DEV Community

drewmullen
drewmullen

Posted on

1 1

Validate Cloudformation parameters with custom logic

#cloudformation #rules

Scenario

I have a Cloudformation (cfn) template that can conditionally build or omit specific resources. The stack requires a RADIUS service (specifics are unimportant) and the template can either build one for the user or can accept an IP Address of a pre-existing service. I use 2 parameters to allow the user to specify how the template works:

Parameters:
  DeployFreeRadius:
    Description: Will build a freeradius server and use as workspaces MFA. allowed values - yes, no
    Default: "yes"
    Type: String
    AllowedValues: ["yes","no"]
  ExistingRadiusIp:
    Description: If you have an existing RADIUS server, input the IP. Only Specify if DeployFreeRadius == no
    Type: String
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})|^(?![\s\S])'
    ConstraintDescription: Must be a valid IP address or empty
Enter fullscreen mode Exit fullscreen mode

The Problem

What happens if if a user says "no" to deploying RADIUS but also doesn't provide an IP? Or, what happens when they say "yes" and also provide an IP? Bad stuff, I'm sure.

Luckily, I discovered an undocumented cloudformation feature, constraint rules. The feature was built specifically for Service Catalog to quickly fail a stack build when a user provides untenable param values. Below are the "rules" I wrote to prevent the undesirable scenarios detailed in the previous paragraph.

Rules:
  # Fail when any assertion returns false
  # Check if instructed do not deploy RADIUS and provides no RADIUS svr ip
  NoDeployAndNoExistingProvided:
    RuleCondition: !Equals
      - !Ref DeploySampleRADIUS
      - "no"
    Assertions:
      - AssertDescription: You must either Deploy RADIUS or specify a RADIUS Server IP
        Assert: !Not
          - !Equals
            - !Ref ExistingRADIUSIp
            - ""
  # Check if instructed to deploy RADIUS and provides also provides RADIUS svr ip
  DeployButAlsoExistingProvided:
    RuleCondition: !Equals
      - !Ref DeploySampleRADIUS
      - "yes"
    Assertions:
      - AssertDescription: You must either Deploy RADIUS or specify a RADIUS Server IP
        Assert: !Equals
            - !Ref ExistingRADIUSIp
            - ""
Enter fullscreen mode Exit fullscreen mode

Conclusion

If your user provides the incorrect parameter values, the stack build fails almost instantly. Here's an example of what the error looks like:

Alt Text

Update: A coworker shared that this feature actually has been documented!

profile
Sentry
 Promoted

Sentry image

Hands-on debugging session: instrument, monitor, and fix

Join Lazar for a hands-on session where you’ll build it, break it, debug it, and fix it. You’ll set up Sentry, track errors, use Session Replay and Tracing, and leverage some good ol’ AI to find and fix issues fast.

RSVP here →

Top comments (0)

profile
Neon
 Promoted

Billboard image

Create up to 10 Postgres Databases on Neon's free plan.

If you're starting a new project, Neon has got your databases covered. No credit cards. No trials. No getting in your way.

Try Neon for Free →

Read next

mikeyoung44 profile image

Simple Method Lets You Control AI Image Generation with Both Text and Pictures

Mike Young -

mikeyoung44 profile image

How AI Art Models Learn to Avoid Generating Specific Content: New Research on Concept Erasure

Mike Young -

mikeyoung44 profile image

UniTok: New AI System Creates and Understands Images Using Single Universal Tokenizer

Mike Young -

mikeyoung44 profile image

AI Dataset Breakthrough: New Tool Extracts Complex Financial Metrics from Earnings Reports with 84% Accuracy

Mike Young -