Hide CloudFormation pararamters with NoEcho. Fixes #2021 (#2024)

AUTHORS.md

@@ -54,4 +54,5 @@ Moto is written by Steve Pulec with contributions from:
 * [William Richard](https://github.com/william-richard)
 * [Alex Casalboni](https://github.com/alexcasalboni)
 * [Jon Beilke](https://github.com/jrbeilke)
+* [Craig Anderson](https://github.com/craiga)
 * [Robert Lewis](https://github.com/ralewis85)

moto/cloudformation/parsing.py

@@ -425,11 +425,18 @@ class ResourceMap(collections.Mapping):
             self.resolved_parameters[parameter_name] = parameter.get('Default')
 
         # Set any input parameters that were passed
+        self.no_echo_parameter_keys = []
         for key, value in self.input_parameters.items():
             if key in self.resolved_parameters:
-                value_type = parameter_slots[key].get('Type', 'String')
+                parameter_slot = parameter_slots[key]
+
+                value_type = parameter_slot.get('Type', 'String')
                 if value_type == 'CommaDelimitedList' or value_type.startswith("List"):
                     value = value.split(',')
+
+                if parameter_slot.get('NoEcho'):
+                    self.no_echo_parameter_keys.append(key)
+
                 self.resolved_parameters[key] = value
 
         # Check if there are any non-default params that were not passed input

moto/cloudformation/responses.py

@@ -654,7 +654,11 @@ DESCRIBE_STACKS_TEMPLATE = """<DescribeStacksResponse>
         {% for param_name, param_value in stack.stack_parameters.items() %}
           <member>
             <ParameterKey>{{ param_name }}</ParameterKey>
-            <ParameterValue>{{ param_value }}</ParameterValue>
+            {% if param_name in stack.resource_map.no_echo_parameter_keys %}
+                <ParameterValue>****</ParameterValue>
+            {% else %}
+                <ParameterValue>{{ param_value }}</ParameterValue>
+            {% endif %}
           </member>
         {% endfor %}
         </Parameters>

tests/test_cloudformation/test_stack_parsing.py

@@ -83,6 +83,18 @@ get_availability_zones_output = {
     }
 }
 
+parameters = {
+    "Parameters": {
+        "Param": {
+            "Type": "String",
+        },
+        "NoEchoParam": {
+            "Type": "String",
+            "NoEcho": True
+        }
+    }
+}
+
 split_select_template = {
     "AWSTemplateFormatVersion": "2010-09-09",
     "Resources": {
@@ -157,6 +169,9 @@ get_attribute_outputs_template = dict(
 get_availability_zones_template = dict(
     list(dummy_template.items()) + list(get_availability_zones_output.items()))
 
+parameters_template = dict(
+    list(dummy_template.items()) + list(parameters.items()))
+
 dummy_template_json = json.dumps(dummy_template)
 name_type_template_json = json.dumps(name_type_template)
 output_type_template_json = json.dumps(outputs_template)
@@ -165,6 +180,7 @@ get_attribute_outputs_template_json = json.dumps(
     get_attribute_outputs_template)
 get_availability_zones_template_json = json.dumps(
     get_availability_zones_template)
+parameters_template_json = json.dumps(parameters_template)
 split_select_template_json = json.dumps(split_select_template)
 sub_template_json = json.dumps(sub_template)
 export_value_template_json = json.dumps(export_value_template)
@@ -290,6 +306,18 @@ def test_parse_stack_with_bad_get_attribute_outputs():
         "test_id", "test_stack", bad_output_template_json, {}, "us-west-1").should.throw(ValidationError)
 
 
+def test_parse_stack_with_parameters():
+    stack = FakeStack(
+        stack_id="test_id",
+        name="test_stack",
+        template=parameters_template_json,
+        parameters={"Param": "visible value", "NoEchoParam": "hidden value"},
+        region_name='us-west-1')
+
+    stack.resource_map.no_echo_parameter_keys.should.have("NoEchoParam")
+    stack.resource_map.no_echo_parameter_keys.should_not.have("Param")
+
+
 def test_parse_equals_condition():
     parse_condition(
         condition={"Fn::Equals": [{"Ref": "EnvType"}, "prod"]},