feat(ssm): reference latest version of secure string parameters (#18187)

Supported by CF since April 2021 but not yet ported to CDK.

See https://aws.amazon.com/about-aws/whats-new/2021/04/now-reference-latest-aws-systems-manager-parameter-values-in-aws-cloudformation-templates-without-specifying-parameter-versions/

Close #17091


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: jogold

packages/@aws-cdk/aws-ssm/lib/parameter.ts

@@ -311,9 +311,11 @@ export interface StringParameterAttributes extends CommonStringParameterAttribut
  */
 export interface SecureStringParameterAttributes extends CommonStringParameterAttributes {
   /**
-   * The version number of the value you wish to retrieve. This is required for secure strings.
+   * The version number of the value you wish to retrieve.
+   *
+   * @default - AWS CloudFormation uses the latest version of the parameter
    */
-  readonly version: number;
+  readonly version?: number;
 
   /**
    * The encryption key that is used to encrypt this parameter
@@ -365,7 +367,8 @@ export class StringParameter extends ParameterBase implements IStringParameter {
    * Imports a secure string parameter from the SSM parameter store.
    */
   public static fromSecureStringParameterAttributes(scope: Construct, id: string, attrs: SecureStringParameterAttributes): IStringParameter {
-    const stringValue = new CfnDynamicReference(CfnDynamicReferenceService.SSM_SECURE, `${attrs.parameterName}:${Tokenization.stringifyNumber(attrs.version)}`).toString();
+    const version = attrs.version ? Tokenization.stringifyNumber(attrs.version) : '';
+    const stringValue = new CfnDynamicReference(CfnDynamicReferenceService.SSM_SECURE, `${attrs.parameterName}:${version}`).toString();
 
     class Import extends ParameterBase {
       public readonly parameterName = attrs.parameterName;

packages/@aws-cdk/aws-ssm/test/parameter.test.ts

@@ -589,6 +589,19 @@ test('StringParameter.fromSecureStringParameterAttributes with encryption key cr
   });
 });
 
+test('StringParameter.fromSecureStringParameterAttributes without version', () => {
+  // GIVEN
+  const stack = new cdk.Stack();
+
+  // WHEN
+  const param = ssm.StringParameter.fromSecureStringParameterAttributes(stack, 'MyParamName', {
+    parameterName: 'MyParamName',
+  });
+
+  // THEN
+  expect(stack.resolve(param.stringValue)).toEqual('{{resolve:ssm-secure:MyParamName:}}');
+});
+
 test('StringListParameter.fromName', () => {
   // GIVEN
   const stack = new cdk.Stack();

packages/@aws-cdk/core/README.md

@@ -223,7 +223,9 @@ Using AWS Secrets Manager is the recommended way to reference secrets in a CDK a
 `SecretValue` also supports the following secret sources:
 
  - `SecretValue.plainText(secret)`: stores the secret as plain text in your app and the resulting template (not recommended).
- - `SecretValue.ssmSecure(param, version)`: refers to a secret stored as a SecureString in the SSM Parameter Store.
+ - `SecretValue.ssmSecure(param, version)`: refers to a secret stored as a SecureString in the SSM
+ Parameter Store. If you don't specify the exact version, AWS CloudFormation uses the latest
+ version of the parameter.
  - `SecretValue.cfnParameter(param)`: refers to a secret passed through a CloudFormation parameter (must have `NoEcho: true`).
  - `SecretValue.cfnDynamicReference(dynref)`: refers to a secret described by a CloudFormation dynamic reference (used by `ssmSecure` and `secretsManager`).
 

packages/@aws-cdk/core/lib/secret-value.ts

@@ -67,11 +67,11 @@ export class SecretValue extends Intrinsic {
    * Parameter Store. The parameter name is case-sensitive.
    *
    * @param version An integer that specifies the version of the parameter to
-   * use. You must specify the exact version. You cannot currently specify that
-   * AWS CloudFormation use the latest version of a parameter.
+   * use. If you don't specify the exact version, AWS CloudFormation uses the
+   * latest version of the parameter.
    */
-  public static ssmSecure(parameterName: string, version: string): SecretValue {
-    const parts = [parameterName, version];
+  public static ssmSecure(parameterName: string, version?: string): SecretValue {
+    const parts = [parameterName, version ?? ''];
     return this.cfnDynamicReference(new CfnDynamicReference(CfnDynamicReferenceService.SSM_SECURE, parts.join(':')));
   }
 

packages/@aws-cdk/core/test/secret-value.test.ts

@@ -119,6 +119,17 @@ describe('secret value', () => {
 
   });
 
+  test('ssmSecure without version', () => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    const v = SecretValue.ssmSecure('param-name');
+
+    // THEN
+    expect(stack.resolve(v)).toEqual('{{resolve:ssm-secure:param-name:}}');
+  });
+
   test('cfnDynamicReference', () => {
     // GIVEN
     const stack = new Stack();

packages/aws-cdk-lib/README.md

@@ -254,7 +254,9 @@ Using AWS Secrets Manager is the recommended way to reference secrets in a CDK a
 `SecretValue` also supports the following secret sources:
 
  - `SecretValue.plainText(secret)`: stores the secret as plain text in your app and the resulting template (not recommended).
- - `SecretValue.ssmSecure(param, version)`: refers to a secret stored as a SecureString in the SSM Parameter Store.
+ - `SecretValue.ssmSecure(param, version)`: refers to a secret stored as a SecureString in the SSM
+ Parameter Store. If you don't specify the exact version, AWS CloudFormation uses the latest
+ version of the parameter.
  - `SecretValue.cfnParameter(param)`: refers to a secret passed through a CloudFormation parameter (must have `NoEcho: true`).
  - `SecretValue.cfnDynamicReference(dynref)`: refers to a secret described by a CloudFormation dynamic reference (used by `ssmSecure` and `secretsManager`).