Reputation: 507
I've got a question around using parameters in CloudFormation and more generally best practices around using secrets in CloudFormation.
I have a template that defines our CI servers in an autoscaling group. We could in theory stand up many of these stacks. The templates are stored in source control along with parameters.json files used to specify the details of the stack (e.g. instance type, autoscaling conditions etc.). One of those parameters is a token that allows the CI server to interact with our CI provider; I don't want to store the token in source control. I want someone to be prompted for it or be forced to pass it when creating or updating the stack.
Ideally what I'm imagining is something like this, but obviously this is invalid
aws cloudformation create-stack --stack-name <name> --template-body file://<template> --parameters file://<parameters-file.json> TokenParameter=xxxyyyzzz
Does anyone have any suggestions?
Many Thanks
Upvotes: 3
Views: 2798
Reputation: 611
Hopefully this helps someone 2+ years later...
I solved this with a little help from jq. I'm on a Mac, so that's a simple brew install jq
My goal was to use a default file of parameters, but wanted to pass my github oauth as a secret this one time. To the point above of storing secrets in other / better places, that's ideal, but I believe can be overkill for all situations. Mine for example was just lab based work.
aws cloudformation create-stack --stack-name "codepipeline-test" \
    --template-body file://codepipeline-test.yml \
    --parameters $(cat codepipeline-test-params.json | jq -r '.[] | "ParameterKey=" + .ParameterKey + ",ParameterValue=" + .ParameterValue') \
    ParameterKey="GitHubOAuthToken",ParameterValue="1234567890826xxxxxxxxxx753dde68858ac2169" \
    --tags '[{"Key": "Name","Value": "codedepipeline-test"},{"Key": "Owner","Value": "username"}]' \
    --capabilities CAPABILITY_NAMED_IAM
FYI in the CF Template I define the GitHub OAuth param to be a secret (hidden in the GUI) as follows:
GitHubOAuthToken:
    Description: A valid access token for GitHub that has admin access to the GitHub Repo you specify
    Type: String
    NoEcho: true
    MinLength: 40
    MaxLength: 40
    AllowedPattern: '[a-z0-9]*'
Upvotes: 4
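The question asks for a committed parameters file plus a secret supplied only at create/update time, and the answer above builds that with jq on the command line. The following is an added example (not code from the question or the answer) that does the same merge in Python and then hands the aws CLI a parameters file created with mkstemp (mode 0600) instead of a shell word, so the token does not show up in shell history or in the argument list visible to `ps`. It assumes the parameters file is a JSON list of {"ParameterKey": ..., "ParameterValue": ...} objects (the shape the jq filter expects), that the secret arrives in a CI_TOKEN environment variable or a hidden prompt, and that the template parameter is called TokenParameter as in the question; all three are assumptions, not values from the page.

```python
"""Merge a committed CloudFormation parameters file with run-time secrets
and invoke the aws CLI without putting the secret on the command line.
Added example; not the original answer's code. The parameters-file shape,
the CI_TOKEN variable name and TokenParameter are assumptions."""
import getpass
import json
import os
import subprocess
import sys
import tempfile


def merge_parameters(base, secrets, use_previous=()):
    """Return `base` with `secrets` overriding or appending by ParameterKey.
    Keys in `use_previous` become UsePreviousValue=true, which is what
    update-stack wants for parameters you are not changing."""
    merged = {p["ParameterKey"]: dict(p) for p in base}
    for key, value in secrets.items():
        if not value:
            raise ValueError(f"secret parameter {key!r} is empty")
        merged[key] = {"ParameterKey": key, "ParameterValue": value}
    for key in use_previous:
        merged[key] = {"ParameterKey": key, "UsePreviousValue": True}
    return list(merged.values())


def render_cli_parameters(params):
    """Render the shorthand form the jq filter in the answer produces
    (ParameterKey=K,ParameterValue=V), for comparison or dry runs."""
    out = []
    for p in params:
        if p.get("UsePreviousValue"):
            out.append(f"ParameterKey={p['ParameterKey']},UsePreviousValue=true")
        else:
            out.append(f"ParameterKey={p['ParameterKey']},ParameterValue={p['ParameterValue']}")
    return out


def deploy(stack_name, template_path, params_path, secret_key, token,
           action="create-stack"):
    """Run the aws CLI with merged parameters written to a temp file that
    mkstemp creates with mode 0600; the file is removed afterwards."""
    with open(params_path) as fh:
        base = json.load(fh)
    params = merge_parameters(base, {secret_key: token})
    fd, tmp = tempfile.mkstemp(suffix=".json")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(params, fh)
        cmd = ["aws", "cloudformation", action,
               "--stack-name", stack_name,
               "--template-body", f"file://{template_path}",
               "--parameters", f"file://{tmp}"]
        # list argv, no shell: nothing to quote, nothing to word-split
        return subprocess.run(cmd, check=True)
    finally:
        os.unlink(tmp)


if __name__ == "__main__":
    # usage: python deploy.py <stack-name> <template.yml> <params.json> [update-stack]
    stack, template, params_file = sys.argv[1:4]
    action = sys.argv[4] if len(sys.argv) > 4 else "create-stack"
    token = os.environ.get("CI_TOKEN") or getpass.getpass("CI token: ")
    deploy(stack, template, params_file, "TokenParameter", token, action)
```

Because merge_parameters rejects an empty secret, a pipeline that forgets to export CI_TOKEN fails before any stack call is made rather than creating a stack with a blank token.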
Reputation: 1447
For any sort of token/secret type interaction, I would actually go on the side of recommending Systems Manager Parameter Store. The advantage is it centralizes your credential store so that if you need to rotate credentials for any reason it's just one place to change. You can also encrypt the creds for additional security.
As this is an AWS service you can use the SDK/CLI to pull the value. This could either be a user data script with an IAM role that allows Systems Manager access (as well as all other access) to pull the parameter and place it in the respective file. Another option is to utilize the SDK to pull down the credential on demand, though that would require support in your CI code for pulling that off.
One caveat to this is that you would need the parameter setup ahead of time before launching the auto scaling group, which would make including the parameter as part of the CF template a bit difficult.
Upvotes: 0
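The answer above describes the instance pulling the parameter itself under an IAM role and placing it in a file. The following is an added example of that instance-side step, not the answerer's code: it fetches a SecureString parameter with decryption, refuses a parameter that is not encrypted, writes the value to a file created owner-only, and builds the role policy scoped to that single parameter. The parameter name /ci/agent-token, the file path /etc/ci-agent/token, the KMS key placeholder and the use of boto3 are all assumptions; the SSM client is passed in as an argument so the logic can be exercised with a fake client and no AWS credentials.

```python
"""Instance-side retrieval of a CI token from Systems Manager Parameter
Store (the user-data approach described in the answer). Added example;
parameter name, file path and boto3 usage are assumptions."""
import os
import stat

PARAMETER_NAME = "/ci/agent-token"   # assumed SecureString parameter name
TOKEN_PATH = "/etc/ci-agent/token"    # assumed destination the CI agent reads


def fetch_token(ssm, name=PARAMETER_NAME):
    """Fetch and decrypt a SecureString parameter. `ssm` is a boto3 SSM
    client (or any object with the same get_parameter shape)."""
    resp = ssm.get_parameter(Name=name, WithDecryption=True)
    param = resp["Parameter"]
    if param.get("Type") != "SecureString":
        raise ValueError(f"{name} is not a SecureString; refusing an unencrypted secret")
    value = param["Value"]
    if not value:
        raise ValueError(f"{name} is empty")
    return value


def write_token(value, path=TOKEN_PATH):
    """Create the file with mode 0600 before any bytes are written, so there
    is no window in which the token is readable by other local users."""
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(value)
    # tighten an existing file that may have been created with a looser mode
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return path


def least_privilege_policy(region, account_id, name=PARAMETER_NAME,
                           key_arn="<kms-key-arn-placeholder>"):
    """IAM policy for the instance role: read one parameter, decrypt with
    the key that encrypts it, nothing else. The parameter ARN form is
    arn:aws:ssm:<region>:<account>:parameter<name> for names starting with '/'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ssm:GetParameter",
             "Resource": f"arn:aws:ssm:{region}:{account_id}:parameter{name}"},
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn},
        ],
    }


if __name__ == "__main__":
    import boto3   # imported here so the module loads without boto3 installed
    client = boto3.client("ssm")
    write_token(fetch_token(client))
```

Run from user data as the instance boots, this keeps the token out of the template and the parameters file entirely; the caveat in the answer still applies, since the parameter has to exist before the autoscaling group's first instance launches.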