feat(aws-ssm): add decryption support for SecureString parameters (#1241)

Signed-off-by: Giovanni De Giorgio <[email protected]>

Author: gdegiorgio

assets/aws-ssm/create-param.png

@@ -30,9 +30,41 @@ OpenFeature.setProvider(
   })
 );
 ```
+
+# AWS SSM Provider Configuration
+
+## AwsSsmProviderConfig
+
+| Property         | Type               | Description                                  | Default |
+|-----------------|--------------------|----------------------------------------------|---------|
+| `ssmClientConfig` | `SSMClientConfig` | AWS SSM Client configuration options.       | See [here](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/ssm/)    |
+| `enableDecryption`      | `boolean`   | Enable decryption for SecureString parameters      | false |
+| `cacheOpts`      | `LRUCacheConfig`   | Configuration for the local LRU cache.      | See below |
+
+## LRUCacheConfig
+
+| Property  | Type    | Description                                    | Default |
+|-----------|--------|------------------------------------------------|---------|
+| `enabled` | `boolean` | Whether caching is enabled.                 | `false`  |
+| `ttl`     | `number`  | Time-to-live (TTL) for cached items (in ms). | `300000` (5 minutes) |
+| `size`    | `number`  | Maximum number of items in the cache.       | `1000`  |
+
+
+
+
 ## Retrieve Feature Flag!
 
-Create a new SSM Param called 'my-feature-flag' in your AWS Account and then retrieve it via OpenFeature Client!
+Open your AWS Management Console and go to AWS System Manager service  
+
+![SSM-Menu](../../../assets/aws-ssm/search.png)  
+
+Go to Parameter Store  
+
+![Parameter-Store](../../../assets/aws-ssm/ssm-menu.png)  
+
+Create a new SSM Param called 'my-feature-flag' in your AWS Account and then retrieve it via OpenFeature Client!  
+
+![Create-Param](../../../assets/aws-ssm/create-param.png)  
 
 ```
 const featureFlags = OpenFeature.getClient();

assets/aws-ssm/search.png

@@ -22,7 +22,7 @@ export class AwsSsmProvider implements Provider {
   cache: Cache;
 
   constructor(config: AwsSsmProviderConfig) {
-    this.service = new SSMService(config.ssmClientConfig);
+    this.service = new SSMService(config.ssmClientConfig, config.enableDecryption);
     this.cache = new Cache(config.cacheOpts);
   }
 

assets/aws-ssm/ssm-menu.png

@@ -8,10 +8,10 @@ export class Cache {
   private enabled: boolean;
   constructor(opts: LRUCacheConfig) {
     this.cache = new LRUCache({
-      maxSize: opts.size,
+      maxSize: opts.size ?? 1000,
       sizeCalculation: () => 1,
     });
-    this.ttl = opts.ttl;
+    this.ttl = opts.ttl ?? 300000;
     this.enabled = opts.enabled;
   }
 

libs/providers/aws-ssm/README.md

@@ -1,4 +1,10 @@
-import { GetParameterCommand, SSMClient, SSMClientConfig } from '@aws-sdk/client-ssm';
+import {
+  GetParameterCommand,
+  SSMClient,
+  SSMClientConfig,
+  GetParameterCommandInput,
+  DescribeParametersCommand,
+} from '@aws-sdk/client-ssm';
 import { ResponseMetadata } from '@smithy/types';
 import {
   FlagNotFoundError,
@@ -11,9 +17,10 @@ import {
 
 export class SSMService {
   client: SSMClient;
-
-  constructor(config: SSMClientConfig) {
+  enableDecryption: boolean;
+  constructor(config: SSMClientConfig, enableDecryption?: boolean) {
     this.client = new SSMClient(config);
+    this.enableDecryption = enableDecryption ?? false;
   }
 
   async getBooleanValue(name: string): Promise<ResolutionDetails<boolean>> {
@@ -78,10 +85,34 @@ export class SSMService {
     }
   }
 
+  async _isSecureString(name: string): Promise<boolean> {
+    const res = await this.client.send(
+      new DescribeParametersCommand({
+        ParameterFilters: [
+          {
+            Key: 'Name',
+            Values: [name],
+          },
+        ],
+      }),
+    );
+
+    if (!res.Parameters) {
+      throw new FlagNotFoundError(`Unable to find an SSM Parameter with key ${name}`);
+    }
+    return res.Parameters[0].Type === 'SecureString';
+  }
+
   async _getValueFromSSM(name: string): Promise<{ val: string; metadata: ResponseMetadata }> {
-    const command: GetParameterCommand = new GetParameterCommand({
+    const param: GetParameterCommandInput = {
       Name: name,
-    });
+    };
+
+    if (this.enableDecryption) {
+      param.WithDecryption = await this._isSecureString(name);
+    }
+
+    const command: GetParameterCommand = new GetParameterCommand(param);
 
     const res = await this.client.send(command);
 

libs/providers/aws-ssm/src/lib/aws-ssm-provider.ts

@@ -3,10 +3,11 @@ import { SSMClientConfig } from '@aws-sdk/client-ssm';
 export type AwsSsmProviderConfig = {
   ssmClientConfig: SSMClientConfig;
   cacheOpts: LRUCacheConfig;
+  enableDecryption?: boolean;
 };
 
 export type LRUCacheConfig = {
   enabled: boolean;
-  ttl: number;
-  size: number;
+  ttl?: number;
+  size?: number;
 };