npm - @znemz/cfn-include - Versions diffs - 2.1.11 → 2.1.12 - Mend

@znemz/cfn-include 2.1.11 → 2.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -1201,6 +1201,61 @@ If an AWS pseudo-parameter is not set via environment variables, it falls back t
 **Error handling:**
 If a reference cannot be resolved, `Fn::RefNow` will throw an error. Ensure all referenced parameters and variables are available via inject, scope, or environment variables.
+**Resolving LogicalResourceIds:**
+`Fn::RefNow` can also resolve references to CloudFormation Resource LogicalResourceIds, enabling you to construct ARNs or other resource-specific values during template preprocessing. When a reference matches a LogicalResourceId in the Resources section, `Fn::RefNow` will automatically generate the appropriate ARN based on the resource type and properties.
+**Supported Resource Types for ARN/Name Resolution:**
+- `AWS::IAM::ManagedPolicy` - Returns policy ARN (supports Path)
+- `AWS::IAM::Role` - Returns role ARN (supports Path)
+- `AWS::IAM::InstanceProfile` - Returns instance profile ARN (supports Path)
+- `AWS::S3::Bucket` - Returns bucket ARN
+- `AWS::Lambda::Function` - Returns function ARN
+- `AWS::SQS::Queue` - Returns queue ARN
+- `AWS::SNS::Topic` - Returns topic ARN
+- `AWS::DynamoDB::Table` - Returns table ARN
+- `AWS::RDS::DBInstance` - Returns DB instance ARN
+- `AWS::SecretsManager::Secret` - Returns secret ARN
+- `AWS::KMS::Key` - Returns key ARN
+Example with AWS::IAM::ManagedPolicy:
+```yaml
+Resources:
+  ObjPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: teststack-CreateTestDBPolicy-16M23YE3CS700
+      Path: /CRAP/
+  IAMRole:
+    Type: AWS::IAM::Role
+    Properties:
+      ManagedPolicyArns:
+        - Fn::RefNow: ObjPolicy  # Resolves to: arn:aws:iam::${AWS_ACCOUNT_ID}:policy/CRAP/teststack-CreateTestDBPolicy-16M23YE3CS700
+```
+**Returning Resource Names Instead of ARNs:**
+By default, `Fn::RefNow` returns the ARN for supported resource types. However, if the key name ends with `Name` (e.g., `RoleName`, `BucketName`, `FunctionName`), it automatically returns the resource name/identifier instead:
+```yaml
+Resources:
+  MyRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: MyExecutionRole
+  RoleArn:
+    Fn::RefNow: MyRole  # Returns: arn:aws:iam::${AWS_ACCOUNT_ID}:role/MyExecutionRole
+  RoleName:
+    Fn::RefNow: MyRole  # Returns: MyExecutionRole (because key ends with "Name")
+```
+This intuitive approach makes templates more readable and follows natural CloudFormation naming conventions.
 **CLI Options for Fn::RefNow:**
 The `cfn-include` command provides CLI options to control how unresolved references are handled:

package/index.js CHANGED Viewed

@@ -59,7 +59,9 @@ module.exports = async function (options) {
   template = _.isUndefined(template)
     ? fnInclude({ base, scope, cft: options.url, ...options })
     : template;
-  return recurse({ base, scope, cft: template, ...options });
+  // Resolve template if it's a promise to extract the root template for reference lookups
+  const resolvedTemplate = await Promise.resolve(template);
+  return recurse({ base, scope, cft: resolvedTemplate, rootTemplate: resolvedTemplate, ...options });
 };
 /**
@@ -102,6 +104,164 @@ function getAwsPseudoParameters() {
   };
 }
+/**
+ * Build an ARN for a CloudFormation resource based on its Type and Properties
+ * Supports both ARN construction and property name resolution
+ * @param {string} resourceType - The CloudFormation resource type (e.g., 'AWS::IAM::ManagedPolicy')
+ * @param {object} properties - The resource properties
+ * @param {object} pseudoParams - AWS pseudo-parameters including AccountId, Region
+ * @param {object} options - Optional configuration
+ * @param {string} options.returnType - 'arn' (default) or 'name' to return the resource name/identifier
+ * @returns {string|null} - The ARN, name, or null if not applicable
+ */
+function buildResourceArn(resourceType, properties = {}, pseudoParams = {}, options = {}) {
+  const accountId = pseudoParams['AWS::AccountId'] || '${AWS::AccountId}';
+  const region = pseudoParams['AWS::Region'] || '${AWS::Region}';
+  const partition = pseudoParams['AWS::Partition'] || 'aws';
+  const returnType = options.returnType || 'arn';
+  // Handle AWS::IAM::ManagedPolicy
+  if (resourceType === 'AWS::IAM::ManagedPolicy') {
+    const { ManagedPolicyName, Path } = properties;
+    if (ManagedPolicyName) {
+      if (returnType === 'name') {
+        return ManagedPolicyName;
+      }
+      const path = Path || '/';
+      return `arn:${partition}:iam::${accountId}:policy${path}${ManagedPolicyName}`;
+    }
+  }
+  // Handle AWS::IAM::Role
+  if (resourceType === 'AWS::IAM::Role') {
+    const { RoleName, Path } = properties;
+    if (RoleName) {
+      if (returnType === 'name') {
+        return RoleName;
+      }
+      const path = Path || '/';
+      return `arn:${partition}:iam::${accountId}:role${path}${RoleName}`;
+    }
+  }
+  // Handle AWS::S3::Bucket
+  if (resourceType === 'AWS::S3::Bucket') {
+    const { BucketName } = properties;
+    if (BucketName) {
+      if (returnType === 'name') {
+        return BucketName;
+      }
+      return `arn:${partition}:s3:::${BucketName}`;
+    }
+  }
+  // Handle AWS::Lambda::Function
+  if (resourceType === 'AWS::Lambda::Function') {
+    const { FunctionName } = properties;
+    if (FunctionName) {
+      if (returnType === 'name') {
+        return FunctionName;
+      }
+      return `arn:${partition}:lambda:${region}:${accountId}:function:${FunctionName}`;
+    }
+  }
+  // Handle AWS::SQS::Queue
+  if (resourceType === 'AWS::SQS::Queue') {
+    const { QueueName } = properties;
+    if (QueueName) {
+      if (returnType === 'name') {
+        return QueueName;
+      }
+      return `arn:${partition}:sqs:${region}:${accountId}:${QueueName}`;
+    }
+  }
+  // Handle AWS::SNS::Topic
+  if (resourceType === 'AWS::SNS::Topic') {
+    const { TopicName } = properties;
+    if (TopicName) {
+      if (returnType === 'name') {
+        return TopicName;
+      }
+      return `arn:${partition}:sns:${region}:${accountId}:${TopicName}`;
+    }
+  }
+  // Handle AWS::DynamoDB::Table
+  if (resourceType === 'AWS::DynamoDB::Table') {
+    const { TableName } = properties;
+    if (TableName) {
+      if (returnType === 'name') {
+        return TableName;
+      }
+      return `arn:${partition}:dynamodb:${region}:${accountId}:table/${TableName}`;
+    }
+  }
+  // Handle AWS::RDS::DBInstance
+  if (resourceType === 'AWS::RDS::DBInstance') {
+    const { DBInstanceIdentifier } = properties;
+    if (DBInstanceIdentifier) {
+      if (returnType === 'name') {
+        return DBInstanceIdentifier;
+      }
+      return `arn:${partition}:rds:${region}:${accountId}:db:${DBInstanceIdentifier}`;
+    }
+  }
+  // Handle AWS::EC2::SecurityGroup
+  if (resourceType === 'AWS::EC2::SecurityGroup') {
+    const { GroupName } = properties;
+    if (GroupName) {
+      if (returnType === 'name') {
+        return GroupName;
+      }
+      // Security groups need to be referenced by ID in most cases, not ARN
+      // This returns the name for reference purposes
+      return GroupName;
+    }
+  }
+  // Handle AWS::IAM::InstanceProfile
+  if (resourceType === 'AWS::IAM::InstanceProfile') {
+    const { InstanceProfileName, Path } = properties;
+    if (InstanceProfileName) {
+      if (returnType === 'name') {
+        return InstanceProfileName;
+      }
+      const path = Path || '/';
+      return `arn:${partition}:iam::${accountId}:instance-profile${path}${InstanceProfileName}`;
+    }
+  }
+  // Handle AWS::KMS::Key
+  if (resourceType === 'AWS::KMS::Key') {
+    // KMS keys are referenced by KeyId or KeyArn in properties
+    const { KeyId } = properties;
+    if (KeyId) {
+      if (returnType === 'name') {
+        return KeyId;
+      }
+      return `arn:${partition}:kms:${region}:${accountId}:key/${KeyId}`;
+    }
+  }
+  // Handle AWS::SecretsManager::Secret
+  if (resourceType === 'AWS::SecretsManager::Secret') {
+    const { Name } = properties;
+    if (Name) {
+      if (returnType === 'name') {
+        return Name;
+      }
+      return `arn:${partition}:secretsmanager:${region}:${accountId}:secret:${Name}`;
+    }
+  }
+  // Add more resource types as needed
+  return null;
+}
 async function recurse({ base, scope, cft, ...opts }) {
   if (opts.doLog) {
@@ -481,8 +641,17 @@ async function recurse({ base, scope, cft, ...opts }) {
       });
     }
     if (cft['Fn::RefNow']) {
-      return recurse({ base, scope, cft: cft['Fn::RefNow'], ...opts }).then((logicalName) => {
-        let refName = logicalName;
+      // Handle both simple string and object format for Fn::RefNow
+      // e.g., Fn::RefNow: "MyRole" or Fn::RefNow: { Ref: "MyRole" }
+      return recurse({ base, scope, cft: cft['Fn::RefNow'], ...opts }).then((refInput) => {
+        let refName = refInput;
+        let refOptions = {};
+        // Parse the input - could be string or object
+        if (_.isPlainObject(refInput)) {
+          refName = refInput.Ref || refInput.ref;
+          refOptions = _.omit(refInput, ['Ref', 'ref']);
+        }
         // Check if this ref name is in the ignores list
         if (opts.refNowIgnores && opts.refNowIgnores.includes(refName)) {
@@ -502,6 +671,36 @@ async function recurse({ base, scope, cft, ...opts }) {
           return allRefs[refName];
         }
+        // Check if this is a LogicalResourceId in the Resources section
+        if (opts.rootTemplate && _.isPlainObject(opts.rootTemplate)) {
+          const resources = opts.rootTemplate.Resources || {};
+          if (refName in resources) {
+            const resource = resources[refName];
+            const resourceType = resource.Type;
+            const properties = resource.Properties || {};
+            // Determine return type based on key name
+            // If the key ends with "Name" (e.g., RoleName, BucketName), return name/identifier
+            // Otherwise return ARN (default)
+            let returnType = 'arn';
+            if (opts.key && opts.key.endsWith('Name')) {
+              returnType = 'name';
+            }
+            // Try to build an ARN or name for this resource
+            // Merge ref options with global options (ref options take precedence)
+            const resourceOptions = {
+              returnType,
+              ...opts.refNowReturnType ? { returnType: opts.refNowReturnType } : {},
+              ...refOptions,
+            };
+            const result = buildResourceArn(resourceType, properties, allRefs, resourceOptions);
+            if (result) {
+              return result;
+            }
+          }
+        }
         // If not found and refNowIgnoreMissing is true, return Ref syntax; otherwise throw error
         if (opts.refNowIgnoreMissing) {
           return { Ref: refName };
@@ -538,7 +737,7 @@ async function recurse({ base, scope, cft, ...opts }) {
     }
     return Promise.props(
-      _.mapValues(cft, (template) => recurse({ base, scope, cft: template, ...opts })),
+      _.mapValues(cft, (template, key) => recurse({ base, scope, cft: template, key, ...opts })),
     );
   }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@znemz/cfn-include",
-  "version": "2.1.11",
+  "version": "2.1.12",
   "description": "Preprocessor for CloudFormation templates with support for loops and flexible include statements",
   "keywords": [
     "aws",