Why does CloudFormation report "Property Topics cannot be empty" on an SNS TopicPolicy and then fail to create it?
0
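[The following question has been translated.] I am trying to build a CloudFormation template using examples I found online. I ran into a dependency problem between the S3 and SNS resources, which led me to read this AWS article:
Using this as an example, I created a parameterized S3 bucket name and an SNS TopicPolicy. However, when creating the CloudFormation stack, I found that the TopicPolicy ends up in the CREATE_FAILED state and shows "Property Topics cannot be empty.". The only solution I have tried is adding DependsOn to the TopicPolicy, which is an attribute not listed in the article linked above.
My guess is that {"Ref": "TransactionUploadTopic"} in the Topics array is not resolving to the ARN of TransactionUploadTopic, even though it was created successfully in the CF stack (so I don't know why this would happen).
My template is below; I learned from the AMediaManager tutorial (GitHub Repo) and other online resources (since my architecture is very different from the AMM tutorial):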
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Provision resource dependencies for the app (e.g., RDS, S3, DynamoDB, etc..).",
  "Parameters": {
    "AppBucketNameSuffix": {
      "Description": "The S3 bucket for user uploads",
      "Type": "String"
    }
  },
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "RDS allows ingress from EC2 instances in this group.",
        "SecurityGroupIngress": []
      }
    },
    "TransactionUploadQueue": {
      "Type": "AWS::SQS::Queue"
    },
    "TransactionUploadTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "Subscription": [{
          "Endpoint": {
            "Fn::GetAtt": ["TransactionUploadQueue", "Arn"]
          },
          "Protocol": "sqs"
        }]
      }
    },
    "AppBucket2SNSPolicy": {
      "Type": "AWS::SNS::TopicPolicy",
      "DependsOn": ["TransactionUploadTopic"],
      "Properties": {
        "PolicyDocument": {
          "Id": "S3NotificationPolicy",
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Statement-id",
              "Effect": "Allow",
              "Principal": {"Service": "s3.amazonaws.com"},
              "Action": "sns:Publish",
              "Resource": {"Ref": "TransactionUploadTopic"},
              "Condition": {
                "ArnLike": {
                  "aws:SourceArn": {"Fn::Join": [ "", [ "arn:aws:s3:::", {"Ref": "AWS::StackName"}, "-", {"Ref": "AppBucketNameSuffix"} ]]}
                }
              }
            }
          ],
          "Topics": [ {"Ref": "TransactionUploadTopic"} ]
        }
      }
    },
    "AppBucket": {
      "Type": "AWS::S3::Bucket",
      "DependsOn": ["AppBucket2SNSPolicy"],
      "Properties": {
        "BucketName": {"Fn::Join": ["-", [{"Ref": "AWS::StackName"}, {"Ref": "AppBucketNameSuffix"}]]},
        "NotificationConfiguration": {
          "TopicConfigurations": [
            {
              "Event": "s3:ObjectCreated:*",
              "Topic": {"Ref": "TransactionUploadTopic"}
            }
          ]
        }
      }
    },
    "TransactionUploadTopic2QueuePolicy": {
      "Type": "AWS::SQS::QueuePolicy",
      "Properties": {
        "Queues": [{
          "Ref": "TransactionUploadQueue"
        }],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Id": "PublicationPolicy",
          "Statement": [{
            "Sid": "Allow-SNS-SendMessage",
            "Effect": "Allow",
            "Principal": {
              "AWS": "*"
            },
            "Action": ["sqs:SendMessage"],
            "Resource": {
              "Fn::GetAtt": ["TransactionUploadQueue", "Arn"]
            },
            "Condition": {
              "ArnEquals": {
                "aws:SourceArn": {
                  "Ref": "TransactionUploadTopic"
                }
              }
            }
          }]
        }
      }
    },
    "TransactionUploadRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "ec2.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/",
        "Policies": [{
          "PolicyName": "TransactionUploadPolicy",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Sid": "1",
              "Effect": "Allow",
              "Action": [
                "s3:Get*",
                "s3:ListBucket",
                "s3:Put*",
                "s3:*MultipartUpload*"
              ],
              "Resource": [{
                "Fn::Join": ["", ["arn:aws:s3:::", {
                  "Ref": "AppBucket"
                }, "/*"]]
              }, {
                "Fn::Join": ["", ["arn:aws:s3:::", {
                  "Ref": "AppBucket"
                }]]
              }]
            }, {
              "Sid": "2",
              "Effect": "Allow",
              "Action": "sns:Publish",
              "Resource": {
                "Ref": "TransactionUploadTopic"
              }
            }, {
              "Sid": "3",
              "Effect": "Deny",
              "Action": [
                "sns:*Permission*",
                "sns:*Delete*",
                "sns:*Remove*",
                "s3:*Policy*",
                "s3:*Delete*"
              ],
              "Resource": "*"
            }]
          }
        }]
      }
    }
  },
  "Outputs": {
    "InstanceSecurityGroup": {
      "Value": {"Ref": "InstanceSecurityGroup"}
    },
    "AppBucket": {
      "Value": { "Ref" : "AppBucket"}
    },
    "TransactionUploadTopic": {
      "Value": { "Ref" : "TransactionUploadTopic" }
    },
    "TransactionUploadQueue": {
      "Value": { "Ref" : "TransactionUploadQueue" }
    },
    "TransactionUploadRoleArn": {
      "Value": { "Fn::GetAtt": ["TransactionUploadRole", "Arn"]}
    }
  }
}
1 Answer
0
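[The following answer has been translated.] Your nesting is wrong - "topic" should sit directly under Properties, not inside the policy document.
Also, I strongly recommend using YAML instead of JSON. YAML is easier to read, and it supports comments!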
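A pre-deploy check for the nesting error discussed in this thread, as an added example that is not part of the original question or answer: it flags an `AWS::SNS::TopicPolicy` whose `Topics` list sits inside `PolicyDocument` and moves it up beside it. The function names and the trimmed sample template are constructed for illustration; the `AWS::SQS::QueuePolicy` entry extends the same check to the `Queues` property.

```python
import json

# Target-list property that CloudFormation requires beside PolicyDocument.
REQUIRED_SIBLINGS = {
    "AWS::SNS::TopicPolicy": "Topics",
    "AWS::SQS::QueuePolicy": "Queues",
}

def find_misplaced_targets(template):
    """Return (logical_id, property, problem) for each policy resource whose
    target list is nested inside PolicyDocument or absent from Properties."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        prop = REQUIRED_SIBLINGS.get(resource.get("Type"))
        if prop is None:
            continue
        props = resource.get("Properties", {})
        if prop in props.get("PolicyDocument", {}):
            findings.append((logical_id, prop, "nested in PolicyDocument"))
        elif not props.get(prop):
            findings.append((logical_id, prop, "missing or empty"))
    return findings

def hoist_targets(template):
    """Move each nested target list up to Properties (modifies template)."""
    for logical_id, prop, problem in find_misplaced_targets(template):
        if problem == "nested in PolicyDocument":
            props = template["Resources"][logical_id]["Properties"]
            # An existing Properties-level list wins; the nested copy is dropped.
            props.setdefault(prop, props["PolicyDocument"].pop(prop))
    return template

# Constructed sample: the question's TopicPolicy, trimmed to the relevant keys.
SAMPLE = json.loads("""
{"Resources": {"AppBucket2SNSPolicy": {
  "Type": "AWS::SNS::TopicPolicy",
  "Properties": {"PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sns:Publish",
                   "Principal": {"Service": "s3.amazonaws.com"},
                   "Resource": {"Ref": "TransactionUploadTopic"}}],
    "Topics": [{"Ref": "TransactionUploadTopic"}]
  }}
}}}
""")

if __name__ == "__main__":
    print(find_misplaced_targets(SAMPLE))
    print(json.dumps(hoist_targets(SAMPLE), indent=2))
```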