aws_ssm: StringListParameter.ValueForTypedListParameter to support shared parameters

[anthony-keller]

Describe the feature

Now that parameter sharing between accounts is a feature, the CDK constructs should support ARN parameter names so that a shared parameter from a different account can be retrieved.

Use Case

I'm attempting to create the required Route53 resources in a multi-account organization. The DNS architecture we're using is:

• domain-account : contains the registered domain and a hosted zone.
• workload-account : contains workloads and has a sub-domain of the main domain in domain-account

In order for the CDK to create the required resources, I'm trying to use the following stacks:

WorkloadAccountStack - this stack creates a hosted zone, e.g. dev.domain.com, and creates a StringListParameter with a value of the NS entry of the new hosted zone. The parameter name is _dns_DevNameServers and is in the ADVANCED tier. Additionally, a CfnResourceShare is created to share the parameter with the domain-account.

DomainAccountStack - this stack creates a NS record in the domain.com hosted zone. To do this, the stack must get the value of the _dns_DevNameServers parameter from the workload-account.

AWS docs state that accessing a parameter is done by passing the ARN as the parameter name.

In 2.130 of CDK, I'm using the following code:

    public static string[] ValueForTypedListParameter(Construct scope, string id, string parameterName, Environment environment)
    {
        var parameterArn = Arn.Format(new ArnComponents
        {
            ArnFormat = ArnFormat.COLON_RESOURCE_NAME,
            Partition = AwsArnPartitions.Aws,
            Account = environment.Account,
            Region = environment.Region,
            Service = AwsArnServices.Ssm,
            Resource = AwsArnResources.Parameter,
            ResourceName = parameterName
        });

        var parameter = StringListParameter.FromListParameterAttributes(scope, id, new ListParameterAttributes
        {
            ParameterName = parameterArn
        });

        return parameter.StringListValue;
    }

When attempting to deploy the stack, I get the following error:

Could not determine the resource name from arn: arn:aws:ssm:ap-southeast-2:xxxxxxxxxxxxxx:parameter:_dns_DevNameServers

I believe this is due to using COLON_RESOURCE_NAME as the ArnFormat. I would like to use SLASH_RESOURCE_NAME, however, when using that, the synth process throws an error:

Error: Parameter names must be fully qualified (if they include "/" they must also begin with a "/")

Proposed Solution

At this stage I'm not sure where to start with a solution for this problem.

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.130

Environment details (OS name and version, etc.)

Windows 11

[pahud]

StringListParameter.ValueForTypedListParameter actually creates dynamic reference if you look at its implementation. Based on the answer from Amazon Q, dynamic references do support cross-account access so I think it should be possible for cross account secret reference.

Self-assigned for now. I'll investigate and try to provide some working samples here.

[anthony-keller]

Thanks @pahud . I may be able to use SecretManager rather than Parameter Store. From what I can tell, a secret can be created and can have read permission granted to other accounts. I can then use Secret.FromSecretCompleteArn() to retrieve the value. Using secrets has a cost, so I'm keen to avoid that if possible.

Alternatively, since I'm using Octopus Deploy, any outputs from a CloudFormation template are made available in Powershell. I could write a script to retrieve the value and then use the AWS CLI to create the required NS record in the domain.com hosted zone. Not as elegant as using CDK and CloudFormation stacks, but would achieve the desired result.

I'm actively working on this so will post any progress.

[anthony-keller]

CloudFormation docs suggest that it might not be possible to dynamically resolve a parameter using an ARN.

Additional considerations to note when using the ssm dynamic reference pattern:

• Currently, CloudFormation doesn't support cross-account SSM parameter access.

[marksieczkowski]

I got StringParameter.valueFromLookup to work with a shared parameter.

    const parameterValue = ssm.StringParameter.valueFromLookup(this, Arn.format({
      account: host_account_id,
      partition: 'aws',
      region: this.region,
      resource: 'parameter',
      resourceName: 'parameter_name',
      service: 'ssm',
    }));

But I found it clunky to use because I had to do a synth before I used the value anywhere for it to seed the cdk.context.json with a value or else doing a synth would error on the dummy value.

It would be nice if StringParameter.valueForStringParameter would accept an Arn.

[aarcro]

Here's my use case for this feature. We're in an AWS Organization with a central account that builds AMIs, those AMIs are published to our many accounts, and the ARNs for the current versions of the AMIs are populated in SSM parameters that are shared to all accounts. I would like to call ec2.MachineImage.fromSsmParameter(ssmParameterArn, {cachedInContext: false}) with ssmParameterArn already specified as a full ARN since it is shared from a different account.