IaC generator and write-only properties - AWS CloudFormation

Write-only properties are resource properties that can be written but can’t be read by AWS CloudFormation. (An example would be a database password.) This causes issues when generating templates from existing resources. In general, write-only properties are converted into parameters in the generated template. This allows you to enter the properties as parameter values during import operations. However, write-only properties cannot be converted into parameters in the following cases:

  1. There are multiple exclusive sets of properties, at least some of which are write-only. The IaC generator cannot determine which set of exclusive properties was applied to the resource during creation. For example, you can provide the code for an AWS::Lambda::Function using one of these sets of properties.

    • Code/S3Bucket, Code/S3Key, and optionally Code/S3ObjectVersion

    • Code/ImageUri

    • Code/ZipFile

    All of these properties are write-only. The IaC generator selects one of the exclusive sets of properties and adds them to the generated template. Parameters are added for each of the write-only properties. The parameter names include OneOf and the parameter descriptions indicate that the corresponding property can be replaced with other exclusive properties. The IaC generator sets a warning Type of MUTUALLY_EXCLUSIVE_PROPERTIES for the included properties.

  2. The write-only property can be any of multiple data types. For example, the Body property of AWS::ApiGateway::RestApi can be either an object or a string. When this is the case, the IaC generator sets a warning Type of MUTUALLY_EXCLUSIVE_TYPES and includes the property in the generated template using the type of string.

  3. The write-only property has a type of array. Parameters can only be scalar values, so it's not possible to add a parameter to the template for arrays. When this is the case, the IaC generator does not include the property in the generated template and sets a warning Type of UNSUPPORTED_PROPERTIES.

  4. The write-only property is optional. The IaC generator can’t detect if the write-only property was ever used when setting up the resource. In this case, the IaC generator does not include the property in the generated template and sets a warning Type of UNSUPPORTED_PROPERTIES.

When the generated template includes resources with write-only properties, the IaC generator console displays a warning with a summary of the types of issues. For example:

   [Image: IaC generator console warning about write-only properties in generated template]

You can choose View warning details to see more details. The resources with write-only properties are identified by the logical ID used in the generated template and resource type.

   [Image: IaC generator console detailed warnings about write-only properties in generated template]

Use the list of warnings to identify resources with write-only properties and look at each resource to determine what changes (if any) need to be made to the generated template. You can download the generated template by choosing the Download button. After changes have been made, you can choose the Import edited template button to continue.
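The following script, an added example that is not part of the AWS documentation, turns the warning types described above (MUTUALLY_EXCLUSIVE_PROPERTIES, MUTUALLY_EXCLUSIVE_TYPES, UNSUPPORTED_PROPERTIES) into a pre-import checklist and verifies that every mutually exclusive write-only property in a downloaded template still has its OneOf parameter. The warning payload and template are constructed inline; their shape is modelled on the DescribeGeneratedTemplate API response and on the OneOf naming the page mentions, and both are assumptions to confirm against real output.

```python
"""Triage IaC generator write-only warnings before importing. Added example, not
AWS code. Inputs are constructed; their layout is modelled on the
DescribeGeneratedTemplate response (Resources[].Warnings[].Type/Properties) and
on the 'OneOf' parameter naming the page describes: treat both as assumptions."""

# Constructed warning payload covering the three warning types on the page.
GENERATED = {"Resources": [
    {"LogicalResourceId": "MyFunction", "ResourceType": "AWS::Lambda::Function",
     "Warnings": [
         {"Type": "MUTUALLY_EXCLUSIVE_PROPERTIES",
          "Properties": [{"PropertyPath": "/Code/S3Bucket", "Required": True},
                         {"PropertyPath": "/Code/S3Key", "Required": True}]},
         {"Type": "UNSUPPORTED_PROPERTIES",  # hypothetical optional array property
          "Properties": [{"PropertyPath": "/ExampleArrayProperty", "Required": False}]}]},
    {"LogicalResourceId": "MyApi", "ResourceType": "AWS::ApiGateway::RestApi",
     "Warnings": [{"Type": "MUTUALLY_EXCLUSIVE_TYPES",
                   "Properties": [{"PropertyPath": "/Body", "Required": False}]}]}]}

# Constructed template parameters: only one of the two exclusive properties has
# a OneOf parameter, so missing_parameters() flags /Code/S3Key.
TEMPLATE = {"Parameters": {"MyFunctionCodeS3BucketOneOf": {
    "Type": "String", "Description": "Write-only; exclusive with ImageUri/ZipFile"}}}

# Reviewer action per warning type before the import proceeds.
ACTION = {
    "MUTUALLY_EXCLUSIVE_PROPERTIES": "supply via its OneOf parameter at import "
                                     "(never hardcode secrets) or switch property set",
    "MUTUALLY_EXCLUSIVE_TYPES": "emitted as string; rewrite as object if the resource uses one",
    "UNSUPPORTED_PROPERTIES": "omitted from template; add the property by hand before import",
}

def triage(generated, template):
    """Map each logical ID to (path, warning type, action, matching OneOf parameter or None)."""
    params = template.get("Parameters", {})
    report = {}
    for res in generated["Resources"]:
        rid, rows = res["LogicalResourceId"], []
        for warning in res["Warnings"]:
            for prop in warning["Properties"]:
                leaf = prop["PropertyPath"].strip("/").replace("/", "")
                match = next((n for n in params if n.startswith(rid) and leaf in n and "OneOf" in n), None)
                rows.append((prop["PropertyPath"], warning["Type"], ACTION[warning["Type"]], match))
        report[rid] = rows
    return report

def missing_parameters(report):
    """Exclusive write-only properties lacking a OneOf parameter (template edited or truncated)."""
    return [(rid, path) for rid, rows in report.items() for path, wtype, _, match in rows
            if wtype == "MUTUALLY_EXCLUSIVE_PROPERTIES" and match is None]
```

Run triage() over the saved warning output and the downloaded template; a non-empty missing_parameters() result means a write-only (often secret-bearing) property will get no parameter prompt at import and must be restored before choosing Import edited template.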

Important

Currently, the AWS resource and property types reference documentation does not indicate whether a property is write-only or whether it supports multiple types. You need to look at the warnings returned by the IaC generator console or at the resource provider schema to determine which properties are write-only.

For more information on the resource provider schema, see Resource provider schema in the CloudFormation Command Line Interface User Guide. To download the resource provider schemas, see CloudFormation resource provider schemas.