
(lambda): ParamsAndSecretsVersions should return the latest, or new versions should be made available

Open tomHaum opened this issue 1 year ago • 2 comments

Describe the feature

Calling

cdk.aws_lambda.ParamsAndSecretsLayerVersion.fromVersion(cdk.aws_lambda.ParamsAndSecretsVersions.V1_0_103)

will always return the Lambda layer with a version of 4 for us-east-1. The CDK documentation states that this is the latest version, while the documentation in Lambda shows that 14 is the latest in this region.

Can new parameter versions be added to track the latest deployed versions in all regions?

Use Case

We want to stay current with the latest code, ensuring there are no vulnerabilities in old code that is known not to be the latest.

Proposed Solution

Add additional versions, or potentially a LATEST that tracks the latest Lambda release per region.

Other Information

No response

Acknowledgements

  • [X] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

CDK version used

2.151.0

Environment details (OS name and version, etc.)

Ubuntu 22.04.3 LTS x86

tomHaum, Oct 16 '24 00:10

Added a draft PR to show my implementation approach. I can update it with more docs/unit tests if this approach is acceptable and would get this merged in sooner.

tomHaum, Oct 16 '24 01:10

Hey @tomHaum, thanks for reaching out and submitting a PR. You could reach out to a community reviewer to review your PR by mentioning it in the cdk.dev community channel.

khushail, Oct 17 '24 00:10

Any update on this issue? We are getting hit with CVE-2024-24790 in Security Hub for go/stdlib in our Lambdas that are using this extension. The latest version in Lambda console is 17. Please advise.

Thanks!

einstein-aws, May 14 '25 15:05

@einstein-aws not sure if this is still an issue for you, but there's a monkey patch around it.

  1. With trial and error, find the latest available version of the params and secrets Lambda layer. As of now, the latest version I could find is version 19.

     aws lambda get-layer-version-by-arn \
      --region eu-central-1 \
      --arn arn:aws:lambda:eu-central-1:187925254637:layer:AWS-Parameters-and-Secrets-Lambda-Extension:<VERSION> \
      --query 'Content.Location' \
      --output text

  2. In CDK code, use the ARN instead of the version tag. You just need to replace ParamsAndSecretsLayerVersion.fromVersion(ParamsAndSecretsVersions.V1_0_103) with ParamsAndSecretsLayerVersion.fromVersionArn('arn:aws:lambda:eu-central-1:187925254637:layer:AWS-Parameters-and-Secrets-Lambda-Extension:19')

FYI: The ParamsAndSecretsVersions.V1_0_103 internally points to arn:aws:lambda:eu-central-1:187925254637:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4

fschaeffler, Sep 04 '25 12:09
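
The trial-and-error search from step 1 of the workaround above, automated as a shell function (an added example, not part of the thread or of the aws-cdk project). The function names, the starting version and the miss threshold are assumptions; the account ID and layer name are the ones quoted in the comment, and a gap-tolerant upward scan is one possible search strategy.

```shell
# Added example. Assumes the AWS CLI is installed and credentials are configured.
# Account ID and layer name are taken from the workaround comment above.
LAYER_ACCOUNT="187925254637"
LAYER_NAME="AWS-Parameters-and-Secrets-Lambda-Extension"

# layer_arn REGION VERSION -> prints the layer version ARN
layer_arn() {
  printf 'arn:aws:lambda:%s:%s:layer:%s:%s\n' "$1" "$LAYER_ACCOUNT" "$LAYER_NAME" "$2"
}

# probe_layer_version REGION VERSION -> exit 0 if that version can be retrieved.
# Caveat: any CLI failure (expired credentials, network error) also counts as a
# miss, so confirm `aws sts get-caller-identity` works before trusting a result.
probe_layer_version() {
  aws lambda get-layer-version-by-arn \
    --region "$1" \
    --arn "$(layer_arn "$1" "$2")" \
    --query 'Version' \
    --output text >/dev/null 2>&1
}

# find_latest_layer_version REGION [START] [MAX_MISSES]
# Scans upward from START (assumed default 1) and stops after MAX_MISSES
# consecutive missing versions (assumed default 5), so a gap in the numbering
# does not end the search early. Prints the ARN of the highest version found.
find_latest_layer_version() {
  local region=$1 v=${2:-1} max_misses=${3:-5} latest="" misses=0
  while [ "$misses" -lt "$max_misses" ]; do
    if probe_layer_version "$region" "$v"; then
      latest=$v
      misses=0
    else
      misses=$((misses + 1))
    fi
    v=$((v + 1))
  done
  [ -n "$latest" ] || return 1
  layer_arn "$region" "$latest"
}

# Usage: start at 4, the version V1_0_103 resolves to according to the thread.
#   find_latest_layer_version eu-central-1 4
```

The printed ARN is what goes into `ParamsAndSecretsLayerVersion.fromVersionArn(...)` in step 2; pinning it in code keeps deployments reproducible, so rerun the search when a new CVE finding shows up against the extension.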

Thanks, @fschaeffler! That helped.

einstein-aws, Sep 04 '25 16:09