1
votes

I am getting the error "Template contains errors.: [/Resources/CloudTrail/Type/EventSelectors] 'null' values are not allowed in templates" when I try to validate my CloudFormation template.

"Conditions":
  "S3Enabled":
    "Fn::Equals":
    - "IsS3Enabled"
    - "true"
"Parameters":
  "IsS3Enabled":
    "AllowedValues":
    - "true"
    - "false"
    "Default": "true"
    "Description": "whether you want cloudtrail enabled for S3"
    "Type": "String"
  "LambdaArns":
    "Default": "arn:aws:lambda"
    "Description": "The lambda arns of cloudtrail event selectors"
    "Type": "CommaDelimitedList"
  "S3Arns":
    "Default": "'arn:aws:s3:::'"
    "Description": "The S3 arns of cloudtrail event selectors"
    "Type": "CommaDelimitedList"
"Resources":
  "CloudTrail":
    "DependsOn":
    - "CloudTrailLogBucketPolicy"
    "Properties":
      "EnableLogFileValidation": "true"
      "EventSelectors":
      "DataResources": {"Fn::If" : ["S3Enabled", { "Type": "AWS::S3::Object", "Values": !Ref "S3Arns"}, {"Type": "AWS::Lambda::Function", "Values": !Ref "LambdaArns"}]}
      "IncludeGlobalServiceEvents": "true"
      "IsLogging": "true"
      "IsMultiRegionTrail": "true"
      "S3BucketName":
        "Ref": "CloudTrailLogBucket"
      "S3KeyPrefix": "sample"
      "TrailName": "sample"
    "Type": "AWS::CloudTrail::Trail"

Resources that I am using

  1. CloudTrail CloudFormation : https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html
  2. Fn::If documentation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-conditions.html#intrinsic-function-reference-conditions-if

I have gone through similar questions. Both of them lead to indentation, but I cannot find a fault with my template.

  1. AWS Cloudformation [/Resources/PrivateGateway/Properties] 'null' values are not allowed in templates
  2. AWS IAM Cloudformation YAML template errror: 'null' values are not allowed

2 Answers

1
votes

The CloudFormation Linter catches this with:

E0000: Null value at line 31 column 24


DataResources isn't indented far enough, and EventSelectors and DataResources both need to be lists.

All members of a list are lines beginning at the same indentation level starting with a "- " (a dash and a space).


I'd recommend getting that template snippet working without Fn::If first like this:

"Resources":
  "CloudTrail":
    "DependsOn":
    - "CloudTrailLogBucketPolicy"
    "Properties":
      "EnableLogFileValidation": "true"
      "EventSelectors":
        - "DataResources":
           - Type: AWS::S3::Object
             Values: !Ref S3Arns

and then using Fn::If to set the first DataResource in the DataResources list.
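The last step of the answer above, written out as an added example (it is not part of the original answer or the asker's template): both properties are lists, and `Fn::If` supplies the single item of `DataResources`. Assumptions: the `LogBucketName` parameter is hypothetical and stands in for the asker's `CloudTrailLogBucket` and its bucket policy, which the page does not show, and the condition is assumed to be meant to test the parameter's value, so it uses `!Ref IsS3Enabled` (comparing the literal string "IsS3Enabled" with "true" is always false).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  IsS3Enabled:
    Type: String
    AllowedValues: ["true", "false"]
    Default: "true"
  S3Arns:
    Type: CommaDelimitedList
    Default: "arn:aws:s3:::"        # page's default, without the embedded single quotes
  LambdaArns:
    Type: CommaDelimitedList
    Default: "arn:aws:lambda"
  LogBucketName:                    # assumption: existing bucket whose policy already allows CloudTrail
    Type: String
Conditions:
  S3Enabled:
    Fn::Equals:
      - !Ref IsS3Enabled            # the parameter's value, not the literal "IsS3Enabled"
      - "true"
Resources:
  CloudTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: sample
      S3BucketName: !Ref LogBucketName
      S3KeyPrefix: sample
      IsLogging: true
      IsMultiRegionTrail: true
      IncludeGlobalServiceEvents: true
      EnableLogFileValidation: true
      EventSelectors:               # a list of event selectors
        - ReadWriteType: All
          IncludeManagementEvents: true
          DataResources:            # a list of data resources
            - Fn::If:               # resolves to one list item (a mapping)
                - S3Enabled
                - Type: AWS::S3::Object
                  Values: !Ref S3Arns       # CommaDelimitedList resolves to a list of strings
                - Type: AWS::Lambda::Function
                  Values: !Ref LambdaArns
```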

0
votes

Probably the YAML would be as follows:

cloudtrail:
    Type: AWS::CloudTrail::Trail
    Properties:       
      EnableLogFileValidation: Yes
      EventSelectors: 
        - DataResources:
            - Type: AWS::S3::Object
              Values: 
                - arn:aws:s3:::s3-event-step-bucket/    
          IncludeManagementEvents: Yes
          ReadWriteType: All
      IncludeGlobalServiceEvents: Yes
      IsLogging: Yes
      IsMultiRegionTrail: Yes
      S3BucketName: s3-event-step-bucket-storage       
      TrailName: xyz