moto/tests/test_cloudformation/test_conditions.py

from uuid import uuid4

import boto3
import pytest
from botocore.exceptions import ClientError

from . import cloudformation_aws_verified

conditional_output_conditional_value = """
Outputs:
  roleArn:
    Condition: RoleCondition
    Value: !GetAtt role.Arn

Parameters:
  roleName:
    Type: String
    Description: Predefined role name

Conditions:
  RoleCondition: !Equals [ !Ref roleName, "myrole" ]

Resources:
  role:
    Condition: RoleCondition
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
"""


@pytest.mark.aws_verified
@cloudformation_aws_verified()
def test_conditional_output_conditional_value():
    cf = boto3.client("cloudformation", region_name="us-east-1")
    param = [{"ParameterKey": "roleName", "ParameterValue": "myrole"}]
    name = f"stack{str(uuid4())[0:6]}"
    cf.create_stack(
        StackName=name,
        TemplateBody=conditional_output_conditional_value,
        Parameters=param,
        Capabilities=["CAPABILITY_IAM"],
    )
    waiter = cf.get_waiter("stack_create_complete")
    waiter.wait(StackName=name)

    stack = cf.describe_stacks(StackName=name)["Stacks"][0]
    assert stack["Outputs"][0]["OutputKey"] == "roleArn"

    cf.delete_stack(StackName=name)

    # verify role does not exist with different name
    param = [{"ParameterKey": "roleName", "ParameterValue": "diffname"}]
    cf.create_stack(
        StackName=f"{name}2",
        TemplateBody=conditional_output_conditional_value,
        Parameters=param,
        Capabilities=["CAPABILITY_IAM"],
    )
    waiter = cf.get_waiter("stack_create_complete")
    waiter.wait(StackName=f"{name}2")
    stack = cf.describe_stacks()["Stacks"][0]
    assert "Outputs" not in stack

    cf.delete_stack(StackName=f"{name}2")


permanent_output_conditional_value = """
Outputs:
  roleArn:
    Value: !GetAtt role.Arn

Parameters:
  roleName:
    Type: String
    Description: Predefined role name

Conditions:
  RoleCondition: !Equals [ !Ref roleName, "myrole" ]

Resources:
  role:
    Condition: RoleCondition
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
"""


@pytest.mark.aws_verified
@cloudformation_aws_verified()
def test_permanent_output_conditional_value():
    cf = boto3.client("cloudformation", region_name="us-east-1")
    param = [{"ParameterKey": "roleName", "ParameterValue": "myrole"}]

    name = f"stack{str(uuid4())[0:6]}"
    cf.create_stack(
        StackName=name,
        TemplateBody=permanent_output_conditional_value,
        Parameters=param,
        Capabilities=["CAPABILITY_IAM"],
    )
    waiter = cf.get_waiter("stack_create_complete")
    waiter.wait(StackName=name)

    # Works - because role exists
    stack = cf.describe_stacks(StackName=name)["Stacks"][0]
    assert stack["Outputs"][0]["OutputKey"] == "roleArn"

    cf.delete_stack(StackName=name)

    # Role does not exist with different name
    # So we can't get the Output either
    param = [{"ParameterKey": "roleName", "ParameterValue": "diffname"}]
    with pytest.raises(ClientError) as exc:
        cf.create_stack(
            StackName=f"{name}2",
            TemplateBody=permanent_output_conditional_value,
            Parameters=param,
            Capabilities=["CAPABILITY_IAM"],
        )
    err = exc.value.response["Error"]
    assert err["Code"] == "ValidationError"
    assert (
        err["Message"]
        == "Unresolved resource dependencies [role] in the Outputs block of the template"
    )


conditional_output_of_permanent_value = """
Outputs:
  roleArn:
    Condition: RoleCondition
    Value: !GetAtt role.Arn

Parameters:
  roleName:
    Type: String
    Description: Predefined role name

Conditions:
  RoleCondition: !Equals [ !Ref roleName, "myrole" ]

Resources:
  role:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
"""


@pytest.mark.aws_verified
@cloudformation_aws_verified()
def test_conditional_output_of_permanent_value():
    cf = boto3.client("cloudformation", region_name="us-east-1")
    param = [{"ParameterKey": "roleName", "ParameterValue": "myrole"}]

    name = f"stack{str(uuid4())[0:6]}"
    cf.create_stack(
        StackName=name,
        TemplateBody=conditional_output_of_permanent_value,
        Parameters=param,
        Capabilities=["CAPABILITY_IAM"],
    )
    waiter = cf.get_waiter("stack_create_complete")
    waiter.wait(StackName=name)

    stack = cf.describe_stacks(StackName=name)["Stacks"][0]
    assert stack["Outputs"][0]["OutputKey"] == "roleArn"

    cf.delete_stack(StackName=name)

    # verify role does not exist with different name
    param = [{"ParameterKey": "roleName", "ParameterValue": "diffname"}]
    cf.create_stack(
        StackName=f"{name}2",
        TemplateBody=conditional_output_of_permanent_value,
        Parameters=param,
        Capabilities=["CAPABILITY_IAM"],
    )
    waiter = cf.get_waiter("stack_create_complete")
    waiter.wait(StackName=f"{name}2")
    stack = cf.describe_stacks(StackName=f"{name}2")["Stacks"][0]
    # The Role does exist
    # But Output is conditional, and just doesn't return anything
    assert "Outputs" not in stack

    cf.delete_stack(StackName=f"{name}2")
CloudFormation: Allow Conditions in Outputs (#7470) 2024-03-14 23:26:15 +00:00			`from uuid import uuid4`

			`import boto3`
			`import pytest`
			`from botocore.exceptions import ClientError`

			`from . import cloudformation_aws_verified`

			`conditional_output_conditional_value = """`
			`Outputs:`
			`roleArn:`
			`Condition: RoleCondition`
			`Value: !GetAtt role.Arn`

			`Parameters:`
			`roleName:`
			`Type: String`
			`Description: Predefined role name`

			`Conditions:`
			`RoleCondition: !Equals [ !Ref roleName, "myrole" ]`

			`Resources:`
			`role:`
			`Condition: RoleCondition`
			`Type: 'AWS::IAM::Role'`
			`Properties:`
			`AssumeRolePolicyDocument:`
			`Version: 2012-10-17`
			`Statement:`
			`- Effect: Allow`
			`Principal:`
			`Service:`
			`- ec2.amazonaws.com`
			`Action:`
			`- 'sts:AssumeRole'`
			`"""`


			`@pytest.mark.aws_verified`
			`@cloudformation_aws_verified()`
			`def test_conditional_output_conditional_value():`
			`cf = boto3.client("cloudformation", region_name="us-east-1")`
			`param = [{"ParameterKey": "roleName", "ParameterValue": "myrole"}]`
			`name = f"stack{str(uuid4())[0:6]}"`
			`cf.create_stack(`
			`StackName=name,`
			`TemplateBody=conditional_output_conditional_value,`
			`Parameters=param,`
			`Capabilities=["CAPABILITY_IAM"],`
			`)`
			`waiter = cf.get_waiter("stack_create_complete")`
			`waiter.wait(StackName=name)`

			`stack = cf.describe_stacks(StackName=name)["Stacks"][0]`
			`assert stack["Outputs"][0]["OutputKey"] == "roleArn"`

			`cf.delete_stack(StackName=name)`

			`# verify role does not exist with different name`
			`param = [{"ParameterKey": "roleName", "ParameterValue": "diffname"}]`
			`cf.create_stack(`
			`StackName=f"{name}2",`
			`TemplateBody=conditional_output_conditional_value,`
			`Parameters=param,`
			`Capabilities=["CAPABILITY_IAM"],`
			`)`
			`waiter = cf.get_waiter("stack_create_complete")`
			`waiter.wait(StackName=f"{name}2")`
			`stack = cf.describe_stacks()["Stacks"][0]`
			`assert "Outputs" not in stack`

			`cf.delete_stack(StackName=f"{name}2")`


			`permanent_output_conditional_value = """`
			`Outputs:`
			`roleArn:`
			`Value: !GetAtt role.Arn`

			`Parameters:`
			`roleName:`
			`Type: String`
			`Description: Predefined role name`

			`Conditions:`
			`RoleCondition: !Equals [ !Ref roleName, "myrole" ]`

			`Resources:`
			`role:`
			`Condition: RoleCondition`
			`Type: 'AWS::IAM::Role'`
			`Properties:`
			`AssumeRolePolicyDocument:`
			`Version: 2012-10-17`
			`Statement:`
			`- Effect: Allow`
			`Principal:`
			`Service:`
			`- ec2.amazonaws.com`
			`Action:`
			`- 'sts:AssumeRole'`
			`"""`


			`@pytest.mark.aws_verified`
			`@cloudformation_aws_verified()`
			`def test_permanent_output_conditional_value():`
			`cf = boto3.client("cloudformation", region_name="us-east-1")`
			`param = [{"ParameterKey": "roleName", "ParameterValue": "myrole"}]`

			`name = f"stack{str(uuid4())[0:6]}"`
			`cf.create_stack(`
			`StackName=name,`
			`TemplateBody=permanent_output_conditional_value,`
			`Parameters=param,`
			`Capabilities=["CAPABILITY_IAM"],`
			`)`
			`waiter = cf.get_waiter("stack_create_complete")`
			`waiter.wait(StackName=name)`

			`# Works - because role exists`
			`stack = cf.describe_stacks(StackName=name)["Stacks"][0]`
			`assert stack["Outputs"][0]["OutputKey"] == "roleArn"`

			`cf.delete_stack(StackName=name)`

			`# Role does not exist with different name`
			`# So we can't get the Output either`
			`param = [{"ParameterKey": "roleName", "ParameterValue": "diffname"}]`
			`with pytest.raises(ClientError) as exc:`
			`cf.create_stack(`
			`StackName=f"{name}2",`
			`TemplateBody=permanent_output_conditional_value,`
			`Parameters=param,`
			`Capabilities=["CAPABILITY_IAM"],`
			`)`
			`err = exc.value.response["Error"]`
			`assert err["Code"] == "ValidationError"`
			`assert (`
			`err["Message"]`
			`== "Unresolved resource dependencies [role] in the Outputs block of the template"`
			`)`


			`conditional_output_of_permanent_value = """`
			`Outputs:`
			`roleArn:`
			`Condition: RoleCondition`
			`Value: !GetAtt role.Arn`

			`Parameters:`
			`roleName:`
			`Type: String`
			`Description: Predefined role name`

			`Conditions:`
			`RoleCondition: !Equals [ !Ref roleName, "myrole" ]`

			`Resources:`
			`role:`
			`Type: 'AWS::IAM::Role'`
			`Properties:`
			`AssumeRolePolicyDocument:`
			`Version: 2012-10-17`
			`Statement:`
			`- Effect: Allow`
			`Principal:`
			`Service:`
			`- ec2.amazonaws.com`
			`Action:`
			`- 'sts:AssumeRole'`
			`"""`


			`@pytest.mark.aws_verified`
			`@cloudformation_aws_verified()`
			`def test_conditional_output_of_permanent_value():`
			`cf = boto3.client("cloudformation", region_name="us-east-1")`
			`param = [{"ParameterKey": "roleName", "ParameterValue": "myrole"}]`

			`name = f"stack{str(uuid4())[0:6]}"`
			`cf.create_stack(`
			`StackName=name,`
			`TemplateBody=conditional_output_of_permanent_value,`
			`Parameters=param,`
			`Capabilities=["CAPABILITY_IAM"],`
			`)`
			`waiter = cf.get_waiter("stack_create_complete")`
			`waiter.wait(StackName=name)`

			`stack = cf.describe_stacks(StackName=name)["Stacks"][0]`
			`assert stack["Outputs"][0]["OutputKey"] == "roleArn"`

			`cf.delete_stack(StackName=name)`

			`# verify role does not exist with different name`
			`param = [{"ParameterKey": "roleName", "ParameterValue": "diffname"}]`
			`cf.create_stack(`
			`StackName=f"{name}2",`
			`TemplateBody=conditional_output_of_permanent_value,`
			`Parameters=param,`
			`Capabilities=["CAPABILITY_IAM"],`
			`)`
			`waiter = cf.get_waiter("stack_create_complete")`
			`waiter.wait(StackName=f"{name}2")`
			`stack = cf.describe_stacks(StackName=f"{name}2")["Stacks"][0]`
			`# The Role does exist`
			`# But Output is conditional, and just doesn't return anything`
			`assert "Outputs" not in stack`

			`cf.delete_stack(StackName=f"{name}2")`