Is It Possible to Reference CFN Outputs in iamRoleStatements?

I would like to reference a resource’s ARN in my iamRoleStatements. Currently, this is only possible if the CognitoUserPool resource is deployed first.

provider:
  name: aws
  runtime: nodejs8.10
  iamRoleStatements:
    - Effect: Allow
      Action:
        - cognito-idp:AdminGetUser
      Resource:
        - Fn::GetAtt: ["CognitoUserPoolMyUserPool", "Arn"]

resources:
  Resources:
    CognitoUserPoolMyUserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        AutoVerifiedAttributes:
          - email

I have seen solutions where the CognitoUserPool resource would be defined elsewhere (another CFN stack, etc). Then, I can reference the <stack_name.output> in my iamRoleStatements.

Unfortunately, the above will not work for me because I am also trying to override an existing Cognito User Pool (https://serverless.com/framework/docs/providers/aws/events/cognito-user-pool#overriding-a-generated-user-pool).

Therefore, I need the CognitoUserPool resource to be in the same serverless.yml as my iamRoleStatements.

It depends why it’s not working. Is this creating a circular dependency? If it is then using https://github.com/functionalone/serverless-iam-roles-per-function to implement per function IAM roles might solve the problem.

Yeah! I’m running into circular dependency issues. Can you explain why this might solve the problem?

Serverless creates one role that is shared by all Lambdas, so if one has a dependency on Cognito User Pools they all do. When this has happened to me in the past, it’s because one of those Lambdas was actually a Lambda trigger on the User Pool and shouldn’t have a dependency on it. Without seeing the full serverless.yml it’s impossible to understand if setting up per-Lambda IAM roles will help.
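As an added example (not code from this thread or from the Serverless Framework), a small Python check that builds the Ref/Fn::GetAtt dependency graph of a packaged CloudFormation template and reports the cycle the reply above describes: shared role -> User Pool -> trigger Lambda -> shared role. The template and its logical IDs (IamRoleLambdaExecution, PreSignUpLambdaFunction, PreSignUpTriggerRole) are constructed assumptions, not taken from a real deployment.

```python
import copy

SHARED_ROLE_TEMPLATE = {"Resources": {  # constructed stand-in; logical IDs assumed
    "IamRoleLambdaExecution": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": ["cognito-idp:AdminGetUser"],
            "Resource": [{"Fn::GetAtt": ["CognitoUserPoolMyUserPool", "Arn"]}]}]}}]}},
    "PreSignUpLambdaFunction": {"Type": "AWS::Lambda::Function", "Properties": {
        "Role": {"Fn::GetAtt": ["IamRoleLambdaExecution", "Arn"]}}},
    "CognitoUserPoolMyUserPool": {"Type": "AWS::Cognito::UserPool", "Properties": {
        "LambdaConfig": {"PreSignUp": {"Fn::GetAtt": ["PreSignUpLambdaFunction", "Arn"]}}}}}}

def refs(node):
    """Yield every logical ID named by a Ref or Fn::GetAtt anywhere inside node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        att = node.get("Fn::GetAtt")  # list form ["Id", "Attr"] or string form "Id.Attr"
        if att:
            yield att[0] if isinstance(att, list) else att.split(".")[0]
    for child in (node.values() if isinstance(node, dict) else node if isinstance(node, list) else ()):
        yield from refs(child)

def dependency_graph(template):
    """Map each resource to the sorted resources it depends on (Ref, GetAtt, DependsOn)."""
    resources, graph = template["Resources"], {}
    for name, body in resources.items():
        explicit = body.get("DependsOn", [])
        deps = set(refs(body.get("Properties", {}))) | set([explicit] if isinstance(explicit, str) else explicit)
        graph[name] = sorted(d for d in deps if d in resources)  # drop parameters/pseudo-parameters
    return graph

def find_cycle(graph):
    """Return one cycle as [a, b, ..., a], or None if the template is acyclic."""
    path, done = [], set()
    def visit(node):
        if node in path:
            return path[path.index(node):] + [node]
        if node in done:
            return None
        path.append(node)
        cycle = next((c for c in map(visit, graph[node]) if c), None)
        done.add(path.pop())
        return cycle
    return next((c for c in map(visit, graph) if c), None)

def with_dedicated_trigger_role(template):
    """Per-function-role fix: give the trigger Lambda its own role that does not
    reference the User Pool, removing the edge that closes the cycle."""
    fixed = copy.deepcopy(template)
    fixed["Resources"]["PreSignUpTriggerRole"] = {"Type": "AWS::IAM::Role", "Properties": {}}
    fixed["Resources"]["PreSignUpLambdaFunction"]["Properties"]["Role"] = {"Fn::GetAtt": ["PreSignUpTriggerRole", "Arn"]}
    return fixed
```

Running `find_cycle(dependency_graph(...))` on the output of `serverless package` (the JSON under `.serverless/`) shows which resource closes the loop before CloudFormation rejects the stack.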