CFNV2: implement NoEcho support (#13011)

simonrw · web-flow · commit a7f4742af907 · 2025-08-19T13:09:04.000-05:00
diff --git a/localstack-core/localstack/services/cloudformation/v2/provider.py b/localstack-core/localstack/services/cloudformation/v2/provider.py
@@ -226,7 +226,10 @@ def _resolve_parameters(
             given_value = parameters.get(name)
             default_value = parameter.get("Default")
             resolved_parameter = EngineParameter(
-                type_=parameter["Type"], given_value=given_value, default_value=default_value
+                type_=parameter["Type"],
+                given_value=given_value,
+                default_value=default_value,
+                no_echo=parameter.get("NoEcho"),
             )
 
             # TODO: support other parameter types
@@ -501,9 +504,7 @@ def create_change_set(
             change_set.set_execution_status(ExecutionStatus.UNAVAILABLE)
             change_set.status_reason = "The submitted information didn't contain changes. Submit different information to create a change set."
         else:
-            if stack.status in [StackStatus.CREATE_COMPLETE, StackStatus.UPDATE_COMPLETE]:
-                stack.set_stack_status(StackStatus.UPDATE_IN_PROGRESS)
-            else:
+            if stack.status not in [StackStatus.CREATE_COMPLETE, StackStatus.UPDATE_COMPLETE]:
                 stack.set_stack_status(StackStatus.REVIEW_IN_PROGRESS)
 
             change_set.set_change_set_status(ChangeSetStatus.CREATE_COMPLETE)
@@ -600,42 +601,6 @@ def _run(*args):
 
         return ExecuteChangeSetOutput()
 
-    def _describe_change_set(
-        self, change_set: ChangeSet, include_property_values: bool
-    ) -> DescribeChangeSetOutput:
-        # TODO: The ChangeSetModelDescriber currently matches AWS behavior by listing
-        #       resource changes in the order they appear in the template. However, when
-        #       a resource change is triggered indirectly (e.g., via Ref or GetAtt), the
-        #       dependency's change appears first in the list.
-        #       Snapshot tests using the `capture_update_process` fixture rely on a
-        #       normalizer to account for this ordering. This should be removed in the
-        #       future by enforcing a consistently correct change ordering at the source.
-        change_set_describer = ChangeSetModelDescriber(
-            change_set=change_set, include_property_values=include_property_values
-        )
-        changes: Changes = change_set_describer.get_changes()
-
-        result = DescribeChangeSetOutput(
-            Status=change_set.status,
-            ChangeSetId=change_set.change_set_id,
-            ChangeSetName=change_set.change_set_name,
-            ExecutionStatus=change_set.execution_status,
-            RollbackConfiguration=RollbackConfiguration(),
-            StackId=change_set.stack.stack_id,
-            StackName=change_set.stack.stack_name,
-            CreationTime=change_set.creation_time,
-            Changes=changes,
-            Capabilities=change_set.stack.capabilities,
-            StatusReason=change_set.status_reason,
-            Description=change_set.description,
-            # TODO: static information
-            IncludeNestedStacks=False,
-            NotificationARNs=[],
-        )
-        if change_set.resolved_parameters:
-            result["Parameters"] = self._render_resolved_parameters(change_set.resolved_parameters)
-        return result
-
     @staticmethod
     def _render_resolved_parameters(
         resolved_parameters: dict[str, EngineParameter],
@@ -649,6 +614,10 @@ def _render_resolved_parameters(
             )
             if resolved_value := resolved_parameter.get("resolved_value"):
                 parameter["ResolvedValue"] = resolved_value
+
+            # TODO :what happens to the resolved value?
+            if resolved_parameter.get("no_echo", False):
+                parameter["ParameterValue"] = "****"
             result.append(parameter)
 
         return result
@@ -670,9 +639,38 @@ def describe_change_set(
 
         if not change_set:
             raise ChangeSetNotFoundException(f"ChangeSet [{change_set_name}] does not exist")
-        result = self._describe_change_set(
-            change_set=change_set, include_property_values=include_property_values or False
+
+        # TODO: The ChangeSetModelDescriber currently matches AWS behavior by listing
+        #       resource changes in the order they appear in the template. However, when
+        #       a resource change is triggered indirectly (e.g., via Ref or GetAtt), the
+        #       dependency's change appears first in the list.
+        #       Snapshot tests using the `capture_update_process` fixture rely on a
+        #       normalizer to account for this ordering. This should be removed in the
+        #       future by enforcing a consistently correct change ordering at the source.
+        change_set_describer = ChangeSetModelDescriber(
+            change_set=change_set, include_property_values=include_property_values
         )
+        changes: Changes = change_set_describer.get_changes()
+
+        result = DescribeChangeSetOutput(
+            Status=change_set.status,
+            ChangeSetId=change_set.change_set_id,
+            ChangeSetName=change_set.change_set_name,
+            ExecutionStatus=change_set.execution_status,
+            RollbackConfiguration=RollbackConfiguration(),
+            StackId=change_set.stack.stack_id,
+            StackName=change_set.stack.stack_name,
+            CreationTime=change_set.creation_time,
+            Changes=changes,
+            Capabilities=change_set.stack.capabilities,
+            StatusReason=change_set.status_reason,
+            Description=change_set.description,
+            # TODO: static information
+            IncludeNestedStacks=False,
+            NotificationARNs=[],
+        )
+        if change_set.resolved_parameters:
+            result["Parameters"] = self._render_resolved_parameters(change_set.resolved_parameters)
         return result
 
     @handler("DeleteChangeSet")
diff --git a/localstack-core/localstack/services/cloudformation/v2/types.py b/localstack-core/localstack/services/cloudformation/v2/types.py
@@ -13,6 +13,7 @@ class EngineParameter(TypedDict):
     given_value: NotRequired[str | None]
     resolved_value: NotRequired[str | None]
     default_value: NotRequired[str | None]
+    no_echo: NotRequired[bool | None]
 
 
 def engine_parameter_value(parameter: EngineParameter) -> str:
diff --git a/tests/aws/services/cloudformation/api/test_stacks.py b/tests/aws/services/cloudformation/api/test_stacks.py
@@ -11,7 +11,6 @@
 from localstack_snapshot.snapshots.transformer import SortingTransformer
 from tests.aws.services.cloudformation.conftest import (
     skip_if_v1_provider,
-    skip_if_v2_provider,
     skipped_v2_items,
 )
 
@@ -1032,7 +1031,6 @@ def test_stack_deletion_order(
     snapshot.match("all-events", to_snapshot)
 
 
-@skip_if_v2_provider("DescribeStack")
 @markers.snapshot.skip_snapshot_verify(
     paths=[
         # TODO: this property is present in the response from LocalStack when
@@ -1047,6 +1045,10 @@ def test_stack_deletion_order(
         "$..ResourceChange",
         "$..StackResourceDetail.Metadata",
     ]
+    + skipped_v2_items(
+        "$..Stacks..Outputs..Description",
+        "$..StackResourceDetail.DriftInformation",
+    )
 )
 @markers.aws.validated
 def test_no_echo_parameter(snapshot, aws_client, deploy_cfn_template):
@@ -1082,6 +1084,28 @@ def test_no_echo_parameter(snapshot, aws_client, deploy_cfn_template):
             describe_stack_resource_details,
         )
 
+    # create a change set
+    change_set_name = f"CreateChangeSetSecretParameterValue-{short_uid()}"
+    aws_client.cloudformation.create_change_set(
+        StackName=stack_name,
+        TemplateBody=template,
+        ChangeSetName=change_set_name,
+        Parameters=[
+            {"ParameterKey": "SecretParameter", "ParameterValue": "NewSecretValue1"},
+        ],
+    )
+    aws_client.cloudformation.get_waiter("change_set_create_complete").wait(
+        StackName=stack_name,
+        ChangeSetName=change_set_name,
+    )
+    change_sets = aws_client.cloudformation.describe_change_set(
+        StackName=stack_id,
+        ChangeSetName=change_set_name,
+    )
+    snapshot.match("describe_change_set_on_create_complete", change_sets)
+    describe_stacks = aws_client.cloudformation.describe_stacks(StackName=stack_id)
+    snapshot.match("describe_stack_on_create_complete", describe_stacks)
+
     # Update stack via update_stack (and change the value of SecretParameter)
     aws_client.cloudformation.update_stack(
         StackName=stack_name,
diff --git a/tests/aws/services/cloudformation/api/test_stacks.snapshot.json b/tests/aws/services/cloudformation/api/test_stacks.snapshot.json
@@ -1573,7 +1573,7 @@
     }
   },
   "tests/aws/services/cloudformation/api/test_stacks.py::test_no_echo_parameter": {
-    "recorded-date": "19-12-2024, 11:35:19",
+    "recorded-date": "15-08-2025, 12:01:58",
     "recorded-content": {
       "describe_stacks": {
         "Stacks": [
@@ -1646,6 +1646,141 @@
           "HTTPStatusCode": 200
         }
       },
+      "describe_change_set_on_create_complete": {
+        "Capabilities": [],
+        "ChangeSetId": "arn:<partition>:cloudformation:<region>:111111111111:changeSet/<resource:3>",
+        "ChangeSetName": "<change-set-name:1>",
+        "Changes": [
+          {
+            "ResourceChange": {
+              "Action": "Modify",
+              "Details": [
+                {
+                  "CausingEntity": "SecretParameter",
+                  "ChangeSource": "ParameterReference",
+                  "Evaluation": "Static",
+                  "Target": {
+                    "Attribute": "Metadata",
+                    "RequiresRecreation": "Never"
+                  }
+                },
+                {
+                  "CausingEntity": "SecretParameter",
+                  "ChangeSource": "ParameterReference",
+                  "Evaluation": "Static",
+                  "Target": {
+                    "Attribute": "Properties",
+                    "Name": "Tags",
+                    "RequiresRecreation": "Never"
+                  }
+                },
+                {
+                  "ChangeSource": "DirectModification",
+                  "Evaluation": "Dynamic",
+                  "Target": {
+                    "Attribute": "Metadata",
+                    "RequiresRecreation": "Never"
+                  }
+                },
+                {
+                  "ChangeSource": "DirectModification",
+                  "Evaluation": "Dynamic",
+                  "Target": {
+                    "Attribute": "Properties",
+                    "Name": "Tags",
+                    "RequiresRecreation": "Never"
+                  }
+                }
+              ],
+              "LogicalResourceId": "LocalBucket",
+              "PhysicalResourceId": "cfn-noecho-bucket",
+              "Replacement": "False",
+              "ResourceType": "AWS::S3::Bucket",
+              "Scope": [
+                "Metadata",
+                "Properties"
+              ]
+            },
+            "Type": "Resource"
+          }
+        ],
+        "CreationTime": "datetime",
+        "ExecutionStatus": "AVAILABLE",
+        "IncludeNestedStacks": false,
+        "NotificationARNs": [],
+        "Parameters": [
+          {
+            "ParameterKey": "NormalParameter",
+            "ParameterValue": "Some default value here"
+          },
+          {
+            "ParameterKey": "SecretParameter",
+            "ParameterValue": "****"
+          },
+          {
+            "ParameterKey": "SecretParameterWithDefault",
+            "ParameterValue": "****"
+          }
+        ],
+        "RollbackConfiguration": {},
+        "StackId": "arn:<partition>:cloudformation:<region>:111111111111:stack/<stack-name:1>/<resource:2>",
+        "StackName": "<stack-name:1>",
+        "Status": "CREATE_COMPLETE",
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 200
+        }
+      },
+      "describe_stack_on_create_complete": {
+        "Stacks": [
+          {
+            "Capabilities": [
+              "CAPABILITY_AUTO_EXPAND",
+              "CAPABILITY_IAM",
+              "CAPABILITY_NAMED_IAM"
+            ],
+            "ChangeSetId": "arn:<partition>:cloudformation:<region>:111111111111:changeSet/<resource:1>",
+            "CreationTime": "datetime",
+            "DisableRollback": false,
+            "DriftInformation": {
+              "StackDriftStatus": "NOT_CHECKED"
+            },
+            "EnableTerminationProtection": false,
+            "LastUpdatedTime": "datetime",
+            "NotificationARNs": [],
+            "Outputs": [
+              {
+                "Description": "Secret value from parameter",
+                "OutputKey": "SecretValue",
+                "OutputValue": "SecretValue"
+              }
+            ],
+            "Parameters": [
+              {
+                "ParameterKey": "NormalParameter",
+                "ParameterValue": "Some default value here"
+              },
+              {
+                "ParameterKey": "SecretParameter",
+                "ParameterValue": "****"
+              },
+              {
+                "ParameterKey": "SecretParameterWithDefault",
+                "ParameterValue": "****"
+              }
+            ],
+            "RollbackConfiguration": {},
+            "StackId": "arn:<partition>:cloudformation:<region>:111111111111:stack/<stack-name:1>/<resource:2>",
+            "StackName": "<stack-name:1>",
+            "StackStatus": "CREATE_COMPLETE",
+            "Tags": []
+          }
+        ],
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 200
+        }
+      },
       "describe_updated_stacks": {
         "Stacks": [
           {
@@ -1697,8 +1832,8 @@
       },
       "describe_updated_change_set": {
         "Capabilities": [],
-        "ChangeSetId": "arn:<partition>:cloudformation:<region>:111111111111:changeSet/<resource:3>",
-        "ChangeSetName": "<change-set-name:1>",
+        "ChangeSetId": "arn:<partition>:cloudformation:<region>:111111111111:changeSet/<resource:4>",
+        "ChangeSetName": "<change-set-name:2>",
         "Changes": [
           {
             "ResourceChange": {
@@ -1831,8 +1966,8 @@
       },
       "describe_updated_change_set_no_echo_true": {
         "Capabilities": [],
-        "ChangeSetId": "arn:<partition>:cloudformation:<region>:111111111111:changeSet/<resource:4>",
-        "ChangeSetName": "<change-set-name:2>",
+        "ChangeSetId": "arn:<partition>:cloudformation:<region>:111111111111:changeSet/<resource:5>",
+        "ChangeSetName": "<change-set-name:3>",
         "Changes": [
           {
             "ResourceChange": {
@@ -1965,8 +2100,8 @@
       },
       "describe_updated_change_set_no_echo_false": {
         "Capabilities": [],
-        "ChangeSetId": "arn:<partition>:cloudformation:<region>:111111111111:changeSet/<resource:5>",
-        "ChangeSetName": "<change-set-name:3>",
+        "ChangeSetId": "arn:<partition>:cloudformation:<region>:111111111111:changeSet/<resource:6>",
+        "ChangeSetName": "<change-set-name:4>",
         "Changes": [
           {
             "ResourceChange": {
diff --git a/tests/aws/services/cloudformation/api/test_stacks.validation.json b/tests/aws/services/cloudformation/api/test_stacks.validation.json
@@ -75,7 +75,13 @@
     "last_validated_date": "2024-03-26T17:59:43+00:00"
   },
   "tests/aws/services/cloudformation/api/test_stacks.py::test_no_echo_parameter": {
-    "last_validated_date": "2024-12-19T11:35:15+00:00"
+    "last_validated_date": "2025-08-15T12:01:58+00:00",
+    "durations_in_seconds": {
+      "setup": 1.28,
+      "call": 67.64,
+      "teardown": 4.43,
+      "total": 73.35
+    }
   },
   "tests/aws/services/cloudformation/api/test_stacks.py::test_no_parameters_given": {
     "last_validated_date": "2025-07-31T16:12:14+00:00",
diff --git a/tests/aws/services/cloudformation/api/test_transformers.py b/tests/aws/services/cloudformation/api/test_transformers.py
@@ -72,10 +72,6 @@ def test_duplicate_resources(deploy_cfn_template, s3_bucket, snapshot, aws_clien
     snapshot.match("api-resources", resources)
 
 
-@skip_if_v2_provider(
-    "AWS::Include",
-    reason="The transformation is run however the physical resource id for the resource is not available",
-)
 @markers.aws.validated
 def test_transformer_property_level(deploy_cfn_template, s3_bucket, aws_client, snapshot):
     api_spec = textwrap.dedent("""
