fix: allow CloudFormation intrinsic functions for config fields (#638)

[sid88in]

Enable CloudFormation intrinsic functions for config fields

Fixes #638. Revives #640 (original work by @ronnyroeller).

Background

Before the v2 rewrite, several appSync config values could be set to CloudFormation intrinsic functions (Fn::Join, Fn::ImportValue, Ref, etc.). v2's stricter schema validation locked these fields to primitive boolean/string types, so configs like this stopped resolving:

openIdConnectConfig: {
  issuer: {
    'Fn::Join': ['', ['https://', { 'Fn::ImportValue': 'IssuerDomain' }]],
  },
}

…failing with at appSync/.../issuer: must be string.

What this changes

Restores intrinsic-function support for the config values that are passed straight through to the generated CloudFormation template:

• openIdConnectConfig.issuer
• xrayEnabled
• logging.excludeVerboseContent

Implementation:

• Adds a booleanOrIntrinsicFunction schema definition, mirroring the existing stringOrIntrinsicFunction.
• Points the three fields at the appropriate oneOf definition and widens the corresponding TypeScript types (boolean | IntrinsicFunction / string | IntrinsicFunction).
• No resource-generation changes needed — these values were already written through unchanged, and the validation snapshots now read must be a boolean/string or a CloudFormation intrinsic function.

Intentionally not included

waf.enabled, logging.enabled, caching.enabled, and domain.enabled remain plain booleans. These are synth-time toggles — the plugin checks === false in JS to decide whether to generate the resource at all, so a deploy-time intrinsic can't drive them. Accepting one would pass validation but silently always-create the resource, which would be worse than the current clear error.

Tests

• Added validation cases asserting intrinsic functions are accepted for xrayEnabled, openIdConnectConfig.issuer, and logging.excludeVerboseContent.
• Existing negative cases still fail correctly (a plain string for xrayEnabled, a number for issuer, etc.).
• Full suite green: npm test (334), npm run test:e2e (84), npm run lint (0 errors), npm run build.

Summary by CodeRabbit

• New Features

  • Configuration now accepts CloudFormation intrinsic functions for OIDC issuer, X-Ray enablement, and logging exclusion flags.

• Tests

  • Added tests covering validation of intrinsic-function values for those configuration fields.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4cedc0f7-c59a-4ff1-937e-5d64cbf0e4f6

📥 Commits

Reviewing files that changed from the base of the PR and between faa70a1 and 89c3173.

⛔ Files ignored due to path filters (2)

• src/__tests__/validation/__snapshots__/auth.test.ts.snap is excluded by !**/*.snap
• src/__tests__/validation/__snapshots__/base.test.ts.snap is excluded by !**/*.snap

📒 Files selected for processing (7)

• src/__tests__/validation/auth.test.ts
• src/__tests__/validation/base.test.ts
• src/types/cloudFormation.ts
• src/types/common.ts
• src/types/index.ts
• src/types/plugin.ts
• src/validation.ts

🚧 Files skipped from review as they are similar to previous changes (4)

• src/tests/validation/auth.test.ts
• src/tests/validation/base.test.ts
• src/types/index.ts
• src/validation.ts

---

📝 Walkthrough

Walkthrough

Widened configuration types and extended JSON-schema validation to accept CloudFormation intrinsic functions for OIDC issuer, top-level xrayEnabled, and logging.excludeVerboseContent, and added tests confirming validateConfig accepts intrinsic-based values.

Changes

CloudFormation Intrinsic Functions Support

Layer / File(s)	Summary
CloudFormation intrinsic type additions src/types/cloudFormation.ts	Adds FnImportValue and expands exported IntrinsicFunction union.
Type contracts for intrinsic functions src/types/index.ts, src/types/plugin.ts, src/types/common.ts	AppSyncConfig.xrayEnabled → boolean | IntrinsicFunction; OidcAuth.config.issuer → string | IntrinsicFunction; LoggingConfig.excludeVerboseContent → boolean | IntrinsicFunction.
Validation schema for intrinsics src/validation.ts	Introduces booleanOrIntrinsicFunction schema and switches oidcAuth.issuer, xrayEnabled, and logging.excludeVerboseContent to validate against intrinsic-capable definitions.
Test assertions for intrinsic function support src/__tests__/validation/auth.test.ts, src/__tests__/validation/base.test.ts	Adds tests asserting validateConfig accepts { 'Fn::ImportValue': ... } intrinsics for OIDC issuer, xrayEnabled, and logging.excludeVerboseContent.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• AlexHladin

Poem

🐇 I nibble through schema, types, and test,
Where Ref may nest and dynamic values rest.
No more plain booleans, strings confined—
Intrinsics bloom and play along the line.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main change: allowing CloudFormation intrinsic functions for specific config fields, which is the primary focus of all modifications.
Linked Issues check	✅ Passed	The PR directly addresses issue #638 by restoring support for CloudFormation intrinsic functions in openIdConnectConfig.issuer, xrayEnabled, and logging.excludeVerboseContent with proper type widening and validation schema updates.
Out of Scope Changes check	✅ Passed	All changes are in scope: type widening for intrinsic support, validation schema updates, and test coverage for the three target fields. Synth-time toggles remain restricted as intended per issue requirements.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/638-intrinsic-functions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/types/common.ts`:
- Around line 102-103: The IntrinsicFunction union in
src/types/cloudFormation.ts is missing support for Fn::ImportValue, causing
fields typed as string | IntrinsicFunction (e.g., issuer and
excludeVerboseContent) to reject valid templates; add a new FnImportValue (or
ImportValue) interface/type representing { "Fn::ImportValue": string |
IntrinsicFunction } and include it in the IntrinsicFunction union (e.g., change
FnGetAtt | FnJoin | FnRef | FnSub to FnGetAtt | FnJoin | FnRef | FnSub |
FnImportValue), ensuring recursive nesting remains allowed so constructs like
Fn::Join containing Fn::ImportValue type-check correctly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5a242d1f-fc77-42e1-ad3d-0d7615c07919

📥 Commits

Reviewing files that changed from the base of the PR and between 6bbd830 and 1e4935c.

⛔ Files ignored due to path filters (2)

• src/__tests__/validation/__snapshots__/auth.test.ts.snap is excluded by !**/*.snap
• src/__tests__/validation/__snapshots__/base.test.ts.snap is excluded by !**/*.snap

📒 Files selected for processing (6)

• src/__tests__/validation/auth.test.ts
• src/__tests__/validation/base.test.ts
• src/types/common.ts
• src/types/index.ts
• src/types/plugin.ts
• src/validation.ts