By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Cloudformation template error: "Fragment returned by transform AWS::LanguageExtensions is null"

0

I'm trying to include the Transform AWS::LanguageExtensions in a template. I'm unable to create the stack with the error

Fragment returned by transform AWS::LanguageExtensions is null

I've removed various resources from the template to try to narrow down the issue. I've been able to determine that for step functions AWS::StepFunctions::StateMachine

If I use !GetAtt for the RoleARN I receive the above error. I'm wondering if anyone else is using LanguageExtensions with Stepfuctions or if others are seeing this error.

A sampel template

AWSTemplateFormatVersion: "2010-09-09"
#Transform: 'AWS::LanguageExtensions'
Transform: 
  - 'AWS::LanguageExtensions'
Resources:
  mystatemachine:
    Type: 'AWS::StepFunctions::StateMachine'
    Properties:
      RoleArn: !GetAtt myrole.Arn
      DefinitionString: |-
        {
          "Comment": "A description of my state machine",
          "StartAt": "Pass",
          "States": {
            "Pass": {
              "Type": "Pass",
              "End": true
            }
          }
        }
4 Answers
0

Hi, I tried it with your template with a simple role definition added:

AWSTemplateFormatVersion: "2010-09-09"
#Transform: 'AWS::LanguageExtensions'
Transform: 
  - 'AWS::LanguageExtensions'
Resources:
  myrole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'  
  mystatemachine:
    Type: 'AWS::StepFunctions::StateMachine'
    Properties:
      RoleArn: !GetAtt myrole.Arn
      DefinitionString: |-
        {
          "Comment": "A description of my state machine",
          "StartAt": "Pass",
          "States": {
            "Pass": {
              "Type": "Pass",
              "End": true
            }
          }
        }

The Stack was created without any errors in ap-southeast-2.

EXPERT
answered 20 days ago
  • This helped. Thank you. I see the same behavior in us-east-1. I assumed my policy was correct and the AWS Stepfunction definition was wrong. I'm taking a closer look at the role. Thanks again!

0

The error you're encountering, "Fragment returned by transform AWS::LanguageExtensions is null," suggests an issue with the AWS::LanguageExtensions transform in your CloudFormation template. This transform is designed to enable additional features in CloudFormation, but it seems to be causing problems with your specific template structure.

The issue appears to be related to the use of !GetAtt for the RoleArn property in your AWS::StepFunctions::StateMachine resource. The AWS::LanguageExtensions transform might not be properly processing this intrinsic function in this context.

To troubleshoot this issue, you could try the following:

  1. Ensure that the 'myrole' resource is properly defined in your template. The error could occur if the role resource doesn't exist or is incorrectly referenced.

  2. Instead of using !GetAtt, try using the Fn::GetAtt function in its JSON form: "RoleArn": { "Fn::GetAtt": ["myrole", "Arn"] }

  3. If possible, try hardcoding the role ARN temporarily to see if the issue persists. This can help isolate whether the problem is with the !GetAtt function or something else in the template.

  4. Check if removing the AWS::LanguageExtensions transform resolves the issue. If it does, you may need to restructure your template to work without this transform or investigate if there's a compatibility issue between the transform and your template structure.

  5. Validate your template using the AWS CloudFormation Linter (cfn-lint) before attempting to create the stack. This can help catch potential issues early in the process.

If the problem persists after trying these steps, you may want to contact AWS support for further assistance, as this could potentially be a bug in the AWS::LanguageExtensions transform when used with certain Step Functions configurations.
Sources
Troubleshoot CloudFormation module errors | AWS re:Post
Transform section for CloudFormation templates - AWS CloudFormation

profile picture
answered 20 days ago
0

The source of the issues was the Role policy. Specifically this policy

        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Resource: '*'
                Action:
                  - events:*
                Effect: Allow
                Sid: EventBridgeActions
              - Condition:
                  StringEquals:
                    iam:AWSServiceName: apidestinations.events.amazonaws.com
                Resource: arn:aws:iam::*:role/aws-service-role/AmazonEventBridgeApiDestinationsServiceRolePolicy
                Action: iam:CreateServiceLinkedRole
                Effect: Allow
                Sid: IAMCreateServiceLinkedRoleForApiDestinations
              - Resource: arn:aws:secretsmanager:*:*:secret:events!*
                Action:
                  - secretsmanager:CreateSecret
                  - secretsmanager:UpdateSecret
                  - secretsmanager:DeleteSecret
                  - secretsmanager:GetSecretValue
                  - secretsmanager:PutSecretValue
                Effect: Allow
                Sid: SecretsManagerAccessForApiDestinations
              - Condition:
                  StringLike:
                    iam:PassedToService: events.amazonaws.com
                Resource: arn:aws:iam::*:role/*
                Action: iam:PassRole
                Effect: Allow
                Sid: IAMPassRoleAccessForEventBridge
          PolicyName: createJiraConnectionStepFunctionRole-creatConnectionEventBridge

I translated this from a JSON policy and threw it into a tool that converts JSON to yaml. This policy will parse and create a valid role and corresponding policy documents. The issues seems to be with how the online tool created the yaml array. Notice that two of the array elements start with "Resource" and two start with "Condition". This seems to cause an issue with the the AWS::LanguageExtensions.

This above passes cfn-lint and will create a valid policy in straight cloudformation.

If you update the policy to have the array elements all start with the same attribute, this policy will work.

answered 20 days ago
0

I received this error today and it had absolutely nothing to do with any content I've found to fix it. It was a duplicate key in ForEach loop that was used earlier in template. I removed the duplicate key and that was the only change. It seemed this error was pointing me in a direction that was a false positive.

answered 15 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions