IaC generator and write-only properties
Write-only properties are resource properties that can be written but can’t be read by AWS CloudFormation. (An example would be a database password.) This causes issues when generating templates from existing resources. In general, write-only properties are converted into parameters in the generated template. This allows you to enter the properties as parameter values during import operations. However, write-only properties cannot be converted into parameters in the following cases:
- There are multiple exclusive sets of properties, at least some of which are write-only. The IaC generator cannot determine which set of exclusive properties was applied to the resource during creation. For example, you can provide the code for an AWS::Lambda::Function using one of these sets of properties:
  - Code/S3Bucket, Code/S3Key, and optionally Code/S3ObjectVersion
  - Code/ImageUri
  - Code/ZipFile
  All of these properties are write-only. The IaC generator selects one of the exclusive sets of properties and adds them to the generated template. Parameters are added for each of the write-only properties. The parameter names include OneOf, and the parameter descriptions indicate that the corresponding property can be replaced with other exclusive properties. The IaC generator sets a warningType of MUTUALLY_EXCLUSIVE_PROPERTIES for the included properties.
- The write-only property can be any of multiple data types. For example, the Body property of AWS::ApiGateway::RestApi can be either an object or a string. When this is the case, the IaC generator sets a warningType of MUTUALLY_EXCLUSIVE_TYPES and includes the property in the generated template using the type of string.
- The write-only property has a type of array. Parameters can only be scalar values, so it's not possible to add a parameter to the template for arrays. When this is the case, the IaC generator does not include the property in the generated template and sets a warningType of UNSUPPORTED_PROPERTIES.
- The write-only property is optional. The IaC generator can't detect if the write-only property was ever used when setting up the resource. In this case, the IaC generator does not include the property in the generated template and sets a warningType of UNSUPPORTED_PROPERTIES.
When the generated template includes resources with write-only properties, the IaC generator console displays a warning that summarizes the types of issues found.
You can choose View warning details to see more details. The resources with write-only properties are identified by the logical ID used in the generated template and resource type.
Use the list of warnings to identify resources with write-only properties and look at each resource to determine what changes (if any) need to be made to the generated template. You can download the generated template by choosing the Download button. After changes have been made, you can choose the Import edited template button to continue.
Important
Currently the AWS resource and property types reference documentation does not indicate if a property is write-only, or if it supports multiple types. You need to look at the warnings returned by the IaC generator console or the resource provider schema to determine which properties are write-only.
For more information on the resource provider schema, see Resource provider schema in the CloudFormation Command Line Interface User Guide. To download the resource provider schemas, see CloudFormation resource provider schemas.
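As an added example (not part of this page and not AWS's code), the following Python script reads the writeOnlyProperties list of a resource provider schema and sorts each entry into the four cases described above, which is the schema-side check the note recommends when the reference documentation does not say whether a property is write-only. The schema embedded in the script is constructed for illustration: it is shaped like a resource provider schema but is not the published AWS::Lambda::Function or AWS::ApiGateway::RestApi schema, and modelling exclusive property sets as oneOf branches is an assumption about how a schema expresses them. The function names (classify_write_only, classify_schema_file) are the script's own.

```python
"""Classify write-only properties from a CloudFormation resource provider schema
into the cases the IaC generator warns about.

Added example, not AWS code. SCHEMA is a constructed stand-in, not a published
registry schema; expressing exclusive sets as oneOf branches is an assumption.
"""
import json

# Constructed schema for illustration only. The exclusive Code sets are modelled
# as oneOf branches: "required" names the mandatory members of a set, and
# "properties" names members the set merely allows (S3ObjectVersion).
SCHEMA = {
    "properties": {
        "FunctionName": {"type": "string"},
        "Code": {"$ref": "#/definitions/Code"},
        "Body": {"type": ["object", "string"]},                 # several types
        "Layers": {"type": "array", "items": {"type": "string"}},
        "KmsKeyArn": {"type": "string"},                        # optional scalar
        "Password": {"type": "string"},                         # required scalar
    },
    "definitions": {
        "Code": {
            "type": "object",
            "properties": {
                "S3Bucket": {"type": "string"}, "S3Key": {"type": "string"},
                "S3ObjectVersion": {"type": "string"},
                "ImageUri": {"type": "string"}, "ZipFile": {"type": "string"},
            },
            "oneOf": [
                {"required": ["S3Bucket", "S3Key"],
                 "properties": {"S3ObjectVersion": {}}},
                {"required": ["ImageUri"]},
                {"required": ["ZipFile"]},
            ],
        }
    },
    "required": ["FunctionName", "Code", "Password"],
    "writeOnlyProperties": [
        "/properties/Code/S3Bucket", "/properties/Code/S3Key",
        "/properties/Code/S3ObjectVersion", "/properties/Code/ImageUri",
        "/properties/Code/ZipFile", "/properties/Body", "/properties/Layers",
        "/properties/KmsKeyArn", "/properties/Password",
    ],
}


def _resolve(schema, node):
    """Follow local "$ref" pointers such as "#/definitions/Code" to their target."""
    while "$ref" in node:
        ref = node["$ref"]
        if not ref.startswith("#/"):
            raise ValueError(f"only local $ref is supported: {ref}")
        node = schema
        for part in ref[2:].split("/"):
            node = node[part]
    return node


def _walk(schema, pointer):
    """Walk a writeOnlyProperties pointer like /properties/Code/S3Bucket.

    Returns (parent, leaf_name, leaf_node, required); required is True only if
    every segment on the path is listed in its parent's "required" array.
    """
    names = pointer.strip("/").split("/")
    if names[0] != "properties" or len(names) < 2:
        raise ValueError(f"unexpected pointer: {pointer}")
    container, required = schema, True
    for name in names[1:]:
        parent = _resolve(schema, container)
        required = required and name in parent.get("required", [])
        container = parent["properties"][name]
    return parent, names[-1], _resolve(schema, container), required


def _in_exclusive_set(parent, name):
    """True if some oneOf branch of the parent names this property."""
    for branch in parent.get("oneOf", []):
        members = set(branch.get("required", [])) | set(branch.get("properties", {}))
        if name in members:
            return True
    return False


def classify_write_only(schema):
    """Map each write-only property pointer to the generator's warning case.

    "PARAMETER" marks properties that can become template parameters; the other
    verdicts are the warningType values, checked in the order the page lists.
    """
    verdicts = {}
    for pointer in schema.get("writeOnlyProperties", []):
        parent, name, node, required = _walk(schema, pointer)
        types = node.get("type")
        if _in_exclusive_set(parent, name):
            verdict = "MUTUALLY_EXCLUSIVE_PROPERTIES"  # parameter name carries OneOf
        elif isinstance(types, list) and len(types) > 1:
            verdict = "MUTUALLY_EXCLUSIVE_TYPES"       # emitted with type string
        elif types == "array":
            verdict = "UNSUPPORTED_PROPERTIES"         # no array parameters
        elif not required:
            verdict = "UNSUPPORTED_PROPERTIES"         # usage cannot be detected
        else:
            verdict = "PARAMETER"
        verdicts[pointer] = verdict
    return verdicts


def classify_schema_file(path):
    """Run the same classification on a schema JSON file downloaded from AWS."""
    with open(path, encoding="utf-8") as fh:
        return classify_write_only(json.load(fh))


if __name__ == "__main__":
    for pointer, verdict in classify_write_only(SCHEMA).items():
        print(f"{pointer:<36} {verdict}")
```

Point classify_schema_file at a schema from the downloaded resource provider schema bundle to get the same table for a real resource type; a property that comes back as PARAMETER is one you should expect to supply as a parameter value during the import, while the other verdicts tell you which properties to check by hand in the generated template.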