I've created a lambda and EventBridge stack with cloudformation, I have two lambda with exact same cloudformation template with different cron expressions, one is cron(0 8 1 * ? *) for every month 8:00Am and one is cron(0 16 ? * 2 *) for every monday 4:00Pm, but my lambda are not logging means they haven't been executed, here's the cloudformation template.yml:
Transform: AWS::Serverless-2016-10-31
Parameters:
ImageUri:
Type: String
LambdaName:
Type: String
RoleName:
Type: String
DatabaseHost:
Type: String
DatabaseUsername:
Type: String
DatabasePassword:
Type: String
DatabaseName:
Type: String
SQSQueueUrl:
Type: String
Resources:
LogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Join ['/', ['/aws/lambda', !Ref LambdaName]]
ScheduledRule:
Type: AWS::Events::Rule
Properties:
Description: "Montly Collision Cronjob"
ScheduleExpression: "cron(0 8 1 * ? *)"
State: "ENABLED"
Targets:
-
Arn:
Fn::GetAtt:
- LambdaFunction
- Arn
Id: !Join
- ''
- - "monthly-collision-cronjob"
- !Ref LambdaName
LambdaPermission:
Type: "AWS::Lambda::Permission"
Properties:
Action: "lambda:InvokeFunction"
FunctionName: !Join
- ''
- - !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:"
- !Ref LambdaName
Principal: "events.amazonaws.com"
SourceArn: !GetAtt ScheduledRule.Arn
LambdaRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Ref RoleName
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Version: 2012-10-17
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole # For cloudwatch logging
- arn:aws:iam::aws:policy/AmazonSQSFullAccess
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Ref LambdaName
PackageType: Image
MemorySize: 256
Timeout: 45
ImageUri: !Ref ImageUri
Environment:
Variables:
DATABASE_HOST: !Ref DatabaseHost
DATABASE_USERNAME: !Ref DatabaseUsername
DATABASE_PASSWORD: !Ref DatabasePassword
DATABASE_NAME: !Ref DatabaseName
SQS_QUEUE_URL: !Ref SQSQueueUrl
Role: !GetAtt
- LambdaRole
- Arn
Any help is more than welcome!
First of all, what you can do to save code is to directly use the Event property of the serverless function:
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Ref LambdaName
PackageType: Image
MemorySize: 256
Timeout: 45
ImageUri: !Ref ImageUri
Environment:
Variables:
DATABASE_HOST: !Ref DatabaseHost
DATABASE_USERNAME: !Ref DatabaseUsername
DATABASE_PASSWORD: !Ref DatabasePassword
DATABASE_NAME: !Ref DatabaseName
SQS_QUEUE_URL: !Ref SQSQueueUrl
Role: !GetAtt
- LambdaRole
- Arn
Events:
EveryFirstOfTheMonth:
Type: Schedule
Properties:
Schedule: cron(0 8 1 * ? *)
Your cron expressions look right, I am not sure what the problem is, but maybe you can try this solution and it works.
Related
I try to import a resource's arn string from another cloudformation stack's output. But I get this error:
mapping values are not allowed here
in "<unicode string>", line 22, column 28:
Role: Fn::ImportValue: LocalLambdaExecRole.Arn
^ (line: 22)
Stack 1 with the output:
Resources:
LocalLambdaExecRole:
Type: AWS::IAM::Role
Properties:
RoleName: LocalLambdaExecRole
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Outputs:
LocalLambdaExecRole:
Description: Lambda Execution Role
Value: !Ref LocalLambdaExecRole
Export:
Name: !Sub "${AWS::StackName}-LocalLambdaExecRole"
And in stack 2 I want to import the Arn from the LocalLambdaExecRole:
Resources:
LogGroup:
Type: "AWS::Logs::LogGroup"
Properties:
LogGroupName: "TestGroup"
HtmlRendererFunction:
Type: AWS::Lambda::Function
Properties:
FunctionName: "TestLambda"
Role: !ImportValue: LocalLambdaExecRole.Arn
Runtime: python3.9
Architectures:
- arm64
Handler: app.handler
Timeout: 40
MemorySize: 8000
PackageType: Image
Code:
ImageUri: "123.dkr.ecr.eu-west-1.amazonaws.com/test:latest"
VpcConfig:
SecurityGroupIds:
- sg-0e640b53f5ba70c4e
SubnetIds:
- subnet-037112f9a752f20c8
- subnet-0abd66e55d4b9f967
- subnet-053e223fd30ba07de
How do I properly import the LocalLambdaExecRole.Arn? I have a hard time wrapping my head around the syntax here.
Instead of
Role: !ImportValue: LocalLambdaExecRole.Arn
it should be:
Role: !ImportValue LocalLambdaExecRole
and your output should be:
Outputs:
LocalLambdaExecRole:
Description: Lambda Execution Role
Value: !GetAtt LocalLambdaExecRole.Arn
Export:
Name: !Sub "${AWS::StackName}-LocalLambdaExecRole"
I am trying to set-up a websocket gateway to a Lambda function in AWS. When I do this manually I can successfully deploy the websocket and try it out using wscat. However I would like to build the architecture up using CloudFormation.
The structure of my CloudFormation yaml file looks like this:
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
lambdaRole:
Type: String
Default: ...
backendRole:
Type: String
Default: ...
lambdaImage:
Type: String
Default: ...
Resources:
MyLambdaFunction:
Type: AWS::Lambda::Function
Properties:
Code:
ImageUri: !Sub ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${backendRole}:${lambdaImage}
Description: lambda connect function
FunctionName: myLambdaFunction
MemorySize: 128
Role: !Sub arn:aws:iam::${AWS::AccountId}:role/${lambdaRole}
Timeout: 3
PackageType: Image
MyWebSocket:
Type: AWS::ApiGatewayV2::Api
Properties:
Name: MyWebSocket
ProtocolType: WEBSOCKET
RouteSelectionExpression: $request.body.action
MyIntegration:
Type: AWS::ApiGatewayV2::Integration
Properties:
ApiId: !Ref MyWebSocket
Description: Lambda Integration
IntegrationType: AWS_PROXY
IntegrationUri: !Join
- ''
- - 'arn:'
- !Ref 'AWS::Partition'
- ':apigateway:'
- !Ref 'AWS::Region'
- ':lambda:path/2015-03-31/functions/'
- !GetAtt MyLambdaFunction.Arn
- /invocations
IntegrationMethod: POST
MyConnectRoute:
Type: AWS::ApiGatewayV2::Route
Properties:
ApiId: !Ref MyWebSocket
RouteKey: $connect
Target: !Join
- /
- - integrations
- !Ref MyIntegration
MyDefaultRoute:
Type: AWS::ApiGatewayV2::Route
Properties:
ApiId: !Ref MyWebSocket
RouteKey: $default
Target: !Join
- /
- - integrations
- !Ref MyIntegration
MyResponseRoute:
Type: AWS::ApiGatewayV2::Route
Properties:
ApiId: !Ref MyWebSocket
RouteKey: add
RouteResponseSelectionExpression: $default
Target: !Join
- /
- - integrations
- !Ref MyIntegration
MyRouteResponse:
Type: AWS::ApiGatewayV2::RouteResponse
Properties:
RouteId: !Ref MyResponseRoute
ApiId: !Ref MyWebSocket
RouteResponseKey: $default
MyIntegrationResponse:
Type: AWS::ApiGatewayV2::IntegrationResponse
Properties:
IntegrationId: !Ref MyIntegration
IntegrationResponseKey: /201/
ApiId: !Ref MyWebSocket
testStage:
Type: AWS::ApiGatewayV2::Stage
DependsOn:
- MyConnectRoute
- MyDefaultRoute
- MyResponseRoute
Properties:
ApiId: !Ref MyWebSocket
StageName: testStage
MyDeployment:
Type: AWS::ApiGatewayV2::Deployment
Properties:
ApiId: !Ref MyWebSocket
Description: My Deployment
StageName: !Ref testStage
The stack is build without any errors and (almost) everything looks like I intended. However other than in the manually build version the integration of the Lambda function into the websocket does not seem to add the required trigger for the Lambda function. When I manually add a Lambda function to an API Gateway, this automatically adds the trigger.
What do I need to change in my CloudFormation Yaml file to also add the trigger to the Lambda function?
Trigger automatically added to Lambda function when Lambda function is manually added to API Gateway:
No trigger added when Lambda function is added to API Gateway using CloudFormation:
It looks like you may just need to include the Lambda permission for api gateway.
LambdaFunctionPermission:
Type: "AWS::Lambda::Permission"
Properties:
Action: "lambda:InvokeFunction"
Principal: apigateway.amazonaws.com
FunctionName: !Ref MyLambdaFunction
DependsOn: MyWebSocket
If you are having issues with Cloudformation creation it would probably be helpful to also create an account config for logging and chain the dependsOn order of the gateway resources like this.
ApiGwAccountConfig:
Type: "AWS::ApiGateway::Account"
Properties:
CloudWatchRoleArn: !GetAtt "rRoleForCloudtrail.Arn"
rRoleForCloudtrail:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- apigateway.amazonaws.com
Action:
- sts:AssumeRole
Policies:
-
PolicyName: "apigateway-cloudwatch"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:DescribeLogGroups
- logs:DescribeLogStreams
- logs:PutLogEvents
- logs:GetLogEvents
- logs:FilterLogEvents
Resource: "*"
testStage:
Type: AWS::ApiGatewayV2::Stage
Properties:
ApiId: !Ref MyWebSocket
StageName: testStage
DefaultRouteSettings:
DetailedMetricsEnabled: true
LoggingLevel: INFO
DataTraceEnabled: true
DependsOn: ApiGwAccountConfig
MyDeployment:
Type: AWS::ApiGatewayV2::Deployment
DependsOn:
- MyConnectRoute
- MyDefaultRoute
- MyResponseRoute
Properties:
ApiId: !Ref MyWebSocket
Description: My Deployment
StageName: !Ref testStage
I guess you need AWS::Lambda::Permission resource, e.g.:
LambdaPermission:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:invokeFunction
FunctionName: !GetAtt MyLambdaFunction.Arn
Principal: apigateway.amazonaws.com
SourceArn:
Fn::Join:
- ''
- - 'arn:aws:execute-api:'
- Ref: AWS::Region
- ":"
- Ref: AWS::AccountId
- ":"
- Ref: MyWebSocket
- "/*"
It may need some tweaking - it works with AWS::ApiGateway::RestApi, not sure if there is difference for AWS::ApiGatewayV2::Api.
Please help. I have an AWS Lambda defined in an AWS SAM YAML file that has been deployed but does not create the event source along with it. Please, what could I likely be missing here? I have already tried adding certain permissions to the SQS and SQSPoller permissions to the Lambda but that did not work. I have already spent too much time on this already. Thank you very much
BootstrapFunction:
Type: AWS::Serverless::Function
Properties:
PackageType: Zip
FunctionName: !Sub '${appName}-${env}-${sourceCodeName}-bootstrap'
CodeUri:
Bucket: !Ref sourceCodeBucketName
Key: !Sub '${sourceCodeName}/${sourceCodeTag}.zip'
Description: Bootstrap the Project State Machine
Handler: build/src/bootstrapHandler.bootstrap
Policies:
- AWSLambdaExecute
Runtime: nodejs14.x
MemorySize: 1024
Timeout: 30
Environment:
Variables:
LOG_LEVEL: 'debug'
REGION: !Ref AWS::Region
VpcConfig:
SecurityGroupIds:
- !Ref clusterSecurityGroupId
SubnetIds: !Ref subnetIds
Events:
BootstrapFunctionSQSEvent:
Type: SQS
Properties:
Queue: !GetAtt TaskQueue.Arn
BatchSize: 1
Enabled: true
TaskQueue:
Type: AWS::SQS::Queue
Properties:
QueueName: !Sub '${appName}-${env}-${sourceCodeName}-task'
MessageRetentionPeriod: !Ref sqsMessageRetentionSeconds
RedrivePolicy:
deadLetterTargetArn: !GetAtt TaskDlQueue.Arn
maxReceiveCount: !Ref maxReceiveCountForDlq
TaskQueueWritePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Sub '${appName}-${env}-${sourceCodeName}-task-queue-write-policy'
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AllowQueueAccess
Effect: Allow
Action:
- sqs:SendMessage
- sqs:ChangeMessageVisibility
Resource:
- !GetAtt TaskQueue.Arn
TaskQueueReadPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Sub '${appName}-${env}-${sourceCodeName}-task-queue-read-policy'
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AllowQueueAccess
Effect: Allow
Action:
- sqs:ChangeMessageVisibility
- sqs:ReceiveMessage
- sqs:DeleteMessage
Resource:
- !GetAtt TaskQueue.Arn
Events should be indented underneath Properties in your BootstrapFunction resource:
BootstrapFunction:
Type: AWS::Serverless::Function
Properties:
PackageType: Zip
FunctionName: !Sub '${appName}-${env}-${sourceCodeName}-bootstrap'
CodeUri:
Bucket: !Ref sourceCodeBucketName
Key: !Sub '${sourceCodeName}/${sourceCodeTag}.zip'
Description: Bootstrap the Project State Machine
Handler: build/src/bootstrapHandler.bootstrap
Policies:
- AWSLambdaExecute
Runtime: nodejs14.x
MemorySize: 1024
Timeout: 30
Environment:
Variables:
LOG_LEVEL: 'debug'
REGION: !Ref AWS::Region
VpcConfig:
SecurityGroupIds:
- !Ref clusterSecurityGroupId
SubnetIds: !Ref subnetIds
Events:
BootstrapFunctionSQSEvent:
Type: SQS
Properties:
Queue: !GetAtt TaskQueue.Arn
BatchSize: 1
Enabled: true
I'm creating a pipeline with AWS Codepipeline which deploys a lambda function with a cloudformation template, here's my template:
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Parameters:
ImageUri:
Type: String
LambdaName:
Type: String
RoleName:
Type: String
DatabaseName:
Type: String
DatabasePassword:
Type: String
DatabasePort:
Type: String
DatabaseURL:
Type: String
DatabaseUsername:
Type: String
Resources:
LambdaRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Ref RoleName
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Version: 2012-10-17
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonS3FullAccess
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Ref LambdaName
PackageType: Image
MemorySize: 256
Timeout: 5
ImageUri: !Ref ImageUri
Environment:
Variables:
DATABASE_DATABASE: !Ref DatabaseName
DATABASE_PASSWORD: !Ref DatabasePassword
DATABASE_PORT: !Ref DatabasePort
DATABASE_URL: !Ref DatabaseURL
DATABASE_USERNAME: !Ref DatabaseUsername
Role:
Fn::GetAtt:
- LambdaRole
- Arn
I'm trying to add override parmeters in codepipeline deployment stage under advanced but when I release changes it tells me that
"ParameterOverrides property is not valid".
Any help?!
I am trying to deploy a CloudFormation template for two lambdas and an elastic IP.
I am not sure how to fix this error in my template:
Fn::GetAtt object requires two non-empty parameters
Would you be able to give me some insights please ?
What are some best practices to debug a CloudFormation template ?
AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Description:
Parameters:
PrivateSubnets:
Type: AWS::SSM::Parameter::Value<List<AWS::EC2::Subnet::Id>>
Default: /vpc/subnets/private-ids
VpcId:
Type: AWS::SSM::Parameter::Value<AWS::EC2::VPC::Id>
Default: /vpc/id
LogLevel:
Type: String
AllowedValues:
- debug
- warn
- info
- error
- critical
Default: debug
Xray:
Type: String
AllowedValues:
- Active
- PassThrough
Default: Active
Globals:
Function:
AutoPublishAlias: live
Runtime: nodejs10.x
Tracing:
Ref: Xray
Environment:
Variables:
NODE_ENV: production
LOG_LEVEL:
Ref: LogLevel
ALB_ENDPOINT:
Fn::GetAtt:
- LoadBalancer
- DNSName
SECRETS_ID:
Ref: ServiceSecrets
Resources:
ServiceSecrets:
Type: AWS::SecretsManager::Secret
Properties:
KmsKeyId:
Fn::ImportValue: kms-default-key-id
Description:
Ref: AWS::StackName
SecretString: '{ "refresh_token": "abc", "id_token": "abc" }'
LambdaPolicyCommon:
Type: AWS::IAM::ManagedPolicy
Properties:
Path: /
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- secretsmanager:GetSecretValue
Resource:
Ref: ServiceSecrets
- Effect: Allow
Action:
- kms:GenerateDataKey
- kms:Decrypt
Resource:
Fn::ImportValue: kms-default-key-arn
LambdaFunctionCronJob:
Type: AWS::Serverless::Function
Properties:
ReservedConcurrentExecutions: 1
CodeUri: s3://s3bucket-881
Handler: index.handler
Timeout: 60
Policies:
- Ref: LambdaPolicyCommon
- Fn::ImportValue: iam-policy-lambda-common-arn
VpcConfig:
SubnetIds:
Ref: PrivateSubnets
SecurityGroupIds:
- Ref: LoadBalancerSecurityGroup
Events:
Cron:
Type: Schedule
Properties:
Schedule: rate(1 minute)
LambdaFunctionProxy:
Type: AWS::Serverless::Function
Properties:
ReservedConcurrentExecutions: 1
CodeUri: s3://cicd-buildartifactsbucket-3d345d2c
Handler: index.handler
Timeout: 60
Policies:
- Ref: LambdaPolicyCommon
- Fn::ImportValue: iam-policy-lambda-common-arn
LoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Scheme: internal
Subnets:
Ref: PrivateSubnets
SecurityGroups:
- Ref: LoadBalancerSecurityGroup
TargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
DependsOn: AlbLambdaFunctionInvokePermission
Properties:
TargetType: lambda
Targets:
- Id:
Fn::GetAtt:
- LambdaFunctionCronJob
- Alias
HttpListener:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- TargetGroupArn:
Ref: TargetGroup
Type: forward
LoadBalancerArn:
Ref: LoadBalancer
Port: 80
Protocol: HTTP
LoadBalancerSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: group description
VpcId:
Ref: VpcId
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
AlbLambdaFunctionInvokePermission:
Type: AWS::Lambda::Permission
Properties:
FunctionName:
Fn::GetAtt:
- LambdaFunctionProxy
- Alias
Action: lambda:InvokeFunction
Principal: elasticloadbalancing.amazonaws.com
Try to change:
Fn::GetAtt:
- LambdaFunctionProxy
- Alias
To:
Fn::GetAtt:
- "LambdaFunctionProxy"
- "Alias"
You should either use full function name:
Fn::GetAtt: [ LoadBalancer, DNSName ]
or short form:
!GetAtt LoadBalancer.DNSName
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html
From AWS Support
For serverless function alias can be referenced as "Ref": "MyLambdaFunction.Alias"
Since for serverless function cloudformation does not accept the format logical name, attribute name it is finding ''alias" attribute as empty
and it does not resolve it
It will need to be mentionned like this:
Properties:
FunctionName: !Ref LambdaFunctionProxyToHc.Alias