Hi, I tried it with your template with a simple role definition added:
```yaml
AWSTemplateFormatVersion: "2010-09-09"
#Transform: 'AWS::LanguageExtensions'
Transform:
  - 'AWS::LanguageExtensions'
Resources:
  myrole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
  mystatemachine:
    Type: 'AWS::StepFunctions::StateMachine'
    Properties:
      RoleArn: !GetAtt myrole.Arn
      DefinitionString: |-
        {
          "Comment": "A description of my state machine",
          "StartAt": "Pass",
          "States": {
            "Pass": {
              "Type": "Pass",
              "End": true
            }
          }
        }
```
The Stack was created without any errors in ap-southeast-2.
The error you're encountering, "Fragment returned by transform AWS::LanguageExtensions is null," suggests an issue with the AWS::LanguageExtensions transform in your CloudFormation template. This transform is designed to enable additional features in CloudFormation, but it seems to be causing problems with your specific template structure.
The issue appears to be related to the use of !GetAtt for the RoleArn property in your AWS::StepFunctions::StateMachine resource. The AWS::LanguageExtensions transform might not be properly processing this intrinsic function in this context.
To troubleshoot this issue, you could try the following:
- Ensure that the 'myrole' resource is properly defined in your template. The error could occur if the role resource doesn't exist or is incorrectly referenced.
- Instead of using !GetAtt, try using the Fn::GetAtt function in its JSON form: "RoleArn": { "Fn::GetAtt": ["myrole", "Arn"] }
- If possible, try hardcoding the role ARN temporarily to see if the issue persists. This can help isolate whether the problem is with the !GetAtt function or something else in the template.
- Check if removing the AWS::LanguageExtensions transform resolves the issue. If it does, you may need to restructure your template to work without this transform or investigate if there's a compatibility issue between the transform and your template structure.
- Validate your template using the AWS CloudFormation Linter (cfn-lint) before attempting to create the stack. This can help catch potential issues early in the process.
If the problem persists after trying these steps, you may want to contact AWS support for further assistance, as this could potentially be a bug in the AWS::LanguageExtensions transform when used with certain Step Functions configurations.
Sources
Troubleshoot CloudFormation module errors | AWS re:Post
Transform section for CloudFormation templates - AWS CloudFormation
The source of the issues was the Role policy. Specifically this policy
```yaml
- PolicyDocument:
    Version: '2012-10-17'
    Statement:
      - Resource: '*'
        Action:
          - events:*
        Effect: Allow
        Sid: EventBridgeActions
      - Condition:
          StringEquals:
            iam:AWSServiceName: apidestinations.events.amazonaws.com
        Resource: arn:aws:iam::*:role/aws-service-role/AmazonEventBridgeApiDestinationsServiceRolePolicy
        Action: iam:CreateServiceLinkedRole
        Effect: Allow
        Sid: IAMCreateServiceLinkedRoleForApiDestinations
      - Resource: arn:aws:secretsmanager:*:*:secret:events!*
        Action:
          - secretsmanager:CreateSecret
          - secretsmanager:UpdateSecret
          - secretsmanager:DeleteSecret
          - secretsmanager:GetSecretValue
          - secretsmanager:PutSecretValue
        Effect: Allow
        Sid: SecretsManagerAccessForApiDestinations
      - Condition:
          StringLike:
            iam:PassedToService: events.amazonaws.com
        Resource: arn:aws:iam::*:role/*
        Action: iam:PassRole
        Effect: Allow
        Sid: IAMPassRoleAccessForEventBridge
  PolicyName: createJiraConnectionStepFunctionRole-creatConnectionEventBridge
```
I translated this from a JSON policy and threw it into a tool that converts JSON to YAML. This policy will parse and create a valid role and corresponding policy documents. The issue seems to be with how the online tool created the YAML array. Notice that two of the array elements start with "Resource" and two start with "Condition". This seems to cause an issue with the AWS::LanguageExtensions.
The above passes cfn-lint and will create a valid policy in straight CloudFormation.
If you update the policy to have the array elements all start with the same attribute, this policy will work.
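An added example (not from the original post or from AWS) of applying the workaround described above: it rewrites every policy statement with its keys in one fixed order and emits block-style YAML. `KEY_ORDER`, the function names and the minimal emitter are assumptions; `SAMPLE` is constructed from two statements of the policy above.

```python
import json

# Constructed sample: two statements from the policy above, in the key order the
# JSON-to-YAML converter produced (one leads with Resource, one with Condition).
SAMPLE = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Resource": "*", "Action": ["events:*"], "Effect": "Allow", "Sid": "EventBridgeActions"},
  {"Condition": {"StringLike": {"iam:PassedToService": "events.amazonaws.com"}},
   "Resource": "arn:aws:iam::*:role/*", "Action": "iam:PassRole",
   "Effect": "Allow", "Sid": "IAMPassRoleAccessForEventBridge"}]}
""")

# Assumed order; the workaround only needs every statement to use the same one.
KEY_ORDER = ["Sid", "Effect", "Principal", "Action", "Resource", "Condition"]

def leading_keys(policy):
    """First key of each statement; mixed values are the pattern described above."""
    return [next(iter(s)) for s in policy["Statement"]]

def normalize(policy):
    """Copy of the policy with each statement's keys in KEY_ORDER (unknown keys last, sorted)."""
    def reorder(stmt):
        rest = sorted(k for k in stmt if k not in KEY_ORDER)
        return {k: stmt[k] for k in [*filter(stmt.__contains__, KEY_ORDER), *rest]}
    return {**policy, "Statement": [reorder(s) for s in policy["Statement"]]}

def to_yaml(node, indent=0):
    """Minimal block-style YAML emitter; scalars are JSON-quoted, which is valid YAML."""
    pad, out = " " * indent, []
    nested = lambda v: isinstance(v, (dict, list)) and v
    if isinstance(node, dict):
        for k, v in node.items():
            key = k if k.isalnum() else json.dumps(k)  # quote keys such as iam:PassedToService
            if nested(v):
                out += [f"{pad}{key}:", *to_yaml(v, indent + 2)]
            else:
                out.append(f"{pad}{key}: {json.dumps(v)}")
    else:
        for item in node:
            if nested(item):
                first, *more = to_yaml(item, indent + 2)
                out += [f"{pad}- {first.lstrip()}", *more]
            else:
                out.append(f"{pad}- {json.dumps(item)}")
    return out

if __name__ == "__main__":
    print("leading keys before:", leading_keys(SAMPLE))
    print("\n".join(to_yaml(normalize(SAMPLE))))
```

Reordering keys does not change what the policy grants, so the normalized document can be diffed against the original JSON as plain data before it goes into the template.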
I received this error today and it had absolutely nothing to do with any content I've found to fix it. It was a duplicate key in a ForEach loop that was used earlier in the template. I removed the duplicate key and that was the only change. It seemed this error was pointing me in a direction that was a false positive.
This helped. Thank you. I see the same behavior in us-east-1. I assumed my policy was correct and the AWS Step Functions definition was wrong. I'm taking a closer look at the role. Thanks again!