We Keep Coding

Export and ImportValue in another stack under sub

I am trying to get a value from one stack to another using the below syntax.
stack one-
Outputs:
CompRestAPI:
Description: Rest Api Id
Value: !Ref CompRestAPI
Export:
Name: 'CompRestAPI'
Stack two -
CompRestApiWaf:
Type: AWS::WAFv2::WebACLAssociation
DependsOn: CompApiGatewayStage
Properties:
RestApiId: !ImportValue 'CompRestAPI'
ResourceArn: !Sub 'arn:aws:apigateway:${REGION}:/${RestApiId}/${STAGENAME}-apistage'
WebACLArn: !Ref WafId
I am able to get the values for other resources using 1st syntax, but I am not able to get the value for RestApiId under !Sub
RestApiId: !ImportValue 'CompRestAPI'
ResourceArn: !Sub 'arn:aws:apigateway:${REGION}:/${RestApiId}/apistage'
So is there any way to use !ImportValue under !Sub condition?
I tried it using below code, validation is pass but still showing me an error
Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter:
CompRestApiWaf:
Type: AWS::WAFv2::WebACLAssociation
DependsOn: CompApiGatewayStage
Properties:
ResourceArn: !Sub 'arn:aws:apigateway:${REGION}:/{!ImportValue CompRestAPI}/stages/apistage'
WebACLArn: !Ref WafId

I am done with it using Fn::join:
SourceArn:
Fn::Join:
- ""
- - 'arn:aws:execute-api:'
- !Ref AWS::Region
- ':'
- !Ref AWS::AccountId
- ':'
- !Ref ApiGatewayRestApiResource
- '/*'

this should work
ResourceArn: !Sub
- 'arn:aws:apigateway:${REGION}:/${CompRestAPI}/stages/apistage'
- CompRestAPI: !ImportValue CompRestAPI
you can expand the second parameter to have multiple keys for multiple imports like so
SecretString: !Sub
- 'postgres://${username}:${password}#${dbhost}:${dbport}/${dbname}'
- username: !Ref 'DBUser'
password: !Ref 'DBPassword'
dbhost: !Ref DbMasterDnsEntry
dbport: !GetAtt AuroraPgCluster.Endpoint.Port
dbname: !Ref 'DBName'

Getting Fn::GetAtt error in the AWS SAM template

I have declared the SNS topic and Subscription like below in my AWS Serverless Application Model template :-
MyTopic:
Type: AWS::SNS::Topic
Properties:
DisplayName: !Sub 'test-${Environment}-${AWS::AccountId}-${AWS::Region}'
Tags:
- Key: Environment
Value: !FindInMap [Environment, FullForm, !Ref Environment]
TopicName: !Sub 'test-${Environment}-${AWS::AccountId}-${AWS::Region}'
MySubscription:
Type: AWS::SNS::Subscription
Properties:
Endpoint: !Ref SubscriptionEndPoint
Protocol: !Ref SubscriptionProtocol
Region: !Ref 'AWS::Region'
TopicArn: !Ref MyTopic
And then using the SNS Topic ARN in my Lambda function's environment as following in the same template file :-
MyLambda:
Type: AWS::Serverless::Function
Properties:
Environment:
Variables:
RUNTIME_SNS_TOPIC_ARN: !GetAtt MyTopic.Arn
Outputs (in SAM template):-
MyTopic:
Description: SNS Topic for the Ingest to send notification to
Export:
Name: !Sub
- ${ExportPrefix_}:${AWS::Region}:MyTopic
- ExportPrefix_: !If
- HasExportPrefix
- !Join ['-', [!Ref ExportPrefix, !Ref Environment]]
- !Join ['-', [!Select [0, !Split ["-", !Ref "AWS::StackName"]], !Ref Environment]]
Value: !Sub "${MyTopic.Arn}:${MyTopic.Version.Version}"
MySubscription:
Description: Subscription to get messages from a topic
Export:
Name: !Sub
- ${ExportPrefix_}:${AWS::Region}:MySubscription
- ExportPrefix_: !If
- HasExportPrefix
- !Join ['-', [!Ref ExportPrefix, !Ref Environment]]
- !Join ['-', [!Select [0, !Split ["-", !Ref "AWS::StackName"]], !Ref Environment]]
Value: !Sub "${MySubscription.Arn}:${MySubscription.Version.Version}"
However, I'm getting following error :-
13:30:30 Error: Failed to create changeset for the stack: my-stack, ex: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state Status: FAILED. Reason: Template error: resource MyTopic does not support attribute type Arn in Fn::GetAtt

An AWS::SNS:Topic returns the ARN when you use Ref
Check out the Docs on the return values.
Try with
MyLambda:
Type: AWS::Serverless::Function
Properties:
Environment:
Variables:
RUNTIME_SNS_TOPIC_ARN: !Ref MyTopic # Using !Ref

Recommend trying the CloudFormation Linter in VSCode to see some of these errors inline while authoring templates:
[cfn-lint] E1010: Invalid GetAtt MyTopic.Arn for resource MyLambda
[cfn-lint] E1019: Parameter MyTopic.Arn for Fn::Sub not found at Outputs/MyTopic/Value/Fn::Sub
[cfn-lint] E1019: Parameter MyTopic.Version.Version for Fn::Sub not found at Outputs/MyTopic/Value/Fn::Sub
[cfn-lint] E1019: Parameter MySubscription.Arn for Fn::Sub not found at Outputs/MySubscription/Value/Fn::Sub
[cfn-lint] E1019: Parameter MySubscription.Version.Version for Fn::Sub not found at Outputs/MySubscription/Value/Fn::Sub
It'll also point out that Value needs to be indented less in the Outputs
AWS::SNS::Topic return values
AWS::SNS::Subscription

CloudFormation Combine Sub - Import - Sub

I am trying to create a parameter and would like to combine !Sub and !Import several times.
Parameters:
Environment:
Description: Stackname of Environment
Type: String
Resources:
IAMRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: '*'
Action: ['sts:AssumeRole']
Path: /
Policies:
- PolicyName: S3Files
PolicyDocument:
Statement:
- Sid: 'S3Files'
Effect: Allow
Action:
- 's3:DeleteObjectTagging'
- 's3:GetObjectRetention'
- 's3:ListMultipartUploadParts'
- 's3:PutObject'
- 's3:GetObjectAcl'
- 's3:GetObject'
- 's3:AbortMultipartUpload'
- 's3:PutObjectRetention'
- 's3:GetObjectVersionAcl'
- 's3:GetObjectTagging'
- 's3:PutObjectTagging'
- 's3:DeleteObject'
- 's3:PutObjectAcl'
- 's3:GetObjectVersion'
Resource: !Sub
- '${ARN}/*'
- ARN:
Fn::ImportValue: !Sub ${Environment}:S3:Arn
According to the documentation it should be possible, but unfortunately I always get an error message
Template contains errors.: [/Resources/IAMRole/Type/Policies/0/PolicyDocument/Statement/0/Resource/Fn::Sub/1/ARN] 'null' values are not allowed in templates
How could the UseCase work?

There is a space issue in the Resource section.
Resource: !Sub
- '${ARN}/*'
- ARN:
Fn::ImportValue: !Sub ${Environment}:S3:Arn
It should be
Resource: !Sub
- '${ARN}/*'
- ARN:
Fn::ImportValue: !Sub ${Environment}:S3:Arn
Note: Fn starts under N of ARN instead of A.
Explanation: With the first indentation the line with Fn::ImportValue is considered as an input for !Sub, with the second indentation it becomes the value for ARN: defined the line above it.
Side note: Use 2 spaces or 4 spaces or tabs uniformly throughout the template.

Every DependsOn value must be a string - How to explode a Mapping for the DependsOn property

I am using the explode transform macro in the following manner.
ServiceMap:
Private:
Prefix: Private
Public:
Prefix: Public
Service:
ExplodeMap: ServiceMap
Type: AWS::ECS::Service
DependsOn:
- !Sub 'LoadBalancerRule${!Explode Prefix}'
Properties:
Cluster: !Ref "ECSCluster"
...
TaskDefinition: !Ref TaskDefinition!Explode Prefix
LoadBalancers:
- ContainerName: !Sub '!Explode Prefix${ServiceName}'
ContainerPort: !Ref "ContainerPort"
TargetGroupArn: !Ref TargetGroup!Explode Prefix
LoadBalancerRule:
ExplodeMap: ServiceMap
Type: AWS::ElasticLoadBalancingV2::ListenerRule
Properties:
Actions:
...
ListenerArn: !Ref "LoadBalancerListener"
Priority: !Ref "Priority"
This seems to be successful, but for transformation specified within the DependsOn property. As I create the stack, this is the error I receive:
Template format error: Every DependsOn value must be a string.
Questions:
- I don't know how to actually view the transformed template
- Why does this happen? As per the doc, !Sub creates a string
Any ideas how t

Not really sure what the difference between !Sub 'LoadBalancerRule${!Explode Prefix}' & - LoadBalancerRule!Explode Prefix is, but this worked out
Service:
ExplodeMap: ServiceMap
Type: AWS::ECS::Service
DependsOn:
- LoadBalancerRule!Explode Prefix
Properties:
Cluster: !Ref "ECSCluster"
...
TaskDefinition: !Ref TaskDefinition!Explode Prefix
LoadBalancers:
- ContainerName: !Sub '!Explode Prefix${ServiceName}'
ContainerPort: !Ref "ContainerPort"
TargetGroupArn: !Ref TargetGroup!Explode Prefix

Set Event Value for Cloudtrail - all S3 buckets

I'm trying to get a cloudtrail for all S3 bucket Data but it keeps throwing an error. The template looks like:
DataTrail:
Type: AWS::CloudTrail::Trail
Properties:
CloudWatchLogsLogGroupArn:
Fn::ImportValue:
!Sub ${EnvironmentName}-CloudtrailLogGroupARN
CloudWatchLogsRoleArn:
Fn::ImportValue:
!Sub ${EnvironmentName}-CloudTrailLogsRoleARN
EnableLogFileValidation: true
EventSelectors:
- DataResources:
- Type: AWS::S3::Object
Values:
- 'arn:aws:s3:::*'
- IncludeManagementEvents: false
- ReadWriteType: All
IncludeGlobalServiceEvents: true
IsLogging: true
IsMultiRegionTrail: true
KMSKeyId:
Fn::ImportValue:
!Sub ${EnvironmentName}-InvoicegenKey-CMK-Arn
S3BucketName:
Fn::ImportValue:
!Sub ${EnvironmentName}-CloudTrailBucket-Name
the AWS Doku says it must be a list of string, so I did:
Values:
- 'arn:aws:s3:::*'
But it keeps failing...
Merci in Advance
A

In the end it was pretty easy; I just created a trail via Console and then used aws cloudtrail get-event-selectors --trail-name <name> to get the result. then transferred it to my template like this:
DataResources:
- Type: AWS::S3::Object
Values:
- arn:aws:s3

yeah, pretty close though but correct indent should be
cloudtrail:
Type: AWS::CloudTrail::Trail
Properties:
EnableLogFileValidation: Yes
EventSelectors:
- DataResources:
- Type: AWS::S3::Object
Values:
- arn:aws:s3:::s3-event-step-bucket/
IncludeManagementEvents: Yes
ReadWriteType: All
IncludeGlobalServiceEvents: Yes
IsLogging: Yes
IsMultiRegionTrail: Yes
S3BucketName: s3-event-step-bucket-storage
TrailName: xyz