Setting Values for CloudFormation Template (CFT) Parameters and Pseudo Parameters

Examples for setting CFT parameter and pseudo parameter values with mimics

When DevOps engineers write IaC templates, they'll often use parameters and pseudo parameters to enable using the same infrastructure for different purposes and environments. InsightCloudSec can run IaC scans on these templates without manually providing any values for them because the default value from the template is used (if one is specified) or a new value is generated as necessary (if there isn't a default specified).

However, InsightCloudSec can more accurately simulate IaC resources if it has the same parameter and pseudo parameter values that AWS does when CloudFormation creates a stack. To support these more accurate simulations, the mimics client accepts containing values for parameters using the --parameters flag and values for pseudo parameters using the --overrides flag.

CFT Parameters

Here's an example of a CFT defining an application that's deployed with different instance sizes in development and production environments:

AWSTemplateFormatVersion: "2010-09-09"
Description: Example template with parameterized instance sizes
Parameters:
  ParameterizedInstanceType:
    Type: String
    Default: t2.micro
    AllowedValues:
      - t2.micro
      - m1.large
    Description: Use large instances in production, small instances in development
Resources:
  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType:
        Ref: ParameterizedInstanceType
      ImageId: example-ami

This template defines a parameter named ParameterizedInstanceType in its Parameters block, which is later used in the Resources block. As a result, DevOps users can specify it as a variable when the stack is created rather than in the template itself. In many automated workflows, they do so by specifying a parameter file to aws create-stack:

aws cloudformation create-stack \
  --stack-name ExampleStack \
  --template-body file://template.yaml
  --parameters file://example-parameters.json

The file can have any name, so CloudFormation users simply pass that name to the create-stack subcommand. In this case, example-parameters.json contains a JSON array of parameter objects in an AWS-specific format:

[
  {
    "ParameterKey": "ParameterizedInstanceType",
    "ParameterValue": "m1.large"
  }
]

This is a simple example, but CFTs often have dozens of user-defined parameters. If no file is provided or if the parameter name isn't in the parameters file, CloudFormation will use the Default value with which the parameter was defined in the template.

Setting Parameter Values in InsightCloudSec CFT Scans

Because the create-stack command expects the format listed in the example above, DevOps teams using CFT probably already have files in this format. For convenience, the mimics --parameters flag accepts the same format; you can use these files without modification. InsightCloudSec uses the "ParameterKey" and "ParameterValue" keys in the objects and ignores all other keys.

For example, if a DevOps team sets parameter values in a file named example-parameters.json, you could provide it to mimics with a command like this:

$ mimics scan \
    ./example-cft.json \
    --base-url=ics-url.net \
    --config-name='Example Configuration Name' \
    --provider=cft \
    --scan_name='Example Scan' \
    --report-formats=html \
    --parameters=./example-parameters.json

As with CloudFormation, if no file is provided to InsightCloudSec or if the parameter name isn't in the parameters file, InsightCloudSec will use the Default value with which the parameter was defined in the template.

CFT Pseudo Parameters

CFT resources can also use values for AWS-specific parameters called pseudo parameters, which can specify the current account ID, region name, and other deployment-time values that can't be changed in templates. For example, it's common to dynamically generate ARNs for resources using the AWS::AccountId and AWS::Region pseudo parameters:

Resources:
  DynamicAccessPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ExampleDynamicPolicy
      Roles:
        - Ref: ExampleRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ReceieveFromAny
            Effect: Allow
            Action:
              - sqs:ReceiveMessage
            Resource:
              - Fn::Join:
                  - ""
                  - - "arn:aws:sqs:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountNumber
                    - ":*"

Note that CFT authors can't specify custom values for these parameters. Instead, AWS will substitute these values in the cloud when the stack is created. In this case, the ARN constructed in Fn::Join will be a valid ARN pattern for all SQS queues in the region and account in which the stack is created.

For accurate and complete analysis, it can be helpful to set these values for InsightCloudSec scans. For example, in the template above, providing the correct account number can help us accurately analyze for policies granting permissions to principals in unknown accounts.

Setting Pseudo Parameter Values in InsightCloudSec CFT Scans

To specify values for pseudo parameters, create a file to provide to the mimics --overrides flag. This file can have any name and should contain a single JSON object mapping pseudo parameter names to the values you want to substitute:

{
  "AWS::AccountId": "123456789012",
  "AWS::Region": "us-west-2"
}

Use this file with the --overrides flag to set these values in scans:

$ mimics scan \
    ./example-cft.json \
    --base-url=ics-url.net \
    --config-name='Example Configuration Name' \
    --provider=cft \
    --scan_name='Example Scan' \
    --report-formats=html \
    --overrides=./example-pseudo-params.json

You can also specify the names of user-specified parameters as keys; if you do, they will take precedent over values set in the file passed via --parameters. This allows you to override values in the parameters files your DevOps team uses without changing those configuration files:

{
  "AWS::AccountId": "123456789012",
  "AWS::Region": "us-west-2",
  "ParameterizedInstanceType": "fake.ics.scan.instance.type"
}

The values for pseudo parameters will likely be different depending on the pipeline in which the template is used; a single CFT could be used by many pipelines to define deployments in different environments. Work with CFT authors and pipeline teams to determine how to choose values for pseudo parameters in this file for each pipeline in which the template is used.


Did this page help you?