We Keep Coding

S3 NotificationConfiguration - unable to validate destination configuration

I'm trying to setup an S3 bucket which notifies a Lambda function when a new object is created.
The stack below works fine but I want to added the SourceArn to the Lambda permission, following best practices.
There's some literature on this which suggests the way to do it is via a string rather than Fn::GetAtt/Arn -
https://aws.amazon.com/premiumsupport/knowledge-center/unable-validate-circular-dependency-cloudformation/
But if I uncomment the relevant SourceArn line and redeploy, I get -
Unable to validate the following destination configurations (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: TBZDEVZ1HVD9EN0Q; S3 Extended Request ID: gL3CRz6UayvHup5i5oC4+/RMm0p1oRaRrPVtfZrykeAaJ1BVuhNSKkqxQ8TL5sy749d9PtbMOEQ=; Proxy: null)
Ho hum. Looking at the article again, I see that MyBucket needs to depend on MyBucketFunctionPermission - but if I uncomment that and redeploy I now get -
An error occurred (ValidationError) when calling the CreateChangeSet operation: Circular dependency between resources: [MyBucketFunctionPermission, MyBucket]
This is some fresh circle of hell. Am I missing something from the article or is there some other combination of SourceArn format + DependsOn that would get this to work ?
TIA.
AWSTemplateFormatVersion: '2010-09-09'
Outputs: {}
Parameters: {}
Resources:
MyBucket:
# DependsOn:
# - MyBucketFunctionPermission
Properties:
NotificationConfiguration:
LambdaConfigurations:
- Event: s3:ObjectCreated:*
Function:
Fn::GetAtt:
- MyBucketFunction
- Arn
Type: AWS::S3::Bucket
MyBucketFunction:
Properties:
Code:
ZipFile: "def handler(event, context):\n print (event)"
Handler: index.handler
Role:
Fn::GetAtt:
- MyBucketRole
- Arn
Runtime: "python3.8"
Type: AWS::Lambda::Function
MyBucketFunctionPermission:
Properties:
Action: lambda:InvokeFunction
FunctionName:
Ref: MyBucketFunction
Principal: s3.amazonaws.com
# SourceArn:
# Fn::Sub: arn:aws:s3:::${MyBucket}
Type: AWS::Lambda::Permission
MyBucketRole:
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
Policies:
- PolicyDocument:
Statement:
- Action: logs:*
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName:
Fn::Sub: my-bucket-role-policy-1234567890
Type: AWS::IAM::Role

There is nothing seemingly wrong with your template. It works fine, at least for me. But a race condition is possible between MyBucket and MyBucketFunctionPermission. Thus, protect against this, you have to use DependsOn. But for that to work you have to explicitly set your bucket name. For example:
AWSTemplateFormatVersion: '2010-09-09'
Outputs: {}
Parameters: {}
Resources:
MyBucket:
DependsOn:
- MyBucketFunctionPermission
Properties:
BucketName: !Sub "my-bucket-323323-${AWS::StackName}-${AWS::Region}"
NotificationConfiguration:
LambdaConfigurations:
- Event: s3:ObjectCreated:*
Function:
Fn::GetAtt:
- MyBucketFunction
- Arn
Type: AWS::S3::Bucket
MyBucketFunction:
Properties:
Code:
ZipFile: "def handler(event, context):\n print (event)"
Handler: index.handler
Role:
Fn::GetAtt:
- MyBucketRole
- Arn
Runtime: "python3.8"
Type: AWS::Lambda::Function
MyBucketFunctionPermission:
Properties:
Action: lambda:InvokeFunction
FunctionName:
Ref: MyBucketFunction
Principal: s3.amazonaws.com
SourceArn: !Sub "arn:aws:s3:::my-bucket-323323-${AWS::StackName}-${AWS::Region}"
Type: AWS::Lambda::Permission
MyBucketRole:
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
Policies:
- PolicyDocument:
Statement:
- Action: logs:*
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName:
Fn::Sub: my-bucket-role-policy-1234567890
Type: AWS::IAM::Role

Configure all AWS Managed rules in AWS Config through Cloudformation

I have a requirement to select all the rules in AWS Config while deploying the resources in newly created account through Cloudformation. But I don't know how to select all the AWS Managed rules as in Console through Cloudformation. Any help would be very helpful.
AWSTemplateFormatVersion: 2010-09-09
Description: Enable AWS Config
Parameters:
AllSupported:
Type: String
Default: True
Description: Indicates whether to record all supported resource types.
AllowedValues:
- True
- False
IncludeGlobalResourceTypes:
Type: String
Default: True
Description: Indicates whether AWS Config records all supported global resource types.
AllowedValues:
- True
- False
ResourceTypes:
Type: List<String>
Description: A list of valid AWS resource types to include in this recording group, such as AWS::EC2::Instance or AWS::CloudTrail::Trail.
Default: <All>
DeliveryChannelName:
Type: String
Default: <Generated>
Description: The name of the delivery channel.
Frequency:
Type: String
Default: 24hours
Description: The frequency with which AWS Config delivers configuration snapshots.
AllowedValues:
- 1hour
- 3hours
- 6hours
- 12hours
- 24hours
Conditions:
IsAllSupported: !Equals
- !Ref AllSupported
- True
IsGeneratedDeliveryChannelName: !Equals
- !Ref DeliveryChannelName
- <Generated>
Mappings:
Settings:
FrequencyMap:
1hour : One_Hour
3hours : Three_Hours
6hours : Six_Hours
12hours : Twelve_Hours
24hours : TwentyFour_Hours
Resources:
ConfigBucket:
DeletionPolicy: Retain
UpdateReplacePolicy: Retain
Type: AWS::S3::Bucket
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
ConfigBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref ConfigBucket
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AWSConfigBucketPermissionsCheck
Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action: s3:GetBucketAcl
Resource:
- !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
- Sid: AWSConfigBucketDelivery
Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action: s3:PutObject
Resource:
- !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/AWSLogs/${AWS::AccountId}/*"
- Sid: AWSConfigBucketSecureTransport
Action:
- s3:*
Effect: Deny
Resource:
- !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}"
- !Sub "arn:${AWS::Partition}:s3:::${ConfigBucket}/*"
Principal: "*"
Condition:
Bool:
aws:SecureTransport:
false
ConfigRecorderRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action:
- sts:AssumeRole
Path: /
ManagedPolicyArns:
- !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWS_ConfigRole"
ConfigRecorder:
Type: AWS::Config::ConfigurationRecorder
DependsOn:
- ConfigBucketPolicy
Properties:
RoleARN: !GetAtt ConfigRecorderRole.Arn
RecordingGroup:
AllSupported: !Ref AllSupported
IncludeGlobalResourceTypes: !Ref IncludeGlobalResourceTypes
ResourceTypes: !If
- IsAllSupported
- !Ref AWS::NoValue
- !Ref ResourceTypes
ConfigDeliveryChannel:
Type: AWS::Config::DeliveryChannel
DependsOn:
- ConfigBucketPolicy
Properties:
Name: !If
- IsGeneratedDeliveryChannelName
- !Ref AWS::NoValue
- !Ref DeliveryChannelName
ConfigSnapshotDeliveryProperties:
DeliveryFrequency: !FindInMap
- Settings
- FrequencyMap
- !Ref Frequency
S3BucketName: !Ref ConfigBucket
ConfigRuleForVolumeTags:
DependsOn: ConfigRecorder
Type: AWS::Config::ConfigRule
Properties:
InputParameters:
tag1Key: CostCenter
Scope:
ComplianceResourceTypes:
- "AWS::EC2::Volume"
Source:
Owner: AWS
SourceIdentifier: "REQUIRED_TAGS"
# Like this I need all the AWS Managed rules

You can't do this. There are no loops in cloudformation. But you could create a macro if you want such a functionality.

Getting ValidationError when calling the CreateChangeSet operation: Template error: instance of Fn::GetAtt references undefined resource"

i am trying to deploy below stack using sam template where it supposed to deploy lambda and would add a s3 trigger, but iam getting following error
Getting ValidationError when calling the CreateChangeSet operation: Template error: instance of Fn::GetAtt references undefined resource"
i am not sure whats went wrong here to get such error
yml template
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
Environment:
Type: String
S3:
Type: String
Key:
Type: String
SecretMgr:
Type: String
Resources:
LambdaS3ToKinesis:
Type: AWS::Serverless::Function
Properties:
Handler: lambda_function.lambda_handler
Runtime: python3.7
Timeout: 60
FunctionName: !Sub "my_s3_to_kinesis"
CodeUri: ./test/src
Role: !GetAtt testKinesisRole.Arn
Description: "My lambda"
Environment:
Variables:
KINESIS_STREAM: !Sub "test_post_kinesis"
DDB_TRACKER_TABLE: my_tracker_table
ENVIRONMENT: !Sub "${Environment}"
BUCKET_NAME: !Sub "${S3}"
Events:
FileUpload:
Type: S3
Properties:
Bucket: !Sub "${S3}"
Events: s3:ObjectCreated:*
Filter:
S3Key:
Rules:
- Name: prefix
Value: "${Environment}/test1/INPUT/"
- Name: suffix
Value: ".json"
- Name: prefix
Value: "${Environment}/test2/INPUT/"
- Name: suffix
Value: ".json"
LambdaTest1KinesisToDDB:
Type: AWS::Serverless::Function
Properties:
Handler: lambda_function.lambda_handler
Runtime: python3.7
Timeout: 60
FunctionName: !Sub "${Environment}_test1_to_ddb"
CodeUri: test1_kinesis_to_ddb/src/
Role: !GetAtt testKinesisToDDBRole.Arn
Description: "test post kinesis"
Layers:
- !Ref LambdaLayertest1
Environment:
Variables:
BUCKET_NAME: !Sub "${S3}"
DDB_ACC_PLCY_TABLE:test1
DDB_TRACKER_TABLE: test_tracker
ENVIRONMENT: !Sub "${Environment}"
S3_INVALID_FOLDER_PATH: invalid_payload/
S3_RAW_FOLDER_PATH: raw_payload/
S3_UPLOAD_FLAG: false
Events:
KinesisEvent:
Type: Kinesis
Properties:
Stream: !GetAtt Kinesistest1.Arn
StartingPosition: LATEST
BatchSize: 1
Enabled: true
MaximumRetryAttempts: 0
LambdaLayerTest1KinesisToDDB:
Type: AWS::Serverless::LayerVersion
Properties:
LayerName: !Sub "${Environment}_test1_kinesis_to_ddb_layer"
ContentUri: test1_kinesis_to_ddb/dependencies/
CompatibleRuntimes:
- python3.7
Metadata:
BuildMethod: python3.7
testKinesisRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub "${Environment}_s3_to_kinesis_role"
Description: Role for first lambda
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- s3.amazonaws.com
- lambda.amazonaws.com
Action:
- "sts:AssumeRole"
Policies:
- PolicyName: !Sub "${Environment}_s3_to_kinesis_policy"
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- s3:PutObject
- s3:GetObject
- s3:DeleteObject
Resource:
- !Sub "arn:aws:s3:::${S3}/*"
- !Sub "arn:aws:s3:::${S3}"
- Effect: Allow
Action:
- kinesis:PutRecord
Resource:
- !Sub "arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:mystream1/${Environment}_test1"
- !Sub "arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:mystream2/${Environment}_test2"
- Effect: Allow
Action:
- lambda:*
- cloudwatch:*
Resource: "*"
- Effect: Allow
Action:
- dynamodb:Put*
- dynamodb:Get*
- dynamodb:Update*
- dynamodb:Query
Resource:
- !GetAtt Dynamomytracker.Arn
- Effect: Allow
Action:
- kms:*
Resource:
- !Sub "${Key}"
testKinesisToDDBRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub "${Environment}_test1_to_ddb_role"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- kinesis.amazonaws.com
- lambda.amazonaws.com
Action:
- "sts:AssumeRole"
ManagedPolicyArns:
- "arn:aws:iam::aws:test/service-role/AWSLambdaBasicExecutionRole"
Policies:
- PolicyName: !Sub "${Environment}_test1_kinesis_to_ddb_policy"
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- s3:PutObject
- s3:GetObject
- s3:DeleteObject
Resource:
- !Sub "arn:aws:s3:::${S3}/*"
- !Sub "arn:aws:s3:::${S3}"
- Effect: Allow
Action:
- kinesis:Get*
- kinesis:List*
- kinesis:Describe*
Resource:
- !GetAtt KinesisTest1.Arn
- !GetAtt KinesisTest2.Arn
- Effect: Allow
Action:
- dynamodb:Put*
- dynamodb:Get*
- dynamodb:Describe*
- dynamodb:List*
- dynamodb:Update*
- dynamodb:Query
- dynamodb:DeleteItem
- dynamodb:BatchGetItem
- dynamodb:BatchWriteItem
- dynamodb:Scan
Resource:
- !Sub
- "${Table}*"
- { Table: !GetAtt "Dynamotest.Arn" }
- !Sub
- "${Table}*"
- { Table: !GetAtt "Dynamotest.Arn" }
- Effect: Allow
Action:
- kms:*
Resource:
- !Sub "${Key}"
######################################
# Update for TEst2
######################################
KinesisTest2:
Type: AWS::Kinesis::Stream
Properties:
Name: !Sub ${Environment}_test2_kinesis
StreamEncryption:
EncryptionType: KMS
KeyId: !Sub "${Key}"
RetentionPeriodHours: 24
ShardCount: 1
LambdaLayerTest2KinesisToDDB:
Type: AWS::Serverless::LayerVersion
Properties:
LayerName: !Sub "${Environment}_test2_kinesis_to_ddb_layer"
ContentUri: test2_kinesis_to_ddb/dependencies/
CompatibleRuntimes:
- python3.7
Metadata:
BuildMethod: python3.7
LambdaTest2KinesisToDDB:
Type: AWS::Serverless::Function
Properties:
Handler: lambda_function.lambda_handler
Runtime: python3.7
Timeout: 60
FunctionName: !Sub "${Environment}_Test2_kinesis_to_ddb"
CodeUri: Test2_kinesis_to_ddb/src/
Role: !GetAtt testKinesisToDDBRole.Arn
Description: "Test2"
Layers:
- !Ref LambdaLayerTest2KinesisToDDB
Environment:
Variables:
BUCKET_NAME: !Sub "${S3}"
DDB_ACC_PLCY_TABLE: my_table2
DDB_TRACKER_TABLE: my_log
ENVIRONMENT: !Sub "${Environment}"
S3_INVALID_FOLDER_PATH: invalid_payload/
S3_RAW_FOLDER_PATH: raw_payload/
S3_UPLOAD_FLAG: false
Events:
KinesisEvent:
Type: Kinesis
Properties:
Stream: !GetAtt KinesisTest2.Arn
StartingPosition: LATEST
BatchSize: 1
Enabled: true
MaximumRetryAttempts: 0
can anybody help me how can resolve this? i am not sure what exactly missed in the template and how to resolve this error

You are using AWS Serverless Application Model and your template does not conform to its format. For example, its missing required Transform statement:
Transform: AWS::Serverless-2016-10-31
There could be many other things wrong, as your template is nor CloudFormation nor Serverless at this point.

Add event on S3 using CloudFormation - 'bucket already exists' error

I am trying to create a lambda function with a S3 trigger. While executing the templates, I am getting S3 bucket already exist error. There is no any buckets with the same name in my S3 and even in this code I am creating bucket only once but somehow it seems it is creating buckets twice.
Below are the my cloudformation templates.
'''python
AWSTemplateFormatVersion : 2010-09-09
Parameters:
BucketName:
Type: String
Resources:
Bucket:
Type: AWS::S3::Bucket
DependsOn:
- ProcessingLambdaPermission
Properties:
BucketName: !Ref BucketName
NotificationConfiguration:
LambdaConfigurations:
- Event: s3:PutObject:*
Function: !GetAtt ProcessingLambdaFunction.Arn
Filter:
S3Key:
Rules:
- Name: suffix
Value: .txt
ProcessingLambdaPermission:
Type: AWS::Lambda::Permission
Properties:
Action: 'lambda:InvokeFunction'
FunctionName: !Ref ProcessingLambdaFunction
Principal: s3.amazonaws.com
SourceArn: 'arn:aws:s3:::hope'
SourceAccount: !Ref AWS::AccountId
ProcessingLambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Policies:
- PolicyName: allowLogging
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:*
Resource: arn:aws:logs:*:*:*
- PolicyName: getAndDeleteObjects
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:DeleteObject
Resource: !Sub 'arn:aws:s3:::${BucketName}/*'
ProcessingLambdaFunction:
Type: AWS::Lambda::Function
Properties:
Code:
ZipFile: !Sub |
import json
import boto3
s3 = boto3.client("s3")
def lambda_handler(event,context):
print("hello")
Handler: index.handler
Role: !GetAtt ProcessingLambdaExecutionRole.Arn
Runtime: python2.7
MemorySize: 512
Timeout: 120
'''

How to add S3 trigger for existing bucket to lambda function in cloudformation

I'm trying to create a template.yml for a lambda function pipeline, this is my template:
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Parameters:
ImageUri:
Type: String
LambdaName:
Type: String
RoleName:
Type: String
BucketName:
Type: String
Resources:
S3Bucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
Properties:
BucketName: !Ref BucketName
AllowS3ToCallLambdaPermission:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: !Ref LambdaFunction
Principal: s3.amazonaws.com
SourceArn: !GetAtt S3Bucket.Arn
LambdaRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Ref RoleName
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Version: 2012-10-17
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonS3FullAccess
LambdaFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Ref LambdaName
PackageType: Image
MemorySize: 256
Timeout: 5
ImageUri: !Ref ImageUri
Events:
S3Bucket:
Type: S3
Properties:
Bucket: !Ref S3Bucket
Events: 's3:ObjectCreated:*'
Role:
Fn::GetAtt:
- LambdaRole
- Arn
This template contains an S3 event, with the template above it tries to create a new bucket. Is there a way to specify an existing bucket for the trigger?
No matter how much I tried to make LambdaFunction resource to use an existing S3 bucket, I failed.