External Values
Referencing values from external integration sources.
In addition to setting internal parameter values directly within CloudTruth, parameters can also be created with external values that reference CloudTruth external integration sources. External values can be used as overrides in any CloudTruth environment and parameters can contain a mix of external and internal values.
First, setup CloudTruth integrations from your desired source.
Source Setup
When creating or editing a parameter value, select the External value type.
You are now presented with an external value screen for setting integration source values. The Location window will display your configured integration sources. In the example below we have both an AWS and GitHub integration.
Depending on the source integration you will set an external value by selecting a key or querying a file for a key stored in your integration source file. We use the JMESPath query language.
External Selection
JMESPath Query
Key Selection
String; StringList; SecureString
Key Selection
AWS secrets
JMESPath Query
Key Selection
This example uses SSM to select a key TF_VAR_availability_zone_names which sets the CloudTruth value to ["us-west-2a", "us-west-2b"].

JMESPath File queries

For integrations like AWS S3 and GitHub we use a JMESPath selector to query for a specific key from a supported file type to reference the external value. The following file types are supported:
  • JSON
  • XML
  • YAML
  • dotenv
  • tfstate
The following example uses a JMESpath selector timeout to set the externally referenced value of 500 from the JSON content in the integration into to our CloudTruth parameter. You can test your reference by clicking "See Value" in order to display the contents of the Referenced Value. If the JMESPath selector does not return a valid result, error details will be displayed.
JMESPath with JSON

JMESPath with XML

XML with or without node attributes can be searched with JMESPath, however the expression can be a bit tricky. Consider the following simple XML content:
<Project name="chuck">
<Parameter name="sam">dean</Parameter>
<Parameter name="rowena">castiel</Parameter>
A JMESPath query for Data.Super would give you the value Natural.
A JMESPath query for Data.Project.Parameter[?"@name"==`rowena`]."#text" | [0] would give you the value castiel. Let's break that down:
  1. 1.
    Data.Project inspects each "Project", creating an array.
  2. 2.
    Parameter[?"@name"==`rowena`] searches the array for a Parameter entry with a name attribute set to rowena.
  3. 3.
    "#text" extracts the textual content of that node.
  4. 4.
    | [0] takes the resulting array matches (from step 1), filtered by step 2 and returns the first one. Without this, the result is ['castiel'].

Secrets with External values

When refencing values from AWS Secrets Manager or Secure Strings from SSM the CloudTruth parameter must be marked as a secret in order to reference the secret value. If the CloudTruth Parameter is not marked as a secret the values will be locked.
Since AWS Secrets manager values are always secure, secrets manager is locked at the top level.
AWS Parameter store will intelligently only lock Secure String values.
Last modified 2mo ago