Circular dependency in CloudFormation | IAM resources

Time:11-27

I keep hitting a circular dependency error in my CloudFormation template. I believe to get around this one needs to separate the dependency into a different resource, but in my case I just want to add the ARN of the role I am creating into the in-policy.

Below is one of the actions I want to add to the policy on this role:

Resources:
  SSMHostMgmtRole:
     Type: AWS::IAM::Role
     Properties:
       AssumeRolePolicyDocument:
         Statement:
         - Action:
           - sts:AssumeRole
           Effect: Allow
           Principal:
             Service:
             - ssm.amazonaws.com
         Version: '2012-10-17'
       Path: "/"
       Policies:
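       - PolicyDocument:
           Version: '2012-10-17'
           Statement:
           - Action:
             - iam:PassRole
             Effect: Allow
             # Self-reference: the role's own inline policy asks for the role's ARN
             Resource: !GetAtt SSMHostMgmtRole.Arn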
         PolicyName: !Sub ${AWS::StackName}-${AWS::Region}-Example
       RoleName: !Sub ${AWS::StackName}-${AWS::Region}-HostMgmtRole

Can someone help me point out the changes to eliminate the circular dependency and get the template to work?

CodePudding user response:

You need to break the circular dependency by manually creating the Arn. Replace:

Resource: !GetAtt SSMHostMgmtRole.Arn

with

Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/${AWS::StackName}-${AWS::Region}-HostMgmtRole
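Why the replacement above removes the error, as an added example (not code from the question or the answer): a dependency-cycle check run over the template in its JSON form. The helper names `role`, `references` and `find_cycles` and the trimmed sample template are constructed for this illustration.

```python
import re

def role(resource_value):
    # Constructed sample: the question's role as CloudFormation JSON, trimmed to the relevant parts.
    return {"Type": "AWS::IAM::Role", "Properties": {
        "RoleName": {"Fn::Sub": "${AWS::StackName}-${AWS::Region}-HostMgmtRole"},
        "Policies": [{"PolicyDocument": {"Statement": [{
            "Action": ["iam:PassRole"], "Effect": "Allow", "Resource": resource_value}]}}]}}

BEFORE = {"Resources": {"SSMHostMgmtRole": role({"Fn::GetAtt": ["SSMHostMgmtRole", "Arn"]})}}
AFTER = {"Resources": {"SSMHostMgmtRole": role({"Fn::Sub":
    "arn:aws:iam::${AWS::AccountId}:role/${AWS::StackName}-${AWS::Region}-HostMgmtRole"})}}

def references(node, names):
    """Yield logical IDs in `names` that `node` points at via Ref, Fn::GetAtt or Fn::Sub."""
    if isinstance(node, list):
        for item in node:
            yield from references(item, names)
    elif isinstance(node, dict):
        for key, val in node.items():
            if key == "Ref" and isinstance(val, str):
                found = [val]
            elif key == "Fn::GetAtt":
                found = [val[0] if isinstance(val, list) else str(val).split(".")[0]]
            elif key == "Fn::Sub":
                text, local = (val, {}) if isinstance(val, str) else (val[0], val[1])
                # ${Name} or ${Name.Attr}; ${!Literal} is an escape; pseudo parameters match no resource.
                found = [v.split(".")[0] for v in re.findall(r"\$\{([^!}]+)\}", text) if v not in local]
                yield from references(local, names)
            else:
                found = list(references(val, names))
            yield from (n for n in found if n in names)

def find_cycles(template):
    """Return every dependency cycle as a list of logical IDs whose first and last entries match."""
    resources = template.get("Resources", {})
    graph = {name: sorted(set(references(body, resources))) for name, body in resources.items()}
    cycles, done = [], set()
    def visit(name, path):
        if name in path:
            cycles.append(path[path.index(name):] + [name])
        elif name not in done:
            for dep in graph[name]:
                visit(dep, path + [name])
            done.add(name)
    for name in graph:
        visit(name, [])
    return cycles

print("before:", find_cycles(BEFORE), "| after:", find_cycles(AFTER))
```

The hand-built ARN keeps `iam:PassRole` scoped to this one role only while it matches the template's `RoleName` and `Path`, so the two strings have to be changed together. `arn:aws` assumes the standard partition; `${AWS::Partition}` is the pseudo parameter that covers the others.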