('defaults to oldest LTS runtime', () => {
       const lambda = defineFunction({
         entry: './test-assets/default-lambda/handler.ts',
       }).getInstance(getInstanceProps);

packages/backend-function/src/factory.test.ts

@@ -13,7 +13,6 @@ import * as path from 'path';
 import { getCallerDirectory } from './get_caller_directory.js';
 import { Duration } from 'aws-cdk-lib';
 import { Runtime } from 'aws-cdk-lib/aws-lambda';
-import fs from 'fs';
 import { createRequire } from 'module';
 import { FunctionEnvironmentTranslator } from './function_env_translator.js';
 
@@ -227,42 +226,36 @@ class AmplifyFunction
     backendSecretResolver: BackendSecretResolver
   ) {
     super(scope, id);
-    const functionEnvironmentTranslator = new FunctionEnvironmentTranslator(
-      scope,
-      props['environment'],
-      backendSecretResolver
-    );
-    const environmentRecord =
-      functionEnvironmentTranslator.getEnvironmentRecord();
-    const secretPolicyStatement =
-      functionEnvironmentTranslator.getSecretPolicyStatement();
+
+    const runtime = nodeVersionMap[props.runtime];
 
     const require = createRequire(import.meta.url);
-    const bannerCodeFile = require.resolve('./resolve_secret_banner');
-    const bannerCode = fs
-      .readFileSync(bannerCodeFile, 'utf-8')
-      .replaceAll('\n', '')
-      .replaceAll('\r', '')
-      .split('//#')[0]; // remove source map
 
-    const cjsShimRequire = require.resolve('./cjs_shim');
+    const shims =
+      runtime === Runtime.NODEJS_16_X
+        ? // this shim includes the cjs shim because it's required for the v2 sdk to work
+          [require.resolve('./lambda-shims/resolve_ssm_params_sdk_v2_shim')]
+        : [
+            require.resolve('./lambda-shims/cjs_shim'),
+            require.resolve('./lambda-shims/resolve_ssm_params_shim'),
+          ];
 
     const functionLambda = new NodejsFunction(scope, `${id}-lambda`, {
       entry: props.entry,
-      environment: environmentRecord as { [key: string]: string }, // for some reason TS can't figure out that this is the same as Record<string, string>
       timeout: Duration.seconds(props.timeoutSeconds),
       memorySize: props.memoryMB,
       runtime: nodeVersionMap[props.runtime],
       bundling: {
-        banner: bannerCode,
         format: OutputFormat.ESM,
-        inject: [cjsShimRequire], // replace require to fix dynamic require errors with cjs
+        inject: shims,
       },
     });
 
-    if (secretPolicyStatement) {
-      functionLambda.grantPrincipal.addToPrincipalPolicy(secretPolicyStatement);
-    }
+    new FunctionEnvironmentTranslator(
+      functionLambda,
+      props['environment'],
+      backendSecretResolver
+    );
 
     this.resources = {
       lambda: functionLambda,

packages/backend-function/src/factory.ts

@@ -7,9 +7,11 @@ import {
   BackendSecretResolver,
   ResolvePathResult,
 } from '@aws-amplify/plugin-types';
-import { SecretValue } from 'aws-cdk-lib';
+import { App, SecretValue, Stack } from 'aws-cdk-lib';
 import assert from 'node:assert';
 import { ParameterPathConversions } from '@aws-amplify/platform-core';
+import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
+import { Template } from 'aws-cdk-lib/assertions';
 
 const testStack = {} as Construct;
 
@@ -47,23 +49,31 @@ class TestBackendSecret implements BackendSecret {
   };
 }
 
-void describe('functionEnvironmentTranslator', () => {
+void describe('FunctionEnvironmentTranslator', () => {
   const backendResolver = new TestBackendSecretResolver();
 
   void it('translates env props that do not contain secrets', () => {
     const functionEnvProp = {
       TEST_VAR: 'testValue',
     };
 
-    const functionEnvironmentTranslator = new FunctionEnvironmentTranslator(
-      testStack,
+    const testLambda = getTestLambda();
+
+    new FunctionEnvironmentTranslator(
+      testLambda,
       functionEnvProp,
       backendResolver
     );
 
-    assert.deepEqual(functionEnvironmentTranslator.getEnvironmentRecord(), {
-      AMPLIFY_SECRET_PATHS: '{}',
-      TEST_VAR: 'testValue',
+    const template = Template.fromStack(Stack.of(testLambda));
+    template.resourceCountIs('AWS::Lambda::Function', 1);
+    template.hasResourceProperties('AWS::Lambda::Function', {
+      Environment: {
+        Variables: {
+          AMPLIFY_SSM_ENV_CONFIG: '{}',
+          TEST_VAR: 'testValue',
+        },
+      },
     });
   });
 
@@ -73,35 +83,141 @@ void describe('functionEnvironmentTranslator', () => {
       TEST_SECRET: new TestBackendSecret('secretValue'),
     };
 
-    const functionEnvironmentTranslator = new FunctionEnvironmentTranslator(
-      testStack,
+    const testLambda = getTestLambda();
+
+    new FunctionEnvironmentTranslator(
+      testLambda,
       functionEnvProp,
       backendResolver
     );
 
-    assert.deepEqual(functionEnvironmentTranslator.getEnvironmentRecord(), {
-      AMPLIFY_SECRET_PATHS: JSON.stringify({
-        '/amplify/testBackendId/testBranchName-branch-e482a1c36f/secretValue': {
-          name: 'TEST_SECRET',
-          sharedPath: '/amplify/shared/testBackendId/secretValue',
+    const template = Template.fromStack(Stack.of(testLambda));
+
+    template.resourceCountIs('AWS::Lambda::Function', 1);
+    template.hasResourceProperties('AWS::Lambda::Function', {
+      Environment: {
+        Variables: {
+          AMPLIFY_SSM_ENV_CONFIG: JSON.stringify({
+            '/amplify/testBackendId/testBranchName-branch-e482a1c36f/secretValue':
+              {
+                name: 'TEST_SECRET',
+                sharedPath: '/amplify/shared/testBackendId/secretValue',
+              },
+          }),
+          TEST_SECRET: '<value will be resolved during runtime>',
+          TEST_VAR: 'testValue',
         },
-      }),
-      TEST_SECRET: '<value will be resolved during runtime>',
-      TEST_VAR: 'testValue',
+      },
     });
   });
 
   void it('throws if function prop contains a reserved env name', () => {
     const functionEnvProp = {
-      AMPLIFY_SECRET_PATHS: 'test',
+      AMPLIFY_SSM_ENV_CONFIG: 'test',
     };
+
     assert.throws(
       () =>
         new FunctionEnvironmentTranslator(
-          testStack,
+          getTestLambda(),
           functionEnvProp,
           backendResolver
         )
     );
   });
+
+  void it('does not add SSM policy if no ssm paths are present', () => {
+    const functionEnvProp = {
+      TEST_VAR: 'testValue',
+    };
+
+    const testLambda = getTestLambda();
+
+    new FunctionEnvironmentTranslator(
+      testLambda,
+      functionEnvProp,
+      backendResolver
+    );
+
+    const template = Template.fromStack(Stack.of(testLambda));
+    template.resourceCountIs('AWS::IAM::Policy', 0);
+  });
+
+  void it('grants SSM read permissions for secret paths', () => {
+    const functionEnvProp = {
+      TEST_VAR: 'testValue',
+      TEST_SECRET: new TestBackendSecret('secretValue'),
+    };
+
+    const testLambda = getTestLambda();
+
+    new FunctionEnvironmentTranslator(
+      testLambda,
+      functionEnvProp,
+      backendResolver
+    );
+
+    const template = Template.fromStack(Stack.of(testLambda));
+
+    template.resourceCountIs('AWS::IAM::Policy', 1);
+    template.hasResourceProperties('AWS::IAM::Policy', {
+      PolicyDocument: {
+        Statement: [
+          {
+            Effect: 'Allow',
+            Action: 'ssm:GetParameters',
+            Resource: [
+              {
+                'Fn::Join': [
+                  '',
+                  [
+                    'arn:',
+                    {
+                      Ref: 'AWS::Partition',
+                    },
+                    ':ssm:',
+                    {
+                      Ref: 'AWS::Region',
+                    },
+                    ':',
+                    {
+                      Ref: 'AWS::AccountId',
+                    },
+                    ':parameter/amplify/testBackendId/testBranchName-branch-e482a1c36f/secretValue',
+                  ],
+                ],
+              },
+              {
+                'Fn::Join': [
+                  '',
+                  [
+                    'arn:',
+                    {
+                      Ref: 'AWS::Partition',
+                    },
+                    ':ssm:',
+                    {
+                      Ref: 'AWS::Region',
+                    },
+                    ':',
+                    {
+                      Ref: 'AWS::AccountId',
+                    },
+                    ':parameter/amplify/shared/testBackendId/secretValue',
+                  ],
+                ],
+              },
+            ],
+          },
+        ],
+      },
+    });
+  });
 });
+
+const getTestLambda = () =>
+  new Function(new Stack(new App()), 'testFunction', {
+    code: Code.fromInline('test code'),
+    runtime: Runtime.NODEJS_20_X,
+    handler: 'handler',
+  });