Teri Radichel

Summary

The author encountered a misleading CloudFormation error message related to Fn::ImportValue and suggests that AWS should provide more meaningful error messages in the context of CloudFormation usage.

Abstract

Teri Radichel discusses a challenging CloudFormation error that occurred while using the Fn::ImportValue function. The error message indicated a template issue where an attribute should not depend on any resources, imported values, or Fn::GetAZs. After thorough examination and correcting a typo in the parameter name, the author resolved the issue by closely following the documentation and ensuring exact parameter matching. The post also touches on an unrelated concern about a URL in the article unexpectedly changing to a .cn top-level domain, which was blocked on the author's network. The author advocates for AWS to enhance the clarity of error messages, especially for unique cases in CloudFormation, to prevent confusion and improve the user experience.

Opinions

  • The author finds the CloudFormation error message to be misleading and unhelpful for the specific issue encountered.
  • The author believes that AWS should provide more contextually relevant error messages for CloudFormation users.
  • There is a suggestion that AWS ought to address the inconsistent syntax within CloudFormation to reduce the difficulty in remembering how to handle various cases.
  • The author indicates that the error message should directly address the existence of the value in the template rather than the general dependency issue.
  • The author disagrees with the response given to another user experiencing a similar error, where the issue was dismissed as "invalid YAML," emphasizing that CloudFormation has its own context beyond YAML syntax.

An error occurred (ValidationError) when calling the CreateChangeSet operation: Template error: the attribute in Fn::ImportValue must not depend on any resources, imported values, or Fn::GetAZs

Another misleading error from CloudFormation


This error is kind of right but mostly unhelpful in the particular case I was having. I had named some parameters I passed into my template in a complex way, not to mention I probably need glasses.

I was looking at my template over and over and thought I had copied the documentation exactly for Fn::ImportValue — even the weird caveats.

Update: What is odd about this post is that somehow it got updated to a tld of .cn. That particular tld is blocked on my network. I would never have been able to visit that page; therefore, I do not believe I added that page to this post. Hopefully something odd isn’t going on with Medium.

Finally I copied and pasted the code from the documentation and then copied and pasted my parameter names into the sub name. That worked.

I think I probably had a typo in the Sub that was referencing a parameter. So the error message is telling me something that in this case doesn’t make sense.

It would be more appropriate to say:

The value referenced in your Sub does not exist in this template. Check to see that the name you are passing in exactly matches what you are trying to reference.
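A pre-deployment check that reports exactly that condition, as an added example that is not code from the original post or from AWS. It assumes a JSON-form template already loaded as a dict, and the parameter and export names in the sample are constructed.

```python
import difflib
import re

# ${Name} placeholders in Fn::Sub; ${!Name} is an escaped literal and is skipped.
PLACEHOLDER = re.compile(r"\$\{(?!!)\s*([^}\s]+)\s*\}")

def sub_names(sub_arg):
    """Names a Fn::Sub argument references, minus its own local variable map."""
    if isinstance(sub_arg, list):
        text, local = sub_arg[0], set(sub_arg[1])
    else:
        text, local = sub_arg, set()
    return [n for n in PLACEHOLDER.findall(text) if n not in local]

def walk(node, key_wanted):
    """Yield the value stored under key_wanted at any depth of the template."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == key_wanted:
                yield value
            yield from walk(value, key_wanted)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item, key_wanted)

def check_imports(template):
    """Return (bad_name, closest_parameter_or_None) for every name used inside
    Fn::ImportValue that is not a declared parameter or an AWS:: pseudo parameter."""
    params = list(template.get("Parameters", {}))
    findings = []
    for arg in walk({"arg": template}, "Fn::ImportValue"):
        names = [n for s in walk({"a": arg}, "Fn::Sub") for n in sub_names(s)]
        names += [r for r in walk({"a": arg}, "Ref") if isinstance(r, str)]
        for name in names:
            if name.startswith("AWS::") or name in params:
                continue
            close = difflib.get_close_matches(name, params, n=1)
            findings.append((name, close[0] if close else None))
    return findings

SAMPLE = {  # constructed template: "Typo" misspells the parameter name
    "Parameters": {"NetworkStackNameParam": {"Type": "String"}},
    "Resources": {
        "Good": {"Properties": {"SubnetId": {
            "Fn::ImportValue": {"Fn::Sub": "${NetworkStackNameParam}-SubnetID"}}}},
        "Typo": {"Properties": {"SubnetId": {
            "Fn::ImportValue": {"Fn::Sub": "${NetworkStackNameParm}-SubnetID"}}}},
    },
}
```

Each finding pairs the unmatched name with the closest declared parameter, which is the hint the CloudFormation message does not give.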

Also I wish AWS would fix the inconsistent syntax. It’s hard to remember how to create all these one-off cases.

One more: I saw someone else got the same error I got where the Fn::ImportValue cannot be on the same line as the property — a mapping error. The person responding to them said “well it’s invalid yaml.” But this is CloudFormation, not just YAML. Overwrite that underlying YAML error message with something more meaningful in the context of CloudFormation.

Teri Radichel | © 2nd Sight Lab 2022
