Source Control Your AWS CloudFormation Templates With GitHub | by Sarah Lean | May, 2022

Enhance your productivity with GitHub Actions

Photo by author

Source control is the practice of tracking and managing changes to your code. This could be software code or infrastructure as code (IaC).

Source control on the development side of IT has been common practice for a long time. But it is something that is still new or uncommon within the operations teams in IT.

I can hold my hand up and say a lot of the scripts or deployment templates I wrote used to live in folders marked version 1, old version, new version, etc. Or even in draft emails in my email account. What a crazy way to work, right?

Thanks to the invention and my discovery of GitHub, I've become better at writing and storing scripts (hopefully!). Now everything is publicly on display.

I've recently been learning and creating AWS CloudFormation templates and have created a GitHub repository to help store my templates, so I can work on them and also share them with others.

You can find my work here: https://github.com/weeyin83/AWSCloudFormationSamples

When I was creating the templates on my local machine, I had been using certain tools to validate and check my templates for best practices and any security vulnerabilities.

This led me to see if I could build these checks into my GitHub repository with GitHub Actions, and I can!

When writing a template, it can be easy to get into bad habits or use the wrong phrasing or syntax. Especially when you're switching between languages or even multitasking.

In order to test your AWS CloudFormation templates, you can deploy them. That will help to validate your template, but there are other, better ways. Lint testing your code is the way forward.

Lint testing your code can help you identify errors or best practice violations. You can lint test your code as you write it. There are often tools you can install or plugins within your favourite code editor. But a best practice is also to perform lint testing when you check code into your source control environment.

To help validate your AWS CloudFormation templates, you can use a tool called cfn-lint.

The cfn-lint tool can validate both YAML and JSON templates against the AWS CloudFormation Resource Specification.

The cfn-lint tool returns a zero exit code if no issues are found in your template. Any other value means there is something wrong with the template. Here's a list of the possible codes to help you (the values add together, so a template with both an error and a warning returns 6):

  • 0 means no issue was found
  • 2 is an error
  • 4 is a warning
  • 6 is an error and a warning
  • 8 is an informational
  • 10 is an error and an informational
  • 12 is a warning and an informational
  • 14 is an error, a warning and an informational

There's another tool called cfn_nag that can check your code for potentially insecure infrastructure. When you read the documentation for this tool, the author says it can check for things such as:

  • IAM rules that are too permissive (wildcards)
  • Security group rules that are too permissive (wildcards)
  • Access logs that aren't enabled
  • Encryption that isn't enabled
  • Password literals
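To make the first two findings concrete, here is a constructed CloudFormation template (an added example, not one of the author's repository templates) that pairs a resource cfn_nag would flag with a hardened version of the same resource. The parameter names, bucket reference and the `templates/` layout are assumptions for the illustration.

```yaml
# Constructed example: each flagged resource is followed by a hardened version.
AWSTemplateFormatVersion: "2010-09-09"
Description: Before/after snippets for the IAM and security group findings cfn_nag reports

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  AdminCidr:
    Type: String
    Description: CIDR range allowed to reach the host over SSH (assumed, e.g. an office range)
    AllowedPattern: ^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$
  ArtifactBucket:
    Type: String
    Description: Name of the only bucket the instance role may read from (assumed)

Resources:
  # --- Flagged: wildcard action on a wildcard resource ---
  OverlyPermissiveRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: everything
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: "*"
                Resource: "*"

  # --- Hardened: only the action the instance needs, on one named bucket ---
  ScopedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-artifacts
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource: !Sub arn:aws:s3:::${ArtifactBucket}/*

  # --- Flagged: SSH open to the whole internet and no egress rule declared ---
  OpenSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH from anywhere (flagged)
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0

  # --- Hardened: ingress limited to a parameterised range, egress declared explicitly ---
  RestrictedSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH from the administrative range only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr
          Description: SSH from the admin range
      SecurityGroupEgress:
        # Still broad: cfn_nag also warns about egress open to the world, so
        # narrow this further (e.g. to a prefix list) where the workload allows.
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: HTTPS to AWS APIs and package mirrors
```

Running cfn_nag over a file containing only the two "flagged" resources produces the wildcard and open-CIDR findings described above; the hardened versions replace `*` with a single action on a single resource and replace `0.0.0.0/0` on port 22 with an operator-supplied range.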

Checking your infrastructure templates early in the process for any potential security issues is important. No one wants to be responsible for security holes within their infrastructure that could cause reputational or financial problems for them or their customers.

With our AWS CloudFormation templates being stored within GitHub as a central repository, we want to make sure that only templates that conform to the correct standards are stored there.

In order to do this, we can build a GitHub Actions workflow that will run the cfn-lint and cfn_nag tools.

Here is the GitHub Actions workflow I've created:

GitHub Workflow to check CloudFormation

The workflow I created will trigger for a number of reasons:

  • When something is pushed into the main branch of the repository
  • When a pull request is created to push something into the repository's main branch
  • When manually triggered

The GitHub Action runs on an Ubuntu runner. It runs the following three steps:

  • Checkout — This step checks out the code so the workflow can work with it and have access to it.
  • cfn-lint-action — This second step runs all my YAML template files against the cfn-lint tool.
  • stelligent cfn_nag — This third step runs the cfn_nag tool against all of the templates.
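The workflow described above, written out as an added example rather than the author's own gist (which the page does not reproduce). It assumes the templates live in a `templates/` directory of the repository, and it uses the `actions/checkout`, `ScottBrenner/cfn-lint-action` and `stelligent/cfn_nag` actions from the GitHub Marketplace; the `command` and `input_path` inputs and the version tags are taken from those actions' documentation as I recall it, so check them against the current README of each action.

```yaml
# Added example workflow: .github/workflows/cloudformation-checks.yml
name: Check CloudFormation templates

on:
  push:
    branches: [main]          # anything pushed to main
  pull_request:
    branches: [main]          # any pull request targeting main
  workflow_dispatch:          # manual trigger from the Actions tab

# Least privilege: the checks only read the repository, so the job
# token needs nothing beyond read access to contents.
permissions:
  contents: read

jobs:
  lint-and-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      # cfn-lint exits non-zero for any error or warning (see the exit-code
      # list above), which fails this step and therefore the check.
      - name: cfn-lint-action
        uses: ScottBrenner/cfn-lint-action@v2
        with:
          command: cfn-lint --template templates/*.yaml   # assumed template location

      # cfn_nag scans every template under the given directory and fails the
      # step when it reports failing findings.
      - name: stelligent cfn_nag
        uses: stelligent/cfn_nag@master
        with:
          input_path: templates   # assumed template location
```

Because both tools fail their step on findings, a pull request that introduces a wildcard IAM statement or a world-open security group shows a red check before anyone merges it, which is exactly the behaviour described in the next paragraphs.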

I recently created a pull request attempting to merge a new template into the main repository, and when the checks ran, there were errors.

When I drilled into the details, I could see I had some warnings and errors within my template according to the cfn_nag tool.

This helps alert me and the owner or maintainer of the repository that the template has some issues and needs to be looked at before being merged into the main branch.

Let me know how you are using GitHub Actions to help store and write better Infrastructure as Code templates!
