@znemz/cfn-include 2.1.10 → 2.1.12

package/README.md

@@ -1201,6 +1201,83 @@ If an AWS pseudo-parameter is not set via environment variables, it falls back t
 **Error handling:**
 If a reference cannot be resolved, `Fn::RefNow` will throw an error. Ensure all referenced parameters and variables are available via inject, scope, or environment variables.
 
+**Resolving LogicalResourceIds:**
+
+`Fn::RefNow` can also resolve references to CloudFormation Resource LogicalResourceIds, enabling you to construct ARNs or other resource-specific values during template preprocessing. When a reference matches a LogicalResourceId in the Resources section, `Fn::RefNow` will automatically generate the appropriate ARN based on the resource type and properties.
+
+**Supported Resource Types for ARN/Name Resolution:**
+
+- `AWS::IAM::ManagedPolicy` - Returns policy ARN (supports Path)
+- `AWS::IAM::Role` - Returns role ARN (supports Path)
+- `AWS::IAM::InstanceProfile` - Returns instance profile ARN (supports Path)
+- `AWS::S3::Bucket` - Returns bucket ARN
+- `AWS::Lambda::Function` - Returns function ARN
+- `AWS::SQS::Queue` - Returns queue ARN
+- `AWS::SNS::Topic` - Returns topic ARN
+- `AWS::DynamoDB::Table` - Returns table ARN
+- `AWS::RDS::DBInstance` - Returns DB instance ARN
+- `AWS::SecretsManager::Secret` - Returns secret ARN
+- `AWS::KMS::Key` - Returns key ARN
+
+Example with AWS::IAM::ManagedPolicy:
+
+```yaml
+Resources:
+  ObjPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: teststack-CreateTestDBPolicy-16M23YE3CS700
+      Path: /CRAP/
+
+  IAMRole:
+    Type: AWS::IAM::Role
+    Properties:
+      ManagedPolicyArns:
+        - Fn::RefNow: ObjPolicy  # Resolves to: arn:aws:iam::${AWS_ACCOUNT_ID}:policy/CRAP/teststack-CreateTestDBPolicy-16M23YE3CS700
+```
+
+**Returning Resource Names Instead of ARNs:**
+
+By default, `Fn::RefNow` returns the ARN for supported resource types. However, if the key name ends with `Name` (e.g., `RoleName`, `BucketName`, `FunctionName`), it automatically returns the resource name/identifier instead:
+
+```yaml
+Resources:
+  MyRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: MyExecutionRole
+
+  RoleArn:
+    Fn::RefNow: MyRole  # Returns: arn:aws:iam::${AWS_ACCOUNT_ID}:role/MyExecutionRole
+
+  RoleName:
+    Fn::RefNow: MyRole  # Returns: MyExecutionRole (because key ends with "Name")
+```
+
+This intuitive approach makes templates more readable and follows natural CloudFormation naming conventions.
+
+**CLI Options for Fn::RefNow:**
+
+The `cfn-include` command provides CLI options to control how unresolved references are handled:
+
+- `--ref-now-ignore-missing`: Do not fail if a `Fn::RefNow` reference cannot be resolved. Instead, the reference will be returned in AWS CloudFormation's standard `Ref` syntax (e.g., `{ Ref: 'UnresolvedRef' }`), allowing CloudFormation to resolve it at stack creation time.
+- `--ref-now-ignores <names>`: Comma-separated list of reference names to ignore if not found. These references will be returned in `Ref` syntax instead of throwing an error.
+
+**Example usage:**
+
+```bash
+# Ignore all unresolved references
+cfn-include template.yaml --ref-now-ignore-missing
+
+# Ignore specific reference names
+cfn-include template.yaml --ref-now-ignores "OptionalRef1,OptionalRef2"
+
+# Combine both options
+cfn-include template.yaml --ref-now-ignore-missing --ref-now-ignores "SpecificRef"
+```
+
+This is useful for templates that reference CloudFormation parameters or other resources that may not be available at template processing time but will be available at stack creation time.
+
 ## Fn::ApplyTags
 
 See [ApplyTags test file](t/tests/applyTags.yml).

package/bin/cli.js

@@ -88,6 +88,14 @@ const { env } = process;
        
       desc: `console log out include options in recurse step`,
     },
+    'ref-now-ignore-missing': {
+      boolean: true,
+      desc: 'do not fail if Fn::RefNow reference cannot be resolved',
+    },
+    'ref-now-ignores': {
+      string: true,
+      desc: 'comma-separated list of reference names to ignore if not found',
+    },
     version: {
       boolean: true,
       desc: 'print version and exit',
@@ -102,6 +110,9 @@ const { env } = process;
 // make enable an array
 opts.enable = opts.enable.split(',');
 
+// Parse ref-now-ignores into an array
+const refNowIgnores = opts['ref-now-ignores'] ? opts['ref-now-ignores'].split(',').map(s => s.trim()) : [];
+
 let promise;
 if (opts.path) {
   let location;
@@ -115,6 +126,8 @@ if (opts.path) {
     doEval: opts.enable.includes('eval'),
     inject: opts.inject,
     doLog: opts.doLog,
+    refNowIgnoreMissing: opts['ref-now-ignore-missing'],
+    refNowIgnores: refNowIgnores,
   });
 } else {
   promise = new Promise((resolve, reject) => {
@@ -142,6 +155,8 @@ if (opts.path) {
       doEval: opts.enable.includes('eval'),
       inject: opts.inject,
       doLog: opts.doLog,
+      refNowIgnoreMissing: opts['ref-now-ignore-missing'],
+      refNowIgnores: refNowIgnores,
     }).catch((err) => console.error(err));
   });
 }

package/index.js

@@ -59,7 +59,9 @@ module.exports = async function (options) {
   template = _.isUndefined(template)
     ? fnInclude({ base, scope, cft: options.url, ...options })
     : template;
-  return recurse({ base, scope, cft: template, ...options });
+  // Resolve template if it's a promise to extract the root template for reference lookups
+  const resolvedTemplate = await Promise.resolve(template);
+  return recurse({ base, scope, cft: resolvedTemplate, rootTemplate: resolvedTemplate, ...options });
 };
 
 /**
@@ -102,6 +104,164 @@ function getAwsPseudoParameters() {
   };
 }
 
+/**
+ * Build an ARN for a CloudFormation resource based on its Type and Properties
+ * Supports both ARN construction and property name resolution
+ * @param {string} resourceType - The CloudFormation resource type (e.g., 'AWS::IAM::ManagedPolicy')
+ * @param {object} properties - The resource properties
+ * @param {object} pseudoParams - AWS pseudo-parameters including AccountId, Region
+ * @param {object} options - Optional configuration
+ * @param {string} options.returnType - 'arn' (default) or 'name' to return the resource name/identifier
+ * @returns {string|null} - The ARN, name, or null if not applicable
+ */
+function buildResourceArn(resourceType, properties = {}, pseudoParams = {}, options = {}) {
+  const accountId = pseudoParams['AWS::AccountId'] || '${AWS::AccountId}';
+  const region = pseudoParams['AWS::Region'] || '${AWS::Region}';
+  const partition = pseudoParams['AWS::Partition'] || 'aws';
+  const returnType = options.returnType || 'arn';
+
+  // Handle AWS::IAM::ManagedPolicy
+  if (resourceType === 'AWS::IAM::ManagedPolicy') {
+    const { ManagedPolicyName, Path } = properties;
+    if (ManagedPolicyName) {
+      if (returnType === 'name') {
+        return ManagedPolicyName;
+      }
+      const path = Path || '/';
+      return `arn:${partition}:iam::${accountId}:policy${path}${ManagedPolicyName}`;
+    }
+  }
+
+  // Handle AWS::IAM::Role
+  if (resourceType === 'AWS::IAM::Role') {
+    const { RoleName, Path } = properties;
+    if (RoleName) {
+      if (returnType === 'name') {
+        return RoleName;
+      }
+      const path = Path || '/';
+      return `arn:${partition}:iam::${accountId}:role${path}${RoleName}`;
+    }
+  }
+
+  // Handle AWS::S3::Bucket
+  if (resourceType === 'AWS::S3::Bucket') {
+    const { BucketName } = properties;
+    if (BucketName) {
+      if (returnType === 'name') {
+        return BucketName;
+      }
+      return `arn:${partition}:s3:::${BucketName}`;
+    }
+  }
+
+  // Handle AWS::Lambda::Function
+  if (resourceType === 'AWS::Lambda::Function') {
+    const { FunctionName } = properties;
+    if (FunctionName) {
+      if (returnType === 'name') {
+        return FunctionName;
+      }
+      return `arn:${partition}:lambda:${region}:${accountId}:function:${FunctionName}`;
+    }
+  }
+
+  // Handle AWS::SQS::Queue
+  if (resourceType === 'AWS::SQS::Queue') {
+    const { QueueName } = properties;
+    if (QueueName) {
+      if (returnType === 'name') {
+        return QueueName;
+      }
+      return `arn:${partition}:sqs:${region}:${accountId}:${QueueName}`;
+    }
+  }
+
+  // Handle AWS::SNS::Topic
+  if (resourceType === 'AWS::SNS::Topic') {
+    const { TopicName } = properties;
+    if (TopicName) {
+      if (returnType === 'name') {
+        return TopicName;
+      }
+      return `arn:${partition}:sns:${region}:${accountId}:${TopicName}`;
+    }
+  }
+
+  // Handle AWS::DynamoDB::Table
+  if (resourceType === 'AWS::DynamoDB::Table') {
+    const { TableName } = properties;
+    if (TableName) {
+      if (returnType === 'name') {
+        return TableName;
+      }
+      return `arn:${partition}:dynamodb:${region}:${accountId}:table/${TableName}`;
+    }
+  }
+
+  // Handle AWS::RDS::DBInstance
+  if (resourceType === 'AWS::RDS::DBInstance') {
+    const { DBInstanceIdentifier } = properties;
+    if (DBInstanceIdentifier) {
+      if (returnType === 'name') {
+        return DBInstanceIdentifier;
+      }
+      return `arn:${partition}:rds:${region}:${accountId}:db:${DBInstanceIdentifier}`;
+    }
+  }
+
+  // Handle AWS::EC2::SecurityGroup
+  if (resourceType === 'AWS::EC2::SecurityGroup') {
+    const { GroupName } = properties;
+    if (GroupName) {
+      if (returnType === 'name') {
+        return GroupName;
+      }
+      // Security groups need to be referenced by ID in most cases, not ARN
+      // This returns the name for reference purposes
+      return GroupName;
+    }
+  }
+
+  // Handle AWS::IAM::InstanceProfile
+  if (resourceType === 'AWS::IAM::InstanceProfile') {
+    const { InstanceProfileName, Path } = properties;
+    if (InstanceProfileName) {
+      if (returnType === 'name') {
+        return InstanceProfileName;
+      }
+      const path = Path || '/';
+      return `arn:${partition}:iam::${accountId}:instance-profile${path}${InstanceProfileName}`;
+    }
+  }
+
+  // Handle AWS::KMS::Key
+  if (resourceType === 'AWS::KMS::Key') {
+    // KMS keys are referenced by KeyId or KeyArn in properties
+    const { KeyId } = properties;
+    if (KeyId) {
+      if (returnType === 'name') {
+        return KeyId;
+      }
+      return `arn:${partition}:kms:${region}:${accountId}:key/${KeyId}`;
+    }
+  }
+
+  // Handle AWS::SecretsManager::Secret
+  if (resourceType === 'AWS::SecretsManager::Secret') {
+    const { Name } = properties;
+    if (Name) {
+      if (returnType === 'name') {
+        return Name;
+      }
+      return `arn:${partition}:secretsmanager:${region}:${accountId}:secret:${Name}`;
+    }
+  }
+
+  // Add more resource types as needed
+  return null;
+}
+
 async function recurse({ base, scope, cft, ...opts }) {
   if (opts.doLog) {
 
@@ -481,8 +641,22 @@ async function recurse({ base, scope, cft, ...opts }) {
       });
     }
     if (cft['Fn::RefNow']) {
-      return recurse({ base, scope, cft: cft['Fn::RefNow'], ...opts }).then((logicalName) => {
-        let refName = logicalName;
+      // Handle both simple string and object format for Fn::RefNow
+      // e.g., Fn::RefNow: "MyRole" or Fn::RefNow: { Ref: "MyRole" }
+      return recurse({ base, scope, cft: cft['Fn::RefNow'], ...opts }).then((refInput) => {
+        let refName = refInput;
+        let refOptions = {};
+
+        // Parse the input - could be string or object
+        if (_.isPlainObject(refInput)) {
+          refName = refInput.Ref || refInput.ref;
+          refOptions = _.omit(refInput, ['Ref', 'ref']);
+        }
+
+        // Check if this ref name is in the ignores list
+        if (opts.refNowIgnores && opts.refNowIgnores.includes(refName)) {
+          return { Ref: refName };
+        }
 
         // Merge AWS pseudo-parameters with inject and scope variables
         const allRefs = {
@@ -497,7 +671,42 @@ async function recurse({ base, scope, cft, ...opts }) {
           return allRefs[refName];
         }
 
-        // If not found, throw an error
+        // Check if this is a LogicalResourceId in the Resources section
+        if (opts.rootTemplate && _.isPlainObject(opts.rootTemplate)) {
+          const resources = opts.rootTemplate.Resources || {};
+          if (refName in resources) {
+            const resource = resources[refName];
+            const resourceType = resource.Type;
+            const properties = resource.Properties || {};
+            
+            // Determine return type based on key name
+            // If the key ends with "Name" (e.g., RoleName, BucketName), return name/identifier
+            // Otherwise return ARN (default)
+            let returnType = 'arn';
+            if (opts.key && opts.key.endsWith('Name')) {
+              returnType = 'name';
+            }
+            
+            // Try to build an ARN or name for this resource
+            // Merge ref options with global options (ref options take precedence)
+            const resourceOptions = { 
+              returnType,
+              ...opts.refNowReturnType ? { returnType: opts.refNowReturnType } : {},
+              ...refOptions,
+            };
+            const result = buildResourceArn(resourceType, properties, allRefs, resourceOptions);
+            if (result) {
+              return result;
+            }
+          }
+        }
+
+        // If not found and refNowIgnoreMissing is true, return Ref syntax; otherwise throw error
+        if (opts.refNowIgnoreMissing) {
+          return { Ref: refName };
+        }
+
+        // Default behavior: throw an error (backward compatible)
         throw new Error(`Unable to resolve Ref for logical name: ${refName}`);
       });
     }
@@ -528,7 +737,7 @@ async function recurse({ base, scope, cft, ...opts }) {
     }
 
     return Promise.props(
-      _.mapValues(cft, (template) => recurse({ base, scope, cft: template, ...opts })),
+      _.mapValues(cft, (template, key) => recurse({ base, scope, cft: template, key, ...opts })),
     );
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@znemz/cfn-include",
-  "version": "2.1.10",
+  "version": "2.1.12",
   "description": "Preprocessor for CloudFormation templates with support for loops and flexible include statements",
   "keywords": [
     "aws",