A convoluted combination of Bash and CloudFormation that induced unpleasantly difficult errors
I spent method an extreme period of time attempting to find out simple strategies to go a KMS key description with areas to a CloudFormation stack with parameter overrides.
It doesn’t help that AWS seems to have completely totally different and what appear to be flawed options all over the place.
Someplace inside the documentation I found an occasion like this:
aws cloudformation deploy [...] --parameter-overrides key=value key2=value
I be taught all these pages that say it’s finest to be succesful to go parameters by quoting the essential factor and price like this:
"key=value"
Nonetheless, that was not very clear. What you in all probability have a lot of parameters to override? Do quotes go spherical all parameters like this?
"key=value key2=value"
or just each key, value pair like this?
"key=value" "key2=value"
[And why is it called “override” anyway instead of just parameters — that doesn’t really make sense. I’m not overriding anything I’m passing in parameters…but I digress]
I tried every strategies and acquired errors saying my stack couldn’t deploy and/or the home was throwing one factor out of whack, so every phrase in my string with areas was used for every key-value pair. None of those codecs merely labored for me.
So I tried this:
"key='one factor with areas' key2='one factor else'"
With the earlier format, after I regarded inside the CloudFormation console for parameters, single quotes had been included in my parameters, which isn’t what I would really like. It seems to be like like the one quotes are on the price instead of surrounding it.
The reply proper right here didn’t work each, although it apparently works in SAM:
I’ve tried a bunch of variations of the reply on the bottom of this publish, nonetheless I’m attempting to not go a JSON string. YAML is cleaner and avoids JSON as so much as potential.
This downside has been reported time and again. And in the long term utterly not one of many options had been proper in my case… nonetheless be taught on as I’ve a selected case. In spite of everything certain.
I merely found this publish which is attention-grabbing:
the issue is that every key-value pair is enclosed in single quotes apart from the one with areas:
"TAG2='Check out Problem'"
I was inserting quotes throughout the full parameter string, not each specific individual key value pair. Let’s try.
Successfully, not lower than I get a novel error:
JSON handed to --parameter-overrides must be one in every of many codecs: ["Key1=Value1","Key2=Value2", ...] , ["ParameterKey": "Key1", "ParameterValue": "Value1", ...] , ["Parameters": "Key1": "Value1", "Key2": "Value2", ...]
East?
parameters="["EncryptArnParam=$encryptarn","DecryptArnParam=$decryptarn","KeyAliasParam=$keyalias","DescParam=$desc"]"
No. How about this?
parameters="["EncryptArnParam=$encryptarn","DecryptArnParam=$decryptarn","KeyAliasParam=$keyalias","DescParam=$desc"]"
No. Presumably this?
parameters=""EncryptArnParam=$encryptarn","DecryptArnParam=$decryptarn","KeyAliasParam=$keyalias","DescParam=$desc""
When all else fails… be taught the documentation. I found this web page:
This occasion reveals inserting after a value with areas in it.
--parameter-overrides ParameterKey=MaximumExecutionFrequency,ParameterValue=TwentyFour_Hours,Twelve_Hours
Successfully that’s completely totally different. Let’s try. The occasion shouldn’t be for the deploy command, nonetheless you’d depend on consistency for switches named “parameter overrides” for CloudFormation, correct? Nope.
it doesn’t work
This doesn’t work:
On account of then I get this:
East:
It tells me that just a few of my parameters don’t have any values.
Okay, I’ve this working elsewhere. Wanting the place it actually works I’ve this:
In order that must work, nonetheless it doesn’t seem to work with areas. Let’s analysis the above error message but yet one more time. It contradicts documentation elsewhere on account of the documentation I found had areas between key value pairs and no sq. brackets. He moreover had no keys.
I found nonetheless the primary occasion inside the error message above easy ample to duplicate.
This “seems” to work.
I don’t get an error, nonetheless I imagine it’s on account of I moved the problematic parameter to the tip I imagine. Presumably not after I found a remaining decision. After I am going to the AWS CloudFormation console, the define solely has the first phrase:
What I noticed after printing my parameter string is that the parameter inside the parameter string in two completely totally different options was fast. I am going the variable that accommodates the price with areas proper right into a carry out that formulates the parameter string. I then go the parameter string to a unique carry out.
That’s what occurred with that. The value was truncated from the beginning in bash when passing it to the alternative carry out. I needed to position quotes throughout the price of the variable inside the preliminary carry out title on account of bash moreover encloses arguments in quotes.
So this:
deploy_key $profile $encryptarn $decryptarn $keyalias $desc
turn into this:
deploy_key $profile $encryptarn $decryptarn $keyalias "$desc"
I already knew that I wanted to place values into the handed arguments inside the following carry out, nonetheless in the end all through the check out I eradicated them. So this:
deploy_key(){ profile=$1 encryptarn=$2 decryptarn=$3 keyalias=$4 desc=$5
It needed to be this:
deploy_key(){profile=$1 encryptarn=$2 decryptarn=$3 keyalias=$4 desc="$5"
After I add the quotes above, now one among my parameter values has areas in it and CloudFormation croaks in some methods. As a substitute of attempting to restore my already overly troublesome parameter string, I pressured my value to have single quotes like this:
desc="'$desc'"
Then when added to my parameter string, the price is single quoted inside this pretty convoluted development and I haven’t acquired to aim to kind and escape any additional quotes proper right here:
parameters="["EncryptArnParam="$encryptarn'","DecryptArnParam='$decryptarn'","KeyAliasParam='$keyalias'","DescParam='$desc'"]'
Subsequent, I moreover should put quotes throughout the parameter variable that I am going to the subsequent carry out:
deploy_stack $profile $keyalias $resourcetype $template "$parameters"
And finally… I’ve in order so as to add quotes throughout the argument that I retrieved inside the remaining carry out (I quoted all of these arguments out of frustration in the end, nonetheless solely the parameters argument has areas).
deploy_stack () {
profile="$1"
resourcename="$2"
resourcetype="$3"
template="$4"
parameters="$5"
And I do one other points in between, nonetheless lastly I title and use my parameters. I quoted this value as correctly.
aws cloudformation deploy
--profile $profile
--stack-name $stackname
--template-file $template
--parameter-overrides
"$parameters"
Then after I look at CloudFormation I can see that my value with strings is present.
PHEW!!!
I was sure I might not be succesful to make this work within the midst of all this. The first issue he helped was a helpful if significantly difficult error message. The one downside is that it took me a really very long time and a wide range of prodding to get that error message. Presumably there’s a fashion to supply a larger error message sooner based mostly totally on the alternative inputs. Presumably AWS can add these and one other kinds of troublesome quote combos to their check out circumstances.
Teri Radichel
In case you want this story please applaud and proceed:
Medium: Teri Radichel or E mail Guidelines: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests corporations by the use of LinkedIn: Teri Radichel or IANS Evaluation
© second sight lab 2022
____________________________________________
Author:
Cybersecurity for executives inside the cloud interval at Amazon
Would you like cloud security teaching? 2nd Sight Lab Cloud Security Teaching
Is your cloud protected? Lease 2nd Sight Lab for a penetration check out or security analysis.
Do you’ve gotten a question about cybersecurity or cloud security? Ask Teri Radichel by scheduling a reputation with IANS Evaluation.
Cybersecurity and Cloud Security Sources by Teri Radichel: Cybersecurity and cloud security programs, articles, white papers, exhibits, and podcasts
