Matthew C

Reputation: 98

How can I update a CloudFormation stack with masked parameters using Ansible?

I have a CloudFormation stack that was created using the Ansible cloudformation module, and then I have some masked parameters that were updated manually by a separate operations team.

Now I would like to update the stack to perform a version upgrade, and while this is easily done in the AWS Console and through the AWS CLI, I can't seem to find a way to do this through the Ansible module.

Based on another post here, it was noted that upgrades are not possible, and the only way was to simply not use Ansible.

I have tried using the Ansible cloudformation_facts module to try and fetch the parameters to no avail. Is there any other method to fetch this data from CloudFormation, or will I have to accept that I cannot use Ansible?

Thank you in advance.

Upvotes: 1

Views: 272

Answers (1)

WarrenG

Reputation: 1850

You can fetch all the parameters from CloudFormation using Ansible with something like the below:

---
- name: Get CloudFormation stats
  cloudformation_facts:
    stack_name: "{{ stack_name }}"
    region: "{{ region }}"
  register: my_stack

If you had a parameter called "subnet-id", you could view what the return would look like, like this:

---
- name: Get CloudFormation stats
  cloudformation_facts:
    stack_name: "{{ stack_name }}"
    region: "{{ region }}"
  register: my_stack

# Bracket lookup is needed: in Jinja2, ".subnet-id" parses as ".subnet" minus "id"
- debug:
    msg: "{{ my_stack.ansible_facts.cloudformation[stack_name].stack_parameters['subnet-id'] }}"

The return would look like this:

ok: [localhost] => {
    "msg": "subnet12345"
}

If values are hashed out, however, you won't be able to see what their value was - so the answer is that in that case, you shouldn't be updating CloudFormation directly if you're trying to move over to Ansible. Rather have the values updated in an encrypted file on your source control, and build from there with Ansible.

Upvotes: 2
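
An added example, not part of the answer above and not the Ansible project's own code: a playbook that upgrades the stack without ever reading the masked values, by asking CloudFormation to reuse what it already stores. It assumes a cloudformation module version whose `template_parameters` accepts a dict with `use_previous_value` (as the `amazon.aws.cloudformation` module does); the stack name, region, template path and the `AppVersion` parameter are placeholders.

```yaml
# Added example. stack_name, region and the template path are placeholders;
# "AppVersion" is a hypothetical name for the parameter the upgrade changes.
- name: Upgrade a stack while leaving masked parameters untouched
  hosts: localhost
  gather_facts: false
  vars:
    stack_name: my-app-stack
    region: us-east-1
    overrides:
      AppVersion: "2.0.0"
  tasks:
    # Only the parameter *names* are used; masked (NoEcho) values come back
    # as asterisks and are never needed by the steps below.
    - name: Read the current parameter names
      cloudformation_facts:
        stack_name: "{{ stack_name }}"
        region: "{{ region }}"
      register: my_stack

    # Mark every existing parameter as "reuse the stored value".
    # A parameter that the new template no longer declares must be dropped
    # from this list, or the update is rejected.
    - name: Build a keep-previous entry for each existing parameter
      set_fact:
        keep_previous: >-
          {{ keep_previous | default({})
             | combine({item: {'use_previous_value': true}}) }}
      loop: "{{ my_stack.ansible_facts.cloudformation[stack_name].stack_parameters.keys() | list }}"

    # Overrides replace the keep-previous entry for the parameters being
    # changed, and add any parameter that is new in the upgraded template.
    - name: Update the stack
      cloudformation:
        stack_name: "{{ stack_name }}"
        region: "{{ region }}"
        state: present
        template: templates/my-app-stack.yml
        template_parameters: "{{ keep_previous | combine(overrides) }}"
```

Because no value is sent for the kept parameters, the secrets set by the operations team never pass through the playbook's variables or its task output.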
