For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-aws-stack-without-template.md.
CloudFormation stack tasks must specify exactly one template source. Missing or ambiguous templates can cause failed deployments or unintended resource changes that increase security and availability risks.
For Ansible modules amazon.aws.cloudformation, cloudformation, community.aws.cloudformation_stack_set, and cloudformation_stack_set, one of the properties template, template_body, or template_url must be present and non-empty. Resources that omit all three properties are flagged as missing a template. Resources that set more than one are flagged because multiple template sources are ambiguous and can lead to unexpected template selection.
Secure examples (valid configurations):

```yaml
- name: Create CloudFormation stack from local template
  amazon.aws.cloudformation:
    stack_name: my-stack
    template: /path/to/template.yaml

- name: Create CloudFormation stack from S3 URL
  amazon.aws.cloudformation:
    stack_name: my-stack
    template_url: https://s3.amazonaws.com/bucket/my-template.yaml
```
Compliant Code Examples

```yaml
- name: create a stack, pass in the template body via lookup template v3
  amazon.aws.cloudformation:
    stack_name: ansible-cloudformation
    state: present
    region: us-east-1
    disable_rollback: true
    template_body: "{{ lookup('template', 'cloudformation.j2') }}"
    template_parameters:
      KeyName: jmartin
      DiskType: ephemeral
      InstanceType: m1.small
      ClusterSize: 3
    tags:
      Stack: ansible-cloudformation

- name: create a stack, pass in the template via an URL v4
  amazon.aws.cloudformation:
    stack_name: ansible-cloudformation
    state: present
    region: us-east-1
    disable_rollback: true
    template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template
    template_parameters:
      KeyName: jmartin
      DiskType: ephemeral
      InstanceType: m1.small
      ClusterSize: 3
    tags:
      Stack: ansible-cloudformation

- name: Create a stack set with instances in two accounts v5
  community.aws.cloudformation_stack_set:
    name: my-stack
    description: Test stack in two accounts
    state: present
    template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template
    accounts: [1234567890, 2345678901]
    regions:
      - us-east-1
```
Non-Compliant Code Examples

```yaml
# Flagged: none of template, template_body or template_url is set.
- name: create a stack, pass in the template via an URL
  amazon.aws.cloudformation:
    stack_name: "ansible-cloudformation"
    state: present
    region: us-east-1
    disable_rollback: true
    template_parameters:
      KeyName: jmartin
      DiskType: ephemeral
      InstanceType: m1.small
      ClusterSize: 3
    tags:
      Stack: ansible-cloudformation

# Flagged: template_url and template_body are both set, so the template source is ambiguous.
- name: create a stack, pass in the template via an URL v2
  amazon.aws.cloudformation:
    stack_name: "ansible-cloudformation"
    state: present
    region: us-east-1
    disable_rollback: true
    template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template
    template_body: "{{ lookup('template', 'cloudformation.j2') }}"
    template_parameters:
      KeyName: jmartin
      DiskType: ephemeral
      InstanceType: m1.small
      ClusterSize: 3
    tags:
      Stack: ansible-cloudformation

# Flagged: template_url and template_body are both set on the stack set.
- name: Create a stack set with instances in two accounts
  community.aws.cloudformation_stack_set:
    name: my-stack
    description: Test stack in two accounts
    state: present
    template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template
    template_body: "{{ lookup('template', 'cloudformation.j2') }}"
    accounts: [1234567890, 2345678901]
    regions:
      - us-east-1

# Flagged: the stack set has no template source at all.
- name: Create a stack set with instances in two accounts v2
  community.aws.cloudformation_stack_set:
    name: my-stack
    description: Test stack in two accounts
    state: present
    accounts: [1234567890, 2345678901]
    regions:
      - us-east-1
```
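As an added example (not Datadog's scanner code and not part of the Ansible collections), the following Python checker applies the rule above to tasks that have already been loaded from a playbook with a YAML parser such as `yaml.safe_load`; the sample task dicts are constructed to mirror the compliant and non-compliant examples on this page.

```python
from typing import Any, Optional

# Module names covered by this rule, as listed on the page.
CLOUDFORMATION_MODULES = {
    "amazon.aws.cloudformation", "cloudformation",
    "community.aws.cloudformation_stack_set", "cloudformation_stack_set",
}
TEMPLATE_KEYS = ("template", "template_body", "template_url")

def _is_set(value: Any) -> bool:
    """Treat None and empty or whitespace-only strings as 'not provided'."""
    if isinstance(value, str):
        return value.strip() != ""
    return value is not None

def check_task(task: dict) -> Optional[str]:
    """Return a finding for one task, or None if it is compliant or not covered."""
    for module in CLOUDFORMATION_MODULES:
        if module not in task:
            continue
        # Free-form (string) args carry no template key, so treat them as empty.
        args = task[module] if isinstance(task[module], dict) else {}
        present = [k for k in TEMPLATE_KEYS if _is_set(args.get(k))]
        name = task.get("name", "<unnamed>")
        if not present:
            return f"{name}: {module} sets none of {', '.join(TEMPLATE_KEYS)}"
        if len(present) > 1:
            return f"{name}: {module} sets several template sources ({', '.join(present)})"
        return None
    return None

def check_tasks(tasks: list) -> list:
    """Apply check_task to every task (e.g. a play's 'tasks' list) and collect findings."""
    return [f for f in (check_task(t) for t in tasks) if f]

# Constructed sample tasks mirroring the page's compliant and non-compliant cases.
SAMPLE_TASKS = [
    {"name": "local template", "amazon.aws.cloudformation":
        {"stack_name": "my-stack", "template": "/path/to/template.yaml"}},
    {"name": "no template", "amazon.aws.cloudformation":
        {"stack_name": "ansible-cloudformation", "state": "present"}},
    {"name": "two sources", "community.aws.cloudformation_stack_set":
        {"template_url": "https://s3.amazonaws.com/my-bucket/cloudformation.template",
         "template_body": "{{ lookup('template', 'cloudformation.j2') }}"}},
    {"name": "empty url", "cloudformation": {"stack_name": "my-stack", "template_url": ""}},
    {"name": "unrelated", "ansible.builtin.debug": {"msg": "not covered by the rule"}},
]

if __name__ == "__main__":
    print("\n".join(check_tasks(SAMPLE_TASKS)))
```

Running the block prints three findings: the task with no template, the stack set with two sources, and the task whose template_url is an empty string.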
```yaml
rulesets:
  - Ansible / AWS # Rules to enforce / AWS.
```