fix(cdk): resolve publickey deletion on stack update

Author: shellscape

packages/cdk/src/methods/secret.ts

@@ -1,11 +1,13 @@
 import { SecretsManagerClient, ListSecretsCommand } from '@aws-sdk/client-secrets-manager';
 import { IGrantable } from 'aws-cdk-lib/aws-iam';
-import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
+import { ISecret, Secret } from 'aws-cdk-lib/aws-secretsmanager';
 import { SecretValue } from 'aws-cdk-lib';
 import { nanoid } from 'nanoid';
 
 import { DotStack } from '../constructs/Stack';
 
+export { ISecret, Secret, SecretValue };
+
 interface AddSecretOptions {
   consumers?: IGrantable[];
   name: string;

packages/cdk/src/methods/signing.ts

@@ -1,66 +1,89 @@
-import { generateKeyPairSync } from 'crypto';
-
-import { PublicKey } from 'aws-cdk-lib/aws-cloudfront';
+import { IPublicKey, PublicKey } from 'aws-cdk-lib/aws-cloudfront';
+import { Provider } from 'aws-cdk-lib/custom-resources';
+import { CfnOutput, CustomResource, RemovalPolicy } from 'aws-cdk-lib';
+import { InlineCode, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
 
 import { type DotStack } from '../constructs/Stack';
 
 import { addSecret } from './secret';
 import { addParam, getParamValue } from './ssm';
 
-const generateRsaKeyPair = () => {
-  const { privateKey, publicKey } = generateKeyPairSync('rsa', {
-    modulusLength: 2048,
-    privateKeyEncoding: {
-      format: 'pem',
-      type: 'pkcs8'
-    },
-    publicKeyEncoding: {
-      format: 'pem',
-      type: 'spki'
-    }
+export const getKeyPair = (scope: DotStack) => {
+  const keyGenFunction = new Function(scope, 'KeyGen', {
+    code: new InlineCode(`
+          exports.handler=async e=>{
+            if(e.RequestType!='Delete'){
+              const k=require('crypto').generateKeyPairSync('rsa',{
+                modulusLength:2048,
+                privateKeyEncoding:{format:'pem',type:'pkcs8'},
+                publicKeyEncoding:{format:'pem',type:'spki'}
+              });
+              return{Data:{publicKey:k.publicKey,keyPair:JSON.stringify(k)}};
+            }
+            return{};
+          }`),
+    handler: 'index.handler',
+    runtime: Runtime.NODEJS_20_X
+  });
+
+  const customResource = new CustomResource(scope, 'KeyGenResource', {
+    serviceToken: new Provider(scope, 'KeyGenProvider', {
+      onEventHandler: keyGenFunction
+    }).serviceToken
   });
-  return { privateKey, publicKey };
+
+  return {
+    keyPair: customResource.getAttString('keyPair'),
+    publicKey: customResource.getAttString('publicKey')
+  };
 };
 
 export const addSigningKey = async (scope: DotStack) => {
   const baseName = 'signing-pubkey';
+  const publicKeyName = scope.resourceName(baseName);
   const paramName = `${scope.ssmPrefix}/id/${baseName}`;
   const existingKeyId = await getParamValue(paramName);
+  const secretName = `${scope.ssmPrefix}/key/signing`;
+  const keys = getKeyPair(scope);
+  let publicKey: IPublicKey;
 
   if (existingKeyId) {
-    return PublicKey.fromPublicKeyId(
+    publicKey = PublicKey.fromPublicKeyId(
       scope,
       `PublicKey-fromPublicKeyId-${+new Date()}`,
       existingKeyId
-    );
+    ) as any;
+  } else {
+    publicKey = new PublicKey(scope, publicKeyName, {
+      encodedKey: keys.publicKey,
+      publicKeyName
+    });
+    scope.overrideId(publicKey as any, publicKeyName);
+    publicKey.applyRemovalPolicy(RemovalPolicy.RETAIN_ON_UPDATE_OR_DELETE);
   }
 
-  // FIXME: We have to not run this for additional deploys to prod
-  // because for some reason it fails if the public key exists already
-  // https://github.com/aws/aws-cdk/issues/15301
-  const keyPair = generateRsaKeyPair();
-
-  addSecret({
+  const { secret: publicKeySecret } = addSecret({
     name: `${scope.env}-signing-key-pair`,
     scope,
-    secretName: `${scope.ssmPrefix}/key/signing`,
-    value: JSON.stringify(keyPair)
+    secretName,
+    value: keys.keyPair
   });
 
-  const publicKeyName = scope.resourceName(baseName);
-  const cfKey = new PublicKey(scope, publicKeyName, {
-    encodedKey: keyPair.publicKey,
-    publicKeyName
-  });
-
-  scope.overrideId(cfKey, publicKeyName);
-
-  addParam({
+  const publicKeyParam = addParam({
     id: `${publicKeyName}-id`,
     name: paramName,
     scope,
-    value: cfKey.publicKeyId
+    value: publicKey.publicKeyId
+  });
+
+  // Note: We HAVE to output this, or else CDK will think we're
+  // not using the result of PublicKey.fromPublicKeyId and will discard it
+  // which effectively deletes the publicKey that was created in an initial
+  // deploy (but not in subsequent deploys)
+  // eslint-disable-next-line no-new
+  new CfnOutput(scope, 'cloudfrontPublicKeyId', {
+    value: publicKey.publicKeyId
   });
 
-  return cfKey;
+  return { publicKey, publicKeyParam, publicKeySecret };
 };