I am trying to add auto-scaling to multiple Dynamodb tables, since all the tables would have the same pattern for the auto-scaling configuration.
I can of course create scalableTarget again and again but it’s repetitive.
I was wondering if it is possible to re-use the scalable targets
"DDBTable": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"TableName": "Banner_v1",
...
}
},
"WriteCapacityScalableTarget": {
"Type": "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties": {
"MaxCapacity": 15,
"MinCapacity": 5,
"ResourceId": {
"Fn::Join": [
"/",
[
"table",
{
"Ref": "DDBTable"
}
]
]
},
"RoleARN": {
"Fn::ImportValue" : "ScalingRoleArn"
},
"ScalableDimension": "dynamodb:table:WriteCapacityUnits",
"ServiceNamespace": "dynamodb"
}
},
"WriteScalingPolicy": {
"Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
"Properties": {
"PolicyName": "WriteAutoScalingPolicy",
"PolicyType": "TargetTrackingScaling",
"ScalingTargetId": {
"Ref": "WriteCapacityScalableTarget"
},
"TargetTrackingScalingPolicyConfiguration": {
"TargetValue": 50,
"ScaleInCooldown": 60,
"ScaleOutCooldown": 60,
"PredefinedMetricSpecification": {
"PredefinedMetricType": "DynamoDBWriteCapacityUtilization"
}
}
}
},
Tried this but not working.
"WriteCapacityScalableTarget": {
"Type": "AWS::ApplicationAutoScaling::ScalableTarget",
"Properties": {
"ResourceId": {
...
"Fn::Join": [
"/",
[
"table",
{
"Ref": "DDBTable"
},
"table",
{
"Ref": "AnotherTable2"
}
]
]
},
...
}
I can of course create scalableTarget again and again but it’s repetitive
Using plain CFN, this is how you have to do it. The reason is that ResourceId is just a string, rather then a list of strings.
The only other alternative in CFN would be to use custom resource or macros. In both cases you would have to develop some lambda function to do automatically the repetitive stuff.
Related
Error:
Template is undeployable, these resources have a dependency cycle: efsVpcAccessGroupfromtestwfmIngestionStackathenaHandlerSecurityGroup1FCBA9852049987DD57E -> IngestionStackNestedStackIngestionStackNestedStackResource9E86246D -> efsVpcAccessGroupfromtestwfmIngestionStackathenaHandlerSecurityGroup1FCBA9852049987DD57E:
{
"efsVpcAccessGroupfromtestwfmIngestionStackathenaHandlerSecurityGroup1FCBA9852049987DD57E": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"IpProtocol": "tcp",
"Description": "from testwfmIngestionStackathenaHandlerSecurityGroup1FCBA985:2049",
"FromPort": 2049,
"GroupId": {
"Fn::GetAtt": [
"efsVpcAccessGroup1302B656",
"GroupId"
]
},
"SourceSecurityGroupId": {
"Fn::GetAtt": [
"IngestionStackNestedStackIngestionStackNestedStackResource9E86246D",
"Outputs.testwfmIngestionStackathenaHandlerSecurityGroup98F12823GroupId"
]
},
"ToPort": 2049
}
},
"IngestionStackNestedStackIngestionStackNestedStackResource9E86246D": {
"Type": "AWS::CloudFormation::Stack",
"Properties": {
"TemplateURL": {
"Fn::Join": [
"",
[
"https://s3.",
{
"Ref": "AWS::Region"
},
".",
{
"Ref": "AWS::URLSuffix"
},
"/",
{
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"/60e5412e4ade9e638240a08786ab65fc32b6e800457ae9083d0e6717a1d3fd54.json"
]
]
},
"Parameters": {
"referencetotestwfmWfmFileSystemAccessPoint945E440BRef": {
"Ref": "WfmFileSystemAccessPointD78EC1FC"
},
"referencetotestwfmWfmFileSystemF61F523ERef": {
"Ref": "WfmFileSystemC64F6910"
},
"referencetotestwfmEfsVpc536202AARef": {
"Ref": "EfsVpc44B26922"
},
"referencetotestwfmEfsVpcPrivateSubnet1SubnetE760B7B6Ref": {
"Ref": "EfsVpcPrivateSubnet1SubnetEABC52AC"
},
"referencetotestwfmEfsVpcPrivateSubnet2SubnetF51009E2Ref": {
"Ref": "EfsVpcPrivateSubnet2SubnetB4120230"
}
}
},
"DependsOn": [
"efsVpcAccessGroupfromtestwfmIngestionStackathenaHandlerSecurityGroup1FCBA9852049987DD57E",
"WfmFileSystemEfsMountTarget1CEA97701",
"WfmFileSystemEfsMountTarget2284AE797"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete"
}
}
Goal: Configure lambda within a NestedStack to have access to a EFS & VPC defined in parent stack.
Context: Parent stack defines the EFS and VPC combo, due to multiple child NestedStacks needing access to the EFS. Upon passing to child stacks, CDK attempts to synthesize an IngressRule on the VPC even if I've already manually configured a IPv4 wildcard on that port. Unsure on how to proceed, as doing a lookup in the NestedStacks feels like bad practice.
I'm trying to assign a static ip to multiple lambdas so that when a lambda makes a call to a specific service I can whitelist that ip.
I was able to get this working but as far as I can tell, it will randomly start either taking almost exactly 2 minutes to return where before it was 500ms or just start timing out all together.
Below is the cloudformation I used to setup this VPC and in this cloudformation I setup the following:
Public Subnet
Private Subnet
NAT Gateway
Elastic IP
2 Routes (public/private)
Internet Gateway
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "AWS CloudFormation for VPC",
"Parameters": {
"env": {
"Type": "String"
}
},
"Resources": {
"VPCStaticIP": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "11.0.0.0/16",
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
["lambavpc", "-", { "Ref": "env" }]
]
}
}
]
}
},
"SubnetPublic": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": "11.0.0.0/24",
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
[
"lambavpc",
"-",
{ "Ref": "env" },
"-",
"public-subnet"
]
]
}
}
],
"VpcId": {
"Ref": "VPCStaticIP"
}
}
},
"SubnetPrivate": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": "11.0.1.0/24",
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
[
"lambavpc",
"-",
{ "Ref": "env" },
"-",
"private-subnet"
]
]
}
}
],
"VpcId": {
"Ref": "VPCStaticIP"
}
}
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
["lambavpc", "-", { "Ref": "env" }, "-", "igw"]
]
}
}
]
}
},
"VPCGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"InternetGatewayId": {
"Ref": "InternetGateway"
},
"VpcId": {
"Ref": "VPCStaticIP"
}
}
},
"RouteTablePublic": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPCStaticIP"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
[
"lambavpc",
"-",
{ "Ref": "env" },
"-",
"public-route"
]
]
}
}
]
}
},
"RoutePublic": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "InternetGateway"
},
"RouteTableId": {
"Ref": "RouteTablePublic"
}
}
},
"SubnetRouteTableAssociationPublic": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "RouteTablePublic"
},
"SubnetId": {
"Ref": "SubnetPublic"
}
}
},
"EIP": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc",
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
["lambavpc", "-", { "Ref": "env" }, "-", "eip"]
]
}
}
]
}
},
"NatGateway": {
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {
"Fn::GetAtt": ["EIP", "AllocationId"]
},
"SubnetId": {
"Ref": "SubnetPublic"
}
}
},
"RouteTablePrivate": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPCStaticIP"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
[
"lambavpc",
"-",
{ "Ref": "env" },
"-",
"private-route"
]
]
}
}
]
}
},
"RoutePrivate": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": {
"Ref": "NatGateway"
},
"RouteTableId": {
"Ref": "RouteTablePrivate"
}
}
},
"SubnetRouteTableMainAssociationPrivate": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "RouteTablePrivate"
},
"SubnetId": {
"Ref": "SubnetPrivate"
}
}
}
},
"Outputs": {}
}
I've done quite a bit of research and turned up these references:
https://gist.github.com/reggi/dc5f2620b7b4f515e68e46255ac042a7
AWS Lambda: How to set up a NAT gateway for a lambda function with VPC access
but I can't seem to reason what the delta is between what I'm doing and what they are suggesting.
Any suggestions would be greatly appreciated it!
The EIP timeouts probably because you do not have DependsOn attribute on your AWS::EC2::VPCGatewayAttachment. This is required in your case:
If you define an Elastic IP address and associate it with a VPC that is defined in the same template, you must declare a dependency on the VPC-gateway attachment by using the DependsOn Attribute on this resource.
Thus, you could try the following which adds the dependency:
"EIP": {
"Type": "AWS::EC2::EIP",
"DependsOn" : "VPCGatewayAttachment",
"Properties": {
"Domain": "vpc",
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
["lambavpc", "-", { "Ref": "env" }, "-", "eip"]
]
}
}
]
}
}
Also, if possible, I would consider using a private IP range of 10.0.0.0/16 for your VPC and subnets instead of 11.0.0.0/16. The range is recommended to be used by AWS:
When you create a VPC, we recommend that you specify a CIDR block (of /16 or smaller) from the private IPv4 address ranges as specified in RFC 1918:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
You don't show how you are creating the Lambda function, is that created outside of CloudFormation? It sounds like you have the Lambda function configured to use both VPC subnets, and when it runs inside the public subnet it is getting timeouts. You need to configure the Lambda function to only use the private subnet with a route to the NAT Gateway.
I have a CD pipeline built with AWS CDK and CodePipeline. It compiles the code for 5 lambdas, each of which it pushes to a secondary artifact.
The S3 locations of each of the artifacts are assigned to the parameters of a CloudFormation template which are attached to the Code parts of the lambdas.
This is working fine!
My problem is, I cannot add a sixth secondary artifact to CodeBuild (hard limit). I also cannot combine all of my lambda code into a single artifact as (as far as I can see) CodePipeline is not smart enough to look inside an artifact when assigning Code to a lambda in CloudFormation.
What is the recommendation for deploying multiple lambdas from a CodeBuild/CodePipeline? How have other people solved this issue?
EDIT: Code pipeline CF template
note: I have only included 2 lambdas as an example
Lambda application template
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"Lambda1": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Ref": "lambda1SourceBucketNameParameter3EE73025"
},
"S3Key": {
"Ref": "lambda1SourceObjectKeyParameter326E8288"
}
}
}
},
"Lambda2": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": {
"Ref": "lambda2SourceBucketNameParameter3EE73025"
},
"S3Key": {
"Ref": "lambda2SourceObjectKeyParameter326E8288"
}
}
}
}
},
"Parameters": {
"lambda1SourceBucketNameParameter3EE73025": {
"Type": "String"
},
"lambda1SourceObjectKeyParameter326E8288": {
"Type": "String"
},
"lambda2SourceBucketNameParameterA0D2319B": {
"Type": "String"
},
"lambda2SourceObjectKeyParameterF3B3F2C2": {
"Type": "String"
}
}
}
Code Pipeline template:
{
"Resources": {
"Pipeline40CE5EDC": {
"Type": "AWS::CodePipeline::Pipeline",
"Properties": {
"Stages": [
{
"Actions": [
{
"ActionTypeId": {
"Provider": "CodeBuild"
},
"Name": "CDK_Build",
"OutputArtifacts": [
{
"Name": "CdkbuildOutput"
}
],
"RunOrder": 1
},
{
"ActionTypeId": {
"Provider": "CodeBuild"
},
"Name": "Lambda_Build",
"OutputArtifacts": [
{ "Name": "CompiledLambdaCode1" },
{ "Name": "CompiledLambdaCode2" }
],
"RunOrder": 1
}
],
"Name": "Build"
},
{
"Actions": [
{
"ActionTypeId": {
"Provider": "CloudFormation"
},
"Configuration": {
"StackName": "DeployLambdas",
"ParameterOverrides": "{\"lambda2SourceBucketNameParameterA0D2319B\":{\"Fn::GetArtifactAtt\":[\"CompiledLambdaCode1\",\"BucketName\"]},\"lambda2SourceObjectKeyParameterF3B3F2C2\":{\"Fn::GetArtifactAtt\":[\"CompiledLambdaCode1\",\"ObjectKey\"]},\"lambda1SourceBucketNameParameter3EE73025\":{\"Fn::GetArtifactAtt\":[\"CompiledLambdaCode2\",\"BucketName\"]},\"lambda1SourceObjectKeyParameter326E8288\":{\"Fn::GetArtifactAtt\":[\"CompiledLambdaCode2\",\"ObjectKey\"]}}",
"ActionMode": "CREATE_UPDATE",
"TemplatePath": "CdkbuildOutput::CFTemplate.template.json"
},
"InputArtifacts": [
{ "Name": "CompiledLambdaCode1" },
{ "Name": "CompiledLambdaCode2" },
{ "Name": "CdkbuildOutput" }
],
"Name": "Deploy",
"RunOrder": 1
}
],
"Name": "Deploy"
}
],
"ArtifactStore": {
"EncryptionKey": "the key",
"Location": "the bucket",
"Type": "S3"
},
"Name": "Pipeline"
}
}
}
}
Reviewed templates.
So, I don't see five inputs to a CodeBuild action, but I do see 2 inputs to a CloudFormation action (Deploy).
I assume your problem was a perceived limit of 5 input to the CloudFormation action. Is that assumption correct?
The limits for a CloudFormation action are actually 10. See "Action Type Constraints for Artifacts
" # https://docs.aws.amazon.com/codepipeline/latest/userguide/reference-pipeline-structure.html#reference-action-artifacts
So if you can use up to 10, will that suffice?
If not, I have other ideas that would take a lot longer to document.
I'm creating my infrastructure using CloudFormation.
I'm hoping to create the API using "API Gateway Extensions to OpenAPI"
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions.html
Relevant code segment looks like this.
"MorningApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Description": {
"Fn::Sub": "${Stage}-MorningApi"
},
"Name": {
"Fn::Sub": "${Stage}-MorningApi"
},
"EndpointConfiguration": {
"Types": [
"REGIONAL"
]
},
"BodyS3Location": {
"Bucket" : "cf-morning",
"Key" : "nested-templates-stack/MorningApiStatusStackSwagger.json"
}
}
},
"MorningApiloadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Name": {
"Fn::Sub": "${Stage}-MorningApiloadBalancer"
},
"Subnets": [
{
"Ref": "PrivateASubnet"
},
{
"Ref": "PrivateBSubnet"
},
{
"Ref": "PrivateCSubnet"
}
],
"Type": {
"Ref": "ELBType"
},
"Scheme": "internal",
"IpAddressType": {
"Ref": "ELBIpAddressType"
}
}
}
I need to pass "DNSName" of the "MorningApiloadBalancer" to the swagger file located in the S3 location. I cannot find a way to do this.
Any help is appreciated.
I haven't tried using swagger with API gateway before.
Using Fn::Transform
Using the Swagger file stored in S3 using the Fn::Tranform macro, it basically takes the content of the swagger file and tranforms into cloudformation.
{
"APIGateway": {
"Type": "AWS::ApiGateway::RestApi",
"Name": "myapi",
"Properties": {
"Body": {
"Fn::Transform": {
"Name": "AWS::Include",
"Parameters": {
"Location": {
"Fn::Sub": "s3://${AWS::AccountId}-swagger-files/${SwaggerFile}"
}
}
}
}
}
}
}
Reference:
https://medium.com/#nabtechblog/integrating-swagger-with-aws-lambda-and-api-gateway-using-cloud-formation-macro-functions-7432dec50dd
Inline swagger definition
I saw an example where the swagger definition is embedded into the cloudformation template. If you do so, you can use intrinsic functions inside the swagger definition. In your case, you can use Ref to get the dns name of the load balancer.
"GreetingApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Name": "Greeting API",
"Description": "API used for Greeting requests",
"FailOnWarnings": true,
"Body": {
"swagger": "2.0",
"paths": {
"/greeting": {
"get": {
"x-amazon-apigateway-integration": {
"uri": {
"Fn::Join": [
"",
[
"arn:aws:apigateway:",
{
"Ref": "AWS::Region"
},
":lambda:path/2015-03-31/functions/",
{
"Fn::GetAtt": [
"GreetingLambda",
"Arn"
]
},
"/invocations"
]
]
}
}
}
}
}
}
}
}
Reference:
https://blog.jayway.com/2016/09/18/introduction-swagger-cloudformation-api-gateway/
Getting DNS Name
I think you know this already.
"Fn::GetAtt" : [ "MorningApiloadBalancer" , "DNSName" ]
Hope this helps.
I am crafting a monstrosity of a CloudFormation template that uses the AWS::CloudFormation::Stack resource to spawn other nested stacks. The purpose of this is the classic separation of duties and management.
The overall goal is to build an application environment from the ground up (starting with VPC and ending with the application instances).
So far, most of it works. But I've hit a road block with referencing the outputs of the subnet CF template and the securitygroup CF template for use in creating the EC2 instances.
It works like this:
Master template --> Builds VPC --> Calls child template to build subnets --> Calls child template to build security groups --> Calls child template to build EC2 instances
I need to pass the outputs from the subnet and security group templates to the EC2 instance template so the instances can be provisioned into the correct part of the architecture. The VPC ID ref and KeyPairs pass in fine, but the subnetID and securitygroupID do not.
Here's the portion of the master template that calls the security group/subnet templates:
"DevNetworkStack": {
"Type": "AWS::CloudFormation::Stack",
"DependsOn": [
"SNVPC",
"SNIGW"
],
"Properties": {
"TemplateURL": {
"Fn::FindInMap": [
"TemplateURLs",
"DevNetworkStack",
"URL"
]
},
"TimeoutInMinutes": "30",
"Parameters": {
"VPCID": {
"Ref": "SNVPC"
},
"SNIGW": {
"Ref": "SNIGW"
}
}
}
},
"DevSecurityGroupsStack": {
"Type": "AWS::CloudFormation::Stack",
"DependsOn": "DevNetworkStack",
"Properties": {
"TemplateURL": {
"Fn::FindInMap": [
"TemplateURLs",
"DevSecurityGroupsStack",
"URL"
]
},
"TimeoutInMinutes": "30",
"Parameters": {
"VPCID": {
"Ref": "SNVPC"
}
}
}
},
These work fine. They create and everything is fine. The templates offer outputs like so:
"Outputs": {
"DevAdminSubnetID": {
"Description": "DevAdminSubnetID",
"Value": {
"Ref": "DevAdminSubnet"
}
},
...
"Outputs": {
"DevAdminSecurityGroupID": {
"Description": "DevAdminSecurityGroupID",
"Value": {
"Ref": "DevAdminSecurityGroup"
}
},
I can see the outputs in the CF console.
Now, the next template is trying to use the Security Group ID and the Subnet ID. But it's not working.
Master template calls the next child as:
"DevAdminStack": {
"Type": "AWS::CloudFormation::Stack",
"DependsOn": [
"DevNetworkStack",
"DevSecurityGroupsStack",
"EC2DevRoleInstanceProfile",
"S3DevUserDataBucket",
"S3DevHomeDirsDataBucket"
],
"Properties": {
"TemplateURL": {
"Fn::FindInMap": [
"TemplateURLs",
"DevAdminStack",
"URL"
]
},
"TimeoutInMinutes": "30",
"Parameters": {
"AdminKeyPair": {
"Ref": "AdminServersKeyPair"
},
"VPCID": {
"Ref": "SNVPC"
},
"DevAdminSecurityGroupID": [
{
"Fn::GetAtt": [
"DevSecurityGroupsStack",
"Outputs.DevAdminSecurityGroupID"
]
}
],
"DevAdminSubnetID": [
{
"Fn::GetAtt": [
"DevNetworkStack",
"Outputs.DevAdminSubnetID"
]
}
]
}
}
}
...and the child template looks like this (removed some portions for brevity because I'm just testing right now)
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Dev-Admin",
"Mappings": {
"RegionMap": {
"DevAdminServer": {
"AMI": "ami-6fc9770e",
"InstanceType": "t2.micro"
}
}
},
"Parameters": {
"AdminKeyPair": {
"Type": "AWS::EC2::KeyPair::KeyName"
},
"VPCID": {
"Type": "AWS::EC2::VPC::Id"
},
"DevAdminSecurityGroupID": {
"Type": "AWS::EC2::SecurityGroup::Id"
},
"DevAdminSubnetID": {
"Type": "AWS::EC2::Subnet::Id"
}
},
"Resources": {
"DevAdminServer": {
"Type": "AWS::EC2::Instance",
"Metadata": {
"Comment": "Sets up administrative tools for the server",
"AWS::CloudFormation::Init": {
"config": {
"packages": {
"yum": {}
},
"files": {},
"services": {}
}
}
},
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"RegionMap",
"DevAdminServer",
"AMI"
]
},
"SecurityGroupIds": [
{
"Ref": "DevAdminSecurityGroupID"
}
],
"SubnetId": {
"Ref": "DevAdminSubnetID"
},
"InstanceType": {
"Fn::FindInMap": [
"RegionMap",
"DevAdminServer",
"InstanceType"
]
},
"KeyName": {
"Ref": "AdminKeyPair"
},
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "AWS::StackId"
}
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[]
]
}
}
}
}
}
}
But this resource fails on creation with the error:
Value of property Parameters must be an object with String (or simple type) properties
I know it's the last two variables causing the trouble (subnetID and securitygroupID), because I removed them and the provisioning the child template works just fine.
What am I doing wrong?
The values of DevAdminSecurityGroupID and DevAdminSubnetID are defined as JSON arrays [] in your master template, but they should be Strings (after the Fn::GetAtt intrinsic function expansion):
"DevAdminSecurityGroupID":
{
"Fn::GetAtt": [
"DevSecurityGroupsStack",
"Outputs.DevAdminSecurityGroupID"
]
},
"DevAdminSubnetID":
{
"Fn::GetAtt": [
"DevNetworkStack",
"Outputs.DevAdminSubnetID"
]
}