
aws-cloudformation-github-deploy's Introduction

AWS CloudFormation "Deploy CloudFormation Stack" Action for GitHub Actions

Package License: MIT

Deploys AWS CloudFormation Stacks.

Usage

- name: Deploy to AWS CloudFormation
  uses: aws-actions/aws-cloudformation-github-deploy@v1
  with:
    name: MyStack
    template: myStack.yaml
    parameter-overrides: "MyParam1=myValue,MyParam2=${{ secrets.MY_SECRET_VALUE }}"

The action takes a CloudFormation Stack name and a template file. The template can be a local file in the working directory or a URL to a template stored in an Amazon S3 bucket. The action creates the Stack if it does not exist; otherwise it creates a Change Set to update the Stack. By default, an update fails when the Change Set is empty. Setting no-fail-on-empty-changeset: "1" overrides this behavior so that no error is thrown.

Inputs

A few inputs are highlighted below. See action.yml for the full documentation for this action's inputs and outputs.

parameter-overrides (OPTIONAL)

To override parameter values in the template, provide a string or a file; the file can be local or a URL.

Override multiple parameters separated by commas: "MyParam1=myValue1,MyParam2=myValue2"

Override a comma delimited list: "MyParam1=myValue1,MyParam1=myValue2" or MyParam1="myValue1,myValue2"

Override parameters using a local JSON file: "file:///${{ github.workspace }}/parameters.json" with a file named parameters.json at the root of the repository:

[
  {
    "ParameterKey": "MyParam1",
    "ParameterValue": "myValue1"
  }
]

You can learn more about AWS CloudFormation
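The inline syntax described above, as an added TypeScript example that is not the action's own parser: it splits on commas outside double quotes, merges repeated keys into one comma-delimited value, and rejects a piece that has no `=`. The function names, the rejection behavior and the `isSingleValue` check (for a value taken from a workflow input or secret before it is interpolated into the string) are assumptions of this example.

```typescript
// Added example: an illustrative parser for the inline parameter-overrides
// syntax. It is not the action's src/utils.ts; names and error handling are
// assumptions. The file:// form is not handled here.

interface StackParameter {
  ParameterKey: string;
  ParameterValue: string;
}

// Split on commas that are outside double quotes, so MyParam1="a,b" stays whole.
function splitOutsideQuotes(input: string): string[] {
  const pieces: string[] = [];
  let current = "";
  let inQuotes = false;
  for (let i = 0; i < input.length; i++) {
    const ch = input.charAt(i);
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === "," && !inQuotes) {
      pieces.push(current);
      current = "";
    } else {
      current += ch;
    }
  }
  if (inQuotes) throw new Error("unterminated double quote in parameter-overrides");
  pieces.push(current);
  return pieces;
}

// Remove one pair of surrounding double quotes, if present.
function stripQuotes(value: string): string {
  const n = value.length;
  if (n >= 2 && value.charAt(0) === '"' && value.charAt(n - 1) === '"') {
    return value.substring(1, n - 1);
  }
  return value;
}

// Parse "K1=v1,K2=v2". A repeated key becomes a comma-delimited list value.
function parseOverrides(input: string): StackParameter[] {
  const order: string[] = [];
  const values: { [key: string]: string[] } = Object.create(null);
  splitOutsideQuotes(input).forEach((raw) => {
    const piece = raw.trim();
    if (piece === "") return; // tolerate a trailing comma
    const eq = piece.indexOf("=");
    // An unquoted list such as SubnetId=a,b leaves "b" without a key.
    if (eq <= 0) throw new Error('expected Key=Value, got "' + piece + '"');
    const key = piece.substring(0, eq).trim();
    const value = stripQuotes(piece.substring(eq + 1).trim());
    const seen = values[key];
    if (seen === undefined) {
      values[key] = [value];
      order.push(key);
    } else {
      seen.push(value);
    }
  });
  return order.map((key) => ({
    ParameterKey: key,
    ParameterValue: (values[key] || []).join(","),
  }));
}

// A value that is interpolated into the override string is split by the same
// rules, so a comma or "=" inside it changes which parameters are set.
// Accept only a conservative character set (assumed allowlist) beforehand.
function isSingleValue(value: string): boolean {
  return /^[A-Za-z0-9._:\/@+-]+$/.test(value);
}

// Constructed sample: overrides in the style of a folded YAML scalar, with
// region "eu-west-1" and key pair "my-key" as made-up inputs.
const renderedSample =
  "AvailabilityZones=eu-west-1a, AvailabilityZones=eu-west-1c, " +
  "KeyPairName=my-key, NumberOfAZs=2";

console.log(JSON.stringify(parseOverrides(renderedSample)));
```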

Credentials and Region

This action relies on the default behavior of the AWS SDK for JavaScript to determine AWS credentials and region. Use the aws-actions/configure-aws-credentials action to configure the GitHub Actions environment with environment variables containing AWS credentials and your desired region.

We recommend following Amazon IAM best practices for the AWS credentials used in GitHub Actions workflows, including:

  • Do not store credentials in your repository's code. You may use GitHub Actions secrets to store credentials and redact credentials from GitHub Actions workflow logs.
  • Create an individual IAM user with an access key for use in GitHub Actions workflows, preferably one per repository. Do not use the AWS account root user access key.
  • Grant least privilege to the credentials used in GitHub Actions workflows. Grant only the permissions required to perform the actions in your GitHub Actions workflows. See the Permissions section below for the permissions required by this action.
  • Rotate the credentials used in GitHub Actions workflows regularly.
  • Monitor the activity of the credentials used in GitHub Actions workflows.

Permissions

We recommend reading AWS CloudFormation Security Best Practices.

This action requires the following minimum set of permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:DeleteChangeSet",
                "cloudformation:ExecuteChangeSet"
            ],
            "Resource": "*"
        }
    ]
}

The policy above does not grant cloudformation:DeleteStack, so these credentials cannot delete the stack, which is the intended behavior for a production policy.
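An added TypeScript example (not part of the action) that checks a policy document against the minimum set above: it reports required actions that are missing, whether cloudformation:DeleteStack is allowed once wildcards such as cloudformation:* are expanded, and whether an Allow statement uses Resource "*". It is simplified by assumption: Condition, Resource scoping and NotAction are not evaluated, and BROAD_POLICY is a constructed sample.

```typescript
// Added example, not part of the action: a simplified check of which
// CloudFormation actions an identity-based policy allows. Condition, Resource
// scoping and NotAction are deliberately not evaluated (assumption).

interface IamStatement {
  Effect: string;
  Action?: string | string[];
  Resource?: string | string[];
}

interface IamPolicy {
  Version?: string;
  Statement: IamStatement | IamStatement[];
}

interface PolicyAudit {
  missing: string[];           // required actions the policy does not allow
  deleteStackAllowed: boolean; // true if the stack could be deleted
  wildcardResource: boolean;   // true if an Allow statement uses Resource "*"
}

// Minimum set listed in the README policy.
const REQUIRED_ACTIONS: string[] = [
  "cloudformation:CreateStack",
  "cloudformation:DescribeStacks",
  "cloudformation:CreateChangeSet",
  "cloudformation:DescribeChangeSet",
  "cloudformation:DeleteChangeSet",
  "cloudformation:ExecuteChangeSet",
];

function asList(v: string | string[] | undefined): string[] {
  if (v === undefined) return [];
  return typeof v === "string" ? [v] : v;
}

function statementsOf(policy: IamPolicy): IamStatement[] {
  return Array.isArray(policy.Statement) ? policy.Statement : [policy.Statement];
}

// IAM action patterns are case-insensitive; "*" matches any run of
// characters and "?" matches a single character.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(source, "i").test(action);
}

// Allowed when some Allow statement matches and no Deny statement matches.
function isAllowed(policy: IamPolicy, action: string): boolean {
  const statements = statementsOf(policy);
  const hits = (s: IamStatement) =>
    asList(s.Action).some((p) => actionMatches(p, action));
  const denied = statements.some((s) => s.Effect === "Deny" && hits(s));
  const allowed = statements.some((s) => s.Effect === "Allow" && hits(s));
  return allowed && !denied;
}

function auditPolicy(policy: IamPolicy): PolicyAudit {
  return {
    missing: REQUIRED_ACTIONS.filter((a) => !isAllowed(policy, a)),
    deleteStackAllowed: isAllowed(policy, "cloudformation:DeleteStack"),
    wildcardResource: statementsOf(policy).some(
      (s) => s.Effect === "Allow" && asList(s.Resource).indexOf("*") !== -1
    ),
  };
}

// The policy from the README.
const README_POLICY: IamPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: REQUIRED_ACTIONS.slice(), Resource: "*" },
  ],
};

// Constructed sample: a broader policy that loses the no-delete property.
const BROAD_POLICY: IamPolicy = {
  Version: "2012-10-17",
  Statement: { Effect: "Allow", Action: "cloudformation:*", Resource: "*" },
};

console.log(JSON.stringify(auditPolicy(README_POLICY)));
console.log(JSON.stringify(auditPolicy(BROAD_POLICY)));
```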

Example

Do you want to run your microservices on Amazon Elastic Kubernetes Service and follow best practices for running the cluster? With this GitHub Action you can customize and deploy the modular and scalable Amazon EKS architecture provided in an AWS Quick Start to your AWS account. The following workflow lets you create and update a Kubernetes cluster using a manual workflow trigger.

You only have to create an Amazon EC2 key pair to run this workflow.

name: Deploy Cluster

on:
  workflow_dispatch:
    inputs:
      region:
        description: 'AWS Region'
        required: true
        default: 'eu-west-1'
      keypair:
        description: 'SSH Key Pair'
        required: true

jobs:
  cluster:
    name: Deploy stack to AWS
    runs-on: ubuntu-latest
    outputs:
      env-name: ${{ steps.env-name.outputs.environment }}
    steps:
    - name: Checkout
      uses: actions/checkout@v2

    - name: Configure AWS credentials
      id: creds
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: ${{ github.event.inputs.region}}

    - name: Configure environment name
      id: env-name
      env:
        REPO: ${{ github.repository }}
      run: |
        ENVIRONMENT=`echo $REPO | tr "/" "-"`
        echo "Environment name: $ENVIRONMENT"
        echo "environment=$ENVIRONMENT" >> $GITHUB_OUTPUT

    - name: Deploy Amazon EKS Cluster
      id: eks-cluster
      uses: aws-actions/aws-cloudformation-github-deploy@master
      with:
        name: ${{ steps.env-name.outputs.environment }}-cluster
        template: https://s3.amazonaws.com/aws-quickstart/quickstart-amazon-eks/templates/amazon-eks-master.template.yaml
        no-fail-on-empty-changeset: "1"
        parameter-overrides: >-
          AvailabilityZones=${{ github.event.inputs.region }}a,
          AvailabilityZones=${{ github.event.inputs.region }}c,
          KeyPairName=${{ github.event.inputs.keypair }},
          NumberOfAZs=2,
          ProvisionBastionHost=Disabled,
          EKSPublicAccessEndpoint=Enabled,
          EKSPrivateAccessEndpoint=Enabled,
          RemoteAccessCIDR=0.0.0.0/0

Proxy Configuration

If you run in a self-hosted or otherwise secured environment where you need to use a specific proxy, you can set it in the action manually.

Additionally, this action always honors a proxy that is already configured in the environment.

Manually configured proxy:

uses: aws-actions/aws-cloudformation-github-deploy@v1
with:
  name: eks-primary
  template: https://s3.amazonaws.com/aws-quickstart/quickstart-amazon-eks/templates/amazon-eks-master.template.yaml
  no-fail-on-empty-changeset: "1"
  http-proxy: "http://companydomain.com:3128"

Proxy configured in the environment variable:

# Your environment configuration
HTTP_PROXY="http://companydomain.com:3128"

The action will read the underlying proxy configuration from the environment and you don't need to configure it in the action.

License

MIT

aws-cloudformation-github-deploy's People

Contributors

asifma, clareliguori, dependabot-preview[bot], dependabot[bot], dev-slatto, eg-cmd, fergusmcglynn, jimallanson, jongwooo, josealdaco, karm435, katallaxie, kddejong, merofuruya, robd, sanarisan, thebox193, tjovicic

aws-cloudformation-github-deploy's Issues

Action fail after 1 hour even if timeout-in-minutes is set to bigger value

Hello!

I have a Stack that creates a database from the snapshot. Unfortunately it may take up to 2 hours to set up.

When I am using your action like this:

    - name: Create production database copy CloudFormation stack
      uses: aws-actions/aws-cloudformation-github-deploy@v1
      with:
        name: ${{ inputs.jira_id }}-production-db-copy
        template: .github/actions/create_production_db_copy/production-copy.json
        no-fail-on-empty-changeset: "1"
        timeout-in-minutes: 120

It fails after 1 hour:

Run aws-actions/aws-cloudformation-github-deploy@v1
  with:
    name: TICKET-123-production-db-copy
    template: .github/actions/create_production_db_copy/production-copy.json
    no-fail-on-empty-changeset: 1
    timeout-in-minutes: 120
    capabilities: CAPABILITY_IAM
    no-execute-changeset: 0
    no-delete-failed-changeset: 0
    disable-rollback: 0
    termination-protection: 0
  env:
    pythonLocation: /home/ubuntu/actions-runner/_work/_tool/Python/3.9.16/x64
    PKG_CONFIG_PATH: /home/ubuntu/actions-runner/_work/_tool/Python/3.9.16/x64/lib/pkgconfig
    Python_ROOT_DIR: /home/ubuntu/actions-runner/_work/_tool/Python/3.9.16/x64
    Python2_ROOT_DIR: /home/ubuntu/actions-runner/_work/_tool/Python/3.9.16/x64
    Python3_ROOT_DIR: /home/ubuntu/actions-runner/_work/_tool/Python/3.9.16/x64
    LD_LIBRARY_PATH: /home/ubuntu/actions-runner/_work/_tool/Python/3.9.16/x64/lib
    AWS_DEFAULT_REGION: eu-central-1
    AWS_REGION: eu-central-1
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***

Error: Resource is not in the state stackCreateComplete

Looks like the timeout-in-minutes is passed to AWS CloudFormation API, but the action ignores the value and still fails after 1 hour.

Input description is interpolated

Getting this error running this action from @master:

Error: aws-actions/aws-cloudformation-github-deploy/master/action.yml (Line: 18, Col: 18):
Error: aws-actions/aws-cloudformation-github-deploy/master/action.yml (Line: 18, Col: 18): Unrecognized named-value: 'github'. Located at position 1 within expression: github.workspace
Error: Fail to load aws-actions/aws-cloudformation-github-deploy/master/action.yml

Looking at action.yml, the example, using ${{ github.workspace }}, appears to be interpolated, and the variable isn't set up that early.

Mistake in documentation for parameter-overrides

Fix #61 introduced a mistake in the documentation stored in the action.yml

Currently, the documentation states:

(e.g. file://github.workspace/variables.json

while it should say:

(e.g. file://${{ github.workspace }}/variables.json

This may not be an issue for experienced users but a simple copy paste from the documentation results in an error when running the action:

Error: File URL host must be "localhost" or empty on linux

Suggested fix:
Add the proper syntax as a comment in the action.yml file, for the ${{ github.workspace }} not to be interpolated
or
Add a section about using local parameter files to the README file.

I can work on both but I'd like some feedback first. @kddejong

Feature Request: Allow inclusion of stack policy when deploying

I'm trying to deploy using this action but if for whatever reason my stack fails and the stack is rolled back I want to be able to update which is why I usually have a cloudformation stack policy. There doesn't seem to be any way to provide a policy when deploying using the action. Could this feature get introduced please?

So it would work like this:

- name: Deploy to AWS CloudFormation
  uses: aws-actions/aws-cloudformation-github-deploy@v1
  with:
    name: My-Stack-Name
    template: ${{ github.workspace}}/cloudformation.yml
    policy: ${{ github.workspace }}/cloudformation-policy.yml

Feature: Package templates and upload to Amazon S3 bucket

This feature should implement the following behavior:

  • Upload a template to an S3 bucket and replace URL in the template with the S3 URL
  • Upload nested templates to an S3 bucket and replace URLs in the template with the S3 URL
  • Use the referenced template in creating the stack or creating the changeset

Related issues:

#32

ParameterOverrides with commas in them fail

I've got a parameter that is a comma separated list. This doesn't work; it instead splits on this value, expecting it to be another Key-Value pair.

I've tried with all sorts of combinations of " and ' around the parameters and couldn't get it working.

env:
  SECURITY_GROUP_ID: sg-11111111
  SUBNET_ID: subnet-11111111,subnet-22222222

      - name: Deploy to AWS CloudFormation
        id: cloudformation
        uses: aws-actions/aws-cloudformation-github-deploy@v1
        with:
          name: MyStack
          template: ./infrastructure.json
          parameter-overrides: >-
            SecurityGroupId=${{ env.SECURITY_GROUP_ID }},
            SubnetId=${{ env.SUBNET_ID }}

The error I get is

Error: Invalid input for parameter key subnet-22222222". Need to specify either usePreviousValue as true or a value for the parameter

I imagine the fix is just to update src/utils.ts line 52 to a regex that ignores the comma if you have an escape character before it.

Alternatively, update to use a newline character for separating. You won't have a newline character in your parameters, from what I can think of in my use cases.

Using parameter-overrides requires CAPABILITY_AUTO_EXPAND when expanding secrets

It was not obvious to me, but it seems as if

with:
  name: MyStack
  template: myStack.yaml
  parameter-overrides: "MyParam1=myValue,MyParam2=${{ secrets.MY_SECRET_VALUE }}"

requires that you also set capabilities to include CAPABILITY_AUTO_EXPAND. It is not clear from the documentation.

Otherwise, really enjoy trying this out for our pipeline

"CreateStack" permission is not necessary

In restricted environments, in which only ChangeSet-based creation of stacks is possible, it is impossible to use this action.

Our use case is as follows: we configure the job (using aws-actions/configure-aws-credentials) to assume an IAM role which will execute the CloudFormation deployment action. This role only has Change/ExecuteChangeSet IAM permissions.

This works for updating stacks, but for new stacks, aws-cloudformation-github-deploy action will use CreateStack, which will fail in our case.

I think it should be possible to use CreateChangeSet with ChangeSetType set to CREATE in case the stack does not exist. This will keep the same behavior while requiring a less privileged role.

See example here

If this sounds good, I am happy to contribute of course.

Deploying ECS stack

I get the following error when deploying my ECS cluster:

Error: ENOENT: no such file or directory, open '/home/runner/work/go-capture-api/go-capture-api/cloud-formation/ecs.yml'

My deploy.yml file is as follows:

name: Deploy
on:
  workflow_dispatch:
  workflow_run:
    workflows:
      - Build
    types:
      - completed

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          role-to-assume: arn:aws:iam::200049542062:role/gocapture/GithubRole
          aws-region: us-west-1

      - name: Deploy ECS Cluster
        uses: aws-actions/aws-cloudformation-github-deploy@v1
        with:
          name: GoCaptureECSCluster
          template: cloud-formation/ecs.yml
          no-fail-on-empty-changeset: 1

As you can see the name of my repository is repeated in the path. Why is this? What am I missing?

You can find the job here: https://github.com/codeguru42/go-capture-api/actions/runs/3633130293/attempts/1

'no-delete-failed-changeset' and 'no-execute-changeset' not recognised as valid inputs

When I use the following in my workflow, following the instructions here

    - id: deploy
      name: AWS CloudFormation "Deploy CloudFormation Stack" Action for GitHub Actions
      uses: aws-actions/aws-cloudformation-github-deploy@v1
      with:
        name: ${{ steps.stackname.outputs.stackname }}
        template: ${{ steps.filename.outputs.filename }}
        no-delete-failed-changeset: "1"
        no-execute-changeset: "1"
        no-fail-on-empty-changeset: "1"

I get a warning when the action executes:

##[warning]Unexpected input(s) 'no-delete-failed-changeset', 'no-execute-changeset', valid inputs are ['name', 'template', 'capabilities', 'parameter-overrides', 'no-fail-on-empty-changeset', 'disable-rollback', 'timeout-in-minutes', 'notification-arns', 'role-arn', 'tags', 'termination-protection']

The changeset is created and visible in the console, but the action is clearly still trying to deploy it, as the action then fails since I have (intentionally) not yet set the IAM permissions to actually deploy the changeset (in this case to create a hosted zone) with the following error in the cloudformation console:

API: route53:CreateHostedZone User: arn:aws:iam::<my-user-arn> is not authorized to perform: route53:CreateHostedZone

And once the deploy has failed, the changeset then deletes too, and is no longer visible.

I must be missing something somewhere, but I can't see what!

ChangeSet input is not optional

Steps to reproduce

Use job that calls the action without specifying the ChangesetName parameter

See error in build: Error: Unexpected key 'ChangeSetName' found in params

Stack does not exist

After recent updates on master branch deploying stack for the first time gives error

image

Locking to @v1.2.0 resolved the issue and deployed the stack as it was doing before

image

Problem is definitely in latest @master commits, at least it is not backwards compatible if this behavior is expected

Rough action example similar to one from screenshots to maybe help replicate (need to setup secrets and have cf template nearby):

name: Deploy

on:
  workflow_dispatch:
  workflow_call:
  push:
    branches:
      - "**"

jobs:
  backend-deploy:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          aws-access-key-id: ${{ secrets.YOUR_AWS_CLIENT_ID }}
          aws-secret-access-key: ${{ secrets.YOUR_AWS_SECRET_KEY }}
          aws-region: "eu-central-1"

      - name: Login to Amazon ECR
        uses: aws-actions/amazon-ecr-login@v1
        
      - name: Deploy vpc cloudformation
        continue-on-error: true
        id: vpc-cloudformation
        uses: aws-actions/aws-cloudformation-github-deploy@master
        with:
          name: "test-prod-vpc"
          template: ./cloudformation/public-vpc.yaml

      - name: Deploy server cloudformation
        id: server-cloudformation
        uses: aws-actions/aws-cloudformation-github-deploy@master
        with:
          name: "test-prod-server"
          template: ./cloudformation/server.yaml
          parameter-overrides: "Environment=prod"

How to specify UsePreviousValue

Is there a way to specify UsePreviousValue for parameter-overrides provided in-line rather than in a file?

In my case, some of the parameters are determined by the build (eg product version) and some maintained by operations (eg min/max ASG size). I want to UsePreviousValue for the ops params. The build param values are generated by build steps and are quite convenient to use inline.

Thanks,
-Ed

Specifying values for "capabilities" parameter?

Hi there. I have a template that creates some IAM objects, and I apparently need to specify --capabilities CAPABILITY_IAM but I'm not clear on how to do this or if it's even possible. I have tried:

name: Deploy to AWS CloudFormation
uses: aws-actions/aws-cloudformation-github-deploy@v1
with:
  name: stack-name
  template: master-packaged.template.json
  parameter-overrides: >-
    capabilities=CAPABILITY_IAM

and

name: Deploy to AWS CloudFormation
uses: aws-actions/aws-cloudformation-github-deploy@v1
with:
  name: stack-name
  template: master-packaged.template.json
  parameter-overrides: >-
    Capabilities=CAPABILITY_IAM

and also created a parameters.json file containing

[
	{
	  "ParameterKey": "Capabilities",
	  "ParameterValue": "CAPABILITY_IAM"
	}
]

and this action:

name: Deploy to AWS CloudFormation
uses: aws-actions/aws-cloudformation-github-deploy@v1
with:
  name: stack-name
  template: master-packaged.template.json
  parameter-overrides: >-
    [Capabilities=CAPABILITY_IAM](parameter-overrides: "file://${{ github.workspace }}/parameters.json")

In all cases the action fails and I get this error:

Error: Parameters: [Capabilities] do not exist in the template

Am I barking up the wrong tree here?

Error: The URL must be of scheme file

Description

Hi there,

I'm trying to use this action to deploy my project on aws, but I'm getting the following error in Github Action run: Error: The URL must be of scheme file

The stack already exists in CloudFormation, and I'm using the same template file with aws-cloudformation-github-deploy@v1 action, with some parameter overrides.

Looks like the error is related to something that I'm doing wrong with the template parameter.

I'm using the action in this way:

      - name: Deploy to Amazon ECS Cluster
        id: deploy-ecs
        uses: aws-actions/aws-cloudformation-github-deploy@v1
        with:
          name: ${{ env.APP_NAME }}
          template: infra.yml
          no-fail-on-empty-changeset: "1"
          parameter-overrides: >-
            VpcId: ${{ secrets.AWS_VPC }},
            SubnetId: ${{ secrets.AWS_SUBNETS }},
            Image: ${{ steps.push-ecr.outputs.digest }},
            EnvironmentFile: ${{ secrets.ENVIRONMENT_FILE }},
            DatabaseUsername: ${{ secrets.DB_USERNAME }},
            DatabasePassword: ${{ secrets.DB_PASSWORD }},
            DomainName: ${{ env.DOMAIN }}

The complete workflow file can be viewed below

Additional Information

CloudFormation template
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: Select a VPC that allows instances to access the Internet.
  SubnetId:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Select at two subnets in your selected VPC.
  DomainName:
    Type: String
    Description: >
      The Fully Qualified Domain Name (FQDN) to request a SSL/TLS Certificate.
      You can use a wildcard (*) to request a certificate for many subdomanins.
      For example: *.webapp.com will request a certificate for www.webapp.com
      and api.webapp.com and so on.
  DesiredCapacity:
    Type: Number
    Default: "1"
    Description: Number of instances to launch in your ECS cluster.
  MaxSize:
    Type: Number
    Default: "2"
    Description: Maximum number of instances that can be launched in your ECS cluster.
  EnvironmentFile:
    Type: String
    Description: The Amazon Resource Name (ARN) of an .env file stored in a s3 bucket.
  InstanceType:
    Type: String
    Description: EC2 instance type
    Default: t2.micro
    AllowedValues:
      - t2.micro
      - t2.small
      - t2.medium
      - t2.large
      - m3.medium
      - m3.large
      - m3.xlarge
      - m3.2xlarge
      - m4.large
      - m4.xlarge
      - m4.2xlarge
      - m4.4xlarge
      - m4.10xlarge
      - c4.large
      - c4.xlarge
      - c4.2xlarge
      - c4.4xlarge
      - c4.8xlarge
      - c3.large
      - c3.xlarge
      - c3.2xlarge
      - c3.4xlarge
      - c3.8xlarge
      - r3.large
      - r3.xlarge
      - r3.2xlarge
      - r3.4xlarge
      - r3.8xlarge
      - i2.xlarge
      - i2.2xlarge
      - i2.4xlarge
      - i2.8xlarge
    ConstraintDescription: Please choose a valid instance type.
  DatabaseUsername:
    Type: String
    Description: Type a login ID for the master user of your DB instance.
  DatabasePassword:
    NoEcho: true
    Type: String
    Description: Type a password for the master user of your DB instance.
  DatabaseType:
    Type: String
    Description: Choose a DB instance class.
    Default: db.t2.micro
    AllowedValues:
      - db.t2.micro
      - db.t2.small
      - db.t2.medium
      - db.t2.large
      - db.t2.xlarge
      - db.t2.2xlarge
      - db.t3.micro
      - db.t3.small
      - db.t3.medium
      - db.t3.large
      - db.t3.xlarge
      - db.t3.2xlarge
    ConstraintDescription: Please choose a valid instance type.
  Image:
    Type: String
    Description: The image containing the application.
Mappings:
  AWSRegionToAMI:
    us-east-1:
      AMIID: ami-01146a2120f5af1c5
    us-east-2:
      AMIID: ami-05f074075b6f667c0
    us-west-1:
      AMIID: ami-08850e7f1d87d3e1c
    us-west-2:
      AMIID: ami-063ffacdfca60f249
    sa-east-1:
      AMIID: ami-08d8d510618560f82
Resources:
  Cluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Ref AWS::StackName
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VpcId
      GroupName: !Ref AWS::StackName
      GroupDescription: !Join [ "", [ !Ref AWS::StackName, " ", "security group" ] ]
      SecurityGroupIngress:
        - Description: HTTP IPv4
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - Description: HTTP IPv6
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIpv6: ::/0
        - Description: HTTPS IPv4
          IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - Description: HTTPS IPv6
          IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIpv6: ::/0
  SecurityGroupPostgresInbound:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: PostgreSQL internal traffic
      GroupId: !Ref SecurityGroup
      SourceSecurityGroupId: !Ref SecurityGroup
      IpProtocol: tcp
      FromPort: 5432
      ToPort: 5432
  SecurityGroup4000Inbound:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: TCP internal traffic for healthchecks
      GroupId: !Ref SecurityGroup
      SourceSecurityGroupId: !Ref SecurityGroup
      IpProtocol: tcp
      FromPort: 4000
      ToPort: 4000
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: !Ref AWS::StackName
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      NetworkMode: awsvpc
      ExecutionRoleArn: !GetAtt TaskExecutionRole.Arn
      RequiresCompatibilities:
        - EC2
      ContainerDefinitions:
        - Name: !Ref AWS::StackName
          Image: !Ref Image
          Essential: true
          MemoryReservation: 128
          EnvironmentFiles:
            - Type: s3
              Value: !Ref EnvironmentFile
          PortMappings:
            - ContainerPort: 4000
              HostPort: 4000
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref LogGroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: !Ref AWS::StackName
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Name: !Ref AWS::StackName
      Scheme: internet-facing
      Subnets: !Ref SubnetId
      SecurityGroups: [ !Ref SecurityGroup ]
  LoadBalancerHTTPSListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Port: 443
      Protocol: HTTPS
      LoadBalancerArn: !Ref LoadBalancer
      SslPolicy: ELBSecurityPolicy-2016-08
      Certificates:
        - CertificateArn: !Ref Certificate
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup
  LoadBalancerHTTPListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Port: 80
      Protocol: HTTP
      LoadBalancerArn: !Ref LoadBalancer
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Host: "#{host}"
            Port: "443"
            Path: /#{path}
            Query: "#{query}"
            StatusCode: HTTP_301
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    DependsOn: LoadBalancer
    Properties:
      Name: !Ref AWS::StackName
      VpcId: !Ref VpcId
      TargetType: ip
      Protocol: HTTP
      Port: 4000
      HealthCheckPath: /api/index.html
      HealthCheckProtocol: HTTP
      HealthCheckPort: '4000'
      HealthyThresholdCount: 2
      HealthCheckIntervalSeconds: 10
      HealthCheckTimeoutSeconds: 5
      UnhealthyThresholdCount: 2
      Matcher:
        HttpCode: 200-399
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
  AutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      AutoScalingGroupName: !Ref AWS::StackName
      VPCZoneIdentifier: !Ref SubnetId
      DesiredCapacity: !Ref DesiredCapacity
      MaxSize: !Ref MaxSize
      MinSize: "1"
      LaunchTemplate:
        LaunchTemplateId: !Ref LaunchTemplate
        Version: !GetAtt LaunchTemplate.LatestVersionNumber
    CreationPolicy:
      ResourceSignal:
        Timeout: PT15M
    UpdatePolicy:
      AutoScalingReplacingUpdate:
        WillReplace: true
  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: !Ref AWS::StackName
      LaunchTemplateData:
        InstanceType: !Ref InstanceType
        IamInstanceProfile:
          Arn: !GetAtt EC2InstanceProfile.Arn
        SecurityGroupIds:
          - !Ref SecurityGroup
        ImageId: !FindInMap
          - AWSRegionToAMI
          - !Ref AWS::Region
          - AMIID
        UserData: !Base64
          Fn::Join:
            - ""
            - - |
                #!/bin/bash -xe
              - echo ECS_CLUSTER=
              - !Ref Cluster
              - |2
                  >> /etc/ecs/ecs.config
              - |
                yum install -y aws-cfn-bootstrap
              - "/opt/aws/bin/cfn-signal -e $? "
              - "         --stack "
              - !Ref AWS::StackName
              - "         --resource AutoScalingGroup "
              - "         --region "
              - !Ref AWS::Region
              - |+

  Service:
    Type: AWS::ECS::Service
    DependsOn:
      - LoadBalancerHTTPListener
      - LoadBalancerHTTPSListener
    Properties:
      ServiceName: !Ref AWS::StackName
      Cluster: !Ref Cluster
      TaskDefinition: !Ref TaskDefinition
      DesiredCount: 1
      LaunchType: EC2
      SchedulingStrategy: REPLICA
      DeploymentController:
        Type: ECS
      DeploymentConfiguration:
        MaximumPercent: 100
        MinimumHealthyPercent: 0
      LoadBalancers:
        - ContainerName: !Ref AWS::StackName
          TargetGroupArn: !Ref TargetGroup
          ContainerPort: 4000
      NetworkConfiguration:
        AwsvpcConfiguration:
          SecurityGroups: [ !Ref SecurityGroup ]
          Subnets: !Ref SubnetId
  ServiceScalingTarget:
    Type: AWS::ApplicationAutoScaling::ScalableTarget
    Properties:
      ScalableDimension: ecs:service:DesiredCount
      ServiceNamespace: ecs
      MaxCapacity: 2
      MinCapacity: 1
      RoleARN: !GetAtt AutoscalingRole.Arn
      ResourceId: !Join [ "", [ "service", "/", !Ref Cluster, "/", !GetAtt Service.Name ] ]
  ServiceScalingPolicy:
    Type: AWS::ApplicationAutoScaling::ScalingPolicy
    Properties:
      PolicyType: StepScaling
      PolicyName: !Ref AWS::StackName
      ScalingTargetId: !Ref ServiceScalingTarget
      StepScalingPolicyConfiguration:
        AdjustmentType: PercentChangeInCapacity
        MetricAggregationType: Average
        Cooldown: 60
        StepAdjustments:
          - MetricIntervalLowerBound: 0
            ScalingAdjustment: 200
  LoadBalancer500sAlarmScaleUp:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Period: 60
      Threshold: 10
      EvaluationPeriods: 1
      Statistic: Average
      AlarmDescription: Alarm if our ALB generates too many HTTP 500s.
      ComparisonOperator: GreaterThanThreshold
      MetricName: HTTPCode_ELB_5XX_Count
      Namespace: !Join [ "", [ "aws", "/", !Ref AWS::StackName ] ]
      Dimensions:
        - Name: LoadBalancer
          Value: !GetAtt LoadBalancer.LoadBalancerFullName
      AlarmActions:
        - !Ref ServiceScalingPolicy
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - "sts:AssumeRole"
            Principal:
              Service:
                - ec2.amazonaws.com
      Policies:
        - PolicyName: !Join [ "", [ !Ref AWS::StackName, "-ec2-role" ] ]
          PolicyDocument:
            Statement:
              - Effect: Allow
                Resource: "*"
                Action:
                  - "ecs:CreateCluster"
                  - "ecs:DeregisterContainerInstance"
                  - "ecs:DiscoverPollEndpoint"
                  - "ecs:Poll"
                  - "ecs:RegisterContainerInstance"
                  - "ecs:StartTelemetrySession"
                  - "ecs:Submit*"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
  AutoscalingRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - "sts:AssumeRole"
            Principal:
              Service:
                - application-autoscaling.amazonaws.com
      Policies:
        - PolicyName: !Join [ "", [ !Ref AWS::StackName, "-autoscaling-role" ] ]
          PolicyDocument:
            Statement:
              - Effect: Allow
                Resource: "*"
                Action:
                  - "application-autoscaling:*"
                  - "cloudwatch:DescribeAlarms"
                  - "cloudwatch:PutMetricAlarm"
                  - "ecs:DescribeServices"
                  - "ecs:UpdateService"
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref EC2Role
  TaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              Service: ecs-tasks.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
Database:
  Type: AWS::RDS::DBInstance
  Properties:
    DBName: !Ref AWS::StackName
    DBInstanceIdentifier: !Ref AWS::StackName
    DBInstanceClass: !Ref DatabaseType
    MasterUsername: !Ref DatabaseUsername
    MasterUserPassword: !Ref DatabasePassword
    VPCSecurityGroups: [ !Ref SecurityGroup ]
    PubliclyAccessible: false
    EnablePerformanceInsights: false
    BackupRetentionPeriod: 0
    Engine: Postgres
    EngineVersion: '12.5'
    AllocatedStorage: '20'
    StorageType: gp2
    MultiAZ: false
Outputs:
Service:
  Value: !Ref Service
Cluster:
  Value: !Ref Cluster
LoadBalancer:
  Description: LoadBalancer URL
  Value: !GetAtt LoadBalancer.DNSName
TaskDefinition:
  Value: !Ref TaskDefinition
Workflow file
name: Deploy to Amazon ECS

on:
  workflow_dispatch:
    inputs:
      version:
        description: Version to deploy
        default: 'latest'
        required: true

env:
  AWS_REGION: us-east-1
  APP_NAME: rocketpay
  DOMAIN: '*.rocketpay.tk'

defaults:
  run:
    shell: bash

jobs:
  deploy:
    name: Deploy
    runs-on: ubuntu-latest
    environment: deployment
    permissions:
      packages: write
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v1

      - name: Cache Docker layers
        uses: actions/cache@v2
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: ${{ runner.os }}-buildx-

      - name: Build, tag, and push image to Amazon ECR
        id: push-ecr
        uses: docker/build-push-action@v2
        with:
          target: production
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:latest
            ${{ steps.login-ecr.outputs.registry }}/${{ env.APP_NAME }}:${{ github.event.inputs.version }}

      - name: Deploy to Amazon ECS Cluster
        id: deploy-ecs
        uses: aws-actions/aws-cloudformation-github-deploy@v1
        with:
          name: ${{ env.APP_NAME }}
          template: infra.yml
          no-fail-on-empty-changeset: "1"
          parameter-overrides: >-
            VpcId: ${{ secrets.AWS_VPC }},
            SubnetId: ${{ secrets.AWS_SUBNETS }},
            Image: ${{ steps.push-ecr.outputs.digest }},
            EnvironmentFile: ${{ secrets.ENVIRONMENT_FILE }},
            DatabaseUsername: ${{ secrets.DB_USERNAME }},
            DatabasePassword: ${{ secrets.DB_PASSWORD }},
            DomainName: ${{ env.DOMAIN }}


Any kind of help is appreciated.
Thanks in advance

Specifying stack parameters with `parameter-overrides` causes other parameters to revert to their default value

The name parameter-overrides suggests similarity to aws cloudformation deploy --parameter-overrides while this actually functions similarly to aws cloudformation update --parameters, in that CloudFormation will use the default parameter value for stack parameters that were not specified, rather than using the previous value. The documentation for this GitHub Action isn't entirely clear on this either.

The updateStack(...) method in deploy.ts uses the AWS SDK v2 createChangeSet(...) call, of which the AWS SDK documentation has this to say:

Parameters — (Array)
A list of Parameter structures that specify input parameters for the change set. For more information, see the Parameter data type.

  • ParameterKey — (String)
    The key associated with the parameter. If you don't specify a key and value for a particular parameter, CloudFormation uses the default value that's specified in your template.
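
The behaviour described in the issue above, as an added example that is not the action's own code: a pre-deploy check listing the parameters that would silently fall back to template defaults, and a builder that pins them with `UsePreviousValue` (a field of the CloudFormation Parameter structure). The function names and sample parameters are hypothetical and constructed for illustration.

```javascript
// Constructed sample data (not from the page): the template declares three
// parameters, the stack is deployed with values for all of them, and the
// workflow overrides only one.
const TEMPLATE_KEYS = ['Env', 'RepoName', 'LogRetentionDays'];
const DEPLOYED = [
  { ParameterKey: 'Env', ParameterValue: 'prod' },
  { ParameterKey: 'RepoName', ParameterValue: 'billing' },
  { ParameterKey: 'LogRetentionDays', ParameterValue: '365' },
];
const OVERRIDES = [{ ParameterKey: 'RepoName', ParameterValue: 'billing-v2' }];

// Keys that hold a deployed value but are absent from the overrides. Sending
// only the overrides makes CloudFormation fall back to the template default
// for each of these.
function keysThatWouldRevert(deployed, overrides) {
  const overridden = new Set(overrides.map((p) => p.ParameterKey));
  return deployed.map((p) => p.ParameterKey).filter((k) => !overridden.has(k));
}

// Build a Parameters array that pins every unspecified parameter to its
// deployed value. Parameters that are new to the template are left out so the
// template default applies, and are reported back to the caller.
function buildChangeSetParameters(templateKeys, deployed, overrides) {
  const values = new Map(overrides.map((p) => [p.ParameterKey, p.ParameterValue]));
  const unknown = [...values.keys()].filter((k) => !templateKeys.includes(k));
  if (unknown.length > 0) {
    throw new Error(`override not declared in template: ${unknown.join(', ')}`);
  }
  const deployedKeys = new Set(deployed.map((p) => p.ParameterKey));
  const parameters = [];
  const usesTemplateDefault = [];
  for (const key of templateKeys) {
    if (values.has(key)) {
      parameters.push({ ParameterKey: key, ParameterValue: values.get(key) });
    } else if (deployedKeys.has(key)) {
      // Only valid for keys the deployed stack already has a value for.
      parameters.push({ ParameterKey: key, UsePreviousValue: true });
    } else {
      usesTemplateDefault.push(key);
    }
  }
  return { parameters, usesTemplateDefault };
}
```

Running `keysThatWouldRevert` before a deployment makes the revert visible in the job log instead of in production, which matters when the reverted parameter controls something like retention or network exposure.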

Actions is successful but it doesn't apply the changeset

Hello,
We are seeing an issue where the action runs successfully but it doesn't apply the changeset, and therefore the changeset is not deleted - which causes errors in the following deployments:
ChangeSet ****-CS cannot be created due to a mismatch with existing attribute Template
This was quite unclear to debug, but I am positive that the previous run was successful and the changeset wasn't applied, although the CS was successfully created.

      - name: Deploy to AWS CloudFormation
        id: cloudformation_deploy_stacks
        uses: aws-actions/aws-cloudformation-github-deploy@v1
        with:
          name: ${{ matrix.pipelines.stack }}
          template: https://s3.amazonaws.com/${{ env.S3_BUCKET }}/${{ matrix.pipelines.stack }}/cfn-template.packaged.yml
          parameter-overrides: file://${{ matrix.pipelines.path }}/config/config.json
          capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM,CAPABILITY_AUTO_EXPAND

Mistake in documentation for parameter-overrides

In the documentation of parameters for this github action there is a mistake for specifying parameter-overrides from a file. For some reason the documentation suggests the following format: (e.g. file://file://${{ github.workspace }}/variables.json) where the file:// is duplicated, when in fact the following format works: (e.g. file://${{ github.workspace }}/variables.json).

It is very confusing, so it would be good to fix that.

Suggested fix:

description: 'The parameters to override in the stack inputs. You can pass a comma-delimited list or a file URL. Comma-delimited list has each entry formatted as <ParameterName>=<ParameterValue>. A JSON file can be a local file with a "file://" prefix or remote URL (e.g. file://${{ github.workspace }}/variables.json or http://example.com/variables.json). A local file needs to be specified with an absolute path to it. The file should look like: [ { "ParameterKey": "KeyPairName", "ParameterValue": "MyKey" }]'

Reference to the discussed line:

description: 'The parameters to override in the stack inputs. You can pass a comma-delimited list or a file URL. Comma-delimited list has each entry formatted as <ParameterName>=<ParameterValue>. A JSON file can be a local file with a "file://" prefix or remote URL (e.g. file://file://${{ github.workspace }}/variables.json or http://example.com/variables.json). A local file needs to be specified with an absolute path to it. The file should look like: [ { "ParameterKey": "KeyPairName", "ParameterValue": "MyKey" }]'

Error: File URL host must be "localhost" or empty on linux

I am trying to pass in a file for the Parameter Overrides below. When doing it I get:

Error: File URL host must be "localhost" or empty on linux

      - name: Deploy ECR Cloudformation
        uses: aws-actions/aws-cloudformation-github-deploy@v1
        with:
          name: ${{ secrets.ENV_NAME }}-ecr-repos \
          template: ./devops/ecs/ecr_repos.yml
          no-fail-on-empty-changeset: "1"
          region: ${{ env.REGION }}
          parameter-overrides: file://devops/config/cluster/ecr/${{ secrets.ENV_NAME }}.json

Using the AWS CLI works fine:

      - name: ECR Repository Setup
        run: |
          aws cloudformation deploy \
            --capabilities CAPABILITY_NAMED_IAM \
            --template-file ./devops/ecs/ecr_repos.yml \
            --no-fail-on-empty-changeset \
            --stack-name ${{ secrets.ENV_NAME }}-ecr-repos \
            --region ${{ env.REGION }} \
            --parameter-overrides \
            file://devops/config/cluster/ecr/${{ secrets.ENV_NAME }}.json

I am sure I am doing something wrong but I can't figure it out.  I have tried hardcoding an ENV_NAME in case it was an interpolation issue.  

Thanks for any suggestions. 
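
Why the error above appears, as an added example that is not the action's own code: with only two slashes after `file:`, a URL parser reads the first path segment (`devops`) as a host name. `inspectFileSpec` shows the parse; `resolveParameterFile` is a hypothetical helper that resolves such a spec against the workspace and, as an added assumption, rejects any file outside it. POSIX paths and the sample workspace path are assumed.

```javascript
// Show how the WHATWG URL parser (global in Node.js) splits a file URL.
// With only two slashes, the first path segment is parsed as the host.
function inspectFileSpec(spec) {
  const u = new URL(spec);
  return { protocol: u.protocol, host: u.host, pathname: u.pathname };
}

// Hypothetical helper: turn a parameter-overrides file spec into an absolute
// file URL inside the workspace, or throw. Assumes POSIX paths.
function resolveParameterFile(spec, workspace) {
  const prefix = 'file://';
  if (!spec.startsWith(prefix)) {
    throw new Error('not a file spec: treat it as a Key=Value list');
  }
  const root = workspace.replace(/\/+$/, '') + '/';
  const base = new URL('file:///');
  base.pathname = root;

  let rest = spec.slice(prefix.length);
  if (rest.startsWith('localhost/')) rest = rest.slice('localhost'.length);

  // "/abs/path" is already absolute. Anything else was written as a relative
  // path, so resolve it against the workspace instead of letting the first
  // segment become a host name.
  const resolved = rest.startsWith('/')
    ? new URL(prefix + rest)
    : new URL('./' + rest, base);

  // URL resolution collapses "." and ".." segments, but an encoded slash
  // (%2f) survives it, so the check runs on the decoded path as well.
  const path = decodeURIComponent(resolved.pathname);
  const escapes = resolved.host !== '' ||
    !path.startsWith(root) ||
    path.split('/').includes('..');
  if (escapes) {
    throw new Error(`parameter file is outside the workspace: ${spec}`);
  }
  return { href: resolved.href, path };
}
```

In a workflow the same result is obtained by writing the absolute form directly, `file:///${{ github.workspace }}/...`, which is the form the README's own example uses.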

CloudFormation ChangeSet Review

Hi,

We would like to review the CloudFormation ChangeSet and Approve it before deploying it to AWS Account. Can you please let me know if possible to implement this feature?

Show error code / message for cloudformation errors

I was trying to create an S3 BucketPolicy, and the step was hanging for about 7 minutes, and then failed with the following message: Resource is not in the state stackUpdateComplete

Eventually I found cloud trail logs [1] - this showed that this request was failing with AccessDenied due to the deployment user missing s3:PutBucketPolicy and s3:DeleteBucketPolicy permissions.

Could the response from API call be shown in the log? Or possibly just the errorCode / errorMessage properties if they are present?

[1] https://eu-west-2.console.aws.amazon.com/cloudtrail/home
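
One way to surface the underlying error that the issue above asks for, as an added example that is not the action's own code: filter the stack's events down to the current deployment and report the first resource-level failure. It assumes the failure reason is recorded in stack events in the shape DescribeStackEvents returns; the sample events, stack name and reason strings are constructed.

```javascript
function ev(ts, id, type, status, reason) {
  return { Timestamp: ts, LogicalResourceId: id, ResourceType: type,
           ResourceStatus: status, ResourceStatusReason: reason };
}

// Constructed DescribeStackEvents-style records, newest first (not real output).
const STACK = 'demo-stack';
const CFN_STACK = 'AWS::CloudFormation::Stack';
const SAMPLE_EVENTS = [
  ev('2021-06-14T12:05:00Z', STACK, CFN_STACK, 'UPDATE_ROLLBACK_COMPLETE'),
  ev('2021-06-14T12:03:00Z', STACK, CFN_STACK, 'UPDATE_ROLLBACK_IN_PROGRESS',
     'The following resource(s) failed to create: [BucketPolicy, Topic].'),
  ev('2021-06-14T12:02:05Z', 'Topic', 'AWS::SNS::Topic', 'CREATE_FAILED',
     'Resource creation cancelled'),
  ev('2021-06-14T12:02:00Z', 'BucketPolicy', 'AWS::S3::BucketPolicy', 'CREATE_FAILED',
     'API: s3:PutBucketPolicy Access Denied'),
  ev('2021-06-14T12:00:00Z', STACK, CFN_STACK, 'UPDATE_IN_PROGRESS', 'User Initiated'),
  ev('2021-06-13T09:10:00Z', 'Queue', 'AWS::SQS::Queue', 'UPDATE_FAILED',
     'constructed failure from an earlier deployment'),
  ev('2021-06-13T09:00:00Z', STACK, CFN_STACK, 'UPDATE_IN_PROGRESS', 'User Initiated'),
];

// Keep only the events of the most recent create/update, so failures left
// over from earlier deployments are not reported again.
function currentDeploymentEvents(events, stackName) {
  const newestFirst = [...events].sort(
    (a, b) => new Date(b.Timestamp) - new Date(a.Timestamp));
  const start = newestFirst.findIndex((e) =>
    e.ResourceType === CFN_STACK &&
    e.LogicalResourceId === stackName &&
    /^(CREATE|UPDATE)_IN_PROGRESS$/.test(e.ResourceStatus));
  return start === -1 ? newestFirst : newestFirst.slice(0, start + 1);
}

// Resource-level failures of the current deployment, oldest first, so the
// first entry is the likely root cause.
function failureReasons(events, stackName) {
  return currentDeploymentEvents(events, stackName)
    .filter((e) => e.ResourceStatus.endsWith('_FAILED'))
    // Resources cancelled because a sibling failed are a consequence, not a
    // cause (heuristic match on the reason text).
    .filter((e) => !/cancelled/i.test(e.ResourceStatusReason || ''))
    .reverse()
    .map((e) => ({
      resource: e.LogicalResourceId,
      type: e.ResourceType,
      status: e.ResourceStatus,
      reason: e.ResourceStatusReason || '(no reason recorded)',
    }));
}
```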

Invalid input for parameter key file://***.json. Need to specify either usePreviousValue as true or a value for the parameter

When using parameter-overrides and passing in a file, I get the following error:

Invalid input for parameter key file://***/***.json. Need to specify either usePreviousValue as true or a value for the parameter

The job in the workflow looks as follows:

    - name: Deploy to AWS CloudFormation
      uses: aws-actions/aws-cloudformation-github-deploy@v1
      with:
        name: XYXYXYXY
        template: ******.yaml
        parameter-overrides: file://***/***.json
        no-fail-on-empty-changeset: "1"
        capabilities: CAPABILITY_NAMED_IAM
        tags: ${{ env.STACK_TAGS }}

The parameter file has the following format:

[
  {
    "ParameterKey": "Env",
    "ParameterValue": "XYXYXYX"
  },
  {
    "ParameterKey": "RepoName",
    "ParameterValue": "XYXYXYX"
  }
]

We are following the current instructions from actions.yml:

  parameter-overrides:
    description: 'The parameters to override in the stack inputs. You can pass a comma-delimited list or a local JSON file. Comma-delimited list has each entry formatted as <ParameterName>=<ParameterValue>. A local JSON file should be named with "file://" prefix (e.g. file://params.json) and should look like: [ { "ParameterKey": "KeyPairName", "ParameterValue": "MyKey" }]'
    required: false

Can you please give me an example of outputs?

outputs:
  stack-id:
    description: "The id of the deployed stack. In addition, any outputs declared in the deployed CloudFormation stack will also be set as outputs for the action, e.g. if the stack has a stack output named 'foo', this action will also have an output named 'foo'."

I am trying to get my outputs from my CloudFormation stack. (Access Key & Secret Key)
I have searched for a while, but still cannot get it to work.

Unable to set change-set Name

When just creating a change-set (not executing it) by setting no-execute-changeset to 1, the changeset name always defaults to ${Stack-Name}-CS.

Would be nice to implement a changeset-name parameter.

Background:
Currently it is not possible to create multiple change sets on the same stack with this action because there is no way to make change-set names unique and there can't be two change-sets with the same name on one stack.

Feature Request: AWS SAM support

This Action isn't compatible with SAM templates that use a local file path for the CodeUri property of a AWS::Serverless::Function resource.

The CodeUri property states

The function code's Amazon S3 URI, local file path, or FunctionCode object.

If an Amazon S3 URI or FunctionCode object is provided, the Amazon S3 object referenced must be a valid Lambda deployment package.

If a local file path is provided, for the code to be transformed properly the template must go through the workflow that includes the sam deploy or sam package command.

(emphasis added)

Attempting to use this Action with a Serverless transform template that contains a AWS::Serverless::Function resource using a local path for CodeUri results in CloudFormation producing this error during stack creation:

Transform AWS::Serverless-2016-10-31 failed with: Invalid Serverless Application Specification document.
Number of errors found: 1.
Resource with id [MyLambdaFunction] is invalid. 'CodeUri' is not a valid S3 Uri of the form 's3://bucket/key' with optional versionId query parameter.

Somewhat related to #32 and #33.

Since this requires SAM CLI to correctly deploy a stack, this functionality might instead belong in a separate aws-sam-github-deploy action.

Action does not support proxy

The aws-cloudformation-github-deploy github action does not support working behind a proxy server on self-hosted runners. Other AWS Github actions do support working behind a proxy, but this one does not. We need this (and all) AWS Github action to work behind proxies.

We have reviewed the code for this action, and it is missing the HttpsProxyAgent class that is present in other AWS Github actions, like configure-aws-credentials.

v1 tag should track latest v1.x.x release

v1 should point to v1.1.0 (latest release as of today) instead of v1.0.4

This is what others do: https://github.com/aws-actions/amazon-ecr-login/releases/tag/v1, https://github.com/aws-actions/configure-aws-credentials/releases/tag/v1

BTW v1 (v1.0.4) uses Node.js 12 (v1.1.0 uses Node.js 16) so all users get these warnings:

Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/. Please update the following actions to use Node.js 16: aws-actions/aws-cloudformation-github-deploy@v1

The set-output command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Related issues:

Flag to pass on no changes

Currently if we run a CloudFormation configuration that results in no changes, the Github Step will fail. This should be a pass, or at least we should have the option to make it a pass.
As an example my github workflow only runs if there are changes to the cloudformation.yml file, however if someone adds comments to it, that will trigger the step. But as it is only comments it will fail the step as there are no changes, and therefore block the commit.

TemplateURL with Nested Stacks is not updated

I'm getting the following error TemplateURL must be an Amazon S3 URL. whenever I'm using a nested stack.

My root stack looks like this

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Root stack template'
Resources:
  ObjectStorageStack:
    Type: AWS::CloudFormation::Stack
    Properties: 
      TemplateURL: 'object_storage_template.yml'

And nested stack is in file object_storage_template.yml

Resources:
    ObjectBucket:
      Type: AWS::S3::Bucket

I would expect that this deploy action performs packaging and therefore the TemplateURL gets updated.

Is this behavior supported by this action?

'templateBody' failed to satisfy constraint: Member must have length less than or equal to 51200

It seems the solution to it is to upload the template file to S3 and then send it in Deploy action, but we do not want to save it to S3 and rather keep it in the code structure only. Is it possible to do so?

      - name: Deploy
        uses: aws-actions/aws-cloudformation-github-deploy@v1
        with:
          name: ${{ env.STACK_NAME }}
          template: template.yml
          role-arn: ${{ env.DEPLOYMENT_ROLE_ARN }}
          parameter-overrides: file://${{ github.workspace }}/params.${{ env.BRANCH }}.json
          capabilities: CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND
          no-fail-on-empty-changeset: "1"

Minor misleading in README / feature request

The README states that:

The action can be passed a CloudFormation Stack name and a template file. It will create the Stack if it does not exist, or create a Change Set to update the Stack.

However, it always executes the change-set. It is currently not possible to create the change-set to review it prior to executing it.

A great additional feature to this github action would be the support for the --no-execute-changeset aws-cli equivalent option.

Waiter timeout

Working with CloudFront distributions and SSL certificates sometimes takes a few minutes to successfully deploy.
Recently I've been getting the error after around 30 seconds:

Error: {"state":"TIMEOUT","reason":"Waiter has timed out"}

Which I believe is due to the maxWaitTime of 30 seconds passed to:

waitUntilStackChangeSetCreateComplete()
waitUntilStackUpdateComplete()
waitUntilStackCreateComplete()

like so:

{ client: cfn, maxWaitTime: 30, minDelay: 10 }

Does this sound right or do you think the issue lies somewhere else?
