(aws-cdk-lib.aws_cloudfront): CachePolicy TTL value from SSM parameter not resolved correctly

[enpatrik]

Describe the bug

CloudFront CachePolicy min/max/default TTL settings does not work with tokenized values (like SSM parameter).

Expected Behavior

The CachePolicy settings to be set with the value from the SSM parameter.

Current Behavior

The SSM parameter references are not resolved correctly.

Reproduction Steps

Example1 (only using SSM parameter for defaultTtl):

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ssm from 'aws-cdk-lib/aws-ssm';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';

export class BugStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const defaultTtl = cdk.Token.asNumber(ssm.StringParameter.valueForStringParameter(this,'/Default'))

    new cloudfront.CachePolicy(this, 'CachePolicy', {
      defaultTtl: cdk.Duration.seconds(defaultTtl),
    })
  }
}

Result1:

"CachePolicy": {
 "Type": "AWS::CloudFront::CachePolicy",
 "Properties": {
  "CachePolicyConfig": {
   "DefaultTTL": 0, // Should reference SSM parameter
   "MaxTTL": 31536000,
   "MinTTL": 0,
   // ...

---

Example2 (using SSM parameters for all ttl values):

const minTtl = cdk.Token.asNumber(ssm.StringParameter.valueForStringParameter(this,'/Min'))
const maxTtl = cdk.Token.asNumber(ssm.StringParameter.valueForStringParameter(this,'/Max'))
const defaultTtl = cdk.Token.asNumber(ssm.StringParameter.valueForStringParameter(this,'/Default'))

new cloudfront.CachePolicy(this, 'CachePolicy', {
    minTtl: cdk.Duration.seconds(minTtl),
    maxTtl: cdk.Duration.seconds(maxTtl),
    defaultTtl: cdk.Duration.seconds(defaultTtl),
})

Result:

"CachePolicy": {
 "Type": "AWS::CloudFront::CachePolicy",
 "Properties": {
  "CachePolicyConfig": {
   "DefaultTTL": {
    "Ref": "SsmParameterValueMin...Parameter" // Min
   },
   "MaxTTL": {
    "Ref": "SsmParameterValueMin...Parameter" // Min
   },
   "MinTTL": {
    "Ref": "SsmParameterValueMin...Parameter" // Min
   },
   // ...

Possible Solution

No response

Additional Information/Context

Suspected issue: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-cloudfront/lib/cache-policy.ts#L143

Looks like Math.max() usage with tokenized number results in "random"(depending on the definition order) SSM parameter being picked.

// props.defaultTtl token will be a negative number, e.g. -1.8881545897088877e+289
const defaultTtl = Math.max((props.defaultTtl ?? Duration.days(1)).toSeconds(), minTtl);
// props.maxTtl token will be a negative number, e.g. -1.8881545897088894e+289
const maxTtl = Math.max((props.maxTtl ?? Duration.days(365)).toSeconds(), defaultTtl); 

CDK CLI Version

2.81.0 (build bd920f2)

Framework Version

No response

Node.js Version

v18.16.0

OS

MacOS

Language

Typescript

Language Version

Typescript 5.0.4

Other information

No response

[peterwoodworth]

Thanks for reporting this, you're right about this. We don't provide a way to handle this scenario.

You can work around this by overriding the template where you need this parameter like so:

const cachePolicy = new cf.CachePolicy(this, 'CachePolicy');
const ssmParam = ssm.StringParameter.valueForStringParameter(this, 'defaultTtl');

(cachePolicy.node.defaultChild as cf.CfnCachePolicy).addPropertyOverride('CachePolicyConfig.DefaultTTL', ssmParam);

[enpatrik]

Thanks for the quick response and workaround @peterwoodworth! The workaround should work for us in this case.

Since we are utilizing SSM parameters quite heavily to configure resources in different accounts. We're wondering if this might be problematic in other cases with the CDK. Or should it normally work using SSM parameters for any kind of resource property?

---

Searching specifically for Math.max(...) usages, I suspect that the AutoScalingGroup properties might have a similar issue:

const minCapacity = props.minCapacity ?? 1;
const maxCapacity = props.maxCapacity ?? desiredCapacity ?? Math.max(minCapacity, 1);

https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-autoscaling/lib/auto-scaling-group.ts#L1333

[peterwoodworth]

If the constructs try to do any sort of logic with the values passed in without first checking if its a token, then there's a decent chance it won't work with SSM Parameters. We may be able to patch these on an individual basis if you run into them

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.