Motivation

When dynamic references (like {{resolve:secretsmanager:secret-id:secret-string:json-key::}}) return backslashes, they are currently not handled correctly. Mainly, they are interpreted by re.sub, and used to escape characters (or reference sections of the regex match).

The python documentation says this about this topic:

repl can be a string or a function; if it is a string, any backslash escapes in it are processed. That is, \n is converted to a single newline character, \r is converted to a carriage return, and so forth. Unknown escapes of ASCII letters are reserved for future use and treated as errors. Other unknown escapes such as & are left alone. Backreferences, such as \6, are replaced with the substring matched by group 6 in the pattern.

This leads to issues if the secret contains one or multiple backslashes, leading either to escape errors (bad escape \<something> at position <something> or changed values (\\ -> \, \& -> &).

This can lead to significant, but hard to debug issues.

The change replaces the string with a function returning a string, as the backslashes are not processed:

If repl is a function, it is called for every non-overlapping occurrence of pattern. The function takes a single Match argument, and returns the replacement string.

Changes

• dynamic references referencing secrets or parameters with backslashes should now work correctly.
• Added test
• The information for the new cloudformation engine contained an invalid provider name (legacy instead of engine-legacy).