Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate that SSM params have leading '/' #53

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Validate that SSM params have leading '/' #53

wants to merge 1 commit into from

Conversation

aengelas
Copy link
Contributor

@aengelas aengelas commented Jun 6, 2024

A value like 'ssm://foo/bar' will currently get picked up as a parameter named 'foo/bar', but then the lookup in AWS will fail. These changes add a simple validation that the path has a leading '/'.

@aengelas
Validate that SSM params have leading '/'
4cbfae7 
A value like 'ssm://foo/bar' will currently get picked up as a parameter
named 'foo/bar', but then the lookup in AWS will fail. These changes add
a simple validation that the path has a leading '/'.
@aengelas aengelas requested a review from isobit June 6, 2024 22:00
@aengelas
Copy link
Contributor Author

aengelas commented Jun 6, 2024

@michsa

isobit
isobit reviewed Jun 6, 2024
View reviewed changes
main.go
Comment on lines +191 to +193
if !strings.HasPrefix(*parameter, "/") {
return fmt.Errorf("SSM parameters must have a leading '/' (ssm:///<path>): %s", envvar)
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this respect nofail?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know. I thought the intention behind nofail was to bypass aws lookups, not validation. We've already got some other checks like this:

ssm-env/main.go

Lines 183 to 187 in 4cbfae7

parameter, err := e.parameter(k, v)
if err != nil {
// TODO: Should this _also_ not error if nofail is passed?
return fmt.Errorf("determining name of parameter: %v", err)
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess the question is "what does nofail actually mean?"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The arg docs say "Don't fail if error retrieving parameter", which to me implies that this should fail.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Subjective of course but I would interpret that to mean this shouldn't fail...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@isobit isobit isobit left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@aengelas @isobit