I'm trying to deploy scheduled AWS Lambda function using CodeStar.
I have started from the webserver template of CodeStart and I have modified the template.yml in order to use the scheduled events.
AWSTemplateFormatVersion: 2010-09-09
Transform:
- AWS::Serverless-2016-10-31
- AWS::CodeStar
Parameters:
ProjectId:
Type: String
Description: AWS CodeStar projectID used to associate new resources to team members
Resources:
HelloWorld:
Type: AWS::Serverless::Function
Properties:
Handler: app.handler
Runtime: nodejs6.10
Role:
Fn::ImportValue:
!Join ['-', [!Ref 'ProjectId', !Ref 'AWS::Region','LambdaTrustRole']]
Events:
MyEvent:
Type: Schedule
Properties:
Schedule: rate(5 minutes)
I had attached the Policie CloudWatchEventsFullAccess to the Role CodeStarWorker-xxxxx-CloudFormation in order to allow the events:PutRule.
When I launch the CodePipeline I end getting an error in the deploy stage (CloudFormation) saying:
CREATE_FAILED AWS::CodeStar::SyncResources SyncResources1493352569577 com.amazon.coral.service.InternalFailure
No resources in your CloudFormation template are related to CodeStar so I think removing the 'AWS::CodeStar' line one the top should fix it.
Related
I have two sam applications one 'App1' having a lambda function and another one 'App2' that will consume its Arn to create a permission like the following:
App2 template:
Parameters:
LambdaFunctionArnFromApp1:
Type: String
Description: The shared value will be passed to this parameter by parent stack.
DACAdminsLoginPermission:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: LambdaFunctionArnFromApp1
Principal: apigateway.amazonaws.com
SourceArn: !Sub arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${HttpWebServer}/*/*/digitalatcore/admins/login
App1 template:
LambdaFunctionArnFromApp1:
Type: AWS::Serverless::Function
Properties:
CodeUri: 'URL'
Runtime: nodejs12.x
Handler: app.handler
Outputs:
LambdaFunctionArnFromApp1:
Value: !GetAtt LambdaFunctionFromApp1.Arn
Export:
Name: LambdaFunctionArnFromApp1
When i try to deploy the full stack with sam i get the following error :
"*** was not successfully created: The following resource(s) failed to create: [DACAdminsLoginPermission]. ROLLBACK_IN_PROGRESS"
Can anyone please help me with this.
thank you.
Assuming both nested stacks have the same parent stack, you can pass the output from the App1 stack to the App2 stack like this:
App1Stack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: app1-template.yaml
App2Stack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: app2-template.yaml
Parameters:
LambdaFunctionArnFromApp1: !GetAtt App1Stack.Outputs.LambdaFunctionArnFromApp1
Another option could be to use the ImportValue intrinsic function in your App2 template to get the export that you defined in the App1 template: FunctionName: !ImportValue LambdaFunctionArnFromApp1
I want to be able to call cognito functions through boto3 from my Lambda function in Python environment. What's the best way to give this type of access? I've done the following yaml but not sure if that's the best practice or I'm making the template longer.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
sam-app
Sample SAM Template for sam-app
Resources:
HelloWorldFunction:
Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
Properties:
CodeUri: hello_world/
Handler: app.lambda_handler
Runtime: python3.7
Policies:
- AWSLambdaExecute # Managed Policy
- Version: '2012-10-17' # Policy Document
Statement:
- Effect: Allow
Action:
- cognito-idp:ListUsers
Resource: 'arn:aws:cognito-idp:us-east-2:****:*****'
Events:
HelloWorld:
Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
Properties:
Path: /hello
Method: get
Outputs:
# ServerlessRestApi is an implicit API created out of Events key under Serverless::Function
# Find out more about other implicit resources you can reference within SAM
# https://github.com/awslabs/serverless-application-model/blob/master/docs/internals/generated_resources.rst#api
HelloWorldApi:
Description: "API Gateway endpoint URL for Prod stage for Hello World function"
Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/hello/"
HelloWorldFunction:
Description: "Hello World Lambda Function ARN"
Value: !GetAtt HelloWorldFunction.Arn
HelloWorldFunctionIamRole:
Description: "Implicit IAM Role created for Hello World function"
Value: !GetAtt HelloWorldFunctionRole.Arn
I'm talking about the "Policies", is my template up to the standards? or is there a shortcut I can take?
I am using Sam template to deploy a lambda with a api gateway.
Trying to generate a custom resource Logical Id based on a Timestamp. for eg in example below: ApiDeployment$TIMESTAMP$: which is not working. Any ideas how I may achieve a dynamically configurable resource Logical Id name, using Sam template?
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Setup our API Gateway instances
Parameters:
StageName:
Type: String
Default: 'example_stage'
Description: 'The name of the stage to be created and managed within our API Gateway instance.'
Resources:
Api:
Type: AWS::ApiGateway::RestApi
Properties:
Name: ExampleApi
EndpointConfiguration:
Types:
- REGIONAL
# The body should contain the actual swagger
Body: $SWAGGER_DEFINITION$
# Timestamp is added so that each deployment is unique. Without a new timestamp, the deployment will not actually occur
ApiDeployment$TIMESTAMP$:
Type: AWS::ApiGateway::Deployment
DependsOn: [ Api ]
# we want to retain our deployment history
DeletionPolicy: Retain
Properties:
RestApiId:
Ref: Api
ApiStage:
Type: AWS::ApiGateway::Stage
DependsOn: [ApiDeployment$TIMESTAMP$]
Properties:
RestApiId:
Ref: Api
DeploymentId:
Ref: ApiDeployment$TIMESTAMP$
StageName: {Ref: StageName}
MethodSettings:
- ResourcePath: "/*"
HttpMethod: "*"
LoggingLevel: INFO
MetricsEnabled: true
DataTraceEnabled: true
Outputs:
Endpoint:
Description: Endpoint url
Value:
Fn::Sub: 'https://${Api}.execute-api.${AWS::Region}.amazonaws.com'
Im writing a lambda function that i want to be triggered by somebody updating the master branch of a repo. The repo already exists on the account.
Is there a way in cloudformation that i can add the trigger to the lambda function? I guess at a snip i could cretae some cloudwatch rule to trigger the lambda, but would rather keep it all inside the lambda.
Thanks
R
If you are using AWS serverless transform then you can self contain it within the lambda. Although the transform generates the cloudwatch rule and the lambda permission, so it's basically the same you mentioned.
nevertheless here's an example to do what you want
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: Pipeline which triggers lambda for codecommit changes
Parameters:
BranchName:
Default: master
Description: The GIT branch
Type: String
RepositoryName:
Description: The GIT repository
Type: String
StackOwner:
Description: The stack owner
Type: String
Resources:
BasicLambdaRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: "/"
Policies:
- PolicyName: root
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: logs:*
Resource: arn:aws:logs:*:*:*
- Effect: Allow
Action: '*'
Resource: '*'
PipelineTriggerFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: src/trigger
Handler: codetrigger.handler
MemorySize: 256
Role: !GetAtt BasicLambdaRole.Arn
Runtime: python3.6
Timeout: 900
Environment:
Variables:
TestVariable: "TestValue"
Events:
CodeCommitPushEvent:
Type: CloudWatchEvent
Properties:
Pattern:
source:
- aws.codecommit
resources:
- !Sub 'arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${RepositoryName}'
detail:
event:
- referenceCreated
- referenceUpdated
repositoryName:
- !Ref RepositoryName
referenceName:
- !Ref BranchName
Tags:
'owner': !Ref StackOwner
'task': !Ref RepositoryName
Obviously, specify the lambda role better and not give all permissions as provided in the example.
I created a template.yaml file to declare a simple lambda function that is invoked by api gateway. When I try to invoke the function from the api gateway url the request fails with {"message": "Internal server error"} and in cloudwatch api gateway logs I see the error message Invalid permissions on Lambda function.
This is my template.yaml:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Parameters:
AliasName:
Type: String
Default: dev
Resources:
DynamoDBTenantTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: clientApiKey
AttributeType: S
KeySchema:
- AttributeName: clientApiKey
KeyType: HASH
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
TableName: !Sub "authtable-${AliasName}"
AmeAuthenticatorLambda:
Type: AWS::Serverless::Function
Properties:
Handler: authenticator.handler
Policies: AmazonDynamoDBFullAccess
Runtime: nodejs8.10
CodeUri: src/
Environment:
Variables:
TABLE_NAME: !Sub "authtable-${AliasName}"
Events:
AuthenticatorEvent:
Type: Api
Properties:
Path: /authentication/
Method: POST
The SAM Documentation says that the syntax above is able to create the necessary permissions and API declaration implicitly.
I also followed an example from AWS website.
If I add to the template.yaml file a lambda:InvokeFunction permission then the invocation works, but by reading the documentation doing that should not be necessary.
What can be going wrong?