cloudformation-coverage-roadmap
[AWS::S3::Bucket] - [BUG] - Validation allows upload and execution of change sets with invalid string values for UpdateReplacePolicy
Name of the resource
AWS::S3::Bucket
Resource Name
No response
Issue Description
Validation allows upload and execution of change sets with templates that include invalid values for UpdateReplacePolicy when the value is wrapped in an IF with a conditional. This results in the update hanging and not responding to cancel update commands until the internal timeout throws an "Internal Failure" and rolls back the stack. This potentially risks a 45-minute outage for any stacks affected. Combined with events for these changes not showing up in the stack event log - #2095 - it makes it very difficult to locate the root cause.
Note that this behavior has been confirmed for S3 bucket resources, and may impact other resources, but not necessarily all. KMS keys, for example, appear to throw a validation error when the change set is submitted - but at least they don't allow execution of the change set.
Expected Behavior
I would expect template validation to fail in a similar way that it does for invalid values passed for the DeletionPolicy attribute under the same conditions.
Observed Behavior
Template is allowed to be uploaded and an executable change is created.
Test Cases
Parameters:
  ResourceRetainOnDelete:
    Type: String
    AllowedValues:
      - 'true'
      - 'false'
    Default: 'true'
Conditions:
  ResourceRetainOnDeleteCond: !Equals [!Ref ResourceRetainOnDelete, 'true']
Resources:
  S3InventoryBucket:
    Type: AWS::S3::Bucket
    UpdateReplacePolicy: !If [ResourceRetainOnDeleteCond, 'INVALIDVALUE', 'Delete']
Other Details
No response
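
A pre-deployment check for the gap reported above, as an added example that is not part of the original issue or of any AWS tooling: it walks both branches of every `Fn::If` under `UpdateReplacePolicy` and flags any branch that is not a documented value, so the bad template is rejected before a change set is created. It assumes the template is in JSON form; the names `leaf_values`, `find_invalid_policies` and `SAMPLE` are hypothetical, and the sample is the issue's template rewritten as JSON.

```python
import json

# Values CloudFormation documents for UpdateReplacePolicy.
VALID_UPDATE_REPLACE = {"Delete", "Retain", "Snapshot"}

# Constructed sample: the template from this issue, rewritten as JSON.
SAMPLE = json.loads("""
{
  "Parameters": {"ResourceRetainOnDelete": {"Type": "String",
      "AllowedValues": ["true", "false"], "Default": "true"}},
  "Conditions": {"ResourceRetainOnDeleteCond":
      {"Fn::Equals": [{"Ref": "ResourceRetainOnDelete"}, "true"]}},
  "Resources": {"S3InventoryBucket": {"Type": "AWS::S3::Bucket",
      "UpdateReplacePolicy":
        {"Fn::If": ["ResourceRetainOnDeleteCond", "INVALIDVALUE", "Delete"]}}}
}
""")


def leaf_values(node):
    """Yield every value the expression can resolve to, through nested Fn::If."""
    if isinstance(node, dict) and list(node) == ["Fn::If"]:
        args = node["Fn::If"]
        if isinstance(args, list) and len(args) == 3:
            yield from leaf_values(args[1])  # branch when the condition is true
            yield from leaf_values(args[2])  # branch when the condition is false
            return
    yield node  # a literal, or something this check cannot resolve statically


def find_invalid_policies(template):
    """Return (resource, value) pairs for every branch that is not a valid policy."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if "UpdateReplacePolicy" not in resource:
            continue
        for value in leaf_values(resource["UpdateReplacePolicy"]):
            if not (isinstance(value, str) and value in VALID_UPDATE_REPLACE):
                findings.append((name, value))
    return findings


if __name__ == "__main__":
    problems = find_invalid_policies(SAMPLE)
    for name, value in problems:
        print(f"{name}: UpdateReplacePolicy branch {value!r} is not one of "
              f"{sorted(VALID_UPDATE_REPLACE)}")
    raise SystemExit(1 if problems else 0)
```

Branches that are not plain strings (for example a `Ref`) are reported as well, since this check cannot confirm what they resolve to.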