fix(cdk): dont try to create a new publickey if it exits. cdk bug

shellscape · shellscape · commit 491c66ec9f57 · 2025-02-17T15:35:01.000-05:00
diff --git a/packages/cdk/src/methods/signing.ts b/packages/cdk/src/methods/signing.ts
@@ -5,7 +5,7 @@ import { PublicKey } from 'aws-cdk-lib/aws-cloudfront';
 import { type DotStack } from '../constructs/Stack';
 
 import { addSecret } from './secret';
-import { addParam } from './ssm';
+import { addParam, getParamValue } from './ssm';
 
 const generateRsaKeyPair = () => {
   const { privateKey, publicKey } = generateKeyPairSync('rsa', {
@@ -22,7 +22,19 @@ const generateRsaKeyPair = () => {
   return { privateKey, publicKey };
 };
 
-export const addSigningKey = (scope: DotStack) => {
+export const addSigningKey = async (scope: DotStack) => {
+  const baseName = 'signing-pubkey';
+  const paramName = `${scope.ssmPrefix}/id/${baseName}`;
+  const existingKeyId = await getParamValue(paramName);
+
+  if (existingKeyId) {
+    return PublicKey.fromPublicKeyId(
+      scope,
+      `PublicKey-fromPublicKeyId-${+new Date()}`,
+      existingKeyId
+    );
+  }
+
   // FIXME: We have to not run this for additional deploys to prod
   // because for some reason it fails if the public key exists already
   // https://github.com/aws/aws-cdk/issues/15301
@@ -35,7 +47,6 @@ export const addSigningKey = (scope: DotStack) => {
     value: JSON.stringify(keyPair)
   });
 
-  const baseName = 'signing-pubkey';
   const publicKeyName = scope.resourceName(baseName);
   const cfKey = new PublicKey(scope, publicKeyName, {
     encodedKey: keyPair.publicKey,
@@ -46,8 +57,10 @@ export const addSigningKey = (scope: DotStack) => {
 
   addParam({
     id: `${publicKeyName}-id`,
-    name: `${scope.ssmPrefix}/id/${baseName}`,
+    name: paramName,
     scope,
     value: cfKey.publicKeyId
   });
+
+  return cfKey;
 };
diff --git a/packages/cdk/src/methods/ssm.ts b/packages/cdk/src/methods/ssm.ts
@@ -7,6 +7,18 @@ import { nanoid } from 'nanoid';
 
 import { DotStack } from '../constructs/Stack';
 
+export const getParamValue = async (name: string) => {
+  try {
+    const client = new SSMClient({ region: DotStack.awsRegion });
+    const command = new GetParameterCommand({ Name: name });
+    const result = await client.send(command);
+
+    return result.Parameter?.Value;
+  } catch (error: any) {
+    return void 0;
+  }
+};
+
 export const paramExists = async (name: string): Promise<boolean> => {
   try {
     const client = new SSMClient({ region: DotStack.awsRegion });
