Teri Radichel

Automatically Displaying the Reason A CloudFormation Stack Failed Using AWS CLI

ACM.251 Develop CloudFormation faster by getting information you need to resolve errors more quickly


I keep trying to finish this S3 bucket deployment but keep hitting glitches. In the last post I explained how to get the actual path of a file that is sourced in your bash scripts, in an attempt to simplify my code.

I’m always trying to not just fix the current error but do everything faster in the future. As I hit the next error while developing the S3 bucket script, I decided I’m tired of running separate commands to look up the reason a stack failed. I just want to output those errors when I get them so I can resolve them more quickly. I don’t know why the AWS CLI doesn’t do this in the first place. #awswishlist.

If you’ve ever used AWS CloudFormation from the command line you’ve seen this failure message:

To run the command suggested in that message you need to add the same profile and region you were using, and neither is included in the message. So it's not just a matter of copying and pasting the command, which also takes time.

I thought, well, I’ll just add that command to my function. No problem. I’ve got that information from the command that caused the error.

Ah, not so simple is it, Grasshopper?

The problem is that I'm using -e with my bash scripts to stop on error, so things don't get into a wonky state when commands run after a failure and resources are missing because of that failure. But the deploy command, the one that runs before the command I want to use to get this output, throws an error. So the script stops. It never gets to the command that prints the error details.

Just catch that exception, you think. Oh, but there’s no try-catch construct in bash, unfortunately.

There is a way to fake a try-catch type statement in bash. You can join two commands with an or, written as two pipe characters (||), like this:

command1 || command2

Command2 will run if command1 fails.

Great, but I build my command by concatenating all the relevant bits into a string named "c" and then execute "c" like this:

$c

So I tried to concatenate in various ways such as formulating my error command in variable e and then doing something like this:

c="$c || $e"
$($c)

Guess what: you can't use a pipe in a string executed in that manner. I didn't realize that was the source of my problems until I had spent a decent amount of time fiddling with it.

I ended up writing something like this, which sort of worked:

{ ($c); } || { ($e); }

except that the value of “e” was:

aws cloudformation describe-stack-events --stack-name $stackname --max-items 5 --profile $profile | grep -i "status"

Yet again, I have a pipe in my string, this time in the value of "e". The wonky error I got was not at all clear about invalid values in the command. It led me to crop off the pipe and everything after it, and then my or statement worked. Hmm… is it the pipe? A bit of Googling confirmed that was the problem.

Great, but I want to limit the output to the status messages, so I need that pipe and my handy grep command. Now what?

I moved my error command into a function so there would be no pipe in the command string:

Then I can run the command like this:

Look ma, no pipes!

And with that I get the status output on error, showing me the error of my ways while trying to deploy a CloudFormation stack:

In this case, I was trying to grant access to use a key to a role, but the role creation stack exists in a different account, so I cannot reference the CloudFormation stack output to get the role name. And that is the next issue I need to resolve to get you the S3 bucket stack…coming shortly.
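Putting the pieces above together, here is an added example script (not the post's own code) that shows both halves of the problem: why a pipe inside a command string is never treated as a pipeline, and how wrapping the describe-stack-events pipeline in a function lets it sit on the right side of || under set -e. The stack name, template file, profile and region are placeholder arguments supplied by the caller; the aws subcommands and flags are the real CLI ones. One detail the post's version leaves out: a bare "c || e" returns e's exit status, so if the grep finds something the script would carry on as though the deploy had succeeded. The function below returns 1 after printing the events so set -e still stops the script.

```bash
#!/usr/bin/env bash
# Added example, not the original post's script. Stack name, template path,
# profile and region are placeholders supplied by the caller.
set -euo pipefail

# Why the pipe in a command string does not work: when "$c" is expanded
# unquoted, the shell only performs word splitting. The "|" becomes a
# literal argument to the first word; it is never parsed as a pipeline.
broken_pipe_in_string() {
  local c='printf %s\n a b | grep b'
  $c    # printf receives "|", "grep" and "b" as extra arguments to print
}

# The fix: put the pipeline inside a function. To the caller the function
# is a single command, so it can follow "||" with no pipe in any string.
stack_status_events() {
  local stackname="$1" profile="$2" region="$3"
  aws cloudformation describe-stack-events \
      --stack-name "$stackname" --max-items 5 \
      --profile "$profile" --region "$region" \
    | grep -i "status"
}

# Deploy and, on failure, print the recent status lines for the same
# stack, profile and region, then fail again so "set -e" still stops
# the calling script instead of treating the lookup's success as a
# successful deploy.
deploy_stack() {
  local stackname="$1" template="$2" profile="$3" region="$4"
  aws cloudformation deploy \
      --stack-name "$stackname" --template-file "$template" \
      --profile "$profile" --region "$region" \
    || { stack_status_events "$stackname" "$profile" "$region"; return 1; }
}

# Usage: ./deploy.sh <stack-name> <template-file> <profile> <region>
if [ "$#" -eq 4 ]; then
  deploy_stack "$@"
fi
```

Because shell functions are looked up by name at call time, you can also exercise deploy_stack without touching AWS by defining a throwaway aws function that fails the deploy and emits a few constructed event lines, which is handy for checking that the error path prints what you expect before you rely on it in a real deployment.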

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024
