I’m constructing a small CloudFormation build in AWS with YAML. Currently, I’ve created a VPC, and a Subnet. The first process I am trying is to modify the inbound and outbound rules on the NACL created, when the VPC is created. This is where I am experiencing issues. Below is the YAML Template being used:
Resources:
  InboundRule:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !GetAtt CSETrainingSubnet.NetworkAclAssociationId
      RuleNumber: 1
      Protocol: -1
      RuleAction: deny
      CidrBlock: 0.0.0.0/0
  OutboundRule:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !GetAtt CSETrainingSubnet.NetworkAclAssociationId
      RuleNumber: 1
      Protocol: -1
      Egress: true
      RuleAction: deny
      CidrBlock: 0.0.0.0/0
  CSETrainingVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.146.0.0/16
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
        - Key: Name
          Value: Training VPC
  CSETrainingSubnet:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref CSETrainingVPC
      CidrBlock: 10.146.1.0/24
      AvailabilityZone: us-east-1a
      Tags:
        - Key: Name
          Value: CSETrainingSubnet
Outputs:
  DefaultNetworkACLID:
    Description: "ID of Training VPC Network ACL"
    Value: !GetAtt CSETrainingSubnet.NetworkAclAssociationId
The issue is that when I call “!GetAtt CSETrainingSubnet.NetworkAclAssociationId” under InboundRule, OutboundRule, and Outputs, I get the following error: “Attribute ‘NetworkAclAssociationId’ does not exist.” (also shown in the screenshot)
The same “Attribute ‘NetworkAclAssociationId’ does not exist.” error is generated whether I call !GetAtt using the Subnet association or the VPC.DefaultNetworkAcl association.
I’ve also attached a screenshot showing that the NACL does indeed exist, along with the VPC and subnet.
I’ve tried grabbing the association from the Subnet creation instead of the VPC creation, due to a recommendation from ChatGPT, but that did not help. I also attempted to grab the association from the Outputs area, after everything else completed, but I still get the same error message.
The only thing I have not tried is potentially issuing a wait command, as that is the only other thing I can think of. I was unsuccessful in researching this exact issue, where !GetAtt does not work even though the resource was created successfully.
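For reference, here is a complete template for the same VPC, subnet and deny-all entries, written as an added example rather than taken from the question above. It differs from the posted template in one point: AWS::EC2::NetworkAclEntry takes a network ACL id (acl-...), which is what the VPC's DefaultNetworkAcl attribute returns, whereas the subnet's NetworkAclAssociationId attribute returns an association id (aclassoc-...). The logical resource names are kept from the question; the output names are my own.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Training VPC with deny-all entries on the VPC's default network ACL (added example)

Resources:
  CSETrainingVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.146.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: Training VPC

  CSETrainingSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref CSETrainingVPC
      CidrBlock: 10.146.1.0/24
      AvailabilityZone: us-east-1a
      Tags:
        - Key: Name
          Value: CSETrainingSubnet

  # NetworkAclEntry needs an ACL id (acl-...). The VPC's DefaultNetworkAcl
  # attribute returns exactly that; the subnet's NetworkAclAssociationId
  # returns an association id (aclassoc-...), which is a different object.
  InboundDenyAll:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !GetAtt CSETrainingVPC.DefaultNetworkAcl
      RuleNumber: 1          # evaluated before the default allow rule (100)
      Protocol: -1           # all protocols
      RuleAction: deny
      CidrBlock: 0.0.0.0/0

  OutboundDenyAll:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !GetAtt CSETrainingVPC.DefaultNetworkAcl
      RuleNumber: 1
      Protocol: -1
      Egress: true           # outbound entry; inbound and outbound rule numbers are independent
      RuleAction: deny
      CidrBlock: 0.0.0.0/0

Outputs:
  DefaultNetworkAclId:
    Description: ID of the Training VPC's default network ACL
    Value: !GetAtt CSETrainingVPC.DefaultNetworkAcl
  SubnetNaclAssociationId:
    Description: Association between the subnet and its network ACL (an aclassoc- id, not an ACL id)
    Value: !GetAtt CSETrainingSubnet.NetworkAclAssociationId
```

Both attributes are resolved by CloudFormation through describe calls on the VPC and subnet, so the role the stack runs under still needs the read permissions discussed in the answer; a correct attribute name does not by itself remove an "Attribute does not exist" error caused by a missing permission.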
The answer to the above issue (“Attribute ‘DefaultNetworkAcl’ does not exist” or “Attribute ‘NetworkAclAssociationId’ does not exist.”) was that the IAM role that CloudFormation uses was missing the following permissions:
“ec2:DescribeNetworkAcls”
“ec2:CreateNetworkAclEntry”
If you're going for least privilege, these are necessary, and this is not indicated well by the error message. I figured I would try using the admin role for testing, and after using the admin role the issue was solved. Thus, I had to find the right permissions to add.
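The permissions named in the answer can be carried in a dedicated CloudFormation service role instead of the caller's own identity, so that the network stack never runs with admin rights. The template below is an added example, not part of the original answer: it creates such a role with the two actions the answer identifies plus the actions I assume the VPC, subnet and tag resources in the question need (create/delete/modify/describe for each); the role name and policy name are my own choices. Describe actions do not support resource-level permissions in EC2, so those statements use a wildcard resource; the mutating statement is narrowed to the one region the question deploys into.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Least-privilege service role for the training network stack (added example)

Resources:
  TrainingNetworkStackRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cfn-training-network-role   # assumed name
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com   # only the CloudFormation service may assume it
            Action: sts:AssumeRole
      Policies:
        - PolicyName: training-network-stack   # assumed name
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read-only calls CloudFormation makes to resolve !GetAtt values such as
              # DefaultNetworkAcl and NetworkAclAssociationId. ec2:DescribeNetworkAcls is
              # the one the answer found missing; the others are assumed for VPC/Subnet.
              - Sid: DescribeNetworkResources
                Effect: Allow
                Action:
                  - ec2:DescribeVpcs
                  - ec2:DescribeVpcAttribute
                  - ec2:DescribeSubnets
                  - ec2:DescribeNetworkAcls
                Resource: '*'
              # Mutating calls for the three resource types in the stack, limited to us-east-1.
              # ec2:CreateNetworkAclEntry is the second permission named in the answer.
              - Sid: ManageTrainingNetwork
                Effect: Allow
                Action:
                  - ec2:CreateVpc
                  - ec2:DeleteVpc
                  - ec2:ModifyVpcAttribute      # EnableDnsSupport / EnableDnsHostnames
                  - ec2:CreateSubnet
                  - ec2:DeleteSubnet
                  - ec2:CreateNetworkAclEntry
                  - ec2:ReplaceNetworkAclEntry  # used on stack update
                  - ec2:DeleteNetworkAclEntry   # used on rollback and delete
                  - ec2:CreateTags
                  - ec2:DeleteTags
                Resource: '*'
                Condition:
                  StringEquals:
                    aws:RequestedRegion: us-east-1

Outputs:
  RoleArn:
    Description: Pass this ARN as --role-arn when creating the network stack
    Value: !GetAtt TrainingNetworkStackRole.Arn
```

Deploy this role stack once with a privileged identity, then create the network stack with `aws cloudformation create-stack --role-arn <RoleArn> ...`. If an attribute error reappears, the first thing to check is CloudTrail for an AccessDenied on a Describe call made by this role, since the stack error text does not name the missing permission.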