wip: other ssmprovider features

dreamorosi · dreamorosi · commit fa7deb731291 · 2022-12-21T17:46:24.000+01:00
diff --git a/packages/parameters/src/BaseProvider.ts b/packages/parameters/src/BaseProvider.ts
@@ -101,30 +101,30 @@ abstract class BaseProvider implements BaseProviderInterface {
     return values;
   }
 
-  /**
-   * Retrieve parameter value from the underlying parameter store
-   * 
-   * @param {string} name - Parameter name
-   * @param {unknown} sdkOptions - Options to pass to the underlying AWS SDK
-   */
-  protected abstract _get(name: string, sdkOptions?: unknown): Promise<string | undefined>;
-
-  protected abstract _getMultiple(path: string, sdkOptions?: unknown): Promise<Record<string, string|undefined>>;
-
   /**
    * Check whether a key has expired in the cache or not
    * 
    * It returns true if the key is expired or not present in the cache.
    * 
    * @param {string} key - Stringified representation of the key to retrieve
    */
-  private hasKeyExpiredInCache(key: string): boolean {
+  public hasKeyExpiredInCache(key: string): boolean {
     const value = this.store.get(key);
     if (value) return value.isExpired();
     
     return true;
   }
 
+  /**
+   * Retrieve parameter value from the underlying parameter store
+   * 
+   * @param {string} name - Parameter name
+   * @param {unknown} sdkOptions - Options to pass to the underlying AWS SDK
+   */
+  protected abstract _get(name: string, sdkOptions?: unknown): Promise<string | undefined>;
+
+  protected abstract _getMultiple(path: string, sdkOptions?: unknown): Promise<Record<string, string|undefined>>;
+
 }
 
 // TODO: revisit `value` type once we are clearer on the types returned by the various SDKs
diff --git a/packages/parameters/src/SSMProvider.ts b/packages/parameters/src/SSMProvider.ts
@@ -1,17 +1,100 @@
-import { BaseProvider, DEFAULT_PROVIDERS } from './BaseProvider';
-import { SSMClient, GetParameterCommand, paginateGetParametersByPath } from '@aws-sdk/client-ssm';
-import type { SSMClientConfig, GetParameterCommandInput, GetParametersByPathCommandInput } from '@aws-sdk/client-ssm';
-import type { SSMGetMultipleOptionsInterface, SSMGetOptionsInterface } from 'types/SSMProvider';
+import { BaseProvider, DEFAULT_PROVIDERS, transformValue } from './BaseProvider';
+import { GetParameterError } from 'Exceptions';
+import { DEFAULT_MAX_AGE_SECS } from './constants';
+import { SSMClient, GetParameterCommand, paginateGetParametersByPath, GetParametersCommand } from '@aws-sdk/client-ssm';
+import type {
+  SSMClientConfig,
+  GetParameterCommandInput,
+  GetParametersByPathCommandInput,
+  GetParametersCommandInput,
+  GetParametersCommandOutput,
+} from '@aws-sdk/client-ssm';
+import type {
+  SSMGetMultipleOptionsInterface,
+  SSMGetOptionsInterface,
+  SSMGetParametersByNameOutputInterface,
+  SSMGetParametersByNameOptionsInterface,
+  SSMSplitBatchAndDecryptParametersOutputType,
+  SSMGetParametersByNameFromCacheOutputType,
+} from 'types/SSMProvider';
 import type { PaginationConfiguration } from '@aws-sdk/types';
 
 class SSMProvider extends BaseProvider {
   public client: SSMClient;
+  protected errorsKey = '_errors';
+  protected maxGetParametersItems = 10;
 
   public constructor(config: SSMClientConfig = {}) {
     super();
     this.client = new SSMClient(config);
   }
 
+  /**
+   * Retrieve multiple parameter values by name from SSM or cache.
+   * 
+   * `ThrowOnError` decides whether to throw an error if a parameter is not found:
+   * - A) Default fail-fast behavior: Throws a `GetParameterError` error upon any failure.
+   * - B) Gracefully aggregate all parameters that failed under "_errors" key.
+   * 
+   * It transparently uses GetParameter and/or GetParameters depending on decryption requirements.
+   * 
+   * ```sh
+   *                                ┌────────────────────────┐
+   *                            ┌───▶  Decrypt entire batch  │─────┐
+   *                            │   └────────────────────────┘     │     ┌────────────────────┐
+   *                            │                                  ├─────▶ GetParameters API  │
+   *    ┌──────────────────┐    │   ┌────────────────────────┐     │     └────────────────────┘
+   *    │   Split batch    │─── ┼──▶│ No decryption required │─────┘
+   *    └──────────────────┘    │   └────────────────────────┘
+   *                            │                                        ┌────────────────────┐
+   *                            │   ┌────────────────────────┐           │  GetParameter API  │
+   *                            └──▶│Decrypt some but not all│───────────▶────────────────────┤
+   *                                └────────────────────────┘           │ GetParameters API  │
+   *                                                                     └────────────────────┘
+   * ```
+   * 
+   * @param {Record<string, unknown>[]} parameters - List of parameter names, and any optional overrides
+   * 
+   */
+  public async getParametersByName(parameters: Record<string, SSMGetParametersByNameOptionsInterface>, options: SSMGetParametersByNameOptionsInterface): Promise<Record<string, unknown>> {
+    const configs = { ...{
+      decrypt: false,
+      maxAge: DEFAULT_MAX_AGE_SECS,
+      throwOnError: true,
+    }, ...options };
+
+    let response: Record<string, unknown> = {};
+
+    // NOTE: We fail early to avoid unintended graceful errors being replaced with their '_errors' param values
+    SSMProvider.throwIfErrorsKeyIsPresent(parameters, this.errorsKey, configs.throwOnError);
+
+    const { batch, decrypt } = SSMProvider.splitBatchAndDecryptParameters(parameters, configs);
+    // NOTE: We need to find out whether all parameters must be decrypted or not to know which API to use
+    // Logic:
+    // GetParameters API -> When decrypt is used for all parameters in the the batch
+    // GetParameter  API -> When decrypt is used for one or more in the batch
+    if (Object.keys(decrypt).length !== Object.keys(parameters).length) {
+      const { response: decryptResponse, errors: decryptErrors } = await this.getParametersByNameWithDecryptOption(decrypt, configs.throwOnError);
+      const { response: batchResponse, errors: batchErrors } = await this.getParametersBatchByName(batch, configs.throwOnError, false);
+      
+      response = { ...decryptResponse, ...batchResponse };
+      // Fail-fast disabled, let's aggregate errors under "_errors" key so they can handle gracefully
+      if (!configs.throwOnError) {
+        response[this.errorsKey] = [ ...decryptErrors, ...batchErrors ];
+      }
+    } else {
+      const { response: batchResponse, errors: batchErrors } = await this.getParametersBatchByName(decrypt, configs.throwOnError, true);
+      
+      response = batchResponse;
+      // Fail-fast disabled, let's aggregate errors under "_errors" key so they can handle gracefully
+      if (!configs.throwOnError) {
+        response[this.errorsKey] = [...batchErrors];
+      }
+    }
+
+    return response;
+  }
+
   protected async _get(name: string, options?: SSMGetOptionsInterface): Promise<string | undefined> {
     const sdkOptions: GetParameterCommandInput = {
       Name: name,
@@ -68,6 +151,205 @@ class SSMProvider extends BaseProvider {
 
     return parameters;
   }
+
+  protected async _getParametersByName(parameters: Record<string, SSMGetParametersByNameOptionsInterface>, throwOnError: boolean, decrypt: boolean): Promise<SSMGetParametersByNameOutputInterface> {
+    const results: SSMGetParametersByNameOutputInterface = {
+      response: {},
+      errors: [],
+    };
+
+    const sdkOptions: GetParametersCommandInput = {
+      Names: Object.keys(parameters),
+    };
+    if (decrypt) {
+      sdkOptions.WithDecryption = true;
+    }
+    
+    const result = await this.client.send(new GetParametersCommand(sdkOptions));
+    results.errors = SSMProvider.handleAnyInvalidGetParameterErrors(result, throwOnError);
+    results.response = this.transformAndCacheGetParametersResponse(result, parameters, throwOnError);
+
+    return results;
+  }
+
+  /**
+   * Slice batch and fetch parameters using GetPrameters API by max permissible batch size
+   */
+  protected async getParametersBatchByName(parameters: Record<string, SSMGetParametersByNameOptionsInterface>, throwOnError: boolean, decrypt: boolean): Promise<SSMGetParametersByNameOutputInterface> {
+    const results: SSMGetParametersByNameOutputInterface = {
+      response: {},
+      errors: [],
+    };
+
+    // Fetch each possible batch param from cache and return if entire batch is cached
+    const { cached, toFetch } = await this.getParametersByNameFromCache(parameters);
+    if (Object.keys(cached).length > Object.keys(parameters).length) {
+      results.response = cached;
+
+      return results;
+    }
+
+    // Slice batch by max permitted GetParameters call and retrieve the ones that are not cached
+    const { response: batchResponse, errors: batchErrors } = await this.getParametersByNameInChunks(toFetch, throwOnError, decrypt);
+    results.response = { ...cached, ...batchResponse };
+    results.errors = batchErrors;
+
+    return results;
+  }
+
+  /**
+   * Fetch each parameter from batch that hasn't expired from cache
+   */
+  protected async getParametersByNameFromCache(parameters: Record<string, SSMGetParametersByNameOptionsInterface>): Promise<SSMGetParametersByNameFromCacheOutputType> {
+    const results: SSMGetParametersByNameFromCacheOutputType = {
+      cached: {},
+      toFetch: {},
+    };
+
+    for (const [ parameterName, parameterOptions ] of Object.entries(parameters)) {
+      const cacheKey = [ parameterName, parameterOptions.transform ].toString();
+      if (!super.hasKeyExpiredInCache(cacheKey)) {
+        results.cached[parameterName] = super.store.get(cacheKey);
+      } else {
+        results.toFetch[parameterName] = parameterOptions;
+      }
+    }
+
+    return results;
+  }
+
+  protected async getParametersByNameInChunks(parameters: Record<string, SSMGetParametersByNameOptionsInterface>, throwOnError: boolean, decrypt: boolean): Promise<SSMGetParametersByNameOutputInterface> {
+    const results: SSMGetParametersByNameOutputInterface = {
+      response: {},
+      errors: [],
+    };
+    
+    // Slice object into chunks of max permissible batch size
+    const chunks = Object.entries(parameters).reduce((acc, [ parameterName, parameterOptions ], index) => {
+      const chunkIndex = Math.floor(index / this.maxGetParametersItems);
+      if (!acc[chunkIndex]) {
+        acc[chunkIndex] = {};
+      }
+      acc[chunkIndex][parameterName] = parameterOptions;
+
+      return acc;
+    }, [] as Record<string, SSMGetParametersByNameOptionsInterface>[]);
+
+    // Fetch each chunk and merge results
+    for (const chunk of chunks) {
+      const { response: chunkResponse, errors: chunkErrors } = await this._getParametersByName(chunk, throwOnError, decrypt);
+      results.response = { ...results.response, ...chunkResponse };
+      results.errors = [ ...results.errors, ...chunkErrors ];
+    }
+
+    return results;
+  }
+
+  protected async getParametersByNameWithDecryptOption(parameters: Record<string, SSMGetParametersByNameOptionsInterface>, throwOnError: boolean): Promise<SSMGetParametersByNameOutputInterface> {
+    const results: SSMGetParametersByNameOutputInterface = {
+      response: {},
+      errors: [],
+    };
+
+    for (const [ parameterName, parameterOptions ] of Object.entries(parameters)) {
+      try {
+        results.response[parameterName] = await this._get(parameterName, parameterOptions);
+      } catch (error) {
+        if (throwOnError) {
+          throw error;
+        }
+        results.errors.push(parameterName);
+      }
+    }
+
+    return results;
+  }
+
+  /**
+   * Handle any invalid parameters returned by GetParameters API
+   * GetParameters is non-atomic. Failures don't always reflect in exceptions so we need to collect.
+   */
+  protected static handleAnyInvalidGetParameterErrors(result: GetParametersCommandOutput, throwOnError: boolean): string[] {
+    const errors: string[] = [];
+    if (result.InvalidParameters && result.InvalidParameters.length > 0) {
+      if (throwOnError) {
+        throw new GetParameterError(`Failed to fetch parameters: ${result.InvalidParameters.join(', ')}`);
+      }
+      errors.push(...result.InvalidParameters);
+    }
+
+    return errors;
+  }
+
+  /**
+   * Split parameters that can be fetched by GetParameters vs GetParameter.
+   */
+  protected static splitBatchAndDecryptParameters(parameters: Record<string, SSMGetParametersByNameOptionsInterface>, configs: SSMGetParametersByNameOptionsInterface): SSMSplitBatchAndDecryptParametersOutputType {
+    const splitParameters: SSMSplitBatchAndDecryptParametersOutputType = {
+      batch: {},
+      decrypt: {},
+    };
+
+    for (const [ parameterName, parameterOptions ] of Object.entries(parameters)) {
+      const overrides = parameterOptions || {};
+      overrides.transform = overrides.transform || configs.transform;
+
+      if (!overrides.hasOwnProperty('decrypt')) {
+        overrides.decrypt = configs.decrypt;
+      }
+      if (!overrides.hasOwnProperty('maxAge')) {
+        overrides.maxAge = configs.maxAge;
+      }
+
+      if (overrides.decrypt) {
+        splitParameters.decrypt[parameterName] = overrides;
+      } else {
+        splitParameters.batch[parameterName] = overrides;
+      }
+    }
+
+    return splitParameters;
+  }
+
+  /**
+   * Throw a GetParameterError if fail-fast is disabled and `_errors` key is in parameters list.
+   * 
+   * @param {Record<string, unknown>} parameters 
+   * @param {string} reservedParameter 
+   * @param {boolean} throwOnError 
+   */
+  protected static throwIfErrorsKeyIsPresent(parameters: Record<string, unknown>, reservedParameter: string, throwOnError: boolean): void {
+    if (!throwOnError && parameters.hasOwnProperty(reservedParameter)) {
+      throw new GetParameterError(`You cannot fetch a parameter named ${reservedParameter} in graceful error mode.`);
+    }
+  }
+
+  protected transformAndCacheGetParametersResponse(response: GetParametersCommandOutput, parameters: Record<string, SSMGetParametersByNameOptionsInterface>, throwOnError: boolean): Record<string, unknown> {
+    const results: Record<string, unknown> = {};
+
+    for (const parameter of response.Parameters || []) {
+      // If the parameter is present in the response, then it has a Name
+      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+      const parameterName = parameter.Name!;
+      const parameterValue = parameter.Value;
+      const parameterOptions = parameters[parameterName];
+
+      let value;
+      // NOTE: if transform is set, we do it before caching to reduce number of operations
+      if (parameterValue && parameterOptions.transform) {
+        value = transformValue(parameterValue, parameterOptions.transform, throwOnError);
+      }
+
+      if (value) {
+        const cacheKey = [ parameterName, parameterOptions.transform ].toString();
+        super.addToCache(cacheKey, value, parameterOptions.maxAge || DEFAULT_MAX_AGE_SECS);
+      }
+
+      results[parameterName] = value;
+    }
+
+    return results;
+  }
 }
 
 const getParameter = (name: string, options?: SSMGetOptionsInterface): Promise<undefined | string | Record<string, unknown>> => {
diff --git a/packages/parameters/src/types/SSMProvider.ts b/packages/parameters/src/types/SSMProvider.ts
@@ -1,4 +1,5 @@
 import type { GetParameterCommandInput, GetParametersByPathCommandInput } from '@aws-sdk/client-ssm';
+import { ExpirableValue } from 'BaseProvider';
 import type { TransformOptions } from 'types/BaseProvider';
 
 /**
@@ -27,7 +28,33 @@ interface SSMGetMultipleOptionsInterface {
   throwOnTransformError?: boolean
 }
 
+interface SSMGetParametersByNameOptionsInterface {
+  maxAge?: number
+  throwOnError?: boolean
+  decrypt?: boolean
+  transform?: TransformOptions
+}
+
+type SSMSplitBatchAndDecryptParametersOutputType = {
+  batch: Record<string, SSMGetParametersByNameOptionsInterface>
+  decrypt: Record<string, SSMGetParametersByNameOptionsInterface>
+} & { [key: string]: SSMGetParametersByNameOptionsInterface };
+
+interface SSMGetParametersByNameOutputInterface {
+  response: Record<string, unknown>
+  errors: string[]
+}
+
+type SSMGetParametersByNameFromCacheOutputType = {
+  cached: Record<string, ExpirableValue | undefined>
+  toFetch: Record<string, ExpirableValue | undefined>
+} & { [key: string]: SSMGetParametersByNameOptionsInterface };
+
 export {
   SSMGetOptionsInterface,
   SSMGetMultipleOptionsInterface,
+  SSMGetParametersByNameOptionsInterface,
+  SSMSplitBatchAndDecryptParametersOutputType,
+  SSMGetParametersByNameOutputInterface,
+  SSMGetParametersByNameFromCacheOutputType,
 };
