SCEPTRE
ALTERNATIVES ==> # - rain:
# - CLI flags-based, except for PARAMs|TAGs
# - S3 upload: TEMPLATE + assets
# - works with SET
# - with TEMPLATEs: can scaffold, prettify|convert, merge, diff, visualize dependencies, forecast
# - with STACKs: watch, logs
# - sceptre:
# - config file-based
# - S3 upload: TEMPLATE only
# - GROUP of STACKs
# - advanced templating in config|templates
# - can: validate TEMPLATE, diff, drift
# - hooks
# - aws-cfn-control:
# - config file-based, only for PARAMs
# - S3 upload: TEMPLATE only
#CDK includes all of the above features, and more, i.e. is preferred instead
#If not using CDK, preferred:
# - TEMPLATE manipulation (including S3 upload): rain
# - STACK manipulation: sceptre (unless needs SET)
# - STACK watch|logs: rain
ALTERNATIVES FOR DIFF ==> #See cdk diff doc
VERSION ==> #4.3.0 (2023-12-12)
#Installed with pip|Docker
sceptre -U #Update version
GCONFIG.required_version #'>= X.Y[.Z]'. Minimum sceptre version
SUMMARY ==> #Config: [sub-]group, stack
#Permissions: profile, sceptre role, stack role
#Templates location: read (local, HTTP, S3), write (S3)
#Templating: Jinja, Python, ENVVARs, config vars, argv, user vars
#Resolvers:
# - insert: ENVVARs, file, cmd, config vars, STACK OUTPUT, HTTP, KMS, SSM
# - utils: join, split, sub, select, no_value, date, JSON
#Hooks
#Templates: print, validate, estimate-cost
#Stack: launch|create|update, status|outputs|resources, delete|ignore|protect|obsolete, policy
#Changeset: create|update|execute, describe|list, delete
#Diff
#Drift
#Linting
/=+===============================+=\
/ : : \
)==: CLI :==(
\ :_______________________________: /
\=+===============================+=/
sceptre #CLI on top of `aws cloudformation`
--output #text|yaml|json
--no-colour #
--debug #Debug logs
eval
"$(_SCEPTRE_COMPLETE=source[_zsh]
sceptre)" #Add autocompletion for Bash|ZSH
/=+===============================+=\
/ : : \
)==: GITHUB ACTION :==(
\ :_______________________________: /
\=+===============================+=/
Sceptre/github-ci-action@v2 #GitHub action
#Runs `pip install sceptre`
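#Version 2.3.0
#`@v2` is a mutable tag: can be pinned to a full commit SHA instead, so that the code run in CI does not change without review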
INPUTS.sceptre_subcommand #'COMMAND ...'. Runs `sceptre COMMAND ...`
INPUTS.sceptre_directory #'DIR' (def: '.'). cwd of sceptre_subcommand
INPUTS.sceptre_version #STR (def: latest). Setting it avoids picking up a new sceptre release without review
INPUTS.sceptre_plugins #'PACKAGE ...' to install with `pip`
/=+===============================+=\
/ : : \
)==: CONFIG :==(
\ :_______________________________: /
\=+===============================+=/
sceptre --dir #'DIR' (def: '.') used as cwd
/PROJECT/config #/APATH. Top-level GROUP
/APATH/GROUP #/APATH. Child GROUP
/APATH/config.yaml #GCONFIG, i.e. config for a GROUP
#Can also define all SCONFIG.*, targeting all STACKs of this GROUP
# - except for: SCONFIG.template|stack_name
# - SCONFIG.* overrides GCONFIG.*
# - except SCONFIG.dependencies, which is concatenated instead
/APATH/STACK.yaml #SCONFIG, i.e. config for a STACK
GPATH #PATH to GCONFIG, targeting multiple STACKs
SPATH #PATH to SCONFIG, targeting a single STACK
GSPATH #GPATH|SPATH
sceptre new project PROJECT #Creates /PROJECT/config/config.yaml and /PROJECT/templates
sceptre new group GROUP #Creates /PROJECT/config/GROUP/config.yaml
sceptre list stacks GSPATH #Print SCONFIG, before applying templating
sceptre dump config GSPATH #Print SCONFIG, after applying templating
--to-file #Output to .dump/STACK/... instead of stdout
/=+===============================+=\
/ : : \
)==: PERMISSIONS :==(
\ :_______________________________: /
\=+===============================+=/
GCONFIG.profile #'PROFILE' used by the initial user, that calls STS AssumeRole() to SCONFIG.sceptre_role
#Def: guessed from AWS config (see its doc)
SCONFIG.sceptre_role #ROLE_ARN used by `sceptre` when calling CloudFormation API
#Def: none, i.e. uses GCONFIG.profile instead
SCONFIG
.sceptre_role_session_duration #NUM (in secs, def: 1h). STS AssumeRole() DurationSeconds
GCONFIG.region #'REGION'
/=+===============================+=\
/ : : \
)==: TEMPLATES LOCATION :==(
\ :_______________________________: /
\=+===============================+=/
SCONFIG.template #TEMPLATE_HANDLER. Where to read TEMPLATE (not write) for most `sceptre` commands
#Can implement custom one with Python logic (not documented yet)
TEMPLATE_HANDLER.type #'path|s3|http'
TEMPLATE_HANDLER.path #Location of TEMPLATE.EXT. With type:
# - 'path': 'PATH', usually /PROJECT/templates/STACK.EXT
# - 's3': 'BUCKET/OBJECT'
TEMPLATE_HANDLER.url #'URL'. Location of TEMPLATE.EXT with type 'http'
GCONFIG
.http_template_handler.retries #NUM (def: 5) of retries, with type 'http'
GCONFIG
.http_template_handler.timeout #NUM (in secs, def: 5) timeout, with type 'http'
GCONFIG.template_bucket_name #'BUCKET' where to upload TEMPLATEs during `sceptre launch|create|update` and `sceptre validate|estimate-cost`
#Takes the local TEMPLATE, uploads it to S3, then uses STACK|CHANGESET.TemplateURL
# - i.e. similar to `aws cloudformation package` on STACK.TemplateURL
#Stored as S3 OBJECT '[PREFIX/]REGION/GROUP/STACK-YYYY-MM-DD-HH-MM-SS-SSSZ.json|yaml'
GCONFIG.template_key_prefix #'PREFIX' to S3 OBJECT with uploaded TEMPLATE
sceptre dump template GSPATH
sceptre generate GSPATH #Print local TEMPLATE, after applying templating
--to-file #Like sceptre dump config
sceptre dump all GSPATH #Combines both sceptre dump config|template
sceptre fetch-remote-template PATH#GetTemplate(), i.e. output the TEMPLATE currently in CloudFormation
sceptre-cdk-handler ##TEMPLATE_HANDLER allowing to use CDK
##type is 'cdk', path is APP file or 'cdk.json'
##Runs `cdk-assets` CLI (must be installed) instead of `cdk deploy`
##Only with Python
##CSTACKs must inherit from SceptreCdkStack
##Overall, it is quite hacky. When using CDK, should just not use sceptre
##Version 2.1.0
/=+===============================+=\
/ : : \
)==: TEMPLATING :==(
\ :_______________________________: /
\=+===============================+=/
JINJA TEMPLATING ==> #Can be used in:
# - GCONFIG|SCONFIG: to YAML
# - TEMPLATE.j2: to JSON|YAML
#As opposed to TEMPLATE.json|yaml:
# - no Jinja templating
# - should try to use CloudFormation RFUNC and PARAMs instead, when possible
#Jinja syntax includes:
# - {{ TVAR }}
# - {{ TVAR | default('...') }}
## - {{ TVAR | unquote_resolvers(ARG=VAL,...) }}
## - when TVAR contains !RFUNCs
## - pip package jinja-unquote-resolvers-filter (version 2023-04-27)
## - must be installed as GCONFIG.j2_environment.extensions ['jinja_unquote_resolvers_filter.UnquoteResolversFilterExtension']
## - ARGs: indent NUM (def: 2), output_indent NUM (def: 0), trim BOOL (def: false)
GCONFIG.j2_environment #OBJ. Jinja configuration. Not documented yet
TEMPLATE.py #Alternative to Jinja templating, using Python FUNC instead
#Must be sceptre_handler()->'TEMPLATE_JSON|YAML'
TVAR #Template variables to use in Jinja templating
TVAR environment_variable.ENVVAR #VAL
TVAR [stack_group_config.]VARR #GCONFIG|SCONFIG.VARR. Of parent config files only, not current one
TVAR command_path.NUM #Additional arguments passed to `sceptre ...`
sceptre
--var-file #'PATH' with YAML OBJ, set as TVAR `var`
--var #Same as 'VARR=VAL'
--merge-vars #If two --var[-file] specify same VARR, deep merge instead of overwriting
SCONFIG.sceptre_user_data #OBJ set as TVAR `sceptre_user_data`
#Also passed as argument to TEMPLATE.py sceptre_handler()
/=+===============================+=\
/ : : \
)==: RESOLVERS :==(
\ :_______________________________: /
\=+===============================+=/
!RFUNC VAL #Similar to CloudFormation RFUNC, but for GCONFIG|SCONFIG
#Only for:
# - values of GCONFIG: template_bucket_name
# - values of SCONFIG: template|ignore|notifications|role_arn|*_role|sceptre_user_data|stack_tags
# - OBJ values of SCONFIG.parameters
#Multiple ARGs: must be an ARR
#Performed after Jinja templating
#Can implement custom RFUNCs with Python logic (not documented yet)
sceptre validate|diff
|dump template
--no-placeholders|-n #Unless specified, if !RFUNC cannot be resolved, it is substituted with '!RFUNC(ARG)'
#This happens for example with !stack_output SPATH::OUTPUT:
# - `sceptre launch|create|update|delete` operate on the other STACK first, i.e. resolve it correctly
# - but `sceptre diff|validate|generate` do not, i.e. would fail
!environment_variable ENVVAR #VAL
!file PATH|URL #File contents
#If .json|y[a]ml, injected as VAL, otherwise as STR
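!rcmd SHELL_COMMAND #Runs in /bin/bash
#I.e. resolving a config file executes commands locally, as the user calling `sceptre`: GCONFIG|SCONFIG must be reviewed like code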
!join DELIM STR... #STR.join(DELIM)
!split DELIM STR #STR.split(DELIM)
!sub STR OBJ #Replace {VAR} in STR by OBJ.VAR
#Should prefer Jinja templating most of the time
!select NUM VAL... #ARR[NUM]. NUM can be negative
!no_value #undefined
!stack_attr VARR #Like TVAR stack_group_config.VARR, but as an RFUNC
!stack_output SPATH::OUTPUT #STACK OUTPUT, resolved locally
#Cannot be used if other STACK has SCONFIG.stack_name defined
# - should use !stack_output_external + SCONFIG.dependencies ['STACK'] instead
!stack_output_external #STACK OUTPUT, resolved by calling CloudFormation
STACK::OUTPUT [PROFILE] #Can specify PROFILE, if STACK is in a different ACCOUNT|REGION
!date [STR] ##Current time. STR is Python format (def: 'YYYY-MM-DD HH:MM:SS')
##pip package sceptre-date-resolver (version 2022-12-13)
!to_json [VAL] ##JSON.serialize(VAL)->STR
!from_json [STR] ##JSON.parse(STR)->VAL
##pip package sceptre-json-resolver (version 2023-04-18)
!request 'URL'|OBJ ##HTTP request
##pip package sceptre-json-resolver (version 2023-04-05)
OBJ.url ##'URL'
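OBJ.user|password ##STR. Should be injected (e.g. Jinja `{{ environment_variable.ENVVAR }}`) rather than committed as plaintext in SCONFIG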
OBJ.auth ##'basic', for HTTP basic auth
!kms STR ##KMS Decrypt() with CiphertextBlob STR (after base64 decode)
##pip package sceptre-kms-resolver (version 2023-03-07)
!ssm '/PATH'|OBJ ##AWS SSM GetParameter()
##pip package sceptre-ssm-resolver (version 2022-03-07)
OBJ.name ##'/PATH' Name. Uses WithDecryption true
OBJ.profile ##'PROFILE'
OBJ.region ##'REGION'
/=+===============================+=\
/ : : \
)==: HOOKS :==(
\ :_______________________________: /
\=+===============================+=/
SCONFIG.hooks.before|after_EVENT #!CTYPE ARGS...
#Runs CTYPE(ARGS...) before|after EVENT (triggered by `sceptre` CLI command)
#EVENT can be:
# - create|update|delete: of a STACK
# - create_change_set: of a CHANGESET
# - launch|validate|diff|drift_detect|drift_show: `sceptre EVENT`
# - dump_template|generate: `sceptre diff|generate|dump template`
#Following !CTYPE are available
# - can also implement custom one with Python logic (not documented yet)
!cmd SHELL_COMMAND|OBJ #OBJ:
# - run 'SHELL_COMMAND'
# - shell 'COMMAND|PATH' (def: /bin/sh on Unix, cmd.exe on Windows)
#Runs locally as the user calling `sceptre`, i.e. SCONFIG.hooks must be reviewed like code
!asg_scaling_processes
suspend|resume::STR #AutoScaling Suspend|ResumeProcesses() with ScalingProcesses STR
/=+===============================+=\
/ : : \
)==: TEMPLATE :==(
\ :_______________________________: /
\=+===============================+=/
sceptre validate GSPATH #ValidateTemplate()
sceptre estimate-cost GSPATH #EstimateTemplateCost(), opening a browser
/=+===============================+=\
/ : : \
)==: GROUP :==(
\ :_______________________________: /
\=+===============================+=/
GROUP #Group of STACKs deployed together in the same ACCOUNT|REGION
#As opposed to a SET, which is a single STACK deployed on multiple ACCOUNTs|REGIONs
SCONFIG.dependencies #'STACK'_ARR to build first
#Automatically done when using !stack_output
sceptre --ignore-dependencies #Ignore STACK dependencies
/=+===============================+=\
/ : : \
)==: STACK :==(
\ :_______________________________: /
\=+===============================+=/
SCONFIG.stack_name #STR. STACK.StackName
GCONFIG.project_code #STR, prefixed to the StackName of all STACKs in the GROUP
SCONFIG.parameters #OBJ of PARAMVALs. STACK|CHANGESET.Parameters
SCONFIG
.cloudformation_service_role #ROLE_ARN. STACK|CHANGESET.RoleARN
SCONFIG.notifications #SNS_TOPIC_ARN_ARR. STACK|CHANGESET.NotificationARNs
SCONFIG.stack_tags #OBJ. STACK|CHANGESET.Tags
SCONFIG.disable_rollback #BOOL (def: false). STACK.DisableRollback
SCONFIG.on_failure #STR (def: 'ROLLBACK'). STACK.OnFailure
SCONFIG.stack_timeout #NUM (def: none). STACK.TimeoutInMinutes
sceptre launch|create|update
|execute|delete|prune
--yes|-y #No CLI interactive input
--disable|enable-rollback #STACK|CHANGESET.DisableRollback BOOL (def: false)
SCONFIG.protected #BOOL (def: false). Forbid `sceptre launch|create|update|execute|delete|prune`
sceptre launch GSPATH #Upserts STACK, i.e. like `sceptre create|update`
sceptre create GSPATH #CreateStack()
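#Uses STACK|CHANGESET.Capabilities ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"]
#I.e. no additional opt-in before a TEMPLATE creates IAM RESOURCEs or expands macros: what a STACK can do is only limited by SCONFIG.cloudformation_service_role (or the caller's permissions)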
sceptre update GSPATH #UpdateStack()
sceptre status GSPATH #Print STACK.StackStatus (using DescribeStacks())
sceptre list outputs GSPATH #Print STACK.Outputs (using DescribeStacks())
--export|-e #How to print, among:
# - default: flat
# - envvar: export SCEPTRE_{OUTPUT}=VAL
# - stackoutput[external]: !stack_output[_external] STACK.yaml::OUTPUT [VAL]
sceptre list resources GSPATH #DescribeStackResources()
sceptre delete GSPATH #DeleteStack()
SCONFIG.ignore #BOOL (def: false). Make `sceptre launch` ignore STACK
sceptre diff --all|-a #Include STACKs that are ignored or obsolete
SCONFIG.obsolete #BOOL (def: false). Like SCONFIG.ignore but also make `prune` delete STACK
#Meant to delete STACKs in a CI flow
sceptre prune [GSPATH]
sceptre launch --prune|-p #DeleteStack() if SCONFIG.obsolete true
/=+===============================+=\
/ : : \
)==: CHANGESET :==(
\ :_______________________________: /
\=+===============================+=/
sceptre create GSPATH CHANGESET #CreateChangeSet()
#Use same Capabilities as above
sceptre update
--change-set|-c #CreateChangeSet(), then confirmation (DescribeChangeSet()), then ExecuteChangeSet()
--verbose|-v #Show raw response of DescribeChangeSet() instead of simplified
sceptre describe change-set
GSPATH CHANGESET #DescribeChangeSet()
--verbose|-v #Raw response instead of simplified
sceptre list change-sets GSPATH #ListChangeSets()
--url|-U #Print as URLs to AWS UI
sceptre execute GSPATH CHANGESET #ExecuteChangeSet()
sceptre delete GSPATH CHANGESET #DeleteChangeSet()
/=+===============================+=\
/ : : \
)==: STACK POLICY :==(
\ :_______________________________: /
\=+===============================+=/
sceptre set-policy
GSPATH POLICY_PATH #SetStackPolicy()
--built-in|-b #'allow-all|deny-all'. Instead of POLICY_PATH, use built-in one
#With STATEMENT: Effect 'Allow|Deny', Action 'Update:*', Principal '*', Resource '*'
sceptre describe policy GSPATH #GetStackPolicy()
/=+===============================+=\
/ : : \
)==: DIFF :==(
\ :_______________________________: /
\=+===============================+=/
sceptre diff GSPATH #Diff between:
# - local|deployed TEMPLATEs
# - SCONFIG.* and STACK.*
# - only parameters|notifications|cloudformation_service_role|stack_tags
#I.e. not meant for drift, but for changes not committed yet
--type|-t #How to diff:
# - deepdiff (def): recursive comparison
# - difflib: more traditional `diff`
--show-no-echo|-s #Whether to display NoEcho PARAMs
#Always false for PARAMs retrieved from CloudFormation, i.e. only for PARAMs specified locally
#Prints those values in cleartext, i.e. should be left unset when output is logged (e.g. in CI)
/=+===============================+=\
/ : : \
)==: DRIFT :==(
\ :_______________________________: /
\=+===============================+=/
sceptre drift detect GSPATH #DetectStackDrift()
#5 minutes timeout
sceptre drift show GSPATH #DetectStackDrift() + DescribeStackResourceDrifts()
#5 minutes timeout
--drifted|-D #Only show RESOURCEs not IN_SYNC
/=+===============================+=\
/ : : \
)==: LINTING :==(
\ :_______________________________: /
\=+===============================+=/
sceptrelint #Lint GCONFIG|SCONFIG. Collection of different binaries
#Installed with pip
#Version 2023-03-10
check_file_names GSPATH #SCONFIG.stack_name is same as filename
check_stack_names GSPATH #SCONFIG.stack_name is [[:alnum:]], max 128 chars
check_stack_tags GSPATH
--tag|-t TAG #SCONFIG.stack_tags.TAG exists
check_stack_tag-values GSPATH
--tag|-t TAG #SCONFIG.stack_tags.TAG exists
--file|-f PATH #Valid values for any SCONFIG.stack_tags.TAG
--exclude|-e STR #Invalid value for any SCONFIG.stack_tags.TAG
--tag|-t TAG #SCONFIG.stack_tags.TAG exists