Enable use of additional intrinsic functions within Fn::FindInMap #73

Closed
@rhbecker

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request

Enable use of additional intrinsic functions within Fn::FindInMap.

Per the documentation ...

You can use the following functions in a Fn::FindInMap function:

  • Fn::FindInMap
  • Ref

Tell us about the problem you are trying to solve. What are you trying to do, and why is it hard?

As an example of how other functions would be useful ...

I'm defining a template in which I want to enforce documented parameter value constraints for the AWS::KMS::Key resource type - particularly its KeyUsage property.

The relevant portions of my template are below. I'm not pasting a fully formed template because I want to highlight only the relevant parts. The very last line exhibits what I'm requesting ...

Parameters:

  AsymmetricRSAKeyUsage:
    Type: String
    AllowedValues:
      - ENCRYPT_DECRYPT
      - SIGN_VERIFY
    Default: ENCRYPT_DECRYPT

  KeySpec:
    Type: String
    AllowedValues:
      - ECC_NIST_P256
      - ECC_NIST_P384
      - ECC_NIST_P521
      - ECC_SECG_P256K1
      - HMAC_224
      - HMAC_256
      - HMAC_384
      - HMAC_512
      - RSA_2048
      - RSA_3072
      - RSA_4096
      - SYMMETRIC_DEFAULT
    Default: SYMMETRIC_DEFAULT

Conditions:
  IsKeyAsymmetricRSA: !Equals ['RSA', !Select [0, !Split [_, !Ref KeySpec]]]

Mappings:
  KeyPrefix:
    ECC:
      usage: SIGN_VERIFY
    HMAC:
      usage: GENERATE_VERIFY_MAC
    SYMMETRIC:
      usage: ENCRYPT_DECRYPT

Resources:
  Key:
    Type: AWS::KMS::Key
    Properties:
      KeyUsage: !If
        - IsKeyAsymmetricRSA
        - !Ref AsymmetricRSAKeyUsage
        - !FindInMap [KeyPrefix, !Select [0, !Split [_, !Ref KeySpec]], usage]

Are you currently working around this issue?

It seems like the only alternative is a lot of nested conditions?

I think the below would work, using the same parameters in the above example, but with the KeyPrefix mapping removed ...

Conditions:
  IsKeyAsymmetricECC: !Equals ['ECC', !Select [0, !Split [_, !Ref KeySpec]]]
  IsKeyAsymmetricRSA: !Equals ['RSA', !Select [0, !Split [_, !Ref KeySpec]]]
  IsKeyHMAC: !Equals ['HMAC', !Select [0, !Split [_, !Ref KeySpec]]]

Resources:
  Key:
    Type: AWS::KMS::Key
    Properties:
      KeyUsage: !If
        - IsKeyAsymmetricRSA
        - !Ref AsymmetricRSAKeyUsage
        - !If
          - IsKeyAsymmetricECC
          - SIGN_VERIFY
          - !If
            - IsKeyHMAC
            - GENERATE_VERIFY_MAC
            - ENCRYPT_DECRYPT

What is the expected behavior with this new feature

Example provided above.

Additional context

You all do fine work and I appreciate you.

Attachments

n/a
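The following added example (not part of the original issue and not CloudFormation's own evaluator) models both templates from the post in Python and checks that the requested `!FindInMap` form and the nested-`!If` workaround resolve `KeyUsage` identically for every allowed `KeySpec`. The helper names are hypothetical, and it assumes only the selected `!If` branch is resolved.

```python
# Local model of the two templates above; sample inputs are the AllowedValues from the issue.
KEY_SPECS = [
    "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1",
    "HMAC_224", "HMAC_256", "HMAC_384", "HMAC_512",
    "RSA_2048", "RSA_3072", "RSA_4096", "SYMMETRIC_DEFAULT",
]
RSA_USAGES = ["ENCRYPT_DECRYPT", "SIGN_VERIFY"]  # AsymmetricRSAKeyUsage AllowedValues
KEY_PREFIX = {  # the KeyPrefix mapping from the issue
    "ECC": {"usage": "SIGN_VERIFY"},
    "HMAC": {"usage": "GENERATE_VERIFY_MAC"},
    "SYMMETRIC": {"usage": "ENCRYPT_DECRYPT"},
}

def prefix(key_spec):
    """Models !Select [0, !Split [_, !Ref KeySpec]]."""
    return key_spec.split("_")[0]

def usage_requested(key_spec, rsa_usage):
    """KeyUsage as the requested !FindInMap template would resolve it (hypothetical helper)."""
    if prefix(key_spec) == "RSA":      # IsKeyAsymmetricRSA
        return rsa_usage               # !Ref AsymmetricRSAKeyUsage
    # Assumption: only the selected !If branch is resolved, so the missing
    # RSA entry in KeyPrefix is never looked up.
    return KEY_PREFIX[prefix(key_spec)]["usage"]

def usage_workaround(key_spec, rsa_usage):
    """KeyUsage as the nested-!If workaround resolves it (hypothetical helper)."""
    p = prefix(key_spec)
    if p == "RSA":                     # IsKeyAsymmetricRSA
        return rsa_usage
    if p == "ECC":                     # IsKeyAsymmetricECC
        return "SIGN_VERIFY"
    if p == "HMAC":                    # IsKeyHMAC
        return "GENERATE_VERIFY_MAC"
    return "ENCRYPT_DECRYPT"           # catch-all else branch

def compare():
    """Return every (KeySpec, AsymmetricRSAKeyUsage) pair where the two forms differ."""
    return [
        (spec, rsa)
        for spec in KEY_SPECS
        for rsa in RSA_USAGES
        if usage_requested(spec, rsa) != usage_workaround(spec, rsa)
    ]

if __name__ == "__main__":
    for spec in KEY_SPECS:
        print(f"{spec:18} {usage_workaround(spec, 'ENCRYPT_DECRYPT')}")
    print("mismatches:", compare())
```

In this model the workaround's final else branch maps any unrecognised prefix to `ENCRYPT_DECRYPT`, while the mapping form raises a lookup error; with the `AllowedValues` list above the two agree on every input.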
