CFN: add more validations to intrinsic FnEquals (#13217)

pinzon · web-flow · commit 69ed78486d08 · 2025-10-10T12:18:12.000-05:00
diff --git a/localstack-core/localstack/services/cloudformation/engine/v2/change_set_model_preproc.py b/localstack-core/localstack/services/cloudformation/engine/v2/change_set_model_preproc.py
@@ -227,6 +227,8 @@ def _save_runtime_cache(self) -> None:
     def process(self) -> None:
         self._setup_runtime_cache()
         node_template = self._change_set.update_model.node_template
+        node_conditions = self._change_set.update_model.node_template.conditions
+        self.visit(node_conditions)
         self.visit(node_template)
         self._save_runtime_cache()
 
@@ -643,6 +645,12 @@ def _compute_fn_equals(args: list[Any]) -> bool:
             return args[0] == args[1]
 
         arguments_delta = self.visit(node_intrinsic_function.arguments)
+
+        if isinstance(arguments_delta.after, list) and len(arguments_delta.after) != 2:
+            raise ValidationError(
+                "Template error: every Fn::Equals object requires a list of 2 string parameters."
+            )
+
         delta = self._cached_apply(
             scope=node_intrinsic_function.scope,
             arguments_delta=arguments_delta,
@@ -919,6 +927,7 @@ def _compute_fn_split(args: list[Any]) -> Any:
             return split_string
 
         arguments_delta = self.visit(node_intrinsic_function.arguments)
+
         delta = self._cached_apply(
             scope=node_intrinsic_function.scope,
             arguments_delta=arguments_delta,
diff --git a/localstack-core/localstack/services/cloudformation/engine/v2/change_set_model_visitor.py b/localstack-core/localstack/services/cloudformation/engine/v2/change_set_model_visitor.py
@@ -54,6 +54,7 @@ def visit_node_template(self, node_template: NodeTemplate):
         # entities (parameters, mappings, conditions, etc.). Then compute the output fields; computing
         # only the output fields would only result in the deployment logic of the referenced outputs
         # being evaluated, hence enforce the visiting of all the resources first.
+        self.visit(node_template.conditions)
         self.visit(node_template.resources)
         self.visit(node_template.outputs)
 
diff --git a/tests/aws/services/cloudformation/engine/test_conditions.py b/tests/aws/services/cloudformation/engine/test_conditions.py
@@ -1,6 +1,8 @@
+import json
 import os.path
 
 import pytest
+from botocore.exceptions import ClientError
 from localstack_snapshot.snapshots.transformer import SortingTransformer
 from tests.aws.services.cloudformation.conftest import skip_if_legacy_engine
 
@@ -550,3 +552,29 @@ def test_references_to_disabled_resources(
             StackName=stack.stack_id
         )
         snapshot.match("resources-description", describe_resources)
+
+
+class TestValidateConditions:
+    @markers.aws.validated
+    @skip_if_legacy_engine
+    def test_validate_equals_args_len(self, aws_client, snapshot):
+        template = {
+            "Conditions": {"ShouldDeploy": {"Fn::Equals": ["a"]}},
+            "Resources": {
+                "Topic1": {
+                    "Type": "AWS::SNS::Topic",
+                },
+            },
+        }
+
+        stack_name = f"stack-{short_uid()}"
+        change_set_name = f"ch-{short_uid()}"
+        with pytest.raises(ClientError) as ex:
+            aws_client.cloudformation.create_change_set(
+                StackName=stack_name,
+                ChangeSetName=change_set_name,
+                ChangeSetType="CREATE",
+                TemplateBody=json.dumps(template),
+            )
+
+        snapshot.match("error", ex.value.response)
diff --git a/tests/aws/services/cloudformation/engine/test_conditions.snapshot.json b/tests/aws/services/cloudformation/engine/test_conditions.snapshot.json
@@ -933,5 +933,21 @@
         }
       }
     }
+  },
+  "tests/aws/services/cloudformation/engine/test_conditions.py::TestValidateConditions::test_validate_equals_args_len": {
+    "recorded-date": "08-10-2025, 18:18:14",
+    "recorded-content": {
+      "error": {
+        "Error": {
+          "Code": "ValidationError",
+          "Message": "Template error: every Fn::Equals object requires a list of 2 string parameters.",
+          "Type": "Sender"
+        },
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 400
+        }
+      }
+    }
   }
 }
diff --git a/tests/aws/services/cloudformation/engine/test_conditions.validation.json b/tests/aws/services/cloudformation/engine/test_conditions.validation.json
@@ -52,5 +52,14 @@
   },
   "tests/aws/services/cloudformation/engine/test_conditions.py::TestCloudFormationConditions::test_update_conditions": {
     "last_validated_date": "2024-06-18T19:43:43+00:00"
+  },
+  "tests/aws/services/cloudformation/engine/test_conditions.py::TestValidateConditions::test_validate_equals_args_len": {
+    "last_validated_date": "2025-10-08T18:18:14+00:00",
+    "durations_in_seconds": {
+      "setup": 0.25,
+      "call": 0.36,
+      "teardown": 0.0,
+      "total": 0.61
+    }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -933,5 +933,21 @@`
`933`	`933`	`}`
`934`	`934`	`}`
`935`	`935`	`}`
	`936`	`+ },`
	`937`	`+ "tests/aws/services/cloudformation/engine/test_conditions.py::TestValidateConditions::test_validate_equals_args_len": {`
	`938`	`+ "recorded-date": "08-10-2025, 18:18:14",`
	`939`	`+ "recorded-content": {`
	`940`	`+ "error": {`
	`941`	`+ "Error": {`
	`942`	`+ "Code": "ValidationError",`
	`943`	`+ "Message": "Template error: every Fn::Equals object requires a list of 2 string parameters.",`
	`944`	`+ "Type": "Sender"`
	`945`	`+ },`
	`946`	`+ "ResponseMetadata": {`
	`947`	`+ "HTTPHeaders": {},`
	`948`	`+ "HTTPStatusCode": 400`
	`949`	`+ }`
	`950`	`+ }`
	`951`	`+ }`
`936`	`952`	`}`
`937`	`953`	`}`