Template error: variable names in Fn::Sub syntax must contain only alphanumeric characters, underscores, periods, and colons

0

Keep getting: Template error: variable names in Fn::Sub syntax must contain only alphanumeric characters, underscores, periods, and colons

        UserData:
          Fn::Base64: !Sub |
            #!/bin/bash
            timedatectl set-timezone America/New_York
            yum -y update
            yum install -y jq

            # ---> need to pass BuildEnvironment
            run_env=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHCSecret-${BuildEnvironment} --query SecretString --output text | jq .run_env)
            enc_key=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHCSecret-${BuildEnvironment} --query SecretString --output text | jq .enc_key)
            eureka_password=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHCSecret-${BuildEnvironment} --query SecretString --output text | jq .eureka_password)
asked a year ago
358 views
2 Answers
0

As I answered here, I think you need to do the following.
https://repost.aws/ja/questions/QUMP7MdW-FQuW8sD6g8BhQ8Q/how-to-create-a-dynamic-secret-key-pair-and-pass-it-to-the-user-data-whose-name-is-also-dynamic-in-cloudformation

        UserData:
          Fn::Base64: 
            !Sub 
            - |-
              #!/bin/bash
              timedatectl set-timezone America/New_York
              yum -y update
              yum install -y jq
    
              export LOAD_BALANCER_DNS=${LoadBalancerDNS}
              run_env=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHSecret-${BuildEnvironment} --query SecretString --output text | jq .run_env)
              enc_key=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHSecret-${BuildEnvironment} --query SecretString --output text | jq .enc_key)
              eureka_password=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHSecret-${BuildEnvironment} --query SecretString --output text | jq .eureka_password)
              # The "!" makes Fn::Sub leave this shell variable for bash to expand
              echo "127.0.0.1  ${!LOAD_BALANCER_DNS}" >> /etc/hosts
            - LoadBalancerDNS: !GetAtt 'ELBCloud1C.DNSName'
              
EXPERT
answered a year ago
  • UserData:
      Fn::Base64:
        !Sub
        - |-
          #!/bin/bash
          timedatectl set-timezone America/New_York
          yum -y update
          yum install -y jq
          run_env=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHCSecret-${BuildEnvironment} --query SecretString --output text | jq .run_env)
          enc_key=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHCSecret-${BuildEnvironment} --query SecretString --output text | jq .enc_key)
          eureka_password=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHCSecret-${BuildEnvironment} --query SecretString --output text | jq .eureka_password)

    I get this error now: Template error: One or more Fn::Sub intrinsic functions don't specify expected arguments. Specify a string as first argument, and an optional second argument to specify a mapping of values to replace in the string

    I think the Fn::Sub is having issues with the bash where we have $(aws secretsmanager then inside it we have ${ }.

  • UserData:
      Fn::Base64:
        !Sub |-
          #!/bin/bash
          timedatectl set-timezone America/New_York
          yum -y update
          yum install -y jq
          run_env=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHCSecret-${BuildEnvironment} --query SecretString --output text | jq .run_env)
          enc_key=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHCSecret-${BuildEnvironment} --query SecretString --output text | jq .enc_key)
          eureka_password=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHCSecret-${BuildEnvironment} --query SecretString --output text | jq .eureka_password)
    

    That error occurs when there is only one argument. If there is only one argument, the "-" can be deleted as above.

  •         UserData:
              Fn::Base64:
                !Sub  |-
                  #!/bin/bash
                  timedatectl set-timezone America/New_York
                  yum -y update
                  yum install -y jq
                  yum install -y java-11-amazon-corretto-headless httpd
                  run_env=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHCSecret-${BuildEnvironment} --query SecretString --output text | jq .run_env)
                  enc_key=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHCSecret-${BuildEnvironment} --query SecretString --output text | jq .enc_key)
                  eureka_password=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHCSecret-${BuildEnvironment} --query SecretString --output text | jq .eureka_password)
                  echo $eureka_password > /var/log/echoSecret.txt
    

    It's showing the original error: Template error: variable names in Fn::Sub syntax must contain only alphanumeric characters, underscores, periods, and colons

  • I do not get that error in my environment. EC2 can also be started with this UserData. I also checked "/var/log/echoSecret.txt" and found the proper secret.

          UserData:
            Fn::Base64: 
              !Sub 
               |-
                #!/bin/bash
                timedatectl set-timezone America/New_York
                yum -y update
                yum install -y jq
        
                run_env=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHSecret-${BuildEnvironment} --query SecretString --output text | jq .run_env)
                enc_key=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHSecret-${BuildEnvironment} --query SecretString --output text | jq .enc_key)
                eureka_password=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHSecret-${BuildEnvironment} --query SecretString --output text | jq .eureka_password)
                echo $eureka_password > /var/log/echoSecret.txt
    
0

Attached is the CloudFormation template I am using for my verification.

AWSTemplateFormatVersion: "2010-09-09"

Description: test Stack

Parameters:
# ------------------------------------------------------------#
# Parameters
# ------------------------------------------------------------# 
  BuildEnvironment:
    Default: BuildEnvironment
    Type: String

  VolumeSize:
    Default: 8
    Type: Number

  Ec21InstanceType:
    Default: t2.micro
    Type: String

  Vpcid:
    Type: AWS::EC2::VPC::Id
    Description: Enter VPC ID

  PublicSubnet1:
    Type: AWS::EC2::Subnet::Id
    Description: Enter Subnet ID

# ------------------------------------------------------------#
# secrets
# ------------------------------------------------------------# 
Resources:
  MHCSecret:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Name: !Sub MHSecret-${BuildEnvironment}
      Description: This secret has a hardcoded password in SecretString (use GenerateSecretString instead)
      SecretString: 
        !Sub |-
          {
            "run_env": "${BuildEnvironment}",
            "enc_key": "3?kdfjs",
            "eureka_password": "devadmin"
          }

# ------------------------------------------------------------#
# IAM
# ------------------------------------------------------------# 
  Ec2SsmRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument: 
        Version: "2012-10-17"
        Statement: 
          - Effect: Allow
            Principal: 
              Service: 
                - ec2.amazonaws.com
            Action: 
              - 'sts:AssumeRole'
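      ManagedPolicyArns: 
        # Verification only: AdministratorAccess is far broader than the
        # secretsmanager:GetSecretValue call the UserData script makes.
        - arn:aws:iam::aws:policy/AdministratorAccess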
      RoleName: EC2SsmRole

  Ec2IamInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: Ec2InstanceProfile
      Roles: 
        - !Ref Ec2SsmRole

# ------------------------------------------------------------#
# Security Group
# ------------------------------------------------------------# 
  Ec2Sg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: for EC2
      GroupName: ec2-sg
      SecurityGroupEgress: 
        - CidrIp: 0.0.0.0/0
          FromPort: -1
          IpProtocol: -1
          ToPort: -1
      SecurityGroupIngress: 
        - FromPort: 80
          IpProtocol: tcp
          ToPort: 80
          CidrIp: 0.0.0.0/0
      Tags: 
        - Key: Name
          Value: ec2-sg
      VpcId: !Ref Vpcid

# ------------------------------------------------------------#
# EC2
# ------------------------------------------------------------# 
  Ec2:
    Type: AWS::EC2::Instance
    Properties:
      BlockDeviceMappings: 
        - DeviceName: /dev/xvda
          Ebs:
            DeleteOnTermination: true
            Encrypted: true
            Iops: 3000
            VolumeSize: !Ref VolumeSize
            VolumeType: gp3
      IamInstanceProfile: !Ref Ec2IamInstanceProfile
      ImageId: ami-06a0cd9728546d178
      InstanceType: !Ref Ec21InstanceType
      NetworkInterfaces: 
        - AssociatePublicIpAddress: true
          DeleteOnTermination: true
          DeviceIndex: 0
          GroupSet: 
            - !Ref Ec2Sg
          SubnetId: !Ref PublicSubnet1
      Tags:
        - Key: Name
          Value: ec2
      UserData:
        Fn::Base64: 
          !Sub 
           |-
            #!/bin/bash
            timedatectl set-timezone America/New_York
            yum -y update
            yum install -y jq
    
            run_env=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHSecret-${BuildEnvironment} --query SecretString --output text | jq .run_env)
            enc_key=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHSecret-${BuildEnvironment} --query SecretString --output text | jq .enc_key)
            eureka_password=$(aws secretsmanager get-secret-value --region us-east-1 --secret-id MHSecret-${BuildEnvironment} --query SecretString --output text | jq .eureka_password)
            # Verification only: this leaves the secret in clear text on disk.
            echo $eureka_password > /var/log/echoSecret.txt
EXPERT
answered a year ago
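
To locate the token that triggers the error discussed in this thread, the following added example (not code from the question or the answers) scans a script destined for `Fn::Sub` and classifies every `${...}` token using the character rule quoted in the error message. The function name `check_sub`, the verdict labels and the sample shell lines other than the `MHCSecret-${BuildEnvironment}` line are assumptions made for illustration.

```python
import re

# Name rule as stated in the CloudFormation error message on this page:
# alphanumeric characters, underscores, periods, and colons.
VALID_NAME = re.compile(r"[A-Za-z0-9_.:]+")
TOKEN = re.compile(r"\$\{([^}]*)\}")


def check_sub(text, known_names):
    """Classify every ${...} token in a string destined for Fn::Sub.

    known_names: parameter and resource logical IDs, plus keys of the
    Fn::Sub mapping, that the template declares (supplied by the caller).
    Returns a list of (line_number, token, verdict).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN.finditer(line):
            inner = m.group(1)
            if inner.startswith("!"):
                verdict = "literal"      # ${!X} is emitted as ${X} for the shell
            elif not VALID_NAME.fullmatch(inner):
                verdict = "invalid"      # triggers the "variable names" error
            elif inner.startswith("AWS::") or inner.split(".")[0] in known_names:
                verdict = "resolved"     # pseudo parameter or declared name
            else:
                verdict = "unresolved"   # valid name, but nothing declares it
            findings.append((lineno, m.group(0), verdict))
    return findings


# Constructed sample: the second line comes from the question; the others
# are hypothetical shell lines added to exercise each verdict.
SAMPLE = """#!/bin/bash
aws secretsmanager get-secret-value --secret-id MHCSecret-${BuildEnvironment}
export LOAD_BALANCER_DNS=${LoadBalancerDNS}
echo "127.0.0.1 ${LOAD_BALANCER_DNS}" >> /etc/hosts
echo "127.0.0.1 ${!LOAD_BALANCER_DNS}" >> /etc/hosts
region=${AWS::Region}
env=${run_env:-dev}
len=${#enc_key}
"""

if __name__ == "__main__":
    for finding in check_sub(SAMPLE, {"BuildEnvironment", "LoadBalancerDNS"}):
        print(*finding)
```

Command substitution such as `$(aws ...)` never matches the token pattern, so only brace expansions are reported.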
