comcalvi
commented
2 years ago working example
Outputs:
Output:
Value:
Fn::Join:
- ""
- - '"'
- Fn::Select:
- 1
- Fn::Split:
- a
- Ref: Parameter
- '"'failing:
Outputs:
Output:
Value:
Fn::Join:
- ""
- - '"'
- Fn::Select:
- 1
- Fn::Split:
- \"
- Ref: Parameter
- '"'json form of failure:
"Fn::Split": [
"\\\"",
{
"Ref": "Parameter"
}
]
mrgrain
Consider a
Fn::Splitintrinsic that is encoded as JSON. For example, aSplitthat is used in the definition of a State Machine or in the arguments to a Custom Resource. If theSplitdelimiter contains some JSON-reserved characters (such as"or\), the token-aware stringification still quotes the delimiter as if it were a true string literal. This means that values originating in CloudFormation (such asCfnParameters orCfnWaitConditions) cannot be "parsed" using JSON-reserved characters.Reproduction Steps
What did you expect to happen?
Stack successfully deploys, produces output with value
"def".What actually happened?
Stack fails to deploy, produces CloudFormation error:
Environment
Other
Switching the
"in both the parameter and the split delimiter to some other character such as:produces the correct result.The concrete example that provided the impetus for this bug report was due to #13074 which modified custom resources to accept their Create/Update/Delete parameters as JSON-encoded strings. Previously, we were using a CfnWaitCondition to allow the deployer to manually create a WorkDocs site in the middle of stack deployment (since there is no API or CFN resource to do so). Then, the response sent to CloudFormation to signal successful creation was used in other WorkDocs resources (such as users and folders) to both populate the site organization ID, as well as set an implicit CloudFormation dependency on the creation of the site. Because the signal is presented to the template as a JSON object (see the very bottom of this documentation page), some string parsing within the template was necessary to grab the ID from the response. We simply used the Split and Select intrinsics to separate the data into a list of strings and get the ID. The templates that are synthesized before and after #13074 show how the delimiter is escaped from
"\"to"\\\"", while the value cannot be similarly escaped since it itself is an intrinsic. The CfnWaitCondition logical ID isActiveDirectoryWorkDocs8BACF9E0, and an example of the value returned from{Fn::GetAtt: ["ActiveDirectoryWorkDocs8BACF9E0", "Data"]}is{"UniqueId123":"d-83630ac3db"}Before:
After:
This is :bug: Bug Report