【Question title】: CloudFormation Template is invalid: Template format error: Every Outputs member must contain a Value object
【Posted】: 2018-06-21 14:59:15
【Question】:

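I have an AWS IoT chat application whose UI is built with React, and for the AWS configuration I have a setup that is executed with the "serverless deploy" command. When it runs, serverless.yml is executed, and it breaks by throwing the error: CloudFormation Template is invalid: Template format error: Every Outputs member must contain a Value object

The serverless.yml code is as follows: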

resources:
  Resources:
    UserTable:
      Type: "AWS::DynamoDB::Table"
      Properties:
        TableName: "IotChatUsers"
        AttributeDefinitions:
          - AttributeName: identityId
            AttributeType: S
        KeySchema:
          - AttributeName: identityId
            KeyType: HASH
        ProvisionedThroughput:
          ReadCapacityUnits: 5
          WriteCapacityUnits: 5

    ChatTable:
      Type: "AWS::DynamoDB::Table"
      Properties:
        TableName: "IotChatChats"
        AttributeDefinitions:
          - AttributeName: name
            AttributeType: S
        KeySchema:
          - AttributeName: name
            KeyType: HASH
        ProvisionedThroughput:
          ReadCapacityUnits: 5
          WriteCapacityUnits: 5

    ConnectPolicy:
      Type: "AWS::IoT::Policy"
      Properties:
        PolicyName: IotChatConnectPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
          - Effect: "Allow"
            Action:
              - "iot:Connect"
            Resource:
              - "*"

    PublicSubscribePolicy:
      Type: "AWS::IoT::Policy"
      Properties:
        PolicyName: IotChatPublicSubscribePolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
          - Effect: "Allow"
            Action:
              - "iot:Subscribe"
            Resource: { "Fn::Join" : ["",["arn:aws:iot:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":topicfilter/room/public/*"]] }

    PublicReceivePolicy:
      Type: "AWS::IoT::Policy"
      Properties:
        PolicyName: IotChatPublicReceivePolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
          - Effect: "Allow"
            Action:
              - "iot:Receive"
            Resource: { "Fn::Join" : ["",["arn:aws:iot:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":topic/room/public/*"]] }

    UserPool:
      Type: "AWS::Cognito::UserPool"
      Properties:
        UserPoolName: iot_chat_api_user_pool
        AutoVerifiedAttributes:
          - email
        MfaConfiguration: OFF
        Schema:
          - AttributeDataType: String
            Name: email
            Required: true

    ReactAppClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        GenerateSecret: false
        RefreshTokenValidity: 200
        UserPoolId:
          Ref: UserPool

    IdentityPool:
      Type: "AWS::Cognito::IdentityPool"
      Properties:
        IdentityPoolName: iot_chat_api_identity_pool
        AllowUnauthenticatedIdentities: false
        CognitoIdentityProviders:
          - ClientId:
              Ref: ReactAppClient
            ProviderName:
              Fn::GetAtt: UserPool.ProviderName
        SupportedLoginProviders:
          graph.facebook.com: ${self:custom.variables.facebook_app_id}
          accounts.google.com: ${self:custom.variables.google_app_id}

    IdentityPoolAuthRole:
      Type: "AWS::IAM::Role"
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Federated:
                  - "cognito-identity.amazonaws.com"
              Action:
                - "sts:AssumeRoleWithWebIdentity"
              Condition:
                StringEquals:
                  cognito-identity.amazonaws.com:aud:
                    Ref: IdentityPool
                ForAnyValue:StringLike:
                  cognito-identity.amazonaws.com:amr: authenticated
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/AWSIoTDataAccess
        Path: "/"
        Policies:
          - PolicyName: iot-chat-invoke-api-gateway
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - execute-api:Invoke
                  Resource: { "Fn::Join" : ["", ["arn:aws:execute-api:",{"Ref":"AWS::Region"},":",{"Ref":"AWS::AccountId"},":",{"Ref":"ApiGatewayRestApi"},"/*"]] }

    IdentityPoolRoleAttachment:
      Type: AWS::Cognito::IdentityPoolRoleAttachment
      Properties:
        IdentityPoolId:
          Ref: IdentityPool
        Roles:
          authenticated:
            Fn::GetAtt:
              - IdentityPoolAuthRole
              - Arn

    ConfirmUserInvocationPermission:
      Type: AWS::Lambda::Permission
      Properties:
        Action: lambda:InvokeFunction
        FunctionName:
          Fn::GetAtt: AutoConfirmUserLambdaFunction.Arn
        Principal: cognito-idp.amazonaws.com
        SourceArn:
          Fn::GetAtt: UserPool.Arn

  Outputs:
    UserPoolId:
      Description: "The ID of the user pool that is created."
      Value:
        Ref: UserPool

    ReactAppClientId:
      Description: "The ID of the user pool react app client id."
      Value:
        Ref: ReactAppClient

    IdentityPoolId:
      Description: "The ID of the identity pool that is created."
      Value:
        Ref: IdentityPool

    AutoConfirmUserFnArn:
      Description: "The ARN of the Auto Confirm User Lambda function"
      Value:
        Fn::GetAtt:
          - AutoConfirmUserLambdaFunction
          - Arn

    FacebookAppId:
      Description: "Facebook App Id"
      Value: ${self:custom.variables.facebook_app_id}

    GoogleAppId:
      Description: "Google App Id"
      Value: ${self:custom.variables.google_app_id}

I need some insight into what is wrong with serverless.yml that makes it throw this validation error.

Environment Information -----------------------------
     OS:                     win32
     Node Version:           8.9.1
     Serverless Version:     1.25.0

Update:

When parsing the YAML, this is the result for the Outputs node:

"Outputs": {
      "IdentityPoolId": {
        "Description": "The ID of the identity pool that is created.", 
        "Value": {
          "Ref": "IdentityPool"
        }
      }, 
      "FacebookAppId": {
        "Description": "Facebook App Id", 
        "Value": "${self:custom.variables.facebook_app_id}"
      }, 
      "ReactAppClientId": {
        "Description": "The ID of the user pool react app client id.", 
        "Value": {
          "Ref": "ReactAppClient"
        }
      }, 
      "GoogleAppId": {
        "Description": "Google App Id", 
        "Value": "${self:custom.variables.google_app_id}"
      }, 
      "UserPoolId": {
        "Description": "The ID of the user pool that is created.", 
        "Value": {
          "Ref": "UserPool"
        }
      }, 
      "AutoConfirmUserFnArn": {
        "Description": "The ARN of the Auto Confirm User Lambda function", 
        "Value": {
          "Fn::GetAtt": [
            "AutoConfirmUserLambdaFunction", 
            "Arn"
          ]
        }
      }
    }

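Update 2:

Here is the source of the complete application: aws-iot-chat-example

【Question comments】:

  • Do you still get the error if you remove AutoConfirmUserFnArn from the Outputs block?
  • But that is the user confirmation Lambda function, why remove it?
  • Just for testing, to see whether it is the source of the error. I would remove them one at a time to isolate where the error message comes from. One of them is bad.
  • I tried that, but it did not work
  • If you remove the entire Outputs section, do you still get the error?

Tags: amazon-web-services yaml amazon-cloudformation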


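【Answer 1】:

CloudFormation often gives vague or hard-to-trace errors, and it never reports errors with line numbers the way many interpreters/compilers/parsers do. So tracking them down is usually a process of trial and error.

In your case, the error message only says that the error is in the Output section of the template, but it does not say which value is the problem. You have 6 values in that section.

A good troubleshooting technique is to remove items one or two at a time and re-run the template. The output values are just output values - this template does not need them; they instead expose data to other templates later in the creation process. Just remove them as suggested, and use this technique to isolate the field whose value contains the error.

A good sanity check is to remove the entire Outputs section and confirm that the rest of the template creates as expected.

Once you have found the field with the problem, you need to track down the main issue: Every Outputs member must contain a Value object

To solve this, trace the object being referenced back to its source resource or resource attribute. For some reason, these references are not referencing valid objects.

I'll note that in your comments you identified two fields that cause the error. Both appear to use variable references of the form self:custom.variables.google_app_id - these values are not being resolved correctly. Check their source as described above. I suspect they are not being resolved correctly. I don't think that construct is valid CloudFormation syntax.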
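
The isolation step described in this answer can also be done offline by inspecting the Outputs section of the generated template instead of redeploying after each removal. The following is an added example, not part of the original answer or of the aws-iot-chat-example project; `findBadOutputs`, `UNRESOLVED` and `sampleTemplate` are hypothetical names, and the sample template is constructed from the output names in the question.

```javascript
'use strict';

// Serverless Framework variable sources. A string Value that still contains
// one of these was never resolved before reaching CloudFormation.
const UNRESOLVED = /\$\{(self|opt|env|file|cf|s3|ssm)[:(]/;

// Return one entry per Outputs member that CloudFormation would reject or
// that still carries Serverless variable syntax.
function findBadOutputs(template) {
  const outputs = (template && template.Outputs) || {};
  const problems = [];
  for (const [name, member] of Object.entries(outputs)) {
    if (member === null || typeof member !== 'object' || Array.isArray(member)) {
      problems.push({ name, reason: 'member is not an object' });
    } else if (member.Value === undefined || member.Value === null) {
      // This is the case behind "Every Outputs member must contain a Value object".
      problems.push({ name, reason: 'Value is missing or null' });
    } else if (typeof member.Value === 'string' && UNRESOLVED.test(member.Value)) {
      problems.push({ name, reason: 'Value holds an unresolved Serverless variable' });
    }
  }
  return problems;
}

// Constructed sample: the six outputs from the question, with FacebookAppId
// modelled as a variable that resolved to nothing (assumption) and
// GoogleAppId left as the raw variable string.
const sampleTemplate = {
  Outputs: {
    UserPoolId: { Description: 'user pool', Value: { Ref: 'UserPool' } },
    ReactAppClientId: { Description: 'app client', Value: { Ref: 'ReactAppClient' } },
    IdentityPoolId: { Description: 'identity pool', Value: { Ref: 'IdentityPool' } },
    AutoConfirmUserFnArn: {
      Description: 'lambda arn',
      Value: { 'Fn::GetAtt': ['AutoConfirmUserLambdaFunction', 'Arn'] },
    },
    FacebookAppId: { Description: 'Facebook App Id' },
    GoogleAppId: { Description: 'Google App Id', Value: '${self:custom.variables.google_app_id}' },
  },
};

for (const p of findBadOutputs(sampleTemplate)) {
  console.log(p.name + ': ' + p.reason);
}
```

To apply it to a real project, parse the compiled template that `serverless package` writes under `.serverless/` with `JSON.parse` and pass the result to `findBadOutputs`.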
