Below is the SAM template:
```yaml
Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.LambdaHandler
      Runtime: nodejs8.10
      Events:
        MySQSEvent:
          Type: SQS
          Properties:
            Queue: !GetAtt SomeQueue.Arn
            BatchSize: 10
      PermissionsBoundary: "arn:aws:iam::${AWS::AccountId}:policy/AddPermission"
  SomeQueue:
    Type: AWS::SQS::Queue
  AddPermission:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: "PermissionBoundaryForLogGroup"
            Effect: "Allow"
            Action:
              - "logs:CreateLogGroup"
            Resource:
              - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"
```
That gives the error below:

```json
{
  "StackId": "arn:aws:cloudformation:us-east-1:285774445527:stack/somestack/f986eb30-a5a0-11e9-9771-1273bfab49fc",
  "EventId": "cb4be9e0-a682-11e9-bac4-12d48e821f84",
  "ResourceStatus": "UPDATE_ROLLBACK_IN_PROGRESS",
  "ResourceType": "AWS::CloudFormation::Stack",
  "Timestamp": "2019-07-14T22:00:29.808Z",
  "ResourceStatusReason": "The following resource(s) failed to create: [AddPermission]. The following resource(s) failed to update: [HelloWorldFunctionRole]. ",
  "StackName": "pocstack",
  "PhysicalResourceId": "arn:aws:cloudformation:us-east-1:285774445527:stack/somestack/f986eb30-a5a0-11e9-9771-1273bfab49fc",
  "LogicalResourceId": "pocstack"
},
{
  "StackId": "arn:aws:cloudformation:us-east-1:285774445527:stack/pocstack/f986eb30-a5a0-11e9-9771-1273bfab49fc",
  "EventId": "AddPermission-CREATE_FAILED-2019-07-14T22:00:29.100Z",
  "ResourceStatus": "CREATE_FAILED",
  "ResourceType": "AWS::IAM::ManagedPolicy",
  "Timestamp": "2019-07-14T22:00:29.100Z",
  "ResourceStatusReason": "Resource creation cancelled",
  "StackName": "pocstack",
  "ResourceProperties": "{\"PolicyDocument\":{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"logs:CreateLogGroup\"],\"Resource\":[\"arn:aws:logs:us-east-1:285774445527:log-group:*\"],\"Effect\":\"Allow\",\"Sid\":\"PermissionBoundaryForLogGroup\"}]}}",
  "PhysicalResourceId": "arn:aws:iam::285774445527:policy/somestack-AddPermission-GKXVOXLQARLR",
  "LogicalResourceId": "AddPermission"
},
```
If I use the new stack, then the error is: "ResourceStatusReason": "Resource creation cancelled"
Why does the managed policy named AddPermission fail to get created?
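A static check a template reviewer can run before deploying, written here as an added example and not part of the question or any AWS tool. It encodes two CloudFormation facts: a pseudo-parameter such as `${AWS::AccountId}` is only expanded inside `Fn::Sub`, and an `AWS::IAM::ManagedPolicy` without `ManagedPolicyName` gets a generated physical name (the event above shows `somestack-AddPermission-GKXVOXLQARLR`), so a hand-written `policy/AddPermission` ARN does not point at that resource. The template dict is a constructed JSON-form copy of the question's YAML (`!GetAtt` and `!Sub` become `Fn::GetAtt` and `Fn::Sub`); `fixed_template()` is an assumed variant that uses `Ref`, which returns the policy's ARN and also makes the role depend on the policy.

```python
"""Lint PermissionsBoundary values in a SAM/CloudFormation template (dict form)."""
import copy
import re

# Pseudo-parameters such as ${AWS::AccountId} or ${AWS::Region}.
PSEUDO_PARAM = re.compile(r"\$\{AWS::[A-Za-z]+\}")

# Constructed sample: the question's template in JSON/dict form.
TEMPLATE = {
    "Resources": {
        "HelloWorldFunction": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "CodeUri": "hello-world/",
                "Handler": "app.LambdaHandler",
                "Runtime": "nodejs8.10",
                "Events": {
                    "MySQSEvent": {
                        "Type": "SQS",
                        "Properties": {
                            "Queue": {"Fn::GetAtt": ["SomeQueue", "Arn"]},
                            "BatchSize": 10,
                        },
                    }
                },
                # Plain string: no Fn::Sub, and the name is a logical id, not a policy name.
                "PermissionsBoundary": "arn:aws:iam::${AWS::AccountId}:policy/AddPermission",
            },
        },
        "SomeQueue": {"Type": "AWS::SQS::Queue"},
        "AddPermission": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Sid": "PermissionBoundaryForLogGroup",
                        "Effect": "Allow",
                        "Action": ["logs:CreateLogGroup"],
                        "Resource": [{"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"}],
                    }],
                }
            },
        },
    }
}


def managed_policies(template):
    """Map each AWS::IAM::ManagedPolicy logical id to its explicit
    ManagedPolicyName, or None when CloudFormation will generate the name."""
    out = {}
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::IAM::ManagedPolicy":
            out[lid] = res.get("Properties", {}).get("ManagedPolicyName")
    return out


def check_boundary(logical_id, value, template):
    """Return a list of findings for one PermissionsBoundary value."""
    policies = managed_policies(template)
    resolvable = set(policies) | set(template.get("Parameters", {}))
    findings = []
    if isinstance(value, dict):
        # Intrinsics (Ref, Fn::Sub, Fn::ImportValue) resolve at deploy time;
        # only a Ref to an unknown logical id can be caught statically.
        target = value.get("Ref")
        if target is not None and target not in resolvable:
            findings.append(f"{logical_id}: Ref to unknown logical id '{target}'")
        return findings
    if not isinstance(value, str):
        findings.append(f"{logical_id}: PermissionsBoundary must be an ARN string or an intrinsic")
        return findings
    if PSEUDO_PARAM.search(value):
        findings.append(f"{logical_id}: '{value}' holds a pseudo-parameter in a plain string; "
                        "it is only expanded inside Fn::Sub")
    policy_name = value.rsplit("/", 1)[-1]
    for lid, explicit_name in policies.items():
        if policy_name == lid and explicit_name != lid:
            findings.append(f"{logical_id}: boundary names '{lid}', but that ManagedPolicy has no "
                            f"ManagedPolicyName so its physical name is generated; use {{'Ref': '{lid}'}} "
                            "(Ref returns the policy ARN) or set ManagedPolicyName explicitly")
    return findings


def lint(template):
    """Lint every resource type that can carry a PermissionsBoundary."""
    findings = []
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") not in ("AWS::Serverless::Function", "AWS::IAM::Role"):
            continue
        boundary = res.get("Properties", {}).get("PermissionsBoundary")
        if boundary is not None:
            findings.extend(check_boundary(lid, boundary, template))
    return findings


def fixed_template():
    """Assumed corrected variant: reference the policy resource instead of a literal ARN."""
    fixed = copy.deepcopy(TEMPLATE)
    fixed["Resources"]["HelloWorldFunction"]["Properties"]["PermissionsBoundary"] = {"Ref": "AddPermission"}
    return fixed


if __name__ == "__main__":
    for finding in lint(TEMPLATE):
        print("FINDING:", finding)
    print("fixed template findings:", lint(fixed_template()))
```

Run against the question's template the linter reports two findings (unexpanded pseudo-parameter, and a boundary name that is a logical id rather than the generated physical name); the `Ref` variant reports none. An explicit `ManagedPolicyName: AddPermission` combined with `!Sub` on the boundary ARN is the other way to make the literal form resolve.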