

# Resolve write-only properties
<a name="generate-IaC-write-only-properties"></a>

With the CloudFormation IaC generator, you can generate a template using resources provisioned in your account that are not already managed by CloudFormation. However, certain resource properties are designated as *write-only*, meaning they can be written but can't be read by CloudFormation, for example, a database password. 

When generating CloudFormation templates from existing resources, write-only properties pose a challenge. In most cases, CloudFormation converts these properties into parameters in the generated template. This allows you to enter the properties as parameter values during import operations. However, there are scenarios where this conversion is not possible, and CloudFormation handles these cases differently.

## Mutually exclusive properties
<a name="write-only-mutually-exclusive-properties"></a>

Some resources have multiple sets of mutually exclusive properties, at least some of which are write-only. In these cases, the IaC generator can't determine which set of exclusive properties was applied to the resource during creation. For example, you can provide the code for an [`AWS::Lambda::Function`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html) using one of these sets of properties:
+ `Code/S3Bucket`, `Code/S3Key`, and optionally `Code/S3ObjectVersion`
+ `Code/ImageUri`
+ `Code/ZipFile`

All of these properties are write-only. The IaC generator selects one of the exclusive sets of properties and adds them to the generated template. Parameters are added for each of the write-only properties. The parameter names include `OneOf` and the parameter descriptions indicate that the corresponding property can be replaced with other exclusive properties. The IaC generator sets a warning type of `MUTUALLY_EXCLUSIVE_PROPERTIES` for the included properties.

## Mutually exclusive types
<a name="write-only-mutually-exclusive-types"></a>

In some cases, a write-only property can be of multiple data types. For example, the `Body` property of [`AWS::ApiGateway::RestApi`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-restapi.html) can be either an `object` or a `string`. When this is the case, the IaC generator includes the property in the generated template using the type of `string` and sets a warning type of `MUTUALLY_EXCLUSIVE_TYPES`.

## Array properties
<a name="write-only-array-properties"></a>

If a write-only property has a type of `array`, the IaC generator can't include it in the generated template because parameters can only be scalar values. In this case, the property is omitted from the template, and a warning type of `UNSUPPORTED_PROPERTIES` is set.

## Optional properties
<a name="write-only-optional-properties"></a>

For optional write-only properties, the IaC generator can’t detect if the property was used when setting up the resource. In this case, the property is omitted from the generated template, and a warning type of `UNSUPPORTED_PROPERTIES` is set.

## Warnings and next steps
<a name="write-only-properties-warnings-and-next-steps"></a>

To determine which properties are write-only, you must look at the warnings returned by the IaC generator console. The [AWS resource and property types reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-template-resource-type-ref.html) doesn't indicate if a property is write-only, or if it supports multiple types.

Alternatively, you can see which properties are write-only from the resource provider schemas. To download the resource provider schemas, see the [CloudFormation resource provider schemas](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/resource-type-schemas.html). 
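The following added example (not part of the original documentation) reads the `writeOnlyProperties` list of a resource provider schema and reports each property's type, flagging the array and multiple-type cases described above. The schema shown is a constructed sample for a hypothetical resource type, and the function names are illustrative.

```python
# Constructed sample in the resource provider schema layout (hypothetical type);
# load a downloaded schema file with json.load() to inspect a real one.
SAMPLE_SCHEMA = {
    "typeName": "Example::Demo::Api",
    "definitions": {
        "Auth": {"type": "object",
                 "properties": {"Password": {"type": "string"}}},
    },
    "properties": {
        "Name": {"type": "string"},
        "Body": {"type": ["object", "string"]},
        "Auth": {"$ref": "#/definitions/Auth"},
        "SeedKeys": {"type": "array", "items": {"type": "string"}},
    },
    "writeOnlyProperties": [
        "/properties/Body",
        "/properties/Auth/Password",
        "/properties/SeedKeys",
    ],
}


def _deref(schema, node):
    """Follow local '#/definitions/...' references until a concrete node."""
    while "$ref" in node:
        target = schema
        for key in node["$ref"].lstrip("#/").split("/"):
            target = target[key]
        node = target
    return node


def write_only_report(schema):
    """Map each write-only property path to (types, expected warning or None)."""
    report = {}
    for pointer in schema.get("writeOnlyProperties", []):
        names = pointer.split("/")[2:]  # drop the leading '' and 'properties'
        node = schema
        for name in names:
            node = _deref(schema, node)
            node = node["items"] if name == "*" else node["properties"][name]
        types = _deref(schema, node).get("type", "unknown")
        types = sorted(types) if isinstance(types, list) else [types]
        if "array" in types:
            warning = "UNSUPPORTED_PROPERTIES"    # arrays can't be parameters
        elif len(types) > 1:
            warning = "MUTUALLY_EXCLUSIVE_TYPES"  # generated as a string
        else:
            warning = None  # depends on optional/exclusive use; not decided here
        report["/".join(names)] = (types, warning)
    return report
```

A `None` result means the schema type alone doesn't settle the outcome: the property may become a parameter, or be omitted if it is optional or part of an exclusive set.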

**To resolve issues with write-only properties**

1. Open the [IaC generator page](https://console.aws.amazon.com/cloudformation/home?#iac-generator) of the CloudFormation console.

1. On the navigation bar at the top of the screen, choose the AWS Region for your template.

1. Choose the **Templates** tab, and then choose the name of the template you created.

1. On the **Template definition** tab, when the generated template includes resources with write-only properties, the IaC generator console displays a warning with a summary of the type of issues. For example:  
![IaC generator console warning about write-only properties in generated template](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/IaC-generator-write-only-property-warning.png)

1. Choose **View warning details** for more details. The resources with write-only properties are identified by the logical ID used in the generated template and resource type.

   Use the list of warnings to identify resources with write-only properties and look at each resource to determine what changes (if any) need to be made to the generated template.  
![IaC generator console detailed warnings about write-only properties in generated template](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/images/IaC-generator-write-only-property-resource-warning.png)

1. If your template must be updated to resolve issues with write-only properties, do the following: 

   1. Choose **Download** to download a copy of the template.

   1. Edit your template.

   1. When the changes are complete, you can choose the **Import edited template** button to continue the import process.

# How to resolve issues with write-only properties in AWS::ApiGateway::RestApi resources
<a name="generate-IaC-apigateway-restapi"></a>

This topic explains how to resolve issues with write-only properties in [`AWS::ApiGateway::RestApi`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-restapi.html) resources when using the IaC generator.

## Issue
<a name="apigateway-restapi-write-only-properties-issue"></a>

When a generated template contains `AWS::ApiGateway::RestApi` resources, the IaC generator issues warnings that identify the `Body`, `BodyS3Location`, and `CloneFrom` properties as `UNSUPPORTED_PROPERTIES`. This is because these are optional write-only properties. The IaC generator doesn't know whether these properties were ever applied to the resource. Therefore, it omits these properties from the generated template.

## Resolution
<a name="apigateway-restapi-write-only-properties-resolution"></a>

To set the `Body` property for your REST API, update your generated template.

1. Use the Amazon API Gateway [GetExport](https://docs.aws.amazon.com/apigateway/latest/api/API_GetExport.html) API action to download the API, for example by using the [get-export](https://docs.aws.amazon.com/cli/latest/reference/apigateway/get-export.html) AWS CLI command. For more information, see [Export a REST API from API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-export-api.html) in the *API Gateway Developer Guide*.

1. Retrieve the `Body` property from the response of the `GetExport` API action. Upload it to an Amazon S3 bucket.

1. Download the generated template.

1. Add the `BodyS3Location/Bucket` and `BodyS3Location/Key` properties to the template, specifying the bucket name and key where the `Body` is stored.

1. Open the generated template in the IaC generator console and choose **Import edited template**.

# How to resolve issues with write-only properties in AWS::Lambda::Function resources
<a name="generate-IaC-lambda-function"></a>

This topic explains how to resolve issues with write-only properties in [`AWS::Lambda::Function`](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-lambda-function.html) resources when using the IaC generator.

## Issue
<a name="lambda-function-mutually-exclusive-properties-issue"></a>

The `AWS::Lambda::Function` resource has three mutually exclusive sets of properties for specifying the Lambda code:
+ `Code/S3Bucket` and `Code/S3Key` properties, and optionally the `Code/S3ObjectVersion` property
+ `Code/ImageUri` property
+ `Code/ZipFile` property

Only one of these sets can be used for a given `AWS::Lambda::Function` resource.

The IaC generator can't determine which set of exclusive write-only properties was used to create or update the resource. As a result, it includes only the first set of properties in the generated template. The `Code/ImageUri` and `Code/ZipFile` properties are omitted. 

Additionally, the IaC generator issues the following warnings:
+ **`MUTUALLY_EXCLUSIVE_PROPERTIES`** – Warns that `Code/S3Bucket` and `Code/S3Key` are identified as mutually exclusive properties.
+ **`UNSUPPORTED_PROPERTIES`** – Warns that the `Code/S3ObjectVersion` property is unsupported.

To include `AWS::Lambda::Function` resources in a generated template, you must download and update the template with the correct code properties.

## Resolution
<a name="lambda-function-mutually-exclusive-properties-resolution"></a>

**If you store your Lambda code in an Amazon S3 bucket and do not use the `S3ObjectVersion` property**, you can import the generated template without any modifications. The IaC generator will ask you for the Amazon S3 bucket and key as template parameters during the import operation.

**If you store your Lambda code in an Amazon ECR repository**, you can update your template using the following instructions:

1. Download the generated template.

1. Remove the properties and corresponding parameters for the `Code/S3Bucket` and `Code/S3Key` properties from the generated template.

1. Replace the removed properties in the generated template with the `Code/ImageUri` property, specifying the URL for the Amazon ECR repository.

1. Open the generated template in the IaC generator console and choose the **Import edited template** button.

**If you store your Lambda code in a zip file**, you can update your template using the following instructions:

1. Download the generated template.

1. Remove the properties and corresponding parameters for the `Code/S3Bucket` and `Code/S3Key` properties from the generated template.

1. Replace the removed properties in the generated template with the `Code/ZipFile` property.

1. Open the generated template in the IaC generator console and choose the **Import edited template** button.
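The template edit described in the Amazon ECR and zip file procedures above can be scripted. This added example (not part of the original documentation) replaces the `Code` block with a single exclusive set and removes the parameters that are no longer referenced. The sample template, logical ID, parameter names, and image URI are constructed for illustration.

```python
import copy

# Constructed sample of a generated template; the logical ID and parameter
# names are hypothetical (the page only says the names include "OneOf").
GENERATED = {
    "Parameters": {
        "MyFunctionCodeS3BucketOneOf": {"Type": "String"},
        "MyFunctionCodeS3KeyOneOf": {"Type": "String"},
    },
    "Resources": {
        "MyFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Role": "arn:aws:iam::111122223333:role/example-role",
                "Code": {"S3Bucket": {"Ref": "MyFunctionCodeS3BucketOneOf"},
                         "S3Key": {"Ref": "MyFunctionCodeS3KeyOneOf"}},
            },
        }
    },
}

EXCLUSIVE_SETS = [{"S3Bucket", "S3Key", "S3ObjectVersion"}, {"ImageUri"}, {"ZipFile"}]


def _refs(node):
    """Collect names used in {"Ref": ...}; Fn::Sub strings are not parsed."""
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            return {node["Ref"]}
        node = list(node.values())
    if isinstance(node, list):
        return set().union(*(_refs(v) for v in node))
    return set()


def use_code_set(template, logical_id, code):
    """Return a copy whose function uses exactly one Code set, for example
    {"ImageUri": ...} or {"ZipFile": ...}, with orphaned parameters removed."""
    if not code or not any(set(code) <= s for s in EXCLUSIVE_SETS):
        raise ValueError("Code must use properties from one exclusive set only")
    out = copy.deepcopy(template)
    props = out["Resources"][logical_id]["Properties"]
    old_refs = _refs(props.get("Code", {}))
    props["Code"] = code
    params = out.get("Parameters", {})
    for name in old_refs - _refs(out["Resources"]):
        params.pop(name, None)  # parameter is no longer referenced anywhere
    if not params:
        out.pop("Parameters", None)
    return out
```

Parameters that another resource still references through `Ref` are kept, so the edit can't silently break the rest of the template.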

**If you don’t have a copy of your Lambda code**, you can update your template using the following instructions:

1. Use the AWS Lambda [GetFunction](https://docs.aws.amazon.com/lambda/latest/api/API_GetFunction.html) API action (for example, by using the [get-function](https://docs.aws.amazon.com/cli/latest/reference/lambda/get-function.html) AWS CLI command).

1. In the response, the `RepositoryType` parameter is `S3` if the code is in an Amazon S3 bucket, or `ECR` if the code is in an Amazon ECR repository.

1. In the response, the `Location` parameter contains a pre-signed URL that you can use to download the deployment package for 10 minutes. Download the code.

1. Upload the code to an Amazon S3 bucket.

1. Run an import operation with the generated template and provide the bucket name and key as parameter values.