Use s3ObjectKey or randomize S3 object name when uploading Cloudformation template #524

Open
fischaz opened this issue Jun 28, 2023 · 0 comments

fischaz commented Jun 28, 2023

Is your feature request related to a problem? Please describe.

I'm trying to use a "Common" Azure DevOps asset S3 bucket to store (temporarily) all CF templates when I use the task CloudFormationCreateOrUpdateStack@1.

To avoid creating too many buckets and all, I created a shared bucket in the CICD AWS account and shared it with my ORG, and then each account's Azure DevOps deployment role has read/write access to the bucket to temporarily use it to store the CF template if required...

This makes my task look like this:

```yaml
- task: CloudFormationCreateOrUpdateStack@1
  name: DeployTransitGateway
  displayName: "Deploy Transit Gateway"
  inputs:
    awsCredentials: 'AzureDevopsSecurityDeploymentRole'
    regionName: 'ap-southeast-2'
    stackName: 'transit-gateway'
    templateSource: 'file'
    templateFile: 'templates/transit-gateway.yaml'
    templateParametersFile: 'configs/ap-southeast-2/transit-gateway.yaml'
    s3BucketName: 'azuredevops-assets-xxxxxxxxx-ap-southeast-2'
    s3ObjectKey: '437044670697/ap-southeast-2/transit-gateway.yaml'
```

Sadly, with this model, the upload of the CF template does work in the specified bucket, but it uses the "basename" of the file to upload as the S3 object key...

This poses a risk that someone / something may use the same "template name" in a different Azure DevOps project / repository and break the S3/CF deployment due to a race condition:

  • Pipeline 1 uploads transit-gateway.yaml
  • Pipeline 2 (Project B) uploads transit-gateway.yaml
  • Pipeline 1 tries to create/update the stack using S3 object "transit-gateway.yaml" (which now points to the pipeline 2 project file, so it's likely to break).

Describe the solution you'd like

I have 2 options in mind:

  • Either randomly generate a checksum / UUID of the template to generate the S3 object Key.
  • Use the s3ObjectKey parameter as the upload key name to override the default of the task during upload.

Describe alternatives you've considered

Yes - I know I could add a pre-task to do the S3 upload to whatever path I need and then change the CloudFormationCreateOrUpdateStack@1 task to set templateSource: s3 and specify the key. But this is just too much work at this time for something that CloudFormationCreateOrUpdateStack@1 almost does.

Additional context
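The following is an added example, not code from the issue author or from the aws-toolkit-azure-devops project. It implements the first option requested above (a content-derived key instead of the bare basename) and replays the three-step interleaving from the issue against a constructed in-memory stand-in for the shared bucket, so the overwrite with the basename-only key and the absence of one with the content-addressed key can both be checked. The account ID, region, template bodies and the `<account>/<region>/<sha256>/<basename>` key layout are all assumptions chosen for the example; the real task's key layout is whatever the maintainers decide.

```python
"""Added example: collision-resistant S3 object keys for uploaded CloudFormation
templates, plus a replay of the race described in the issue.

Not part of the aws-toolkit-azure-devops task; all names and data are assumed.
"""
import hashlib
import posixpath


def basename_key(account_id: str, region: str, template_path: str, template_bytes: bytes) -> str:
    """Key derivation the issue describes: only the file's basename is used.

    account_id, region and template_bytes are accepted so both strategies share
    a signature, but this variant ignores them, which is exactly the problem.
    """
    return posixpath.basename(template_path)


def content_addressed_key(account_id: str, region: str, template_path: str, template_bytes: bytes) -> str:
    """Assumed layout: <account>/<region>/<sha256 of template>/<basename>.

    Two pipelines can only collide on a key if they upload byte-identical
    templates, in which case the second PutObject overwrites with the same
    bytes and the first pipeline's stack operation is unaffected.
    """
    digest = hashlib.sha256(template_bytes).hexdigest()
    return f"{account_id}/{region}/{digest}/{posixpath.basename(template_path)}"


# Constructed sample templates: same basename, different content (Project A vs B).
TEMPLATE_A = b"Resources:\n  Tgw:\n    Type: AWS::EC2::TransitGateway\n"
TEMPLATE_B = b"Resources:\n  Vpc:\n    Type: AWS::EC2::VPC\n"


def simulate_race(key_fn) -> bool:
    """Replay the interleaving from the issue against an in-memory 'bucket'.

    Returns True if pipeline 1 still reads back its own template at the moment
    it calls CreateStack/UpdateStack, False if pipeline 2's upload replaced it.
    """
    bucket: dict[str, bytes] = {}  # stand-in for the shared S3 bucket

    # Pipeline 1 (account 111111111111) uploads templates/transit-gateway.yaml
    key_1 = key_fn("111111111111", "ap-southeast-2", "templates/transit-gateway.yaml", TEMPLATE_A)
    bucket[key_1] = TEMPLATE_A

    # Pipeline 2 (Project B, account 222222222222) uploads a file with the same basename
    key_2 = key_fn("222222222222", "ap-southeast-2", "infra/transit-gateway.yaml", TEMPLATE_B)
    bucket[key_2] = TEMPLATE_B

    # Pipeline 1 now points CloudFormation at key_1. Is it still its own template?
    return bucket[key_1] == TEMPLATE_A


if __name__ == "__main__":
    print("basename key, pipeline 1 reads its own template:", simulate_race(basename_key))
    print("content-addressed key, pipeline 1 reads its own template:", simulate_race(content_addressed_key))
    print("example key:", content_addressed_key("111111111111", "ap-southeast-2",
                                                "templates/transit-gateway.yaml", TEMPLATE_A))
```

The pre-task workaround the issue mentions maps directly onto this: compute the key from the template bytes in a script step, upload with `aws s3 cp` to that key, and hand the same key to the task with `templateSource: s3`. Including the account ID and region in the prefix also gives each deployment role a natural boundary for an IAM `s3:PutObject` condition on its own prefix, so one project's role cannot overwrite another's uploads even if the hashing were bypassed.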
