Resources created through serverless transforms use hardcoded partitions
cfn-lint version: v0.30.1
Resources (such as Lambda Roles and Permissions) created by resources using AWS::Serverless use hardcoded Partitions
Example Resource
```yaml
rUploadRepo:
  Type: AWS::Serverless::Function
  Properties:
    Description: >-
      Used in CloudFormation to zip up and upload the repository to the
      Specified S3 Bucket
    Handler: uploader.lambda_handler
    MemorySize: 128
    Policies:
      - Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:PutObject
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::${pDeploymentAssetsBucket}/*'
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource: "*"
    Runtime: python3.8
    CodeUri: CodeCommit/Lambda/Code/Uploader
    Layers:
      - !Ref rCodeCommitCustomResourceLayer
    Timeout: 30
    Tags:
      Name: !Sub '${pProjectName}-repo-upload-lambda'
```
Hardcoded partition in resulting managed policy arn
```json
{
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Statement": [
        {
          "Action": [
            "sts:AssumeRole"
          ],
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "lambda.amazonaws.com"
            ]
          }
        }
      ],
      "Version": "2012-10-17"
    },
    "ManagedPolicyArns": [
      "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
    ],
    "Policies": [
      {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:PutObject"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Sub": "arn:${AWS::Partition}:s3:::${pDeploymentAssetsBucket}/*"
                }
              ]
            },
            {
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "rUploadRepoRolePolicy0"
      }
    ],
    "Tags": [
      {
        "Key": "lambda:createdBy",
        "Value": "SAM"
      },
      {
        "Key": "Name",
        "Value": {
          "Fn::Sub": "${pProjectName}-repo-upload-lambda"
        }
      }
    ]
  },
  "Type": "AWS::IAM::Role"
}
{
  "Properties": {
    "Action": "lambda:InvokeFunction",
    "FunctionName": {
      "Ref": "rCfnNagNotficationLambda"
    },
    "Principal": "logs.amazonaws.com",
    "SourceArn": {
      "Fn::Sub": [
        "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${__LogGroupName__}:*",
        {
          "__LogGroupName__": {
            "Fn::GetAtt": [
              "rDevelopPipeline",
              "Outputs",
              "oCfnNagLogGroupName"
            ]
          }
        }
      ]
    }
  },
  "Type": "AWS::Lambda::Permission"
}
```
Feature request:
- Replace the Partition that is generated with ${AWS::Partition}; this way custom checks can be made on whether or not templates will work cross-Partition.
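The check the feature request asks for is easy to express once the transformed template is in hand. The following is an added example (not cfn-lint's or SAM's code): it walks a parsed template, reports every ARN that begins with a literal partition, and produces a copy in which those literals are replaced by `${AWS::Partition}`. Strings that are already the format string of an `Fn::Sub` are edited in place; bare strings are wrapped in a new `Fn::Sub`, since CloudFormation does not substitute plain strings. The sample template is constructed from the two transformed resources quoted above, trimmed to the properties that matter; `rCfnNagPermission` is an assumed logical ID because the issue does not show the permission's name.

```python
"""Flag and rewrite hardcoded AWS partitions in a CloudFormation template.

Added example, not cfn-lint's or SAM's own code. Input is a parsed template
(JSON/YAML loaded into dicts and lists), e.g. the output of the
AWS::Serverless transform.
"""
import copy
import re
from typing import Any, List, Tuple

# Literal partitions that exist today. An ARN built with ${AWS::Partition}
# starts with "arn:${" and deliberately does not match.
HARDCODED_PARTITION = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):")

Finding = Tuple[str, str]  # (slash-separated path into the template, offending string)


def find_hardcoded_partitions(node: Any, path: str = "") -> List[Finding]:
    """Recursively collect every string that begins with a literal partition."""
    findings: List[Finding] = []
    if isinstance(node, dict):
        for key, value in node.items():
            findings.extend(find_hardcoded_partitions(value, f"{path}/{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings.extend(find_hardcoded_partitions(value, f"{path}/{index}"))
    elif isinstance(node, str) and HARDCODED_PARTITION.match(node):
        findings.append((path, node))
    return findings


def _rewrite(node: Any, inside_sub: bool) -> Any:
    """Return a copy of node with literal partitions replaced.

    inside_sub is True while visiting the format string of an Fn::Sub, where a
    bare ${AWS::Partition} is substituted by CloudFormation. Anywhere else the
    fixed string has to be wrapped in its own Fn::Sub.
    """
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key == "Fn::Sub" and isinstance(value, list) and value:
                # List form: only the first element is a format string; the
                # variable map that follows holds literal values or intrinsics.
                out[key] = [_rewrite(value[0], True)] + [_rewrite(v, False) for v in value[1:]]
            else:
                out[key] = _rewrite(value, inside_sub or key == "Fn::Sub")
        return out
    if isinstance(node, list):
        return [_rewrite(value, inside_sub) for value in node]
    if isinstance(node, str) and HARDCODED_PARTITION.match(node):
        fixed = HARDCODED_PARTITION.sub("arn:${AWS::Partition}:", node)
        return fixed if inside_sub else {"Fn::Sub": fixed}
    return node


def rewrite_partitions(template: dict) -> dict:
    """Non-destructive: the caller's template is left untouched."""
    return _rewrite(copy.deepcopy(template), inside_sub=False)


# Constructed sample built from the transformed resources shown in the issue.
# "rCfnNagPermission" is an assumed logical ID.
SAMPLE_TEMPLATE = {
    "Resources": {
        "rUploadRepoRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
                ],
                "Policies": [{
                    "PolicyName": "rUploadRepoRolePolicy0",
                    "PolicyDocument": {"Statement": [{
                        "Effect": "Allow",
                        "Action": ["s3:PutObject"],
                        # Already partition-safe: must not be flagged.
                        "Resource": [{"Fn::Sub": "arn:${AWS::Partition}:s3:::${pDeploymentAssetsBucket}/*"}],
                    }]},
                }],
            },
        },
        "rCfnNagPermission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "Action": "lambda:InvokeFunction",
                "Principal": "logs.amazonaws.com",
                "SourceArn": {"Fn::Sub": [
                    "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${__LogGroupName__}:*",
                    {"__LogGroupName__": {"Fn::GetAtt": ["rDevelopPipeline", "Outputs", "oCfnNagLogGroupName"]}},
                ]},
            },
        },
    }
}

if __name__ == "__main__":
    for found_path, value in find_hardcoded_partitions(SAMPLE_TEMPLATE):
        print(f"hardcoded partition at {found_path}: {value}")
    fixed = rewrite_partitions(SAMPLE_TEMPLATE)
    print(fixed["Resources"]["rUploadRepoRole"]["Properties"]["ManagedPolicyArns"])
```

Run against the sample, the finder reports the managed policy ARN and the `SourceArn` format string and nothing else; after `rewrite_partitions` the finder returns no results. Because the check runs on the transformed template, it has to be applied after the SAM transform, which is exactly why the comments below discuss transforming before linting.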
Created 3 years ago; 11 comments (7 by maintainers)
My ideal solution, @jfuss, would be to have a SAM CloudFormation spec file we could use to validate the templates. We need to transform for SAM since the transformed template is the only thing that would make sense to the spec files that exist.
Doing this for other Transforms has come up before but there isn’t as easy of a way to do it at scale as there is with SAM.
I agree it does cause some confusion. The other option would be to disable linting on SAM templates (or just lint them as is… which could cause a lot more false positives).
+1 to @kddejong’s preference for SAM to provide a spec cfn-lint can use rather than running the SAM translator library on the template before processing with cfn-lint. There’s a SAM issue for this: https://github.com/awslabs/serverless-application-model/issues/1133