CloudFormation template error: every Fn::GetAtt object requires two non-empty parameters

Time: 2018-03-09 18:47:31

Tags: amazon-web-services nested stack amazon-cloudformation

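I created a nested CloudFormation stack that, in this case, references a Lambda child stack. Because I have multiple LambdaFunctions, I designed the LambdaFunction resource in the Lambda child template so that it can repeat the same operation for all of the Lambda functions specified in the parent template.

However, as soon as I execute create-stack, I receive the following error, which points to the Lambda child template: Template error: every Fn::GetAtt object requires two non-empty parameters, the resource name and the resource attribute

I tried adding a DependsOn clause listing all of the LambdaExecutionRoles, since the LambdaFunction references those, but that did not seem to resolve the issue. So something is going wrong either in receiving the LambdaName parameter or in getting the Arn. Any ideas?

Part of the parent template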

AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AlignmentLambdaFuncS3BucketName:
    Type: String
  AlignmentLambdaFuncS3KeyName:
    Type: String
  AlignmentLambdaFuncModuleName:
    Type: String
  HaploLambdaFuncS3BucketName:
    Type: String
  HaploLambdaFuncS3KeyName:
    Type: String
  HaploLambdaFuncModuleName:
    Type: String

Resources:
  AlignmentLambdaFunction:
    Type: "AWS::CloudFormation::Stack"
    Properties:
      Parameters:
        LambdaName: Alignment
        BucketName: LambdaFuncS3BucketName
        S3KeyName: LambdaFuncS3KeyName
        ModuleName: LambdaFuncModuleName
      TemplateURL: https://s3.amazonaws.com/CFNTemplate/lambda_resources.stack.yaml
      TimeoutInMinutes: 1

  HaploLambdaFunction:
    Type: "AWS::CloudFormation::Stack"
    Properties:
      Parameters:
        LambdaName: Haplo
        BucketName: LambdaFuncS3BucketName
        S3KeyName: LambdaFuncS3KeyName
        ModuleName: LambdaFuncModuleName
      TemplateURL: https://s3.amazonaws.com/CFNTemplate/lambda_resources.stack.yaml
      TimeoutInMinutes: 1

Part of the Lambda child template

AWSTemplateFormatVersion: '2010-09-09'
Description: lambda function and execution role stack.
Parameters:
  LambdaName:
    Type: String
  BucketName:
    Type: String
  S3KeyName:
    Type: String
  ModuleName:
    Type: String
  KMSAdminUserARN:
    Type: String
  KMSEndUserARN:
    Type: String

Resources:
  LambdaFunction: 
    Type: "AWS::Lambda::Function"
    Properties:
      Handler: !Sub '${LambdaName}-{ModuleName}.handler'
      Role:
        Fn::GetAtt: [ !Sub '${LambdaName}LambdaExecutionRole', Arn ]
      Code:
        S3Bucket: !Sub '${LambdaName}{BucketName}'
        S3Key: !Sub '${LambdaName}{S3KeyName}'
      Runtime: "python3.6"



  AlignmentLambdaExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: CanListBuckets
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "s3:GetBucketLocation"
                  - "s3:ListAllMyBuckets"
                Resource: "arn:aws:s3:::*"
        - PolicyName: CanCallBatch
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "batch:*"
                Resource: "*"
        - PolicyName: CanLog
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action:
              - logs:*
              Resource: arn:aws:logs:*:*:*

  HaploLambdaExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: CanListBuckets
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "s3:GetBucketLocation"
                  - "s3:ListAllMyBuckets"
                Resource: "arn:aws:s3:::*"
        - PolicyName: CanCallBatch
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "batch:*"
                Resource: "*"
        - PolicyName: CanLog
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Action:
              - logs:*
              Resource: arn:aws:logs:*:*:*

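1 answer:

Answer 0 (score: 1)

Unfortunately, you cannot use any function (e.g. Fn::GetAtt) in the logical resource name of Sub:

For the Fn::GetAtt logical resource name, you cannot use functions. You must specify a string that is a resource's logical ID.

Source: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html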
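
One way to restructure the child template so that Fn::GetAtt receives a literal logical ID (an added example, not part of the original question or answer). It assumes the parent passes real values for BucketName, S3KeyName and ModuleName (for example with `!Ref AlignmentLambdaFuncS3BucketName`), and it leaves out the KMS parameters and the role policies shown in the question.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: lambda function and execution role stack.
Parameters:
  LambdaName:
    Type: String
  BucketName:
    Type: String
  S3KeyName:
    Type: String
  ModuleName:
    Type: String

Resources:
  # One role with a fixed logical ID. Every nested stack created from this
  # template gets its own copy, so the ID does not have to vary with LambdaName.
  LambdaExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: "sts:AssumeRole"
      # Policies: the CanListBuckets / CanCallBatch / CanLog entries from the
      # question go here unchanged.

  LambdaFunction:
    Type: "AWS::Lambda::Function"
    Properties:
      # Assumption: handler naming kept from the question, with the missing "$" added.
      Handler: !Sub '${LambdaName}-${ModuleName}.handler'
      # The logical ID is a plain string, which is what Fn::GetAtt requires.
      Role: !GetAtt LambdaExecutionRole.Arn
      Code:
        # Assumption: the parent passes the actual bucket and key values.
        S3Bucket: !Ref BucketName
        S3Key: !Ref S3KeyName
      Runtime: "python3.6"
```

With this layout the two per-function roles (AlignmentLambdaExecutionRole, HaploLambdaExecutionRole) collapse into one definition, and the DependsOn clause is unnecessary because `!GetAtt` already creates the dependency on the role.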