Avoiding Naming Conflicts in CloudFormation Template Outputs
ACM.399 Making sure output names are unique across stacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.
🔒 Related Stories: AWS Security | DevOps
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the last post I wrote about the problems with limiting access to change a specific Service Control Policy using the policy itself. It’s also challenging to do this if you give a user both IAM and SCP permissions. I hope to resolve that in another post.
I also inserted a missing post number into my story list since I should have written about this earlier.
In this post, I’m going to adjust my CloudFormation output names to address issues I’ve noticed with name conflicts.
I mentioned that going forward I wanted to make the name of a CloudFormation output match the passed-in parameter name, so I always know which output holds the ARN or the ID.
Since doing that I’ve run into a couple of issues, so I need to tweak my naming convention. Sometimes a resource has both an ARN and an ID, and sometimes you need or want both. I can resolve that by prefixing the output name with id- or arn-.
Why not put that at the end? Someone might already have -id or -arn at the end of a name, and for reasons I’m not going to delve into here that can cause problems. A prefix you want to base policies or decisions on belongs at the beginning of the name.
Next, I hit a conflict where a user and an account both had the same name, and I can’t use the same name for two different outputs (output logical IDs must be unique within a stack, and export names must be unique across all stacks in a region). That’s easy enough to solve: add the resource category and type.
So my output name looks like this:

This pretty much aligns with the CloudFormation stack naming convention, except we’re not using the username and environment. Might we have multiple users deploying the template in the same environment with the same output? Perhaps. What about a dev environment? Developers might have their own copy of a stack. But then the resource name should be different, right?
What about the environment? The environment should be in the name of the resource, governed by the single deployment function that deploys all my resources.

Note that I’m doing something a bit odd with the name here. I want this SCP to always have a particular name, but I also want to use NameParam in the outputs so I don’t introduce typos. I can allow a value to be passed in, but only allow a single value, like this:

Now the name parameter is optional (it has a default), enforced (CloudFormation rejects any other value at validation time), and I can still reference it in my outputs.
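As an added illustration, not the template from this post (whose exact output format and parameter block are not shown on this page), here is a minimal CloudFormation template that puts the two ideas together: a NameParam that is optional but can only take one value, and outputs that reference it with an id-/arn- prefix followed by a resource category and type. The SCP name DenyLeaveOrganization, the organizations-scp category/type segment and the policy content are hypothetical placeholders. One caveat a practitioner will hit: output logical IDs must be alphanumeric, so the hyphenated convention has to live on the Export name, and it is the export name, not the logical ID, that CloudFormation requires to be unique across stacks in a region.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added illustration (not the original post's template): an SCP whose name is
  fixed by restricting NameParam to a single allowed value, with outputs whose
  export names carry an id-/arn- prefix plus an assumed resource category/type.

Parameters:
  NameParam:
    Type: String
    Description: Name of the SCP. Optional to pass, but only one value is accepted.
    # Default makes the parameter optional; AllowedValues with a single entry
    # makes it enforced. Any other value fails template validation.
    Default: DenyLeaveOrganization        # hypothetical SCP name
    AllowedValues:
      - DenyLeaveOrganization

Resources:
  ServiceControlPolicy:
    Type: AWS::Organizations::Policy
    Properties:
      # The resource name comes from the parameter, so the name used here and
      # the name used in the outputs below cannot drift apart.
      Name: !Ref NameParam
      Type: SERVICE_CONTROL_POLICY
      Description: Hypothetical illustrative SCP (placeholder content)
      Content:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Action: organizations:LeaveOrganization
            Resource: "*"

Outputs:
  # Logical IDs (PolicyId, PolicyArn) must be alphanumeric, so the hyphenated
  # naming convention goes on the Export name. Export names are what must be
  # unique across stacks in a region, which is where the id-/arn- prefix and
  # the organizations-scp category/type segment avoid collisions, e.g. with a
  # user or account output that happens to share the same NameParam value.
  PolicyId:
    Description: ID of the SCP
    Value: !GetAtt ServiceControlPolicy.Id
    Export:
      Name: !Sub "id-organizations-scp-${NameParam}"
  PolicyArn:
    Description: ARN of the SCP
    Value: !GetAtt ServiceControlPolicy.Arn
    Export:
      Name: !Sub "arn-organizations-scp-${NameParam}"
```

Deploying with aws cloudformation deploy --template-file scp.yaml --stack-name deny-leave-org uses the default name; adding --parameter-overrides NameParam=SomethingElse fails validation because the value is not in AllowedValues, which is the enforcement this post relies on. Another stack can then pick up the ID with Fn::ImportValue on id-organizations-scp-DenyLeaveOrganization, and a second stack trying to export the same name in the same region is rejected, which is exactly the conflict the prefix and category/type are there to prevent.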
So now I need to take a minute and fix all my outputs in my revised directory structure.
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2023
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab