I recently added a resource policy to a stack template that has been applied in our app, and when executing it in CloudFormation I got the error "YAML not well-formed. (line 249, column 21)".
I have marked where line 249 is in the code below.
```yaml
ATMDatabaseSecretResourcePolicy:
  Type: 'AWS::SecretsManager::ResourcePolicy'
  Properties:
    BlockPublicPolicy: true
    SecretId: !Ref ATMDatabase
    ResourcePolicy:
      Version: '2012-10-17'
      Statement:
        - Action: secretsmanager:GetSecretValue
          Effect: Deny
          Principal: '*'
          Resource: '*'
          Condition:
            'StringNotEquals':
              'aws:principalArn':
                - !Sub 'arn:aws:iam::${AWS::AccountId}:role/DA-Deploy'
                - !Sub 'arn:aws:iam::${AWS::AccountId}:role/DA-DEVAdmin'
                - !Sub 'arn:aws:iam::${AWS::AccountId}:role/DA-Support'
                - !Sub 'arn:aws:iam::${AWS::AccountId}:role/DA-Developer'
                - !sub 'arn:aws:iam::${AWS::AccountId}:role/${InstanceIdentifier}-LoanMiddlewareRole'   # line 249
                - !sub 'arn:aws:iam::${AWS::AccountId}:role/${InstanceIdentifier}-LoanAccountRole'
                - !sub 'arn:aws:iam::${AWS::AccountId}:role/${InstanceIdentifier}-AuthorizerRole'
                - !sub 'arn:aws:iam::${AWS::AccountId}:role/${InstanceIdentifier}-AuthenticationRole'
              'aws:sourceVpce':
                Fn::ImportValue:
                  !Sub '${TargetNetworkStack}-AppsVpcId'
```
It seems I can't have more than 4 aws:principalArn values: if I remove lines 249 to 252 and leave only the first 4, the error disappears.
I wonder if there is an alternative to get around this issue, as I need to set more than 4 values for the condition key. I checked the AWS documentation but haven't found anything that mentions a limit on the maximum number of items for a condition key.
The issue is caused because you have `!sub` rather than `!Sub`. CloudFormation is case-sensitive.