Using StringParameter.valueForTypedStringParameter() with SecureString fails during deployment #6786

Closed
matsev opened this issue Mar 18, 2020 · 2 comments
Labels
@aws-cdk/aws-ssm Related to AWS Systems Manager bug This issue is a bug. effort/medium Medium work item – several days of effort p2

matsev commented Mar 18, 2020

Attempt to read secure string from SSM using StringParameter.valueForTypedStringParameter() and ParameterType.SECURE_STRING fails during CDK deployment:

Error [ValidationError]: Template format error: Unrecognized parameter type: SecureString

Reproduction Steps

  1. Create a CDK project with the following files:

cdk.json

{
  "app": "npx ts-node bin/test-app.ts"
}

bin/test-app.ts

#!/usr/bin/env node
import * as cdk from '@aws-cdk/core';
import { TestStack } from '../lib/test-stack';

const app = new cdk.App();
new TestStack(app, 'TestStack', {
  env: { 
    account: '[some account]', 
    region: '[some region]',
  },
});

lib/test-stack.ts

import * as cdk from '@aws-cdk/core';
import { ParameterType, StringParameter } from '@aws-cdk/aws-ssm';
import { ApiKey, CfnApiKey, MockIntegration, RestApi } from '@aws-cdk/aws-apigateway';

export class TestStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const restApi = new RestApi(this, 'RestApi');
    restApi.root.addMethod('GET', new MockIntegration(), {
      apiKeyRequired: true,
    });

    const apiKeyValue = StringParameter.valueForTypedStringParameter(this, '/some/service/api-key', ParameterType.SECURE_STRING);
    const apiKey = new CfnApiKey(this, 'ApiKey', {
      value: apiKeyValue,
      enabled: true,
      stageKeys: [{
        restApiId: restApi.restApiId,
        stageName: restApi.deploymentStage.stageName.toString(),
      }]
    });
  }
}
  2. Attempt to deploy
$ npx cdk deploy

Expected result:

The stack should deploy successfully

Actual result

Deployment fails

Error [ValidationError]: Template format error: Unrecognized parameter type: SecureString

Error Log

TestStack: creating CloudFormation changeset...

 ❌  TestStack failed: Error [ValidationError]: Template format error: Unrecognized parameter type: SecureString
    at Request.extractError (/Users/test/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/Users/test/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/Users/test/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/Users/test/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/Users/test/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/Users/test/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /Users/test/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/Users/test/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/Users/test/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/Users/test/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  message: 'Template format error: Unrecognized parameter type: SecureString',
  code: 'ValidationError',
  time: 2020-03-18T09:55:03.657Z,
  statusCode: 400,
  retryable: false,
  retryDelay: 123.2426434718625
}
Template format error: Unrecognized parameter type: SecureString

Environment

$ npx cdk --version
1.28.0 (build 5f2bbc6)
$ aws --version
aws-cli/2.0.0 Python/3.8.2 Darwin/19.3.0 botocore/2.0.0dev7
  • OS: macOS Catalina 10.15.3
  • language: "typescript": "~3.7.2"

This is 🐛 Bug Report

@matsev matsev added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 18, 2020
@SomayaB SomayaB added the @aws-cdk/aws-ssm Related to AWS Systems Manager label Mar 19, 2020
MrArnoldPalmer (Contributor) commented

So CloudFormation doesn't support referencing SecureString SSM params. This has been a known issue for a while and we aren't sure if/when support will come.

Docs

SSM Parameter Types

AWS CloudFormation doesn't currently support the SecureString Systems Manager parameter type.

If you can store this value in Secrets Manager you should be able to work around this.

I'll keep this ticket open because we should better handle limiting the use of SecureString wherever Cfn doesn't support it.

@MrArnoldPalmer MrArnoldPalmer added effort/medium Medium work item – several days of effort p2 and removed needs-triage This issue or PR still needs to be triaged. labels Mar 19, 2020
MrArnoldPalmer commented Mar 26, 2020

Closing in favor of #6819

douglasnaphas added a commit to douglasnaphas/madliberation that referenced this issue Mar 8, 2024
This reverts commit eb4258d.

The last build failed with

SSM Secure reference is not supported in:
[AWS::Cognito::UserPoolIdentityProvider/Properties/ProviderDetails/client_secret]

Apparently "Cloudformation doesn't support referencing SecureString ssm
params. This has been a known issue for awhile and we aren't sure
if/when support will come."

aws/aws-cdk#6786 (comment)
aws/aws-cdk#6819
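
A pre-deploy check for the two failures seen in this thread, as an added example that is not aws-cdk code and was not posted in the issue: it scans a synthesized template for SecureString-typed parameters (the error in the original report) and for `{{resolve:ssm-secure:...}}` references (the error in the revert commit message), reporting the latter in the same `Type/Properties/...` path form. The function names, the sample template, and the assumption that the parameter type appears as `AWS::SSM::Parameter::Value<SecureString>` are illustrative.

```typescript
// Added example (not aws-cdk code): pre-deploy check over a synthesized template.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
interface Template {
  Parameters?: { [name: string]: { Type: string; Default?: string } };
  Resources?: { [logicalId: string]: { Type: string; Properties?: Json } };
}
interface Finding { kind: 'parameter-type' | 'dynamic-reference'; path: string; detail: string; }

// Walk any JSON value and record every string leaf with its slash-separated path.
function stringLeaves(node: Json, path: string, out: Array<[string, string]>): void {
  if (typeof node === 'string') {
    out.push([path, node]);
  } else if (Array.isArray(node)) {
    node.forEach((child, i) => stringLeaves(child, `${path}/${i}`, out));
  } else if (node !== null && typeof node === 'object') {
    for (const key of Object.keys(node)) stringLeaves(node[key], `${path}/${key}`, out);
  }
}

function findSecureStringUses(template: Template): Finding[] {
  const findings: Finding[] = [];
  const params = template.Parameters || {};
  for (const name of Object.keys(params)) {
    // The case in this issue: a template parameter typed as an SSM SecureString.
    if (params[name].Type.indexOf('SecureString') !== -1) {
      findings.push({ kind: 'parameter-type', path: `Parameters/${name}`, detail: params[name].Type });
    }
  }
  const resources = template.Resources || {};
  for (const id of Object.keys(resources)) {
    const leaves: Array<[string, string]> = [];
    const props = resources[id].Properties;
    if (props !== undefined) stringLeaves(props, `${resources[id].Type}/Properties`, leaves);
    for (const [path, value] of leaves) {
      // ssm-secure references are accepted only in specific properties; list each for review.
      if (value.indexOf('{{resolve:ssm-secure:') !== -1) findings.push({ kind: 'dynamic-reference', path, detail: value });
    }
  }
  return findings;
}

// Constructed sample template; logical IDs and SSM paths are illustrative.
const sampleTemplate: Template = {
  Parameters: {
    ApiKeyParam: { Type: 'AWS::SSM::Parameter::Value<SecureString>', Default: '/some/service/api-key' },
    StageParam: { Type: 'AWS::SSM::Parameter::Value<String>', Default: '/some/service/stage' } },
  Resources: {
    ApiKey: { Type: 'AWS::ApiGateway::ApiKey', Properties: { Enabled: true, Value: { Ref: 'ApiKeyParam' } } },
    Idp: { Type: 'AWS::Cognito::UserPoolIdentityProvider',
      Properties: { ProviderDetails: { client_secret: '{{resolve:ssm-secure:/some/service/client-secret:1}}' } } } },
};
```

Run against the JSON template that `cdk synth` writes, any finding is a place where the secret would need to come from another source such as Secrets Manager, or where the target property has to be checked against CloudFormation's list of properties that accept `ssm-secure`.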