Questions tagged with AWS CloudFormation

How to deal with multiple duplicate keys (Fn::Sub) in an aws cloudformation template?

I have a policy that is being made in a cloudformation template. I want to add two resources to the policy; they end up being `arn::bucket` and `arn::bucket/*`. The issue is that the `arn` is a parameter and I get the error: `[cfn-lint] E0000: Duplicate resource found "Fn::Sub" (line 161)`. I understand that it doesn't like the duplicates.

```json
"RolePolicies": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "GetGEBucketPutCustomerBucket",
    "PolicyDocument": {
      "Statement": [
        {
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectAttributes",
            "s3:GetObjectTagging",
            "s3:ListBucket",
            "s3:DeleteObject"
          ],
          "Effect": "Allow",
          "Resource": {
            "Fn::Sub": [ "${arn}/*", { "arn": { "Ref": "CustomerS3BucketARN" } } ],
            "Fn::Sub": [ "${arn}", { "arn": { "Ref": "CustomerS3BucketARN" } } ]
          }
        }
      ]
    },
    "Roles": [ { "Ref": "InstanceRole" } ]
  },
  "Metadata": {
    "AWS::CloudFormation::Designer": {
      "id": "a713fcc6-95c8-423f-a5b8-0020a81e5ce4"
    }
  }
}
```

However, this cloudformation is allowed to run, but produces errors. When viewing the policy in the IAM console window after create, I see that both of the resources were not created.

![IAM Console](/media/postImages/original/IM-C-6juMgR12vBi6kAOuH5Q)

The IAM policy editor gives me this error: `Ln 1, Col 0 Missing Version: We recommend that you specify the Version element to help you with debugging permission issues.` since the resource that ends with `/*` wasn't created by cloud formation.
0 answers · 0 votes · 21 views · asked 2 days ago
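Added example, not part of the question above or of any answer to it: a small Python check that makes the failure visible. A JSON parser keeps only the last value of a repeated key, which is why one of the two `Fn::Sub` entries never reaches IAM; the hardened form writes `Resource` as a list (one entry per ARN) and adds the `Version` element the console asked for. The policy text is a constructed, cut-down version of the statement in the question; the parameter name `CustomerS3BucketARN` comes from the question, and the bucket ARN used for resolution is a made-up sample.

```python
"""Detect duplicate keys in a CloudFormation JSON policy and show the
list-valued "Resource" that keeps both the bucket and object ARNs.

Added example; not code from the re:Post question or from AWS."""
import json
import re

# Constructed sample: same shape as the question's statement, with the
# duplicated "Fn::Sub" key inside "Resource" (cfn-lint E0000).
POLICY_WITH_DUPLICATE_KEYS = """
{
  "Statement": [
    {
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Effect": "Allow",
      "Resource": {
        "Fn::Sub": ["${arn}/*", {"arn": {"Ref": "CustomerS3BucketARN"}}],
        "Fn::Sub": ["${arn}", {"arn": {"Ref": "CustomerS3BucketARN"}}]
      }
    }
  ]
}
"""

_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def _pairs_hook(pairs, found):
    """Build each JSON object from its key/value pairs, recording any key
    that appears more than once in the same object."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            found.append(key)
        seen[key] = value  # last value wins, exactly as json.loads does
    return seen


def find_duplicate_keys(text):
    """Return the names of keys repeated within a single JSON object.

    json.loads alone would silently keep the last value; object_pairs_hook
    lets us see every pair before that happens."""
    found = []
    json.loads(text, object_pairs_hook=lambda pairs: _pairs_hook(pairs, found))
    return found


def surviving_resource(text):
    """Parse with the default json.loads and return the Fn::Sub template
    string that survives the duplicate-key collision."""
    doc = json.loads(text)
    return doc["Statement"][0]["Resource"]["Fn::Sub"][0]


def fixed_policy_document(bucket_arn_param="CustomerS3BucketARN"):
    """Same grant written as a Resource list so both ARNs survive, plus the
    Version element. The string form of Fn::Sub references the template
    parameter directly, so no substitution map is needed."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Effect": "Allow",
                "Resource": [
                    {"Fn::Sub": "${" + bucket_arn_param + "}"},
                    {"Fn::Sub": "${" + bucket_arn_param + "}/*"},
                ],
            }
        ],
    }


def fixed_policy_text():
    """The corrected policy document serialised as JSON."""
    return json.dumps(fixed_policy_document(), indent=2)


def resolve_resources(policy_document, parameters):
    """Toy resolver: expand ${Name} placeholders in each Resource entry's
    string-form Fn::Sub from a dict of parameter values. It understands
    only that string form, which is all the fixed document uses."""
    resolved = []
    for statement in policy_document["Statement"]:
        for entry in statement["Resource"]:
            template = entry["Fn::Sub"]
            resolved.append(_PLACEHOLDER.sub(lambda m: parameters[m.group(1)], template))
    return resolved


if __name__ == "__main__":
    print("duplicate keys:", find_duplicate_keys(POLICY_WITH_DUPLICATE_KEYS))
    print("only this Fn::Sub survives:", surviving_resource(POLICY_WITH_DUPLICATE_KEYS))
    print(fixed_policy_text())
    sample = {"CustomerS3BucketARN": "arn:aws:s3:::example-bucket"}  # constructed
    print("resolved:", resolve_resources(fixed_policy_document(), sample))
```

Running the script reports `Fn::Sub` as the duplicated key, shows that only the bare `${arn}` entry survives parsing (matching the missing `/*` resource seen in the console), and prints the list-form document, which parses with no duplicates and resolves to both the bucket ARN and the `/*` object ARN.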

Update Existing Cognito User Pool Group via CDK

Hi, I have a Cognito User Pool with a user group. This simple configuration deploys fine the first time. Any subsequent attempts to run `cdk deploy` with or without changes error out with a `group already exists in stack` error. I'm using Java for my CDK. Here's the code I'm using to create the user pool + group:

```java
public void generateStack() {
    // Create User Pool
    UserPool userPool = Builder.create(scope, "some-id")
        .accountRecovery(AccountRecovery.EMAIL_ONLY)
        .autoVerify(AutoVerifiedAttrs.builder()
            .email(true)
            .phone(false)
            .build())
        .email(UserPoolEmail.withCognito(REPLY_TO_EMAIL))
        .enableSmsRole(false)
        .mfa(Mfa.OFF)
        .passwordPolicy(PasswordPolicy.builder()
            .minLength(8)
            .requireDigits(true)
            .requireLowercase(true)
            .requireUppercase(true)
            .tempPasswordValidity(Duration.days(TEMP_PWD_VALIDITY_IN_DAYS))
            .build())
        .removalPolicy(RemovalPolicy.RETAIN)
        .selfSignUpEnabled(true)
        .signInAliases(SignInAliases.builder()
            .email(true)
            .phone(false)
            .preferredUsername(false)
            .username(false)
            .build())
        .signInCaseSensitive(false)
        .standardAttributes(StandardAttributes.builder()
            .email(StandardAttribute.builder()
                .mutable(false)
                .required(true)
                .build())
            .givenName(StandardAttribute.builder()
                .mutable(true)
                .required(true)
                .build())
            .familyName(StandardAttribute.builder()
                .mutable(true)
                .required(true)
                .build())
            .phoneNumber(StandardAttribute.builder()
                .mutable(true)
                .required(true)
                .build())
            .build())
        .userPoolName("some-pool-name")
        .build();

    Role adminRole = Role.Builder.create(scope, "role-id")
        .roleName("admin-role")
        .assumedBy(new AccountRootPrincipal())
        .description("This is a full access admin role for Ops Team")
        .maxSessionDuration(Duration.hours(12))
        .managedPolicies(List.of(ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess")))
        .build();

    // Add admin group
    new CfnUserPoolGroup(scope, "admin-users", CfnUserPoolGroupProps.builder()
        .description("Admin group for the Ops team")
        .groupName("admin-ops")
        .precedence(0)
        .roleArn(adminRole.getRoleArn())
        .userPoolId(userPool.getUserPoolId())
        .build());
}
```

Is there a way to stop CDK from trying to create a group if it already exists in the stack?

Thanks, Kunal
0 answers · 0 votes · 12 views · asked 8 days ago

Failure in Cloudformation template [CommandRunner] while running CLI command for Cloudtrail

Hi Guys, I am trying to run a CLI command to update a CloudTrail but the stack is getting failed. The requirement is to apply advanced data events to an existing CloudTrail. Please find below the details of the CF template:

1. CF template

```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  UpdateTrail:
    Type: AWSUtility::CloudFormation::CommandRunner
    Properties:
      Role: ec2-role-name
      SubnetId: subnet-XXXXXXXXX
      LogGroup: log-group-name
      Command: aws cloudtrail put-event-selectors --trail-name XXXX --region XXXX \
        --advanced-event-selectors....
```

2. Error

```
Resource handler returned message: "Either the command failed to execute, the value written to /command-output.txt was invalid or the Subnet specified did not have internet access. The value written to /command-output.txt must be a non-empty single word value without quotation marks. Check cloud-init.log in the LogGroup specified for more information."
```

3. CLI command

```shell
aws cloudtrail put-event-selectors --trail-name XXXX --region XXXX --advanced-event-selectors '[
  {
    "Name": "S3EventSelector",
    "FieldSelectors": [
      { "Field": "eventCategory", "Equals": ["Data"] },
      { "Field": "resources.type", "Equals": ["AWS::S3::Object"] },
      { "Field": "eventName", "Equals": ["PutObject", "DeleteObject"] },
      { "Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::XX", "arn:aws:s3:::XX"] }
    ]
  }
]'
```

Note: The command runs successfully in the CLI. The pre-requisites for CommandRunner are installed. Also, the subnet specified does have internet access. I sense it might be an issue with the command format or maybe something else. Any assistance would be appreciated. Thanks
1 answer · 0 votes · 43 views · Pradnya asked 9 days ago