I have the following resource in my CloudFormation template that's trying to create a listener rule. The idea is, based on the passed-in EnvironmentType, and the AWS Region, I want to import the listener ARN from the appropriate CloudFormation stack that exported it.
Parameters:
EnvironmentType:
Type: String
Default: "sandbox"
ECSClusterStackNameParameter:
Type: String
Default: "ECS-US-Sandbox"
Mappings:
production:
us-east-1:
stackWithAlbListenerInfo: "ECS-US-Prod"
eu-north-1:
stackWithAlbListenerInfo: "ECS-EU-Prod"
staging:
us-east-1:
stackWithAlbListenerInfo: "ECS-US-Staging"
eu-north-1:
stackWithAlbListenerInfo: ""
sandbox:
us-east-1:
stackWithAlbListenerInfo: "ECS-US-Sandbox"
eu-north-1:
stackWithAlbListenerInfo: ""
Conditions:
StackExists:
!Not [ !Equals [ !FindInMap [ !Ref EnvironmentType, !Ref "AWS::Region", stackWithAlbListenerInfo ], ""] ]
Resources:
AlbListenerRule:
Type: AWS::ElasticLoadBalancingV2::ListenerRule
Condition: UseListenerRule
Properties:
ListenerArn:
!If
- StackExists
-
- Fn::ImportValue:
!Join
- "-"
- - !FindInMap [ !Ref EnvironmentType, !Ref "AWS::Region", stackWithAlbListenerInfo ]
- "ListenerArn"
- Fn::ImportValue:
- !Sub "${ECSClusterStackNameParameter}-ListenerArn"
However, it fails validation due to this error, and seems like the first Fn::ImportValue: doesn't like the !Join. But !Join returns a concatenated string correct? What am I missing?
ERROR: Service: marcom-stats-service, cfnUpdate error: com.amazonaws.services.cloudformation.model.AmazonCloudFormationException: Template error: the attribute in Fn::ImportValue must be a string or a function that returns a string (Service: AmazonCloudFormation; Status Code: 400; Error Code: ValidationError; Request ID: 2678552e-cf6c-46e1-b640-a7c07de385c2; Proxy: null)
UPDATE:
Though Robert Kossendey's answer fixed my error, my original template was wrong. This is really what I wanted to do. I hope it helps someone.
AlbListenerRule:
Type: AWS::ElasticLoadBalancingV2::ListenerRule
Condition: UseListenerRule
Properties:
ListenerArn:
Fn::ImportValue: !Sub
- ${StackName}-ListenerArn
- { StackName: !If [ StackExists, !FindInMap [ !Ref EnvironmentType, !Ref "AWS::Region", stackWithAlbListenerInfo ], !Ref ECSClusterStackNameParameter ] }
Now I see it I think. At the second import you need to remove the dash in front of the !Sub:
- Fn::ImportValue:
!Sub "${ECSClusterStackNameParameter}-ListenerArn"
Related
Im working with 2 nested stacks. I need to use security group ids exported from NestedA in NestedB. The exported security group ids are to be used in a SecurityGroupIds property in NestedB based on conditions.
However cloudformation returns error: Property validation failure: [Value of property {/LaunchTemplateData/SecurityGroupIds/0} does not match type {String}]
The following are snippets of what I have tried:
NestedA export
Outputs:
SG1
Value: !Join
- ','
- - !Ref securitygroup1
- !Ref securitygroup2
Export:
Name: !Sub ${ExportVpcStackName}-SG1
SG2
Value: !Join
- ','
- - !Ref securitygroup3
- !Ref securitygroup4
Export:
Name: !Sub ${ExportVpcStackName}-SG2
ParentStack
Resources:
...
launchtemplate:
Type: AWS::Cloudformation::Stack
Properties:
TemplateURL: https://s3/nestedB.yaml
...
SG1:
Fn::ImportValue: !Sub ${ExportVpcStackName}-SG1
SG2:
Fn::ImportValue: !Sub ${ExportVpcStackName}-SG2
NestedB import
Parameters:
SG1
Type: List<AWS::EC2::SecurityGroup::Id>
SG2
Type: List<AWS::EC2::SecurityGroup::Id>
Resources:
launchtemplate:
Type: AWS::EC2::LaunchTemplate
Properties:
LaunchTemplateData:
...
SecurityGroupIds:
!If
- Condition1
-
- !Ref SG1
- !Ref SG2
- !If
- Condition2
-
- !Ref SG1
- !Ref AWS::NoValue
Ive also tried importing each of the security groups directly/individually into NestedB with no success ie:
NestedA export
Outputs:
securitygroup1:
Value: !Ref securitygroup1
Export:
Name: !Sub ${ExportVpcStackName}-securitygroup1
securitygroup2:
Value: !Ref securitygroup2
Export:
Name: !Sub ${ExportVpcStackName}-securitygroup2
securitygroup3:
Value: !Ref securitygroup3
Export:
Name: !Sub ${ExportVpcStackName}-securitygroup3
securitygroup4:
Value: !Ref securitygroup4
Export:
Name: !Sub ${ExportVpcStackName}-securitygroup4
NestedB import
Resources:
launchtemplate:
Type: AWS::EC2::LaunchTemplate
Properties:
LaunchTemplateData:
...
SecurityGroupIds:
!If
- Condition1
-
- Fn::ImportValue: !Sub ${ExportVpcStackName}-securitygroup1
- Fn::ImportValue: !Sub ${ExportVpcStackName}-securitygroup2
- Fn::ImportValue: !Sub ${ExportVpcStackName}-securitygroup3
- Fn::ImportValue: !Sub ${ExportVpcStackName}-securitygroup4
- !If
- Condition2
-
- Fn::ImportValue: !Sub ${ExportVpcStackName}-securitygroup1
- Fn::ImportValue: !Sub ${ExportVpcStackName}-securitygroup2
- !Ref AWS::NoValue
Whats the error Im making?
Edit: I have tried #marcin suggestion but still get the error:
Property validation failure: [Value of property {/LaunchTemplateData/SecurityGroupIds/0} does not match type {String}]
Instead of Type: List<AWS::EC2::SecurityGroup::Id>, please use CommaDelimitedList.
Also your SG1 is a list of SGs. You have to use Fn::Select to get individual SG values from the list.
I am trying to get a value from one stack to another using the below syntax.
stack one-
Outputs:
CompRestAPI:
Description: Rest Api Id
Value: !Ref CompRestAPI
Export:
Name: 'CompRestAPI'
Stack two -
CompRestApiWaf:
Type: AWS::WAFv2::WebACLAssociation
DependsOn: CompApiGatewayStage
Properties:
RestApiId: !ImportValue 'CompRestAPI'
ResourceArn: !Sub 'arn:aws:apigateway:${REGION}:/${RestApiId}/${STAGENAME}-apistage'
WebACLArn: !Ref WafId
I am able to get the values for other resources using 1st syntax, but I am not able to get the value for RestApiId under !Sub
RestApiId: !ImportValue 'CompRestAPI'
ResourceArn: !Sub 'arn:aws:apigateway:${REGION}:/${RestApiId}/apistage'
So is there any way to use !ImportValue under !Sub condition?
I tried it using below code, validation is pass but still showing me an error
Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter:
CompRestApiWaf:
Type: AWS::WAFv2::WebACLAssociation
DependsOn: CompApiGatewayStage
Properties:
ResourceArn: !Sub 'arn:aws:apigateway:${REGION}:/{!ImportValue CompRestAPI}/stages/apistage'
WebACLArn: !Ref WafId
I am done with it using Fn::join:
SourceArn:
Fn::Join:
- ""
- - 'arn:aws:execute-api:'
- !Ref AWS::Region
- ':'
- !Ref AWS::AccountId
- ':'
- !Ref ApiGatewayRestApiResource
- '/*'
this should work
ResourceArn: !Sub
- 'arn:aws:apigateway:${REGION}:/${CompRestAPI}/stages/apistage'
- CompRestAPI: !ImportValue CompRestAPI
you can expand the second parameter to have multiple keys for multiple imports like so
SecretString: !Sub
- 'postgres://${username}:${password}#${dbhost}:${dbport}/${dbname}'
- username: !Ref 'DBUser'
password: !Ref 'DBPassword'
dbhost: !Ref DbMasterDnsEntry
dbport: !GetAtt AuroraPgCluster.Endpoint.Port
dbname: !Ref 'DBName'
I have a below cloudformation code, i dont want to setup a VPC Configuration if the account is XXXXX
AWSTemplateFormatVersion: '2010-09-09'
Description: VPC function.
Mappings:
"129921924252":
"ap-southeast-1":
Subnets:
- "vpc-PrivateSubnetId1"
- "vpc-PrivateSubnetId2"
Conditions:
CheckAccount: {"Fn::Equals": [ !Ref AWS::AccountId, "123456780976"]}
Resources:
Function:
Type: AWS::Lambda::Function
Properties:
Handler: index.handler
Role: arn:aws:iam::129921924252:role/service-role/ASG-Lambda-role-n27an6nj
Code:
ZipFile:
Fn::Sub: |
import json
import boto3
import os
from botocore.exceptions import ClientError
Runtime: nodejs12.x
Timeout: 5
TracingConfig:
Mode: Active
VpcConfig:
- Fn::If:
- CheckAccount
SecurityGroupIds:
- sg-0305baf25b2dd4891
SubnetIds:
-
Fn::ImportValue:
Fn::Select: [0, Fn::FindInMap : [!Ref AWS::AccountId, !Ref AWS::Region, Subnets]]
-
Fn::ImportValue:
Fn::Select: [1, Fn::FindInMap : [!Ref AWS::AccountId, !Ref AWS::Region, Subnets]]
- !Ref AWS::NoValue
Im getting error when trying above code:
Properties validation failed for resource Function with message: #/VpcConfig: expected type: JSONObject, found: JSONArray
The syntax of your Fn::If statement seems to be incorrect. Have a look at the following example from the documentation:
UpdatePolicy:
AutoScalingRollingUpdate:
!If
- RollingUpdates
-
MaxBatchSize: 2
MinInstancesInService: 2
PauseTime: PT0M30S
- !Ref "AWS::NoValue"
So in your case that would be:
VpcConfig:
- Fn::If:
- CheckAccount
- SecurityGroupIds:
- sg-0305baf25b2dd4891
SubnetIds:
- Fn::ImportValue:
Fn::Select: [0, Fn::FindInMap : [!Ref AWS::AccountId, !Ref AWS::Region, Subnets]]
- Fn::ImportValue:
Fn::Select: [1, Fn::FindInMap : [!Ref AWS::AccountId, !Ref AWS::Region, Subnets]]
- !Ref AWS::NoValue
I am writing CF code to launch ec2 instance, this is what my code looks like:
I am facing these 2 issues:
1) I get this error "Template validation error: Template error: unresolved condition dependency BackupSize in Fn::If"
2) I want to join Parameter Name and from Mappings USERDATA. (The remaining userdata works fine, but this join is not working and just puts the same code in the userdata.
Can anyone help me out please?
AWSTemplateFormatVersion: "2010-09-09"
Description: "This template should be used to deploy ONLY test servers"
Mappings:
Regions:
us-east-1:
"AMI": "ami-x"
"VPC": "vpc-x"
"SUBNET": "subnet-x"
"USERDATA": ".example.com"
"SHARE": "server1:/share"
"SecurityGroups": "sg-x"
"SecurityGroups2": "sg-y"
Parameters:
ApplSize:
Description: "Please enter application vol. size"
Type: "String"
BackupSize:
Description: "Please enter backup vol. size"
Type: "String"
Resources:
EC2Instance:
Type: "AWS::EC2::Instance"
Properties:
ImageId: !FindInMap [Regions, !Ref "AWS::Region", AMI]
InstanceType: !Ref InstanceType
SubnetId: !FindInMap [Regions, !Ref "AWS::Region", SUBNET]
SecurityGroupIds:
- !FindInMap [Regions, !Ref "AWS::Region", SecurityGroups]
- !FindInMap [Regions, !Ref "AWS::Region", SecurityGroups2]
BlockDeviceMappings:
-
DeviceName : "/dev/sda1"
Ebs:
VolumeSize: "20"
VolumeType: gp2
-
DeviceName : "/dev/sde"
Ebs:
VolumeSize: !Ref ApplSize
VolumeType: gp2
-
DeviceName : "/dev/sdc"
Ebs:
VolumeSize: "5"
VolumeType: gp2
- Fn::If:
- BackupSize
-
DeviceName : "/dev/sdg"
Ebs:
VolumeSize: !Ref BackupSize
VolumeType: gp2
- !Ref "AWS::NoValue"
UserData:
Fn::Base64: !Sub |
#!/bin/bash
NEW_HOSTNAME=Fn::Join: [ " ", [ !Ref Name, Fn::FindInMap:
[Regions, !Ref "AWS::Region", USERDATA] ] ]
hostname $NEW_HOSTNAME
myshortname=`hostname -s`
I expect the template to create Backup volume if I put any value in the parameter, and if I leave backupsize value blank, it should not create this disk.
AWSTemplateFormatVersion: "2010-09-09"
Description: "This template should be used to deploy ONLY test servers"
Mappings:
Regions:
us-east-1:
"AMI": "ami-x"
"VPC": "vpc-x"
"SUBNET": "subnet-x"
"USERDATA": ".example.com"
"SHARE": "server1:/share"
"SecurityGroups": "sg-x"
"SecurityGroups2": "sg-y"
Parameters:
ApplSize:
Description: "Please enter application vol. size"
Type: "String"
BackupSize:
Description: "Please enter backup vol. size"
Type: "String"
VaultSize:
Description: "Please enter secret vol. size"
Type: "String"
InstanceType:
Description: "Please select the instance type"
Type: "String"
Name:
Description: "Please mention server name"
Type: "String"
CustomerName:
Description: "Please mention customer name"
Type: "String"
Url:
Description: "Please mention url without the domain name"
Type: "String"
Conditions:
BackupVol: !Equals [!Ref BackupSize, ""]
Resources:
EC2Instance:
Type: "AWS::EC2::Instance"
Properties:
ImageId: !FindInMap [Regions, !Ref "AWS::Region", AMI]
InstanceType: !Ref InstanceType
SubnetId: !FindInMap [Regions, !Ref "AWS::Region", SUBNET]
SecurityGroupIds:
- !FindInMap [Regions, !Ref "AWS::Region", SecurityGroups]
- !FindInMap [Regions, !Ref "AWS::Region", SecurityGroups2]
BlockDeviceMappings:
-
DeviceName : "/dev/sda1"
Ebs:
VolumeSize: "20"
VolumeType: gp2
-
DeviceName : "/dev/sde"
Ebs:
VolumeSize: !Ref ApplSize
VolumeType: gp2
-
DeviceName : "/dev/sdc"
Ebs:
VolumeSize: "5"
VolumeType: gp2
- Fn::If:
- BackupVol
- !Ref "AWS::NoValue"
- DeviceName : "/dev/sdg"
Ebs:
VolumeSize: !Ref BackupSize
VolumeType: gp2
UserData:
Fn::Base64: !Sub
- |+
#!/bin/bash -xe
NEW_HOSTNAME=${test}
- test:
Fn::FindInMap: [Regions, !Ref "AWS::Region", Name]
The various versions of the template presented all have basic formatting problems. The latest version (attached in a comment below this answer):
▶ aws cloudformation validate-template --template-body file://cloudformation.yml
An error occurred (ValidationError) when calling the ValidateTemplate operation: [/Mappings/Regions] 'null' values are not allowed in templates
The formatting problems include duplicate keys, incorrect indentation, etc. These problems can't be detected by simply checking if the file is valid YAML. It can be valid YAML and still be invalid for Cloudformation. You need to use the validate-template command as I showed above.
After fixing up the various issues in the provided template (including the new version), I was unable to reproduce an error about
unresolved condition dependency BackupSize in Fn::If
What you have in Fn::If looks ok to me.
As for how to interpolate Fn::Join in the UserData:
I would consider refactoring so that complex logic lies outside of Cloudformation. For instance, you could pass the hostname as a separate parameter.
If you really want to do it this way you can do it like this:
UserData:
Fn::Base64: !Sub
- |
#!/bin/bash
NEWHOSTNAME=${newhostname}
hostname $NEW_HOSTNAME
myshortname=`hostname -s`
- newhostname: !Join ["", ["foo", "bar"]]
Simple ans..first condition of IF should be a CONDITIONS..Create a conditions block and use that in IF... Example:
Conditions:
mycondition: blah blah
IF [mycondition: blah1, blah2]
Description:
I am trying to define Serverless API resource. But having trouble in defining location of swagger specification file using function ImportValue.
Steps to reproduce the issue:
I am not able to define AWS::Serverless::Api resource having nested function ImportValue in Location. I have tried following three ways, none of them work.
Note: Stack parameters are defined properly and export value from other stack exists. Not showing them here for brevity reason.
ApiGatewayApi:
Type: AWS::Serverless::Api
Properties:
Name: !Sub ${AWS::StackName}-API
StageName: !Ref ApiGatewayStageName
DefinitionBody:
'Fn::Transform':
Name: 'AWS::Include'
Parameters:
Location:
Fn::Sub:
- s3://${BucketName}/${SwaggerSpecificationS3Key}
- BucketName:
Fn::ImportValue:
!Sub "${EnvironmentName}-dist-bucket-${AWS::Region}"
ApiGatewayApi:
Type: AWS::Serverless::Api
Properties:
Name: !Sub ${AWS::StackName}-API
StageName: !Ref ApiGatewayStageName
DefinitionBody:
'Fn::Transform':
Name: 'AWS::Include'
Parameters:
Location:
Fn::Sub:
- s3://${BucketName}/${SwaggerSpecificationS3Key}
- BucketName:
!ImportValue 'dev-dist-bucket-us-east-1'
ApiGatewayApi:
Type: AWS::Serverless::Api
Properties:
Name: !Sub ${AWS::StackName}-API
StageName: !Ref ApiGatewayStageName
DefinitionBody:
'Fn::Transform':
Name: 'AWS::Include'
Parameters:
Location:
Fn::Sub:
- s3://${BucketName}/${SwaggerSpecificationS3Key}
- BucketName:
Fn::ImportValue: 'dev-dist-bucket-us-east-1'
Cloudformation shows following error.
FAILED - The value of parameter Location under transform Include must
resolve to a string, number, boolean or a list of any of these.
However, if I do not use ImportValue it works with a nested Fn::Sub
ApiGatewayApi:
Type: AWS::Serverless::Api
Properties:
Name: !Sub ${AWS::StackName}-API
StageName: !Ref ApiGatewayStageName
DefinitionBody:
'Fn::Transform':
Name: 'AWS::Include'
Parameters:
Location:
Fn::Sub:
- s3://${BucketName}/${SwaggerSpecificationS3Key}
- BucketName:
Fn::Sub: dist-bucket-${EnvironmentName}-${AWS::Region}
Is it because of Fn::Transform or AWS::Include?