I use Sceptre to manage AWS infrastructure, but not always in a CI/CD pipeline. Sometimes updates are manual. In that case, the engineer will set the environment variables corresponding to the AWS account (usually there are three accounts per project, dev-pre-pro), and in the project folder execute something like sceptre launch pre.
A problem appears when the AWS account in the environment is not actually the right account, for example executing sceptre launch pre when the environment keys are for the dev project. While of course people shouldn't mess up, and usually any mistakes are caught by warnings, I would like to prevent errors, and I think the best way would be to explicitly set an account number in the configuration and have sceptre check in some pre-hook that it is actually accessing that account before attempting any modification.
How would that best be done? I know how to identify the account number using plain boto commands; can I simply put some plain Python pre-hook that would get the account keys from the environment, the expected account number from a sceptre parameter, and abort on any discrepancy, or is there a better way?

There is provision for hooks with sceptre templates as well. See: hook-docs
You can either run an aws-cli command with a hook, like below:

    template:
      path: vpc-sample.yaml
      type: file
    parameters:
      CidrBlock: ...
    hooks:
      before_launch:
        - !cmd "aws configure get region"
        - !cmd ...

Or if you want to do a bit more, you can try creating a custom hook. Ref: custom-hooks
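
A sketch of the custom-hook route for the account check the question asks about, added here as an example and not taken from the answer or from Sceptre itself. The names `AccountGuard`, `check_account` and `WrongAccountError` are hypothetical, the sample identity is constructed, and the hook assumes its stack exposes `connection_manager.call` for the STS `get_caller_identity` request.

```python
import re

try:
    from sceptre.hooks import Hook
except ImportError:  # lets the check itself be exercised without Sceptre installed
    Hook = object


class WrongAccountError(RuntimeError):
    """Raised when the active credentials belong to an unexpected account."""


def check_account(expected, identity):
    """Compare the configured account ID with an STS GetCallerIdentity response.

    Returns the caller ARN on a match; raises otherwise (fails closed).
    """
    expected = str(expected)
    # Account IDs are 12 digits and may start with 0; an unquoted YAML value
    # parsed as an integer loses leading zeros and is rejected here.
    if not re.fullmatch(r"\d{12}", expected):
        raise ValueError(f"expected account ID must be 12 digits, got {expected!r}")
    actual = str(identity.get("Account", ""))
    if actual != expected:
        raise WrongAccountError(
            f"credentials resolve to account {actual or 'unknown'} "
            f"({identity.get('Arn', 'no ARN')}), stack expects {expected}"
        )
    return identity.get("Arn")


class AccountGuard(Hook):
    """Hypothetical custom hook: an exception from run() aborts the command."""

    def run(self):
        # Ask STS through Sceptre's connection manager rather than a separate
        # boto3 session, so the check sees the credentials Sceptre resolves.
        identity = self.stack.connection_manager.call(
            service="sts", command="get_caller_identity"
        )
        check_account(self.argument, identity)


# Constructed sample response, shaped like STS GetCallerIdentity output.
SAMPLE_IDENTITY = {
    "UserId": "AIDAEXAMPLEEXAMPLE",
    "Account": "111111111111",
    "Arn": "arn:aws:iam::111111111111:user/example-engineer",
}
```

Once registered as a custom hook under a tag of your choosing, it would be listed under the stack's hooks with the expected account ID as its argument; quote the ID in YAML so it stays a 12-digit string.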