Teri Radichel

Summary

Teri Radichel discusses a method for streamlining the retrieval of AWS resource IDs and ARNs from CloudFormation stacks using a consistent naming convention and a single function.

Abstract

In an effort to simplify and standardize the process of looking up IDs and Amazon Resource Names (ARNs) from CloudFormation outputs, Teri Radichel proposes a system that leverages a consistent naming convention for CloudFormation stacks. By ensuring that stack names follow a specific format, which includes the owner profile, resource type, and resource name, Radichel suggests that a single function can be created to retrieve the necessary identifiers for any resource. This approach eliminates the need for multiple, similar functions and reduces the potential for inconsistency and duplication in code. Radichel illustrates the concept with examples of how to refactor existing functions to adhere to this new, streamlined method, which can be applied across various AWS resources, whether they use IDs or ARNs.

Opinions

  • Radichel emphasizes the importance of consistency in naming CloudFormation stacks and exports to facilitate the use of a single function for ID/ARN retrieval.
  • She acknowledges the potential for inconsistency in her own previous work, which led to the realization that a more standardized approach was necessary.
  • The author believes that by adhering to a strict stack naming format, the value to use for the export in any stack becomes clear and predictable.
  • Radichel suggests that most AWS resources have either an ID or an ARN, and by using the resource name for the output, a unified retrieval function can be implemented.
  • She posits that if the naming conventions are followed, many smaller functions for retrieving resource identifiers can be replaced with a single, more efficient function.

Simplifying ID Lookups from CloudFormation Outputs

ACM.275 Single function to look up IDs and ARNs from CloudFormation stacks

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: S3 Bucket | Application Security | CloudFormation

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post I created a VPC with a public and private subnet. The route table associated with the subnet is what makes it public or private.

As I was writing that code I found myself using stack exports to get IDs for resources and once again I found myself writing what felt like duplicate code. I also had to try to remember the export name. Initially when I started this series I was tacking on “Export” to export names for clarity but then sometimes I found myself being inconsistent.

I started thinking that if I could be very consistent I could use one function to get the ID or ARN for any resource.

An ID is an identifier that is used to retrieve or represent an option. For example, in the last post, I was using route table IDs, VPC IDs, and subnet IDs.

Some resources on AWS do not have an ID. They have ARNs, or “Amazon Resource Names.” For example, an AWS IAM Role does not have an ID; it has an ARN.

I was trying to think of a resource that has both an ARN and an ID but I can’t think of one. Perhaps there is one. But all I can think of are resources that have one or the other.

If we presume that pretty much every resource has one or the other, and we can give pretty much every resource a Name, then what if we create an export for every CloudFormation stack — where possible — that returns either the resource ID or ARN for the output with the same name as the resource?

We also have that name in the CloudFormation stack name. The stack names are supposed to be in this format (except I may have inadvertently deviated in a few places):

owner profile - resource type - resource name

If we know that is always the format of the stack and we always use the resource name for the ID or ARN, then we can look at any stack and we know the value to use for the export for that stack. It is the last value after the profile and resource type.

A single function can return the ID or ARN for any stack

If I can keep myself consistent on those points, then I can create a single function to return the ID or ARN for the resource created by any CloudFormation stack.

If I can consistently name stacks and outputs then I can get rid of a whole bunch of other little functions. Consider this function:

What if I write a function like this instead:

I could modify the get_role_arn() function (which should possibly indicate that it requires a CloudFormation stack) to look like this:

But really the above function is so simple now I could replace the line that calls it with the second line in the function above. Now I can use my new function anywhere I need to get an ID or ARN from a CloudFormation stack, presuming I followed my own naming conventions.
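One way to write that single lookup function, as an added example that is not the author's code: it derives the export name from a stack named profile-resourcetype-resourcename and then finds that export's value. It assumes each stack exports its ID or ARN under the resource name, as the post proposes; the function names, profile names, and sample export values are constructed for the example, and the export text is passed in as a parameter so it runs without AWS credentials.

```shell
#!/bin/sh
# Added example, not the author's code. Assumes the post's conventions:
# stack names are "<profile>-<resourcetype>-<resourcename>" and each stack
# exports its ID or ARN under the resource name. Function names are made up.
set -eu

# Derive the export name from a stack name: everything after the first two
# dash-separated fields, so resource names may themselves contain dashes.
export_name_from_stack() {
  stack="$1"
  case "$stack" in
    *-*-*) ;;
    *) echo "stack '$stack' does not match profile-type-name" >&2; return 1 ;;
  esac
  rest="${stack#*-}"          # strip the profile
  printf '%s\n' "${rest#*-}"  # strip the resource type
}

# Find one export value in tab-separated "Name<TAB>Value" lines, the shape of
#   aws cloudformation list-exports --query 'Exports[].[Name,Value]' --output text
# Taking the text as a parameter keeps this runnable without AWS credentials.
lookup_export() {
  name="$1"; exports="$2"
  value=$(printf '%s\n' "$exports" | awk -F'\t' -v n="$name" '$1 == n { print $2; exit }')
  [ -n "$value" ] || { echo "no export named '$name'" >&2; return 1; }
  printf '%s\n' "$value"
}

# The single function: ID or ARN for the resource created by any stack.
get_stack_output() {
  out_name=$(export_name_from_stack "$1") || return 1
  lookup_export "$out_name" "$2"
}

# A former special-purpose helper reduces to one line (hypothetical name).
get_role_arn() {
  get_stack_output "iamadmin-role-$1" "$2"
}

# Constructed sample standing in for real list-exports output.
SAMPLE_EXPORTS=$(printf 'SharedVPC\tvpc-0123456789abcdef0\nPublic-Route-Table\trtb-0fedcba9876543210\nBatchJobRole\tarn:aws:iam::123456789012:role/BatchJobRole\n')

get_stack_output networkadmin-vpc-SharedVPC "$SAMPLE_EXPORTS"
get_stack_output networkadmin-routetable-Public-Route-Table "$SAMPLE_EXPORTS"
get_role_arn BatchJobRole "$SAMPLE_EXPORTS"
```

A stack name with fewer than three fields, or a stack whose export is missing, makes the function fail loudly rather than return an empty string, which is the case a caller of the old one-off helpers would otherwise silently hit.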

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab