https://serverless-stack.com/ logo
#help
Title
# help
r

Robin

02/23/2022, 1:32 PM
We have an SSM parameter that is called at build. We've updated it. It's changed - really. It is. Yet, every time we attempt a deploy or build the old SSM parameter is used. We can't figure out where it's coming from. Has anyone else had this issue? Does SST cache SSM parameters?
r

Ross Coundon

02/23/2022, 1:35 PM
Are you using a specific version of the parameter?
t

thdxr

02/23/2022, 1:47 PM
And how are you referencing the ssm parameter
r

Robin

02/23/2022, 1:48 PM
Copy code
import { StringParameter } from "@aws-cdk/aws-ssm";

const api = StringParameter.valueFromLookup(
      this,
      "/thingy/api/url"
    );
In a
sst.Stack
class constructor
Are you using a specific version of the parameter?
No. But, we have removed it and added again to ensure there is no history. Good thought.
t

thdxr

02/23/2022, 1:55 PM
So I believe valueFromLookup writes it to your cdk.context.json file - can you check if it's there?
You normally want to use
StringParameter.fromStringParameterName
which will pass in a token which gets resolved during the cfn deploy
r

Robin

02/23/2022, 1:57 PM
Oh! That's helpful! Thanks. I'm looking for the
cdk.context.json
is that in he
.build
directory?
t

thdxr

02/23/2022, 2:04 PM
it should be next to your sst.json
One of my earliest posts in here πŸ˜„
r

Ross Gerbasi

02/23/2022, 4:55 PM
@thdxr curious how you are handling non string secrets with this. I would like to use a simpler solution like you all have mentioned,
fromStringParameterName
as it seems to not require the full secret ID. For now I've been using this little helper utility, but maybe there is a better way?
Copy code
getRef(secretName: string, field?: string) {
      const SecretId = `arn:aws:secretsmanager:${region}:${account}:secret:${secretName}`
      return SecretValue.secretsManager(SecretId, {
        jsonField: field,
      }).toString()
    },
t

thdxr

02/23/2022, 4:55 PM
I don't use secrets I only use SSM
I think what you have there is what I'm aware of
r

Ross Gerbasi

02/23/2022, 4:58 PM
Wow πŸ€¦β€β™‚οΈ all this time I thought SSM was secrets manager. There is a whole separate thing haha
t

thdxr

02/23/2022, 4:59 PM
Yeah it's confusing lol - SSM is way easier
r

Ross Gerbasi

02/23/2022, 5:05 PM
Well what the heck haha ok but it does look like SSM can only be a string, where a secret can be json and have fields. So is it best to just store one value per SSM param, or do folks parse strings into json? This is confusing. I guess maybe if you don't need secret rotation SSM is a better option. secrets have a monthly storage cost as well.
t

thdxr

02/23/2022, 5:08 PM
Yeah you do one value per SSM parameter. And if you prefix them like
/app/stage/<KEY>
there's an API for pulling all of them by prefix
there's an api for multi-get as well
We're gonna bake all this into SST (been saying that forever lol) so that you can set hand managed secrets in the console scoped to your app+stage
r

Ross Gerbasi

02/23/2022, 5:09 PM
ah i gotcha, so you fake structure with string
Well, now i get to go swap secrets for SSM params haha. So how does versioning work here with SST. If you update the SSM param (i assume this means a new version exists now) will SST deploy pick it up or does something need to be done on the JS side. Like updating a version number for the param?
r

Ross Coundon

02/23/2022, 5:48 PM
Until recently CDK forced you to specify a version of the parameter that you wanted to grant access to but now if no version is provided, the latest is assumed
and it’ll continue to pick up the latest as that parameter changes over time
r

Ross Gerbasi

02/23/2022, 5:58 PM
@Ross Coundon (great name btw) πŸ™‚, so if i login to AWS and change a SSM param, then do
sst deploy
it will somehow get the latest param? Isn't the data in CF just a reference? Trying to make sure i understand what the "update a param and get it into production" workflow looks like, if you are using build time params and not runtime.
r

Ross Coundon

02/23/2022, 5:59 PM
Likewise πŸ˜‰ I believe the function is being granted access to the latest alias for the parameter, therefore, as the latest alias points to different versions, the code still retains the right access privileges
r

Ross Gerbasi

02/23/2022, 6:12 PM
hmm... it doesnt look like
fromStringParameterName
is async though, I am guessing it doesnt actually call out to AWS to get latest info. I would think this is making a token for CF to pick up the latest on deploy... Guess i need to do some tests here, see if i have the same trouble here as i did with secrets where the secret updated but the SST deploy was unware so there was no delta and thus no updates.
r

Ross Coundon

02/23/2022, 7:08 PM
What I'm describing is happening at runtime rather than deploy time. I've only granted privileges to a lambda based on a retrieved parameter in the stack, rather than retrieving the value of that parameter
6 Views