Lambda onError can't use CloudFormation "Ref", requires ARN string?

I’m trying to create an SNS topic in my serverless.yml Resources then reference it in my Lambda’s “onError” to use it as a DeadLetterQueue. I can create the topic and reference it in the iamRoleStatements fine. But when I try to use a CloudFormation “Ref” in the Lambda onError, I get a complaint “onError config must be provided as a string”.

That comes from the SLS code: https://github.com/serverless/serverless/pull/3609/files

Is this due to restrictions in CloudFormation itself, so there’s no way SLS can implement it? The AWS docs imply only a string is possible, not a Ref:
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-deadletterconfig.html

Am I understanding this limitation correctly?

gmetzker created a plugin and I’m guessing it’s to get around this limitation, is that correct?
http://forum.serverless.com/t/published-a-lambda-dead-letter-queue-plugin/1200

My most minimal example code:

service: dlqtest

provider:
  name: aws
  runtime: python3.6
  iamRoleStatements:
    - Effect: Allow
      Action:
        - "sns:Publish"
      Resource: 
        Ref: DeadLetterQueue


resources:
  Resources:
    DeadLetterQueue:
      Type: AWS::SNS::Topic
      Properties:
        Subscription:
          - Endpoint: chris+dlqtest@example.com
            Protocol: email

functions:
  DlqTest:
    handler: dlqtest.handler
    onError: arn:aws:sns:us-east-1:########:dlqtest-dev-DeadLetterQueue-14HOO3X2AAUX7
    #   Ref: DeadLetterQueue  # doesn't work: "onError config must be provided as a string"
    events:
      - s3:
          bucket: cshenton-dlqtest
          event: s3:ObjectCreated:*

This looks like an issue with the implementation in Serverless to me. I would open an issue against the project to support Refs in that field - I also would’ve expected to be able to pass the Ref (or similar) through.

The other approach that comes to mind is to create your SNS topic in a separate stack that you deploy before your service. This has the added benefit of being able to be re-used between services without you needing to subscribe multiple times.

Note that the PR you linked is also adding the required sns:Publish permissions to the default role, so you don’t need the same thing in your serverless.yml's iamRoleStatements.
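
The separate-stack approach suggested in the reply above, as an added example that is not part of the original thread. The service name `dlq-topic`, the output key `DeadLetterTopicArn` and the two-file layout are assumptions; Serverless resolves `${cf:...}` variables at deploy time, so `onError` receives a plain ARN string.

```yaml
# File 1 (constructed): dlq-topic/serverless.yml. Deploy this stack first.
service: dlq-topic

provider:
  name: aws

resources:
  Resources:
    DeadLetterQueue:
      Type: AWS::SNS::Topic
      Properties:
        Subscription:
          - Endpoint: chris+dlqtest@example.com
            Protocol: email
  Outputs:
    DeadLetterTopicArn:
      # Ref on an AWS::SNS::Topic returns the topic ARN.
      Value:
        Ref: DeadLetterQueue
---
# File 2 (constructed): dlqtest/serverless.yml. Deploy after the topic stack.
service: dlqtest

provider:
  name: aws
  runtime: python3.6
  # No sns:Publish statement here: per the reply above, the linked PR adds
  # that permission for the onError target to the default role.

functions:
  DlqTest:
    handler: dlqtest.handler
    # Stack names follow <service>-<stage>; "dev" is the default stage.
    # The variable is replaced with the exported ARN before onError is checked.
    onError: ${cf:dlq-topic-dev.DeadLetterTopicArn}
    events:
      - s3:
          bucket: cshenton-dlqtest
          event: s3:ObjectCreated:*
```

Because the function's role is only granted publish rights on the one resolved ARN, other services can reuse the same topic without widening any role to `sns:*` or a wildcard resource.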

Thanks, rowanu, issue created