Named conditions fail to migrate #694

Open
steven10172 opened this issue Jun 13, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@steven10172

When attempting to migrate a CloudFormation template that contains a named condition it failed with an error.

CloudFormation:

Conditions:
  HasSecurityGroupIds:
    Fn::Not:
      - Fn::Equals:
        - ""
        - Fn::Join: ["", Ref: SecurityGroupIds]

Resources:
  CloudAuthVpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      SecurityGroupIds:
        Fn::If:
          - HasSecurityGroupIds
          - Ref: SecurityGroupIds
          - Ref: 'AWS::NoValue'
      ServiceName:
        Fn::FindInMap:
          - CloudAuthVpcEndpointServices
          - Ref: 'AWS::Region'
          - vpces
      SubnetIds:
        - Fn::ImportValue: PrivateSubnet01
        - Fn::ImportValue: PrivateSubnet02
        - Fn::ImportValue: PrivateSubnet03
      VpcEndpointType: Interface
      VpcId:
        Fn::ImportValue: VPC

Error:

CloudAuthInfrastructureStackStack could not be generated because Conditions.HasSecurityGroupIds: data did not match any variant of untagged enum Singleton at line 22 column 5
@iph iph added the bug Something isn't working label Sep 5, 2024
@iph
Collaborator

iph commented Sep 6, 2024

The error is weird, but shockingly it isn't named conditions that are the problem. It seems that Fn::Equals in combination with Fn::Join is not a great combo.

I'm unsure why. As an example, I took your template and modified it to remove the Fn::Join:

Conditions:
  HasSecurityGroupIds:
    Fn::Not:
      - Fn::Equals:
        - ""
        - Ref: AWS::Region
Resources:
  CloudAuthVpcEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      SecurityGroupIds:
        Fn::If:
          - HasSecurityGroupIds
          - Ref: SecurityGroupIds
          - Ref: 'AWS::NoValue'
      ServiceName:
        Fn::FindInMap:
          - CloudAuthVpcEndpointServices
          - Ref: 'AWS::Region'
          - vpces
      SubnetIds:
        - Fn::ImportValue: PrivateSubnet01
        - Fn::ImportValue: PrivateSubnet02
        - Fn::ImportValue: PrivateSubnet03
      VpcEndpointType: Interface
      VpcId:
        Fn::ImportValue: VPC

and gets past the issue.

@iph
Collaborator

iph commented Sep 6, 2024

Ahh, this is a classic case of Conditions are not the same as the full support of functions.

When I initially wrote the Conditions parser, I took the documentation quite literally: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-conditions.html#w41aac23c24c21c29

The topics quite literally show the only supported conditions are And, Equals, If, Not, Or. The FUNCTIONs supported specifically are for Fn::If (which allows sub, select, join etc.)

Is this a valid template? If so, it may make sense to just support all functions and let the world run wild here.

@steven10172
Author

The template is valid and does run. It was in production for years before I migrated everything to CDK.

@iph
Collaborator

iph commented Dec 13, 2024

Dope.

Then it's valid to say that CFN doesn't enforce its own documentation and it's best to assume all meta functions work in conditions.
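
An added example, not part of the thread or the project's own code: a pre-migration check that walks a template's Conditions block and reports every intrinsic function outside the documented condition set (And, Equals, If, Not, Or). The two Conditions blocks from the thread are embedded as already-parsed YAML; treating Ref and Condition as accepted is an assumption, based on the Ref-only variant above getting past the error.

```python
# Added example: audit a template's Conditions block for intrinsic functions
# outside the documented condition set, the case the strict parser rejected.

# Condition functions named in the thread (And, Equals, If, Not, Or).
DOCUMENTED = {"Fn::And", "Fn::Equals", "Fn::If", "Fn::Not", "Fn::Or"}
# Assumption: Ref and Condition are also accepted; the thread's Ref-only
# variant of the template got past the error.
ACCEPTED_LEAVES = {"Ref", "Condition"}


def is_intrinsic(key):
    """True for keys that CloudFormation treats as intrinsic functions."""
    return key in ("Ref", "Condition") or key.startswith("Fn::")


def find_undocumented(node, path=""):
    """Yield (path, function) for each intrinsic outside the strict set."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if is_intrinsic(key) and key not in DOCUMENTED | ACCEPTED_LEAVES:
                yield here, key
            yield from find_undocumented(value, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_undocumented(item, f"{path}[{index}]")


def audit_conditions(template):
    """Map each condition name to the undocumented functions it uses."""
    report = {}
    for name, body in template.get("Conditions", {}).items():
        hits = list(find_undocumented(body, name))
        if hits:
            report[name] = hits
    return report


# Constructed input: the two Conditions blocks from the thread, as parsed YAML.
FAILING = {"Conditions": {"HasSecurityGroupIds": {"Fn::Not": [
    {"Fn::Equals": ["", {"Fn::Join": ["", {"Ref": "SecurityGroupIds"}]}]}]}}}
PASSING = {"Conditions": {"HasSecurityGroupIds": {"Fn::Not": [
    {"Fn::Equals": ["", {"Ref": "AWS::Region"}]}]}}}

if __name__ == "__main__":
    for label, tpl in (("original", FAILING), ("modified", PASSING)):
        print(label, audit_conditions(tpl))
```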
