${appsync:id} can't be used in IAM-permissions

Question

${appsync:id} can't be used in IAM-permissions

sevbauer opened this issue 2 years ago · 2 comments

I just upgraded to v2 of the plugin and migrated my configuration. Everything works fine, the AppSync-API is created correctly.

But when using the ${appsync:id}-variable like in the following statement:

provider:
  name: aws
  ...
  iam:
    role:
      statements:
        - Effect: "Allow"
          Action:
            - "appsync:GraphQL"
          Resource:
            - "arn:aws:appsync:${aws:region}:${aws:accountId}:apis/${appsync:id}/types/*/fields/*"
            - "arn:aws:appsync:${aws:region}:${aws:accountId}:apis/${appsync:id}"

I then get this error:

Error:
Cannot resolve serverless.yml: Variables resolution errored with:
  - Cannot resolve variable at "provider.iam.role.statements.0.Resource.0": String value consist of variable which resolve with non-string value,
  - Cannot resolve variable at "provider.iam.role.statements.0.Resource.1": String value consist of variable which resolve with non-string value

When I replace ${appsync:id} with the ID of the API directly, it works.

Answer 1 · 2023-03-14T18:29:09.000Z

I'm having the same issue :(

Answer 2 · 2023-04-07T16:48:28.000Z

@sevbauer the logical cloudformation id that this plugin creates/uses for appsync is GraphQlApi.
To get the arn you can use:
- Fn::Join: ["", [!GetAtt GraphQlApi.Arn, "/types/*/fields/*"]]