
AWS requires with_decryption when creating values in secrets manager #419

Open
moodwrench opened this issue Oct 19, 2020 · 4 comments

Comments

@moodwrench

cookbook version: 8.3.0
chef_version: 14.13.11
gems:
aws-sdk-core 3.109.1
aws-sdk-ssm 1.95.0

sample code:

aws_ssm_parameter_store "adding" do
  path        '/aws/reference/secretsmanager/path/to/my/secret'
  description 'testing'
  value       'removed'
  with_decryption true  # this doesn't seem to do anything
  sensitive   true

  key_id 'removed'
  region 'removed'

  action :create
end
================================================================================
Error executing action `create` on resource 'aws_ssm_parameter_store[adding Test Application token to secrets_manager]'
================================================================================

Aws::SSM::Errors::ValidationException
-------------------------------------
WithDecryption flag must be True for retrieving a Secret Manager secret.

Cookbook Trace:
---------------
/tmp/kitchen/cache/cookbooks/aws/resources/ssm_parameter_store.rb:136:in `write_parameter'
/tmp/kitchen/cache/cookbooks/aws/resources/ssm_parameter_store.rb:97:in `block in class_from_file'
@majormoses
Contributor

I'd have to dig closer but if I am not mistaken secrets manager and ssm parameter store are very similar but just different enough to cause these types of issues. Not sure if we should create a new resource for it.

Regarding the second issue (not able to pass that attribute): I have only used this resource for retrieving credentials, so I did not notice, but it seems that while the property exists on the resource it is not exposed to that action and was only given for the get* actions. Again, I suspect that this is a nuance of SSM Parameter Store vs Secrets Manager.

Defined in the resource: https://github.com/chef-cookbooks/aws/blob/v8.3.0/resources/ssm_parameter_store.rb#L15

Defined for :get: https://github.com/chef-cookbooks/aws/blob/v8.3.0/resources/ssm_parameter_store.rb#L48

Defined for :get_parameters: https://github.com/chef-cookbooks/aws/blob/v8.3.0/resources/ssm_parameter_store.rb#L59

Defined for :get_parameters_by_path: https://github.com/chef-cookbooks/aws/blob/v8.3.0/resources/ssm_parameter_store.rb#L76

Request does not contain this value for :create:
https://github.com/chef-cookbooks/aws/blob/v8.3.0/resources/ssm_parameter_store.rb#L98-L106

However...this is my guess where the "bug" might be, can you try setting the type on the resource and see if it works?:
https://github.com/chef-cookbooks/aws/blob/v8.3.0/resources/ssm_parameter_store.rb#L133

@moodwrench
Author

no luck

with:

aws_ssm_parameter_store "adding" do
  path        '/aws/reference/secretsmanager/path/to/my/secret'
  description 'testing'
  value       'removed'
  with_decryption true  # this doesn't seem to do anything
  sensitive   true
  type        'SecureString'

  key_id 'removed'
  region 'removed'

  action :create
end
Aws::SSM::Errors::ValidationException
-------------------------------------
An error occurred while calling one AWS dependency service.

Cookbook Trace:
---------------
/tmp/kitchen/cache/cookbooks/aws/resources/ssm_parameter_store.rb:136:in `write_parameter'
/tmp/kitchen/cache/cookbooks/aws/resources/ssm_parameter_store.rb:97:in `block in class_from_file'

@moodwrench
Author

It may not be possible to write Secrets Manager secrets through put_parameter. From what I can infer from https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html, it can be used as a pass-through for reading values, but not for adding them.

@majormoses
Contributor

majormoses commented Oct 20, 2020

That makes sense after reading the link: it's a pass-through ref that can only retrieve; it cannot insert, delete, or even describe. I would say, based on that, that we would likely need a new resource for Secrets Manager to implement the "missing methods".
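An added example (not code from the aws cookbook) that encodes the conclusion of this thread: a small Ruby routing layer that forces `with_decryption` for reads under the `/aws/reference/secretsmanager/` prefix, and refuses `put_parameter` writes to that prefix up front so the failure is caught before AWS returns its opaque ValidationException. The helper and error names are my own, not the cookbook's.

```ruby
# Added example, not the aws cookbook's own code. Paths under this prefix are
# SSM pass-through references to Secrets Manager: readable via GetParameter
# with WithDecryption=true, but not writable via PutParameter.
SECRETS_MANAGER_PREFIX = '/aws/reference/secretsmanager/'.freeze

class UnsupportedWriteError < StandardError; end

def secrets_manager_reference?(path)
  path.start_with?(SECRETS_MANAGER_PREFIX)
end

# Name of the Secrets Manager secret that a pass-through path refers to.
def secret_name_from_reference(path)
  raise ArgumentError, "not a Secrets Manager reference: #{path}" unless secrets_manager_reference?(path)
  path.delete_prefix(SECRETS_MANAGER_PREFIX)
end

# Argument hash for Aws::SSM::Client#get_parameter. AWS rejects reads of a
# Secrets Manager reference unless WithDecryption is true, so it is forced
# for those paths regardless of what the caller passed.
def get_parameter_request(path, with_decryption: false)
  { name: path, with_decryption: secrets_manager_reference?(path) || with_decryption }
end

# Argument hash for Aws::SSM::Client#put_parameter. Writes to the pass-through
# prefix are refused here with an explanatory error; the secret itself has to be
# written through the Secrets Manager API (e.g. Aws::SecretsManager::Client#put_secret_value).
def put_parameter_request(path, value, type: 'String', key_id: nil, overwrite: true)
  if secrets_manager_reference?(path)
    raise UnsupportedWriteError,
          "#{path} is a read-only reference; write secret '#{secret_name_from_reference(path)}' via Secrets Manager"
  end
  req = { name: path, value: value, type: type, overwrite: overwrite }
  # key_id only applies to SecureString parameters (KMS key used for encryption).
  req[:key_id] = key_id if key_id && type == 'SecureString'
  req
end
```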
