Based on the environment, I am trying to set the URL for a variable: It staging my URL should be https://staging.DNHostedZoneName , if prod - it should just be https://DNSHostedZoneName:
Here's my condition:
Conditions:
IsEnvProd: Fn::Equals [ !Ref Env, 'prod' ]
IsEnvStage: Fn::Equals [ !Ref Env, 'stage' ]
Here's where its been evaluated:
Environment:
- Name: NODE_ENV
Value: !Ref NodeEnv
- Fn::If:
- IsEnvStage
- Name: CORE_URL
Value:
Fn::Join:
- ""
- - "https://"
- "staging"
- "."
- !Ref DnsHostedZoneName
- Name: NCVCORE_URL
Value:
Fn::Join:
- ""
- - "https://"
- !Ref DnsHostedZoneName
I am getting the following error:
Template format error: Conditions can only be boolean operations on parameters and other conditions
Without the full template, it is difficult to try to recreate the issue, but here your snippets refactored with a possible error removed.
Adjusted the conditionals to use all shorthand.
Conditions:
IsEnvProd: !Equals [!Ref "Env", "prod"]
IsEnvStage: !Equals [!Ref "Env", "stage"]
There was an additional space in the YAML so that has been removed, and reformatted.
Environment:
- Name: "NODE_ENV"
Value: !Ref "NodeEnv"
- !If
- "IsEnvStage"
- Name: "CORE_URL"
Value: !Sub "https://staging.${DnsHostedZoneName}"
- Name: "NCVCORE_URL"
Value: !Sub "https://${DnsHostedZoneName}"
Usually the conditions defined are used as an attribute to an aws resource and you specify the name of the condition as a value. You can try https://krunal4amity.github.io - it is an online cloudformation template generator. It takes away a lot of such dreadful work.
You can try to orchestrate creation of specific resources using AWS::NoValue
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html
Below is taken from variables creation for LambdaFunction
Conditions:
IsProd: !Equals [!Ref Env, "production"]
Environment:
Variables:
USER: !If [IsProd, !GetAtt ...., Ref: AWS::NoValue]
Related
I currently have this cloud formation template that is supposed to create an event bridge resource with all the necessary configurations, but I can't get it to create because I can't get cloud formation to verify if a key exists in the secrets manager or not.
to be more clear, I want my event-bridge.yml template resource to only be created if my key ${Stage}/${SubDomain}/django-events-api-key is already defined in the secrets manager and has a valid value(meaning it does not only have an empty string or a AWS::NoValue); this because I need to create the key after the stack is created and deployed, before the stack is not deployed, so I can't execute my command to generate the key
I have this:
event-bridge.yml
AWSTemplateFormatVersion: "2010-09-09"
Description: "Event scheduling for sending the email digest"
Parameters:
SubDomain:
Description: The part of a website address before your DomainName - e.g. www or img
Type: String
DomainName:
Description: The part of a website address after your SubDomain - e.g. example.com
Type: String
Stage:
Description: Stage name (e.g. dev, test, prod)
Type: String
DjangoApiKey:
Description: Api key for events bridge communication
Type: String
Conditions:
DjangoApiKeyExists: !Or [ !Not [ !Equals [ !Ref DjangoApiKey, !Ref AWS::NoValue ] ], !Not [ !Equals [ !Ref DjangoApiKey, "" ] ] ]
Outputs:
DjangoEventsConnection:
Description: Connection to the Django backend for Event Bridge
Value: !Ref DjangoEventsConnection
Resources:
MessageDigestEventsRule:
Type: AWS::Events::Rule
Properties:
Name: !Sub "${SubDomain}-chat-digest"
Description: "Send out email digests for a chat"
ScheduleExpression: "rate(15 minutes)"
State: "ENABLED"
Targets:
- Arn: !GetAtt MessageDigestEventsApiDestination.Arn
HttpParameters:
HeaderParameters: { }
QueryStringParameters: { }
Id: !Sub "${SubDomain}-chat-digest-api-target"
RoleArn: !GetAtt MessageDigestEventsRole.Arn
EventBusName: "default"
DjangoEventsConnection:
Type: AWS::Events::Connection
Properties:
Name: !Sub "${SubDomain}-django"
AuthorizationType: "API_KEY"
AuthParameters:
ApiKeyAuthParameters:
ApiKeyName: "Authorization"
ApiKeyValue: !Ref DjangoApiKey
in a main.yml template I pass the key variable like this:
EventBridge:
DependsOn: [ VpcStack, DjangoEventBridgeApiKey ]
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: ./event-bridge.yaml
Parameters:
SubDomain: !Ref SubDomain
DomainName: !Ref DomainName
Stage: !Ref Stage
DjangoApiKey: !Sub '{{resolve:secretsmanager:arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SubDomain}/django-events-api-key}}' <--
but that will always fail because the key is not defined, I would like to pass an empty string or something I can use as a conditional
I have also tried defining the secret, so it exists:
Resources:
DjangoEventBridgeApiKey:
Type: AWS::SecretsManager::Secret
Properties:
Name: !Sub ${Stage}/${SubDomain}/django-events-api-key
Description: !Sub Credentials for the event bridge integration https://api.${SubDomain}.circular.co
Tags:
- Key: Name
Value: django-events-api-key
EventBridge:
DependsOn: [ VpcStack, DjangoEventBridgeApiKey ]
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: ./event-bridge.yaml
Parameters:
SubDomain: !Ref SubDomain
DomainName: !Ref DomainName
Stage: !Ref Stage
DjangoApiKey: !Sub '{{resolve:secretsmanager:${DjangoEventBridgeApiKey}}}'
But that for some reason, is still making my condition above fail, making the stack attempt to execute, I still cant figure out why is my condition not working
Any ideas on how to make this better? any help provided will be super useful to me
Okay found out the biggest problem with my implementation, on event-bridge.yml:
AWSTemplateFormatVersion: "2010-09-09"
Description: "Event scheduling for sending the email digest of chat messages"
Parameters:
SubDomain:
Description: The part of a website address before your DomainName - e.g. www or img
Type: String
DomainName:
Description: The part of a website address after your SubDomain - e.g. example.com
Type: String
Stage:
Description: Stage name (e.g. dev, test, prod)
Type: String
DjangoApiKey:
Description: Api key for events bridge communication
Type: String
Conditions:
DjangoApiKeyExists: !Not [ !Equals [ !Ref DjangoApiKey, "" ] ] # <-- this works
Outputs:
DjangoEventsConnection:
Condition: DjangoApiKeyExists
Description: Connection to the django backend for Event Bridge
Value: !Ref DjangoEventsConnection
Resources:
DjangoEventsConnection:
Type: AWS::Events::Connection
Condition: DjangoApiKeyExists
Properties:
Name: !Sub "${SubDomain}-django"
AuthorizationType: "API_KEY"
AuthParameters:
ApiKeyAuthParameters:
ApiKeyName: "Authorization"
ApiKeyValue: !Ref DjangoApiKey
# This does not update when we change the secret - so we need to force an update - need a more permanent solution
# ApiKeyValue: pop
MessageDigestEventsApiDestination:
Type: AWS::Events::ApiDestination
Condition: DjangoApiKeyExists
DependsOn: DjangoEventsConnection
on main.yml
...
DjangoEventBridgeApiKey:
Type: AWS::SecretsManager::Secret
Properties:
Name: !Sub ${Stage}/${SubDomain}/django-events-api-key # <- this was missing ${Stage}
SecretString: " "
Tags:
- Key: Name
Value: django-events-api-key
EventBridge:
DependsOn: DjangoEventBridgeApiKey
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: ./event-bridge.yaml
Parameters:
SubDomain: !Ref SubDomain
DomainName: !Ref DomainName
Stage: !Ref Stage
DjangoApiKey: !Sub '{{resolve:secretsmanager:arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${Stage}/${SubDomain}/django-events-api-key}}'
Tags:
- Key: Stage
Value: !Ref Stage
- Key: SubDomain
Value: !Ref SubDomain
- Key: SecretKeyName
Value: !Ref DjangoEventBridgeApiKey
I want my codebuild to be success all the time.Please help me with what i should be adding in Envt Variables
ServiceRole: !GetAtt CodeBuildRole.Arn
Environment:
Type: LINUX_CONTAINER
Image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
ComputeType: BUILD_GENERAL1_SMALL
EnvironmentVariables:
- Name: CROSS_ACCOUNT_ROLE
Type: PLAINTEXT
Value: !Sub 'arn:aws:iam::${TargetAccountID}:role/${CodePipelineAssumeRoleName}'
- Name: TARGET_ACCOUNT_ID
Type: PLAINTEXT
Value: !Ref TargetAccountID
in your buildspec.yml set CODEBUILD_BUILD_SUCCEEDING=1
see https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-env-vars.html
I have the following resource in my CloudFormation template that's trying to create a listener rule. The idea is, based on the passed-in EnvironmentType, and the AWS Region, I want to import the listener ARN from the appropriate CloudFormation stack that exported it.
Parameters:
EnvironmentType:
Type: String
Default: "sandbox"
ECSClusterStackNameParameter:
Type: String
Default: "ECS-US-Sandbox"
Mappings:
production:
us-east-1:
stackWithAlbListenerInfo: "ECS-US-Prod"
eu-north-1:
stackWithAlbListenerInfo: "ECS-EU-Prod"
staging:
us-east-1:
stackWithAlbListenerInfo: "ECS-US-Staging"
eu-north-1:
stackWithAlbListenerInfo: ""
sandbox:
us-east-1:
stackWithAlbListenerInfo: "ECS-US-Sandbox"
eu-north-1:
stackWithAlbListenerInfo: ""
Conditions:
StackExists:
!Not [ !Equals [ !FindInMap [ !Ref EnvironmentType, !Ref "AWS::Region", stackWithAlbListenerInfo ], ""] ]
Resources:
AlbListenerRule:
Type: AWS::ElasticLoadBalancingV2::ListenerRule
Condition: UseListenerRule
Properties:
ListenerArn:
!If
- StackExists
-
- Fn::ImportValue:
!Join
- "-"
- - !FindInMap [ !Ref EnvironmentType, !Ref "AWS::Region", stackWithAlbListenerInfo ]
- "ListenerArn"
- Fn::ImportValue:
- !Sub "${ECSClusterStackNameParameter}-ListenerArn"
However, it fails validation due to this error, and seems like the first Fn::ImportValue: doesn't like the !Join. But !Join returns a concatenated string correct? What am I missing?
ERROR: Service: marcom-stats-service, cfnUpdate error: com.amazonaws.services.cloudformation.model.AmazonCloudFormationException: Template error: the attribute in Fn::ImportValue must be a string or a function that returns a string (Service: AmazonCloudFormation; Status Code: 400; Error Code: ValidationError; Request ID: 2678552e-cf6c-46e1-b640-a7c07de385c2; Proxy: null)
UPDATE:
Though Robert Kossendey's answer fixed my error, my original template was wrong. This is really what I wanted to do. I hope it helps someone.
AlbListenerRule:
Type: AWS::ElasticLoadBalancingV2::ListenerRule
Condition: UseListenerRule
Properties:
ListenerArn:
Fn::ImportValue: !Sub
- ${StackName}-ListenerArn
- { StackName: !If [ StackExists, !FindInMap [ !Ref EnvironmentType, !Ref "AWS::Region", stackWithAlbListenerInfo ], !Ref ECSClusterStackNameParameter ] }
Now I see it I think. At the second import you need to remove the dash in front of the !Sub:
- Fn::ImportValue:
!Sub "${ECSClusterStackNameParameter}-ListenerArn"
The documentation addresses shared paths:
service: service-b
provider:
apiGateway:
restApiId: xxxxxxxxxx
restApiRootResourceId: xxxxxxxxxx
restApiResources:
/reports: xxxxxxxxxx
functions:
...
However, how can I reference the ID of the resource (the path, that is)? In the first service I have:
Outputs:
apiGatewayRestApiId:
Value:
Ref: ApiGatewayRestApi
Export:
Name: ${self:service}-${opt:stage, 'dev'}-apiGateway-restApiId
apiGatewayRestApiRootResourceId:
Value:
Fn::GetAtt:
- ApiGatewayRestApi
- RootResourceId
Export:
Name: ${self:service}-${opt:stage, 'dev'}-apiGateway-rootResourceId
apiGatewayResourceReports:
Value: !Ref ApiGatewayResource/reports
Export:
Name: ${self:service}-${opt:stage, 'dev'}-apiGateway-reportPath
The first two work, and can be referred to with FN::ImportValue in the 2nd service. However, the third doesn't work. I presume the problem is
that I have to explicitly create the resource ApiGatewayResource/reports
rather than have it created as a side effect of the function definitions in the first service. But how should I do that? And won't it conflict with the function definitions?
After some floundering, I hit upon the following: the first service should
define the resource path, but leave the rest of the gateway definition implicit. And it should output the relevant ids:
provider:
apiGateway:
restApiResources:
/reports: !Ref ReportPath
...
resources:
Resources:
ReportPath:
Type: AWS::ApiGateway::Resource
Properties:
RestApiId: !Ref ApiGatewayRestApi
ParentId:
Fn::GetAtt: [ ApiGatewayRestApi, RootResourceId ]
PathPart: 'reports'
Outputs:
apiGatewayRestApiId:
Value:
Ref: ApiGatewayRestApi
Export:
Name: ${self:service}-${opt:stage, 'dev'}-apiGateway-restApiId
apiGatewayRestApiRootResourceId:
Value:
Fn::GetAtt:
- ApiGatewayRestApi
- RootResourceId
Export:
Name: ${self:service}-${opt:stage, 'dev'}-apiGateway-rootResourceId
apiGatewayResourceReports:
Value: !Ref ReportPath
Export:
Name: ${self:service}-${opt:stage, 'dev'}-apiGateway-reportPath
The 2nd service can reference all three ids:
provider:
apiGateway:
restApiId:
'Fn::ImportValue': crane-mg-reports-${opt:stage, 'dev'}-apiGateway-restApiId
restApiRootResourceId:
'Fn::ImportValue': crane-mg-reports-${opt:stage, 'dev'}-apiGateway-rootResourceId
restApiResources:
/reports:
'Fn::ImportValue': crane-mg-reports-${opt:stage, 'dev'}-apiGateway-reportPath
In both cases, the function definition can define paths using /reports prefix without conflict.
I have the following cloud formation template that creates a code pipeline. The pipeline has three stages:
Stages:
-
Name: "Source"
Actions:
-
Name: "Source"
ActionTypeId:
Category: "Source"
Owner: "ThirdParty"
Version: "1"
Provider: "GitHub"
OutputArtifacts:
- Name: "MyApp"
Configuration:
Owner: !Ref GithubOwner
Repo: !Ref GithubRepo
PollForSourceChanges: "true"
Branch: !Ref GithubBranch
OAuthToken: !Ref GithubTokenParameter
RunOrder: 1
-
Name: "Run-Unit-Tests"
Actions:
-
InputArtifacts:
- Name: "MyApp"
Name: "UnitTests"
ActionTypeId:
Category: "Test"
Owner: "AWS"
Version: "1"
Provider: "CodeBuild"
OutputArtifacts:
- Name: "MyTests"
Configuration:
ProjectName: !Ref CodeBuildName
RunOrder: 1
-
Name: "Deploy-Staging"
Actions:
-
InputArtifacts:
- Name: "MyApp"
Name: "Deploy-Staging"
ActionTypeId:
Category: "Deploy"
Owner: "AWS"
Version: "1"
Provider: "ElasticBeanstalk"
Configuration:
ApplicationName: !Ref BeanstalkApplicationName
EnvironmentName: !Ref BeanstalkEnvironmentStaging
RunOrder: 1
I also have a condition:
IncludeStagingEnv: !Equals [Staging, !Ref CodePipelineEnvironment]
When the condition is false, I would like to omit the 3rd item in the Code Pipeline stages list.
I tried using !If with AWS::NoValue, but NoValue is not a valid list item:
Stages:
- !IF
- IncludeStagingEnv
- Name: "Deploy-Staging"
Actions:
-
InputArtifacts:
- Name: "MyApp"
Name: "Deploy-Staging"
ActionTypeId:
Category: "Deploy"
Owner: "AWS"
Version: "1"
Provider: "ElasticBeanstalk"
Configuration:
ApplicationName: !Ref BeanstalkApplicationName
EnvironmentName: !Ref BeanstalkEnvironmentStaging
RunOrder: 1
- AWS::NoValue
How can I omit the last item when IncludeStagingEnv==false?
Same problem occurs on my template for a Cloudfront distribution.
The solution was to use AWS::NoValue with the Ref attribute.
...
LambdaFunctionAssociations:
Fn::If:
- Authentication
- - EventType: "viewer-request"
LambdaFunctionARN: "arn:aws:lambda:us-east-1:..."
- - Ref: "AWS::NoValue"
...
If this work for all resources same, you should change your conditional part to:
Stages:
- !If
- IncludeStagingEnv
- - Name: "Deploy-Staging"
Actions:
- InputArtifacts:
...
- - Ref: "AWS::NoValue"
Hope this helps!
#Fabi755's answer put me on the right path thank you!
I was fighting with the same LambdaFunctionAssociations challenge. I settled on a slightly different, slightly better approach as follows. I think it is better in that it works for multiple optional list items.
LambdaFunctionAssociations:
- !If
- HasOriginResponseFunctionArn
- EventType: origin-response
LambdaFunctionARN: !Ref OriginResponseFunctionArn
- !Ref AWS::NoValue
- !If
- HasViewerRequestFunctionArn
- EventType: viewer-request
LambdaFunctionARN: !Ref ViewerRequestFunctionArn
- !Ref AWS::NoValue