Troubleshooting AWS CloudFormation Guard

If you encounter issues while working with AWS CloudFormation Guard, consult the topics in this section.

Clause fails when no resources of the selected type are present

When a query uses a filter like Resources.*[ Type == 'AWS::ApiGateway::RestApi' ], if there are no AWS::ApiGateway::RestApi resources in the input, the clause evaluates to FAIL.

%api_gws.Properties.EndpointConfiguration.Types[*] == "PRIVATE"

To avoid this outcome, assign filters to variables and use the when condition check.

let api_gws = Resources.*[ Type == 'AWS::ApiGateway::RestApi' ]
when %api_gws !empty { ... }

Guard does not evaluate CloudFormation template with short-form Fn::GetAtt references

Guard doesn't support the short forms of intrinsic functions. For example, !Join and !Sub in a YAML-formatted AWS CloudFormation template aren't supported. Instead, use the expanded forms of CloudFormation intrinsic functions. For example, use Fn::Join and Fn::Sub in YAML-formatted CloudFormation templates when evaluating them against Guard rules.

For more information about intrinsic functions, see the intrinsic function reference in the AWS CloudFormation User Guide.
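
A pre-flight check for the limitation above, as an added example that is not part of the AWS documentation or the Guard project: it flags short-form intrinsic tags in a YAML template and exits non-zero, so a pipeline can stop before handing Guard a template it does not evaluate. The sample template, the function names and the line-based heuristic (it does not parse YAML and does not recognise block scalars) are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Constructed sample template (not from the page): two short-form tags, one
# long-form function, and a "!" inside a quoted string that must not match.
SAMPLE_TEMPLATE = """\
Resources:
  Api:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: !Sub "${AWS::StackName}-api"   # short form
      Description: "Hello! World"
      Tags:
        - Key: role
          Value:
            Fn::GetAtt: [Role, Arn]
        - Key: owner
          Value: !Ref OwnerParam
"""

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"' + r"|'(?:''|[^'])*'")  # quoted scalars
COMMENT = re.compile(r"(?:^|\s)#.*")                            # trailing comments
# A tag in value position: at line start, or after whitespace, "[", "," or "{".
TAG = re.compile(r"(?<![^\s\[,{])!([A-Za-z][A-Za-z0-9]*)")

def long_form(name):
    """Expanded key for a short-form tag: !Ref -> Ref, !Condition -> Condition, else Fn::<name>."""
    return name if name in ("Ref", "Condition") else "Fn::" + name

def find_short_forms(text):
    """Return (line_number, short_form, long_form) for every short-form tag found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        bare = QUOTED.sub('""', line)   # ignore "!" inside quoted strings
        bare = COMMENT.sub("", bare)    # ignore "!" inside comments
        for m in TAG.finditer(bare):
            findings.append((lineno, "!" + m.group(1), long_form(m.group(1))))
    return findings

def main(argv):
    text = Path(argv[1]).read_text(encoding="utf-8") if len(argv) > 1 else SAMPLE_TEMPLATE
    findings = find_short_forms(text)
    for lineno, short, full in findings:
        print(f"line {lineno}: {short} -> use {full}")
    return 1 if findings else 0         # non-zero exit fails the pipeline step

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a template path as the first argument; with no argument it scans the constructed sample.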

General troubleshooting topics

  • Verify that string literals don't contain embedded escaped strings. Currently, Guard doesn't support embedded escape strings in string literals.

  • Verify that your != comparisons compare compatible data types. For example, a string and an int are not compatible data types for comparison. When performing a != comparison, if the values are incompatible, an error occurs internally. Currently, the error is suppressed and converted to false to satisfy the PartialEq trait in Rust.