Fail on stacks that use template transforms #2
Open
deorus wants to merge 1 commit into
Detect a non-empty Transform section via GetTemplate before UpdateStack and error out, instead of silently reporting nothing to update.
5013545 to 9d67457
doistbot
reviewed
Jun 22, 2026
Member
This PR adds a preflight GetTemplate + hasTransform() check so that stacks with a non-empty Transform section fail with a clear error instead of silently no-opping during updates.
I also included a few optional follow-up notes in the details below.
Optional follow-up notes (3)
- [P3] main.go:245: This strict prefix check will miss the top-level `Transform` key if it happens to be quoted in YAML (e.g., `"Transform": AWS::...` or `'Transform':`). Consider adding checks for `"Transform":` and `'Transform':` to make the YAML fallback detection more robust.
- [P3] main.go:71: `GetTemplate` now runs before we validate `toReplace` against `stack.Parameters`, so a typo like `MissingParam=value` pays for a full template fetch even though `DescribeStacks` already gives enough data to fail fast. Move the transform check until after the `len(toReplace) != 0` guard (or after building `params`) so unknown-parameter runs avoid the extra network round trip and template download.
- [P3] main_test.go:44: The JSON branch of `hasTransform` explicitly handles `"[]"` and `"\"\""` (empty array and empty string) as no-transform cases, but there are no table entries covering them. A `null` Transform is tested; adding `{"Transform": []}` and `{"Transform": ""}` entries would lock in the behavior and guard against an accidental regression where a valid stack gets incorrectly rejected.
Currently, updating a stack with a non-empty `Transform` section is a silent no-op: the params-only `UpdateStack` returns `No updates are to be performed.`, which `main()` swallows as a `::warning::nothing to update` and exits 0. The README already documents this as a known limitation, but there's no guard — the action reports success while changing nothing.

This adds a preflight check: `GetTemplate` (original stage) + `hasTransform()` parses the body for a top-level `Transform` section and fails with a clear error before calling `UpdateStack`.

YAML short-form intrinsics (`!Ref`, etc.) make full parsing impractical, so the YAML path only scans for a top-level `Transform` key; JSON templates are parsed properly.

Note: needs `cloudformation:GetTemplate` on the role (added to README permissions). There's no way to inspect the template without a `Get*` call — `GetTemplate` reuses raw-body parsing rather than the separate `GetTemplateSummary` action.
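
The detection described above, sketched as an added example (not the pull request's code; `detectTransform` and the sample templates are constructed for illustration). JSON bodies are parsed, with an absent, null, empty-string or empty-array `Transform` counting as no transform, while YAML bodies are scanned for an unindented `Transform` key, bare or quoted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// detectTransform (hypothetical name, not the PR's hasTransform) reports
// whether a template body declares a non-empty top-level Transform section.
func detectTransform(body string) (bool, error) {
	if strings.HasPrefix(strings.TrimSpace(body), "{") {
		// JSON template: parse fully; a missing key and null both decode to nil.
		var top map[string]interface{}
		if err := json.Unmarshal([]byte(body), &top); err != nil {
			// Fail closed rather than guessing about an unparseable body.
			return false, fmt.Errorf("template looks like JSON but does not parse: %w", err)
		}
		switch v := top["Transform"].(type) {
		case nil:
			return false, nil
		case string:
			return v != "", nil
		case []interface{}:
			return len(v) > 0, nil
		}
		return true, nil
	}
	// YAML template: short-form intrinsics such as !Ref rule out a generic
	// parse, so scan for an unindented key, bare or quoted.
	for _, line := range strings.Split(body, "\n") {
		for _, key := range []string{"Transform", `"Transform"`, `'Transform'`} {
			if strings.HasPrefix(line, key) &&
				strings.HasPrefix(strings.TrimLeft(line[len(key):], " \t"), ":") {
				return true, nil
			}
		}
	}
	return false, nil
}

func main() {
	// Constructed sample: a nested property named Transform plus a quoted top-level key.
	yamlBody := "Resources:\n  Thing:\n    Transform: ignored\n'Transform': AWS::Serverless-2016-10-31\n"
	found, err := detectTransform(yamlBody)
	fmt.Println(found, err)
}
```

The YAML scan is deliberately conservative: any unindented `Transform` key counts as a transform, whatever its value.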