DEV Community

drewmullen

Validate CloudFormation parameters with custom logic

Scenario

I have a CloudFormation (cfn) template that can conditionally build or omit specific resources. The stack requires a RADIUS service (specifics are unimportant), and the template can either build one for the user or accept the IP address of a pre-existing service. I use two parameters to allow the user to specify how the template works:

Parameters:
  DeployFreeRadius:
    Description: Will build a freeradius server and use as workspaces MFA. allowed values - yes, no
    Default: "yes"
    Type: String
    AllowedValues: ["yes","no"]
  ExistingRadiusIp:
    Description: If you have an existing RADIUS server, input the IP. Only Specify if DeployFreeRadius == no
    Type: String
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})|^(?![\s\S])'
    ConstraintDescription: Must be a valid IP address or empty

The Problem

What happens if a user says "no" to deploying RADIUS but also doesn't provide an IP? Or, what happens when they say "yes" and also provide an IP? Bad stuff, I'm sure.

Luckily, I discovered an undocumented CloudFormation feature, constraint rules. The feature was built specifically for Service Catalog to quickly fail a stack build when a user provides untenable param values. Below are the "rules" I wrote to prevent the undesirable scenarios detailed in the previous paragraph.

Rules:
  # A rule fails when any of its assertions returns false
  # Fail if instructed not to deploy RADIUS and no existing RADIUS server IP is provided
  NoDeployAndNoExistingProvided:
    RuleCondition: !Equals
      - !Ref DeployFreeRadius
      - "no"
    Assertions:
      - AssertDescription: You must either Deploy RADIUS or specify a RADIUS Server IP
        Assert: !Not
          - !Equals
            - !Ref ExistingRadiusIp
            - ""
  # Fail if instructed to deploy RADIUS and an existing RADIUS server IP is also provided
  DeployButAlsoExistingProvided:
    RuleCondition: !Equals
      - !Ref DeployFreeRadius
      - "yes"
    Assertions:
      - AssertDescription: You must either Deploy RADIUS or specify a RADIUS Server IP
        Assert: !Equals
          - !Ref ExistingRadiusIp
          - ""

Conclusion

If your user provides the incorrect parameter values, the stack build fails almost instantly. Here's an example of what the error looks like:

[Image: screenshot of the error]

Update: A coworker shared that this feature actually has been documented!
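
The two rules can be checked against every parameter combination before a stack is ever launched. The following is an added example, not code from the original post: a simplified local model of rule evaluation in Python that handles only Ref, Fn::Equals and Fn::Not, with the rules written in JSON form using the names from the Parameters block. The helper names and the sample IP are constructed for illustration.

```python
# Added example: simplified local model of rule evaluation (Ref, Fn::Equals, Fn::Not only).
MSG = "You must either Deploy RADIUS or specify a RADIUS Server IP"
RULES = {  # JSON form of the two rules, using the names from the Parameters block
    "NoDeployAndNoExistingProvided": {
        "RuleCondition": {"Fn::Equals": [{"Ref": "DeployFreeRadius"}, "no"]},
        "Assertions": [{"AssertDescription": MSG, "Assert":
                        {"Fn::Not": [{"Fn::Equals": [{"Ref": "ExistingRadiusIp"}, ""]}]}}],
    },
    "DeployButAlsoExistingProvided": {
        "RuleCondition": {"Fn::Equals": [{"Ref": "DeployFreeRadius"}, "yes"]},
        "Assertions": [{"AssertDescription": MSG, "Assert":
                        {"Fn::Equals": [{"Ref": "ExistingRadiusIp"}, ""]}}],
    },
}

def evaluate(node, params):
    """Resolve a literal, Ref, Fn::Equals or Fn::Not against parameter values."""
    if not isinstance(node, dict):
        return node
    (fn, arg), = node.items()
    if fn == "Ref":
        if arg not in params:  # a Ref to a name missing from Parameters
            raise KeyError(f"Ref to undefined parameter: {arg}")
        return params[arg]
    if fn == "Fn::Equals":
        return evaluate(arg[0], params) == evaluate(arg[1], params)
    if fn == "Fn::Not":
        return not evaluate(arg[0], params)
    raise ValueError(f"unsupported function: {fn}")

def failed_rules(rules, params):
    """Return names of rules whose condition holds and whose assertion fails."""
    failed = []
    for name, rule in rules.items():
        if "RuleCondition" in rule and not evaluate(rule["RuleCondition"], params):
            continue  # rule does not apply to this parameter combination
        if not all(evaluate(a["Assert"], params) for a in rule["Assertions"]):
            failed.append(name)
    return failed

def truth_table(rules=RULES):
    """Check every yes/no x empty/IP combination (constructed sample values)."""
    return {(d, ip): failed_rules(rules, {"DeployFreeRadius": d, "ExistingRadiusIp": ip})
            for d in ("yes", "no") for ip in ("", "10.0.0.5")}

if __name__ == "__main__":
    for combo, failed in truth_table().items():
        print(combo, "->", failed or "ok")
```

Only the two contradictory combinations ("yes" with an IP, "no" with no IP) should report a failed rule; a Ref that does not match a declared parameter name surfaces as a KeyError in this model.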
