YML with multiple files: Unhandled rejection YAMLException: duplicated mapping key - yaml

I tried to separate my resources field in multiple files in project. Most of then worked fine, but only this file, where I declare CognitoUserPool + CognitoUserPoolClient trowed this exception:
Unhandled rejection YAMLException: duplicated mapping key in "/home/uriel/Desktop/Foo/Backend/MultipleFile/backend-foo/resources/cognitoUserPoolFoo.yml" at line 20, column 3:
Type: AWS::Cognito::UserPoolClient
^
at generateError (/home/uriel/.nvm/versions/node/v10.16.0/lib/node_modules/serverless/node_modules/js-yaml/lib/js-yaml/loader.js:167:10)
I've already checked logical and indentation problems. This same lines worked on single file, they only throw this error when I move them to another YML file and import it.
Main YML file importing the another one
plugins:
- serverless-webpack
- serverless-python-requirements
- serverless-offline
resources:
- ${file(resources/cognitoUserPoolFoo.yml)}
File imported, the one that throw error.
Resources:
CognitoUserPoolFoo:
Type: AWS::Cognito::UserPool
Properties:
MfaConfiguration: OFF
UserPoolName: foo-${self:provider.stage}
EmailConfiguration:
ReplyToEmailAddress: foo#test.com
SourceArn: "arn:aws:ses:us-east-1:123456789012:identity/foo#test.com"
AutoVerifiedAttributes:
- email
Policies:
PasswordPolicy:
MinimumLength: 6
RequireLowercase: True
RequireNumbers: True
RequireSymbols: False
RequireUppercase: True
FooCognitoUserPoolClient:
Type: AWS::Cognito::UserPoolClient
Properties:
ClientName: FooWebApp-${self:provider.stage}
GenerateSecret: false
UserPoolId:
Ref: "CognitoUserPoolFoo"

Related

AWS SAM - Apply policy template for a resource created conditionally

I create a DynamoDb table conditionally:
MyDynamoTable:
Type: AWS::DynamoDB::Table
Condition: IsDevAccount
and this is how IsDevAccount is defined using an input parameter:
Conditions:
IsDevAccount: !Equals [ !Ref Stage, dev ]
Now I'm creating a Lambda function that accepts the table's name (amongst other things) as input through environment variables. This is done conditionally, too. Within the function's code, I'd check if the table name is passed (pass empty if condition isn't met). If so, I'd put some items into it.
However, I'm not sure how to apply policy templates to the function's role conditionally. Normally I do it like this:
MyFunction:
Type: AWS::Serverless::Function
Properties:
Policies:
- DynamoDBWritePolicy:
TableName: !Ref MyDynamoTable
What happens to the function's execution role if the table isn't created because the condition isn't met (e.g.: in another account)? Can I apply this policy template conditionally, as well?
What I don't want to do is to blindly give write permission to all DynamoDB tables within the account.
Yes, you could add the condition to the DB write policy so that only when the condition is met, it will allow the write policy.
You're creating the table only if the environment is staging or development, you could apply a condition on the policy to check for your table name then apply the write policy. Example below
MyDynamoTable:
Type: AWS::DynamoDB::Table
Condition: IsDevAccount
Conditions:
IsDevAccount: !Equals [ !Ref Stage, dev ]
MyFunction:
Type: AWS::Serverless::Function
Properties:
Policies:
- DynamoDBWritePolicy:
Condition: !Equals [ !Ref MyDynamoTable, "myTableName" ],
TableName: !Ref MyDynamoTable
Update in response to comments:
!Ref returns the value of the specified parameter or resource. We need parameters with allowed values for the environment and DBtable for the condition.
Parameters:
Environment:
Type: String
Default: dev
AllowedValues:
- dev
- stage
- prod
MyDynamoTable:
Description: table name for the db
Type: String
AllowedValues:
- tableOne
- tableTwo
- myTableName
Conditions:
IsDevAccount: !Equals [ !Ref Environment, "dev" ]
TableExists: !Equals [ !Ref MyDynamoTable, "myTableName" ]
MyFunction:
Type: AWS::Serverless::Function
Properties:
Policies:
- DynamoDBWritePolicy:
Condition: !And [IsDevAccount, TableExists] // Only with TableExists condition, it'll work fine with the added parameters
TableName: !Ref MyDynamoTable
Ref:- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-section-structure.html
Update 2:
Agreed, I researched and confirmed, there is no way to check for resources created in the same stack template (That's why suggested parameter). Conditions are all parameter based.
However if the resource was created already in other stack, you could do this through Resource import. I don't think, resource import will be of help in your requirement.
However, a workaround would be to have Boolean parameters for TableExists condition and can pass the value through AWS CLI on the run like below,
MyDynamoTable:
Description: dynamo db table
Type: String
AllowedValues:
- true
- false
Conditions:
TableExists: !Equals [ !Ref MyDynamoTable, "true" ]
MyFunction:
Type: AWS::Serverless::Function
Properties:
Policies:
- DynamoDBWritePolicy:
Condition: !Ref TableExists
TableName: !Ref MyDynamoTable
AWS CLI on deploy pass required parameters
aws cloudformation deploy --template templateName.yml --parameter-overrides MyDynamoTable="true" dynamoDBtableName="myTableName" (any parameter required)

Lambda template fails for SubnetIds and SecurityGroupIds

I have the following template in my sam function:
Resources:
TagChangedFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: tag_changed_function
Handler: tag_changed/app.lambda_handler
Runtime: python3.8
Policies:
- VPCAccessPolicy: {}
- Statement:
- Sid: EC2DescribeInstancesPolicy
Effect: "Allow"
Action:
- ec2:DescribeInstances
Resource: '*'
VpcConfig:
SubnetIds:
- sg-061328bxxxxx
SecurityGroupIds:
- subnet-03afd77xxxxx
Events:
TagChanged:
Type: CloudWatchEvent
Properties:
Pattern:
source:
- aws.tag
detail-type:
- Tag Change on Resource
(I masked the SubnetIds and SecurityGroupIds in the template with xxxxx).
But when I build and try to upload my code to aws, I get the following error message:
2 validation errors detected: Value
'[subnet-061328bxxxxx]' at
'vpcConfig.securityGroupIds' failed to satisfy
constraint: Member must satisfy constraint: [Member must
have length less than or equal to 1024, Member must have
length greater than or equal to 0, Member must satisfy
regular expression pattern: ^sg-[0-9a-z]*$]; Value
'[sg-03afd77xxxxx]' at 'vpcConfig.subnetIds' failed
to satisfy constraint: Member must satisfy constraint:
[Member must have length less than or equal to 1024,
Member must have length greater than or equal to 0,
Member must satisfy regular expression pattern:
^subnet-[0-9a-z]*$] (Service: AWSLambdaInternal; Status
Code: 400; Error Code: ValidationException; Request ID:
641be279-a48f-4249-b0a1-3e221f8bbdf
(again masking with xxxxxx)
As far as I can see, the regex constraints are satisfied. Do anyone see what is wrong in the template?
If I remove the VpcConfig section, it uploads fine.
You're giving sg ID in subnet section and Subnet ID in SG section. Kindly try the below
Resources:
TagChangedFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: tag_changed_function
Handler: tag_changed/app.lambda_handler
Runtime: python3.8
Policies:
- VPCAccessPolicy: {}
- Statement:
- Sid: EC2DescribeInstancesPolicy
Effect: "Allow"
Action:
- ec2:DescribeInstances
Resource: '*'
VpcConfig:
SubnetIds:
- subnet-03afd77xxxxx
SecurityGroupIds:
- sg-061328bxxxxx
Events:
TagChanged:
Type: CloudWatchEvent
Properties:
Pattern:
source:
- aws.tag
detail-type:
- Tag Change on Resource

In CloudFormation, how do I target a Lambda alias in Events::Rule

I'm trying to trigger a Lambda:alias (the alias is key here) on a schedule. The following code errors out with
"SampleLambdaLiveAlias is not valid. Reason: Provided Arn is not in
correct format. (Service: AmazonCloudWatchEvents; Status Code: 400;
Error Code: ValidationException;"
How do I properly target the lambda:alias in CloudFormation? I've tried !Ref, !Sub and just the logical name.
My custom-resource approach to retrieving the latest lambda version appears to be a necessary evil of setting up the "live" alias because AWS maintains old lambda versions, even after you delete the lambda and stack AND a valid version is required for a new alias. If anyone knows a more elegant approach to that problem, please see: how-to-use-sam-deploy-to-get-a-lambda-with-autopublishalias-and-additional-alises
SampleLambdaFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: SampleLambda
AutoPublishAlias: staging
CodeUri: src/
Handler: SampleLambda.handler
MemorySize: 512
Runtime: nodejs12.x
Role: !GetAtt SampleLambdaRole.Arn
SampleLambdaLiveAlias:
Type: AWS::Lambda::Alias
Properties:
FunctionName: !Ref SampleLambdaFunction
FunctionVersion: !GetAtt SampleLambdaGetMaxVersionFunction.version
Name: live
SampleLambdaFunctionScheduledEvent:
Type: AWS::Events::Rule
Properties:
State: ENABLED
ScheduleExpression: rate(1 minute) # same as cron(0/1 * * * ? *)
Description: Run SampleLambdaFunction once every 5 minutes.
Targets:
- Id: EventSampleLambda
Arn: SampleLambdaLiveAlias
Your error is in the last line of the piece of configuration you shared. In order to get the resource ARN you need to use Ref intrinsic function such as, !Ref SampleLambdaLiveAlias:
SampleLambdaFunctionScheduledEvent:
Type: AWS::Events::Rule
Properties:
State: ENABLED
ScheduleExpression: rate(1 minute) # same as cron(0/1 * * * ? *)
Description: Run SampleLambdaFunction once every 5 minutes.
Targets:
- Id: EventSampleLambda
Arn: !Ref SampleLambdaLiveAlias
Be aware that Ref intrinsic function may return different things for different types of resources. For Lambda alias it returns the ARN, just what you need.
You can check the official documentation for more detail.

Getting following error on serverless.yaml :can not read a block mapping entry; a multiline key may not be an implicit key

I am trying to deploy the lambda function along with the serverless.yml file to AWS, but it throw below error
The following is the function defined in the YAML file
functions:
s3-thumbnail-generator:
handler:handler.s3_thumbnail_generator
events:
- s3:
bucket: ${self:custom.bucket}
event: s3.ObjectCreated:*
rules:
- suffix: .png
plugins:
- serverless-python-requirements
Error I am getting:
can not read a block mapping entry; a multiline key may not be an implicit key in serverless.yml" at line 45, column 10:
I would need to understand how to fix this issue in YAML file in order to deploy to the function to AWS?
The problem is that there is no value indicator (:) at the end of the line:
handler:handler.s3_thumbnail_generator
so the parser continues to try and gather a multi-line plain scalar by adding events followed by a value indicator. But a multi-line plain scalar cannot be a key in YAML.
It is unclear what your actual error is. It might be that you need to add the value indicator and have a colon emmbedded in your key:
functions:
s3-thumbnail-generator:
handler:handler.s3_thumbnail_generator:
events:
- s3:
bucket: ${self:custom.bucket}
event: s3.ObjectCreated:*
rules:
- suffix: .png
plugins:
- serverless-python-requirements
Or it could be that that colon should have been a value indicator (which usually needs a following space) and you were sloppy with indentation:
functions:
s3-thumbnail-generator:
handler: handler.s3_thumbnail_generator
events:
- s3:
bucket: ${self:custom.bucket}
event: s3.ObjectCreated:*
rules:
- suffix: .png
plugins:
- serverless-python-requirements
If it is your original file there is a syntax error in your YAML file. I added a note under the line of possible error:
functions:
s3-thumbnail-generator:
handler:handler.s3_thumbnail_generator
events:
- s3:
bucket: ${self:custom.bucket}
event: s3.ObjectCreated:*
rules:
- suffix: .png
^^^ this line should be indented one level
plugins:
- serverless-python-requirements

How to use the security group existing in horizon in heat template

I'm newbies on heat yaml template loaded by OpenStack
I've got this command which works fine :
openstack server create --image RHEL-7.4 --flavor std.cpu1ram1 --nic net-id=network-name.admin-network --security-group security-name.group-sec-default value instance-name
I tried to write this heat file with the command above :
heat_template_version: 2014-10-16
description: Simple template to deploy a single compute instance with an attached volume
resources:
my_instance:
type: OS::Nova::Server
properties:
name: instance-name
image: RHEL-7.4
flavor: std.cpu1ram1
networks:
- network: network-name.admin-network
security_group:
- security_group: security-name.group-sec-default
security-group:
type: OS::Neutron::SecurityGroup
properties:
rules: security-name.group-sec-default
my_volume:
type: OS::Cinder::Volume
properties:
size: 10
my_attachment:
type: OS::Cinder::VolumeAttachment
properties:
instance_uuid: { get_resource: my_instance }
volume_id: { get_resource: my_volume }
mountpoint: /dev/vdb
The stack creation failed with the following message error :
openstack stack create -t my_first.yaml First_stack
openstack stack show First_stack
.../...
| stack_status_reason | Resource CREATE failed: BadRequest: resources.my_instance: Unable to find security_group with name or id 'sec_group1' (HTTP 400) (Request-ID: req-1c5d041c-2254-4e43-8785-c421319060d0)
.../...
Thanks for helping,
According to the template guide it is expecting the rules type is of list.
So, change the content of template as below for security-group:
security-group:
type: OS::Neutron::SecurityGroup
properties:
rules: [security-name.group-sec-default]
OR
security-group:
type: OS::Neutron::SecurityGroup
properties:
rules:
- security-name.group-sec-default
After digging, I finally found what was wrong in my heat file. I had to declare my instance like this :
my_instance:
type: OS::Nova::Server
properties:
name: instance-name
image: RHEL-7.4
flavor: std.cpu1ram1
networks:
- network: network-name.admin-network
security_groups: [security-name.group-sec-default]
Thanks for your support

Resources