We Keep Coding

How to use !ImportValue on a resource's Arn string in Cloudformation

I try to import a resource's arn string from another cloudformation stack's output. But I get this error:
mapping values are not allowed here
in "<unicode string>", line 22, column 28:
Role: Fn::ImportValue: LocalLambdaExecRole.Arn
^ (line: 22)
Stack 1 with the output:
Resources:
LocalLambdaExecRole:
Type: AWS::IAM::Role
Properties:
RoleName: LocalLambdaExecRole
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Outputs:
LocalLambdaExecRole:
Description: Lambda Execution Role
Value: !Ref LocalLambdaExecRole
Export:
Name: !Sub "${AWS::StackName}-LocalLambdaExecRole"
And in stack 2 I want to import the Arn from the LocalLambdaExecRole:
Resources:
LogGroup:
Type: "AWS::Logs::LogGroup"
Properties:
LogGroupName: "TestGroup"
HtmlRendererFunction:
Type: AWS::Lambda::Function
Properties:
FunctionName: "TestLambda"
Role: !ImportValue: LocalLambdaExecRole.Arn
Runtime: python3.9
Architectures:
- arm64
Handler: app.handler
Timeout: 40
MemorySize: 8000
PackageType: Image
Code:
ImageUri: "123.dkr.ecr.eu-west-1.amazonaws.com/test:latest"
VpcConfig:
SecurityGroupIds:
- sg-0e640b53f5ba70c4e
SubnetIds:
- subnet-037112f9a752f20c8
- subnet-0abd66e55d4b9f967
- subnet-053e223fd30ba07de
How do I properly import the LocalLambdaExecRole.Arn? I have a hard time wrapping my head around the syntax here.

Instead of
Role: !ImportValue: LocalLambdaExecRole.Arn
it should be:
Role: !ImportValue LocalLambdaExecRole
and your output should be:
Outputs:
LocalLambdaExecRole:
Description: Lambda Execution Role
Value: !GetAtt LocalLambdaExecRole.Arn
Export:
Name: !Sub "${AWS::StackName}-LocalLambdaExecRole"

Every-Monday and Every-month cron expression doesn't work properly

I've created a lambda and EventBridge stack with cloudformation, I have two lambda with exact same cloudformation template with different cron expressions, one is cron(0 8 1 * ? *) for every month 8:00Am and one is cron(0 16 ? * 2 *) for every monday 4:00Pm, but my lambda are not logging means they haven't been executed, here's the cloudformation template.yml:
Transform: AWS::Serverless-2016-10-31
Parameters:
ImageUri:
Type: String
LambdaName:
Type: String
RoleName:
Type: String
DatabaseHost:
Type: String
DatabaseUsername:
Type: String
DatabasePassword:
Type: String
DatabaseName:
Type: String
SQSQueueUrl:
Type: String
Resources:
LogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Join ['/', ['/aws/lambda', !Ref LambdaName]]
ScheduledRule:
Type: AWS::Events::Rule
Properties:
Description: "Montly Collision Cronjob"
ScheduleExpression: "cron(0 8 1 * ? *)"
State: "ENABLED"
Targets:
-
Arn:
Fn::GetAtt:
- LambdaFunction
- Arn
Id: !Join
- ''
- - "monthly-collision-cronjob"
- !Ref LambdaName
LambdaPermission:
Type: "AWS::Lambda::Permission"
Properties:
Action: "lambda:InvokeFunction"
FunctionName: !Join
- ''
- - !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:"
- !Ref LambdaName
Principal: "events.amazonaws.com"
SourceArn: !GetAtt ScheduledRule.Arn
LambdaRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Ref RoleName
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Version: 2012-10-17
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole # For cloudwatch logging
- arn:aws:iam::aws:policy/AmazonSQSFullAccess
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Ref LambdaName
PackageType: Image
MemorySize: 256
Timeout: 45
ImageUri: !Ref ImageUri
Environment:
Variables:
DATABASE_HOST: !Ref DatabaseHost
DATABASE_USERNAME: !Ref DatabaseUsername
DATABASE_PASSWORD: !Ref DatabasePassword
DATABASE_NAME: !Ref DatabaseName
SQS_QUEUE_URL: !Ref SQSQueueUrl
Role: !GetAtt
- LambdaRole
- Arn
Any help is more than welcome!

First of all, what you can do to save code is to directly use the Event property of the serverless function:
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Ref LambdaName
PackageType: Image
MemorySize: 256
Timeout: 45
ImageUri: !Ref ImageUri
Environment:
Variables:
DATABASE_HOST: !Ref DatabaseHost
DATABASE_USERNAME: !Ref DatabaseUsername
DATABASE_PASSWORD: !Ref DatabasePassword
DATABASE_NAME: !Ref DatabaseName
SQS_QUEUE_URL: !Ref SQSQueueUrl
Role: !GetAtt
- LambdaRole
- Arn
Events:
EveryFirstOfTheMonth:
Type: Schedule
Properties:
Schedule: cron(0 8 1 * ? *)
Your cron expressions look right, I am not sure what the problem is, but maybe you can try this solution and it works.

How to add S3 trigger for existing bucket to lambda function in cloudformation

I'm trying to create a template.yml for a lambda function pipeline, this is my template:
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Parameters:
ImageUri:
Type: String
LambdaName:
Type: String
RoleName:
Type: String
BucketName:
Type: String
Resources:
S3Bucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
Properties:
BucketName: !Ref BucketName
AllowS3ToCallLambdaPermission:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: !Ref LambdaFunction
Principal: s3.amazonaws.com
SourceArn: !GetAtt S3Bucket.Arn
LambdaRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Ref RoleName
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Version: 2012-10-17
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonS3FullAccess
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Ref LambdaName
PackageType: Image
MemorySize: 256
Timeout: 5
ImageUri: !Ref ImageUri
Events:
S3Bucket:
Type: S3
Properties:
Bucket: !Ref S3Bucket
Events: 's3:ObjectCreated:*'
Role:
Fn::GetAtt:
- LambdaRole
- Arn
This template contains an S3 event, with the template above it tries to create a new bucket. Is there a way to specify an existing bucket for the trigger?
No matter how much I tried to make LambdaFunction resource to use an existing S3 bucket, I failed.

Export with name ExRole is already exported by stack Root-role

I want to reuse this template but it when I up this template using nested stack it gives an error Export with name ExRole is already exported by stack Root-role. How can I improve the reuseability of the template. So that I can deploy same template in Prod, dev and other environments. I have tried using environment variable in the names of the role but how can I use it in the output and if the output is to be used in next template what should be the syntax?
Role:
---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
Env:
Type: String
Resources:
ExRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ecs-tasks.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
RoleName: !Sub "excutionrole-${Env}"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
Policies:
- PolicyName: AccessECR
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- ecr:BatchGetImage
- ecr:GetAuthorizationToken
- ecr:GetDownloadUrlForLayer
Resource: '*'
ContainerInstanceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
Path: '/'
RoleName: !Sub "ContainerInstanceRole-${Env}"
InstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Roles:
- !Ref ContainerInstanceRole
Outputs:
ExRole:
Description: Task excution role
Value: !Ref ExRole
Export:
Name: "ExRole"
InstanceProfile:
Description: profile for container instances
Value: !Ref InstanceProfile
Export:
Name: "InstanceProfile"
Task:
---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
ExRole:
Type: String
RDS:
Type: String
DBUSER:
Type: String
Default: mysqldb
DBPASSWORD:
Type: String
Default: 1234123a
DBNAME:
Type: String
Default: mysqldb
Resources:
Task:
Type: AWS::ECS::TaskDefinition
Properties:
Family: wordpress
Cpu: 1 vCPU
ExecutionRoleArn: !Ref ExRole
Memory: 1 GB
NetworkMode: bridge
RequiresCompatibilities:
- EC2
TaskRoleArn: !Ref ExRole
ContainerDefinitions:
- Essential: true
Image: wordpress:latest
Name: wordpress
PortMappings:
- ContainerPort: 80
HostPort: 0
Protocol: tcp
Environment:
- Name: WORDPRESS_DB_HOST
Value: !Ref RDS
- Name: WORDPRESS_DB_USER
Value: !Ref DBUSER
- Name: WORDPRESS_DB_PASSWORD
Value: !Ref DBPASSWORD
- Name: WORDPRESS_DB_NAME
Value: !Ref DBNAME
Outputs:
Task:
Description: Contains all the task specifications
Value: !Ref Task
Export:
Name: "Task"
Root:
Resources:
Vpcstack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: !Sub "https://${bucketname}.s3.us-east-2.amazonaws.com${bucketpath}/vpc.yml"
Parameters:
Env: !Ref Env
Cidr: !Ref Cidr
Publicsubnet1: !Ref Publicsubnet1
Publicsubnet2: !Ref Publicsubnet2
Privatesubnet1: !Ref Privatesubnet1
Privatesubnet2: !Ref Privatesubnet2
role:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: !Sub "https://${bucketname}.s3.us-east-2.amazonaws.com${bucketpath}/role.yml"
Parameters:
Env: !Ref Env

Generally when people use output, if the template is being used multiple times within the same parent stack they will prefix the export with a variable (such as the stack name) to make it unique.
This can be done using the sub intrinsic function such as in the example below
Outputs:
ExRole:
Description: Task excution role
Value: !Ref ExRole
Export:
Name: !Sub "${AWS::StackName}-ExRole"
InstanceProfile:
Description: profile for container instances
Value: !Ref InstanceProfile
Export:
Name: !Sub "${AWS::StackName}-InstanceProfile"
Then you would need to pass in this stack ID value as a parameter into the nested stack that needs to reference this file. This would again used the sub intrinsic function to reference the export name.
To get this value in the ImportValue intrinsic function you would reference it like below, to do this you would need to pass the stack name as a parameter to the stack:
Fn::ImportValue: !Sub "${NestedStack}-ExRole"
If you call the other stack from the parent stack you can ignore exporting and instead pass the output into the next stack using the GetAtt intrinsic function instead.
Resources:
Vpcstack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: !Sub "https://${bucketname}.s3.us-east-2.amazonaws.com${bucketpath}/vpc.yml"
Parameters:
Env: !Ref Env
Cidr: !Ref Cidr
Publicsubnet1: !Ref Publicsubnet1
Publicsubnet2: !Ref Publicsubnet2
Privatesubnet1: !Ref Privatesubnet1
Privatesubnet2: !Ref Privatesubnet2
role:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: !Sub "https://${bucketname}.s3.us-east-2.amazonaws.com${bucketpath}/role.yml"
Parameters:
Env: !Ref Env
dbStack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: !Sub "https://${bucketname}.s3.us-east-2.amazonaws.com${bucketpath}/db.yml"
Parameters:
Role: !GetAtt role.Outputs.ExRole
You can also use the syntax of Fn::GetAtt: [role, Outputs.ExRole] also valid syntax.

Template contains errors.: Invalid template resource property 'Fn::ImportValue'

I have A template that creates IAM roles In cloud Formation YAML. I need service Anr in next template, But I am getting this error.
Template contains errors.: Invalid template resource property 'Fn::ImportValue'
IAMStack
Resources:
CodeDeployTrustRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Sid: '1'
Effect: Allow
Principal:
Service:
- codedeploy.us-east-1.amazonaws.com
- codedeploy.us-west-2.amazonaws.com
Action: sts:AssumeRole
Path: "/"
CodeDeployRolePolicies:
Type: AWS::IAM::Policy
Properties:
PolicyName: CodeDeployPolicy
PolicyDocument:
Statement:
- Effect: Allow
Resource:
- "*"
Action:
- ec2:Describe*
- Effect: Allow
Resource:
- "*"
Action:
- autoscaling:CompleteLifecycleAction
- autoscaling:DeleteLifecycleHook
- autoscaling:DescribeLifecycleHooks
- autoscaling:DescribeAutoScalingGroups
- autoscaling:PutLifecycleHook
- autoscaling:RecordLifecycleActionHeartbeat
Roles:
- Ref: CodeDeployTrustRole
InstanceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
InstanceRolePolicies:
Type: AWS::IAM::Policy
Properties:
PolicyName: InstanceRole
PolicyDocument:
Statement:
- Effect: Allow
Action:
- autoscaling:Describe*
- autoscaling:EnterStandby
- autoscaling:ExitStandby
- cloudformation:Describe*
- cloudformation:GetTemplate
- s3:Get*
Resource: "*"
Roles:
- Ref: InstanceRole
InstanceRoleInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- Ref: InstanceRole
Outputs:
CodeDeployServiceRoleARN:
Value:
Fn::GetAtt:
- CodeDeployTrustRole
- Arn
==================================================================================
CodeDeploystack
---
AWSTemplateFormatVersion: '2010-09-09'
Description: This template will create an s3bucket
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicRead
BucketName: CodeDeploy
CodeDeployApplication:
Type: 'AWS::CodeDeploy::Application'
Properties:
ComputePlatform: ec2
DeploymentGroup:
Type: AWS::CodeDeploy::DeploymentGroup
Properties:
ApplicationName:
!Ref CodeDeployApplication
Deployment:
Description: First time
IgnoreApplicationStopFailures: true
Revision:
RevisionType: S3
S3Location:
Bucket:
Ref: S3Bucket
ServiceRoleArn:
'Fn::ImportValue': !Sub '${IAMStack}-CodeDeployServiceRoleARN'
Outputs:
S3BucketName:
Value:
Ref: S3Bucket
Description: Name of S3 bucket

I tried rewriting your second template with the import function. Can you try something like this:
AWSTemplateFormatVersion: '2010-09-09'
Description: This template will create an s3bucket
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: PublicRead
BucketName: CodeDeploy
CodeDeployApplication:
Type: "AWS::CodeDeploy::Application"
Properties:
ComputePlatform: ec2
DeploymentGroup:
Type: AWS::CodeDeploy::DeploymentGroup
Properties:
ApplicationName: !Ref CodeDeployApplication
Deployment:
Description: First time
IgnoreApplicationStopFailures: true
Revision:
RevisionType: S3
S3Location: !Ref S3Bucket
ServiceRoleArn:
Fn::ImportValue:
Fn::Sub "${IAMStack}-CodeDeployServiceRoleARN"
Outputs:
S3BucketName:
Value: !Ref S3Bucket
Description: Name of S3 bucket
I think some quotes may be off in your version.

Issue fixed, I just change the region