aws / aws-proton-public-roadmap

This is the public roadmap for AWS Proton
https://aws.amazon.com/proton

dynamic referencing in a template not resolving #30

Closed hine0088 closed 3 years ago

hine0088 commented 3 years ago

While using dynamic referencing in a template, it seems that the secret value isn't resolved correctly and results in an empty string. The file uploaded to S3 while creating the environment template has the correct syntax but the template as seen in the CloudFormation console for the stack seems to have an empty string. Instead of letting CloudFormation resolve the dynamic references, it seems that it is being resolved even before it gets to CloudFormation. Interestingly enough, it is taking the dynamic referencing syntax out of the comments as well which leads me to believe that it is parsing the template entirely before creating the CloudFormation stack.

clareliguori commented 3 years ago

Hi @hine0088 I assume you're referring to CloudFormation dynamic references, for example: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-secretsmanager

Both CloudFormation dynamic references and Jinja use the same special characters {{ and }} to indicate something that should be resolved: {{resolve:secretsmanager:MySecret:SecretString:password:EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE}}

During the Jinja compilation phase of the Proton deployment, Jinja is attempting to interpret that dynamic reference because it is between {{ and }}, and replaces it with an empty string as it is not a valid Jinja expression.

You can use Jinja escaping to escape those characters so that they end up in the final CloudFormation template: https://jinja.palletsprojects.com/en/2.11.x/templates/#escaping

For example:

{{ '{{resolve:secretsmanager:MySecret:SecretString:password:EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE}}' }}

Or:

{% raw %}
  MyRDSInstance:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      DBName: MyRDSInstance
      AllocatedStorage: '20'
      DBInstanceClass: db.t2.micro
      Engine: mysql
      MasterUsername: '{{resolve:secretsmanager:MyRDSSecret:SecretString:username}}'
      MasterUserPassword: '{{resolve:secretsmanager:MyRDSSecret:SecretString:password}}'
{% endraw %}
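
A pre-deployment check for the mistake discussed above, added here as an example and not code from the thread or from Proton: it scans a template for CloudFormation dynamic references (anything matching {{resolve:...}}) that sit outside a {% raw %} block and outside a quoted {{ '...' }} expression, so they would be consumed during the Jinja phase instead of reaching CloudFormation. The three sample templates are constructed; the comment-line case mirrors the behaviour hine0088 noticed with references inside YAML comments.

```python
import re

# Constructed sample templates (not from the thread): one broken, two escaped.
BROKEN_TEMPLATE = """\
MyRDSInstance:
  Type: 'AWS::RDS::DBInstance'
  Properties:
    Engine: mysql
    # Jinja does not know YAML comments: {{resolve:ssm:MyParameter}} goes too
    MasterUsername: '{{resolve:secretsmanager:MyRDSSecret:SecretString:username}}'
    MasterUserPassword: '{{resolve:secretsmanager:MyRDSSecret:SecretString:password}}'
"""
RAW_TEMPLATE = """\
MyRDSInstance:
  Type: 'AWS::RDS::DBInstance'
  Properties:
    Engine: mysql
{% raw %}
    MasterUsername: '{{resolve:secretsmanager:MyRDSSecret:SecretString:username}}'
    MasterUserPassword: '{{resolve:secretsmanager:MyRDSSecret:SecretString:password}}'
{% endraw %}
"""
QUOTED_TEMPLATE = """\
MyRDSInstance:
  Type: 'AWS::RDS::DBInstance'
  Properties:
    MasterUserPassword: "{{ '{{resolve:secretsmanager:MyRDSSecret:SecretString:password}}' }}"
"""

# A CloudFormation dynamic reference, e.g. {{resolve:secretsmanager:...}}.
DYNAMIC_REF = re.compile(r"\{\{resolve:[^}]*\}\}")
# Regions Jinja passes through verbatim: {% raw %}...{% endraw %} blocks ...
RAW_BLOCK = re.compile(r"\{%-?\s*raw\s*-?%\}.*?\{%-?\s*endraw\s*-?%\}", re.DOTALL)
# ... and string-literal expressions such as {{ '...' }} or {{ "..." }}.
QUOTED_EXPR = re.compile(r"\{\{\s*(['\"])(.*?)\1\s*\}\}", re.DOTALL)


def unescaped_dynamic_refs(template: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for every dynamic reference that Jinja
    would try to evaluate, i.e. one not protected by raw or string escaping."""
    protected = [m.span() for m in RAW_BLOCK.finditer(template)]
    protected += [m.span() for m in QUOTED_EXPR.finditer(template)]
    findings = []
    for m in DYNAMIC_REF.finditer(template):
        if any(start <= m.start() and m.end() <= end for start, end in protected):
            continue  # Jinja will emit this reference unchanged
        line_no = template.count("\n", 0, m.start()) + 1
        findings.append((line_no, m.group(0)))
    return findings


if __name__ == "__main__":
    for name, tpl in [("broken", BROKEN_TEMPLATE), ("raw", RAW_TEMPLATE), ("quoted", QUOTED_TEMPLATE)]:
        print(name, unescaped_dynamic_refs(tpl))
```

Running it against the broken template reports three unescaped references (including the one in the comment); the raw-block and quoted-string variants report none.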

hine0088 commented 3 years ago

That worked perfectly, thanks so much! Easier to see with hindsight now. I did the following

  MyRDSInstance:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      DBName: MyRDSInstance
      AllocatedStorage: '20'
      DBInstanceClass: db.t2.micro
      Engine: mysql
{% raw %}
      MasterUsername: '{{resolve:secretsmanager:MyRDSSecret:SecretString:username}}'
      MasterUserPassword: '{{resolve:secretsmanager:MyRDSSecret:SecretString:password}}'
{% endraw %}

rafavallina commented 3 years ago

I'm going to resolve this as it seems to have been cleared (thanks Clare!). We are looking to compile some best practices when writing a template, and will add this suggestion