Creating SQL RDS instance in CloudFormation - amazon-web-services

I can't find any examples on creating a SQL Server RDS instance in CloudFormation, so I took an educated guess using an example for MySQL. Here's what I came up with:
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Resources" : {
    "DBInstance" : {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceIdentifier" : "test-db",
        "Engine" : "sqlserver-ex",
        "Port" : "1433",
        "DBInstanceClass" : "db.t1.micro",
        "AllocatedStorage" : "30",
        "MasterUsername" : "sa",
        "MasterUserPassword" : "password"
      }
    }
  }
}
Unfortunately this doesn't work (CREATE_FAILED). Can anyone tell me why?

In addition to Peter H's response... DBInstanceIdentifier is not a supported property. I would consult the CloudFormation docs for which properties are and are not supported, as well as the required properties.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html
Also... CloudFormation will tell you the reason it fails in the "Events" tab. One thing CloudFormation is really good at is telling you exactly why it failed.

You are missing EngineVersion: "EngineVersion" : "11.00.2100.60.v1"
Also, you'll need DBSecurityGroups to be added.

Related

CloudFormation template - Using existing IAM role in for Lambda functions

I'm trying to use an existing role (present in the AWS account) in a CloudFormation template to set up a Lambda function; I plan to use this across multiple AWS accounts.
In the CF template, I'm using Parameters to set the name of the Role and then using Ref in the Role property for the Lambda function. This is what my template looks like:
"Parameters" : {
  "ExistingRoleName" : {
    "Type" : "String",
    "Default" : "MyCustomRole"
  }
},
"Resources" : {
  "CustomLambdaFunction" : {
    "Type" : "AWS::Lambda::Function",
    "Properties" : {
      "MemorySize" : "128",
      "Role" : { "Ref" : "ExistingRoleName" }
    }
  },
  ...
However, the CF template fails with the following error:
Properties validation failed for resource CustomLambdaFunction with message: #/Role: failed validation constraint for keyword [pattern]
Is this because the Lambda resource in CloudFormation needs the role ARN instead of the role name, as I have seen in this doc: aws-resource-lambda-function?
Based on that I updated the CF like so:
"Resources" : {
  "CustomLambdaFunction" : {
    "Type" : "AWS::Lambda::Function",
    "Properties" : {
      "MemorySize" : "128",
      "Role" : "arn:aws:iam::AccountID:role/MyCustomRole"
    }
  },
However, I still see the same error:
Properties validation failed for resource CustomLambdaFunction with message: #/Role: failed validation constraint for keyword [pattern]
I was wondering if I'm missing something here?
The Ref of an IAM Role “returns the resource name”, not its ARN. But you can use GetAtt on the Arn attribute of the role instead.
In JSON:
{"Fn::GetAtt": ["MyRole", "Arn"]}
In YAML:
!GetAtt MyRole.Arn
Format to reference the iam role arn
"Role" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/MyCustomRole" }
In YAML, if you are pointing to an already existing role, the syntax is:
function:
  ...
  role: !Sub arn:aws:iam::${AWS::AccountId}:role/MyRoleName
Somehow I had forgotten the !Sub at the beginning.
This is what worked for me,
"Role": { "Fn::Join" : [ "", [ "arn:aws:iam::", { "Ref" : "AWS::AccountId" }, ":role/MyCustomRole" ] ] }
I was getting the same problem with the syntax below:
"Resources" : {
  "CustomLambdaFunction" : {
    "Type" : "AWS::Lambda::Function",
    "Properties" : {
      "Role" : "arn:aws:iam::<account-id>:role/MyCustomRole"
    }
  },
I solved it like this:
The issue was that when inserting my AWS account ID in place of "account-id", I was keeping it in the same format as is given on the AWS console, i.e. xxxx-xxxx-xxxx. However, the "account-id" field expects the "\d{12}" format, i.e. 12 digits only. Removing the '-' between the digits solved the problem for me.
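Putting the answers above together, here is an added example (my own code, not from the thread) that checks a Lambda "Role" value the way CloudFormation's pattern check will: a literal ARN must carry a 12-digit account id, the console's dashed form is rejected, a bare Ref is rejected because it resolves to a name rather than an ARN, and the Fn::Sub / Fn::Join forms are rendered before being tested. The exact character classes in the pattern, the sample account id 123456789012 and the "placeholder" stand-in for other intrinsics are assumptions.

```python
import re

# Pattern CloudFormation enforces on the Lambda "Role" property. The shape
# (arn:<partition>:iam::<12 digits>:role/<name>) is what the thread's error is
# about; the exact character classes are an assumption from memory of the
# resource specification, so tighten them if your validator disagrees.
LAMBDA_ROLE_ARN = re.compile(
    r"^arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+$"
)
CONSOLE_ACCOUNT_ID = re.compile(r"\d{4}-\d{4}-\d{4}")
SAMPLE_ACCOUNT = "123456789012"  # constructed stand-in for ${AWS::AccountId}


def normalize_account_id(raw: str) -> str:
    """Turn the console display form '1234-5678-9012' into the 12 bare digits."""
    digits = raw.strip().replace("-", "")
    if not re.fullmatch(r"\d{12}", digits):
        raise ValueError(f"not a 12-digit AWS account id: {raw!r}")
    return digits


def role_arn(account_id: str, role_name: str, partition: str = "aws") -> str:
    """Build a literal role ARN that passes the pattern check."""
    arn = f"arn:{partition}:iam::{normalize_account_id(account_id)}:role/{role_name}"
    if not LAMBDA_ROLE_ARN.match(arn):
        raise ValueError(f"would fail CloudFormation's Role pattern: {arn}")
    return arn


def _render(part):
    """Resolve the few intrinsics the thread uses into a representative string."""
    if isinstance(part, str):
        return part
    if part == {"Ref": "AWS::AccountId"}:
        return SAMPLE_ACCOUNT
    if part == {"Ref": "AWS::Partition"}:
        return "aws"
    return "placeholder"  # any other Ref/GetAtt: assume it yields a plain name


def lint_role(value):
    """Classify a Lambda Role value the way CloudFormation's validator will.

    Returns (ok, reason). A Ref is reported as wrong: for an AWS::IAM::Role it
    yields the role name, and for a parameter only whatever the caller passed.
    """
    if isinstance(value, str):
        if LAMBDA_ROLE_ARN.match(value):
            return True, "literal ARN"
        if CONSOLE_ACCOUNT_ID.search(value):
            return False, ("account id contains console-style dashes; "
                           "CloudFormation expects 12 bare digits")
        return False, "literal does not match the Role ARN pattern"
    if "Ref" in value:
        target = value["Ref"]
        return False, (f"Ref {target} yields a name, not an ARN; use "
                       f'{{"Fn::GetAtt": ["{target}", "Arn"]}} or build the ARN with Fn::Sub')
    if "Fn::GetAtt" in value:
        logical, attr = value["Fn::GetAtt"]
        return attr == "Arn", f"Fn::GetAtt {logical}.{attr}"
    if "Fn::Sub" in value:
        template = value["Fn::Sub"]
        template = template if isinstance(template, str) else template[0]
        rendered = (template.replace("${AWS::AccountId}", SAMPLE_ACCOUNT)
                            .replace("${AWS::Partition}", "aws"))
        rendered = re.sub(r"\$\{[^}]+\}", "placeholder", rendered)
        return bool(LAMBDA_ROLE_ARN.match(rendered)), f"Fn::Sub renders to {rendered}"
    if "Fn::Join" in value:
        separator, parts = value["Fn::Join"]
        rendered = separator.join(_render(p) for p in parts)
        return bool(LAMBDA_ROLE_ARN.match(rendered)), f"Fn::Join renders to {rendered}"
    return False, "unrecognised Role value"


if __name__ == "__main__":
    for candidate in (
        "arn:aws:iam::1234-5678-9012:role/MyCustomRole",
        {"Ref": "ExistingRoleName"},
        {"Fn::GetAtt": ["MyRole", "Arn"]},
        {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/MyCustomRole"},
        {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":role/MyCustomRole"]]},
    ):
        print(lint_role(candidate))
```

For a template reused across accounts, the Fn::Sub form is the one to keep: it never embeds an account id, so the dashed-id mistake cannot happen, and a role created in the same stack is best referenced with Fn::GetAtt on Arn.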

Pass email address list to SNS subscription endpoint

Is it possible to pass a list of email addresses as the endpoint for an SNS subscription?
I've got something like this:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources" : {
    "EmailSNSTopic": {
      "Type" : "AWS::SNS::Topic",
      "Properties" : {
        "DisplayName" : "${display_name}"
      }
    },
    "MySubscription": {
      "Type": "AWS::SNS::Subscription",
      "Properties": {
        "TopicArn" : { "Ref" : "EmailSNSTopic" },
        "Endpoint" : "foo@foo.com",
        "Protocol" : "email"
      }
    }
  },
  "Outputs" : {
    "ARN" : {
      "Description" : "Email SNS Topic ARN",
      "Value" : { "Ref" : "EmailSNSTopic" }
    }
  }
}
But what I'd like to do is pass a number of email addresses instead of just one.
As per the documentation, Endpoint should be a string.
CloudFormation doesn't allow you to pass a list.
You don't want to have a custom resource either.
There is one more way: Running bash commands in AWS CloudFormation templates
You just run an awscli command like below:
Resources:
  Command:
    Type: 'AWSUtility::CloudFormation::CommandRunner'
    Properties:
      Command: aws s3 ls > /command-output.txt
      Role: String
      LogGroup: String # Optional
      SubnetId: String # Optional
      SecurityGroupId: String # Optional
      KeyId: String # Optional
I don't think it is possible using native syntax.
You might want to try an AWS CloudFormation custom resource and pass the list to a Lambda for execution one by one.
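Because Endpoint is a single string, the way to get several recipients without a custom resource or a command runner is to generate one AWS::SNS::Subscription per address before the template is deployed. The following is an added example (my own code, not from the thread) that emits the question's template with that fan-out applied; the recipient list is constructed, and deriving logical ids from a hash of the address is my choice so that adding or removing one recipient does not disturb the others. Each recipient still has to confirm the subscription e-mail before SNS delivers to them.

```python
import hashlib
import json
import re

# Loose address check, constructed for this example; SNS does its own
# validation and the recipient must still confirm the subscription.
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def logical_id(prefix: str, address: str) -> str:
    """Logical ids must be alphanumeric; derive a stable one from the address
    so that adding or removing one recipient does not renumber the rest."""
    digest = hashlib.sha256(address.encode()).hexdigest()[:12]
    return f"{prefix}{digest}"


def email_subscriptions(topic_logical_id: str, addresses) -> dict:
    """One AWS::SNS::Subscription per unique (case-folded) address."""
    resources = {}
    seen = set()
    for raw in addresses:
        address = raw.strip()
        if not EMAIL.match(address):
            raise ValueError(f"not an e-mail address: {raw!r}")
        key = address.lower()
        if key in seen:          # same mailbox twice would create two subscriptions
            continue
        seen.add(key)
        resources[logical_id("EmailSubscription", key)] = {
            "Type": "AWS::SNS::Subscription",
            "Properties": {
                "TopicArn": {"Ref": topic_logical_id},
                "Protocol": "email",
                "Endpoint": address,
            },
        }
    return resources


def render_template(display_name: str, addresses) -> dict:
    """Full template in the shape of the question, with the fan-out applied."""
    topic = "EmailSNSTopic"
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            topic: {
                "Type": "AWS::SNS::Topic",
                "Properties": {"DisplayName": display_name},
            }
        },
        "Outputs": {
            "ARN": {"Description": "Email SNS Topic ARN", "Value": {"Ref": topic}}
        },
    }
    template["Resources"].update(email_subscriptions(topic, addresses))
    return template


if __name__ == "__main__":
    # Constructed recipient list; the second entry differs only in case.
    recipients = ["ops@example.com", "Ops@example.com", "oncall@example.com"]
    print(json.dumps(render_template("alerts", recipients), indent=2))
```

Run it as a build step and feed the printed JSON to `aws cloudformation deploy`; the generated resources are ordinary subscriptions, so removing an address from the list deletes just that one subscription on the next update.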

AWS CLI encrypt the data?

I'm using AWS CloudFormation, and I could not find any information about this in the documentation. When I use CloudFormation with the AWS CLI, is the information sent to AWS encrypted?
Regards.
The information is sent over HTTPS, so the communication between your client and AWS servers is secure. On the other hand, if you are providing sensitive information with parameters, you can enable the NoEcho parameter to prevent them from being displayed in the AWS Console. The NoEcho property is set to true to prevent describe stack calls, such as the aws cloudformation describe-stacks AWS CLI command, from returning the parameter value:
"Parameters" : {
  "DBPort" : {
    "Default" : "3306",
    "Description" : "TCP/IP port for the database",
    "Type" : "Number",
    "MinValue" : "1150",
    "MaxValue" : "65535"
  },
  "DBPwd" : {
    "NoEcho" : "true",
    "Description" : "The database admin account password",
    "Type" : "String",
    "MinLength" : "1",
    "MaxLength" : "41",
    "AllowedPattern" : "[a-zA-Z0-9]*"
  }
}
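NoEcho only masks what describe-stacks returns. It does nothing for a secret that is written into the template body itself, whether as a NoEcho parameter's Default or as a literal resource property like the "MasterUserPassword" : "password" in the first question on this page, and it does not hide a value once it lands somewhere else that is readable (EC2 UserData, for instance, is visible through instance metadata). Below is an added example (my own code, not from the answer) of a small template linter for those three mistakes; the secret-name heuristic and the sample template are constructed for the example.

```python
import re

# Names that usually carry credentials; constructed heuristic for this example.
SECRET_HINT = re.compile(
    r"(pass(word|wd|phrase)?|pwd|secret|token|api[-_]?key|private[-_]?key|credential)",
    re.IGNORECASE,
)


def _is_true(value) -> bool:
    return str(value).lower() == "true"   # NoEcho is written "true" or true


def _leaves(node, path=()):
    """Yield (path, scalar) for every scalar in a nested dict/list."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _leaves(child, path + (key,))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from _leaves(child, path + (str(index),))
    else:
        yield path, node


def lint_secrets(template: dict) -> list:
    """Return (location, problem) pairs for secret-handling mistakes."""
    findings = []
    for name, param in template.get("Parameters", {}).items():
        looks_secret = bool(SECRET_HINT.search(name) or
                            SECRET_HINT.search(param.get("Description", "")))
        no_echo = _is_true(param.get("NoEcho", "false"))
        if looks_secret and not no_echo:
            findings.append((name, "secret-looking parameter without NoEcho; "
                                   "describe-stacks will return its value"))
        if no_echo and "Default" in param:
            findings.append((name, "NoEcho parameter carries a Default, so the "
                                   "secret lives in the template body itself"))
    for logical, resource in template.get("Resources", {}).items():
        for path, value in _leaves(resource.get("Properties", {})):
            key = path[-1] if path else ""
            # A {"Ref": "DBPwd"} leaf has key "Ref", so references are not flagged;
            # {{resolve:...}} dynamic references fetch the secret at deploy time.
            if (SECRET_HINT.search(key) and isinstance(value, str)
                    and not value.startswith("{{resolve:")):
                findings.append((f"{logical}.{'.'.join(path)}",
                                 "literal secret in a resource property; pass it "
                                 "through a NoEcho parameter or a {{resolve:...}} "
                                 "dynamic reference"))
    return findings


# Constructed sample: the answer's parameters plus two database resources.
SAMPLE_TEMPLATE = {
    "Parameters": {
        "DBPort": {"Default": "3306", "Description": "TCP/IP port for the database",
                   "Type": "Number", "MinValue": "1150", "MaxValue": "65535"},
        "DBPwd": {"NoEcho": "true", "Description": "The database admin account password",
                  "Type": "String", "MinLength": "1", "MaxLength": "41",
                  "AllowedPattern": "[a-zA-Z0-9]*", "Default": "hunter2"},
        "AdminPassword": {"Type": "String"},
    },
    "Resources": {
        "DBInstance": {"Type": "AWS::RDS::DBInstance",
                       "Properties": {"MasterUsername": "sa",
                                      "MasterUserPassword": "password"}},
        "SafeDB": {"Type": "AWS::RDS::DBInstance",
                   "Properties": {"MasterUsername": "sa",
                                  "MasterUserPassword": {"Ref": "DBPwd"}}},
    },
}

if __name__ == "__main__":
    for location, problem in lint_secrets(SAMPLE_TEMPLATE):
        print(f"{location}: {problem}")
```

On the sample it reports DBPwd (NoEcho with a Default), AdminPassword (no NoEcho) and DBInstance.MasterUserPassword (literal), and stays quiet for SafeDB, which takes its password through the NoEcho parameter.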

Error creating AWS CloudFormation stack : Cannot restore this instance based in Windows OS

I am using the following CloudFormation JSON to create a new SQL Server RDS instance with more storage from an existing snapshot. The JSON is valid and I am able to initiate the stack creation. It's failing with the error
"Cannot restore this instance based in Windows OS because the request has a different storage type than the backup". What does this mean? Am I missing anything?
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Resources" : {
    "DBInstance" : {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceClass" : "db.m2.xlarge",
        "AllocatedStorage" : "400",
        "MasterUsername" : "myusername",
        "MasterUserPassword" : "mypassword",
        "DBSnapshotIdentifier":"xxxxxxxx-2016-07-13-17-00"
      }
    }
  }
}
Missed Iops. This is working now:
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Resources" : {
    "MyDB" : {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceClass" : "db.t2.medium",
        "AllocatedStorage" : "400",
        "MasterUsername" : "xxxxxxxxxxxx",
        "MasterUserPassword" : "xxxxxxxxxxxx",
        "DBSnapshotIdentifier" : "xxxxxxxxxxxx-2016-07-13-1700",
        "Iops":"2000",
        "StorageType":"io1"
      }
    }
  }
}
(A year later, in case of future googlers)
Had the same issue, however I missed "StorageType" (I see OP also missed it and probably added it at the same time as Iops). "StorageType" defaults to "standard" (i.e. magnetic) when using CloudFormation, however defaults to "gp2" (SSD) when using the console. Therefore a backup created from a console created DB is likely to be using SSD, but the instance generated in CF is using Magnetic, unless "StorageType" is declared as "gp2".
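The failure mode both answers describe is a defaults mismatch: the template never says what storage the snapshot has, and CloudFormation fills in "standard" where the console would have filled in "gp2". The following is an added example (my own code, not from the thread) that takes a snapshot record in the shape `aws rds describe-db-snapshots` returns and explains why a given set of AWS::RDS::DBInstance properties would fail the restore, then builds properties that copy the snapshot's storage settings over explicitly. The snapshot record is constructed; only its field names are the real API's. Note also that a restore from a snapshot keeps the snapshot's master credentials (the underlying RestoreDBInstanceFromDBSnapshot call takes no master password), so the MasterUserPassword in the templates above does not set the restored instance's password.

```python
# Defaults that differ, as the answer above describes: CloudFormation assumes
# "standard" (magnetic) when StorageType is omitted, the console assumes gp2.
CFN_DEFAULT_STORAGE_TYPE = "standard"

# Constructed record in the shape `aws rds describe-db-snapshots` returns for
# a console-created SQL Server instance (field names are the real API's).
SAMPLE_SNAPSHOT = {
    "DBSnapshotIdentifier": "example-2016-07-13-17-00",
    "Engine": "sqlserver-se",
    "StorageType": "gp2",
    "AllocatedStorage": 200,
    "Iops": None,
}


def restore_issues(snapshot: dict, properties: dict) -> list:
    """Explain why an AWS::RDS::DBInstance restore from `snapshot` would fail.

    `properties` are the template's Properties; StorageType defaults the way
    CloudFormation does, which is exactly what surprised the original poster.
    """
    issues = []
    requested = properties.get("StorageType", CFN_DEFAULT_STORAGE_TYPE)
    actual = snapshot["StorageType"]
    if requested != actual:
        how = "defaulted to" if "StorageType" not in properties else "set to"
        issues.append(f"StorageType {how} {requested!r} but the snapshot is "
                      f"{actual!r}; SQL Server restores require a match")
    if requested == "io1" and "Iops" not in properties:
        issues.append("StorageType io1 requires Iops")
    if requested in ("standard", "gp2") and "Iops" in properties:
        issues.append(f"Iops cannot be combined with StorageType {requested!r}")
    allocated = int(properties.get("AllocatedStorage", snapshot["AllocatedStorage"]))
    if allocated < snapshot["AllocatedStorage"]:
        issues.append(f"AllocatedStorage {allocated} is below the snapshot's "
                      f"{snapshot['AllocatedStorage']} GiB")
    return issues


def restore_properties(snapshot: dict, **overrides) -> dict:
    """Properties for a restore that carries the snapshot's storage settings
    over explicitly; pass e.g. AllocatedStorage=400 to grow the volume."""
    props = {
        "DBSnapshotIdentifier": snapshot["DBSnapshotIdentifier"],
        "StorageType": snapshot["StorageType"],
        "AllocatedStorage": str(snapshot["AllocatedStorage"]),
    }
    if snapshot.get("Iops"):
        props["Iops"] = str(snapshot["Iops"])
    props.update({key: str(value) for key, value in overrides.items()})
    return props


if __name__ == "__main__":
    # The original template: bigger AllocatedStorage, no StorageType.
    print(restore_issues(SAMPLE_SNAPSHOT, {"AllocatedStorage": "400"}))
    # Same intent with the snapshot's storage type carried over: no issues.
    grown = restore_properties(SAMPLE_SNAPSHOT, AllocatedStorage=400)
    print(grown, restore_issues(SAMPLE_SNAPSHOT, grown))
```

In a pipeline, fetch the real record with `aws rds describe-db-snapshots --db-snapshot-identifier <id>` and run the check before `create-stack`; it turns the opaque restore error into a message that names the property to fix.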

Publish S3 Bucket Notification to SQS

I am trying to set up my S3 to notify my SQS Queue for a "PUT" Object Creation Event.
I am able to achieve this using CLI by:
aws --profile QA s3api put-bucket-notification --bucket <BUCKET_NAME> --notification-configuration '{ "QueueConfiguration": { "Id": "<EVENT ID>", "Event": "s3:ObjectCreated:Put", "Queue": "<QUEUE ARN>" } }'
I'm also able to do the same using Java:
NotificationConfiguration notificationConfiguration = new QueueConfiguration(queueArn, EnumSet.of(S3Event.ObjectCreatedByPut));
BucketNotificationConfiguration bucketNotificationConfiguration = new BucketNotificationConfiguration("DropShipInboundQueueDelivery", notificationConfiguration);
client.setBucketNotificationConfiguration(bucketName, bucketNotificationConfiguration);
However, when I tried to do something similar using a CloudFormation template, I could not find any way to trigger a notification to SQS. The only option I see that works and is documented is to trigger a notification to SNS.
I have referred to the CloudFormation documentation:
I looked at the AWS::S3::Bucket docs to look at the outer syntax. I saw NotificationConfiguration, which I need to set.
However, the Notification Configuration can only contain a list of TopicConfigurations, which was the old constructor in the JDK before QueueConfiguration was supported.
I tried doing something like this:
"NotificationConfiguration" : {
  "QueueConfiguration": {
    "Id": "DropshipInboundEventNotification",
    "Event": "s3:ObjectCreated:Put",
    "Queue": "arn:aws:sqs:*:*:Dropship-Inbound-qa"
  }
},
But this as expected threw an error: "Encountered unsupported property QueueConfiguration" from amazon.
Looked at this API documentation
I would like to know if someone has been able to do this using CloudFormation templates, as that's how I am maintaining all the other AWS resources and I do not want to do anything special for this particular feature.
Any help is appreciated.
There is no need for "Id" in a CloudFormation template (you can check the QueueConfiguration doc), and your second mistake is that it is not "QueueConfiguration", it's "QueueConfigurations". Because of that you get the error that says "Encountered unsupported property QueueConfiguration".
It must be something like this:
"S3Bucket" : {
  "Type" : "AWS::S3::Bucket",
  "Properties" : {
    "AccessControl" : String,
    "BucketName" : String,
    "CorsConfiguration" : CORS Configuration,
    "LifecycleConfiguration" : Lifecycle Configuration,
    "LoggingConfiguration" : Logging Configuration,
    "NotificationConfiguration" : {
      "QueueConfigurations" : [ {
        "Event" : "s3:ObjectCreated:Put",
        "Queue" : "arn:YOURQUEUEARN"
      } ]
    },
    "Tags" : [ Resource Tag, ... ],
    "VersioningConfiguration" : Versioning Configuration,
    "WebsiteConfiguration" : Website Configuration Type
  }
}
While you are reading CloudFormation template documents, you must be careful about the "Required:" sections. If a property is not required, you don't need to fill it in; just remove that line from your template if you don't use it (like S3 Tags).
Other Docs about it:
S3BucketDocs
NotificationConfigurationDocs
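Fixing the property name is necessary but not sufficient: S3 validates the destination when the notification is attached, and the SQS queue must already carry a policy that lets the S3 service principal call sqs:SendMessage on it, or the bucket create fails. The policy should also be scoped to the one bucket (aws:SourceArn) and the owning account (aws:SourceAccount); without those conditions any bucket anywhere could push events into the queue. Below is an added example (my own code, not from the answer) that builds the bucket, queue and queue policy in one template and lints a template for the two mistakes in the question plus a missing policy. Fixing the bucket name up front is how it avoids the circular reference between the bucket and the policy; the bucket and queue names and the matching heuristic in notification_issues are my assumptions.

```python
import json


def queue_arn(queue_logical_id: str) -> dict:
    return {"Fn::GetAtt": [queue_logical_id, "Arn"]}


def s3_to_sqs_template(bucket_name: str, queue_name: str,
                       events=("s3:ObjectCreated:Put",)) -> dict:
    """Bucket, queue and the queue policy S3 needs before the notification can
    be attached. The bucket name is fixed up front so the policy can scope
    aws:SourceArn to it without a circular dependency on the bucket resource."""
    bucket_arn = {"Fn::Sub": f"arn:${{AWS::Partition}}:s3:::{bucket_name}"}
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "Queue": {"Type": "AWS::SQS::Queue",
                      "Properties": {"QueueName": queue_name}},
            "QueuePolicy": {
                "Type": "AWS::SQS::QueuePolicy",
                "Properties": {
                    "Queues": [{"Ref": "Queue"}],
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Sid": "AllowThisBucketOnly",
                            "Effect": "Allow",
                            "Principal": {"Service": "s3.amazonaws.com"},
                            "Action": "sqs:SendMessage",
                            "Resource": queue_arn("Queue"),
                            # Both conditions: otherwise any bucket in any
                            # account could push events into this queue.
                            "Condition": {
                                "ArnLike": {"aws:SourceArn": bucket_arn},
                                "StringEquals": {
                                    "aws:SourceAccount": {"Ref": "AWS::AccountId"}},
                            },
                        }],
                    },
                },
            },
            "Bucket": {
                "Type": "AWS::S3::Bucket",
                "DependsOn": "QueuePolicy",   # S3 validates the destination on create
                "Properties": {
                    "BucketName": bucket_name,
                    "NotificationConfiguration": {
                        "QueueConfigurations": [   # plural, and no "Id" key
                            {"Event": event, "Queue": queue_arn("Queue")}
                            for event in events
                        ],
                    },
                },
            },
        },
    }


def _allows_s3_send(statement: dict) -> bool:
    principal = statement.get("Principal")
    service = principal.get("Service") if isinstance(principal, dict) else principal
    actions = statement.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    return (statement.get("Effect") == "Allow"
            and service in ("s3.amazonaws.com", "*")
            and any(a.lower() in ("sqs:sendmessage", "sqs:*") for a in actions))


def notification_issues(template: dict) -> list:
    """Catch the two mistakes from the question plus a missing queue policy."""
    resources = template["Resources"]
    writable = set()   # logical ids of queues an in-template policy lets S3 send to
    for res in resources.values():
        if res["Type"] != "AWS::SQS::QueuePolicy":
            continue
        if any(_allows_s3_send(s) for s in res["Properties"]["PolicyDocument"]["Statement"]):
            writable.update(q["Ref"] for q in res["Properties"]["Queues"] if isinstance(q, dict))
    issues = []
    for logical, res in resources.items():
        if res["Type"] != "AWS::S3::Bucket":
            continue
        config = res.get("Properties", {}).get("NotificationConfiguration", {})
        if "QueueConfiguration" in config:
            issues.append(f"{logical}: the key is QueueConfigurations (plural, a list)")
        for entry in config.get("QueueConfigurations", []):
            if "Id" in entry:
                issues.append(f"{logical}: Id is not a QueueConfigurations property")
            queue = entry.get("Queue")
            # Only Fn::GetAtt to an in-template queue can be matched to a policy
            # here; a literal ARN may be covered by a policy outside this stack.
            target = (queue["Fn::GetAtt"][0]
                      if isinstance(queue, dict) and "Fn::GetAtt" in queue else None)
            if target not in writable:
                issues.append(f"{logical}: no QueuePolicy in this template lets "
                              f"s3.amazonaws.com send to {json.dumps(queue)}")
    return issues


if __name__ == "__main__":
    template = s3_to_sqs_template("dropship-inbound-qa", "Dropship-Inbound-qa")
    print(json.dumps(template, indent=2))
    print(notification_issues(template))
```

If the queue lives in another stack, keep the policy there and import the queue ARN instead; the linter will then report the literal ARN as unverified, which is the honest answer, since the permission has to be checked on the queue itself.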