CFn: handle resolving parameter names constructed in intrinsics (#13192)

simonrw · web-flow · commit 339ad5c63ebb · 2025-09-25T12:15:39.000-05:00
diff --git a/localstack-core/localstack/services/cloudformation/engine/v2/change_set_model_preproc.py b/localstack-core/localstack/services/cloudformation/engine/v2/change_set_model_preproc.py
@@ -45,6 +45,7 @@
     ChangeSetModelVisitor,
 )
 from localstack.services.cloudformation.engine.v2.resolving import (
+    REGEX_DYNAMIC_REF,
     extract_dynamic_reference,
     perform_dynamic_reference_lookup,
 )
@@ -432,14 +433,15 @@ def _maybe_perform_on_delta(
     def _perform_dynamic_replacements(self, value: _T) -> _T:
         if not isinstance(value, str):
             return value
+
         if dynamic_ref := extract_dynamic_reference(value):
             new_value = perform_dynamic_reference_lookup(
                 reference=dynamic_ref,
                 account_id=self._change_set.account_id,
                 region_name=self._change_set.region_name,
             )
             if new_value:
-                return new_value
+                return REGEX_DYNAMIC_REF.sub(new_value, value)
 
         return value
 
diff --git a/localstack-core/localstack/services/cloudformation/engine/v2/resolving.py b/localstack-core/localstack/services/cloudformation/engine/v2/resolving.py
@@ -10,7 +10,9 @@
 
 LOG = logging.getLogger(__name__)
 
-REGEX_DYNAMIC_REF = re.compile(r"{{resolve:([^:]+):(.+)}}")
+# CloudFormation allows using dynamic references in `Fn::Sub` expressions, so we must make sure
+# we don't capture the parameter usage by excluding ${} characters
+REGEX_DYNAMIC_REF = re.compile(r"{{resolve:([^:]+):([^${}]+)}}")
 
 
 @dataclass
@@ -21,7 +23,7 @@ class DynamicReference:
 
 def extract_dynamic_reference(value: Any) -> DynamicReference | None:
     if isinstance(value, str):
-        if dynamic_ref_match := REGEX_DYNAMIC_REF.match(value):
+        if dynamic_ref_match := REGEX_DYNAMIC_REF.search(value):
             return DynamicReference(dynamic_ref_match[1], dynamic_ref_match[2])
     return None
 
diff --git a/tests/aws/services/cloudformation/test_template_engine.py b/tests/aws/services/cloudformation/test_template_engine.py
@@ -349,20 +349,21 @@ def test_create_stack_with_ssm_parameters(
         )
 
     @markers.aws.validated
-    def test_resolve_ssm(self, create_parameter, deploy_cfn_template):
+    @skip_if_legacy_engine()
+    def test_resolve_ssm(self, create_parameter, deploy_cfn_template, snapshot):
         parameter_key = f"param-key-{short_uid()}"
         parameter_value = f"param-value-{short_uid()}"
+        snapshot.add_transformer(snapshot.transform.regex(parameter_value, "<parameter-value>"))
         create_parameter(Name=parameter_key, Value=parameter_value, Type="String")
 
         result = deploy_cfn_template(
-            parameters={"DynamicParameter": parameter_key},
+            parameters={"DynamicParameter": parameter_key, "ParameterName": parameter_key},
             template_path=os.path.join(
                 os.path.dirname(__file__), "../../templates/resolve_ssm.yaml"
             ),
         )
 
-        topic_name = result.outputs["TopicName"]
-        assert topic_name == parameter_value
+        snapshot.match("results", result.outputs)
 
     @markers.aws.validated
     def test_resolve_ssm_with_version(self, create_parameter, deploy_cfn_template, aws_client):
@@ -380,8 +381,12 @@ def test_resolve_ssm_with_version(self, create_parameter, deploy_cfn_template, a
             Name=parameter_key, Overwrite=True, Type="String", Value=parameter_value_v2
         )
 
+        versioned_parameter_reference = f"{parameter_key}:{v1['Version']}"
         result = deploy_cfn_template(
-            parameters={"DynamicParameter": f"{parameter_key}:{v1['Version']}"},
+            parameters={
+                "DynamicParameter": versioned_parameter_reference,
+                "ParameterName": versioned_parameter_reference,
+            },
             template_path=os.path.join(
                 os.path.dirname(__file__), "../../templates/resolve_ssm.yaml"
             ),
@@ -515,7 +520,7 @@ def test_resolve_secretsmanager(self, create_secret, deploy_cfn_template, templa
         create_secret(Name=parameter_key, SecretString=parameter_value)
 
         result = deploy_cfn_template(
-            parameters={"DynamicParameter": f"{parameter_key}"},
+            parameters={"DynamicParameter": parameter_key},
             template_path=os.path.join(
                 os.path.dirname(__file__),
                 "../../templates",
diff --git a/tests/aws/services/cloudformation/test_template_engine.snapshot.json b/tests/aws/services/cloudformation/test_template_engine.snapshot.json
@@ -691,5 +691,14 @@
     "recorded-content": {
       "error-response": "An error occurred (ValidationError) when calling the CreateChangeSet operation: Parameter InputValue should either have input value or default value"
     }
+  },
+  "tests/aws/services/cloudformation/test_template_engine.py::TestSsmParameters::test_resolve_ssm": {
+    "recorded-date": "24-09-2025, 22:06:32",
+    "recorded-content": {
+      "results": {
+        "ParameterValue": "abc:<parameter-value>",
+        "TopicName": "<parameter-value>"
+      }
+    }
   }
 }
diff --git a/tests/aws/services/cloudformation/test_template_engine.validation.json b/tests/aws/services/cloudformation/test_template_engine.validation.json
@@ -110,6 +110,15 @@
       "total": 61.74
     }
   },
+  "tests/aws/services/cloudformation/test_template_engine.py::TestSsmParameters::test_resolve_ssm": {
+    "last_validated_date": "2025-09-24T22:07:22+00:00",
+    "durations_in_seconds": {
+      "setup": 0.95,
+      "call": 10.67,
+      "teardown": 50.0,
+      "total": 61.62
+    }
+  },
   "tests/aws/services/cloudformation/test_template_engine.py::TestSsmParameters::test_resolve_ssm_missing_parameter": {
     "last_validated_date": "2025-08-06T09:34:07+00:00",
     "durations_in_seconds": {
diff --git a/tests/aws/templates/resolve_ssm.yaml b/tests/aws/templates/resolve_ssm.yaml
@@ -2,14 +2,25 @@ Parameters:
   DynamicParameter:
     Type: String
 
+  ParameterName:
+    Type: String
+
 Resources:
   topic69831491:
     Type: AWS::SNS::Topic
     Properties:
-      TopicName: !Join [ "", [ "{{resolve:ssm:", !Ref DynamicParameter, "}}"  ] ]
+      TopicName: !Join [ "", [ "{{resolve:ssm:", !Ref DynamicParameter, "}}" ] ]
+  MyParameter:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Type: String
+      Value: !Sub "abc:{{resolve:ssm:${ParameterName}}}"
 Outputs:
   TopicName:
     Value:
       Fn::GetAtt:
         - topic69831491
         - TopicName
+
+  ParameterValue:
+    Value: !GetAtt MyParameter.Value
diff --git a/tests/unit/services/cloudformation/test_cloudformation.py b/tests/unit/services/cloudformation/test_cloudformation.py
@@ -1,9 +1,12 @@
+import pytest
+
 from localstack.services.cloudformation.api_utils import is_local_service_url
 from localstack.services.cloudformation.deployment_utils import (
     PLACEHOLDER_AWS_NO_VALUE,
     remove_none_values,
 )
 from localstack.services.cloudformation.engine.template_deployer import order_resources
+from localstack.services.cloudformation.engine.v2.resolving import REGEX_DYNAMIC_REF
 
 
 def test_is_local_service_url():
@@ -60,3 +63,28 @@ def test_order_resources():
     )
 
     assert list(sorted_resources.keys()) == ["A", "B"]
+
+
+class TestDynamicResolving:
+    @pytest.mark.parametrize(
+        "value,matches",
+        [
+            pytest.param("{{resolve:ssm:abc123}}", True, id="ssm-basic"),
+            pytest.param("abc:{{resolve:ssm:abc123}}:foo", True, id="ssm-with-surrounding"),
+            pytest.param("{{resolve:ssm:${ParameterName}}}", False, id="ssm-in-sub"),
+            pytest.param("{{resolve:secretsmanager:foo}}", True, id="secrets-basic"),
+            pytest.param(
+                "{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:000000000000:secret:foo:SecretString:}}",
+                True,
+                id="secrets-partial",
+            ),
+            pytest.param(
+                "{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:000000000000:secret:foo:SecretString:::}}",
+                True,
+                id="secrets-full",
+            ),
+            pytest.param("{{resolve:secretsmanager:${SecretName}}}", False, id="secrets-in-sub"),
+        ],
+    )
+    def test_dynamic_ref_regex_matches(self, value, matches):
+        assert bool(REGEX_DYNAMIC_REF.search(value)) == matches

Original file line number	Diff line number	Diff line change
`@@ -691,5 +691,14 @@`
`691`	`691`	`"recorded-content": {`
`692`	`692`	`"error-response": "An error occurred (ValidationError) when calling the CreateChangeSet operation: Parameter InputValue should either have input value or default value"`
`693`	`693`	`}`
	`694`	`+ },`
	`695`	`+ "tests/aws/services/cloudformation/test_template_engine.py::TestSsmParameters::test_resolve_ssm": {`
	`696`	`+ "recorded-date": "24-09-2025, 22:06:32",`
	`697`	`+ "recorded-content": {`
	`698`	`+ "results": {`
	`699`	`+ "ParameterValue": "abc:<parameter-value>",`
	`700`	`+ "TopicName": "<parameter-value>"`
	`701`	`+ }`
	`702`	`+ }`
`694`	`703`	`}`
`695`	`704`	`}`