Teri Radichel


Fn::Select cannot select nonexistent value at index 1

Stop requiring default Subnets and why is it suddenly failing when they exist and my code hasn’t changed?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Bugs | AWS Security | Secure Code | CloudFormation

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I was using a select to get an availability zone id according to the method described in the AWS documentation here:

I started getting errors on this code that worked perfectly fine in the past.

Template error: Fn::Select cannot select nonexistent value at index 1

After further review of the documentation, I find it nonsensical that this method only works if a default subnet exists. Also, I do have default VPCs and default subnets in this region. Nothing has changed. I wonder if there’s a bug in that function at the moment. In any case, it seems unreliable, so I wrote my own function for command line use, as this is a very simple concept and there’s no need to rely on the default resources.

The other thing I don’t like and find messy-looking are the CloudFormation cases where you have to combine the old Fn:: style functions with the new short versions in YAML that start with an exclamation point (like !GetAZs). Seems like there must be a better, cleaner way to do that. But anyway, I have the above function now, so I won’t be using that built-in one anymore.

Improvements I should/could make:

  • Check to see if the index is within the available AZs, or throw an error.
  • Check to see that the index is an integer.
  • It would be nice if there were some way to see whether there is capacity to deploy in that AZ. #awswishlist

Except… I got this error… because that’s not actually the correct value for an availability zone.

Resource handler returned message: “Value (use2-az2) for parameter availabilityZone is invalid. Subnets can currently only be created in the following availability zones: us-east-2a, us-east-2b, us-east-2c.”

I actually needed to use the ZoneName not ZoneId — easy fix.

Or so I thought. I was grepping but the number in the ID…one more change.

By the way, the list in that error message is what I want some function to return, because sometimes there’s no capacity in a zone and it won’t be in that list. Anyway that gives me a ZoneName instead.
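The post’s own command line function is not shown on the page, so the following is an added example (not the author’s code) of the same idea: take the JSON that `aws ec2 describe-availability-zones --region us-east-2` returns, keep only standard zones in the `available` state, and select one by index with the integer and range checks listed above, returning the ZoneName (us-east-2b) rather than the ZoneId (use2-az2) that the subnet resource rejected. The embedded response is constructed to look like that command’s output; it is not a real capture, and the function names are mine.

```python
"""Select a subnet-capable availability zone by index from a
describe-availability-zones response, returning ZoneName, not ZoneId."""
import json

# Constructed sample modelled on `aws ec2 describe-availability-zones` output for
# us-east-2. Illustrative values only, not a real API capture.
SAMPLE_RESPONSE = json.dumps({
    "AvailabilityZones": [
        {"State": "available", "RegionName": "us-east-2", "ZoneName": "us-east-2a",
         "ZoneId": "use2-az1", "ZoneType": "availability-zone"},
        {"State": "available", "RegionName": "us-east-2", "ZoneName": "us-east-2b",
         "ZoneId": "use2-az2", "ZoneType": "availability-zone"},
        {"State": "available", "RegionName": "us-east-2", "ZoneName": "us-east-2c",
         "ZoneId": "use2-az3", "ZoneType": "availability-zone"},
        # A Local Zone entry (constructed): present in the API response, but not
        # somewhere a plain VPC subnet template should land by accident.
        {"State": "available", "RegionName": "us-east-2", "ZoneName": "us-east-2-xyz-1a",
         "ZoneId": "use2-xyz1-az1", "ZoneType": "local-zone"},
    ]
})


def usable_zone_names(response_json: str) -> list[str]:
    """Return the ZoneNames a subnet can be created in: standard availability
    zones in the 'available' state, in the order the API returned them."""
    data = json.loads(response_json)
    return [
        az["ZoneName"]
        for az in data["AvailabilityZones"]
        if az.get("State") == "available" and az.get("ZoneType") == "availability-zone"
    ]


def select_zone_name(response_json: str, index) -> str:
    """Equivalent of !Select over !GetAZs, plus the checks from the post's list:
    the index must be an integer and must fall inside the usable zone list."""
    # CLI arguments arrive as strings, so accept "1" as well as 1; reject "two"
    # and booleans (True is an int in Python, but not a sensible AZ index).
    if isinstance(index, bool) or not isinstance(index, int):
        try:
            index = int(str(index).strip())
        except ValueError:
            raise ValueError(f"availability zone index must be an integer, got {index!r}")
    zones = usable_zone_names(response_json)
    if not 0 <= index < len(zones):
        raise IndexError(
            f"index {index} is outside the {len(zones)} usable zones: {', '.join(zones)}"
        )
    return zones[index]


if __name__ == "__main__":
    for i in ("0", 1, "2", 3, "two"):
        try:
            print(i, "->", select_zone_name(SAMPLE_RESPONSE, i))
        except (ValueError, IndexError) as err:
            print(i, "->", err)
```

The `State` field only says whether the zone itself is usable; it does not tell you whether there is capacity to place a subnet or an instance there, so the wishlist item above still stands. Feed the function real output from `aws ec2 describe-availability-zones` in place of the constructed sample to use it from a script.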

However, after fixing that, which I like better than AZ select anyway for the reasons mentioned, I’m getting the error on another Select that was working before. Hmm.

What I realized here is that I was using the CIDR function to create the number of CIDRs specified by SubnetIndexParam and then trying to select an index outside of that range. That was likely due to a poorly named SubnetIndexParam parameter. I renamed it to SubnetCountParam to be clearer.
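To make the second error concrete, here is an added example (my code, not the template from the post) that models what Fn::Cidr and Fn::Select do, using Python’s ipaddress module: Fn::Cidr [ipBlock, count, cidrBits] yields exactly `count` subnets, each with prefix length 32 - cidrBits, and Fn::Select over that list fails for any index of `count` or higher. The function names and the parameter names SubnetCountParam and SubnetIndexParam in the error text are taken from the post; the VPC ranges are constructed.

```python
"""Model CloudFormation's Fn::Cidr and Fn::Select to show why a Select index
that is >= the count passed to Fn::Cidr fails with 'nonexistent value'."""
import ipaddress


def fn_cidr(ip_block: str, count: int, cidr_bits: int) -> list[str]:
    """Fn::Cidr [ipBlock, count, cidrBits]: carve `count` subnets out of
    `ip_block`, each keeping `cidr_bits` host bits (prefix = 32 - cidr_bits)."""
    network = ipaddress.ip_network(ip_block, strict=True)
    new_prefix = network.max_prefixlen - cidr_bits
    if new_prefix < network.prefixlen:
        raise ValueError(f"cidrBits {cidr_bits} exceeds the host bits of {ip_block}")
    subnets = []
    for subnet in network.subnets(new_prefix=new_prefix):
        if len(subnets) == count:
            break
        subnets.append(str(subnet))
    if len(subnets) < count:
        raise ValueError(
            f"{ip_block} only holds {len(subnets)} /{new_prefix} subnets, not {count}"
        )
    return subnets


def fn_select(index: int, values: list[str]) -> str:
    """Fn::Select [index, list], with the same failure mode as the template error."""
    if not 0 <= index < len(values):
        raise IndexError(f"Fn::Select cannot select nonexistent value at index {index}")
    return values[index]


def subnet_cidr(vpc_cidr: str, subnet_count: int, subnet_index: int,
                cidr_bits: int = 8) -> str:
    """What a template does with !Select [SubnetIndex, !Cidr [VpcCidr, SubnetCount, 8]],
    with an explicit parameter check so the mistake is caught before Fn::Select."""
    if subnet_index >= subnet_count:
        raise ValueError(
            f"SubnetIndexParam {subnet_index} must be less than SubnetCountParam {subnet_count}"
        )
    return fn_select(subnet_index, fn_cidr(vpc_cidr, subnet_count, cidr_bits))


if __name__ == "__main__":
    # Constructed example: a /16 VPC split into three /24 subnets.
    print(fn_cidr("10.0.0.0/16", 3, 8))
    print(subnet_cidr("10.0.0.0/16", 3, 2))
    for bad_index in (3, 5):
        try:
            subnet_cidr("10.0.0.0/16", 3, bad_index)
        except ValueError as err:
            print(err)
```

The key point is that the count argument, not the size of the VPC, bounds what Fn::Select can see: with a count of 3 the list has indexes 0 through 2 only, so passing the subnet’s ordinal as the count (as the old SubnetIndexParam name invited) and then selecting that same number is guaranteed to fail.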

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab