serverless: Model validation failed (#/EventSourceArn: failed validation constraint for keyword [pattern])

When I want to publish my functions with the latest version of serverless (2.18.0), I get this error for a function using an sqs event with the arn set directly:

Model validation failed (#/EventSourceArn: failed validation constraint for keyword [pattern])

When I try with the previous version (2.16.1), it works fine.

service: my-service

provider:
  name: aws
  runtime: nodejs12.x
  stage: ${opt:stage, 'dev'}
  profile: ${env:AWS_DEFAULT_PROFILE}
  region: eu-west-1
  memorySize: 1024
  timeout: 60
  logRetentionInDays: ${self:custom.${opt:stage, 'dev'}.RetentionInDays}
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - cloudwatch:*
        - cloudformation:*
        - ec2:*
        - events:*
        - iot:*
        - lambda:*
        - rds:*
        - route53:*
        - s3:*
        - sns:*
        - sqs:*
        - tag:*
        - es:*
        - xray:*
        - apigateway:*
        - elasticloadbalancing:*
      Resource: "*"
  vpc: ${self:custom.${opt:stage, 'dev'}.vpc}
  environment:
    NODE_ENV: production
    WIRES_ENV: ${self:custom.${opt:stage, 'dev'}.WIRES_ENV}

custom:
  dev:
    accountId : 0123456789345
    WIRES_ENV: development
    RetentionInDays: 30
    moduleLayer: arn:aws:lambda:eu-west-1:0123456789345:layer:serverless-module-dev:12
    vpc:
      securityGroupIds:
        - sg-xxxxxxxxxxxxxxxxx
      subnetIds:
        - subnet-xxxxxxxxxxxxxxxxx
        - subnet-xxxxxxxxxxxxxxxxx
        - subnet-xxxxxxxxxxxxxxxxx
  prune:
    automatic: true
    number: 3

package:
  individually: true
  exclude:
    - node_modules/**
    - wires.*.json
    - claudia/**
    - core/test/**
    - invoke/**
    - test/**
    - tests/**
    - graphite-storage-schemas/**
    - sources/**
    - scripts/**
    - migrations/**
    - modules/**/test/**
    - '*.js'
    - '.nyc_output/**'
    - '.vscode/**'
    - '.editorconfig'
    - '.eslintignore'
    - '.eslintrc'
    - '.gitignore'
    - '.npmignore'
    - 'jsconfig.json'
    - README.md
    - .DS_Store
    - '**/.DS_Store'
  include:
    - _init.js
    - package.json
    - wires-defaults.json
    - wires.${self:custom.${opt:stage, 'dev'}.WIRES_ENV}.json

functions:
  my-function:
    handler: my-function.handler
    reservedConcurrency: 5
    package:
      individually: true
      include:
        - my-function.js
    layers:
      - ${self:custom.${opt:stage, 'dev'}.moduleLayer}
    events:
      - sqs: arn:aws:sqs:eu-west-1:${self:custom.${opt:stage, 'dev'}.accountId}:${self:custom.${opt:stage, 'dev'}.WIRES_ENV}-test

plugins:
  - serverless-prune-plugin

Serverless Warning --------------------------------------
 
  A valid environment variable to satisfy the declaration 'env:AWS_DEFAULT_PROFILE' could not be found.
 
Serverless: Deprecation warning: Starting with next major version, default value of provider.lambdaHashingVersion will be equal to "20201221"
            More Info: https://www.serverless.com/framework/docs/deprecations/#LAMBDA_HASHING_VERSION_V2
Serverless: Deprecation warning: Starting with next major version, API Gateway naming will be changed from "{stage}-{service}" to "{service}-{stage}".
            Set "provider.apiGateway.shouldStartNameWithService" to "true" to adapt to the new behavior now.
            More Info: https://www.serverless.com/framework/docs/deprecations/#AWS_API_GATEWAY_NAME_STARTING_WITH_SERVICE
Serverless: Packaging service...
Serverless: Excluding development dependencies...
Serverless: Uploading CloudFormation file to S3...
Serverless: Uploading artifacts...
Serverless: Uploading service my-function.zip file to S3 (322.64 KB)...
Serverless: Validating template...
Serverless: Updating Stack...
Serverless: Checking Stack update progress...
CloudFormation - UPDATE_IN_PROGRESS - AWS::CloudFormation::Stack - serverless-dev
CloudFormation - UPDATE_IN_PROGRESS - AWS::S3::BucketPolicy - ServerlessDeploymentBucketPolicy
CloudFormation - UPDATE_COMPLETE - AWS::S3::BucketPolicy - ServerlessDeploymentBucketPolicy
CloudFormation - UPDATE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - UPDATE_COMPLETE - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - UPDATE_IN_PROGRESS - AWS::Lambda::Function - MyDashFunctionLambdaFunction
CloudFormation - UPDATE_COMPLETE - AWS::Lambda::Function - MyDashFunctionLambdaFunction
CloudFormation - CREATE_IN_PROGRESS - AWS::Lambda::Version - MyDashFunctionLambdaVersionpfFLqPl6dceyKRrLZYMakXPRNalRIGvyAl96c2l4nM
CloudFormation - CREATE_IN_PROGRESS - AWS::Lambda::Version - MyDashFunctionLambdaVersionpfFLqPl6dceyKRrLZYMakXPRNalRIGvyAl96c2l4nM
CloudFormation - CREATE_COMPLETE - AWS::Lambda::Version - MyDashFunctionLambdaVersionpfFLqPl6dceyKRrLZYMakXPRNalRIGvyAl96c2l4nM
CloudFormation - UPDATE_IN_PROGRESS - AWS::Lambda::EventSourceMapping - MyDashFunctionEventSourceMappingSQSDevelopmentmeasures
CloudFormation - UPDATE_FAILED - AWS::Lambda::EventSourceMapping - MyDashFunctionEventSourceMappingSQSDevelopmentmeasures
CloudFormation - UPDATE_ROLLBACK_IN_PROGRESS - AWS::CloudFormation::Stack - serverless-dev
CloudFormation - UPDATE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - UPDATE_IN_PROGRESS - AWS::S3::BucketPolicy - ServerlessDeploymentBucketPolicy
CloudFormation - UPDATE_COMPLETE - AWS::S3::BucketPolicy - ServerlessDeploymentBucketPolicy
CloudFormation - UPDATE_COMPLETE - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - UPDATE_IN_PROGRESS - AWS::Lambda::Function - MyDashFunctionLambdaFunction
CloudFormation - UPDATE_COMPLETE - AWS::Lambda::Function - MyDashFunctionLambdaFunction
CloudFormation - UPDATE_COMPLETE - AWS::Lambda::EventSourceMapping - MyDashFunctionEventSourceMappingSQSDevelopmentmeasures
CloudFormation - UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS - AWS::CloudFormation::Stack - serverless-dev
CloudFormation - DELETE_SKIPPED - AWS::Lambda::Version - MyDashFunctionLambdaVersionpfFLqPl6dceyKRrLZYMakXPRNalRIGvyAl96c2l4nM
CloudFormation - DELETE_COMPLETE - AWS::Lambda::EventSourceMapping - MyDashFunctionEventSourceMappingSQSDevelopmentmeasures
CloudFormation - UPDATE_ROLLBACK_COMPLETE - AWS::CloudFormation::Stack - serverless-dev
Serverless: Operation failed!

Installed version

2.18.0

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 28 (11 by maintainers)

Most upvoted comments

It’s worth noting that my accountId is not zero-prefixed and I’m seeing the exact same error. sls print snippet below:

  processor:
    handler: src/processor.process
    timeout: 900
    reservedConcurrency: 10
    layers:
      - arn:aws:lambda:us-east-1:XXXXXXXXXXXX:layer:LambdaInsightsExtension:14
    events:
      - sqs:
          arn: arn:aws:sqs:us-east-1:XXXXXXXXXXXX:processor-queue-dev.fifo

Framework Core: 2.43.1
Plugin: 5.1.3
SDK: 4.2.2
Components: 3.10.0

@throrin19: I had the same problem and according to your serverless.yml, it might be caused by the same cause.

I have noticed, you are also using a custom variable to store your AccountId and it also starts with a 0. Can you try wrapping your AccountId value in single quotes? accountId : '0123456789345'

I believe the value gets interpreted as a number, and all the leading zeroes get removed. You can also confirm it when inspecting the final CloudFormation template which should be a part of your ServerlessDeploymentBucket.

@pgrzesik haha it seems the same. My account ID starts with 0

@pgrzesik We tried this deployment again last night. It failed again and I opened a ticket with AWS. I believe we have found the problem. This is what AWS found had been submitted from their backend tools (I’ve anonymized the account number):

{
  "BatchSize":"10",
  "FunctionName":"arn:aws:lambda:us-east-1:011111111111:function:rdn-ca-prod-addAcceptCase",
  "Enabled":"true",
  "EventSourceArn":"arn:aws:sqs:us-east-1:11111111111:rdn-ca-AddAcceptCaseQueue-prod"
}

Notice that the account ID in FunctionName has a leading zero and is 12 digits long. This is a correct ARN. The SQS queue ARN in the EventSourceArn has no leading 0, meaning it’s 11 digits long and thus is not a correctly formatted ARN.

The reason this doesn’t work in our prod account but does work in our non-prod account? Our prod account is old enough to have an 11 digit account number and needs a leading zero. Our non-prod account is much newer, is a full 12 digits and doesn’t need a leading zero.

I’ve trimmed the serverless.yml down to the relevant chunks:

custom:
  stage: ${opt:stage,'dev'}
  accountIds:
    # unquoted account ID (the configuration that failed)
    prod: 011111111111
  accountId: ${self:custom.accountIds.${self:custom.stage}}
  sqsArnPrefix: "arn:aws:sqs:${self:provider.region}:${self:custom.accountId}:${self:service}-"
  addAcceptCaseQueueArn: "${self:custom.sqsArnPrefix}AddAcceptCaseQueue-${self:custom.stage}"

functions:
  addAcceptCase:
    events:
      - sqs:
          arn: ${self:custom.addAcceptCaseQueueArn}

You can see that while we supplied the leading zero as the variable value, we supplied it as a number, not a string, meaning the leading zero got eaten in a conversion somewhere. We’ll test today, but I’m pretty sure we’ll be okay if we just declare these as strings by putting quotes around the account numbers.

One last thing. This error message is getting written to stdout, not stderr, meaning our CD tooling isn’t picking it up as a failure. This should definitely go to stderr. I think both of these problems would be resolved by doing the appropriate ARN validation you suggested someone put a PR in for.
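A pre-deploy ARN check of the kind this comment asks for could look like the following. It is an added example, not code from the thread or from the Serverless Framework; the function names and the sample template are constructed, with the two mapping ARNs mirroring the payload quoted above.

```javascript
// ARN layout: arn:partition:service:region:account-id:resource
// A numeric account-id field must be exactly 12 digits.
function checkArn(value) {
  // Mask ${...} placeholders so the colons inside them do not split fields.
  const masked = value.replace(/\$\{[^}]*\}/g, '<var>');
  const parts = masked.split(':');
  if (parts.length < 6 || parts[0] !== 'arn') return null; // not an ARN
  const account = parts[4];
  // Empty, "aws", service names and placeholders are legitimate here;
  // only a purely numeric field of the wrong length is reported.
  if (!/^\d+$/.test(account) || account.length === 12) return null;
  return `account id "${account}" has ${account.length} digits, expected 12`;
}

// Walk a JSON template and collect every malformed ARN with its path.
function findBadArns(node, path = '$', findings = []) {
  if (typeof node === 'string') {
    const problem = checkArn(node);
    if (problem) findings.push({ path, value: node, problem });
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => findBadArns(item, `${path}[${i}]`, findings));
  } else if (node && typeof node === 'object') {
    for (const [key, child] of Object.entries(node)) {
      findBadArns(child, `${path}.${key}`, findings);
    }
  }
  return findings;
}

// Constructed sample template (resource names are hypothetical).
const sampleTemplate = {
  Resources: {
    ExampleMapping: {
      Properties: {
        FunctionName: 'arn:aws:lambda:us-east-1:011111111111:function:rdn-ca-prod-addAcceptCase',
        EventSourceArn: 'arn:aws:sqs:us-east-1:11111111111:rdn-ca-AddAcceptCaseQueue-prod',
      },
    },
    ExampleOther: {
      Properties: {
        SourceBucketArn: 'arn:aws:s3:::mybucketname',
        QueueArn: { 'Fn::Sub': 'arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:example-queue' },
      },
    },
  },
};

console.log(findBadArns(sampleTemplate));
```

Running it against the compiled CloudFormation template before deployment, and exiting non-zero when the list is non-empty, gives CD tooling a failure signal that does not depend on which stream the framework writes its error to.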

Found this issue as it was one of the only discussions I could find about this error. I don’t have much to contribute, but I don’t think this is a Serverless issue - we use our own provisioner via boto3.

Properties validation failed for resource MyMWAAEnvironmentName with message: #/SourceBucketArn: failed validation constraint for keyword [pattern] #/ExecutionRoleArn: failed validation constraint for keyword [pattern]

This is for creating a stack for AWS Managed Airflow, which also implements and uses an SQS queue behind the scenes. The values for those two parameters in the template:

"SourceBucketArn": "arn:aws:s3:::mybucketname"
"ExecutionRoleArn": {"Ref": "MyRoleName"}

Just thought I’d post here as it might be related and help troubleshoot.

Closing as it appears source issue was configuration error

Howdy! (Long time listener, first time caller)

I actually figured it out late last night. I believe it was some permissioning issues that were arising as this same error. My queue was made manually as opposed to within the resources section. I rewrote it to be as a resource and created a new queue, and there was no issue then.

I believe it was the access policy of the queue restricting from fetching information about the queue. Might have come along with me having to migrate the serverless role recently and performing the upgrade of the framework in parallel.

But yeah, essentially this error can come up if it’s just access issues as well.

To answer your question, it was matching. 😃

Update - instead of using Ref to get the ARN of the role, I used GetAtt and now I no longer get the error on that one. Doesn’t explain why the bucket string arn is failing validation though.

"ExecutionRoleArn": {"Fn::GetAtt": ["MyRoleName", "Arn"]}

Edit - I was having issues with the bucket arn because apparently it has to start with airflow-. This issue has more details about how to find the root cause of this error: https://github.com/aws-cloudformation/aws-cloudformation-resource-schema/issues/114