Reputation: 426
AWS docs and references online don't seem to suggest it's possible to allow a CloudFormation template key (YAML in my case) to be populated by a Parameter.
I need to create IAM policies which lock down the AssumeRoleWithWebIdentity to only EKS Service Accounts to the EKS OIDC provider.
Effect: "Allow"
Principal:
  Federated:
    - !Ref MasterARN
Condition:
  StringLike:
    !Ref MasterOIDC: !Ref ServiceAccount
Action:
  - "sts:AssumeRoleWithWebIdentity"
I can see why CloudFormation wouldn't allow this as you can abuse the 'template' but I think this is an edge case.
Tags (key: value) get around this by making you pass the key under a 'Name' key (e.g. Name: key; Value: value).
Upvotes: 4
Views: 1473
Reputation: 17486
If I understood your question correctly (you want the condition name to depend on the parameters), you can use the PyPlate macro for this.
AWSTemplateFormatVersion: "2010-09-09"
Transform: [PyPlate]
Description: A stack that provisions a bunch of s3 buckets based on param names
Parameters:
  CreateOne:
    Type: String
    Default: "a"
  CreateTwo:
    Type: String
    Default: "a"
Conditions:
  |
    #!PyPlate
    output = {}
    for k in params:
        output[k] = {"Fn::Equals" : ["prod", "prod"]}
Resources:
  myBucket:
    Type: AWS::S3::Bucket
    Condition: CreateOne
The processed template will be:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A stack that provisions a bunch of s3 buckets based on param names",
  "Parameters": {
    "CreateOne": {
      "Type": "String",
      "Default": "a"
    },
    "CreateTwo": {
      "Type": "String",
      "Default": "a"
    }
  },
  "Resources": {
    "myBucket": {
      "Type": "AWS::S3::Bucket",
      "Condition": "CreateOne"
    }
  },
  "Conditions": {
    "CreateOne": {
      "Fn::Equals": [
        "prod",
        "prod"
      ]
    },
    "CreateTwo": {
      "Fn::Equals": [
        "prod",
        "prod"
      ]
    }
  }
}
Upvotes: 1
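As an added example, not part of the question or the answer and not the PyPlate project's code, the Python below mirrors what inline macro code would compute for the trust policy in the question. It assumes, as in the answer's snippet, that template parameters arrive in a `params` dict; the parameter values used here are constructed. It builds the statement whose condition key is derived from the MasterOIDC parameter (`<oidc-host>:sub`, the key EKS IAM roles for service accounts evaluate), and adds a check that the resulting policy really is pinned to one service account rather than accepting any token issued by the provider.

```python
import json

# Constructed sample parameters standing in for the template's Parameters section
# (the account id, region and provider id are placeholders, not real values).
SAMPLE_PARAMS = {
    "MasterARN": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEID",
    "MasterOIDC": "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEID",
    "ServiceAccount": "system:serviceaccount:kube-system:my-app",
}


def build_trust_policy(params, operator="StringLike"):
    """Return the role trust policy the question's YAML was trying to express.

    The condition key is computed from a parameter (`<oidc-host>:sub`), which is
    what plain CloudFormation intrinsics cannot do but inline macro code can.
    `operator` defaults to StringLike to match the question; StringEquals is the
    stricter choice when no wildcard matching is wanted.
    """
    oidc_host = params["MasterOIDC"]
    statement = {
        "Effect": "Allow",
        "Principal": {"Federated": params["MasterARN"]},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {operator: {f"{oidc_host}:sub": params["ServiceAccount"]}},
    }
    return {"Version": "2012-10-17", "Statement": [statement]}


def find_weaknesses(policy):
    """Flag web-identity statements that are not pinned to a specific subject.

    Two cases are reported: no ':sub' condition at all (any identity the provider
    issues could assume the role) and a ':sub' value containing IAM wildcards.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        condition = stmt.get("Condition", {})
        sub_keys = {
            key: value
            for operator_block in condition.values()
            for key, value in operator_block.items()
            if key.endswith(":sub")
        }
        if not sub_keys:
            findings.append(f"statement {i}: no ':sub' condition, any provider identity may assume the role")
            continue
        for key, value in sub_keys.items():
            values = value if isinstance(value, list) else [value]
            for v in values:
                if "*" in v or "?" in v:
                    findings.append(f"statement {i}: wildcard in {key} value {v!r}")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(SAMPLE_PARAMS)
    print(json.dumps(policy, indent=2))
    print("findings:", find_weaknesses(policy))
```

The check is the part worth keeping around: a macro makes the key dynamic, so it also makes it easy to feed in a value such as `system:serviceaccount:*:*`, which StringLike accepts and which widens the trust to every service account in the cluster.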