Posted on Feb 3, 2021

Validate Cloudformation parameters with custom logic

Scenario

I have a Cloudformation (cfn) template that can conditionally build or omit specific resources. The stack requires a RADIUS service (specifics are unimportant) and the template can either build one for the user or can accept an IP Address of a pre-existing service. I use 2 parameters to allow the user to specify how the template works:

Parameters: DeployFreeRadius: Description: Will build a freeradius server and use as workspaces MFA. allowed values - yes, no Default: "yes" Type: String AllowedValues: ["yes","no"] ExistingRadiusIp: Description: If you have an existing RADIUS server, input the IP. Only Specify if DeployFreeRadius == no Type: String AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})|^(?![\s\S])' ConstraintDescription: Must be a valid IP address or empty

The Problem

What happens if if a user says "no" to deploying RADIUS but also doesn't provide an IP? Or, what happens when they say "yes" and also provide an IP? Bad stuff, I'm sure.

Luckily, I discovered an undocumented cloudformation feature, constraint rules. The feature was built specifically for Service Catalog to quickly fail a stack build when a user provides untenable param values. Below are the "rules" I wrote to prevent the undesirable scenarios detailed in the previous paragraph.

Rules: # Fail when any assertion returns false # Check if instructed do not deploy RADIUS and provides no RADIUS svr ip NoDeployAndNoExistingProvided: RuleCondition: !Equals - !Ref DeploySampleRADIUS - "no" Assertions: - AssertDescription: You must either Deploy RADIUS or specify a RADIUS Server IP Assert: !Not - !Equals - !Ref ExistingRADIUSIp - "" # Check if instructed to deploy RADIUS and provides also provides RADIUS svr ip DeployButAlsoExistingProvided: RuleCondition: !Equals - !Ref DeploySampleRADIUS - "yes" Assertions: - AssertDescription: You must either Deploy RADIUS or specify a RADIUS Server IP Assert: !Equals - !Ref ExistingRADIUSIp - ""