A convoluted mixture of Bash and CloudFormation that triggered obnoxiously complicated errors
I spent approach, approach too lengthy making an attempt to determine cross a KMS Key description with areas right into a CloudFormation stack with parameter overrides.
It doesn’t assist that AWS appears to have totally different and what appear to be incorrect solutions all over.
Someplace within the documentation I got here throughout an instance like this:
aws cloudformation deploy [...] --parameter-overrides key=worth key2=worth
I learn all these pages that say it’s best to have the ability to cross in parameters by quoting the important thing and worth like this:
"key=worth"
Nevertheless, that wasn’t actually clear. What you probably have a number of parameters to override? Do the quotes go round all of the parameters like this?
"key=worth key2=worth"
or simply every key, worth pair like this?
"key=worth" "key2=worth"
[And why is it called “override” anyway instead of just parameters — that doesn’t really make sense. I’m not overriding anything I’m passing in parameters…but I digress]
I attempted each methods and received errors saying my stack couldn’t deploy and/or the house threw one thing out of whack so every phrase in my string with areas was used for every key-value pair. Neither a kind of codecs alone labored for me.
Then I attempted this:
"key='one thing with areas' key2='one thing else'"
With the above format once I appeared within the CloudFormation console on the parameters the only quotes received included in my parameters which isn’t what I need. It seems the only quotes are within the worth as an alternative of surrounding it.
The answer right here didn’t work both although apparently it really works in SAM:
I attempted a complete bunch of variations of the answer on the backside of this submit, however I’m making an attempt to not cross in a JSON string. YAML is cleaner and avoiding JSON as a lot as attainable.
This drawback has been reported again and again. And in the long run completely not one of the solutions have been proper in my case…however learn on as I’ve particular case. In fact I do.
I simply discovered this submit which is attention-grabbing:
the factor is that every key worth pair is in single quotes besides the one with areas:
"TAG2='Check Mission'"
I used to be placing quotes round the entire string of parameters not every particular person key worth pair. Let’s strive it.
Properly at the least I get a special error:
JSON handed to --parameter-overrides should be one of many codecs: ["Key1=Value1","Key2=Value2", ...] , [{"ParameterKey": "Key1", "ParameterValue": "Value1"}, ...] , ["Parameters": {"Key1": "Value1", "Key2": "Value2", ...}]
This?
parameters="["EncryptArnParam=$encryptarn","DecryptArnParam=$decryptarn","KeyAliasParam=$keyalias","DescParam=$desc"]"
Nope. How about this?
parameters="{["EncryptArnParam=$encryptarn","DecryptArnParam=$decryptarn","KeyAliasParam=$keyalias","DescParam=$desc"]}"
Nope. Perhaps this?
parameters='"EncryptArnParam=$encryptarn","DecryptArnParam=$decryptarn","KeyAliasParam=$keyalias","DescParam=$desc"'
When all else fails…learn the documentation. I discovered this web page:
This instance exhibits placing after a worth with areas in it.
--parameter-overrides ParameterKey=MaximumExecutionFrequency,ParameterValue=TwentyFour_Hours,Twelve_Hours
Properly that’s totally different. Let’s strive it. The instance isn’t for the deploy command however you’d anticipate consistency for switches named “parameter-overrides” for CloudFormation, no? No.
It doesn’t work.
This doesn’t work:
As a result of then I get this:
This:
Tells me that a few of my parameters don’t have values.
Okay I’ve this working elsewhere. Taking a look at the place it really works I’ve this:
So that ought to work however it doesn’t appear to work with areas. Let’s revisit that error message above as soon as once more. It contradicts documentation elsewhere as a result of the documentation I discovered had areas between key worth pairs and no brackets. It additionally didn’t have curly braces.
I discovered however the first instance within the above error message straightforward sufficient to copy.
This “seems” to work.
I don’t get an error however I believe that’s as a result of I moved the problematic parameter to the top I believe. Perhaps not after I discovered a remaining answer. After I go to the AWS CloudFormation console the outline solely has the primary phrase:
What I noticed after printing out my parameter string is that the parameter within the parameter string in two totally different capabilities was brief. I cross the variable holding the worth with areas right into a perform that formulates the parameter string. Then I cross the parameter string to a different perform.
Right here’s what occurred with that. The worth received truncated proper from the beginning in bash when passing it to the opposite perform. I wanted to place quotes across the worth of the variable within the preliminary perform name as a result of bash additionally delineates arguments by quotes.
So this:
deploy_key $profile $encryptarn $decryptarn $keyalias $desc
turned this:
deploy_key $profile $encryptarn $decryptarn $keyalias "$desc"
I already knew that I needed to put values are the handed in arguments within the subsequent perform however in some unspecified time in the future whereas testing I had eliminated them. So this:
deploy_key(){ profile=$1
encryptarn=$2
decryptarn=$3
keyalias=$4
desc=$5
Wanted to be this:
deploy_key(){profile=$1
encryptarn=$2
decryptarn=$3
keyalias=$4
desc="$5"
After I add the above quotes, now one among my parameter values has areas in it and CloudFormation croaks in might methods. Moderately than attempt to repair my already overly-complicated parameter string I pressured my worth to have single quotes round it like this:
desc="'$desc'"
Then when it will get added to my parameter string the worth has single quotes in it inside this beautiful convoluted construction and I don’t should attempt to kind out and escape extra quotes right here:
parameters='["EncryptArnParam='$encryptarn'","DecryptArnParam='$decryptarn'","KeyAliasParam='$keyalias'","DescParam='$desc'"]'
Subsequent, I additionally have to put quotes across the parameters variable I cross into the subsequent perform:
deploy_stack $profile $keyalias $resourcetype $template "$parameters"
And eventually….I’ve so as to add quotes across the argument I retrieve within the final perform (I had in some unspecified time in the future quoted all these arguments in frustration in some unspecified time in the future however solely the parameters argument has areas in it.
deploy_stack () {
profile="$1"
resourcename="$2"
resourcetype="$3"
template="$4"
parameters="$5"
And, I do another issues in between however lastly I name and use my parameters. I quoted this worth as effectively.
aws cloudformation deploy
--profile $profile
--stack-name $stackname
--template-file $template
--parameter-overrides
"$parameters"
Then once I verify CloudFormation, I can see that my worth with strings is current.
PHEW!!!
I believed for certain I’d not have the ability to get this working in the course of all this. The principle factor that helped was a helpful, although considerably complicated, error message. The one drawback is that it took me a very long time and loads of poking and prodding to get that error message. Maybe there’s a approach to supply a greater error message earlier based mostly on the opposite inputs. Perhaps AWS can add these and another method of convoluted combos of quotes to their check instances.
Teri Radichel
When you favored this story please clap and comply with:
Medium: Teri Radichel or Electronic mail Record: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests providers by way of LinkedIn: Teri Radichel or IANS Analysis
© 2nd Sight Lab 2022
____________________________________________
Writer:
Cybersecurity for Executives within the Age of Cloud on Amazon
Want Cloud Safety Coaching? 2nd Sight Lab Cloud Safety Coaching
Is your cloud safe? Rent 2nd Sight Lab for a penetration check or safety evaluation.
Have a Cybersecurity or Cloud Safety Query? Ask Teri Radichel by scheduling a name with IANS Analysis.
Cybersecurity & Cloud Safety Sources by Teri Radichel: Cybersecurity and Cloud safety lessons, articles, white papers, displays, and podcasts
