localstack
diff --git a/‎localstack-core/localstack/aws/api/cloudformation/__init__.py
Lines changed: 1 addition & 0 deletions b/‎localstack-core/localstack/aws/api/cloudformation/__init__.py
Lines changed: 1 addition & 0 deletions
diff --git a/‎localstack-core/localstack/services/cloudformation/engine/entities.py
Lines changed: 4 additions & 1 deletion b/‎localstack-core/localstack/services/cloudformation/engine/entities.py
Lines changed: 4 additions & 1 deletion
diff --git a/‎localstack-core/localstack/services/cloudformation/engine/parameters.py
Lines changed: 10 additions & 1 deletion b/‎localstack-core/localstack/services/cloudformation/engine/parameters.py
Lines changed: 10 additions & 1 deletion
diff --git a/‎localstack-core/localstack/services/cloudformation/provider.py
Lines changed: 4 additions & 3 deletions b/‎localstack-core/localstack/services/cloudformation/provider.py
Lines changed: 4 additions & 3 deletions
diff --git a/‎tests/aws/services/cloudformation/api/test_templates.py
Lines changed: 16 additions & 0 deletions b/‎tests/aws/services/cloudformation/api/test_templates.py
Lines changed: 16 additions & 0 deletions
diff --git a/‎tests/aws/services/cloudformation/api/test_templates.snapshot.json
Lines changed: 62 additions & 8 deletions b/‎tests/aws/services/cloudformation/api/test_templates.snapshot.json
Lines changed: 62 additions & 8 deletions
diff --git a/‎tests/aws/templates/cfn_noecho.yml
Lines changed: 18 additions & 0 deletions b/‎tests/aws/templates/cfn_noecho.yml
Lines changed: 18 additions & 0 deletions
diff --git a/‎tests/aws/templates/valid_template.json
Lines changed: 5 additions & 0 deletions b/‎tests/aws/templates/valid_template.json
Lines changed: 5 additions & 0 deletions
@@ -1070,6 +1070,7 @@ class RollbackConfiguration(TypedDict, total=False):
 class Parameter(TypedDict, total=False):
     ParameterKey: Optional[ParameterKey]
     ParameterValue: Optional[ParameterValue]
+    NoEcho: Optional[NoEcho]
     UsePreviousValue: Optional[UsePreviousValue]
     ResolvedValue: Optional[ParameterValue]
 
 
@@ -5,6 +5,7 @@
 from localstack.services.cloudformation.engine.parameters import (
     StackParameter,
     convert_stack_parameters_to_list,
+    mask_noecho,
     strip_parameter_type,
 )
 from localstack.utils.aws import arns
@@ -167,7 +168,9 @@ def describe_details(self):
             result["Outputs"] = outputs
         stack_parameters = convert_stack_parameters_to_list(self.resolved_parameters)
         if stack_parameters:
-            result["Parameters"] = [strip_parameter_type(sp) for sp in stack_parameters]
+            result["Parameters"] = [
+                mask_noecho(strip_parameter_type(sp)) for sp in stack_parameters
+            ]
         if not result.get("DriftInformation"):
             result["DriftInformation"] = {"StackDriftStatus": "NOT_CHECKED"}
         for attr in ["Tags", "NotificationARNs"]:
 
@@ -42,8 +42,8 @@ def extract_stack_parameter_declarations(template: dict) -> dict[str, ParameterD
             ParameterKey=param_key,
             DefaultValue=param.get("Default"),
             ParameterType=param.get("Type"),
+            NoEcho=param.get("NoEcho", False),
             # TODO: test & implement rest here
-            # NoEcho=?,
             # ParameterConstraints=?,
             # Description=?
         )
@@ -113,6 +113,7 @@ def resolve_parameters(
             else:
                 resolved_param["ParameterValue"] = new_parameter["ParameterValue"]
 
+        resolved_param["NoEcho"] = pm.get("NoEcho", False)
         resolved_parameters[pm_key] = resolved_param
 
         # Note that SSM parameters always need to be resolved anew here
@@ -152,6 +153,14 @@ def strip_parameter_type(in_param: StackParameter) -> Parameter:
     return result
 
 
+def mask_noecho(in_param: StackParameter) -> Parameter:
+    result = in_param.copy()
+    noecho = result.pop("NoEcho", False)
+    if noecho:
+        result["ParameterValue"] = "*" * len(result.get("ParameterValue", ""))
+    return result
+
+
 def convert_stack_parameters_to_list(
     in_params: dict[str, StackParameter] | None,
 ) -> list[StackParameter]:
 
@@ -92,7 +92,7 @@
     StackInstance,
     StackSet,
 )
-from localstack.services.cloudformation.engine.parameters import strip_parameter_type
+from localstack.services.cloudformation.engine.parameters import mask_noecho, strip_parameter_type
 from localstack.services.cloudformation.engine.resource_ordering import (
     NoResourceInStack,
     order_resources,
@@ -667,7 +667,8 @@ def create_change_set(
             case ChangeSetType.UPDATE:
                 # add changeset to existing stack
                 old_parameters = {
-                    k: strip_parameter_type(v) for k, v in stack.resolved_parameters.items()
+                    k: mask_noecho(strip_parameter_type(v))
+                    for k, v in stack.resolved_parameters.items()
                 }
             case ChangeSetType.IMPORT:
                 raise NotImplementedError()  # TODO: implement importing resources
@@ -1016,7 +1017,7 @@ def validate_template(
                 TemplateParameter(
                     ParameterKey=k,
                     DefaultValue=v.get("Default", ""),
-                    NoEcho=False,
+                    NoEcho=v.get("NoEcho", False),
                     Description=v.get("Description", ""),
                 )
                 for k, v in valid_template.get("Parameters", {}).items()
 
@@ -31,6 +31,22 @@ def test_get_template_summary(deploy_cfn_template, snapshot, aws_client):
     snapshot.match("template-summary", res)
 
 
+@markers.aws.validated
+def test_describe_stacks_noecho(deploy_cfn_template, aws_client, snapshot):
+    snapshot.add_transformer(snapshot.transform.cloudformation_api())
+    deployment = deploy_cfn_template(
+        template_path=os.path.join(
+            # This template has secret parameters that should be masked
+            os.path.dirname(__file__),
+            "../../../templates/cfn_noecho.yml",
+        ),
+        parameters={"MySecretParameter": "SecretValue"},
+    )
+    res = aws_client.cloudformation.describe_stacks(StackName=deployment.stack_name)
+
+    snapshot.match("stacks", res)
+
+
 @markers.aws.validated
 @pytest.mark.parametrize("url_style", ["s3_url", "http_path", "http_host", "http_invalid"])
 def test_create_stack_from_s3_template_url(
 
@@ -1,6 +1,6 @@
 {
   "tests/aws/services/cloudformation/api/test_templates.py::test_get_template_summary": {
-    "recorded-date": "24-05-2023, 15:05:00",
+    "recorded-date": "22-11-2024, 10:56:47",
     "recorded-content": {
       "template-summary": {
         "Metadata": "{'TopicName': 'sns-topic-simple'}",
@@ -25,7 +25,7 @@
     }
   },
   "tests/aws/services/cloudformation/api/test_templates.py::test_create_stack_from_s3_template_url[s3_url]": {
-    "recorded-date": "11-10-2023, 00:03:44",
+    "recorded-date": "22-11-2024, 10:56:49",
     "recorded-content": {
       "create-error": {
         "Error": {
@@ -41,7 +41,7 @@
     }
   },
   "tests/aws/services/cloudformation/api/test_templates.py::test_create_stack_from_s3_template_url[http_path]": {
-    "recorded-date": "11-10-2023, 00:03:53",
+    "recorded-date": "22-11-2024, 10:56:50",
     "recorded-content": {
       "matching-topic": [
         {
@@ -51,7 +51,7 @@
     }
   },
   "tests/aws/services/cloudformation/api/test_templates.py::test_create_stack_from_s3_template_url[http_host]": {
-    "recorded-date": "11-10-2023, 00:04:02",
+    "recorded-date": "22-11-2024, 10:56:51",
     "recorded-content": {
       "matching-topic": [
         {
@@ -61,7 +61,7 @@
     }
   },
   "tests/aws/services/cloudformation/api/test_templates.py::test_create_stack_from_s3_template_url[http_invalid]": {
-    "recorded-date": "11-10-2023, 00:04:04",
+    "recorded-date": "22-11-2024, 10:56:51",
     "recorded-content": {
       "create-error": {
         "Error": {
@@ -77,14 +77,21 @@
     }
   },
   "tests/aws/services/cloudformation/api/test_templates.py::test_validate_template": {
-    "recorded-date": "18-06-2024, 17:23:30",
+    "recorded-date": "22-11-2024, 10:56:51",
     "recorded-content": {
       "validate-template": {
         "Parameters": [
           {
+            "DefaultValue": "",
             "Description": "The EC2 Key Pair to allow SSH access to the instance",
             "NoEcho": false,
             "ParameterKey": "KeyExample"
+          },
+          {
+            "DefaultValue": "",
+            "Description": "Secret value here",
+            "NoEcho": true,
+            "ParameterKey": "SecretKeyExample"
           }
         ],
         "ResponseMetadata": {
@@ -95,12 +102,12 @@
     }
   },
   "tests/aws/services/cloudformation/api/test_templates.py::test_validate_invalid_json_template_should_fail": {
-    "recorded-date": "18-06-2024, 17:25:49",
+    "recorded-date": "22-11-2024, 10:56:51",
     "recorded-content": {
       "validate-invalid-json": {
         "Error": {
           "Code": "ValidationError",
-          "Message": "Template format error: JSON not well-formed. (line 1, column 25)",
+          "Message": "Template Validation Error",
           "Type": "Sender"
         },
         "ResponseMetadata": {
@@ -109,5 +116,52 @@
         }
       }
     }
+  },
+  "tests/aws/services/cloudformation/api/test_templates.py::test_describe_stacks_noecho": {
+    "recorded-date": "22-11-2024, 10:56:49",
+    "recorded-content": {
+      "stacks": {
+        "Stacks": [
+          {
+            "Capabilities": [
+              "CAPABILITY_AUTO_EXPAND",
+              "CAPABILITY_IAM",
+              "CAPABILITY_NAMED_IAM"
+            ],
+            "ChangeSetId": "arn:<partition>:cloudformation:<region>:111111111111:changeSet/<resource:1>",
+            "CreationTime": "datetime",
+            "DisableRollback": false,
+            "DriftInformation": {
+              "StackDriftStatus": "NOT_CHECKED"
+            },
+            "EnableTerminationProtection": false,
+            "LastUpdatedTime": "datetime",
+            "NotificationARNs": [],
+            "Outputs": [
+              {
+                "Description": "Secret value from parameter",
+                "OutputKey": "SecretValue",
+                "OutputValue": "SecretValue"
+              }
+            ],
+            "Parameters": [
+              {
+                "ParameterKey": "MySecretParameter",
+                "ParameterValue": "***********"
+              }
+            ],
+            "RollbackConfiguration": {},
+            "StackId": "arn:<partition>:cloudformation:<region>:111111111111:stack/<stack-name:1>/<resource:2>",
+            "StackName": "<stack-name:1>",
+            "StackStatus": "CREATE_COMPLETE",
+            "Tags": []
+          }
+        ],
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 200
+        }
+      }
+    }
   }
 }
@@ -0,0 +1,18 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Parameters:
+  MySecretParameter:
+    Type: String
+    NoEcho: true
+    Description: "Secret value here"
+
+Resources:
+  LocalBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketName: cfn-noecho-bucket
+
+Outputs:
+  SecretValue:
+    Description: "Secret value from parameter"
+    Value: !Ref MySecretParameter
@@ -3,6 +3,11 @@
       "KeyExample": {
         "Description": "The EC2 Key Pair to allow SSH access to the instance",
         "Type": "AWS::EC2::KeyPair::KeyName"
+      },
+      "SecretKeyExample": {
+        "Description": "Secret value here",
+        "NoEcho": true,
+        "Type": "String"
       }
     },
     "Resources": {