Igor Shmukler

Reputation: 2216

Get CloudFormation stack output into GitHub Actions

I build my AWS stacks from CloudFormation templates. Some stacks produce outputs, for example security keys and/or endpoints. For example, my analytics stack creates a user for the analytics API server and makes a couple of AWS keys: CubeJsUserAccessKey and CubeJsUserSecretAccessKey.

Outputs:
  Endpoint:
    Description: Endpoint
    Value: !Join ['', ['https://', !Ref DNSRecord]]

  CubeJsUserAccessKey:
    Description: "CubeJS user stagin access key id"
    Value: !Ref CubeJsUserAccessKey
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-cubejs-access-id"

  CubeJsUserSecretAccessKey:
    Description: "CubeJS user access key id"
    Value: !GetAtt
      - CubeJsUserAccessKey
      - CubeJsSecretAccessKey

This works great. Now, I am using GitHub Actions. I would like to be able to reference those things in my pipelines like secrets.

    id: build-image
    env:
      ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
      ECR_REPOSITORY: analytics-staging
      IMAGE_TAG: latest
      NODE_ENV: staging
      AWS_ACCESS_KEY_ID: ${{ stack-name.outputs.CubeJsUserAccessKey }}
      AWS_SECRET_ACCESS_KEY: ${{ stack-name.outputs.CubeJsSecretAccessKey }}
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}

I understand that this can be done with steps.{step-id}. However, I don't want to have to switch to Terraform or delete-stack and create-stack when there is a perfectly working stack that needs only a task definition update.

Say that the stack already exists. I only build and tag the container from the pipeline. To build the container, I need the output values. Can I easily retrieve AWS stack outputs using some plugin or something?

Upvotes: 2

Views: 1774

Answers (1)

Cuban Jon

Reputation: 46

I was looking for just the same today. Found the answer across a few resources. We can get at this via AWS CLI output, then export what we need into the GitHub workflow.

This example will return the first Output value from the stack example and works on the command line locally:

CF_OUTPUT_1=`aws cloudformation --region us-west-2 describe-stacks --stack-name stackname --query "Stacks[0].Outputs[0].OutputValue"`
echo $CF_OUTPUT_1

This is the version that works within my GitHub Actions to export a value from an existing stack, then immediately use it in another step:

      - name: Get outputs from the stack just created
        id: get-outputs
        run: >-
          echo "::set-output name=ECRURI::$(
            aws cloudformation \
            --region us-west-2 describe-stacks \
            --stack-name $(echo ${GITHUB_REF##*/}) \
            --query "Stacks[0].Outputs[0].OutputValue"
          )"
      - name: Docker build image
        shell: bash
        run: |
          docker buildx build \
            -f ./Dockerfile \
            --platform=linux/amd64 \
            -t ${{ steps.get-outputs.outputs.ECRURI }} \
            .

For a little more depth on the subject: without the --query, we see the whole CloudFormation stack information:

{
    "Stacks": [
        {
            "StackId": "arn:aws:cloudformation:us-west-2:#############:stack/ep1-122/335b18e0-####-11ed-b288-06a8abe09281",
            "StackName": "ep1-122",
            "ChangeSetId": "arn:aws:cloudformation:us-west-2:#############:changeSet/samcli-deploy1660747439/692f3efb-####-4d02-930a-f9d1b4c1dc59",
            "Parameters": [
                {
                    "ParameterKey": "InfoSlackChannelID",
                    "ParameterValue": "###########"
                }
            ],
            "CreationTime": "2022-08-17T06:09:49.541000+00:00",
            "LastUpdatedTime": "2022-08-17T14:44:10.185000+00:00",
            "RollbackConfiguration": {},
            "StackStatus": "UPDATE_COMPLETE",
            "DisableRollback": false,
            "NotificationARNs": [],
            "Capabilities": [
                "CAPABILITY_AUTO_EXPAND",
                "CAPABILITY_IAM",
                "CAPABILITY_NAMED_IAM"
            ],
            "Outputs": [
                {
                    "OutputKey": "ECRURI",
                    "OutputValue": "##########.dkr.ecr.us-west-2.amazonaws.com/erc-repo-name",
                    "Description": "Location of the ECR Repository to commit images",
                    "ExportName": "ECRURI"
                }
            ],
            "RoleARN": "arn:aws:iam::##############:role/some-role-CloudFormationExecutionR-U4GJ10T26U21",
            "Tags": [],
            "EnableTerminationProtection": false,
            "DriftInformation": {
                "StackDriftStatus": "NOT_CHECKED"
            }
        }
    ]
}

Hat tip to these previous answers:

Upvotes: 3
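
An added example, not part of the original question or answer: a POSIX shell helper that selects a stack output by `OutputKey` instead of array position, masks secret values with `::add-mask::` so they are redacted in the job log, and writes to `$GITHUB_OUTPUT`, the current replacement for the deprecated `::set-output` command. The function names and the `STACK` variable are assumptions; the key names are the question's outputs.

```shell
#!/bin/sh
# Added example (not from the original posts). Source it in a `run:` step, then:
#   export_output "$STACK" Endpoint
#   export_output "$STACK" CubeJsUserSecretAccessKey secret
# STACK is an assumed variable; the key names are the question's outputs.

# Print one stack output selected by OutputKey instead of array position.
stack_output() {
    aws cloudformation describe-stacks \
        --stack-name "$1" \
        --query "Stacks[0].Outputs[?OutputKey=='$2'].OutputValue" \
        --output text
}

# export_output STACK KEY [secret]
# Appends KEY=value to $GITHUB_OUTPUT; with "secret", masks the value first.
export_output() {
    eo_stack=$1 eo_key=$2 eo_mode=${3:-plain}
    eo_nl='
'
    # Output keys are alphanumeric; refuse anything that could alter the query.
    case $eo_key in
        ''|*[!A-Za-z0-9]*) echo "invalid output key" >&2; return 2 ;;
    esac
    eo_value=$(stack_output "$eo_stack" "$eo_key") || return 1
    case $eo_value in
        ''|None) echo "no output $eo_key in stack $eo_stack" >&2; return 1 ;;
        # A newline would let the value define extra entries in $GITHUB_OUTPUT.
        *"$eo_nl"*) echo "output $eo_key spans several lines" >&2; return 1 ;;
    esac
    if [ "$eo_mode" = secret ]; then
        # Tell the runner to redact this value wherever it appears in the log.
        echo "::add-mask::$eo_value"
    fi
    printf '%s=%s\n' "$eo_key" "$eo_value" >> "$GITHUB_OUTPUT"
}
```

A later step in the same job reads a value as `${{ steps.<id>.outputs.Endpoint }}`, where `<id>` is the id of the step that ran the helper.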
