Pseudo parameters with variables

So, I just used five hours with my serverless.yml file over the most ridiculous thing: iamRoleStatements and Resources, which are an arn address to SNS topics, or SQS.

The problem arose as I got a deprecation warning when using serverless-pseudo-parameters, which claims Serverless Framework natively supports pseudo parameters as of version 2.3.0. So I removed it, thinking I can manage.

However, the documentation does not say that pseudo parameters can be used in conjunction with other variables ie. I cannot seem to be able to write something like this:

iamRoleStatements:
    - Effect: "Allow"
    Action:
        - SNS:Publish
    Resource:
    - 'Fn::Join':
        - ''
        - - 'arn:aws:logs'
            - Ref: 'AWS::Region'
            - ':'
            - Ref: 'AWS::AccountId'
            - ':'
            - 'sns-topic-name-'
            - ${self:provider.stage}

This will result in an error

An error occurred: IamRoleLambdaExecution - The policy failed legacy parsing (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 7d50c7e7-87ad-4f3c-bdc2-e569b916e649; Proxy: null).

So, I went back to using the plugin, which has been archived and deprecated.

I do not know if this will reach the original maintainer, but I urge him to restore this plugin. It may be that Serverless Framework now supports these pseudo parameters, but we’re talking about ease of use here.

I’d rather write:

  Resource: "arn:aws:sns:${self:provider.region}:#{AWS::AccountId}:sns-topic-name-${self:provider.stage}"

Than that horrible multiline monster using Fn::Join.

So, is there some hidden documentation page covering this issue, or are we stuck with a deprecated plugin to make this work?

2 Likes

Same here, I don’t understand this documentation, it doesn’t work as described and most importantly you can’t seem to be able to put other variables there too…

Also I don’t understant why in the provided example in the documentation they use once ‘Fn::Join:’ and the other one Ref on it’s own… None of the Cloudformation syntaxes…

Hey folks,

Just wanted to chime in, I too eliminated the same plugin dependency and changed my CloudFormation syntax as follows, producing the exact same CF template as before:

With serverless-pseudo-parameters plugin

  iamRoleStatements:
    - Effect: Allow
      Action:
        - lambda:InvokeFunction
      Resource: 'arn:aws:lambda:#{AWS::Region}:#{AWS::AccountId}:function:function-on-error'

Without serverless-pseudo-parameters plugin:

  iamRoleStatements:
    - Effect: Allow
      Action:
        - lambda:InvokeFunction
      Resource: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:function-on-error'

Like I said, the resulting CF template is identical and the changes are minimal, just add CF’s !Sub intrinsic function and replace # with $ and you should get the same template.

Hope it helps!

4 Likes

Just got bitten by this change as well. Removed the package assuming the syntax would match only to have my deployments fail. There is no mention in the docs or deprecation messages that there is a significant syntax difference.

This should be documented, with a guide for updating templates from the deprecated plugin to the new feature.

Cheers to Martin for sharing the CF Sub function!

For anyone using Typescript for their serverless config (serverless.ts instead of serverless.yml) the below should be helpful

{
  Effect: 'Allow',
  Action: ['ssm:GetParameters*'],
  Resource: {
     "Fn::Sub":'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/dev/example*'
   }
}

I think the documentation has beem updated for this

https://www.serverless.com/framework/docs/providers/aws/guide/variables#pseudo-parameters-reference