I just got stuck on a CloudFormation gotcha for an hour. I was trying to add an access policy to an SQS queue to allow SNS to post messages to it, but it gave this error:
An error occurred: myQueue – Invalid value for the parameter Policy. (Service: AmazonSQS; Status Code: 400; Error Code: InvalidAttributeValue).
The CloudFormation YAML for that queue was:
Type: AWS::SQS::QueuePolicy
Properties:
  Queues:
    - Ref: myQueue
  PolicyDocument:
    Id: QueuePolicy
    Version: 2012-10-17
    Statement:
      - Sid: sendMessagesToQueue
        Effect: Allow
        Principal:
          AWS: "*"
        Action:
          - sqs:SendMessage
        Resource: "*"
        Condition:
          ArnEquals:
            aws:SourceArn:
              Ref: myTopic
The problem with this policy is that YAML automatically parses anything that looks like an ISO-formatted date, so when Serverless converted my YAML CloudFormation to JSON to be uploaded, that “2012-10-17” date was transformed to:
"Version": "2012-10-17T00:00:00.000Z"
Whoops! Adding quotes around the date in the Version field fixes this problem:
Version: "2012-10-17"
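A pre-deploy check for the date coercion described above, as an added example that is not part of the original post: the first function scans raw YAML for a bare date after `Version:`, the second walks an already-parsed template and flags any policy document whose Version would not serialize to a valid policy version string. The function names are hypothetical, and the sample template and parsed object (with a `Date` standing in for what a timestamp-resolving YAML parser returns) are constructed.

```javascript
// Added example; function names and sample data are constructed, not from the post.
const VALID_VERSIONS = new Set(["2012-10-17", "2008-10-17"]);

// Pass 1: flag raw YAML lines where Version is followed by a bare (unquoted) date.
function findUnquotedVersions(yamlText) {
  const re = /^\s*(?:-\s*)?Version:\s*(\d{4}-\d{2}-\d{2})\s*(?:#.*)?$/;
  const hits = [];
  yamlText.split("\n").forEach((line, i) => {
    const m = re.exec(line);
    if (m) hits.push({ line: i + 1, value: m[1] });
  });
  return hits;
}

// Pass 2: in a parsed template, a policy document's Version must be an exact valid string.
function findBadPolicyVersions(node, path = "$") {
  if (node === null || typeof node !== "object" || node instanceof Date) return [];
  const bad = [];
  if (!Array.isArray(node) && "Statement" in node && "Version" in node) {
    const v = node.Version;
    if (typeof v !== "string" || !VALID_VERSIONS.has(v)) {
      bad.push({ path: `${path}.Version`, serialized: JSON.stringify(v) });
    }
  }
  for (const [key, child] of Object.entries(node)) {
    bad.push(...findBadPolicyVersions(child, `${path}.${key}`));
  }
  return bad;
}

// Constructed sample: the queue policy from the post, abbreviated.
const SAMPLE_YAML = [
  "PolicyDocument:",
  "  Id: QueuePolicy",
  "  Version: 2012-10-17",
  "  Statement:",
  "    - Sid: sendMessagesToQueue",
].join("\n");

// Assumption: a YAML parser that resolves timestamps hands back a Date here.
const SAMPLE_PARSED = {
  PolicyDocument: {
    Id: "QueuePolicy",
    Version: new Date("2012-10-17"),
    Statement: [{ Sid: "sendMessagesToQueue", Effect: "Allow" }],
  },
};

console.log(findUnquotedVersions(SAMPLE_YAML), findBadPolicyVersions(SAMPLE_PARSED));
```

Running the second pass on the JSON-ready object right before upload catches the coercion regardless of which YAML parser produced it.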
Thank you so much for posting this! Had the same problem; your blog post is the only site on the internet that mentions this solution.
No Help
---
AWSTemplateFormatVersion: '2010-09-09'
Description: This template creates a new SQS Standard Queue
Parameters:
  DelaySeconds:
    Type: Number
    Default: '5'
  MaximumMessageSize:
    Type: Number
    Default: '262144'
  MessageRetentionPeriod:
    Type: Number
    Default: '345600'
  ReceiveMessageWaitTimeSeconds:
    Type: Number
    Default: '0'
  VisibilityTimeout:
    Type: Number
    Default: '5'
  SQSQueueName:
    Type: String
    Default: 'DCCqueue'
  mytopic:
    Type: String
    Default: mytopic
Resources:
  SQSQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName:
        Ref: SQSQueueName
      DelaySeconds:
        Ref: DelaySeconds
      MaximumMessageSize:
        Ref: MaximumMessageSize
      MessageRetentionPeriod:
        Ref: MessageRetentionPeriod
      ReceiveMessageWaitTimeSeconds:
        Ref: ReceiveMessageWaitTimeSeconds
      VisibilityTimeout:
        Ref: VisibilityTimeout
  SQSQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues: [ !Ref 'SQSQueue' ]
      PolicyDocument:
        Version: 2012-10-17
        Id: PublicationPolicy
        Statement:
          - Sid: Allow-User-SendMessage
            Effect: Allow
            Principal:
              Ref ${AWS::AccountId}
            Action:
              - sqs: SendMessage
              - sqs: ReceiveMessage
              - sqs: DeleteMessage
            Resource: !GetAtt [SQSQueue, Arn]
Outputs:
  QueueURL:
    Description: URL of newly created SQS Queue
    Value:
      Ref: SQSQueue
Your Version in your SQSQueuePolicy needs quotes around it:
Version: "2012-10-17"
If you’re getting an error message then state the message.
Thanks for that!!
It took me more than one hour… to find your blog 😉