QueuePolicy breaks when changing Queue from static name to CF Ref

0

I changed a QueuePolicy in our CloudFormation stack such that the Queues field went from the name of a queue (e.g. my-sqs-queue-name) to a !Ref to the queue resource in CF (e.g. !Ref 'MySqsQueue'). CF successfully applied the changes, but when I went to SQS to look at the queue, the Access policy indicated that it was using the default queue policy, and indeed the relevant resources could not access the queue. I observed the same behavior when switching from !Ref back to the static name.

Interestingly, when the queue policy was in this broken state, I was able to fix it by making a trivial change to the Resource in the policy document, in particular by changing it from just the entry to a single-element list, or vice-versa. Other trivial changes, like adding or changing Metadata fields on the QueuePolicy, did not fix things.

I've solved things for now by having the QueuePolicy's Queues include both the static queue name and the CF !Ref. But it was very surprising and confusing behavior, and I'm wondering if anyone here knows CF well enough to understand why this happened, or other possible workarounds. (Or if it's a bug?)

Some other context in case it's relevant: The queue in question is triggered by notifications on some S3 buckets when new objects are added, so the policy was to grant access to those buckets to send to the queue. I changed the Queues value from a static name to a Reference because I was deploying a new CF stack with these objects (which in other stacks had been added gradually, rather than all at once), and CF was creating the policy before the queue, and failing as a result. The Reference got it to create the resources in the correct order.

1 Answer
1

Hello.

According to the documentation, it works with the SQS queue name obtained with "!Ref".
Actually, I have created a queue using CloudFormation in the past, but it worked with the SQS queue name obtained with "!Ref".
I think it will work if you use "!GetAtt" to get the ARN of the SQS queue set in "Resource" of the queue policy. https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queuepolicy.html#cfn-sqs-queuepolicy-queues

Specifically, I thought it would work if I did the following:

  QueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref MySqsQueue   # required property: the URL of the queue this policy attaches to
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "Account used"
            Effect: "Allow"
            Principal:
              AWS: "*"
            Action:
              - "SQS:*"
            Resource: !GetAtt MySqsQueue.Arn   # the queue ARN, not its URL or name
EXPERT
answered 8 months ago
Thanks. To clarify, we had multiple stacks with similar content for different environments that were already working, and I added a new stack that was similar to the others. So I know that having a static name in the Queues field can work, and so can a !Ref. It was only when switching from one format to the other that the policy broke.

In my experiments, I also found that the Resource could be a static ARN like arn:aws:sqs:region:accountId:queue-name or a !GetAtt – either would work. The weird thing I found with this field was that changing it from an array to a single-item object or back could revive a policy that was broken by the issue I described with the Queues field.
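A complete template for the setup the question describes (S3 object-created notifications delivered to an SQS queue), added here as an example that is not part of the question or the answer: Queues takes the queue URL from !Ref, Resource takes the ARN from !GetAtt, and the statement is narrowed to the S3 service principal, sqs:SendMessage and the source bucket, instead of the Principal "*" / SQS:* statement in the answer, which would let any AWS principal perform any action on the queue. The bucket name is an assumed parameter (UploadBucketName) so the policy can spell out the bucket ARN without a circular dependency, and the bucket depends on the policy because S3 checks the queue permission when the notification is configured.

```yaml
AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  UploadBucketName:
    Type: String   # assumed parameter: a fixed bucket name lets the policy reference the bucket ARN

Resources:
  MySqsQueue:
    Type: AWS::SQS::Queue

  MySqsQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref MySqsQueue                 # Ref on an SQS queue returns its URL, which Queues expects
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowS3EventNotifications
            Effect: Allow
            Principal:
              Service: s3.amazonaws.com   # only the S3 service, not every AWS principal
            Action: sqs:SendMessage       # the one action notifications need
            Resource: !GetAtt MySqsQueue.Arn   # GetAtt returns the queue ARN
            Condition:
              ArnLike:
                aws:SourceArn: !Sub "arn:aws:s3:::${UploadBucketName}"   # only this bucket
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId                  # only buckets in this account

  UploadBucket:
    Type: AWS::S3::Bucket
    DependsOn: MySqsQueuePolicy           # policy must exist before S3 validates the notification target
    Properties:
      BucketName: !Ref UploadBucketName
      NotificationConfiguration:
        QueueConfigurations:
          - Event: s3:ObjectCreated:*
            Queue: !GetAtt MySqsQueue.Arn
```

After a deploy, the effective policy can be checked with aws sqs get-queue-attributes --attribute-names Policy against the queue URL; if it shows no Policy attribute, the policy resource did not attach, which is the state the question describes.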
