Cloudformation: Outputs - Can you return a value from a file

Question

Cloudformation appears to have an "Outputs" section where you can have a value referenced for other stacks, or to display back to the user, etc.

The limited doc is here.

Is it possible to use this to make the contents of a file available?

e.g. I've got a Jenkins install where the initial admin password is stored within:

/var/lib/jenkins/secrets/initialAdminPassword

I'd love to have that value available after deploying our Jenkins Cloudformation stack without having to then SSH into the server.

Is this possible with the outputs section, or any other way with cloudformation templates?

Answer 1

I know this question has been answered but I wanted to offer another solution.

I found myself wanting to do exactly what you (the, OP) were trying to do: use Cloudformation to install Jenkins on an EC2 instance and then print the initial admin password to the Cloudformation outputs.

I ended up working around trying to read the file with the password and instead used the Jenkins CLI from the UserData section to update the admin user with a password that I specified.

Here’s what I did (showing snippets from the template in YAML):

Added a parameter to the template inputs to get the password:

Parameters:
  KeyName:
    ConstraintDescription: Must be the name of an existing EC2 KeyPair.
    Description: Name of an existing EC2 KeyPair for SSH access
    Type: AWS::EC2::KeyPair::KeyName
  PassWord:
    AllowedPattern: '[-_a-zA-Z0-9]*'
    ConstraintDescription: A complex password at least eight chars long with alphanumeric characters, dashes and underscores.
    Description: Password for the admin account
    MaxLength: 64
    MinLength: 8
    NoEcho: true
    Type: String

In the UserData section, I used the PassWord parameter in a call to the jenkins-cli to update the admin account :

  UserData: !Base64
    Fn::Join:
      - ''
      - - "#!/bin/bash -x\n"
        - "exec > /tmp/user-data.log 2>&1\nunset UCF_FORCE_CONFFOLD\n"
        - "export UCF_FORCE_CONFFNEW=YES\n"
        - "ucf --purge /boot/grub/menu.lst\n"
        - "export DEBIAN_FRONTEND=noninteractive\n"
        - "echo \"deb http://pkg.jenkins-ci.org/debian binary/\" > /etc/apt/sources.list.d/jenkins.list\n"
        - "wget -q -O jenkins-ci.org.key http://pkg.jenkins-ci.org/debian-stable/jenkins-ci.org.key\n\
          apt-key add jenkins-ci.org.key\n"
        - "apt-get update\n"
        - "apt-get -o Dpkg::Options::=\"--force-confnew\" --force-yes -fuy upgrade\n"
        - "apt-get install -y python-pip\n"
        - "pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz\n"
        - "apt-get install -y nginx\n"
        - "apt-get install -y openjdk-8-jdk\n"
        - "apt-get install -y jenkins\n"
        - "# Wait for Jenkins to Set Up\n
        - until [ $(curl -o /dev/null --silent\
          \ --head --write-out '%{http_code}\n' http://localhost:8080) -eq 403\
          \ ]; do sleep 1; done\nsleep 10\n# Change the password for the admin\
          \ account\necho 'jenkins.model.Jenkins.instance.securityRealm.createAccount(\"\
          admin\", \""
        - !Ref 'PassWord'
        - "\")' | java -jar /var/cache/jenkins/war/WEB-INF/jenkins-cli.jar -s\
          \ \"http://localhost:8080/\" -auth \"admin:$(cat /var/lib/jenkins/secrets/initialAdminPassword)\"\
          \ groovy =\n/usr/local/bin/cfn-init --resource=Instance --region="
        - !Ref 'AWS::Region'
        - ' --stack='
        - !Ref 'AWS::StackName'
        - "\n"
        - "unlink /etc/nginx/sites-enabled/default\nsystemctl reload nginx\n"
        - /usr/local/bin/cfn-signal -e $? --resource=Instance --region=
        - !Ref 'AWS::Region'
        - ' --stack='
        - !Ref 'AWS::StackName'
        - "\n"

Using this method, when Jenkins starts up, I don’t get the “enter the initial admin password” screen but instead I get a screen where i can just log in as admin with the password used in the parameters.

In terms of adding something to the outputs from a file on the system, I think there is a way to do it using WaitCondition and and passing data back using a cfn-signal command. But once I figured out that all I needed to do was set the password I didn’t pursue the WaitCondition method.

Again, I know you have your answer, but I wanted to share in case anyone else happens to be searching for a way to do this. This way worked for me! :D

Answer 2

The Outputs section Cloud Formation template are meant to help you find your resource easily.

For any resource you create, you can output the properties defined in Fb::GetAtt Documentation.

For example, to get the connection string for the RDS Instance which was created using Cloud formation template, you can use the following

"Outputs" : {
    "JDBCConnectionString": {
        "Description" : "JDBC connection string for the master database",
        "Value" : { "Fn::Join": [ "", 
            [ "jdbc:mysql://",
            { "Fn::GetAtt": [ "MyDatabase", "Endpoint.Address" ] },
            ":",
            { "Fn::GetAtt": [ "MyDatabase", "Endpoint.Port" ] },
            "/",
            { "Ref": "MyDBName" }]
        ]}
    }
}

It is not possible to output contents from a file. Moreover, outputs are visible to all the users having access to your AWS account. So, having password as an output is not recommended.

I would suggest you to upload your secrets to a private S3 bucket after the cloud formation create stack operation is successful and download the secrets whenever required.

Hope this helps.