1

Apologies if this is a duplicate, I'm going a bit snowblind with blogs and articles trying to find a solution.

I'm trying to use the AWS CDK to deploy a Stack - specifically a CloudFront Distribution layered over an S3 Bucket. I want to retrieve a cert from Cert Manager, and I also want to update a Hosted Zone in R53.

I want to put the zone ID and cert ARN in SSM Parameter Store, and have my CDK app pull the correct ID/ARN from there, so as not to leave it in my code.

I'm currently pulling the values like this in my Go code:

```go
certArn := awsssm.StringParameter_ValueFromLookup(stack, certArnSSM)
certificate := awscertificatemanager.Certificate_FromCertificateArn(stack, wrapName("certificate"), certArn)
```

Where certArnSSM is the path to the parameter.

However, when I run the synth I get this:

```
panic: "ARNs must start with \"arn:\" and have at least 6 components: dummy-value-for-/dev/placeholder/certificateArn"
```

From some reading, this is expected. However, I'm not sure on the 'best practice' approach to solving it. I'm not totally clear on how to use Lazy to solve this - do I need to create a type and implement the Produce() method?

shearn89

2 Answers

1

I was unable to replicate your error. The following synths and deploys without error, correctly retrieving the certArn param from ssm as a valid certificate arn lookup input:

```go
func NewCertLookupStack(scope constructs.Construct, id string, props *awscdk.StackProps) awscdk.Stack {
    // props is already a pointer, so it is passed through as-is
    stack := awscdk.NewStack(scope, &id, props)

    certArn := awsssm.StringParameter_ValueFromLookup(stack, jsii.String("/dummy/certarn"))
    certificate := awscertificatemanager.Certificate_FromCertificateArn(stack, jsii.String("Certificate"), certArn)

    awscdk.NewCfnOutput(stack, jsii.String("ArnOutput"), &awscdk.CfnOutputProps{
        Value: certificate.CertificateArn(), // demonstrate it works: the correct cert ARN is stored as a stack output
    })

    return stack
}
```
fedonev
  • Yes - I also created a simple function just to test it, and got the same result. It may be because I was passing the value in to a CloudFront Distribution, and at some point whilst the value of the Cert ARN is still `dummy-value`, there's some validation that fails. I'm not sure. I'll take another look this weekend if I get time! – shearn89 Jan 20 '22 at 08:25
  • I've redone the required code and can't replicate the problem. Who knows what's going on, this drove me mad for about an hour the other day... – shearn89 Jan 20 '22 at 08:44
0

I worked around the issue by making the UUID of the cert a variable in my code, and then constructing an ARN manually. It feels like the wrong way to solve the problem though.

```go
createdArn := jsii.String(fmt.Sprintf("arn:aws:acm:us-east-1:%s:certificate/%s", *sprops.Env.Account, certUuid))
certificate := awscertificatemanager.Certificate_FromCertificateArn(stack, wrapName("certificate"), createdArn)
```
shearn89
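The `dummy-value-for-...` string in the question's panic is what `ValueFromLookup` returns before the real parameter has been fetched into the CDK context. As an added example (not code from the question or either answer), one way to guard that stand-in using only the standard library, so the ARN can stay in Parameter Store; `certArnForSynth`, `validateArn` and the placeholder ARN are hypothetical names and constructed values.

```go
package main

import (
	"fmt"
	"strings"
)

// Prefix of the stand-in string seen in the panic message in the question.
const lookupDummyPrefix = "dummy-value-for-"

// Constructed placeholder: well-formed, but refers to no real certificate.
const placeholderCertArn = "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"

// validateArn applies the two rules quoted in the panic message:
// the value must start with "arn:" and have at least 6 components.
func validateArn(arn string) error {
	if !strings.HasPrefix(arn, "arn:") {
		return fmt.Errorf("ARN must start with \"arn:\": %q", arn)
	}
	if n := len(strings.Split(arn, ":")); n < 6 {
		return fmt.Errorf("ARN has %d components, need at least 6: %q", n, arn)
	}
	return nil
}

// certArnForSynth (hypothetical helper) takes the string read from the lookup.
// While the lookup is unresolved it returns the placeholder and resolved=false;
// once resolved it returns the real value, rejecting anything malformed.
func certArnForSynth(looked string) (arn string, resolved bool, err error) {
	if strings.HasPrefix(looked, lookupDummyPrefix) {
		return placeholderCertArn, false, nil
	}
	if err := validateArn(looked); err != nil {
		return "", false, err
	}
	return looked, true, nil
}

func main() {
	// Constructed sample inputs: unresolved lookup, resolved lookup, bad parameter.
	for _, v := range []string{
		"dummy-value-for-/dev/placeholder/certificateArn",
		"arn:aws:acm:us-east-1:123456789012:certificate/constructed-id",
		"not-an-arn",
	} {
		arn, resolved, err := certArnForSynth(v)
		fmt.Printf("in=%q arn=%q resolved=%v err=%v\n", v, arn, resolved, err)
	}
}
```

The returned string can be passed to `Certificate_FromCertificateArn` in place of the raw lookup result; a malformed value stored in the parameter then fails with a clear error instead of reaching the stack.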