Fix SSM parameter reads (#79)

* More verbose SSM logging

* Add more logging context

* Get param inside handler

* Bump param sidecar log level back to info

* Read directly instead of via layer

Author: samshadwell

Cargo.lock

@@ -22,9 +22,10 @@ path = "src/bin/add_subscriber.rs"
 anyhow = "1.0"
 email_address = "0.2"
 askama = "0.15"
-aws-config = { version = "1.1.7", features = ["rustls"] }
-aws-sdk-dynamodb = "1.16.0"
-aws-sdk-sesv2 = "1.14.0"
+aws-config = { version = "1.8.12", features = ["rustls"] }
+aws-sdk-dynamodb = "1.103.0"
+aws-sdk-sesv2 = "1.111.0"
+aws-sdk-ssm = "1.102.0"
 chrono = { version = "0.4", features = ["serde"] }
 futures = "0.3"
 lambda_http = "1.0.2"

Cargo.toml

@@ -27,12 +27,13 @@ resource "aws_lambda_function" "hndigest" {
   environment {
     variables = merge(
       {
-        RUST_LOG       = "info"
-        DYNAMODB_TABLE = each.value.table_name
-        EMAIL_FROM     = each.value.from_email
-        EMAIL_REPLY_TO = each.value.reply_to_email
-        RUN_HOUR_UTC   = tostring(var.run_hour_utc)
-        BASE_URL       = "https://${each.value.domain}"
+        AWS_LAMBDA_LOG_FORMAT = "json"
+        RUST_LOG              = "info"
+        DYNAMODB_TABLE        = each.value.table_name
+        EMAIL_FROM            = each.value.from_email
+        EMAIL_REPLY_TO        = each.value.reply_to_email
+        RUN_HOUR_UTC          = tostring(var.run_hour_utc)
+        BASE_URL              = "https://${each.value.domain}"
       },
       each.value.subject_prefix != "" ? { SUBJECT_PREFIX = each.value.subject_prefix } : {}
     )
@@ -64,17 +65,15 @@ resource "aws_lambda_function" "hndigest_api" {
   memory_size = var.lambda_memory_size
   timeout     = var.lambda_timeout
 
-  layers = [var.params_secrets_extension_arn]
-
   environment {
     variables = {
-      RUST_LOG                               = "info"
-      DYNAMODB_TABLE                         = each.value.table_name
-      BASE_URL                               = "https://${each.value.domain}"
-      EMAIL_FROM                             = each.value.from_email
-      EMAIL_REPLY_TO                         = each.value.reply_to_email
-      TURNSTILE_SECRET_KEY_PARAM             = aws_ssm_parameter.turnstile_secret_key[each.key].name
-      PARAMETERS_SECRETS_EXTENSION_LOG_LEVEL = "warn"
+      AWS_LAMBDA_LOG_FORMAT      = "json"
+      RUST_LOG                   = "info"
+      DYNAMODB_TABLE             = each.value.table_name
+      BASE_URL                   = "https://${each.value.domain}"
+      EMAIL_FROM                 = each.value.from_email
+      EMAIL_REPLY_TO             = each.value.reply_to_email
+      TURNSTILE_SECRET_KEY_PARAM = aws_ssm_parameter.turnstile_secret_key[each.key].name
     }
   }
 

infrastructure/lambda.tf

@@ -76,13 +76,6 @@ variable "turnstile_site_key" {
   default     = "0x4AAAAAACTuSJcLuENs4joL"
 }
 
-variable "params_secrets_extension_arn" {
-  description = "Full ARN of the AWS Parameters and Secrets Lambda Extension layer (region- and architecture-specific)"
-  type        = string
-  # This is for us-west-2, x86. See: https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html#ps-integration-lambda-extensions-add
-  default = "arn:aws:lambda:us-west-2:345057560386:layer:AWS-Parameters-and-Secrets-Lambda-Extension:24"
-}
-
 ###
 # Hosting config
 ###

infrastructure/variables.tf

@@ -8,6 +8,7 @@ use askama::Template;
 use aws_config::BehaviorVersion;
 use aws_sdk_sesv2::Client as SesClient;
 use aws_sdk_sesv2::types::{Body as SesBody, Content, Destination, EmailContent, Message};
+use aws_sdk_ssm::Client as SsmClient;
 use email_address::EmailAddress;
 use hndigest::storage_adapter::StorageAdapter;
 use hndigest::strategies::DigestStrategy;
@@ -68,19 +69,6 @@ struct TurnstileVerifyResponse {
     success: bool,
 }
 
-/// Response from the AWS Parameters and Secrets Lambda Extension.
-#[derive(Debug, Deserialize)]
-struct SsmExtensionResponse {
-    #[serde(rename = "Parameter")]
-    parameter: SsmParameterValue,
-}
-
-#[derive(Debug, Deserialize)]
-struct SsmParameterValue {
-    #[serde(rename = "Value")]
-    value: String,
-}
-
 // ============================================================================
 // HTTP Response Helpers
 // ============================================================================
@@ -160,18 +148,28 @@ async fn main() -> Result<(), Error> {
         .map_err(|_| Error::from("EMAIL_REPLY_TO environment variable must be set"))?;
     let base_url = env::var("BASE_URL")
         .map_err(|_| Error::from("BASE_URL environment variable must be set"))?;
+
+    // I'd love to pass this as an environment variable, but using AWS secrets manager is expensive
+    // and this is effectively free
+    let ssm_client = SsmClient::new(&config);
     let turnstile_secret_key_param = env::var("TURNSTILE_SECRET_KEY_PARAM")
         .map_err(|_| Error::from("TURNSTILE_SECRET_KEY_PARAM environment variable must be set"))?;
+    let turnstile_secret_key = ssm_client
+        .get_parameter()
+        .name(&turnstile_secret_key_param)
+        .with_decryption(true)
+        .send()
+        .await?
+        .parameter()
+        .and_then(|p| p.value.clone())
+        .ok_or_else(|| {
+            anyhow::format_err!(
+                "SSM parameter value not found for name {}",
+                turnstile_secret_key_param
+            )
+        })?;
 
     let http_client = reqwest::Client::new();
-    let turnstile_secret_key = fetch_ssm_parameter(&http_client, &turnstile_secret_key_param)
-        .await
-        .map_err(|e| {
-            Error::from(format!(
-                "Failed to fetch SSM parameter {}: {}",
-                turnstile_secret_key_param, e
-            ))
-        })?;
     let storage = Arc::new(StorageAdapter::new(dynamodb_client, dynamodb_table));
     let state = Arc::new(AppState {
         storage,
@@ -305,27 +303,6 @@ async fn handle_unsubscribe_post(
     }
 }
 
-/// Fetch a parameter from SSM via the AWS Parameters and Secrets Lambda Extension.
-/// The extension runs as a Lambda layer and serves requests on localhost:2773.
-async fn fetch_ssm_parameter(
-    http_client: &reqwest::Client,
-    parameter_name: &str,
-) -> Result<String, Box<dyn std::error::Error>> {
-    let session_token = env::var("AWS_SESSION_TOKEN")?;
-    let response: SsmExtensionResponse = http_client
-        .get(format!(
-            "http://localhost:2773/systemsmanager/parameters/get?name={}&withDecryption=true",
-            urlencoding::encode(parameter_name)
-        ))
-        .header("X-Aws-Parameters-Secrets-Token", &session_token)
-        .send()
-        .await?
-        .error_for_status()?
-        .json()
-        .await?;
-    Ok(response.parameter.value)
-}
-
 /// Verify a Cloudflare Turnstile CAPTCHA token.
 async fn verify_turnstile_token(
     http_client: &reqwest::Client,
@@ -385,6 +362,7 @@ async fn handle_subscribe_post(state: &Arc<AppState>, body: &str) -> Response<Bo
         warn!("Missing Turnstile CAPTCHA token");
         return json_response(400, r#"{"error": "CAPTCHA verification required"}"#);
     }
+
     match verify_turnstile_token(
         &state.http_client,
         &state.turnstile_secret_key,