Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: consolidate backend secret custom resources #2011

Open
wants to merge 13 commits into
base: main
Choose a base branch
from

Conversation

awsluja
Copy link
Contributor

@awsluja awsluja commented Sep 17, 2024

Problem

This consolidates secret fetcher custom resources into one.

A single custom resource will be created, instead of a resource for each secret.

Issue number, if available:
#1797
#1825

Changes

Corresponding docs PR, if applicable:

Validation

Checklist

  • If this PR includes a functional change to the runtime behavior of the code, I have added or updated automated test coverage for this change.
  • If this PR requires a change to the Project Architecture README, I have included that update in this PR.
  • If this PR requires a docs update, I have linked to that docs PR above.
  • If this PR modifies E2E tests, makes changes to resource provisioning, or makes SDK calls, I have run the PR checks with the run-e2e label set.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@awsluja awsluja added the run-e2e Label that will include e2e tests in PR checks workflow label Sep 17, 2024
@awsluja awsluja requested a review from a team as a code owner September 17, 2024 01:00
Copy link

changeset-bot bot commented Sep 17, 2024

🦋 Changeset detected

Latest commit: 63efabb

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@aws-amplify/backend Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

Comment on lines 21 to 23
) {
BackendSecretFetcherFactory.registerSecret(secretName);
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't look like a healthy data flow.

Could we move this detail into factory (since we do receive reference to factory in this ctor already)?

For example.
Change scope of these variables

const secretProviderFactory = new BackendSecretFetcherProviderFactory();
const secretResourceFactory = new BackendSecretFetcherFactory(
secretProviderFactory
);
and promote them to global scope (to make factory a singleton)
Use cdk.Lazy to accumulate secret names inside factory?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are singleton factories, except they do not use DI system like other factories, they use the scope.node.tryFindChild('')

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can registerSecret become internal detail of the factory then ?

Copy link
Member

@sobolk sobolk Sep 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@awsluja this is what I have in mind 9816f17 .

(I haven't touched tests, but they should be covered by different scoping of factories).

@@ -25,34 +25,31 @@ void describe('getOrCreate', () => {
const providerFactory = new BackendSecretFetcherProviderFactory();
const resourceFactory = new BackendSecretFetcherFactory(providerFactory);

beforeEach(() => {
BackendSecretFetcherFactory.clearRegisteredSecrets();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of using static methods, we should rather control scope of variables and make the factory an effective singleton in the code, but not in tests.

sobolk
sobolk previously approved these changes Sep 18, 2024
): CustomResource => {
const secretResourceId = `${secretName}SecretFetcherResource`;
): SecretFetcherCustomResource => {
const secretResourceId = `SecretFetcherResource`;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
const secretResourceId = `SecretFetcherResource`;
const secretResourceId = `AmplifySecretFetcherResource`;

just in case.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated (AmplifySecretFetcherCustomResource)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I meant resource id not the class name.

for (const secretName of props.secretNames) {
let secretValue: string | undefined = undefined;
try {
const resp = await secretClient.getSecret(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

may be a good optimization as separate item, it would be https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/ssm/command/GetParametersCommand/ since we don't use secrets manager ; but we have custom try-catch logic for each secret here, so it would be something like batching all secrets with one command, then batch the retries, and aggregate errors

sobolk
sobolk previously approved these changes Sep 18, 2024
* feed pr base sha and ref into envs before scripts

* removing empty file
@sobolk sobolk requested a review from a team as a code owner December 3, 2024 18:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
run-e2e Label that will include e2e tests in PR checks workflow
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants