cfn-lint
Role property for AWS::Serverless::Function reports as invalid
When linting an AWS SAM output file, we get this error:
Error: No such property type AWS::Serverless::Function.#Role
Resource definition:
RegisterErrorLambdaFunction: DependsOn: RegisterErrorStackLogGroup Properties: CodeUri: s3://tri-deploy/lambda/api-register/1e0866c6ab4fafa3e64718bc35a3cef2 Environment: Variables: ALERT_SNS_TOPIC: Ref: RegisterAlertSnsTopic LOG_LEVEL: Ref: logLevel Handler: Lambda-DeviceRegistration-ErrorEndState::Lambda_DeviceRegistration_ErrorEndState.ErrorStateFunction::FunctionHandler Policies: - Statement: - Action: - sns:Publish Effect: Allow Resource: Fn::Sub: arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${RegisterAlertSnsTopic.TopicName} Runtime: dotnetcore2.1 Timeout: 300 Type: AWS::Serverless::Function
Property Role is a valid property
Hi @aap69, could you pop that in a code block?
Looks like this is due to the new SAM support @RazzM13. @aap69, I assume you are not defining a role and letting the SAM framework do it for you?
Hey @martysweet, I'm having a look at it now.
Hello @aap69, could you please provide a full template sample, preferably within a code block, as I have attempted to reproduce this issue by cleaning up your example a bit and I ended up with:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Issue 206
Parameters:
  logLevel:
    Type: string
    Default: someLogLevel
Resources:
  RegisterAlertSnsTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: someTopicName
  RegisterErrorStackLogGroup:
    Type: AWS::Logs::LogGroup
  RegisterErrorLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      # Role: arn:aws:iam::123456789012:role/S3Access
      CodeUri: s3://some-example/lambda/api-register/ffffffffffffffffffffffffffffffff
      Environment:
        Variables:
          ALERT_SNS_TOPIC:
            Ref: RegisterAlertSnsTopic
          LOG_LEVEL:
            Ref: logLevel
      Handler: Lambda-DeviceRegistration-ErrorEndState::Lambda_DeviceRegistration_ErrorEndState.ErrorStateFunction::FunctionHandler
      # Policies:
      #   - Statement:
      #       -
      #         Action:
      #           - sns:Publish
      #         Effect: Allow
      #         Resource:
      #           Fn::Sub: arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${RegisterAlertSnsTopic.TopicName}
      Runtime: dotnetcore2.1
      Timeout: 300
    DependsOn: RegisterErrorStackLogGroup
```
Unfortunately, the above does not trigger the issue you described; however, it does reflect another issue in regards to the handling of the Policies property, and we should probably open up a separate issue about that.
I have even tried inserting a Role myself within the definition; however, that did not work either and, apparently, that property is not supported by SAM Globals, so even though I'm 100% sure that the issue is valid, without a full template sample, I can't easily figure out where it's coming from...
In regards to the handling of the Policies property, just opened #207.