I have a cloudformation template that is creating several resources, such as SQS, Lambda, and an IAM role for the listed services.
The IAM role is defined in the template; however, when trying to create the Stack I get an error saying the Role was not found.
Here is my template:
AWSTemplateFormatVersion: '2010-09-09'
Description: DP Test Set Entry Updated infrastructure.
Parameters:
  Version:
    Description: The version tag to use for pre-deployed lambda bundles
    Type: String
  Environment:
    Type: String
    AllowedValues:
      - dev
      - nonprod
      - prod
  DpTestSetEntrySnsTopicArn:
    Description: the ARN of the SNS topic where test set entries are published
    Type: String
    # The original restricted this ARN to AllowedValues [dev], which no real topic ARN can
    # satisfy; the shape check below is an assumed replacement.
    AllowedPattern: '^arn:aws[a-z-]*:sns:[a-z0-9-]+:[0-9]{12}:.+$'
Resources:
  DpTseSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref DpTestSetEntrySnsTopicArn
      Endpoint: !GetAtt DpTestSetEntryUpdatedQueue.Arn
      Protocol: sqs
      RawMessageDelivery: 'true'
  DpTestSetEntryUpdatedQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Sub viva-dp-tse-updated-${Environment}
      MessageRetentionPeriod: 1209600
      # If this queue is later attached to the function with an event source mapping, AWS
      # recommends a VisibilityTimeout of at least six times the function Timeout.
      VisibilityTimeout: 500
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt DpTestSetEntryUpdatedDLQ.Arn
        maxReceiveCount: 5
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName
  DpTestSetEntryUpdatedDLQ:
    Type: AWS::SQS::Queue
  DpTestSetEntryUpdatedSQSPolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref DpTestSetEntryUpdatedQueue
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Only the configured SNS topic may send into the queue.
          - Effect: Allow
            Principal:
              Service: sns.amazonaws.com
            Action:
              - sqs:SendMessage
            Resource: !GetAtt DpTestSetEntryUpdatedQueue.Arn
            Condition:
              ArnEquals:
                aws:SourceArn: !Ref DpTestSetEntrySnsTopicArn
          # Refuse any access that is not over TLS. A queue policy statement must carry a
          # Principal; this Deny originally had none and is rejected without it.
          - Effect: Deny
            Principal: '*'
            Action:
              - sqs:*
            Resource: !GetAtt DpTestSetEntryUpdatedQueue.Arn
            Condition:
              Bool:
                aws:SecureTransport: 'false'
  DpTseUpdatedFunction:
    Type: AWS::Lambda::Function
    Properties:
      Architectures:
        - arm64
      Code:
        S3Bucket: !Sub viva-${Environment}-${AWS::AccountId}
        S3Key: !Sub ${Version}.zip
      # !GetAtt on a role declared in this template makes the function depend on it, so
      # CloudFormation creates the role before the function.
      Role: !GetAtt DpTseUpdatedFunctionRole.Arn
      FunctionName: !Sub viva-dp-tse-updated-${Environment}
      Handler: events/dpTestSetEntryUpdated/index.handler
      MemorySize: 256
      PackageType: Zip
      Runtime: nodejs20.x
      Timeout: 500
  DpTseUpdatedFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join
        - /
        - - /aws/lambda
          - !Ref DpTseUpdatedFunction
      RetentionInDays: 1827
  DpTseUpdatedFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      # An explicit RoleName means the stack must be created with CAPABILITY_NAMED_IAM.
      RoleName: !Sub viva-dp-tse-updated-role-${Environment}
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
      Policies:
        - PolicyName: ReadSecretsPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                Resource: !Sub arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:viva-${Environment}*
              - Effect: Allow
                Action:
                  - sqs:ReceiveMessage
                  - sqs:DeleteMessage
                  - sqs:GetQueueAttributes
                # Taken from the queue resource rather than rebuilt by hand, so it cannot
                # drift from QueueName.
                Resource: !GetAtt DpTestSetEntryUpdatedQueue.Arn
And when I try to create the stack here is the error:
Since I am defining the role in this template I am expecting it to create the role. But it is saying there is a 404 error when trying to find an existing role.
Can I not create a role in the same template where it is being used?
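The question turns on whether CloudFormation orders the role before the function that uses it. As an added example (not part of the question, and not AWS tooling), here is a small stdlib-only Python script that extracts the implicit dependency graph from a template (Ref, Fn::GetAtt and Fn::Sub references, plus explicit DependsOn), computes a valid creation order, lists references to names the template never defines, and reports for every Lambda function whether its Role is a role declared in the same template or an external ARN that must already exist. It assumes the template is given in CloudFormation's JSON-equivalent intrinsic form (`{"Ref": ...}`, `{"Fn::GetAtt": [...]}`, `{"Fn::Sub": ...}`) rather than the YAML short tags, so no YAML library is needed; SAMPLE_TEMPLATE is a constructed, trimmed copy of the question's resources, and all function names are mine.

```python
"""Dependency analysis of a CloudFormation template (JSON-equivalent intrinsic form).
Shows that a Lambda function whose Role is Fn::GetAtt of a role in the same template is
implicitly ordered after that role. Stdlib only; graphlib needs Python 3.9+."""
import re
from graphlib import TopologicalSorter

PSEUDO_PARAMETERS = {"AWS::AccountId", "AWS::Region", "AWS::StackName", "AWS::StackId",
                     "AWS::Partition", "AWS::URLSuffix", "AWS::NoValue", "AWS::NotificationARNs"}
# ${Name} or ${Name.Attribute} inside Fn::Sub; ${!Literal} is an escape and never matches.
_SUB_VAR = re.compile(r"\$\{([A-Za-z0-9:]+)(?:\.[^}]+)?\}")


def _walk(node):
    """Yield every logical name referenced through Ref, Fn::GetAtt or Fn::Sub below node."""
    if isinstance(node, dict):
        if len(node) == 1 and "Ref" in node:
            yield node["Ref"]
        elif len(node) == 1 and "Fn::GetAtt" in node:
            target = node["Fn::GetAtt"]          # ["Logical", "Attr"] or "Logical.Attr"
            yield target[0] if isinstance(target, list) else target.split(".", 1)[0]
        elif len(node) == 1 and "Fn::Sub" in node:
            sub = node["Fn::Sub"]                # "string" or ["string", {local vars}]
            text, local = (sub, {}) if isinstance(sub, str) else (sub[0], sub[1])
            yield from (n for n in _SUB_VAR.findall(text) if n not in local)
            yield from _walk(local)
        else:
            for value in node.values():
                yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def _referenced(body):
    """Names a resource refers to: intrinsics in Properties plus explicit DependsOn."""
    explicit = body.get("DependsOn", [])
    explicit = [explicit] if isinstance(explicit, str) else list(explicit)
    return set(_walk(body.get("Properties", {}))) | set(explicit)


def dependencies(template):
    """Logical ID -> set of template resources it must wait for. Parameters and pseudo
    parameters are substituted at deploy time and order nothing, so they are dropped."""
    resources = template.get("Resources", {})
    return {lid: {n for n in _referenced(body) if n in resources and n != lid}
            for lid, body in resources.items()}


def unresolved_references(template):
    """Logical ID -> referenced names the template never defines (a template that GetAtt's
    a role it does not declare really would fail at creation)."""
    resources = template.get("Resources", {})
    known = set(resources) | set(template.get("Parameters", {})) | PSEUDO_PARAMETERS
    missing = {lid: sorted(_referenced(body) - known) for lid, body in resources.items()}
    return {lid: names for lid, names in missing.items() if names}


def creation_order(template):
    """An order CloudFormation could create the resources in: every dependency precedes
    its dependants. Raises graphlib.CycleError on a circular reference."""
    return list(TopologicalSorter(dependencies(template)).static_order())


def lambda_role_sources(template):
    """Per AWS::Lambda::Function: 'template:<RoleId>' when Role points at a role declared
    here (creation is ordered), else 'external' (the role must pre-exist)."""
    resources = template.get("Resources", {})
    out = {}
    for lid, body in resources.items():
        if body.get("Type") == "AWS::Lambda::Function":
            refs = [n for n in _walk(body.get("Properties", {}).get("Role")) if n in resources]
            out[lid] = f"template:{refs[0]}" if refs else "external"
    return out


# Constructed, trimmed JSON-form copy of the question's template (not its YAML verbatim):
# only the properties that carry references are kept.
SAMPLE_TEMPLATE = {
    "Parameters": {"Version": {"Type": "String"}, "Environment": {"Type": "String"},
                   "DpTestSetEntrySnsTopicArn": {"Type": "String"}},
    "Resources": {
        "DpTseSubscription": {"Type": "AWS::SNS::Subscription", "Properties": {
            "TopicArn": {"Ref": "DpTestSetEntrySnsTopicArn"},
            "Endpoint": {"Fn::GetAtt": ["DpTestSetEntryUpdatedQueue", "Arn"]}, "Protocol": "sqs"}},
        "DpTestSetEntryUpdatedQueue": {"Type": "AWS::SQS::Queue", "Properties": {
            "QueueName": {"Fn::Sub": "viva-dp-tse-updated-${Environment}"},
            "RedrivePolicy": {"deadLetterTargetArn": {"Fn::GetAtt": ["DpTestSetEntryUpdatedDLQ", "Arn"]},
                              "maxReceiveCount": 5},
            "Tags": [{"Key": "Name", "Value": {"Ref": "AWS::StackName"}}]}},
        "DpTestSetEntryUpdatedDLQ": {"Type": "AWS::SQS::Queue"},
        "DpTestSetEntryUpdatedSQSPolicy": {"Type": "AWS::SQS::QueuePolicy", "Properties": {
            "Queues": [{"Ref": "DpTestSetEntryUpdatedQueue"}],
            "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sqs:SendMessage",
                "Resource": {"Fn::GetAtt": ["DpTestSetEntryUpdatedQueue", "Arn"]},
                "Condition": {"ArnEquals": {"aws:SourceArn": {"Ref": "DpTestSetEntrySnsTopicArn"}}}}]}}},
        "DpTseUpdatedFunction": {"Type": "AWS::Lambda::Function", "Properties": {
            "Code": {"S3Bucket": {"Fn::Sub": "viva-${Environment}-${AWS::AccountId}"},
                     "S3Key": {"Fn::Sub": "${Version}.zip"}},
            "Role": {"Fn::GetAtt": ["DpTseUpdatedFunctionRole", "Arn"]}, "Runtime": "nodejs20.x"}},
        "DpTseUpdatedFunctionLogGroup": {"Type": "AWS::Logs::LogGroup", "Properties": {
            "LogGroupName": {"Fn::Join": ["/", ["/aws/lambda", {"Ref": "DpTseUpdatedFunction"}]]}}},
        "DpTseUpdatedFunctionRole": {"Type": "AWS::IAM::Role", "Properties": {
            "RoleName": {"Fn::Sub": "viva-dp-tse-updated-role-${Environment}"},
            "Policies": [{"PolicyName": "ReadSecretsPolicy", "PolicyDocument": {"Statement": [{
                "Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
                # A literal ARN assembled with Fn::Sub names no resource, so it orders nothing.
                "Resource": {"Fn::Sub": "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:viva-dp-tse-updated-${Environment}"}}]}}]}},
    },
}

if __name__ == "__main__":
    for lid, deps in dependencies(SAMPLE_TEMPLATE).items():
        print(f"{lid:32s} waits for {sorted(deps) or '-'}")
    print("creation order:", " -> ".join(creation_order(SAMPLE_TEMPLATE)))
    print("unresolved:", unresolved_references(SAMPLE_TEMPLATE) or "none")
    print("lambda roles:", lambda_role_sources(SAMPLE_TEMPLATE))
```

For the sample, `DpTseUpdatedFunction` waits for `DpTseUpdatedFunctionRole` and no reference is unresolved, so a "role not found" during creation is not something the dependency graph of this template explains; the script is useful as a pre-deploy check, and the failing resource's own event in the stack's event list is where to look next. The inline policy's SQS ARN is built from pseudo parameters rather than a GetAtt, which is why the role has no dependency on the queue: IAM does not need the resource to exist when the policy is written.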