fix(deploy): pass cron secret via CFN parameter, not ssm-secure resolve

CloudFormation rejects {{resolve:ssm-secure}} inside AWS::Scheduler::Schedule HttpInvokeArgs.HeaderParameters (documented property-allowlist limitation). Add a NoEcho CronSharedSecret parameter and fetch the SSM SecureString in CI, then pass via --parameter-overrides. Lambda runtime SSM-fetch flow unchanged.
2026-06-09 02:14:56 +00:00 · 2026-05-18 13:04:30 +07:00
parent c70b9d0c24
commit 585d99633f
2 changed files with 28 additions and 9 deletions
@@ -43,17 +43,23 @@ jobs:
      - name: SAM deploy
        env:
          ALERT_EMAIL: ${{ secrets.ALERT_EMAIL }}
+          STACK_ENV: prod
        run: |
+          set -euo pipefail
+          # EventBridge Scheduler can't resolve {{resolve:ssm-secure}} in
+          # HttpInvokeArgs.HeaderParameters; fetch and pass as a NoEcho param.
+          CRON_SECRET=$(aws ssm get-parameter \
+            --name "/miti99bot/${STACK_ENV}/cron-shared-secret" \
+            --with-decryption --query Parameter.Value --output text)
+          echo "::add-mask::$CRON_SECRET"
+          OVERRIDES="CronSharedSecret=$CRON_SECRET"
          if [ -n "$ALERT_EMAIL" ]; then
-            sam deploy --template-file template.yaml \
-              --no-confirm-changeset \
-              --no-fail-on-empty-changeset \
-              --parameter-overrides "AlertEmail=$ALERT_EMAIL"
-          else
-            sam deploy --template-file template.yaml \
-              --no-confirm-changeset \
-              --no-fail-on-empty-changeset
+            OVERRIDES="$OVERRIDES AlertEmail=$ALERT_EMAIL"
          fi
+          sam deploy --template-file template.yaml \
+            --no-confirm-changeset \
+            --no-fail-on-empty-changeset \
+            --parameter-overrides "$OVERRIDES"

      - name: Smoke test (Function URL responds)
        run: |
@@ -40,6 +40,19 @@ Parameters:
    Default: ""
    Description: Email for $1 budget alert. Leave empty to skip the budget resource.

+  # CFN does not allow {{resolve:ssm-secure:...}} inside
+  # AWS::Scheduler::Schedule HttpInvokeArgs.HeaderParameters (documented
+  # CloudFormation limitation — secure-string dynamic refs have a fixed
+  # property allowlist that excludes Scheduler header parameters). CI fetches
+  # /miti99bot/${StackEnv}/cron-shared-secret from SSM at deploy time and
+  # passes it here via --parameter-overrides. NoEcho masks the value in the
+  # CloudFormation console.
+  CronSharedSecret:
+    Type: String
+    NoEcho: true
+    Default: ""
+    Description: Shared secret EventBridge Scheduler attaches as the X-Cron-Token header. Sourced from SSM by CI.
+
 Conditions:
  HasAlertEmail: !Not [!Equals [!Ref AlertEmail, ""]]

@@ -199,7 +212,7 @@ Resources:
          EndpointUrl: !Sub "${BotFunctionUrl.FunctionUrl}cron/lolschedule_daily_push"
          HttpMethod: POST
          HeaderParameters:
-            X-Cron-Token: !Sub "{{resolve:ssm-secure:/miti99bot/${StackEnv}/cron-shared-secret}}"
+            X-Cron-Token: !Ref CronSharedSecret

  # --- Cost guard -----------------------------------------------------------