aerioeus

Reputation: 1410

IAM nested stack fails to complete due to undefined resource policies

I have created a nested IAM stack, which consists of 3 templates:
- iam-policies
- iam-roles
- iam user/groups

The master stack template looks like this:

Resources:

  Policies:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/xxx/iam/iam_policies.yaml

  UserGroups:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/xxx/iam/iam_user_groups.yaml

  Roles:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/xxx/iam/iam_roles.yaml

The policy ARNs are exported via the Outputs section like:

Outputs:
  StackName:
    Description: Name of the Stack
    Value: !Ref AWS::StackName

  CodeBuildServiceRolePolicy:
    Description: ARN of the managed policy
    Value: !Ref CodeBuildServiceRolePolicy

In the Role template the policy ARNs are imported like:

CodeBuildRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub ${EnvironmentName}-CodeBuildRole
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action:
            - 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service:
              - codebuild.amazonaws.com
    Path: /
    ManagedPolicyArns:
      - !GetAtt
        - Policies
        - Outputs.CodeBuildServiceRolePolicy

But when I try to create the stack, it fails saying the Roles stack cannot be created because:

Template error: instance of Fn::GetAtt references undefined resource Policies

How can I force the creation of the policies first so the second and third template can use the policies to create roles and user/groups? Or is the issue elsewhere?

merci A

Upvotes: 1

Views: 538
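As an added example (not code from the question or either answer), here is the standard way to hand a nested stack's output to a sibling nested stack: the parent template calls GetAtt on its own `Policies` stack resource and passes the value into the `Roles` stack as a parameter, which also makes CloudFormation create `Policies` before `Roles` without an explicit DependsOn. The parameter name `CodeBuildServiceRolePolicyArn` and the `EnvironmentName` parameter on the parent are assumptions; the bucket path is the placeholder from the question.

```yaml
# master.yaml (parent stack)
Parameters:
  EnvironmentName:
    Type: String

Resources:
  Policies:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/xxx/iam/iam_policies.yaml

  Roles:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/xxx/iam/iam_roles.yaml
      Parameters:
        EnvironmentName: !Ref EnvironmentName
        # GetAtt on the Policies stack resource is valid here, in the parent,
        # because Policies is defined in this template. The reference also
        # creates an implicit dependency, so Policies finishes first.
        CodeBuildServiceRolePolicyArn: !GetAtt Policies.Outputs.CodeBuildServiceRolePolicy

---
# iam_roles.yaml (child stack): receive the ARN as a parameter, not via GetAtt
Parameters:
  EnvironmentName:
    Type: String
  CodeBuildServiceRolePolicyArn:
    Type: String
    # Reject anything that is not an IAM managed policy ARN (assumed constraint).
    AllowedPattern: '^arn:aws[a-z-]*:iam::\d{12}:policy/.+$'

Resources:
  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ${EnvironmentName}-CodeBuildRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 'sts:AssumeRole'
            Principal:
              Service: codebuild.amazonaws.com
      Path: /
      ManagedPolicyArns:
        - !Ref CodeBuildServiceRolePolicyArn
```

The same pattern applies to the user/groups template: every value a child needs from a sibling stack enters through its Parameters section, so no child template ever names a resource that lives in the parent.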

Answers (2)

Darshan Ambhaikar

Reputation: 785

Your question,

How can I force the creation of the policies first so the second and third template can use the policies to create roles and user/ groups? Or is the issue elsewhere?

You can use "DependsOn" attribute. It automatically determines which resources in a template can be parallelized and which have dependencies that require other operations to finish first. You can use DependsOn to explicitly specify dependencies, which overrides the default parallelism and directs CloudFormation to operate on those resources in a specified order.

In your case, the second and third templates DependsOn Policies.

More details: DependsOn

Upvotes: 2

krisnik

Reputation: 1436

The reason why you aren't able to access the outputs is that you haven't exposed the outputs to other stacks.

Update your Outputs with the data you want to export. Ref - Outputs for the same.

Then, use the function Fn::ImportValue in the dependent stacks to consume the required data. Ref - ImportValue for the same.

Hope this helps.

Upvotes: -1
