fix(core): throw on intrinsics in CFN update and create policies

packages/aws-cdk-lib/cloudformation-include/lib/cfn-include.ts

@@ -66,6 +66,14 @@ export interface CfnIncludeProps {
    * @default - will throw an error on detecting any cyclical references
    */
   readonly allowCyclicalReferences?: boolean;
+
+  /**
+   * Specifies a list of LogicalIDs for resources that will be included in the CDK Stack,
+   * but will not be parsed and converted to CDK types. This allows you to use CFN templates
+   * that rely on Intrinsic placement that `cfn-include`
+   * would otherwise reject, such as non-primitive values in resource update policies.
+   */
+  readonly unhydratedResources?: string[];
 }
 
 /**
@@ -109,6 +117,7 @@ export class CfnInclude extends core.CfnElement {
   private readonly template: any;
   private readonly preserveLogicalIds: boolean;
   private readonly allowCyclicalReferences: boolean;
+  private readonly unhydratedResources?: string[];
   private logicalIdToPlaceholderMap: Map<string, string>;
 
   constructor(scope: Construct, id: string, props: CfnIncludeProps) {
@@ -125,6 +134,8 @@ export class CfnInclude extends core.CfnElement {
 
     this.preserveLogicalIds = props.preserveLogicalIds ?? true;
 
+    this.unhydratedResources = props.unhydratedResources;
+
     // check if all user specified parameter values exist in the template
     for (const logicalId of Object.keys(this.parametersToReplace)) {
       if (!(logicalId in (this.template.Parameters || {}))) {
@@ -659,6 +670,7 @@ export class CfnInclude extends core.CfnElement {
     const cfnParser = new cfn_parse.CfnParser({
       finder,
       parameters: this.parametersToReplace,
+      unhydratedResources: this.unhydratedResources,
     });
 
     const resourceAttributes: any = this.template.Resources[logicalId];

packages/aws-cdk-lib/cloudformation-include/test/invalid-templates.test.ts

@@ -245,17 +245,108 @@ describe('CDK Include', () => {
       },
     );
   });
+
+  test('throws an exception if Tags contains invalid intrinsics', () => {
+    expect(() => {
+      includeTestTemplate(stack, 'tags-with-invalid-intrinsics.json');
+    }).toThrow(/expression does not exist in the template/);
+  });
+
+  test('non-leaf Intrinsics cannot be used in the top-level creation policy', () => {
+    stack.node.setContext(cxapi.CFN_INCLUDE_REJECT_COMPLEX_RESOURCE_UPDATE_CREATE_POLICY_INTRINSICS, true);
+    expect(() => {
+      includeTestTemplate(stack, 'intrinsics-create-policy.json');
+    }).toThrow(/Resource 'CreationPolicyIntrinsic' uses an intrinsic in a resource update or deletion policy to represent a non-primitive value. Specify 'CreationPolicyIntrinsic' in the 'unhydratedResources' prop to include this resource./);
+  });
+
+  test('Intrinsics cannot be used in the autoscaling creation policy', () => {
+    stack.node.setContext(cxapi.CFN_INCLUDE_REJECT_COMPLEX_RESOURCE_UPDATE_CREATE_POLICY_INTRINSICS, true);
+    expect(() => {
+      includeTestTemplate(stack, 'intrinsics-create-policy-autoscaling.json');
+    }).toThrow(/Resource 'AutoScalingCreationPolicyIntrinsic' uses an intrinsic in a resource update or deletion policy to represent a non-primitive value. Specify 'AutoScalingCreationPolicyIntrinsic' in the 'unhydratedResources' prop to include this resource./);
+  });
+
+  test('Intrinsics cannot be used in the create policy resource signal', () => {
+    stack.node.setContext(cxapi.CFN_INCLUDE_REJECT_COMPLEX_RESOURCE_UPDATE_CREATE_POLICY_INTRINSICS, true);
+    expect(() => {
+      includeTestTemplate(stack, 'intrinsics-create-policy-resource-signal.json');
+    }).toThrow(/Resource 'ResourceSignalIntrinsic' uses an intrinsic in a resource update or deletion policy to represent a non-primitive value. Specify 'ResourceSignalIntrinsic' in the 'unhydratedResources' prop to include this resource./);
+  });
+
+  test('Intrinsics cannot be used in the top-level update policy', () => {
+    stack.node.setContext(cxapi.CFN_INCLUDE_REJECT_COMPLEX_RESOURCE_UPDATE_CREATE_POLICY_INTRINSICS, true);
+    expect(() => {
+      includeTestTemplate(stack, 'intrinsics-update-policy.json');
+    }).toThrow(/Resource 'ASG' uses an intrinsic in a resource update or deletion policy to represent a non-primitive value. Specify 'ASG' in the 'unhydratedResources' prop to include this resource./);
+  });
+
+  test('Intrinsics cannot be used in the auto scaling rolling update update policy', () => {
+    stack.node.setContext(cxapi.CFN_INCLUDE_REJECT_COMPLEX_RESOURCE_UPDATE_CREATE_POLICY_INTRINSICS, true);
+    expect(() => {
+      includeTestTemplate(stack, 'intrinsics-update-policy-autoscaling-rolling-update.json');
+    }).toThrow(/Resource 'ASG' uses an intrinsic in a resource update or deletion policy to represent a non-primitive value. Specify 'ASG' in the 'unhydratedResources' prop to include this resource./);
+  });
+
+  test('Intrinsics cannot be used in the auto scaling replacing update update policy', () => {
+    stack.node.setContext(cxapi.CFN_INCLUDE_REJECT_COMPLEX_RESOURCE_UPDATE_CREATE_POLICY_INTRINSICS, true);
+    expect(() => {
+      includeTestTemplate(stack, 'intrinsics-update-policy-autoscaling-replacing-update.json');
+    }).toThrow(/Resource 'ASG' uses an intrinsic in a resource update or deletion policy to represent a non-primitive value. Specify 'ASG' in the 'unhydratedResources' prop to include this resource./);
+  });
+
+  test('Intrinsics cannot be used in the auto scaling scheduled action update policy', () => {
+    stack.node.setContext(cxapi.CFN_INCLUDE_REJECT_COMPLEX_RESOURCE_UPDATE_CREATE_POLICY_INTRINSICS, true);
+    expect(() => {
+      includeTestTemplate(stack, 'intrinsics-update-policy-autoscaling-scheduled-action.json');
+    }).toThrow(/Resource 'ASG' uses an intrinsic in a resource update or deletion policy to represent a non-primitive value. Specify 'ASG' in the 'unhydratedResources' prop to include this resource./);
+  });
+
+  test('Intrinsics cannot be used in the code deploy lambda alias update policy', () => {
+    stack.node.setContext(cxapi.CFN_INCLUDE_REJECT_COMPLEX_RESOURCE_UPDATE_CREATE_POLICY_INTRINSICS, true);
+    expect(() => {
+      includeTestTemplate(stack, 'intrinsics-update-policy-code-deploy-lambda-alias-update.json');
+    }).toThrow(/Resource 'Alias' uses an intrinsic in a resource update or deletion policy to represent a non-primitive value. Specify 'Alias' in the 'unhydratedResources' prop to include this resource./);
+  });
+
+  test('FF toggles error checking', () => {
+    stack.node.setContext(cxapi.CFN_INCLUDE_REJECT_COMPLEX_RESOURCE_UPDATE_CREATE_POLICY_INTRINSICS, false);
+    expect(() => {
+      includeTestTemplate(stack, 'intrinsics-update-policy-code-deploy-lambda-alias-update.json');
+    }).not.toThrow();
+  });
+
+  test('FF disabled with unhydratedResources does not throw', () => {
+    stack.node.setContext(cxapi.CFN_INCLUDE_REJECT_COMPLEX_RESOURCE_UPDATE_CREATE_POLICY_INTRINSICS, false);
+    expect(() => {
+      includeTestTemplate(stack, 'intrinsics-update-policy-code-deploy-lambda-alias-update.json', {
+        unhydratedResources: ['Alias'],
+      });
+    }).not.toThrow();
+  });
+
+  test('unhydrated resources appear in the template', () => {
+    stack.node.setContext(cxapi.CFN_INCLUDE_REJECT_COMPLEX_RESOURCE_UPDATE_CREATE_POLICY_INTRINSICS, true);
+    includeTestTemplate(stack, 'intrinsics-update-policy-code-deploy-lambda-alias-update.json', {
+      unhydratedResources: ['Alias'],
+    });
+
+    expect(Template.fromStack(stack).hasResource('AWS::Lambda::Alias', {}));
+  });
 });
 
 interface IncludeTestTemplateProps {
   /** @default false */
   readonly allowCyclicalReferences?: boolean;
+
+  /** @default none */
+  readonly unhydratedResources?: string[];
 }
 
 function includeTestTemplate(scope: constructs.Construct, testTemplate: string, props: IncludeTestTemplateProps = {}): inc.CfnInclude {
   return new inc.CfnInclude(scope, 'MyScope', {
     templateFile: _testTemplateFilePath(testTemplate),
     allowCyclicalReferences: props.allowCyclicalReferences,
+    unhydratedResources: props.unhydratedResources,
   });
 }
 

packages/aws-cdk-lib/cloudformation-include/test/test-templates/intrinsics-create-policy-autoscaling.json

@@ -0,0 +1,23 @@
+{
+  "Parameters": {
+    "MinSuccessfulInstancesPercent": {
+      "Type": "Number"
+    }
+  },
+  "Resources": {
+    "AutoScalingCreationPolicyIntrinsic": {
+      "Type": "AWS::AutoScaling::AutoScalingGroup",
+      "Properties": {
+        "MinSize": "1",
+        "MaxSize": "5"
+      },
+      "CreationPolicy": {
+        "AutoScalingCreationPolicy": {
+          "MinSuccessfulInstancesPercent": {
+            "Ref": "MinSuccessfulInstancesPercent"
+          }
+        }
+      }
+    }
+  }
+}

packages/aws-cdk-lib/cloudformation-include/test/test-templates/intrinsics-create-policy-complex.json

@@ -0,0 +1,42 @@
+{
+  "Parameters": {
+    "CountParameter": {
+      "Type": "Number",
+      "Default": 3
+    }
+  },
+  "Conditions": {
+    "SomeCondition": {
+      "Fn::Equals": [
+        2,
+        2
+      ]
+    }
+  },
+  "Resources": {
+    "ASG": {
+      "Type": "AWS::AutoScaling::AutoScalingGroup",
+      "Properties": {
+        "MinSize": "1",
+        "MaxSize": "5"
+      },
+      "CreationPolicy": {
+        "AutoScalingCreationPolicy": {
+          "MinSuccessfulInstancesPercent": 50
+        },
+        "ResourceSignal": {
+          "Count": {
+            "Fn::If": [
+              "SomeCondition",
+              {
+                "Ref": "CountParameter"
+              },
+              4
+            ]
+          },
+          "Timeout":"PT5H4M3S"
+        }
+      }
+    }
+  }
+}

packages/aws-cdk-lib/cloudformation-include/test/test-templates/intrinsics-create-policy-resource-signal.json

@@ -0,0 +1,24 @@
+{
+  "Parameters": {
+    "CountParameter": {
+      "Type": "Number",
+      "Default": 3
+    }
+  },
+  "Resources": {
+    "ResourceSignalIntrinsic": {
+      "Type": "AWS::AutoScaling::AutoScalingGroup",
+      "Properties": {
+        "MinSize": "1",
+        "MaxSize": "5"
+      },
+      "CreationPolicy": {
+        "ResourceSignal": {
+          "Count": {
+            "Ref": "CountParameter"
+          }
+        }
+      }
+    }
+  }
+}

packages/aws-cdk-lib/cloudformation-include/test/test-templates/intrinsics-update-policy-autoscaling-replacing-update.json

@@ -0,0 +1,22 @@
+{
+  "Parameters": {
+    "WillReplace": {
+      "Type": "Boolean",
+      "Default": false
+    }
+  },
+  "Resources": {
+    "ASG": {
+      "Type": "AWS::AutoScaling::AutoScalingGroup",
+      "Properties": {
+        "MinSize": "1",
+        "MaxSize": "10"
+      },
+      "UpdatePolicy": {
+        "AutoScalingReplacingUpdate": {
+          "WillReplace" : { "Ref": "WillReplace" }
+        }
+      }
+    }
+  }
+}

packages/aws-cdk-lib/cloudformation-include/test/test-templates/intrinsics-update-policy-autoscaling-rolling-update.json

@@ -0,0 +1,37 @@
+{
+  "Parameters": {
+    "MinInstances": {
+      "Type": "Number",
+      "Default": 1
+    },
+    "MaxBatchSize": {
+      "Type": "Number",
+      "Default": 1
+    },
+    "PauseTime": {
+      "Type": "String",
+      "Default": "PT5M"
+    },
+    "WaitOnResourceSignals": {
+      "Type": "Boolean",
+      "Default": true
+    }
+  },
+  "Resources": {
+    "ASG": {
+      "Type": "AWS::AutoScaling::AutoScalingGroup",
+      "Properties": {
+        "MinSize": "1",
+        "MaxSize": "10"
+      },
+      "UpdatePolicy": {
+        "AutoScalingRollingUpdate": {
+          "MinInstancesInService": { "Ref": "MinInstances" },
+          "MaxBatchSize": { "Ref": "MaxBatchSize" },
+          "PauseTime": { "Ref": "PauseTime" },
+          "WaitOnResourceSignals": { "Ref": "WaitOnResourceSignals" }
+        }
+      }
+    }
+  }
+}

packages/aws-cdk-lib/cloudformation-include/test/test-templates/intrinsics-update-policy-autoscaling-scheduled-action.json

@@ -0,0 +1,24 @@
+{
+  "Parameters": {
+    "IgnoreUnmodifiedGroupSizeProperties": {
+      "Type": "Boolean",
+      "Default": false
+    }
+  },
+  "Resources": {
+    "ASG": {
+      "Type": "AWS::AutoScaling::AutoScalingGroup",
+      "Properties": {
+        "MinSize": "1",
+        "MaxSize": "10"
+      },
+      "UpdatePolicy": {
+        "AutoScalingScheduledAction": {
+          "IgnoreUnmodifiedGroupSizeProperties": {
+            "Ref": "IgnoreUnmodifiedGroupSizeProperties"
+          }
+        }
+      }
+    }
+  }
+}

packages/aws-cdk-lib/cloudformation-include/test/test-templates/intrinsics-update-policy-code-deploy-lambda-alias-update.json

@@ -0,0 +1,34 @@
+{
+  "Parameters": {
+    "ApplicationName": {
+      "Type": "String"
+    },
+    "DeploymentGroupName": {
+      "Type": "String"
+    },
+    "BeforeAllowTrafficHook": {
+      "Type": "String"
+    },
+    "AfterAllowTrafficHook": {
+      "Type": "String"
+    }
+  },
+  "Resources": {
+    "Alias": {
+      "Type": "AWS::Lambda::Alias",
+      "Properties": {
+        "FunctionName": "SomeLambda",
+        "FunctionVersion": "SomeVersion",
+        "Name": "MyAlias"
+      },
+      "UpdatePolicy": {
+        "CodeDeployLambdaAliasUpdate": {
+          "ApplicationName": { "Ref": "ApplicationName" },
+          "DeploymentGroupName": { "Ref": "DeploymentGroupName" },
+          "BeforeAllowTrafficHook": { "Ref": "BeforeAllowTrafficHook" },
+          "AfterAllowTrafficHook": { "Ref": "AfterAllowTrafficHook" }
+        }
+      }
+    }
+  }
+}