Skip to content

feat(cloudformation): Add partial NoEcho parameter support #11897

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 19, 2024
Merged

feat(cloudformation): Add partial NoEcho parameter support #11897

merged 1 commit into from
Dec 19, 2024

Conversation

rominf
Copy link
Contributor

@rominf rominf commented Nov 21, 2024
edited
Loading

Motivation

This commit introduces support for the NoEcho attribute in CloudFormation parameters. This change aligns LocalStack's behavior more closely with AWS CloudFormation, providing a more accurate local testing environment.

Changes

The implementation ensures that sensitive parameters marked with NoEcho: true are properly masked in responses from describe-stacks and describe-change-set operations, enhancing security and compliance.

  • Masked NoEcho parameters in the Parameters section of describe-stacks output
  • Applied similar masking logic to the Parameters section in describe-change-set output

Follow-up changes might include printing warnings when using NoEcho parameters, stating that this may expose sensitive information in the stack outputs and metadata. Users should ensure that sensitive information is not directly embedded in the template.

@rominf rominf force-pushed the rominf-cloudformation-noecho branch 3 times, most recently from eca35ab to b626579 Compare November 22, 2024 16:50
@rominf rominf marked this pull request as ready for review November 22, 2024 16:53
@rominf rominf changed the title Support NoEcho field in CloudFormation parameters feat(cloudformation): Add partial NoEcho parameter support Nov 22, 2024
@rominf rominf force-pushed the rominf-cloudformation-noecho branch from b626579 to 004168b Compare November 24, 2024 09:05
@rominf rominf mentioned this pull request Nov 24, 2024
Closed
@alexrashed alexrashed added aws:cloudformation AWS CloudFormation semver: patch Non-breaking changes which can be included in patch releases labels Nov 25, 2024
simonrw
simonrw reviewed Nov 25, 2024
View reviewed changes
Copy link
Contributor

@simonrw simonrw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a really good first attempt. Just a few comments in the code.

Did you consider the additional caveats when implementing this feature?

image

From the docs

Would you tackle these here or in a follow up?

@rominf rominf force-pushed the rominf-cloudformation-noecho branch from 004168b to 82e958a Compare November 26, 2024 09:07
@rominf
Copy link
Contributor Author

rominf commented Nov 26, 2024

@simonrw Thank you for your review and feedback.

I have addressed all code comments. As for handling the caveats related to NoEcho parameters, I want to ensure that my implementation aligns with AWS best practices. Specifically, here is what I have done:

  1. Outputs Section:

    • I have a test that ensures parameters referenced in the Outputs section are printed as-is in API responses.
    • This aligns with AWS documentation, which states that values in the Outputs section should not be masked.

  2. Metadata Section:

    • Currently, my implementation does not mask any values in the Metadata section.
    • I plan to add tests to verify this behavior and ensure it remains consistent.

  3. Resource Metadata Attribute:

    • Similarly, values in the Metadata attribute of resource definitions are not masked.
    • I plan to add tests to cover this aspect as well.

  4. Primary Identifiers:

    • I understood that NoEcho parameters should not used in properties that form primary identifiers for resources.
    • If such a scenario is detected, I plan to print a warning message during stack creation or update operations.

  5. Warnings for Sensitive Data:

    • While NoEcho does not mask data in the Metadata and Outputs sections and Resource Metadata Attribute, I will consider adding warnings when users create or update stacks with NoEcho parameters in these sections by modifying resolve_dependencies function.
    • This aligns with AWS best practices to avoid embedding sensitive information directly in templates.

Would you like me to add specific tests for the Metadata section and Resource Metadata attribute? Additionally, should I proceed with printing warnings for NoEcho parameters used in places mentioned above?

@simonrw
Copy link
Contributor

simonrw commented Nov 26, 2024

Thanks for the detailed response @rominf.

  1. Outputs Section:
  • I have a test that ensures parameters referenced in the Outputs section are printed as-is in API responses.
  • This aligns with AWS documentation, which states that values in the Outputs section should not be masked.

👍

  1. Metadata Section:
  • Currently, my implementation does not mask any values in the Metadata section.
  • I plan to add tests to verify this behavior and ensure it remains consistent.
  1. Resource Metadata Attribute:
  • Similarly, values in the Metadata attribute of resource definitions are not masked.
  • I plan to add tests to cover this aspect as well.

That's great, thanks - updating the single test you have would be enough to cover both of these cases. The test already snapshots the Outputs section, so it's just the two Metadata sections that are not covered.

  1. Primary Identifiers:
  • I understood that NoEcho parameters should not used in properties that form primary identifiers for resources.
  • If such a scenario is detected, I plan to print a warning message during stack creation or update operations.
  1. Warnings for Sensitive Data:
  • While NoEcho does not mask data in the Metadata and Outputs sections and Resource Metadata Attribute, I will consider adding warnings when users create or update stacks with NoEcho parameters in these sections by modifying resolve_dependencies function.
  • This aligns with AWS best practices to avoid embedding sensitive information directly in templates.

I think this is a nice feature to have for our users. I am not sure if resolve_dependencies is the right place. I think we have two options:

  1. perform a looser check that prints a warning if any of the Parameters have NoEcho set, with a message like: "NoEcho parameters are being used. This may expose sensitive information in the stack outputs and metadata. Please ensure that you are not embedding sensitive information directly in the template.", or
  2. perform a stricter check that warns in these specific situations i.e. when a property is used in a position where it may be exposed. In which case, we could use either resolve_outputs, or resolve_ref (if we know where the resolution is happening). We don't have any helpers for resolution in the Metadata section, so we would likely skip this for now.

Which would you suggest?

@simonrw
Copy link
Contributor

simonrw commented Nov 26, 2024

@rominf I can see one of our integration tests failing with your latest commit. Could you fix this please?

@rominf rominf force-pushed the rominf-cloudformation-noecho branch 2 times, most recently from b871e6b to afdfbcb Compare November 26, 2024 13:30
@rominf
Copy link
Contributor Author

rominf commented Nov 26, 2024

@simonrw You are right; resolve_dependencies is not the correct place. I would perform stricter checks, as looser checks might give too many false positives. Since AWS documentation explicitly mentions that NoEcho should be avoided, I do not see much value in implementing a looser check. However, I would prefer to ship full strict checking, and since helpers are not fully ready, I would prioritize other tasks.

As for the template Metadata, it turns out that CloudFormation does not expose the fully processed or final template, so I implemented a check for resource Metadata only.

I can see one of our integration tests failing with your latest commit. Could you fix this please?

Thanks. I fixed it.

@rominf rominf requested a review from simonrw November 26, 2024 13:49
@rominf rominf force-pushed the rominf-cloudformation-noecho branch from afdfbcb to aaa2474 Compare November 26, 2024 15:00
@simonrw simonrw force-pushed the rominf-cloudformation-noecho branch from aaa2474 to 0cd3b9c Compare December 19, 2024 11:25
@rominf @simonrw
feat(cloudformation): Add partial NoEcho parameter support
8072a41 
This commit introduces support for the `NoEcho` attribute in
CloudFormation parameters.

The implementation ensures that sensitive parameters marked with
`NoEcho: true` are properly masked in responses from `describe-stacks`
and `describe-change-set` operations, enhancing security and compliance.

- Masked `NoEcho` parameters in the Parameters section of
  `describe-stacks` output
- Applied similar masking logic to the Parameters section in
  `describe-change-set` output

This change aligns LocalStack's behavior more closely with
AWS CloudFormation, providing a more accurate local testing environment.

Follow-up changes might include printing warnings when using `NoEcho`
parameters, stating that this may expose sensitive information in the
stack outputs and metadata. Users should ensure that sensitive
information is not directly embedded in the template.
@simonrw simonrw force-pushed the rominf-cloudformation-noecho branch from 0cd3b9c to 8072a41 Compare December 19, 2024 11:50
simonrw
simonrw approved these changes Dec 19, 2024
View reviewed changes
Copy link
Contributor

@simonrw simonrw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for resolving my suggestions, this PR is looking good 🎉 Thank you for your contribution!

@simonrw simonrw merged commit e4038fc into localstack:master Dec 19, 2024
29 checks passed
@rominf rominf deleted the rominf-cloudformation-noecho branch December 19, 2024 14:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simonrw simonrw simonrw approved these changes

@dominikschubert dominikschubert Awaiting requested review from dominikschubert

@pinzon pinzon Awaiting requested review from pinzon

Assignees

@simonrw simonrw

Labels
aws:cloudformation AWS CloudFormation semver: patch Non-breaking changes which can be included in patch releases
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rominf @simonrw @alexrashed