Template format error: Unresolved resource dependencies [VpcFlowLogBucket] in the Resources block of the template. Error occurring while creating a stack using a CloudFormation template


Template format error: Unresolved resource dependencies [VpcFlowLogBucket] in the Resources block of the template

I am getting the above error in my CloudFormation template when I use conditions while creating resources. I have a use case where, if the user enters a specific parameter, I will apply a particular condition to avoid creating an S3 bucket and instead use the one whose ARN the user has given.

AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation stack for relaying AWS VPC flow logs for security analysis and storage.
Outputs:
  StackName:
    Description: The name of the stack deployed by this CloudFormation template.
    Value: !Ref "AWS::StackName"
Parameters:
  VpcIds:
    Description: The IDs of the VPCs for which flow logs will be relayed. VPC Flow Logs will be enabled for these VPCs.
    Type: List<AWS::EC2::VPC::Id>
  VpcFlowLogBucketArn:
    Type: String
    Default: ""  # without a Default the parameter is mandatory and the "not supplied" branch can never be taken
    Description: (Optional) The ARN of an existing S3 bucket to use for VPC flow logs. If specified, VpcFlowLogDestination will be ignored.
  TrafficType:
    AllowedValues:
      - ACCEPT
      - REJECT
      - ALL
    Default: ALL
    Description: Whether to log only rejected or accepted traffic, or log all traffic. Logging all traffic (default) enables more security outcomes.
    Type: String
  OrgId:
    Description: Your account number.
    Type: Number
  RetentionInDays:
    Description: The number of days to retain AWS VPC Flow Logs in the S3 bucket. This is effectively the size of your recovery window if the flow of logs is interrupted.
    Type: Number
    Default: 3
Conditions:
  HasExpirationInDays: !Not [!Equals [!Ref RetentionInDays, 0]]
  # True when no ARN was supplied, i.e. when the stack has to create its own bucket.
  # The resources below that carry this condition are therefore the "create a bucket" branch.
  UseExistingS3Bucket: !Equals [!Ref VpcFlowLogBucketArn, ""]
Resources:
  VpcFlowLogBucket:
    Type: "AWS::S3::Bucket"
    Condition: UseExistingS3Bucket
    Properties:
      BucketName: !Join
        - "-"
        - - aarmo-vpc-flow-bucket
          - !Ref OrgId
          - !Ref "AWS::StackName"
          - !Ref "AWS::Region"
      LifecycleConfiguration:
        Rules:
          - ExpirationInDays: !If [HasExpirationInDays, !Ref RetentionInDays, 1]
            Status: !If [HasExpirationInDays, Enabled, Disabled]
      NotificationConfiguration:
        QueueConfigurations:
          - Event: "s3:ObjectCreated:*"
            Queue: !GetAtt [MyQueue, Arn]
    DependsOn:
      - MyQueue
      - MyQueuePolicy  # S3 checks that it may publish to the queue when the notification is configured
  VpcFlowLogBucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Condition: UseExistingS3Bucket
    DependsOn:
      - VpcFlowLogBucket
    Properties:
      Bucket: !Ref VpcFlowLogBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement: # https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html#flow-logs-s3-permissions
          - Sid: AWSLogDeliveryWrite
            Effect: Allow
            Principal:
              Service: "delivery.logs.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub "${VpcFlowLogBucket.Arn}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                "s3:x-amz-acl": "bucket-owner-full-control"
          - Sid: AWSLogDeliveryAclCheck
            Effect: Allow
            Principal:
              Service: "delivery.logs.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !GetAtt "VpcFlowLogBucket.Arn"
  MyQueue:  # must be indented under Resources like the other logical IDs
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SampleQueue12345128"
  MyQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: s3.amazonaws.com  # the bucket notification is delivered by S3, not SNS
            Action:
              - sqs:SendMessage  # S3 only needs to send; receive/delete belong to the queue consumer
            Resource: "*"
      Queues:
        - Ref: MyQueue

What is the issue with the above CloudFormation template? I have tried debugging the template multiple times but am still getting nowhere. Any help would be greatly appreciated!

  • The CloudFormation template is looking to build resources only, not validate that something already exists, and it is depending on the parameter input for the VpcFlowLogBucket. If it's left blank, the resource is still attempting to be created with a null input from the parameters, since it's optional and not required because the Condition is present in the resource. That resource is dependent on the parameter, which cannot be left blank. What specifically is the intention of this if no bucket currently exists and the user doesn't supply a bucket ARN they wish to use? Where do these logs go at that point?
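As an added check (not part of the question or of any AWS tooling), the script below reproduces the two template mistakes that typically produce "Unresolved resource dependencies": a Ref, GetAtt, Sub or DependsOn naming a logical ID that is not in Resources, and a reference to a resource that carries a Condition made from a resource that does not share it and does not wrap the reference in Fn::If on that same condition. It works on the template in JSON-style dict form (what the `!Ref`/`!GetAtt` short forms deserialize to); the sample resources, the `CreateBucket` condition name and the misspelled `VpcFlowLogBuckt` are constructed for illustration.

```python
import re
# ${LogicalId} or ${LogicalId.Attr} inside Fn::Sub; ${AWS::AccountId} contains ':' and is skipped.
SUB_VAR = re.compile(r"\$\{([A-Za-z0-9]+)(?:\.[A-Za-z0-9.]+)?\}")

def _refs(node, guard=None):
    """Yield (logical_id, guarding_condition) for each Ref/GetAtt/Sub under node."""
    if isinstance(node, dict) and "Ref" in node:
        yield node["Ref"], guard
    elif isinstance(node, dict) and "Fn::GetAtt" in node:
        t = node["Fn::GetAtt"]  # ["Id", "Attr"] list form or "Id.Attr" string form
        yield (t[0] if isinstance(t, list) else t.split(".")[0]), guard
    elif isinstance(node, dict) and "Fn::Sub" in node:
        for name in SUB_VAR.findall(str(node["Fn::Sub"])):  # str() also covers the [text, {vars}] form
            yield name, guard
    elif isinstance(node, dict) and "Fn::If" in node:
        cond, if_true, if_false = node["Fn::If"]
        yield from _refs(if_true, cond)   # only evaluated when cond holds, so cond guards it
        yield from _refs(if_false, guard)
    elif isinstance(node, (dict, list)):
        for value in (node.values() if isinstance(node, dict) else node):
            yield from _refs(value, guard)

def unresolved_dependencies(template):
    """Findings CloudFormation rejects as 'Unresolved resource dependencies'."""
    resources, params = template.get("Resources", {}), template.get("Parameters", {})
    findings = []
    for rid, res in resources.items():
        deps = res.get("DependsOn", [])
        refs = [(d, None) for d in ([deps] if isinstance(deps, str) else deps)]
        refs += _refs(res.get("Properties", {}))
        for target, guard in refs:
            if target.startswith("AWS::") or target in params:
                continue  # pseudo-parameter or template parameter, never a resource
            if target not in resources:
                findings.append(f"{rid}: unknown logical ID {target}")
            elif resources[target].get("Condition") not in (None, res.get("Condition"), guard):
                findings.append(f"{rid}: references {target} outside its condition")
    return findings

# Constructed sample mirroring the question: a conditional bucket, an unconditional flow log
# referencing it directly (rejected), the Fn::If form (accepted), and a misspelled DependsOn.
SAMPLE = {
    "Parameters": {"VpcFlowLogBucketArn": {"Type": "String", "Default": ""}},
    "Resources": {
        "VpcFlowLogBucket": {"Type": "AWS::S3::Bucket", "Condition": "CreateBucket"},
        "VpcFlowLogBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Condition": "CreateBucket",
            "Properties": {"PolicyDocument": {"Fn::Sub": "${VpcFlowLogBucket.Arn}/AWSLogs/${AWS::AccountId}/*"}}},
        "FlowLog": {"Type": "AWS::EC2::FlowLog", "Properties": {"LogDestination": {"Fn::GetAtt": ["VpcFlowLogBucket", "Arn"]}}},
        "FlowLogFixed": {"Type": "AWS::EC2::FlowLog", "Properties": {"LogDestination": {"Fn::If": [
            "CreateBucket", {"Fn::GetAtt": "VpcFlowLogBucket.Arn"}, {"Ref": "VpcFlowLogBucketArn"}]}}},
        "MyQueue": {"Type": "AWS::SQS::Queue", "DependsOn": "VpcFlowLogBuckt"},
    },
}
```

Running `unresolved_dependencies(SAMPLE)` flags `FlowLog` and `MyQueue` and accepts `FlowLogFixed`, which is the pattern to use when an unconditional resource must consume either the created bucket or the user-supplied ARN.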

No Answers
