SLS CloudFormation Resource Depends on SLS Lambda Function Issue

wenindoubt · July 22, 2019, 5:26pm

I am providing Cognito the permission to invoke lambda functions via lambda triggers (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html)

I have a very basic resource created in serverless.yml:

    UserPoolLambdaInvokePermission:
      Type: AWS::Lambda::Permission
      Properties:
        Action: lambda:invokeFunction
        Principal: cognito-idp.amazonaws.com
        FunctionName: arn:aws:lambda:${self:provider.region}:#{AWS::AccountId}:function:${self:service}-${self:provider.stage}-cognitoCustomMessage
        SourceArn: arn:aws:cognito-idp:${self:provider.region}:#{AWS::AccountId}:userpool/${self:provider.environment.USER_POOL_ID}

The above allows Cognito to invoke my cognitoCustomMessage lambda:

cognitoCustomMessage:
  handler: src/main/lambdas/users_handler.cognitoCustomMessage

The error message I am receiving above is: An error occurred: CognitoCustomMessageLambdaFunction - Function not found: arn:aws:lambda:us-west-2:1234567890:my-service-dev-cognitoCustomMessage (Service: AWSLambdaInternal; Status Code: 404; Error Code: ResourceNotFoundException; Request ID: e2a98525-5090-4d0f-a1f5-20610474f93b).

If I insert a DependsOn into the above resource like so:

    UserPoolLambdaInvokePermission:
      Type: AWS::Lambda::Permission
      DependsOn: arn:aws:lambda:${self:provider.region}:#{AWS::AccountId}:function:${self:service}-${self:provider.stage}-cognitoCustomMessage
      Properties:
        Action: lambda:invokeFunction
        Principal: cognito-idp.amazonaws.com
        FunctionName: arn:aws:lambda:${self:provider.region}:#{AWS::AccountId}:function:${self:service}-${self:provider.stage}-cognitoCustomMessage
        SourceArn: arn:aws:cognito-idp:${self:provider.region}:#{AWS::AccountId}:userpool/${self:provider.environment.USER_POOL_ID}

The error message I am receiving from above is: The CloudFormation template is invalid: Template format error: DependsOn must be a string or list of strings.

If I hardcode (which I don’t want to) the entire ARN of the lambda function, I get the following error: The CloudFormation template is invalid: Template format error: Unresolved resource dependencies [arn:aws:lambda:us-west-2:1234567890:function:my-service-dev-cognitoCustomMessage] in the Resources block of the template

Has anyone else run into a similar error or figured out an elegant workaround?

ionush · February 27, 2020, 3:15am

found the solution, use dependOn property and get the function name from .serverless/serverless-state.json

Topic		Replies	Views
Using a serverless function for cognito trigger Serverless Framework	2	5485	May 22, 2017
Not authorized to perform lambda:InvokeFunction from Cognito trigger Serverless Framework	9	24620	January 1, 2020
Granting access for one function to use another Serverless Framework	3	2461	June 3, 2017
How to Add iamRoleStatements to S3 Trigger Bucket Serverless Framework aws	3	11639	September 7, 2017
Generate IAM permissions for invoking lambda from lambda Serverless Framework aws	8	23039	May 29, 2020

SLS CloudFormation Resource Depends on SLS Lambda Function Issue

Related Topics