YAML Anchors and Passing Variables

image: amazon/aws-cli:2.3.3

definitions:
  steps:
    - script: &setup-creds
        name: Setup role credentials for bitbucket pipeline and set secrets for use
        script:
          - echo "Installing jq ..."
          - yum install -y jq
          - echo "Setup credentials to assume role"
          - export AWS_ACCESS_KEY_ID=$aws_key
          - export AWS_SECRET_ACCESS_KEY=$aws_secret
          - export AWS_DEFAULT_REGION=$default_region
          - echo "Assuming role for deployment..."
          - ROLE_CREDENTIALS=$(aws sts assume-role --role-arn arn:aws:iam::$AWS_ACCOUNT_SYDNEY_PRE_PROD:role/BitbucketDeployerRole --role-session-name bitbucketSession)
          - if [ -z "$ROLE_CREDENTIALS" ]; then echo "Error assuming role"; exit 1; fi
          - export ROLE_CREDENTIALS=$(cat role_credentials.json)
          - export AWS_ACCESS_KEY_ID=$(echo $ROLE_CREDENTIALS | jq -r '.Credentials.AccessKeyId')
          - export AWS_SECRET_ACCESS_KEY=$(echo $ROLE_CREDENTIALS | jq -r '.Credentials.SecretAccessKey')
          - export AWS_SESSION_TOKEN=$(echo $ROLE_CREDENTIALS | jq -r '.Credentials.SessionToken')
          - aws secretsmanager create-secret --name bitb_access_key_id --secret-string $AWS_ACCESS_KEY_ID || aws secretsmanager update-secret --secret-id bitb_access_key_id --secret-string $AWS_ACCESS_KEY_ID
          - aws secretsmanager create-secret --name bitb_secret_access_key --secret-string $AWS_SECRET_ACCESS_KEY || aws secretsmanager update-secret --secret-id bitb_secret_access_key --secret-string $AWS_SECRET_ACCESS_KEY
          - aws secretsmanager create-secret --name bitb_session_token --secret-string $AWS_SESSION_TOKEN || aws secretsmanager update-secret --secret-id bitb_session_token --secret-string $AWS_SESSION_TOKEN
    - script: &upload-template
      - name: Upload Cloudformation pre-Signed Template to S3
      - script:
          - export AWS_ACCESS_KEY_ID=$(aws secretsmanager get-secret-value --secret-id bitb_access_key_id --query SecretString --output text)
          - export AWS_SECRET_ACCESS_KEY=$(aws secretsmanager get-secret-value --secret-id bitb_secret_access_key --query SecretString --output text)
          - export AWS_SESSION_TOKEN=$(aws secretsmanager get-secret-value --secret-id bitb_session_token --query SecretString --output text)
          - export AWS_DEFAULT_REGION=$default_region
          - echo "Uploading CloudFormation template to S3..."
          - aws s3 cp $TEMPLATE_FILE s3://$BITBUCKET_DEPLOYMENT_BUCKET_SYD/$TEMPLATE_FILE
          - TEMPLATE_URL=$(aws s3 presign s3://$BITBUCKET_DEPLOYMENT_BUCKET_SYD/$TEMPLATE_FILE --expires-in 3600)
          - aws secretsmanager create-secret --name TEMPLATE_URL --secret-string $TEMPLATE_URL || aws secretsmanager update-secret --secret-id TEMPLATE_URL --secret-string $TEMPLATE_URL
    - script: &validate-template
        name: Validate Cloudformation pre-Signed Template to S3
        script:
          - export AWS_ACCESS_KEY_ID=$(aws secretsmanager get-secret-value --secret-id bitb_access_key_id --query SecretString --output text)
          - export AWS_SECRET_ACCESS_KEY=$(aws secretsmanager get-secret-value --secret-id bitb_secret_access_key --query SecretString --output text)
          - export AWS_SESSION_TOKEN=$(aws secretsmanager get-secret-value --secret-id bitb_session_token --query SecretString --output text)
          - export AWS_DEFAULT_REGION=$default_region
          - export TEMPLATE_URL=$(aws secretsmanager get-secret-value --secret-id TEMPLATE_URL --query SecretString --output text)
          - echo "Validating CloudFormation template for Platform Foundation..."
          - aws cloudformation validate-template --template-url $TEMPLATE_URL
pipelines:
  tags:
    # Trigger for tags matching "platform-foundation*"
    "platform-foundation*":
      - step: *setup-creds
      - step: *upload-template
        script:
          - export TEMPLATE_FILE='cloudformation/platform-foundation.cfn.yaml'