Description: When defining an AWS::Serverless::Function as a trigger of an AWS::S3::Bucket, it is currently impossible to use SAM predefined policies with restricted access.
So, for example, let's take a look at the following template:
```yaml
Resources:
  BlobsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "blobs-${AWS::AccountId}-${AWS::Region}"
  ProcessBlobFunction:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: blobsprjct/
      Handler: processBlob.lambda_handler
      Runtime: python3.8
      Policies:
        - S3ReadPolicy:
            BucketName: !Sub "blobs-${AWS::AccountId}-${AWS::Region}"
        - AmazonRekognitionFullAccess
      Events:
        BlobsBucket:
          Type: S3
          Properties:
            Bucket: !Ref BlobsBucket
            Events: s3:ObjectCreated:*
```
This will fail with:
```
Error: Failed to create changeset for the stack: blob, ex: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state: For expression "Status" we matched expected path: "FAILED" Status: FAILED. Reason: Circular dependency between resources: [ProcessBlobFunction, ProcessBlobFunctionBlobsBucketPermission, BlobsBucket]
```
All resources say to set BucketName; I already had it. I also added a permission (not sure that it's needed, since the error only grew by one item):
```yaml
  AllowS3ToCallLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: 'lambda:InvokeFunction'
      FunctionName: !Ref ProcessBlobFunction
      Principal: s3.amazonaws.com
      SourceArn: !GetAtt BlobsBucket.Arn
```
And this will fail with:
```
Error: Failed to create changeset for the stack: blob, ex: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state: For expression "Status" we matched expected path: "FAILED" Status: FAILED. Reason: Circular dependency between resources: [ProcessBlobFunction, ProcessBlobFunctionBlobsBucketPermission, AllowS3ToCallLambdaPermission, BlobsBucket]
```
I have been stuck on this and unable to find a solution for a long time.
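The "Circular dependency between resources" error is raised from the dependency graph CloudFormation builds over the expanded (post-transform) template, not over the SAM template you wrote, so the loop is hard to see by reading the source. The script below is an added example (not the reporter's template and not code from the SAM project) that builds that graph from `Ref`, `Fn::GetAtt`, `Fn::Sub` and `DependsOn` and reports every group of resources that lies on a cycle. The template it analyses is a constructed approximation of what the transform emits for an S3 event on a bucket defined in the same template (a `NotificationConfiguration` on the bucket pointing at the function, a generated `AWS::Lambda::Permission`, and a `DependsOn` from the bucket to that permission); the `Environment` reference from the function back to the bucket is an assumed edge, added only to show how any reference from the function to the bucket closes the loop. Which reference closes it in the reporter's actual template is not established on this page.

```python
"""Find dependency cycles in a CloudFormation template.

Constructed example. `expanded_template` approximates the SAM transform output
for an S3 event on a same-template bucket; the function's Environment reference
to the bucket is an assumed edge used to demonstrate how the cycle closes.
"""
import re
from typing import Any, Dict, List, Optional, Set

# ${LogicalId} or ${LogicalId.Attr} inside Fn::Sub strings. Pseudo parameters
# such as ${AWS::AccountId} contain "::" and deliberately do not match.
_SUB_REF = re.compile(r"\$\{([A-Za-z0-9]+)(?:\.[A-Za-z0-9]+)?\}")


def _refs(node: Any, logical_ids: Set[str]) -> Set[str]:
    """Collect logical IDs referenced via Ref, Fn::GetAtt or Fn::Sub anywhere under node."""
    found: Set[str] = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str) and value in logical_ids:
                found.add(value)
            elif key == "Fn::GetAtt":
                target = value[0] if isinstance(value, list) else str(value).split(".")[0]
                if target in logical_ids:
                    found.add(target)
            elif key == "Fn::Sub":
                text = value[0] if isinstance(value, list) else value
                found.update(m for m in _SUB_REF.findall(text) if m in logical_ids)
                if isinstance(value, list) and len(value) > 1:
                    found |= _refs(value[1], logical_ids)  # variable map may hold Ref/GetAtt
            else:
                found |= _refs(value, logical_ids)
    elif isinstance(node, list):
        for item in node:
            found |= _refs(item, logical_ids)
    return found


def dependency_graph(template: Dict[str, Any]) -> Dict[str, Set[str]]:
    """Map each resource to the resources it must wait for (intrinsic refs plus DependsOn)."""
    resources = template.get("Resources", {})
    ids = set(resources)
    graph: Dict[str, Set[str]] = {}
    for name, body in resources.items():
        deps = _refs(body.get("Properties", {}), ids)
        depends_on = body.get("DependsOn", [])
        if isinstance(depends_on, str):
            depends_on = [depends_on]
        deps.update(d for d in depends_on if d in ids)
        graph[name] = deps
    return graph


def cyclic_groups(graph: Dict[str, Set[str]]) -> List[List[str]]:
    """Tarjan's strongly-connected-components algorithm; returns every group on a cycle."""
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    stack: List[str] = []
    on_stack: Set[str] = set()
    groups: List[List[str]] = []

    def connect(v: str) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in sorted(graph[v]):
            if w not in index:
                connect(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:  # v is the root of a component: pop it
            component: List[str] = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                component.append(w)
                if w == v:
                    break
            if len(component) > 1 or v in graph[v]:
                groups.append(sorted(component))

    for v in sorted(graph):
        if v not in index:
            connect(v)
    return sorted(groups)


def circular_dependency_message(template: Dict[str, Any]) -> Optional[str]:
    """Render the groups the way the changeset failure reason lists them, or None if acyclic."""
    groups = cyclic_groups(dependency_graph(template))
    if not groups:
        return None
    return "Circular dependency between resources: " + ", ".join(
        "[" + ", ".join(g) + "]" for g in groups)


def expanded_template(function_refs_bucket: bool) -> Dict[str, Any]:
    """Constructed post-transform shape of the reporter's template (see module docstring)."""
    function_props: Dict[str, Any] = {"Handler": "processBlob.lambda_handler", "Runtime": "python3.8"}
    if function_refs_bucket:
        # Assumed edge: any Ref/GetAtt from the function back to the bucket closes the loop.
        function_props["Environment"] = {"Variables": {"BUCKET": {"Ref": "BlobsBucket"}}}
    return {"Resources": {
        "BlobsBucket": {
            "Type": "AWS::S3::Bucket",
            "DependsOn": "ProcessBlobFunctionBlobsBucketPermission",
            "Properties": {
                "BucketName": {"Fn::Sub": "blobs-${AWS::AccountId}-${AWS::Region}"},
                "NotificationConfiguration": {"LambdaConfigurations": [{
                    "Event": "s3:ObjectCreated:*",
                    "Function": {"Fn::GetAtt": ["ProcessBlobFunction", "Arn"]}}]}}},
        "ProcessBlobFunctionBlobsBucketPermission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {"Action": "lambda:InvokeFunction",
                           "FunctionName": {"Ref": "ProcessBlobFunction"},
                           "Principal": "s3.amazonaws.com",
                           "SourceAccount": {"Ref": "AWS::AccountId"}}},
        "ProcessBlobFunction": {"Type": "AWS::Lambda::Function", "Properties": function_props}}}


if __name__ == "__main__":
    print(circular_dependency_message(expanded_template(True)))   # lists all three resources
    print(circular_dependency_message(expanded_template(False)))  # None: graph is acyclic
```

Two details worth checking in your own expanded template (`sam build` then inspect the packaged template, or run the script over it after loading it with a YAML parser that understands the short-form tags): `!Sub "blobs-${AWS::AccountId}-${AWS::Region}"` produces no edge to `BlobsBucket`, because pseudo parameters are not resources, so the `BucketName`-based policy alone does not create the loop; and because the bucket already depends on both the function (notification) and the permission (`DependsOn`), a single reference from the function or its permission back to the bucket puts all three resources into one cycle group, which is the shape of the first error above.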