Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IT-3860: Pass secure parameter to automation script #1259

Merged
merged 26 commits into from
Oct 17, 2024
Merged

IT-3860: Pass secure parameter to automation script #1259

merged 26 commits into from
Oct 17, 2024

Conversation

brucehoff
Copy link
Contributor

@brucehoff brucehoff commented Oct 15, 2024
edited
Loading

While CloudFormation allows invoking SSM Parameter look up when passing parameters , Organization Formation fails with the error:

SSM Secure reference is not supported in: [AWS::Lambda::Function/Properties/Environment/Variables/ScriptParameters]

The fix is instead to simply pass the SSM Parameter name to the Automation script and update the Lambda to retrieve the secure parameter(s) to pass to the Automation Document.

This PR also updates the documentation to explain how to use the script.

brucehoff and others added 23 commits September 24, 2024 15:57
@brucehoff
IT-3860: Add automation to run Stack Armor agent installation script …
a250cbe 
…on instances tagged appropriately
@brucehoff
IT-3860: CF template fixes
2f76395
@brucehoff
IT-3860: updated Py version and fixed cron expression
54e705f
@brucehoff
IT-3860: run every hour, for testing, after which we'll back off to o…
fe0c5d8 
…nce per day
@brucehoff
IT-3860: feedback from review
36a1d60
@pre-commit-ci
[pre-commit.ci] auto fixes from pre-commit.com hooks
a64f78c 
for more information, see https://pre-commit.ci
@brucehoff
IT-3860: feedback from review
3de298f
@brucehoff
IT-3860: feedback from review
a387ca3
@brucehoff
Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ…
a80d0e5 
…izations-infra into IT-3860
@brucehoff
Merge branch 'IT-3860' of https://github.com/brucehoff/organizations-…
7045662 
…infra into IT-3860
@brucehoff
IT-3860: typo
d6e57c5
@brucehoff
IT-3860: valid CF but triggers InvalidAutomationExecutionParametersEx…
166ce9f 
…ception
@brucehoff
IT-3860: Changed document type from 'Command' to 'Automation' to be c…
cd74be9 
…ompatible with SSM Automation
@pre-commit-ci
[pre-commit.ci] auto fixes from pre-commit.com hooks
b94397e 
for more information, see https://pre-commit.ci
@brucehoff
IT-3860: Add AutomationAssumeRole parameter to SSM Document
17dfa4c
@brucehoff
IT-3860: Add AutomationAssumeRole parameter to SSM Document
af0feda
@brucehoff
Merge branch 'IT-3860' of https://github.com/brucehoff/organizations-…
f5308fb 
…infra into IT-3860
@brucehoff
IT-3860: Generalize execution role to run multiple automations
4a384ee
@brucehoff
IT-3860: Removed illegal parameters from AWS-RunShellScript
114feef
@brucehoff
IT-3860: Document parameter names are case sensitive
c5a928c
@brucehoff
IT3860: Update comment
19ed9e6
@brucehoff
Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ…
35eb99e 
…izations-infra into IT-3860
@brucehoff
IT-3869: Retrieve SSM Parameters in Automation execution Lambda
7d57425
@brucehoff brucehoff requested a review from a team as a code owner October 15, 2024 21:20
zaro0508
zaro0508 requested changes Oct 16, 2024
View reviewed changes
org-formation/090-systems-manager/Scheduled-Script-Automation.yaml Show resolved Hide resolved
org-formation/090-systems-manager/Scheduled-Script-Automation.yaml
envVarName=envParamNamePair[0]
ssmParamName=envParamNamePair[1]
envVarValue = client.get_parameter(Name=ssmParamName, WithDecryption=True)['Parameter']['Value']
keyValuePair=envVarName+":"+envVarValue
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what if envVarValue returns None or empty? should we check for that?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If so then the script will get a blank value for the given env var. That will only happen if someone enters an empty value in SSM Parameter Store.

Copy link
Contributor

@zaro0508 zaro0508 Oct 16, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what if they forget to define the parameter in the AWS SSM? or they define it with an parameter name that doesn't match the one that's passed in to these templates?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In that case line 196 will raise an exception, i.e., get_parameter will fail.

org-formation/090-systems-manager/Scheduled-Script-Automation.yaml Show resolved Hide resolved
@zaro0508 zaro0508 requested a review from a team October 16, 2024 17:13
@brucehoff brucehoff requested a review from zaro0508 October 16, 2024 19:21
@brucehoff brucehoff merged commit 2536fb7 into Sage-Bionetworks-IT:master Oct 17, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zaro0508 zaro0508 zaro0508 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@brucehoff @zaro0508