We Keep Coding

Cloudformation: substitute variable in map key

I have a role defined like this:
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
AWSAccountId:
Type: String
OidcProvider:
Type: String
AppNamespace:
Type: String
AppServiceAccountName:
Type: String
Resources:
CloudWatchRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Federated:
- !Join ["", [ "arn:aws:iam::", !Ref AWSAccountId, ":oidc-provider/", !Ref OidcProvider ] ]
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
!Sub ${OidcProvider}:sub: "system:serviceaccount:${AppNamespace}:${AppServiceAccountName}"
My challenge is how to substitute parameters in the StringEquals section. Everything works in the Federated block. But in the StringEquals block I couldn't get join or sub to work.
With the code as is, I get error message:
An error occurred (ValidationError) when calling the CreateStack operation:
Template format error[/Resources/CloudWatchRole/Properties/AssumeRolePolicyDocument/
Statement/0/Condition/StringEquals] map keys must be strings; received a map instead
So, I guess my issue is how to substitute variables in the keys of a map. UserData didn't help either.

You problem is on Federated not on StringEquals.
Federated value needs to be string but you define it as Map. Please remove - before !Join.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
AWSAccountId:
Type: String
OidcProvider:
Type: String
AppNamespace:
Type: String
AppServiceAccountName:
Type: String
Resources:
CloudWatchRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument: !Sub
- |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "${IamOidcProviderArn}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${OidcProvider}:sub": "system:serviceaccount:${AppNamespace}:${AppServiceAccountName}"
}
}
}
]
}
- IamOidcProviderArn: !Join
- ''
- - 'arn:aws:iam::'
- !Ref AWSAccountId
- ':oidc-provider/'
- !Ref OidcProvider
OidcProvider: !Ref OidcProvider
AppNamespace: !Ref AppNamespace
AppServiceAccountName: !Ref AppServiceAccountName

AWS::Serverless::Api - Cache Cluster set cache time to live

I have set a HTTP proxy with AWS::Serverless::Api using SAM. Although I was able to set CacheClusterEnabled and CacheClusterSize. I have not found a property to set the time to live of cache data. Where can I set this config?
Here is my templates.yml file:
Resources:
ProxyApi:
Type: AWS::Serverless::Api
Properties:
CacheClusterEnabled: !FindInMap [EnvMap, !Ref Env, cacheClusterEnabled]
CacheClusterSize: !FindInMap [EnvMap, !Ref Env, cacheClusterSize]
Name: !Join [ '-', [!Ref Env, 'lead-generation-proxy'] ]
StageName: !Ref Env
DefinitionBody:
Fn::Transform:
Name: AWS::Include
Parameters:
Location: openapi/proxy.yml
And here is the API created:
openapi: 3.0.1
info:
version: 1.0.0
paths:
"/{proxy+}":
x-amazon-apigateway-any-method:
parameters:
- name: proxy
in: path
required: true
schema:
type: string
responses: {}
x-amazon-apigateway-integration:
responses:
default:
statusCode: '200'
requestParameters:
integration.request.path.proxy: method.request.path.proxy
uri:
Fn::FindInMap : [EnvMap, Ref: Env, proxyUrl]
passthroughBehavior: when_no_match
httpMethod: ANY
type: http_proxy

Anyone interested in the answer. I have found that we could configure these attributes with https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-methodsetting.html#cfn-apigateway-stage-methodsetting-datatraceenabled. Here is my template with this configuration:
ProxyApi:
Type: AWS::Serverless::Api
Properties:
Name: !Join ["-", [!Ref Env, "lead-generation-proxy"]]
StageName: !Ref Env
TracingEnabled: !FindInMap [EnvMap, !Ref Env, tracingEnabled]
CacheClusterEnabled: !FindInMap [EnvMap, !Ref Env, cacheClusterEnabled]
CacheClusterSize: !FindInMap [EnvMap, !Ref Env, cacheClusterSize]
MethodSettings:
- HttpMethod: '*'
ResourcePath: '/*'
LoggingLevel: INFO
CacheTtlInSeconds: 400
CachingEnabled: !FindInMap [EnvMap, !Ref Env, cacheClusterEnabled]
DataTraceEnabled: !FindInMap [EnvMap, !Ref Env, cacheClusterEnabled]
MetricsEnabled: !FindInMap [EnvMap, !Ref Env, cacheClusterEnabled]
DefinitionBody:
Fn::Transform:
Name: AWS::Include
Parameters:
Location: openapi/proxy.yml

requestTemplates and responseTemplates not working in AWS API Gateway SAM template

I am having a problem getting the requestTemplates and responseTemplates I define to work.
The relevant piece of my (processed) template is here:
/cse:
options:
x-amazon-apigateway-integration:
type: mock
requestTemplates:
application/json: |
{
"statusCode" : 200
}
responses:
default:
statusCode: '200'
responseTemplates:
application/json: |
{}
responseParameters:
method.response.header.Access-Control-Allow-Origin: '''*'''
method.response.header.Access-Control-Allow-Methods: '''GET,OPTIONS'''
summary: CORS support
responses:
'200':
headers:
Access-Control-Allow-Origin:
schema:
type: string
Access-Control-Allow-Methods:
schema:
type: string
description: Default response for CORS method
get:
x-amazon-apigateway-integration:
httpMethod: POST
requestTemplates:
application/json: |
{
"body": $input.json('$'),
"headers": {
#foreach($header in $input.params().header.keySet())
"$header": "$util.escapeJavaScript($input.params().header.get($header))" #if($foreach.hasNext),#end
#end
},
"method": "$context.httpMethod",
"params": {
#foreach($param in $input.params().path.keySet())
"$param": "$util.escapeJavaScript($input.params().path.get($param))" #if($foreach.hasNext),#end
#end
},
"query": {
#foreach($queryParam in $input.params().querystring.keySet())
"$queryParam": "$util.escapeJavaScript($input.params().querystring.get($queryParam))" #if($foreach.hasNext),#end
#end
}
}
type: aws
responses:
default:
statusCode: 200
responseTemplates:
text/html: $input.path('$')
responseParameters:
method.response.header.Access-Control-Allow-Origin: '''*'''
method.response.header.Access-Control-Allow-Methods: '''GET,OPTIONS'''
uri: !Sub >-
arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${CSELambda.Arn}/invocations
responses:
'200':
headers:
Access-Control-Allow-Origin:
type: string
Access-Control-Allow-Methods:
type: string
description: OK
The options bit is auto-generated by AWS by adding a Cors entry in the template and works fine.
See how it defines a responseTemplates and requestTemplates and it works.
The get bit is the one I am trying to get to work. As far as I can tell, I am following the same format as the auto-generated options bit, but the API Gateway is not setting these 2 templates, and I am at a loss.
Been Googling, trying different things to no avail, so far. Any help appreciated.

Adding parameters to api using cloudformation

I tried the cloudformation template that I found here...
https://bl.ocks.org/magnetikonline/c314952045eee8e8375b82bc7ec68e88
It works as expected. But I will like to provide parameters to the post request. My Curl command should look something like this...
curl -d "mynumber=12345" -X POST https://tyin2sswj2.execute-api.us-east-1.amazonaws.com/mycall
How do I handle it at API gateway in the cloudformation template? I have already set the environment variable at lambda function level.
The template that does not work is this...
https://raw.githubusercontent.com/shantanuo/cloudformation/master/updated/lambda_api.tpl.txt
As it is clear that I am not able to pass the "mnumber" variable through the gateway.
I have updated my template and now it deploys function and gateway corretly. And still the URL generated does not work and shows "internal server error" message.
https://raw.githubusercontent.com/shantanuo/cloudformation/master/testapi.tpl.txt

You should change to using HTTP proxy integration.
Here is some info from AWS on proxy integration: https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-http-integrations.html
Try changing your RequestParameters from:
RequestParameters:
method.request.querystring.mnumber: false
to
RequestParameters:
method.request.path.proxy: true
and under integration from:
RequestParameters:
integration.request.querystring.mnumber: "method.request.querystring.mnumber"
to
RequestParameters:
integration.request.path.proxy: 'method.request.path.proxy'
This is a good tutorial on proxy integration with API Gateway:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-create-api-as-simple-proxy-for-http.html

There are two ways you can access mynumber
Method 1 which works best with the SAM serverless API template. Define "API Gateway" and "Lambda". In Lambda definitions, call Events of type API:
This makes it where query strings are automatically picked up due to the event property. The parameters can be found in the event response that is passed into all lambda functions. It can be accessed with multiValueQueryStringParameters or queryStringParameters from the event object.
exports.getByDateHandler = async (event) => {
console.info(event.queryStringParameters);
console.info(event.multiValueQueryStringParameters);
}
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Description",
"Transform": ["AWS::Serverless-2016-10-31"],
"Resources": {
"getByDateFunction": {
"Type": "AWS::Serverless::Function",
"Properties": {
"Handler": "src/handlers/getByDate/get-by-date.getByIdHandler",
"Runtime": "nodejs14.x",
"Architectures": ["x86_64"],
"MemorySize": 128,
"Timeout": 100,
"Events": {
"Api": {
"Type": "Api",
"Properties": {
"Path": "/date",
"Method": "GET"
}
}
}
}
}
},
"Outputs": {
"WebEndpoint": {
"Description": "API Gateway endpoint URL for Prod stage",
"Value": {
"Fn::Sub": "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/"
}
}
}
}
Method 2 which I havent tested is by defining the "Lambda", "API Gateway", "API Resource" and "API Methods". Linking the Lambda using the URI statement under "API Method".
for this method I only have a yaml example
MyLambdaFunction:
Type: "AWS::Lambda::Function"
Properties:
Description: "Node.js Express REST API"
FunctionName: "get_list_function" (The name in AWS console)
Handler: lambda.handler
Runtime: nodejs12
MemorySize: 128
Role: <ROLE ARN>
Timeout: 60
apiGateway:
Type: "AWS::ApiGateway::RestApi"
Properties:
Name: "example-api-gw"
Description: "Example API"
ProxyResource:
Type: "AWS::ApiGateway::Resource"
Properties:
ParentId: !GetAtt apiGateway.RootResourceId
RestApiId: !Ref apiGateway
PathPart: '{proxy+}' OR "a simple string like "PetStore"
apiGatewayRootMethod:
Type: "AWS::ApiGateway::Method"
Properties:
AuthorizationType: NONE
HttpMethod: ANY
Integration:
IntegrationHttpMethod: POST
Type: AWS_PROXY
IntegrationResponses:
- StatusCode: 200
Uri: !Sub >-
arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyLambdaFunction.Arn}/invocations
ResourceId: !Ref ProxyResource
RestApiId: !Ref "apiGateway"

Two HTTP Methods for one AWS API Gateway Resource

There is this wicked post about configuring an API Gateway method for CORS through CloudFormation, and I'm giving it a go. I want to create the following endpoint with two methods, "options" and "post":
/image/submit
Here is my CF template snippet:
ApiDefault:
Type: "AWS::ApiGateway::RestApi"
Properties:
Name: "Stash-Default"
FailOnWarnings: true
ApiDefaultDeployment:
Type: AWS::ApiGateway::Deployment
DependsOn:
- "ApiMethodImageSubmitPost"
- "ApiMethodImageSubmitOption"
Properties:
RestApiId: !Ref "ApiDefault"
StageName: "v1"
ApiResourceImage:
Type: "AWS::ApiGateway::Resource"
Properties:
ParentId: !GetAtt ["ApiDefault", "RootResourceId"]
PathPart: "image"
RestApiId: !Ref "ApiDefault"
ApiResourceImageSubmit:
Type: "AWS::ApiGateway::Resource"
Properties:
ParentId: !Ref "ApiResourceImage"
PathPart: "submit"
RestApiId: !Ref "ApiDefault"
ApiMethodImageSubmitPost:
Type: "AWS::ApiGateway::Method"
Properties:
HttpMethod: "POST"
AuthorizationType: "NONE"
MethodResponses:
- StatusCode: "200"
Integration:
IntegrationHttpMethod: "POST"
Type: "AWS_PROXY"
IntegrationResponses:
- StatusCode: "200"
Credentials: !GetAtt [ "ExecuteApiMethodImageSubmit", "Arn" ]
Uri: !Sub
- "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${lambdaArn}/invocations"
- lambdaArn: !GetAtt [ "ImageReceive", "Arn" ]
RestApiId: !Ref "ApiDefault"
ResourceId: !Ref "ApiResourceImageSubmit"
ApiMethodImageSubmitOption:
Type: "AWS::ApiGateway::Method"
Properties:
HttpMethod: "OPTIONS"
AuthorizationType: "NONE"
Integration:
Type: "MOCK"
IntegrationResponses:
- StatusCode: "200"
ResponseParameters:
method.response.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
method.response.header.Access-Control-Allow-Methods: "'POST,OPTIONS'"
method.response.header.Access-Control-Allow-Origin: "'*'"
MethodResponses:
- StatusCode: "200"
ResponseModels:
application/json: "Empty"
ResponseParameters:
method.response.header.Access-Control-Allow-Headers: false
method.response.header.Access-Control-Allow-Methods: false
method.response.header.Access-Control-Allow-Origin: false
RestApiId: !Ref "ApiDefault"
ResourceId: !Ref "ApiResourceImageSubmit"
It bombs saying ApiMethodImageSubmitPost:
Method already exists for this resource (Service: AmazonApiGateway;
Status Code: 409; Error Code: ConflictException; Request ID:
454cf46a-b434-4626-bd4b-b6d4fe21142c)
Can you create two http-methods for a single API resource in this fashion? I'm not having a ton of luck with AWS' docs on this one.