awslabs/aws-cloudformation-iam-policy-validator

ERROR: Unable to resolve Fn::ImportValue when using multiple stack

Opened this issue · 1 comment

Our IaC project is split into multiple stacks that depend on each other, so as a result we have multiple template.json files (one per stack). In some template.json files we have an import like this:

```json
"changereceivedsubscriber8A7E66AA4CBE": {
  "Type": "AWS::Lambda::Permission",
  "Properties": {
    "Action": "lambda:InvokeFunction",
    "FunctionName": {
      "Fn::ImportValue": "t-project-other-stack:ExportsOutputFnGetAttChangeReceivedSubscriberFunctionArnAA0ADE45"
    },
    "Principal": "events.amazonaws.com",
    "SourceArn": {
      "Fn::GetAtt": [
        "UpdatedRule",
        "Arn"
      ]
    }
  },
  "Metadata": {
    "aws:cdk:path": "t-project-current-stack/t-project-period-updated-rule/AllowEventRuletprojectotherstackchangereceivedsubscriber8A7E66A"
  }
}
```

The cfn-policy-validator CLI only takes one file as input, so when I try to run it on a template that contains the above section it results in: `ERROR: Unable to resolve Fn::ImportValue. Could not find a stack export to import with value t-project-other-stack:ExportsOutputFnGetAttChangeReceivedSubscriberFunctionArnAA0ADE45.`

Thanks for the feedback!

The current implementation of Fn::ImportValue uses the credentials you provided when running the command to list the stacks in your AWS account and attempts to find a stack export with the name provided. If it finds that export, it will substitute the value in your template before validating your policies. This is done this way to ensure that the value that will be substituted by CloudFormation when the template is deployed is the same value that we use when validating your policies.

I think there's a potential feature for the ability to manually pass values for the stack exports as inputs to the validate command (or potentially allow multiple templates to be validated together and determine relationships between them).
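The resolution step described in the reply above (look the export name up among the account's stack exports, substitute its value into the template, fail with the error the reporter saw when there is no match), as an added example that is not part of this issue thread and not the cfn-policy-validator code. The exports list is a constructed sample in the shape of the CloudFormation `ListExports` API response, the stack id and Lambda ARN values are made up, and the `manual_exports` parameter is a hypothetical sketch of the "pass export values as inputs" idea from the reply, not an option the tool has:

```python
"""Resolve Fn::ImportValue in a CloudFormation template against stack exports.

Added example for this issue; not cfn-policy-validator's own implementation.
"""
from typing import Any, Dict, Optional

# Export name taken from the template in the issue report.
EXPORT_NAME = (
    "t-project-other-stack:"
    "ExportsOutputFnGetAttChangeReceivedSubscriberFunctionArnAA0ADE45"
)

# Constructed sample in the shape of `aws cloudformation list-exports` output
# (one page; a real call must follow NextToken). Stack id and ARN are made up.
SAMPLE_LIST_EXPORTS_RESPONSE: Dict[str, Any] = {
    "Exports": [
        {
            "ExportingStackId": "arn:aws:cloudformation:us-east-1:123456789012:"
                                "stack/t-project-other-stack/EXAMPLE-STACK-ID",
            "Name": EXPORT_NAME,
            "Value": "arn:aws:lambda:us-east-1:123456789012:function:"
                     "ChangeReceivedSubscriber",
        }
    ]
}

# Constructed template containing the resource from the issue (Metadata omitted).
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "changereceivedsubscriber8A7E66AA4CBE": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "Action": "lambda:InvokeFunction",
                "FunctionName": {"Fn::ImportValue": EXPORT_NAME},
                "Principal": "events.amazonaws.com",
                "SourceArn": {"Fn::GetAtt": ["UpdatedRule", "Arn"]},
            },
        }
    }
}


class UnresolvedImportError(Exception):
    """No stack export matches the Fn::ImportValue name."""


def exports_to_map(list_exports_response: Dict[str, Any]) -> Dict[str, str]:
    """Index a ListExports response page by export name."""
    return {e["Name"]: e["Value"] for e in list_exports_response["Exports"]}


def resolve_import_values(node: Any, exports: Dict[str, str]) -> Any:
    """Return a copy of `node` with every {"Fn::ImportValue": name} replaced
    by the export's value. Other intrinsics (Fn::GetAtt, Ref, ...) are left
    untouched; a non-literal import name is rejected rather than guessed."""
    if isinstance(node, dict):
        if set(node.keys()) == {"Fn::ImportValue"}:
            name = node["Fn::ImportValue"]
            if not isinstance(name, str):
                raise UnresolvedImportError(
                    "Fn::ImportValue with a non-literal name is not supported here"
                )
            if name not in exports:
                # Same wording as the error in the issue report.
                raise UnresolvedImportError(
                    "Unable to resolve Fn::ImportValue. Could not find a stack "
                    f"export to import with value {name}."
                )
            return exports[name]
        return {k: resolve_import_values(v, exports) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_import_values(v, exports) for v in node]
    return node


def resolve_template(
    template: Dict[str, Any],
    account_exports: Dict[str, str],
    manual_exports: Optional[Dict[str, str]] = None,
) -> Dict[str, Any]:
    """Substitute all imports. `manual_exports` (hypothetical: the user-supplied
    values suggested in the reply) take precedence over what the account lists,
    which is what you would want when the exporting stack is not deployed yet."""
    merged = dict(account_exports)
    merged.update(manual_exports or {})
    return resolve_import_values(template, merged)


if __name__ == "__main__":
    exports = exports_to_map(SAMPLE_LIST_EXPORTS_RESPONSE)
    resolved = resolve_template(SAMPLE_TEMPLATE, exports)
    print(resolved["Resources"]["changereceivedsubscriber8A7E66AA4CBE"]["Properties"])
    try:
        resolve_template(SAMPLE_TEMPLATE, {})  # exporting stack absent
    except UnresolvedImportError as err:
        print("ERROR:", err)
```

Two points worth noting from a validation standpoint: the substituted value is the one policy checks run against, so taking it from the live account (as the tool does) rather than from a hand-maintained file is what keeps the validated ARN equal to the deployed one; and if export values are ever accepted on the command line, a value that differs from the account's export should be surfaced, since validating against a wrong ARN silently weakens the check.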