fix: internally paginate list secret calls (#2113)

aws-amplify · Oct 15, 2024 · f87cc87 · f87cc87
1 parent 39ea5a0
commit f87cc87
Show file tree

Hide file tree

Showing 3 changed files with 93 additions and 17 deletions.
diff --git a/.changeset/chilly-snakes-accept.md b/.changeset/chilly-snakes-accept.md
@@ -0,0 +1,5 @@
+---
+'@aws-amplify/backend-secret': patch
+---
+
+fix: internally paginate list secret calls
diff --git a/packages/backend-secret/src/ssm_secret.test.ts b/packages/backend-secret/src/ssm_secret.test.ts
@@ -1,6 +1,7 @@
 import { beforeEach, describe, it, mock } from 'node:test';
 import {
   GetParameterCommandOutput,
+  GetParametersByPathCommandInput,
   GetParametersByPathCommandOutput,
   InternalServerError,
   ParameterNotFound,
@@ -306,6 +307,7 @@ void describe('SSMSecret', () => {
       assert.deepStrictEqual(
         mockGetParametersByPath.mock.calls[0].arguments[0],
         {
+          NextToken: undefined,
           Path: testBranchPath,
           WithDecryption: true,
         }
@@ -337,13 +339,76 @@ void describe('SSMSecret', () => {
       assert.deepStrictEqual(
         mockGetParametersByPath.mock.calls[0].arguments[0],
         {
+          NextToken: undefined,
           Path: testSharedPath,
           WithDecryption: true,
         }
       );
       assert.deepEqual(secrets, [testSecretListItem]);
     });
 
+    void it('lists all secrets by internally paginating calls', async () => {
+      const mockGetParametersByPath = mock.method(
+        ssmClient,
+        'getParametersByPath',
+        (input: GetParametersByPathCommandInput) => {
+          let nextToken: string | undefined = undefined;
+          if (!input.NextToken) {
+            nextToken = '1';
+          } else if (input.NextToken === '1') {
+            nextToken = '2';
+          } else if (input.NextToken === '2') {
+            nextToken = undefined;
+          }
+          return Promise.resolve({
+            NextToken: nextToken,
+            Parameters: [
+              {
+                Name: testSharedSecretFullNamePath.concat(
+                  input.NextToken ?? ''
+                ),
+                Value: testSecretValue,
+                Version: testSecretVersion,
+                LastModifiedDate: testSecretLastUpdated,
+              },
+            ],
+          } as GetParametersByPathCommandOutput);
+        }
+      );
+
+      const secrets = await ssmSecretClient.listSecrets(testBackendId);
+      assert.deepStrictEqual(mockGetParametersByPath.mock.calls.length, 3);
+      assert.deepStrictEqual(
+        mockGetParametersByPath.mock.calls[0].arguments[0],
+        {
+          NextToken: undefined,
+          Path: testSharedPath,
+          WithDecryption: true,
+        }
+      );
+      assert.deepStrictEqual(
+        mockGetParametersByPath.mock.calls[1].arguments[0],
+        {
+          NextToken: '1',
+          Path: testSharedPath,
+          WithDecryption: true,
+        }
+      );
+      assert.deepStrictEqual(
+        mockGetParametersByPath.mock.calls[2].arguments[0],
+        {
+          NextToken: '2',
+          Path: testSharedPath,
+          WithDecryption: true,
+        }
+      );
+      assert.deepEqual(secrets, [
+        { ...testSecretListItem, name: testSecretName },
+        { ...testSecretListItem, name: testSecretName + '1' },
+        { ...testSecretListItem, name: testSecretName + '2' },
+      ]);
+    });
+
     void it('lists an empty list', async () => {
       const mockGetParametersByPath = mock.method(
         ssmClient,
@@ -359,6 +424,7 @@ void describe('SSMSecret', () => {
       assert.deepStrictEqual(
         mockGetParametersByPath.mock.calls[0].arguments[0],
         {
+          NextToken: undefined,
           Path: testBranchPath,
           WithDecryption: true,
         }

diff --git a/packages/backend-secret/src/ssm_secret.ts b/packages/backend-secret/src/ssm_secret.ts
@@ -68,24 +68,29 @@ export class SSMSecretClient implements SecretClient {
     const result: SecretListItem[] = [];
 
     try {
-      const resp = await this.ssmClient.getParametersByPath({
-        Path: path,
-        WithDecryption: true,
-      });
+      let nextToken: string | undefined;
+      do {
+        const resp = await this.ssmClient.getParametersByPath({
+          Path: path,
+          WithDecryption: true,
+          NextToken: nextToken,
+        });
 
-      resp.Parameters?.forEach((param) => {
-        if (!param.Name || !param.Value) {
-          return;
-        }
-        const secretName = param.Name.split('/').pop();
-        if (secretName) {
-          result.push({
-            name: secretName,
-            version: param.Version,
-            lastUpdated: param.LastModifiedDate,
-          });
-        }
-      });
+        resp.Parameters?.forEach((param) => {
+          if (!param.Name || !param.Value) {
+            return;
+          }
+          const secretName = param.Name.split('/').pop();
+          if (secretName) {
+            result.push({
+              name: secretName,
+              version: param.Version,
+              lastUpdated: param.LastModifiedDate,
+            });
+          }
+        });
+        nextToken = resp.NextToken;
+      } while (nextToken);
       return result;
     } catch (err) {
       throw SecretError.createInstance(err as Error);