fix: MapConfig SSM param → Tier: Intelligent-Tiering (v20.6.5, plan-PR #50) (#55)

hyunsies · Chris Hyu · claude · web-flow · commit 6d5eeead0b29 · 2026-04-26T11:13:57.000+09:00
§1.60 — Standard-tier 4KB wall silently fails at ~240 accounts. The
MapConfig SSM parameter had no explicit Tier, so CFN defaulted to
Standard (4KB Value limit). A customer with ~240+ accounts listed in
scoped_account_ids generates a Value &gt; 4KB; stack create failed with
ParameterMaxSizeExceeded and no actionable error message.

Intelligent-Tiering stays in the free Standard tier until the Value
actually crosses 4KB, at which point AWS auto-upgrades to Advanced
($0.05/parameter/month, $0.60/year for that one parameter). Zero cost
impact for normal-sized deployments; graceful auto-upgrade at the
boundary. Mirrored in both YAML and configurator inline template.

No new IAM required — the tier upgrade is driven by CloudFormation's
deploy-time role at stack create, not by the Lambda. Runtime
ssm:GetParameter grant covers both tiers.

Co-authored-by: Chris Hyu &lt;chhyu@amazon.com&gt;
Co-authored-by: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,16 @@ All notable changes to the MAP 2.0 Auto-Tagger.
 
 ## v20 — Resilient SQS Pipeline + Open Source
 
+### v20.6.5 — SSM parameter Intelligent-Tiering (plan-PR #50)
+
+PATCH. Closes audit item §1.60.
+
+**§1.60 — SSM Standard-tier 4KB wall silently fails at ~240 accounts.** `MapConfig` (the JSON configuration that the Lambda reads on every invocation) had no explicit `Tier` on its `AWS::SSM::Parameter` resource, so CFN defaulted it to Standard (4KB Value limit). A customer with ~240+ accounts listed in `scoped_account_ids` generates a Value > 4KB; stack create failed with `ParameterMaxSizeExceeded` and no actionable CFN error message. Added `Tier: Intelligent-Tiering` to both YAML (`map2-auto-tagger-optimized.yaml`) and the configurator's inline template. Intelligent-Tiering stays in the free Standard tier until the Value actually crosses 4KB, at which point AWS auto-upgrades to Advanced ($0.05/parameter/month, $0.60/year for that one parameter). Zero cost impact for normal-sized deployments; graceful auto-upgrade at the 4KB boundary.
+
+No new IAM required — the Intelligent-Tiering upgrade is driven by CloudFormation's deploy-time role at stack create, not by the Lambda. The Lambda's runtime `ssm:GetParameter` grant (scoped to `/auto-map-tagger/${MpeId}/config`) covers both tiers.
+
+---
+
 ### v20.6.4 — IAM completeness + CI gate (plan-PR #42)
 
 Tooling + IAM PATCH. YAML runtime Lambda is byte-identical to v20.6.3 except the version stamps and one added IAM row. Closes audit item §1.99; partially addresses §1.64 (introduces the methodology to prevent future siblings).
diff --git a/VERSIONING.md b/VERSIONING.md
@@ -21,7 +21,7 @@
 
 The version lives in exactly two places:
 
-1. **`configurator.html`** — `const TEMPLATE_VERSION = 'v20.6.4';` (one occurrence)
+1. **`configurator.html`** — `const TEMPLATE_VERSION = 'v20.6.5';` (one occurrence)
 2. **`map2-auto-tagger-optimized.yaml`** — Description header, `MapVersion` SSM parameter default, Lambda `TEMPLATE_VERSION` constant, `TemplateVersion` CFN output (all four must equal the configurator constant)
 
 `.github/scripts/sync-check.py` enforces this invariant. Any drift between references is a sync-check failure.
diff --git a/configurator.html b/configurator.html
@@ -1141,15 +1141,22 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
 
     <script>
         // Template version — single source of truth for the SemVer constant.
-        // Must match `TEMPLATE_VERSION = 'v20.6.4'` in map2-auto-tagger-optimized.yaml (sync-check enforces this).
-        const TEMPLATE_VERSION = 'v20.6.4';
+        // Must match `TEMPLATE_VERSION = 'v20.6.5'` in map2-auto-tagger-optimized.yaml (sync-check enforces this).
+        const TEMPLATE_VERSION = 'v20.6.5';
 
         // Version history surfaced in the Update flow. Bullets are intentionally English-only —
         // translating release notes across 7 languages for every PR is unsustainable. Labels
         // (titles, buttons) go through i18n; change bullets stay in source form.
         // Tags: bugfix, coverage, breaking, security, perf, other.
         // sync-check.py enforces that the newest entry's version matches TEMPLATE_VERSION.
         const VERSION_HISTORY = [
+            {
+                version: 'v20.6.5',
+                date: '2026-04-26',
+                changes: [
+                    { tag: 'bugfix', text: 'MapConfig SSM parameter now uses Tier: Intelligent-Tiering instead of the default Standard tier. Customers with ~240+ accounts in scoped_account_ids generate a Value > 4KB (the Standard-tier limit); prior behavior silently failed stack create with ParameterMaxSizeExceeded. Intelligent-Tiering stays free for normal-sized deployments and auto-upgrades to Advanced ($0.05/parameter/month) only when the Value actually crosses the threshold. Closes §1.60.' },
+                ],
+            },
             {
                 version: 'v20.6.4',
                 date: '2026-04-26',
@@ -5925,6 +5932,11 @@ <h3 style="margin:20px 0 8px;font-size:14px;" data-i18n="ui_editor_script_previe
     Type: AWS::SSM::Parameter
     Properties:
       Name: /auto-map-tagger/${mpe}/config
+      # Tier: Intelligent-Tiering — see §1.60 comment in map2-auto-tagger-optimized.yaml.
+      # Customers with ~240+ accounts in scoped_account_ids produce a Value > 4KB; AWS
+      # auto-upgrades to Advanced tier ($0.05/parameter/month) instead of failing stack
+      # create with ParameterMaxSizeExceeded. Zero cost impact below the threshold.
+      Tier: Intelligent-Tiering
       # SECURITY NOTE: Type: String is intentional. The stored values (MPE ID, agreement
       # dates, account/VPC scope lists) are non-sensitive operational configuration — not
       # credentials, secrets, or PII. SecureString would require KMS decrypt permissions
diff --git a/map2-auto-tagger-optimized.yaml b/map2-auto-tagger-optimized.yaml
@@ -3,7 +3,7 @@
 
 AWSTemplateFormatVersion: '2010-09-09'
 Description: >
-  MAP 2.0 Auto-Tagger v20.6.4 - Auto-tags AWS resources with map-migrated for MAP 2.0
+  MAP 2.0 Auto-Tagger v20.6.5 - Auto-tags AWS resources with map-migrated for MAP 2.0
   credit eligibility. 190+ resource types. Deploy once; tagging happens within 60-90 s
   of resource creation. Daily reconciliation Lambda (RGTA-based) catches any tags the
   live Lambda missed. Three-path error classifier + TagFailureByClass CloudWatch metric
@@ -64,13 +64,20 @@ Resources:
       Name: !Sub '/auto-map-tagger/${MpeId}/version'
       Type: String
       Description: MAP 2.0 Auto-Tagger template version pinned at deploy time
-      Value: v20.6.4
-
-  # SSM Parameter Store - single source of truth for config
+      Value: v20.6.5
+
+  # SSM Parameter Store - single source of truth for config.
+  # Tier: Intelligent-Tiering leaves the parameter in the free Standard tier
+  # (4KB limit) until the Value crosses the threshold, at which point AWS
+  # auto-upgrades to Advanced (8KB limit, $0.05/parameter/month). Closes
+  # §1.60: customers with ~240+ accounts in `scoped_account_ids` generate a
+  # Value > 4KB; prior behavior (default Standard) silently failed stack
+  # create with `ParameterMaxSizeExceeded`.
   MapConfig:
     Type: AWS::SSM::Parameter
     Properties:
       Name: !Sub '/auto-map-tagger/${MpeId}/config'
+      Tier: Intelligent-Tiering
       Type: String
       Description: MAP 2.0 Auto-Tagger configuration
       Value: !Sub
@@ -374,7 +381,7 @@ Resources:
           # Template version pinned at deploy time. Surfaced in CloudWatch Logs on
           # every cold start so ops can trace which version processed an event
           # without reading the CFN stack or SSM parameter.
-          TEMPLATE_VERSION = 'v20.6.4'
+          TEMPLATE_VERSION = 'v20.6.5'
           print(f'auto-map-tagger {TEMPLATE_VERSION} cold start')
 
           ssm = boto3.client('ssm')
@@ -2407,7 +2414,7 @@ Outputs:
     Value: !Ref MapConfig
   TemplateVersion:
     Description: MAP 2.0 Auto-Tagger template version (pinned at deploy time)
-    Value: v20.6.4
+    Value: v20.6.5
   AlertTopicArn:
     Description: SNS topic for tagger alerts - subscribe your email here
     Value: !Ref AlertTopic
