ROS Features Support

InfraGuard supports a wide range of ROS (Resource Orchestration Service) template features for static analysis and validation of your infrastructure code.

Functions

InfraGuard supports the following ROS functions:

String Functions

Fn::Join - Joins strings with a delimiter
Fn::Sub - Substitutes variables in a string
Fn::Split - Splits a string into a list
Fn::Replace - Replaces strings in text
Fn::Str - Converts values to strings
Fn::Indent - Indents text

Encoding Functions

Fn::Base64Encode - Encodes to Base64
Fn::Base64Decode - Decodes from Base64

List Functions

Fn::Select - Selects an element from a list
Fn::Index - Finds the index of an element
Fn::Length - Returns the length of a list or string
Fn::ListMerge - Merges multiple lists

Map Functions

Fn::FindInMap - Retrieves values from a mapping
Fn::SelectMapList - Selects values from a list of maps
Fn::MergeMapToList - Merges maps into a list

Mathematical Functions

Fn::Add - Adds numbers
Fn::Avg - Calculates average
Fn::Max - Returns maximum value
Fn::Min - Returns minimum value
Fn::Calculate - Evaluates mathematical expressions

Conditional Functions

Fn::If - Returns values based on conditions
Fn::Equals - Compares two values
Fn::And - Logical AND
Fn::Or - Logical OR
Fn::Not - Logical NOT
Fn::Contains - Checks if a value is in a list
Fn::Any - Checks if any condition is true
Fn::EachMemberIn - Checks if all elements are in another list
Fn::MatchPattern - Matches against a pattern

Utility Functions

Fn::GetJsonValue - Extracts values from JSON
Ref - References parameters and resources

Conditions

InfraGuard fully supports the ROS Conditions feature, including:

Condition Definition - Define conditions in the Conditions section
Condition Functions - Use Fn::Equals, Fn::And, Fn::Or, Fn::Not, Fn::If in conditions
Condition References - Reference conditions in resources and outputs
Dependency Resolution - Automatically resolves condition dependencies

YAML Short Syntax

InfraGuard supports the YAML short syntax (tag notation) for ROS functions:

!Ref - Short form of Ref
!GetAtt - Short form of Fn::GetAtt
All other Fn::* functions can be written as !FunctionName

The YAML parser automatically converts these short forms to their standard map representation during template loading.

Unsupported Features

InfraGuard focuses on static analysis and currently does not support the following features in static mode:

Runtime Functions

Fn::GetAtt - Requires actual resource creation to retrieve attributes
Fn::GetAZs - Requires runtime query to cloud provider
Fn::GetStackOutput - Requires access to other stack outputs

Template Sections

Locals - Local variable definitions
Transform - Template transformations and macros
Rules - Template validation rules
Mappings - Static value mappings (not analyzed for policy violations)

Special References

Pseudo parameters (e.g., ALIYUN::StackId, ALIYUN::Region, etc.) - System-provided parameters

These features will be preserved as-is in the analysis output without evaluation or validation when using static mode.

Tip: For templates that use features not supported by static analysis (such as Fn::GetAtt, Fn::GetAZs, etc.), we recommend using --mode preview to leverage the ROS PreviewStack API for more accurate analysis. Preview mode evaluates templates with actual cloud provider context, enabling support for runtime functions and other dynamic features.

Functions​

String Functions​

Encoding Functions​

List Functions​

Map Functions​

Mathematical Functions​

Conditional Functions​

Utility Functions​

Conditions​

YAML Short Syntax​

Unsupported Features​

Runtime Functions​

Template Sections​

Special References​

Related Resources​