localstack-core 4.7.1.dev139__py3-none-any.whl → 4.10.1.dev42__py3-none-any.whl

localstack/services/apigateway/next_gen/execute_api/integrations/http.py

@@ -8,7 +8,7 @@ from werkzeug.datastructures import Headers
 from localstack.aws.api.apigateway import Integration
 
 from ..context import EndpointResponse, IntegrationRequest, RestApiInvocationContext
-from ..gateway_response import ApiConfigurationError, IntegrationFailureError
+from ..gateway_response import ApiConfigurationError, IntegrationFailureError, InternalServerError
 from ..header_utils import build_multi_value_headers
 from .core import RestApiIntegration
 
@@ -72,7 +72,7 @@ class RestApiHttpIntegration(BaseRestApiHttpIntegration):
         except (requests.exceptions.InvalidURL, requests.exceptions.InvalidSchema) as e:
             LOG.warning("Execution failed due to configuration error: Invalid endpoint address")
             LOG.debug("The URI specified for the HTTP/HTTP_PROXY integration is invalid: %s", uri)
-            raise ApiConfigurationError("Internal server error") from e
+            raise InternalServerError("Internal server error") from e
 
         except (requests.exceptions.Timeout, requests.exceptions.SSLError) as e:
             # TODO make the exception catching more fine grained
@@ -127,7 +127,7 @@ class RestApiHttpProxyIntegration(BaseRestApiHttpIntegration):
         except (requests.exceptions.InvalidURL, requests.exceptions.InvalidSchema) as e:
             LOG.warning("Execution failed due to configuration error: Invalid endpoint address")
             LOG.debug("The URI specified for the HTTP/HTTP_PROXY integration is invalid: %s", uri)
-            raise ApiConfigurationError("Internal server error") from e
+            raise InternalServerError("Internal server error") from e
 
         except (requests.exceptions.Timeout, requests.exceptions.SSLError):
             # TODO make the exception catching more fine grained

localstack/services/apigateway/next_gen/execute_api/test_invoke.py

@@ -62,6 +62,17 @@ TEST_INVOKE_TEMPLATE_MOCK = """Execution log for request {request_id}
 {formatted_date} : Method completed with status: {method_response_status}
 """
 
+TEST_INVOKE_TEMPLATE_FAILED = """Execution log for request {request_id}
+{formatted_date} : Starting execution for request: {request_id}
+{formatted_date} : HTTP Method: {request_method}, Resource Path: {resource_path}
+{formatted_date} : Method request path: {method_request_path_parameters}
+{formatted_date} : Method request query string: {method_request_query_string}
+{formatted_date} : Method request headers: {method_request_headers}
+{formatted_date} : Method request body before transformations: {method_request_body}
+{formatted_date} : Execution failed due to {error_type}: {error_message}
+{formatted_date} : Method completed with status: {method_response_status}
+"""
+
 
 def _dump_headers(headers: Headers) -> str:
     if not headers:
@@ -80,9 +91,9 @@ def log_template(invocation_context: RestApiInvocationContext, response_headers:
     formatted_date = datetime.datetime.now(tz=datetime.UTC).strftime("%a %b %d %H:%M:%S %Z %Y")
     request = invocation_context.invocation_request
     context_var = invocation_context.context_variables
-    integration_req = invocation_context.integration_request
-    endpoint_resp = invocation_context.endpoint_response
-    method_resp = invocation_context.invocation_response
+    integration_req = invocation_context.integration_request or {}
+    endpoint_resp = invocation_context.endpoint_response or {}
+    method_resp = invocation_context.invocation_response or {}
     # TODO: if endpoint_uri is an ARN, it means it's an AWS_PROXY integration
     #  this should be transformed to the true URL of a lambda invoke call
     endpoint_uri = integration_req.get("uri", "")
@@ -116,7 +127,7 @@ def log_mock_template(
     formatted_date = datetime.datetime.now(tz=datetime.UTC).strftime("%a %b %d %H:%M:%S %Z %Y")
     request = invocation_context.invocation_request
     context_var = invocation_context.context_variables
-    method_resp = invocation_context.invocation_response
+    method_resp = invocation_context.invocation_response or {}
 
     return TEST_INVOKE_TEMPLATE_MOCK.format(
         formatted_date=formatted_date,
@@ -133,6 +144,29 @@ def log_mock_template(
     )
 
 
+def log_failed_template(
+    invocation_context: RestApiInvocationContext, response_status_code: int
+) -> str:
+    formatted_date = datetime.datetime.now(tz=datetime.UTC).strftime("%a %b %d %H:%M:%S %Z %Y")
+    request = invocation_context.invocation_request
+    context_var = invocation_context.context_variables
+
+    return TEST_INVOKE_TEMPLATE_FAILED.format(
+        formatted_date=formatted_date,
+        request_id=context_var["requestId"],
+        resource_path=request["path"],
+        request_method=request["http_method"],
+        method_request_path_parameters=dict_to_string(request["path_parameters"]),
+        method_request_query_string=dict_to_string(request["query_string_parameters"]),
+        method_request_headers=_dump_headers(request.get("headers")),
+        method_request_body=to_str(request.get("body", "")),
+        method_response_status=response_status_code,
+        # TODO: fix the error message
+        error_type="",
+        error_message="",
+    )
+
+
 def create_test_chain() -> HandlerChain[RestApiInvocationContext]:
     return HandlerChain(
         request_handlers=[
@@ -216,7 +250,9 @@ def create_test_invocation_context(
         responseOverride=ContextVarsResponseOverride(header={}, status=0),
     )
     invocation_context.trace_id = parse_handler.populate_trace_id({})
-    resource_method = resource["resourceMethods"][http_method]
+    resource_method = (
+        resource["resourceMethods"].get(http_method) or resource["resourceMethods"]["ANY"]
+    )
     invocation_context.resource = resource
     invocation_context.resource_method = resource_method
     invocation_context.integration = resource_method["methodIntegration"]
@@ -256,7 +292,15 @@ def run_test_invocation(
     # AWS does not return the Content-Length for TestInvokeMethod
     response_headers.remove("Content-Length")
 
-    if is_mock_integration:
+    if not invocation_context.invocation_response:
+        # TODO: this is an heuristic to guess if we encounter an exception in the call
+        #  in the future, we should attach the exception to the context so we could act on it and properly
+        #  log as we go through the invocation, so that if we have an error we stop logging at the right moment
+        for header in ("Content-Type", "X-Amzn-Trace-Id"):
+            response_headers.remove(header)
+        log = log_failed_template(invocation_context, test_response.status_code)
+
+    elif is_mock_integration:
         # TODO: revisit how we're building the logs
         log = log_mock_template(invocation_context, response_headers)
     else:

localstack/services/apigateway/next_gen/provider.py

@@ -429,6 +429,11 @@ class ApigatewayNextGenProvider(ApigatewayProvider):
         if not resource:
             raise NotFoundException("Invalid Resource identifier specified")
 
+        resource_methods = resource.resource_methods
+
+        if request["httpMethod"] not in resource_methods and "ANY" not in resource_methods:
+            raise NotFoundException("Invalid Method identifier specified")
+
         # test httpMethod
 
         rest_api_container = get_rest_api_container(context, rest_api_id=rest_api_id)

localstack/services/apigateway/patches.py

@@ -5,7 +5,6 @@ import logging
 from moto.apigateway import models as apigateway_models
 from moto.apigateway.exceptions import (
     DeploymentNotFoundException,
-    NoIntegrationDefined,
     RestAPINotFound,
     StageStillActive,
 )
@@ -113,14 +112,6 @@ def apply_patches():
         )
         return result
 
-    # patch integration error responses
-    @patch(apigateway_models.Resource.get_integration)
-    def apigateway_models_resource_get_integration(fn, self, method_type):
-        resource_method = self.resource_methods.get(method_type, {})
-        if not resource_method.method_integration:
-            raise NoIntegrationDefined()
-        return resource_method.method_integration
-
     @patch(apigateway_models.RestAPI.to_dict)
     def apigateway_models_rest_api_to_dict(fn, self):
         resp = fn(self)

localstack/services/cloudformation/engine/entities.py

@@ -14,7 +14,13 @@ from localstack.services.cloudformation.engine.v2.change_set_model import (
 )
 from localstack.utils.aws import arns
 from localstack.utils.collections import select_attributes
-from localstack.utils.id_generator import ExistingIds, ResourceIdentifier, Tags, generate_short_uid
+from localstack.utils.id_generator import (
+    ExistingIds,
+    ResourceIdentifier,
+    Tags,
+    generate_short_uid,
+    generate_uid,
+)
 from localstack.utils.json import clone_safe
 from localstack.utils.objects import recurse_object
 from localstack.utils.strings import long_uid, short_uid
@@ -75,6 +81,11 @@ class StackIdentifier(ResourceIdentifier):
         return generate_short_uid(resource_identifier=self, existing_ids=existing_ids, tags=tags)
 
 
+class StackIdentifierV2(StackIdentifier):
+    def generate(self, existing_ids: ExistingIds = None, tags: Tags = None) -> str:
+        return generate_uid(resource_identifier=self, existing_ids=existing_ids, tags=tags)
+
+
 # TODO: remove metadata (flatten into individual fields)
 class Stack:
     change_sets: list["StackChangeSet"]

localstack/services/cloudformation/engine/v2/change_set_model.py

@@ -681,9 +681,6 @@ class ChangeSetModel:
             scope=arguments_scope, before_value=before_arguments, after_value=after_arguments
         )
 
-        if intrinsic_function == "Ref" and arguments.value == "AWS::NoValue":
-            arguments.value = Nothing
-
         if is_created(before=before_arguments, after=after_arguments):
             change_type = ChangeType.CREATED
         elif is_removed(before=before_arguments, after=after_arguments):

localstack/services/cloudformation/engine/v2/change_set_model_describer.py

@@ -20,6 +20,7 @@ from localstack.services.cloudformation.engine.v2.change_set_model_preproc impor
     PreprocResource,
 )
 from localstack.services.cloudformation.v2.entities import ChangeSet
+from localstack.utils.numbers import is_number
 
 CHANGESET_KNOWN_AFTER_APPLY: Final[str] = "{{changeSet:KNOWN_AFTER_APPLY}}"
 
@@ -96,6 +97,19 @@ class ChangeSetModelDescriber(ChangeSetModelPreproc):
 
         return value
 
+    def visit_node_intrinsic_function(self, node_intrinsic_function: NodeIntrinsicFunction):
+        """
+        Intrinsic function results are always strings when referring to the describe output
+        """
+        # TODO: what about other places?
+        # TODO: should this be put in the preproc?
+        delta = super().visit_node_intrinsic_function(node_intrinsic_function)
+        if is_number(delta.before):
+            delta.before = str(delta.before)
+        if is_number(delta.after):
+            delta.after = str(delta.after)
+        return delta
+
     def visit_node_intrinsic_function_fn_join(
         self, node_intrinsic_function: NodeIntrinsicFunction
     ) -> PreprocEntityDelta:

localstack/services/cloudformation/engine/v2/change_set_model_executor.py

@@ -1,5 +1,6 @@
 import copy
 import logging
+import os
 import re
 import uuid
 from collections.abc import Callable
@@ -105,14 +106,15 @@ class ChangeSetModelExecutor(ChangeSetModelPreproc):
         except Exception as e:
             failure_message = str(e)
 
+        is_deletion = self._change_set.stack.status == StackStatus.DELETE_IN_PROGRESS
         if self._deferred_actions:
-            if failure_message:
-                # TODO: differentiate between update and create
-                self._change_set.stack.set_stack_status(StackStatus.ROLLBACK_IN_PROGRESS)
-            else:
+            if not is_deletion:
                 # TODO: correct status
+                # TODO: differentiate between update and create
                 self._change_set.stack.set_stack_status(
-                    StackStatus.UPDATE_COMPLETE_CLEANUP_IN_PROGRESS
+                    StackStatus.ROLLBACK_IN_PROGRESS
+                    if failure_message
+                    else StackStatus.UPDATE_COMPLETE_CLEANUP_IN_PROGRESS
                 )
 
             # perform all deferred actions such as deletions. These must happen in reverse from their
@@ -122,7 +124,7 @@ class ChangeSetModelExecutor(ChangeSetModelPreproc):
                 LOG.debug("executing deferred action: '%s'", deferred.name)
                 deferred.action()
 
-        if failure_message:
+        if failure_message and not is_deletion:
             # TODO: differentiate between update and create
             self._change_set.stack.set_stack_status(StackStatus.ROLLBACK_COMPLETE)
 
@@ -515,14 +517,11 @@ class ChangeSetModelExecutor(ChangeSetModelPreproc):
                 resource_type,
                 f'No resource provider found for "{resource_type}"',
             )
-            LOG.warning(
-                "Deployment of resource type %s successful due to config CFN_IGNORE_UNSUPPORTED_RESOURCE_TYPES",
-                resource_type,
-            )
-            LOG.warning(
-                "Deployment of resource type %s will fail in upcoming LocalStack releases unless CFN_IGNORE_UNSUPPORTED_RESOURCE_TYPES is explicitly enabled.",
-                resource_type,
-            )
+            if "CFN_IGNORE_UNSUPPORTED_RESOURCE_TYPES" not in os.environ:
+                LOG.warning(
+                    "Deployment of resource type %s succeeded, but will fail in upcoming LocalStack releases unless CFN_IGNORE_UNSUPPORTED_RESOURCE_TYPES is explicitly enabled.",
+                    resource_type,
+                )
             event = ProgressEvent(
                 OperationStatus.SUCCESS,
                 resource_model={},
@@ -577,7 +576,6 @@ class ChangeSetModelExecutor(ChangeSetModelPreproc):
                     )
                     # TODO: do we actually need this line?
                     resolved_resource.update(extra_resource_properties)
-
             case OperationStatus.FAILED:
                 reason = event.message
                 LOG.warning(

localstack/services/cloudformation/engine/v2/change_set_model_preproc.py

@@ -30,6 +30,7 @@ from localstack.services.cloudformation.engine.v2.change_set_model import (
     NodeProperties,
     NodeProperty,
     NodeResource,
+    NodeResources,
     NodeTemplate,
     Nothing,
     NothingType,
@@ -45,6 +46,7 @@ from localstack.services.cloudformation.engine.v2.change_set_model_visitor impor
     ChangeSetModelVisitor,
 )
 from localstack.services.cloudformation.engine.v2.resolving import (
+    REGEX_DYNAMIC_REF,
     extract_dynamic_reference,
     perform_dynamic_reference_lookup,
 )
@@ -55,6 +57,7 @@ from localstack.services.cloudformation.stores import (
 from localstack.services.cloudformation.v2.entities import ChangeSet
 from localstack.services.cloudformation.v2.types import ResolvedResource
 from localstack.utils.aws.arns import get_partition
+from localstack.utils.numbers import to_number
 from localstack.utils.objects import get_value_from_path
 from localstack.utils.run import to_str
 from localstack.utils.strings import to_bytes
@@ -224,6 +227,8 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
     def process(self) -> None:
         self._setup_runtime_cache()
         node_template = self._change_set.update_model.node_template
+        node_conditions = self._change_set.update_model.node_template.conditions
+        self.visit(node_conditions)
         self.visit(node_template)
         self._save_runtime_cache()
 
@@ -273,10 +278,10 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
         property_value: Any | None = get_value_from_path(properties, property_name)
 
         if property_value:
-            if not isinstance(property_value, (str, list)):
-                # TODO: is this correct? If there is a bug in the logic here, it's probably
-                #  better to know about it with a clear error message than to receive some form
-                #  of message about trying to use a dictionary in place of a string
+            if not isinstance(property_value, (str, list, dict)):
+                # Str: Standard expected type. TODO validate bools and numbers
+                # List: Multiple resource types can return a list of values e.g. AWS::EC2::VPC.
+                # Dict: Custom resources in CloudFormation can return arbitrary data structures.
                 raise RuntimeError(
                     f"Accessing property '{property_name}' from '{resource_logical_id}' resulted in a non-string value nor list"
                 )
@@ -432,6 +437,7 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
     def _perform_dynamic_replacements(self, value: _T) -> _T:
         if not isinstance(value, str):
             return value
+
         if dynamic_ref := extract_dynamic_reference(value):
             new_value = perform_dynamic_reference_lookup(
                 reference=dynamic_ref,
@@ -439,7 +445,11 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
                 region_name=self._change_set.region_name,
             )
             if new_value:
-                return new_value
+                # We need to use a function here, to avoid backslash processing by regex.
+                # From the regex sub documentation:
+                # repl can be a string or a function; if it is a string, any backslash escapes in it are processed.
+                # Using a function, we can avoid this processing.
+                return REGEX_DYNAMIC_REF.sub(lambda _: new_value, value)
 
         return value
 
@@ -559,13 +569,49 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
             arguments_list = arguments.split(".")
         else:
             arguments_list = arguments
+
+        if len(arguments_list) < 2:
+            raise ValidationError(
+                "Template error: every Fn::GetAtt object requires two non-empty parameters, the resource name and the resource attribute"
+            )
+
         logical_name_of_resource = arguments_list[0]
-        attribute_name = arguments_list[1]
+        attribute_name = ".".join(arguments_list[1:])
 
         node_resource = self._get_node_resource_for(
             resource_name=logical_name_of_resource,
             node_template=self._change_set.update_model.node_template,
         )
+
+        if not is_nothing(node_resource.condition_reference):
+            condition = self._get_node_condition_if_exists(node_resource.condition_reference.value)
+            evaluation_result = self._resolve_condition(condition.name)
+
+            if select_before and not evaluation_result.before:
+                raise ValidationError(
+                    f"Template format error: Unresolved resource dependencies [{logical_name_of_resource}] in the Resources block of the template"
+                )
+
+            if not select_before and not evaluation_result.after:
+                raise ValidationError(
+                    f"Template format error: Unresolved resource dependencies [{logical_name_of_resource}] in the Resources block of the template"
+                )
+
+        # Custom Resources can mutate their definition
+        # So the preproc should search first in the resource values and then check the template
+        if select_before:
+            value = self._before_deployed_property_value_of(
+                resource_logical_id=logical_name_of_resource,
+                property_name=attribute_name,
+            )
+        else:
+            value = self._after_deployed_property_value_of(
+                resource_logical_id=logical_name_of_resource,
+                property_name=attribute_name,
+            )
+        if value is not None:
+            return value
+
         node_property: NodeProperty | None = self._get_node_property_for(
             property_name=attribute_name, node_resource=node_resource
         )
@@ -573,19 +619,7 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
             # The property is statically defined in the template and its value can be computed.
             property_delta = self.visit(node_property)
             value = property_delta.before if select_before else property_delta.after
-        else:
-            # The property is not statically defined and must therefore be available in
-            # the properties deployed set.
-            if select_before:
-                value = self._before_deployed_property_value_of(
-                    resource_logical_id=logical_name_of_resource,
-                    property_name=attribute_name,
-                )
-            else:
-                value = self._after_deployed_property_value_of(
-                    resource_logical_id=logical_name_of_resource,
-                    property_name=attribute_name,
-                )
+
         return value
 
     def visit_node_intrinsic_function_fn_get_att(
@@ -614,6 +648,12 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
             return args[0] == args[1]
 
         arguments_delta = self.visit(node_intrinsic_function.arguments)
+
+        if isinstance(arguments_delta.after, list) and len(arguments_delta.after) != 2:
+            raise ValidationError(
+                "Template error: every Fn::Equals object requires a list of 2 string parameters."
+            )
+
         delta = self._cached_apply(
             scope=node_intrinsic_function.scope,
             arguments_delta=arguments_delta,
@@ -843,13 +883,27 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
     ):
         # TODO: add further support for schema validation
         def _compute_fn_select(args: list[Any]) -> Any:
-            values: list[Any] = args[1]
+            values = args[1]
+            # defer evaluation if the selection list contains unresolved elements (e.g., unresolved intrinsics)
+            if isinstance(values, list) and not all(isinstance(value, str) for value in values):
+                raise RuntimeError("Fn::Select list contains unresolved elements")
+
             if not isinstance(values, list) or not values:
-                raise RuntimeError(f"Invalid arguments list value for Fn::Select: '{values}'")
+                raise ValidationError(
+                    "Template error: Fn::Select requires a list argument with two elements: an integer index and a list"
+                )
+            try:
+                index: int = int(args[0])
+            except ValueError as e:
+                raise ValidationError(
+                    "Template error: Fn::Select requires a list argument with two elements: an integer index and a list"
+                ) from e
+
             values_len = len(values)
-            index: int = int(args[0])
-            if not isinstance(index, int) or index < 0 or index > values_len:
-                raise RuntimeError(f"Invalid or out of range index value for Fn::Select: '{index}'")
+            if index < 0 or index >= values_len:
+                raise ValidationError(
+                    "Template error: Fn::Select requires a list argument with two elements: an integer index and a list"
+                )
             selection = values[index]
             return selection
 
@@ -876,6 +930,17 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
             return split_string
 
         arguments_delta = self.visit(node_intrinsic_function.arguments)
+
+        if not (
+            is_nothing(arguments_delta.after)
+            or isinstance(arguments_delta.after, list)
+            and len(arguments_delta.after) == 2
+        ):
+            raise ValidationError(
+                "Template error: every Fn::Split object requires two parameters, "
+                "(1) a string delimiter and (2) a string to be split or a function that returns a string to be split."
+            )
+
         delta = self._cached_apply(
             scope=node_intrinsic_function.scope,
             arguments_delta=arguments_delta,
@@ -975,6 +1040,10 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
         return PreprocEntityDelta(before=before_parameters, after=after_parameters)
 
     def visit_node_parameter(self, node_parameter: NodeParameter) -> PreprocEntityDelta:
+        if not VALID_LOGICAL_RESOURCE_ID_RE.match(node_parameter.name):
+            raise ValidationError(
+                f"Template format error: Parameter name {node_parameter.name} is non alphanumeric."
+            )
         dynamic_value = node_parameter.dynamic_value
         dynamic_delta = self.visit(dynamic_value)
 
@@ -990,6 +1059,9 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
             match type_:
                 case "List<String>" | "CommaDelimitedList":
                     return [item.strip() for item in value.split(",")]
+                case "Number":
+                    # TODO: validate the parameter type at template parse time (or whatever is in parity with AWS) so we know this cannot fail
+                    return to_number(value)
             return value
 
         if not is_nothing(after):
@@ -1131,6 +1203,20 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
             after = after_delta.after
         return PreprocEntityDelta(before=before, after=after)
 
+    def visit_node_resources(self, node_resources: NodeResources):
+        """
+        Skip resources where they conditionally evaluate to False
+        """
+        for node_resource in node_resources.resources:
+            if not is_nothing(node_resource.condition_reference):
+                condition_delta = self._resolve_resource_condition_reference(
+                    node_resource.condition_reference
+                )
+                condition_after = condition_delta.after
+                if condition_after is False:
+                    continue
+            self.visit(node_resource)
+
     def visit_node_resource(
         self, node_resource: NodeResource
     ) -> PreprocEntityDelta[PreprocResource, PreprocResource]:
@@ -1241,6 +1327,14 @@ class ChangeSetModelPreproc(ChangeSetModelVisitor):
         before: list[PreprocOutput] = []
         after: list[PreprocOutput] = []
         for node_output in node_outputs.outputs:
+            if not is_nothing(node_output.condition_reference):
+                condition_delta = self._resolve_resource_condition_reference(
+                    node_output.condition_reference
+                )
+                condition_after = condition_delta.after
+                if condition_after is False:
+                    continue
+
             output_delta: PreprocEntityDelta[PreprocOutput, PreprocOutput] = self.visit(node_output)
             output_before = output_delta.before
             output_after = output_delta.after

localstack/services/cloudformation/engine/v2/change_set_model_transform.py

@@ -501,7 +501,10 @@ class ChangeSetModelTransform(ChangeSetModelPreproc):
     def visit_node_intrinsic_function_fn_get_att(
         self, node_intrinsic_function: NodeIntrinsicFunction
     ) -> PreprocEntityDelta:
-        return self.visit(node_intrinsic_function.arguments)
+        try:
+            return super().visit_node_intrinsic_function_fn_get_att(node_intrinsic_function)
+        except RuntimeError:
+            return self.visit(node_intrinsic_function.arguments)
 
     def visit_node_intrinsic_function_fn_sub(
         self, node_intrinsic_function: NodeIntrinsicFunction

localstack/services/cloudformation/engine/v2/change_set_model_validator.py

@@ -4,7 +4,6 @@ from typing import Any
 from botocore.exceptions import ParamValidationError
 
 from localstack.services.cloudformation.engine.v2.change_set_model import (
-    Maybe,
     NodeIntrinsicFunction,
     NodeProperty,
     NodeResource,
@@ -27,23 +26,15 @@ class ChangeSetModelValidator(ChangeSetModelPreproc):
     def visit_node_template(self, node_template: NodeTemplate):
         self.visit(node_template.mappings)
         self.visit(node_template.resources)
+        self.visit(node_template.parameters)
 
     def visit_node_intrinsic_function_fn_get_att(
         self, node_intrinsic_function: NodeIntrinsicFunction
     ) -> PreprocEntityDelta:
-        arguments_delta = self.visit(node_intrinsic_function.arguments)
-        before_arguments: Maybe[str | list[str]] = arguments_delta.before
-        after_arguments: Maybe[str | list[str]] = arguments_delta.after
-
-        before = self._before_cache.get(node_intrinsic_function.scope, Nothing)
-        if is_nothing(before) and not is_nothing(before_arguments):
-            before = ".".join(before_arguments)
-
-        after = self._after_cache.get(node_intrinsic_function.scope, Nothing)
-        if is_nothing(after) and not is_nothing(after_arguments):
-            after = ".".join(after_arguments)
-
-        return PreprocEntityDelta(before=before, after=after)
+        try:
+            return super().visit_node_intrinsic_function_fn_get_att(node_intrinsic_function)
+        except RuntimeError:
+            return self.visit(node_intrinsic_function.arguments)
 
     def visit_node_intrinsic_function_fn_sub(
         self, node_intrinsic_function: NodeIntrinsicFunction

localstack/services/cloudformation/engine/v2/change_set_model_visitor.py

@@ -54,6 +54,7 @@ class ChangeSetModelVisitor(abc.ABC):
         # entities (parameters, mappings, conditions, etc.). Then compute the output fields; computing
         # only the output fields would only result in the deployment logic of the referenced outputs
         # being evaluated, hence enforce the visiting of all the resources first.
+        self.visit(node_template.conditions)
         self.visit(node_template.resources)
         self.visit(node_template.outputs)
 

localstack/services/cloudformation/engine/v2/resolving.py

@@ -10,7 +10,9 @@ from localstack.aws.connect import connect_to
 
 LOG = logging.getLogger(__name__)
 
-REGEX_DYNAMIC_REF = re.compile(r"{{resolve:([^:]+):(.+)}}")
+# CloudFormation allows using dynamic references in `Fn::Sub` expressions, so we must make sure
+# we don't capture the parameter usage by excluding ${} characters
+REGEX_DYNAMIC_REF = re.compile(r"{{resolve:([^:]+):([^${}]+)}}")
 
 
 @dataclass
@@ -21,7 +23,7 @@ class DynamicReference:
 
 def extract_dynamic_reference(value: Any) -> DynamicReference | None:
     if isinstance(value, str):
-        if dynamic_ref_match := REGEX_DYNAMIC_REF.match(value):
+        if dynamic_ref_match := REGEX_DYNAMIC_REF.search(value):
             return DynamicReference(dynamic_ref_match[1], dynamic_ref_match[2])
     return None
 
@@ -90,9 +92,9 @@ def perform_dynamic_reference_lookup(
                 raise RuntimeError(
                     f"JSON value for {reference.service_name}.{reference.reference_key} not present"
                 )
-            return json_secret[json_key]
+            return str(json_secret[json_key])
         else:
-            return secret_value
+            return str(secret_value)
 
     LOG.warning(
         "Unsupported service for dynamic parameter: service_name=%s", reference.service_name

localstack/services/cloudformation/engine/yaml_parser.py

@@ -1,5 +1,7 @@
 import yaml
 
+from localstack.services.cloudformation.engine.validations import ValidationError
+
 
 def construct_raw(_, node):
     return node.value
@@ -60,5 +62,10 @@ customloader = NoDatesSafeLoader
 yaml.add_multi_constructor("!", shorthand_constructor, customloader)
 
 
-def parse_yaml(input_data: str):
-    return yaml.load(input_data, customloader)
+def parse_yaml(input_data: str) -> dict:
+    parsed = yaml.load(input_data, Loader=customloader)
+
+    if not isinstance(parsed, dict):
+        raise ValidationError("Template format error: unsupported structure.")
+
+    return parsed