Question
Background
I am trying to add a service role for CodeBuild via CloudFormation. I keep getting the following error, but I am not sure how to fix it.
Failed to create the changeset: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state Status: FAILED. Reason: Template error: instance of Fn::GetAtt references undefined resource CodeBuildServiceRole
I have the following file, which has my CodeBuild configuration:
Mappings:
  'Fn::Transform':
    Name: 'AWS::Include'
    Parameters:
      Location: s3://source-code-for-download-by-ec2s/include.yaml
Parameters:
  RepositoryBranch:
    Type: String
    Description: git branch to test and deploy
  OAuthToken:
    Type: String
    Description: >
      OAuth Token for this code pipeline to connect to GitHub to download the source code
      when the webhook publishes a push event
    NoEcho: true
Resources:
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: !Sub 'xxxxxxx-dev-branch-${XXXXXXXXX}-xxxx'
      Artifacts:
        Type: S3
        Location: 'xxxxxxxxx'
        Path: !Sub 'XXXXXXXXXX/${XXXXXXXX}'
        Name: 'repo.zip'
        Packaging: ZIP
      BadgeEnabled: true
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: 'abcxxxxxxxxxxxxxxxxabcxxxxxxxxxxxxxxxxxxabcxxxxxxxxxx'
        ImagePullCredentialsType: SERVICE_ROLE
        Type: LINUX_CONTAINER
        PrivilegedMode: true
      LogsConfig:
        CloudWatchLogs:
          Status: ENABLED
      ServiceRole: !GetAtt CodeBuildServiceRole.Arn
      Source:
        Type: GITHUB
        Auth:
          Type: OAUTH
          Resource: !Ref OAuthToken
        Location: 'https://github.com/xxxxxxxxxx/xxxxxxxxxxxxxxxx-xxxxxxxxxx.git'
        # shallow clone: just the latest commit of this branch, no history (a depth of 0 means the full history)
        GitCloneDepth: 1
        ReportBuildStatus: true
      SourceVersion: !Ref RepositoryBranch
      TimeoutInMinutes: 60
I also have an additional file where I am creating the service role and its policy, and also adding CodeBuild as an action:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CodeBuildServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSCodeBuildServiceRole-role-created-by-cloudformation
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
      ManagedPolicyArns:
        - !Ref CodeBuildServiceRolePolicy
      Path: /service-role/
  CodeBuildServiceRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: AWSCodeBuildServiceRole-policy-created-by-cloudformation
      Description: 'Policy meant for CodeBuild service role that CodeBuild runs-as to deploy code from Github to S3'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - iam:PassRole
            Resource: '*'
            Effect: Allow
            Condition:
              StringEqualsIfExists:
                iam:PassedToService:
                  - cloudformation.amazonaws.com
                  - elasticbeanstalk.amazonaws.com
                  - ec2.amazonaws.com
                  - ecs-tasks.amazonaws.com
          - Action:
              - codebuild:*
            Resource: '*'
            Effect: Allow
          - Action:
              - codedeploy:CreateDeployment
              - codedeploy:GetApplication
              - codedeploy:GetApplicationRevision
              - codedeploy:GetDeployment
              - codedeploy:GetDeploymentConfig
              - codedeploy:RegisterApplicationRevision
            Resource: '*'
            Effect: Allow
          - Action:
              - elasticbeanstalk:*
              - ec2:*
              - elasticloadbalancing:*
              - autoscaling:*
              - cloudwatch:*
              - s3:*
              - sns:*
              - cloudformation:*
              - rds:*
              - sqs:*
              - ecs:*
            Resource: '*'
            Effect: Allow
          - Action:
              - lambda:InvokeFunction
              - lambda:ListFunctions
            Resource: '*'
            Effect: Allow
          - Action:
              - opsworks:CreateDeployment
              - opsworks:DescribeApps
              - opsworks:DescribeCommands
              - opsworks:DescribeDeployments
              - opsworks:DescribeInstances
              - opsworks:DescribeStacks
              - opsworks:UpdateApp
              - opsworks:UpdateStack
            Resource: '*'
            Effect: Allow
          - Action:
              - cloudformation:CreateStack
              - cloudformation:DeleteStack
              - cloudformation:DescribeStacks
              - cloudformation:UpdateStack
              - cloudformation:CreateChangeSet
              - cloudformation:DeleteChangeSet
              - cloudformation:DescribeChangeSet
              - cloudformation:ExecuteChangeSet
              - cloudformation:SetStackPolicy
              - cloudformation:ValidateTemplate
            Resource: '*'
            Effect: Allow
          - Action:
              - codebuild:BatchGetBuilds
              - codebuild:StartBuild
            Resource: '*'
            Effect: Allow
          - Effect: Allow
            Action:
              - devicefarm:ListProjects
              - devicefarm:ListDevicePools
              - devicefarm:GetRun
              - devicefarm:GetUpload
              - devicefarm:CreateUpload
              - devicefarm:ScheduleRun
            Resource: '*'
          - Effect: Allow
            Action:
              - servicecatalog:ListProvisioningArtifacts
              - servicecatalog:CreateProvisioningArtifact
              - servicecatalog:DescribeProvisioningArtifact
              - servicecatalog:DeleteProvisioningArtifact
              - servicecatalog:UpdateProduct
            Resource: '*'
          - Effect: Allow
            Action:
              - cloudformation:ValidateTemplate
            Resource: '*'
          - Effect: Allow
            Action:
              - ecr:DescribeImages
            Resource: '*'
Outputs:
  CodeBuildServiceRoleExportThingArn:
    Description: 'ARN of code-build service role, to be imported by CodeBuild stacks'
    Value: !GetAtt CodeBuildServiceRole.Arn
    Export:
      Name: CodeBuildServiceRoleArn
Question
Both files are in the same directory, so I am not sure why I am getting this error. I would love some input, as I have been stuck on this for some time.
Answer 1:
I don't see anywhere that you're nesting the stacks, so I assume these are two distinct stacks? In that case, you can't just reference the entities in another stack - they aren't aware of each other. But you can use CFN Intrinsic Functions to grab the stack outputs.
Keep in mind, the stack with CodeBuildServiceRole will have to be run first. Also, I suggest you add something unique to the export (maybe the stack name) so there aren't naming collisions.
Then this should work:
Resources:
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      ServiceRole: !ImportValue CodeBuildServiceRoleArn
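The answer above rests on two rules that can be checked offline before a change set is ever created: every `Ref`, `!GetAtt` and `${...}` inside `!Sub` must name a Parameter, a Resource or a pseudo parameter of the same template (this is exactly what "references undefined resource" means), while `Fn::ImportValue` is not checked against the template at all and only resolves at deploy time against exports of stacks that already exist. The following Python is an added example written for this page, not code from the asker, the answerer or AWS. It works on templates in CloudFormation's JSON form (the YAML short tags map onto it: `!GetAtt X.Arn` is `{"Fn::GetAtt": ["X", "Arn"]}`, `!ImportValue N` is `{"Fn::ImportValue": "N"}`), uses trimmed, constructed versions of the two templates in the question as samples, exports the role ARN under the stack name as the answer suggests, and assumes that the role stack is deployed under the stack name `codebuild-role`.

```python
"""Offline checks for the two failure modes in this thread: a Ref/GetAtt/Sub naming a resource
the template itself does not define (rejected when the change set is created), and an
Fn::ImportValue whose export no deployed stack produces. Templates are in CloudFormation's
JSON form; "codebuild-role" below is an assumed stack name, the samples are constructed."""
import re
from typing import Any, Dict, List, Set, Tuple

# Always resolvable without a declaration in Parameters or Resources.
PSEUDO_PARAMETERS = {"AWS::AccountId", "AWS::NotificationARNs", "AWS::NoValue", "AWS::Partition",
                     "AWS::Region", "AWS::StackId", "AWS::StackName", "AWS::URLSuffix"}
# ${Name} or ${Name.Attr} inside Fn::Sub; "${!Name}" is an escaped literal and is skipped.
_SUB_VAR = re.compile(r"\$\{([^}!][^}]*)\}")


def _walk(node: Any, path: Tuple[str, ...] = ()):
    """Yield (path, mapping) for every mapping in the template, depth first."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + (str(index),))


def find_undefined_references(template: dict) -> List[Tuple[str, str, str]]:
    """(path, intrinsic, name) for every Ref, Fn::GetAtt and Fn::Sub variable whose target is
    neither a Parameter nor a Resource of this template nor a pseudo parameter."""
    known = (set(template.get("Resources", {})) | set(template.get("Parameters", {}))
             | PSEUDO_PARAMETERS)
    problems = []
    for path, node in _walk(template):
        if len(node) != 1:
            continue  # intrinsic functions are always single-key mappings
        (fn, arg), = node.items()
        targets: List[str] = []
        if fn == "Ref" and isinstance(arg, str):
            targets = [arg]
        elif fn == "Fn::GetAtt":  # long form ["Logical", "Attr"] or string "Logical.Attr"
            targets = [arg[0] if isinstance(arg, list) else str(arg).split(".", 1)[0]]
        elif fn == "Fn::Sub":  # plain string, or [string, {local variable map}]
            text = arg[0] if isinstance(arg, list) else arg
            local_vars = set(arg[1]) if isinstance(arg, list) and len(arg) > 1 else set()
            if isinstance(text, str):
                targets = [v.split(".", 1)[0] for v in _SUB_VAR.findall(text)
                           if v.split(".", 1)[0] not in local_vars]
        problems.extend(("/".join(path), fn, t) for t in targets if t not in known)
    return problems


def exported_names(producers: Dict[str, dict]) -> Set[str]:
    """Export names of the producer templates, keyed by the stack name each is deployed under.
    ${AWS::StackName} in a Fn::Sub export name is resolved (that is what makes the export
    unique per stack); names with any other unresolved variable are skipped, not guessed."""
    names = set()
    for stack_name, template in producers.items():
        for output in template.get("Outputs", {}).values():
            name = output.get("Export", {}).get("Name")
            if isinstance(name, dict) and isinstance(name.get("Fn::Sub"), str):
                name = name["Fn::Sub"].replace("${AWS::StackName}", stack_name)
            if isinstance(name, str) and "${" not in name:
                names.add(name)
    return names


def find_missing_imports(consumer: dict, producers: Dict[str, dict]) -> List[Tuple[str, str]]:
    """(path, export name) for every Fn::ImportValue in consumer that no producer exports.
    CloudFormation resolves imports at deploy time, so the producer stack must exist first."""
    available = exported_names(producers)
    return [("/".join(path), node["Fn::ImportValue"]) for path, node in _walk(consumer)
            if len(node) == 1 and isinstance(node.get("Fn::ImportValue"), str)
            and node["Fn::ImportValue"] not in available]


# Constructed sample trimmed from the role template in the question; the ARN is exported under
# the stack name, as the answer suggests.
ROLE_STACK = {
    "Resources": {"CodeBuildServiceRole": {"Type": "AWS::IAM::Role", "Properties": {
        "Path": "/service-role/",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"Service": "codebuild.amazonaws.com"}}]}}}},
    "Outputs": {"CodeBuildServiceRoleArn": {
        "Value": {"Fn::GetAtt": ["CodeBuildServiceRole", "Arn"]},
        "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-CodeBuildServiceRoleArn"}}}},
}


def _build_stack(service_role: dict) -> dict:
    """The CodeBuild template from the question, reduced to the references that matter."""
    return {
        "Parameters": {"RepositoryBranch": {"Type": "String"}},
        "Resources": {"CodeBuildProject": {"Type": "AWS::CodeBuild::Project", "Properties": {
            "ServiceRole": service_role,
            "Name": {"Fn::Sub": "build-${RepositoryBranch}-${AWS::Region}"},
            "SourceVersion": {"Ref": "RepositoryBranch"}}}},
    }


# As posted: GetAtt to a role that lives in the other stack -> "references undefined resource".
BROKEN_BUILD_STACK = _build_stack({"Fn::GetAtt": ["CodeBuildServiceRole", "Arn"]})
# As answered: import the ARN exported by the role stack, assumed deployed as "codebuild-role".
FIXED_BUILD_STACK = _build_stack({"Fn::ImportValue": "codebuild-role-CodeBuildServiceRoleArn"})
```

`find_undefined_references(BROKEN_BUILD_STACK)` reports the `ServiceRole` GetAtt, which is the failure the question hit; the fixed template passes that check, and `find_missing_imports` then fails only if the role stack is absent or was deployed under a different name, which is the deploy-order and naming point the answer makes. Two things to plan for before the first deploy: once another stack imports the export, CloudFormation refuses to delete the role stack or change the exported value until the import is removed, so the export name should be settled up front; and the cross-stack fix does nothing about what the role can do, and the managed policy in the question grants `iam:PassRole` and wildcards such as `ec2:*`, `s3:*` and `cloudformation:*` on `Resource: "*"` to a build that runs with `PrivilegedMode: true`, so whoever can push to that GitHub branch effectively holds those permissions.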
Source: https://stackoverflow.com/questions/59256454/template-error-instance-of-function-references-undefined-resource