2

I would like to reference the ARN of a "going-to-be-created" Redis ElastiCache cluster in a CloudFormation template.
This is the ElasticacheCluster template (tested and working in CloudFormation):

ElasticacheCluster:
  Type: AWS::ElastiCache::CacheCluster
  Properties:
    AutoMinorVersionUpgrade: 'true'
    Engine: redis
    CacheNodeType: cache.t2.micro
    NumCacheNodes: '1'
    VpcSecurityGroupIds:
      - Fn::GetAtt:
          - ElastiCacheSecurityGroup
          - GroupId
    CacheSubnetGroupName:
      Ref: ElastiCacheSubnetGroup

I cut out the other stuff, like the subnet group and security group, because it is not relevant here. I should grant access to the cluster to another resource with an access policy. Here is what I was trying:

AccessPolicies:
    Version: '2012-10-17'
    Statement:
    - Effect: Allow
      Principal:
        AWS: "*"
      Action: es:*
      Resource: !GetAtt ElasticacheCluster.Arn
    - Effect: Allow
      Principal:
        AWS: "*"
      Action: es:*
      Resource: !GetAtt ElasticacheCluster.Arn
      Condition:
        IpAddress:
          aws:SourceIp: 0.0.0.0/0

I saw this:

the !GetAtt ElasticacheCluster.Arn for the resource entry

here, but it seems not to be working in this case, since !GetAtt returns a fixed set of attributes and ARN is not one of them (as suggested by @Anton in the comments).

I also saw this other question that could solve the issue, but I would prefer a non-hardcoded solution that does not depend on things like region and account ID.
The solution to the problem seems to be simple, but I am struggling to find a clean answer.

Cr4zyTun4
  • GetAtt: returns a fixed subset of the attributes for ElastiCache and ARN is not one of them. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html#aws-properties-elasticache-cache-cluster-return-values Have you tried to accomplish the same with `!Ref` reference? – Anton Mar 24 '22 at 19:45
  • " not to be working in this case" is not clear. Why not? What exactly is happening? Any errors? – Marcin Mar 25 '22 at 00:03
  • Thanks @Marcin, I edited the question so that it is a bit more explanatory – Cr4zyTun4 Mar 30 '22 at 13:54

2 Answers

1

I took inspiration from both the @multicusp answer and the one referenced in the question.
This approach is far from clean and I am waiting for a better answer, but at least it is working. The main idea is to construct the string needed for the ARN:

arn:aws:elasticache:region:account-id:cluster:resource-name

To do that I used a join, trying to get the elements dynamically thanks to the built-in CloudFormation functions:

Resource: !Join 
        - ':'
        - - 'arn:aws:elasticache' 
          - !Ref 'AWS::Region'
          - '<your-account-id>'
          - 'cluster'
          - !FindInMap [Elasticache, Redis, cluster-name]

I used a Map to define the Redis cluster name because I was using the same value at other points in the CloudFormation template. You might find it helpful to have the map as well:

Mappings: 
  Elasticache: 
    Redis:
      cluster-name: redis-demo
Cr4zyTun4
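
An added example, not part of the original answer: the same ARN assembled with `!Sub` and the `AWS::Partition`, `AWS::Region` and `AWS::AccountId` pseudo parameters, relying on `Ref` of an `AWS::ElastiCache::CacheCluster` returning the cluster name. The `ClusterReadPolicy` resource, its single action and the output name are assumptions chosen for illustration, and the cluster is trimmed to its required properties.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # Cluster from the question, reduced to required properties (assumption:
  # the subnet group and security group are omitted here for brevity).
  ElasticacheCluster:
    Type: AWS::ElastiCache::CacheCluster
    Properties:
      Engine: redis
      CacheNodeType: cache.t2.micro
      NumCacheNodes: '1'

  # Hypothetical identity-based policy scoped to this one cluster.
  ClusterReadPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Read-only describe access to a single cache cluster
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            # One named ElastiCache action instead of a service-wide wildcard.
            Action: elasticache:DescribeCacheClusters
            # ${ElasticacheCluster} is an implicit Ref, which resolves to the
            # cluster name and fills the last ARN segment. No literal region
            # or account ID appears in the template.
            Resource: !Sub 'arn:${AWS::Partition}:elasticache:${AWS::Region}:${AWS::AccountId}:cluster:${ElasticacheCluster}'

Outputs:
  # Hypothetical output so other stacks or tooling can read the built ARN.
  ElasticacheClusterArn:
    Description: Cluster ARN built from pseudo parameters
    Value: !Sub 'arn:${AWS::Partition}:elasticache:${AWS::Region}:${AWS::AccountId}:cluster:${ElasticacheCluster}'
```

Because `!Sub` references the logical ID, CloudFormation also orders the policy after the cluster without an explicit `DependsOn`.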
0

As Anton mentioned, GetAtt only has certain attributes that you can get. Also, the !Ref will return the logical ID of the resource. Have you thought about trying to use the User and/or the UserGroup resources to accomplish what you want?

multicusp
  • it would be best if you add relevant sections from these links in the answer, in that case if these links are unavailable, we would still know what to do – Akber Iqbal Mar 25 '22 at 06:31
  • You mean, for example, constructing the string with a join of different elements, like the user and so on? – Cr4zyTun4 Mar 30 '22 at 13:54