I have a ApiGateway made with Serverless-model-application that I made a integration with GitHub via CodePipeline, everything is running fine, the pipeline reads the webhook, builds the buildpsec.yml and deploys the CloudFormation file, creating the updating the stack.
The thing is after the stack is updated it still needs a approval on the console, how can I make the execute on the stack update be auto-run?

It sounds like your pipeline is doing one of two things, unless I'm misunderstanding you:
Making a change set but not executing it in the cloudformation console.
Proceeding to a manual approval step in the pipeline and awaiting your confirmation.
Since #2 is simply solved by removing that step, let's talk about #1.
Assuming you are successfully creating a change set called ChangeSetName, you need a step in your pipeline with the following (cfn JSON template syntax):
"Name": "StepName",
"ActionTypeId": {"Category": "Deploy",
"Owner": "AWS",
"Provider": "CloudFormation",
"Version": "1"
"Configuration": {
"ChangeSetName": {
"Ref": "ChangeSetName"
Keep the other parameters (e.g. RoleArn) consistent per usual.


Can the cdk.context.json file be auto-generated for a specific CDK environment?

I have inherited a small CDK project that features a cdk.context.json file:
"vpc-provider:account=9015xxxxxxxx:filter.tag:Name=preprod-eu-west-1:region=eu-west-1:returnAsymmetricSubnets=true": {
"vpcId": "vpc-0d891xxxxxxxxxxxx",
"vpcCidrBlock": "",
"availabilityZones": [],
"subnetGroups": [
"name": "Private",
"type": "Private",
"subnets": [
"subnetId": "subnet-0ad04xxxxxxxxxxxx",
"cidr": "172.35.a.0/22",
"availabilityZone": "eu-west-1b",
"routeTableId": "rtb-0fee4xxxxxxxxxxxx"
"subnetId": "subnet-08598xxxxxxxxxxxx",
"cidr": "172.35.z.0/22",
"availabilityZone": "eu-west-1c",
"routeTableId": "rtb-0f477xxxxxxxxxxxx"
"name": "Public",
"type": "Public",
"subnets": [
"subnetId": "subnet-0fba3xxxxxxxxxxxx",
"cidr": "172.35.y.0/22",
"availabilityZone": "eu-west-1b",
"routeTableId": "rtb-02dfbxxxxxxxxxxxx"
"subnetId": "subnet-0a3b8xxxxxxxxxxxx",
"cidr": "172.35.x.0/22",
"availabilityZone": "eu-west-1c",
"routeTableId": "rtb-02dfbxxxxxxxxxxxx"
This works fine for the preprod environment it connects to, but I now need to deploy to production. I could generate the same file by hand, but this feels like a waste of time - I suspect this is a generated file.
I have tried cdk context --build in the hope that it would produce this file, but it seems not - it appears just to echo the preprod one that already exists. What can I do to avoid having to hand-build this (and to avoid all the guessing which VPCs and subnets it wants)?
The file is generated for whatever environment your CDK stacks are being deployed to.
If you want to populate it with values for both your staging environment and production, you should simply run cdk synth after activating your production AWS credentials (using --profile, for example). This will populate the context with new values (in addition to the ones that are already there), and you should commit these changes to VCS.
It is advised to keep the file in your VCS specifically to avoid having it re-populated on each deployment. This makes your CDK app deterministic.
From the best practices:
Commit cdk.context.json to avoid non-deterministic behavior
AWS CDK includes a mechanism called context providers to record a snapshot of non-deterministic values, allowing future synthesis operations produce exactly the same template. The only changes in the new template are the changes you made in your code. When you use a construct's .fromLookup() method, the result of the call is cached in cdk.context.json, which you should commit to version control along with the rest of your code to ensure future executions of your CDK app use the same value.
A better way to organize this would be to make your stacks environment-specific - that is, to instantiate your top-level stack or stage once for each environment you want to deploy to, specifying the env prop. Deploying then becomes cdk deploy MyStaginStack and cdk deploy MyProductionStack. Although this is off-topic for the question.
This file is auto generated per deployment. You should exclude this file from your code repo.

Error publishing ASP.NET Core Web API to AWS Serverless Lambda: 'AWSLambdaFullAccess' at 'policyArn' ... Member must have length greater than

For over a year I have been able to publish a ASP.NET Core Web API application using Visual Studio 2019 by selecting "Publish to AWS Lambda..." without incident (via a right click on the project). Until yesterday. Now it consistently fails to publish and rolls back.
The following two reasons are given as to why it has failed.
1 validation error detected: Value 'AWSLambdaFullAccess' at 'policyArn' failed to satisfy constraint: Member must have length greater than or equal to 20 (Service: AmazonIdentityManagement; Status Code: 400; Error Code: ValidationError; Request ID: ...; Proxy: null)
The following resource(s) failed to create: [AspNetCoreFunctionRole, Bucket]. Rollback requested by user.
I have looked at AWSLambdaFullAccess and AWSLambda_FullAccess and the other things and just have no model to follow or even know what it is referring to in any sense where I can imagine a fruitful path to proceed. What exactly is the "Member" it is referring to? Extensive research has yielded nothing of use.
I want to successfully publish my Web API. What can I look into to proceed?
This may not be the correct or ideal solution, I tried this approach and it worked
Step 1:
Changed the Access from "AWSLambdaFullAccess" to "AWSLambda_FullAccess" in serverless.template
"Resources": {
"AspNetCoreFunction": {
"Type": "AWS::Serverless::Function",
"Properties": {
"Handler": "SampleAPI::SampleAPI.LambdaEntryPoint::FunctionHandlerAsync",
"Runtime": "dotnetcore3.1",
"CodeUri": "",
"MemorySize": 256,
"Timeout": 30,
"Role": null,
"Policies": [
"Environment": {
"Variables": {
"AppS3Bucket": {
Lambda publishing was successful after this step.
Step 2:
Then I faced an issue in accessing the DynamoDb table. I went to IAM role added the DynamoDb Execution role. (Previously I don't remember adding this role explicitly)
According to https://docs.aws.amazon.com/lambda/latest/dg/access-control-identity-based.html the AWSLambdaFullAccess policy has just been deprecated and as a result my stack which I tried to update was stuck in UPDATE_ROLLBACK_FAILED.
To fix this I had to take the following steps:
Manually continue the rollback of the stack from the CloudFormation page and ensuring that I was skipping the role which was referencing AWSLambdaFullAccess.
Change my AWSLambdaFullAccess reference to AWSLambda_FullAccess in the CloudFormation template
Update the stack using my newly updated CloudFormation template
Hope this is able to help someone!

How much of Amazon Connect is scriptable, either through Terraform, Ansible or another approach?

This question concerns AWS Connect, the cloud-based call center. For those people who have been involved in the setup and configuration of AWS Connect, is there any portion of Amazon Connect that is configurable through a continuous integration flow other than any possible Lambda touchpoints. What I am looking for is scripting various functions such as loading exported flows, etc.
Looking at the AWS CLI, I see a number of AWS Connect calls but a majority is getting access to information (https://docs.aws.amazon.com/cli/latest/reference/connect/index.html) but very few that are available to configure portions of AWS Connect.
There is basically nothing at this time. All contact flows must be imported/exported by hand. Other settings (e.g. routing profiles, prompts, etc.) must be re-created manually.
Someone has created a "beta" Connect CloudFormation template though that actually uses puppeteer behind the scenes to automate the import/export process. I imagine that Amazon will eventually support this, because devops is certainly one of the rough edges of the platform right now.
For new people checking this question. Amazon has recently published the APIs you are looking for. create-contact-flow
It uses a JSON-based language specific to Amazon Connect, below is an example:
"Version": "2019-10-30",
"StartAction": "12345678-1234-1234-1234-123456789012",
"Metadata": {
"EntryPointPosition": {"X": 88,"Y": 100},
"ActionMetadata": {
"12345678-1234-1234-1234-123456789012": {
"Position": {"X": 270, "Y": 98}
"abcdef-abcd-abcd-abcd-abcdefghijkl": {
"Position": {"X": 545, "Y": 92}
"Actions": [
"Identifier": "12345678-1234-1234-1234-123456789012",
"Type": "MessageParticipant",
"Transitions": {
"NextAction": "abcdef-abcd-abcd-abcd-abcdefghijkl",
"Errors": [],
"Conditions": []
"Parameters": {
"Prompt": {
"Text": "Thanks for calling the sample flow!",
"TextType": "text",
"PromptId": null
"Identifier": "abcdef-abcd-abcd-abcd-abcdefghijkl",
"Type": "DisconnectParticipant",
"Transitions": {},
"Parameters": {}
Exporting from the GUI does not produce a JSON in this format. Obviously, a problem with this is keeping a state. I am keeping a close eye on Terraform/CloudFormation/CDK and will update this post if there is any support (that does not use puppeteer).
I think it's doable now; with the newest APIs, you can do many things to script the entire process. There are some issues with the contact flows themself, but I think this will improve over the next few months.
In the meantime, there is some effort to add Amazon Connet to Terraform. here are the issues and the WIP PRs
Github Issue
Service PR
Resource PR

Is it possible to update existing Google cloud dataflow pipelines when using template for deployment ?

When deploying google dataflow pipeline as templates, Is it possible to update the pipeline using another version of the template?
Basically, I am looking for a combination https://cloud.google.com/dataflow/pipelines/updating-a-pipeline with https://cloud.google.com/dataflow/docs/templates/overview
The feature of updating an existing job from template API is not ready yet. (We are working on it).
At the time, you can probably make use our public repo (basically the source code for these templates) to do it. Basically, you can just build and launch the job to "update" the running job from a shell.
Now it's possible to update a template streaming Dataflow job.
Using the REST API, set the update parameter to true:
POST https://dataflow.googleapis.com/v1b3/projects/YOUR_PROJECT_ID/locations/LOCATION/templates:launch?gcsPath=gs://YOUR_BUCKET_NAME/templates/TemplateName
"jobName": "JOB_NAME",
"parameters": {
"topic": "projects/YOUR_PROJECT_ID/topics/YOUR_TOPIC_NAME",
"environment": {
"tempLocation": "gs://YOUR_BUCKET_NAME/temp",
"zone": "us-central1-f"
"update": true
The update option is not present using gcloud dataflow jobs run.

Want to server-side encrypt S3 data node file created by ShellCommandActivity

I created a ShellCommandActivity with stage = "true". Shell command creates a new file and store it in ${OUTPUT1_STAGING_DIR}. I want this new file to be server-side encrypted in S3.
According to document all files created in s3 data node are server-side encrypted by default. But after my pipeline completes an un-encrypted file gets created in s3. I tried setting s3EncryptionType as SERVER_SIDE_ENCRYPTION explicitly in S3 datanode but that doesn't help either. I want to encrypt this new file.
Here is relevant part of pipeline:
"id": "DataNodeId_Fdcnk",
"schedule": {
"ref": "DefaultSchedule"
"directoryPath": "s3://my-bucket/test-pipeline",
"name": "s3DataNode",
"s3EncryptionType": "SERVER_SIDE_ENCRYPTION",
"type": "S3DataNode"
"id": "ActivityId_V1NOE",
"schedule": {
"ref": "DefaultSchedule"
"name": "FileGenerate",
"command": "echo 'This is a test' > ${OUTPUT1_STAGING_DIR}/foo.txt",
"workerGroup": "my-worker-group",
"output": {
"ref": "DataNodeId_Fdcnk"
"type": "ShellCommandActivity",
"stage": "true"
Short answer: Your pipeline definition looks correct. You need to ensure you're running the latest version of the Task Runner. I will try to reproduce your issue and let you know.
P.S. Let's keep conversation within a single thread here or in AWS Data Pipeline forums to avoid confusion.
Answer on official AWS Data Pipeline Forum page
This issue is resolved when I downloaded new TaskRunner-1.0.jar. I was running older version.