gzz

Reputation: 675

AWS SAM template - using sam local, how to fix environment variables with value '}'

I have a SAM template with an environment variable with value }. This is causing an issue when running sam local due to a parsing error.

template.yaml

Environment:
  Variables:
     AWS_ACCESS_KEY_ID: REDACTED
     AWS_SECRET_ACCESS_KEY: REDACTED
     DB_NAME: REDACTED_DB_NAME
     DB_USER: REDACTED_USER
     DB_PASS: }reDactedStringOfPW
     DB_DIALECT: mysql
     DB_HOST: REDACTED_HOST
     DB_PORT: REDACTED_PORT

Everything works fine if the password used is not prefixed with }. I could change the password as an easy fix but how do we proceed with this error - provided that I'm not allowed to change the value?

Below is the exact error when running sam local

$ sam local invoke --skip-pull-image --event ./devfiles/event.json --template ./devfiles/template.yaml
Error: Failed to parse template: while parsing a block node
expected the node content, but found '}'
  in "<unicode string>", line 42, column 20:
              DB_PASS: }reDactedStringOfPW
                       ^

Upvotes: 2

Views: 1608

Answers (1)

Binh Nguyen

Reputation: 2157

To avoid these kinds of syntax issues and ensure security best practice in your Infrastructure as Code operations, you can create an SSM Parameter Store to store your password credential.

With CloudFormation or AWS SAM, you can dynamically resolve your password with the {{resolve:ssm:<PARAMETER_NAME>:<PARAMETER_VERSION>}} method.

Environment:
  Variables:
     AWS_ACCESS_KEY_ID: REDACTED
     AWS_SECRET_ACCESS_KEY: REDACTED
     DB_NAME: REDACTED_DB_NAME
     DB_USER: REDACTED_USER
     # Quoted so that YAML reads the value as a string, not as a flow mapping opened by {{
     DB_PASS: '{{resolve:ssm:MyDatabasePassword:1}}'
     DB_DIALECT: mysql
     DB_HOST: REDACTED_HOST
     DB_PORT: REDACTED_PORT


Upvotes: 1
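
The parse error in the question is a YAML rule rather than a SAM one: an unquoted (plain) scalar cannot begin with a flow indicator such as `}` or `{`, so the value has to be quoted. The fragment below is an added example, not part of either post; the `DB_PASS_FROM_SSM` and `DB_PASS_WITH_QUOTE` keys and the `}it's-constructed` value are made up for illustration.

```yaml
Environment:
  Variables:
    # Fails to parse: a plain scalar may not start with the flow indicator }
    # DB_PASS: }reDactedStringOfPW

    # Parses: single quotes turn the value into a literal string.
    # No backslash escapes are processed inside single quotes.
    DB_PASS: '}reDactedStringOfPW'

    # The only character that needs care inside single quotes is ' itself,
    # which is written doubled. This constructed value is }it's-constructed
    DB_PASS_WITH_QUOTE: '}it''s-constructed'

    # The same rule covers values that start with {, such as a dynamic reference.
    DB_PASS_FROM_SSM: '{{resolve:ssm:MyDatabasePassword:1}}'
```

Prefer single quotes over double quotes for secrets: in a double-quoted YAML scalar a backslash starts an escape sequence, so a password containing `\` would be altered or rejected.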
