
Allow AWS::NoValue to omit Role property in if - FeatureRequest#3728 #3736

Open
wants to merge 5 commits into
base: develop

SherrryX

Issue #, if available: #3728

Allow AWS::NoValue to omit Role property in Fn::If

I have validated the changes with unit tests and hand testing with bin/sam-translate.py. The change resolved my need in #3728.

Checklist

Examples?

Please reach out in the comments if you want to add an example. Examples will be
added to sam init through aws/aws-sam-cli-app-templates.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@SherrryX SherrryX requested a review from a team as a code owner March 20, 2025 17:18
@roger-zhangg
Member

Hi @SherrryX, thanks for the PR. One concern is from this issue: #2533. Could we add tests that verify the intrinsic functions implemented in this PR could reject stack resources as intended?

@SherrryX
Author

Below please find some examples of the auto-generated output results via testing with bin/sam-translate.py:

My template:

Role: !If
  - RoleExists
  - !Ref roleArn
  - !If
    - PermissionsBoundaryExists
    - "arn:aws:iam::123456789012:role/MyAnotherCustomRole"
    - !Ref "AWS::NoValue"

For case #1, when the Role parameter is not present in the template or Role is eventually evaluated to "AWS::NoValue" - SAM generates the role:

For case#2 when roleArn is provided (roleArn: "arn:aws:iam::123456789012:role/MyCustomRole") and so roleArn1 is true - use the given role:

For case #3, when roleArn is false but PermissionsBoundaryExists is true - use the given role:

@valerena
Contributor

We discussed offline. But this solution assumes that the value of the parameters and condition will be known at the time of the transform (which it is not). It works when trying locally (because it will use the default values), but when actually deployed and working, SAM doesn't know about the parameter values, therefore there won't be anything to resolve and these changes won't work.

The solution is to implement extra logic that keeps the conditions, but takes into account both options depending on the values, to define if it will create a role or not.

Generated template should be like this:

Conditions:
  MyCondition:
  NegateMyCondition:

Function:
  Properties:
    Role: !If
      - MyCondition
      - !Ref ExistingRole
      - !Ref NewCreatedRole
NewCreatedRole:
  Condition: NegateMyCondition
  Type: AWS::IAM::Role
  Properties:
    ...

Existing code where a similar situation is used for destinations here
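
The rewrite described in the comment above, as an added Python example (not code from this PR or from the SAM translator): it keeps the Fn::If on Role, derives the condition under which Role would resolve to AWS::NoValue at deploy time (including the nested Fn::If from the author's template), and creates the role only under that condition. The function names, the generated logical IDs and the minimal trust policy are assumptions, and the new role is referenced with Fn::GetAtt ... Arn because the function's Role property takes an ARN.

```python
import copy

NO_VALUE = {"Ref": "AWS::NoValue"}
ASSUME_LAMBDA = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "sts:AssumeRole", "Principal": {"Service": "lambda.amazonaws.com"}}]}

def needs_role(value):
    """True/False if statically known, else a condition expression that
    holds exactly when `value` resolves to AWS::NoValue at deploy time."""
    if value == NO_VALUE:
        return True
    if not (isinstance(value, dict) and "Fn::If" in value):
        return False
    cond, if_true, if_false = value["Fn::If"]
    branches = []
    for test, sub in (({"Condition": cond}, needs_role(if_true)),
                      ({"Fn::Not": [{"Condition": cond}]}, needs_role(if_false))):
        if sub is not False:
            branches.append(test if sub is True else {"Fn::And": [test, sub]})
    if not branches:
        return False
    return branches[0] if len(branches) == 1 else {"Fn::Or": branches}

def fill(value, replacement):
    """Swap every AWS::NoValue leaf for `replacement`, keeping each Fn::If."""
    if value == NO_VALUE:
        return replacement
    if isinstance(value, dict) and "Fn::If" in value:
        cond, a, b = value["Fn::If"]
        return {"Fn::If": [cond, fill(a, replacement), fill(b, replacement)]}
    return value

def add_conditional_role(template, function_id):
    out = copy.deepcopy(template)
    props = out["Resources"][function_id]["Properties"]
    needed = needs_role(props.get("Role", NO_VALUE))
    if needed is False:
        return out  # a role is always supplied: generate nothing
    role_id = function_id + "Role"  # hypothetical naming scheme (assumption)
    role = {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": ASSUME_LAMBDA}}
    if needed is not True:  # create the role only when it will be used
        if set(needed) == {"Condition"}:
            role["Condition"] = needed["Condition"]  # reuse the existing condition
        else:
            role["Condition"] = role_id + "Needed"
            out.setdefault("Conditions", {})[role_id + "Needed"] = needed
    out["Resources"][role_id] = role
    props["Role"] = fill(props.get("Role", NO_VALUE), {"Fn::GetAtt": [role_id, "Arn"]})
    return out
```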
