Skip to content

feat(aws): add configurable tagging API resource resolver#913

Open
tom-groves wants to merge 3 commits intonitrictech:mainfrom
tom-groves:fix/replace-ssm-with-tagging-api
Open

feat(aws): add configurable tagging API resource resolver#913
tom-groves wants to merge 3 commits intonitrictech:mainfrom
tom-groves:fix/replace-ssm-with-tagging-api

Conversation

@tom-groves
Copy link

@tom-groves tom-groves commented Mar 14, 2026

Description

Add a resource-resolver: tagging stack config option that allows the AWS provider to skip SSM Parameter Store for runtime resource discovery and use the AWS Resource Groups Tagging API instead.

Problem: The AWS provider stores a JSON resource index in SSM Parameter Store so Lambda functions can discover peer resources (buckets, topics, secrets, etc.) at runtime. SSM Standard tier has a 4,096-character limit. A prior fix auto-selects Advanced tier (8KB limit), but this is still a ceiling that gets hit with larger stacks (e.g. 22 topics, 14 secrets, 7 buckets, 6 KV stores produces ~9KB of JSON).

Solution: The runtime already has a fully working AwsTaggedResourceResolver using the Resource Groups Tagging API, selectable via NITRIC_AWS_RESOURCE_RESOLVER=tagging env var. Resources are already tagged at deploy time with x-nitric-<stackId>-name and x-nitric-<stackId>-type tags. The tag:GetResources and apigateway:GET IAM permissions are already granted unconditionally to Lambda and Batch roles. This PR simply wires up a config option to skip SSM creation and pass the env var through.

GCP and Azure don't have this problem — they use tag/label-based resolution by default with no stored index. This change aligns the AWS provider with that pattern (opt-in for now).

Stack file usage:

# nitric-aws.yaml
provider: nitric/aws@latest
region: us-east-2
resource-resolver: tagging  # default: ssm

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Changes by file

File Change
cloud/aws/common/config.go Add ResourceResolver field, ResourceResolverSSM/ResourceResolverTagging constants, default to "ssm", validate against known values
cloud/aws/common/config_test.go Unit tests for config validation (default, explicit ssm, tagging, invalid values)
cloud/aws/deploy/resources.go Early return when "tagging" — skip SSM parameter creation
cloud/aws/deploy/service.go Set NITRIC_AWS_RESOURCE_RESOLVER env var on Lambda when "tagging"
cloud/aws/deploy/batch.go Set NITRIC_AWS_RESOURCE_RESOLVER env var on Batch jobs when "tagging"
cloud/aws/deploytf/resources.go Early return when "tagging" — skip SSM parameter creation
cloud/aws/deploytf/service.go Set NITRIC_AWS_RESOURCE_RESOLVER env var on CDKTF services when "tagging"
docs/docs/providers/pulumi/aws.mdx Document resource-resolver option in stack config reference
docs/docs/providers/terraform/aws.mdx Document resource-resolver option in stack config reference

What is NOT changed

  • Runtime code — already handles the env var toggle between SSM and tagging resolvers
  • IAM policiestag:GetResources and apigateway:GET already granted unconditionally
  • Tags infrastructure — resources already tagged at deploy time
  • Default behavior — existing stacks without this config option are completely unaffected

Testing

Unit tests

=== RUN   TestConfigFromAttributes_ResourceResolver
=== RUN   TestConfigFromAttributes_ResourceResolver/defaults_to_ssm_when_not_specified
=== RUN   TestConfigFromAttributes_ResourceResolver/accepts_ssm_explicitly
=== RUN   TestConfigFromAttributes_ResourceResolver/accepts_tagging
=== RUN   TestConfigFromAttributes_ResourceResolver/rejects_invalid_value
=== RUN   TestConfigFromAttributes_ResourceResolver/rejects_arbitrary_string
--- PASS: TestConfigFromAttributes_ResourceResolver (0.00s)

Existing runtime resource resolver tests also pass unchanged.

Live deployment — Pulumi Provider (nitric/aws@0.0.1)

Built both provider binaries from this branch and deployed a test project with a bucket, topic, secret, and API to us-east-2 with resource-resolver: tagging. 7/7 verification tests passed:

Test Result
No SSM parameter created ParameterNotFound confirmed
Resources tagged via Tagging API ✅ 7 resources found (bucket, topic, SNS, SFN, API, secret, Lambda, ECR)
Lambda NITRIC_AWS_RESOURCE_RESOLVER=tagging ✅ Confirmed on tagging-test_services-api-5b01437
Health check (runtime resolver = tagging) {"status":"ok","resolver":"tagging"}
Bucket write+read (resource resolved via tags) ✅ Write and read succeeded
Topic publish (resource resolved via tags) ✅ Published successfully
Secret put+access (resource resolved via tags) ✅ Put and access succeeded

Generated Terraform inspection — CDKTF Provider (nitric/awstf@0.0.1)

Test Result
No SSM parameter module in generated Terraform ✅ Module list: api, bucket, policy×3, secret, service, stack, topic — no parameter
NITRIC_AWS_RESOURCE_RESOLVER=tagging in service env ✅ Present in cdk.tf.json service module

@tom-groves
feat(aws): add configurable tagging API resource resolver via stack c…
8fbce5b 
…onfig

Add `resource-resolver: tagging` stack config option that skips SSM
parameter creation and tells the runtime to use the Resource Groups
Tagging API for resource discovery. This avoids the SSM 4KB/8KB size
limit that breaks large stacks. Default behaviour (SSM) is unchanged.
@tom-groves
docs(aws): document resource-resolver config option
8facf40 
Add resource-resolver option to both Pulumi and Terraform AWS provider
stack configuration reference. Explains the 'ssm' (default) vs 'tagging'
modes and the SSM size limit motivation.
@tom-groves
fix(aws): validate resource-resolver config and use named constants
7616e7a 
Address code review feedback:
- Validate resource-resolver accepts only "ssm" or "tagging", rejecting
  typos with a clear error at deploy time
- Extract ResourceResolverSSM and ResourceResolverTagging constants to
  eliminate magic string duplication across 7 call sites
- Add unit tests for config validation (default, explicit ssm, tagging,
  and invalid values)
@vercel
Copy link

vercel bot commented Mar 14, 2026

@tom-groves is attempting to deploy a commit to the Nitric Team on Vercel.

A member of the Team first needs to authorize it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jyecusch jyecusch Awaiting requested review from jyecusch jyecusch is a code owner

@tjholm tjholm Awaiting requested review from tjholm tjholm is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tom-groves