fix: consolidate backend secret custom resources #2011
Conversation
awsluja
added
the
run-e2e
🦋 Changeset detectedLatest commit: ad0a911 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
| ) { | ||
| BackendSecretFetcherFactory.registerSecret(secretName); | ||
| } |
There was a problem hiding this comment.
This doesn't look like a healthy data flow.
Could we move this detail into factory (since we do receive reference to factory in this ctor already)?
For example.
Change scope of these variables
amplify-backend/packages/backend/src/secret.ts
Lines 30 to 33 in 8dd7286
Use cdk.Lazy to accumulate secret names inside factory?
There was a problem hiding this comment.
These are singleton factories, except they do not use DI system like other factories, they use the scope.node.tryFindChild('')
There was a problem hiding this comment.
can registerSecret become internal detail of the factory then ?
| @@ -25,34 +25,31 @@ void describe('getOrCreate', () => { | |||
| const providerFactory = new BackendSecretFetcherProviderFactory(); | |||
| const resourceFactory = new BackendSecretFetcherFactory(providerFactory); | |||
|
|
|||
| beforeEach(() => { | |||
| BackendSecretFetcherFactory.clearRegisteredSecrets(); | |||
There was a problem hiding this comment.
Instead of using static methods, we should rather control scope of variables and make the factory an effective singleton in the code, but not in tests.
| ): CustomResource => { | ||
| const secretResourceId = `${secretName}SecretFetcherResource`; | ||
| ): SecretFetcherCustomResource => { | ||
| const secretResourceId = `SecretFetcherResource`; |
There was a problem hiding this comment.
| const secretResourceId = `SecretFetcherResource`; | |
| const secretResourceId = `AmplifySecretFetcherResource`; |
just in case.
There was a problem hiding this comment.
updated (AmplifySecretFetcherCustomResource)
There was a problem hiding this comment.
I meant resource id not the class name.
| for (const secretName of props.secretNames) { | ||
| let secretValue: string | undefined = undefined; | ||
| try { | ||
| const resp = await secretClient.getSecret( |
There was a problem hiding this comment.
An optimization idea:
https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/secrets-manager/command/BatchGetSecretValueCommand/
since we're fetching multiple secrets.
There was a problem hiding this comment.
may be a good optimization as separate item, it would be https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/ssm/command/GetParametersCommand/ since we don't use secrets manager ; but we have custom try-catch logic for each secret here, so it would be something like batching all secrets with one command, then batch the retries, and aggregate errors
Problem
This consolidates secret fetcher custom resources into one.
A single custom resource will be created, instead of a resource for each secret.
Issue number, if available:
#1797
#1825
Changes
Corresponding docs PR, if applicable:
Validation
Checklist
run-e2elabel set.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.