(ssm): Retrieve secure string without version number

[fire015]

General Issue

Ability to retrieve secure string without version number

The Question

I am using ECS fargate and the secrets property to retrieve secret env vars from SSM.

    new ApplicationLoadBalancedFargateService(this, "ECSService", {
      taskImageOptions: {
        secrets: {
          API_KEY: this.getSecret("API_KEY", 1),
        },
      },
    });

  private getSecret(parameterName: string, version: number): ecs.Secret {
    return ecs.Secret.fromSsmParameter(
      ssm.StringParameter.fromSecureStringParameterAttributes(this, `SecretParameter-${parameterName}`, { parameterName, version })
    );
  }

The problem is you have to define the version number to retrieve a secure string (unlike a regular string) and this gets difficult when you deploy the same stack to different environments and the version of the secret may differ between environments.

Is there a better way of doing this or can I suggest this as a new feature request? It's not clear why you don't have to define a version for a regular string but you do for a secure one...

CDK CLI Version

1.107.0

Framework Version

No response

Node.js Version

12

OS

No response

Language

Typescript

Language Version

No response

Other information

No response

[jumic]

Referencing the latest version of a secure string is not possible in the underlying CloudFormation function. The documentation for property version describes this limitation:

An integer that specifies the version of the parameter to use. You must specify the exact version. You can't currently specify that AWS CloudFormation use the latest version of a parameter.

For string parameters, this limitation doesn't exist in CloudFormation. Therefore there is a different behavior for String and Secure String.

From my point of view, you have to create a parameter for the version number to pass different values for each environment.

[peterwoodworth]

Thanks @jumic

Since this is limited by cloudformation, the chance of this being a feature worked on by the team is pretty low. I could still convert it to a feature request if you want though @fire015, just let me know

[fire015]

@peterwoodworth thanks, I will open as a feature request on the CF github repo!