Change references to ="$(expression)" from =$(expression) in scripts

app/db-migrate

@@ -8,7 +8,7 @@
 
 set -euo pipefail
 
-export PGPASSWORD=$(aws rds generate-db-auth-token --hostname=$DB_HOST --port=$DB_PORT --username=$DB_USER)
+export PGPASSWORD="$(aws rds generate-db-auth-token --hostname=$DB_HOST --port=$DB_PORT --username=$DB_USER)"
 echo "Running migrations"
 echo "  DB_HOST=$DB_HOST"
 echo "  DB_PORT=$DB_PORT"

bin/account-ids-by-name

@@ -7,13 +7,13 @@ set -euo pipefail
 # We use script dir to make this script agnostic to where it's called from.
 # This is needed since this script its called from infra/<app>/build-repository
 # in an external data source
-script_dir=$(dirname "$0")
+script_dir="$(dirname "$0")"
 
 key_value_pairs=()
-backend_config_file_paths=$(ls -1 "${script_dir}"/../infra/accounts/*.*.s3.tfbackend)
+backend_config_file_paths="$(ls -1 "${script_dir}"/../infra/accounts/*.*.s3.tfbackend)"
 
 for backend_config_file_path in ${backend_config_file_paths}; do
-  backend_config_file=$(basename "${backend_config_file_path}")
+  backend_config_file="$(basename "${backend_config_file_path}")"
   backend_config_name="${backend_config_file/.s3.tfbackend/}"
   IFS='.' read -r account_name account_id <<< "${backend_config_name}"
   key_value_pairs+=("\"${account_name}\":\"${account_id}\"")

bin/check-database-roles

@@ -17,8 +17,8 @@ environment="$2"
 terraform -chdir="infra/${app_name}/app-config" init > /dev/null
 terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null
 ./bin/terraform-init "infra/${app_name}/database" "${environment}"
-db_role_manager_function_name=$(terraform -chdir="infra/${app_name}/database" output -raw role_manager_function_name)
-db_config=$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.database_config")
+db_role_manager_function_name="$(terraform -chdir="infra/${app_name}/database" output -raw role_manager_function_name)"
+db_config="$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.database_config")"
 payload="{\"action\":\"check\",\"config\":${db_config}}"
 
 echo "======================="
@@ -31,13 +31,13 @@ echo
 echo "Invoking Lambda function: ${db_role_manager_function_name}"
 echo "  Payload: ${payload}"
 echo
-cli_response=$(aws lambda invoke \
+cli_response="$(aws lambda invoke \
   --function-name "${db_role_manager_function_name}" \
   --no-cli-pager \
   --log-type Tail \
   --payload "$(echo -n "${payload}" | base64)" \
   --output json \
-  response.json)
+  response.json)"
 
 # Print logs out (they are returned base64 encoded)
 echo "${cli_response}" | jq -r '.LogResult' | base64 --decode
@@ -47,7 +47,7 @@ cat response.json
 rm response.json
 
 # Exit with nonzero status if function failed
-function_error=$(echo "${cli_response}" | jq -r '.FunctionError')
+function_error="$(echo "${cli_response}" | jq -r '.FunctionError')"
 if [ "${function_error}" != "null" ]; then
   exit 1
 fi

bin/check-github-actions-auth

@@ -12,9 +12,9 @@ account_name="$1"
 
 # This is used later to determine the run id of the workflow run
 # See comment below about "Getting workflow run id"
-prev_run_create_time=$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json createdAt --jq ".[].createdAt")
+prev_run_create_time="$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json createdAt --jq ".[].createdAt")"
 
-code_repository=$(terraform -chdir="infra/project-config" output --raw code_repository)
+code_repository="$(terraform -chdir="infra/project-config" output --raw code_repository)"
 
 echo "========================="
 echo "Check GitHub Actions Auth"
@@ -28,17 +28,17 @@ echo "::group::AWS account authentication details"
 
 terraform -chdir="infra/project-config" init > /dev/null
 terraform -chdir="infra/project-config" apply -auto-approve > /dev/null
-aws_region=$(terraform -chdir="infra/project-config" output -raw default_region)
+aws_region="$(terraform -chdir="infra/project-config" output -raw default_region)"
 echo "aws_region=${aws_region}"
-github_actions_role_name=$(terraform -chdir="infra/project-config" output -raw github_actions_role_name)
+github_actions_role_name="$(terraform -chdir="infra/project-config" output -raw github_actions_role_name)"
 echo "github_actions_role_name=${github_actions_role_name}"
 
 # Get the account id associated with the account name extracting the
 # account_id part of the tfbackend file name which looks like
 # <account_name>.<account_id>.s3.tfbackend.
 # The cut command splits the string with period as the delimiter and
 # extracts the second field.
-account_id=$(find "infra/accounts/${account_name}."*.s3.tfbackend | cut -d. -f2)
+account_id="$(find "infra/accounts/${account_name}."*.s3.tfbackend | cut -d. -f2)"
 echo "account_id=${account_id}"
 
 aws_role_to_assume="arn:aws:iam::${account_id}:role/${github_actions_role_name}"
@@ -76,13 +76,13 @@ echo "Previous workflow run created at ${prev_run_create_time}"
 echo "Check workflow run create time until we find a newer workflow run"
 while : ; do
   echo -n "."
-  run_create_time=$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json createdAt --jq ".[].createdAt")
+  run_create_time="$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json createdAt --jq ".[].createdAt")"
   [[ "${run_create_time}" > "${prev_run_create_time}" ]] && break
 done
 echo "Found newer workflow run created at ${run_create_time}"
 
 echo "Get id of workflow run"
-workflow_run_id=$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json databaseId --jq ".[].databaseId")
+workflow_run_id="$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json databaseId --jq ".[].databaseId")"
 echo "Workflow run id: ${workflow_run_id}"
 
 workflow_run_url="https://github.com/${code_repository}/actions/runs/${workflow_run_id}"

bin/configure-monitoring-secret

@@ -19,13 +19,13 @@ integration_endpoint_url="$3"
 terraform -chdir="infra/${app_name}/app-config" init > /dev/null
 terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null
 
-has_incident_management_service=$(terraform -chdir="infra/${app_name}/app-config" output -raw has_incident_management_service)
+has_incident_management_service="$(terraform -chdir="infra/${app_name}/app-config" output -raw has_incident_management_service)"
 if [ "${has_incident_management_service}" = "false" ]; then
   echo "Application does not have incident management service, no secret to create"
   exit 0
 fi
 
-secret_name=$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.incident_management_service_integration.integration_url_param_name")
+secret_name="$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.incident_management_service_integration.integration_url_param_name")"
 
 echo "====================="
 echo "Setting up SSM secret"

bin/create-or-update-database-roles

@@ -19,8 +19,8 @@ environment="$2"
 terraform -chdir="infra/${app_name}/app-config" init > /dev/null
 terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null
 ./bin/terraform-init "infra/${app_name}/database" "${environment}"
-db_role_manager_function_name=$(terraform -chdir="infra/${app_name}/database" output -raw role_manager_function_name)
-db_config=$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.database_config")
+db_role_manager_function_name="$(terraform -chdir="infra/${app_name}/database" output -raw role_manager_function_name)"
+db_config="$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.database_config")"
 payload="{\"action\":\"manage\",\"config\":${db_config}}"
 
 echo "================================"
@@ -33,13 +33,13 @@ echo
 echo "Invoking Lambda function: ${db_role_manager_function_name}"
 echo "  Payload: ${payload}"
 echo
-cli_response=$(aws lambda invoke \
+cli_response="$(aws lambda invoke \
   --function-name "${db_role_manager_function_name}" \
   --no-cli-pager \
   --log-type Tail \
   --payload "$(echo -n "${payload}" | base64)" \
   --output json \
-  response.json)
+  response.json)"
 
 # Print logs out (they are returned base64 encoded)
 echo "${cli_response}" | jq -r '.LogResult' | base64 --decode
@@ -49,7 +49,7 @@ cat response.json
 rm response.json
 
 # Exit with nonzero status if function failed
-function_error=$(echo "${cli_response}" | jq -r '.FunctionError')
+function_error="$(echo "${cli_response}" | jq -r '.FunctionError')"
 if [ "${function_error}" != "null" ]; then
   exit 1
 fi

bin/create-tfbackend

@@ -26,9 +26,9 @@ backend_config_file="${module_dir}/${backend_config_name}.s3.tfbackend"
 # and the name of the DynamoDB table that was created for tf state locks.
 # This will be used to configure the S3 backends in all the application
 # modules
-tf_state_bucket_name=$(terraform -chdir="infra/accounts" output --raw tf_state_bucket_name)
-tf_locks_table_name=$(terraform -chdir="infra/accounts" output --raw tf_locks_table_name)
-region=$(terraform -chdir="infra/accounts" output --raw region)
+tf_state_bucket_name="$(terraform -chdir="infra/accounts" output --raw tf_state_bucket_name)"
+tf_locks_table_name="$(terraform -chdir="infra/accounts" output --raw tf_locks_table_name)"
+region="$(terraform -chdir="infra/accounts" output --raw region)"
 
 echo "===================================="
 echo "Create terraform backend config file"

bin/current-account-config-name

@@ -5,8 +5,8 @@
 # The config name is "<account name>.<account id>""
 set -euo pipefail
 
-current_account_id=$(./bin/current-account-id)
-backend_config_file_path=$(ls -1 infra/accounts/*."${current_account_id}".s3.tfbackend)
-backend_config_file=$(basename "${backend_config_file_path}")
+current_account_id="$(./bin/current-account-id)"
+backend_config_file_path="$(ls -1 infra/accounts/*."${current_account_id}".s3.tfbackend)"
+backend_config_file="$(basename "${backend_config_file_path}")"
 backend_config_name="${backend_config_file/.s3.tfbackend/}"
 echo "${backend_config_name}"

bin/deploy-release

@@ -22,8 +22,8 @@ echo "::endgroup::"
 
 # Wait for the service to become stable
 
-cluster_name=$(terraform -chdir="infra/${app_name}/service" output -raw service_cluster_name)
-service_name=$(terraform -chdir="infra/${app_name}/service" output -raw service_name)
+cluster_name="$(terraform -chdir="infra/${app_name}/service" output -raw service_cluster_name)"
+service_name="$(terraform -chdir="infra/${app_name}/service" output -raw service_name)"
 echo "Wait for service ${service_name} to become stable"
 aws ecs wait services-stable --cluster "${cluster_name}" --services "${service_name}"
 

bin/destroy-pr-environment

@@ -33,13 +33,13 @@ terraform -chdir="infra/${app_name}/service" workspace select default
 echo "Delete workspace: ${workspace}"
 terraform -chdir="infra/${app_name}/service" workspace delete "${workspace}"
 
-pr_info=$(cat <<EOF
+pr_info="$(cat <<EOF
 <!-- begin PR environment info -->
 ## Preview environment
 ♻️ Environment destroyed ♻️
 <!-- end PR environment info -->
 EOF
-)
+)"
 
 pr_body="$(gh pr view "${pr_number}" --json body | jq --raw-output .body)"
 if [[ $pr_body == *"<!-- begin PR environment info -->"*"<!-- end PR environment info -->"* ]]; then

bin/infra-deploy-status-check-configs

@@ -94,13 +94,13 @@ function get_app_names() {
 
 function get_account_layer_configs() {
   local configs
-  configs=$(get_root_module_configs "accounts")
+  configs="$(get_root_module_configs "accounts")"
   echo "${configs}" | jq -c '. + {account_name: (.backend_config_name | split(".")[0])}'
 }
 
 function get_network_layer_configs() {
   local configs
-  configs=$(get_root_module_configs "networks")
+  configs="$(get_root_module_configs "networks")"
   echo "${configs}" | jq -c '. + {extra_params: "-var=\"network_name=\(.backend_config_name)\""}'
 }
 

bin/is-image-published

@@ -8,13 +8,13 @@ app_name="$1"
 git_ref="$2"
 
 # Get commit hash
-image_tag=$(git rev-parse "${git_ref}")
+image_tag="$(git rev-parse "${git_ref}")"
 
 # Need to init module when running in CD since GitHub actions does a fresh checkout of repo
 terraform -chdir="infra/${app_name}/app-config" init > /dev/null
 terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null
-image_repository_name=$(terraform -chdir="infra/${app_name}/app-config" output -raw image_repository_name)
-region=$(./bin/current-region)
+image_repository_name="$(terraform -chdir="infra/${app_name}/app-config" output -raw image_repository_name)"
+region="$(./bin/current-region)"
 
 result=""
 result=$(aws ecr describe-images --repository-name "${image_repository_name}" --image-ids "imageTag=${image_tag}" --region "${region}" 2> /dev/null ) || true

bin/lint-markdown

@@ -4,7 +4,7 @@
 # running, regardless where the user is when invoking this script.
 
 # Grab the full directory name for where this script lives.
-script_dir=$(readlink -f "$0" | xargs dirname)
+script_dir="$(readlink -f "$0" | xargs dirname)"
 
 # Move up to the root since we want to do everything relative to that. Note that this only impacts
 # this script, but will leave the user wherever they were when the script exists.

bin/publish-release

@@ -17,9 +17,9 @@ echo "  image_tag=${image_tag}"
 # Need to init module when running in CD since GitHub actions does a fresh checkout of repo
 terraform -chdir="infra/${app_name}/app-config" init > /dev/null
 terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null
-image_repository_name=$(terraform -chdir="infra/${app_name}/app-config" output -raw image_repository_name)
+image_repository_name="$(terraform -chdir="infra/${app_name}/app-config" output -raw image_repository_name)"
 
-region=$(./bin/current-region)
+region="$(./bin/current-region)"
 read -r image_registry_id image_repository_url <<< "$(aws ecr describe-repositories --repository-names "${image_repository_name}" --query "repositories[0].[registryId,repositoryUri]" --output text)"
 image_registry="${image_registry_id}.dkr.ecr.${region}.amazonaws.com"