AWS CloudFormation - can I use Sub inside GetAtt?

Question

I'm trying to reference a security group inside a CloudFormation template.

the name of the group is !Sub '${EnvironmentName}-SG-Private, where EnvironmentName is a template parameter.

However, the DBInstance AWS type requires the GroupId of the security group, not the group name. So I'm trying to use GetAtt to retrieve it, but without any luck:

Fn::GetAtt: [$(Fn::Sub:[${EnvironmentName}-SG-Private]), GroupId]

This and various other permutations all caused errors.

Reading the docs, it says

For the Fn::GetAtt logical resource name, you cannot use functions. You must specify a string that is a resource's logical ID.

If I've read that right, the problem cannot be solved the way I'm trying to do so. So how am I supposed to reference this security group? Do I need to export its GroupId at group creation time?

Great tips here https://garbe.io/blog/2017/07/17/cloudformation-hacks/ — Tim, Jul 28 '20 at 07:52

score 0 · Answer 1 · edited Jul 30 '20 at 16:00

0

Fn::GetAtt intrinsic function returns the value of an attribute from a resource in the template. For more information about GetAtt return values for a particular resource, refer to the documentation for that resource.

edited Jul 30 '20 at 16:00

kenlukas

3,101
2
16
26

answered Jul 28 '20 at 07:28

Skill Skot

1

score 0 · Answer 2 · answered Jul 28 '20 at 08:01

You can only use Fn::GetAtt with resources in the same template. Hence you can’t use it on names derived from template parameters.

If you need the GroupId you can export it from the template that creates the Security Group and Fn::ImportValue it in the template that needs it.

For more info see CloudFormation Export / ImportValue

Hope that helps :)

AWS CloudFormation - can I use Sub inside GetAtt?

2 Answers2