Posts

Showing posts with the label Amazon Cloudformation

AWS: Cloud Formation: Is It Possible To Use Multiple "DependsOn"?

Answer: Yes, the DependsOn attribute can take a single string or a list of strings.

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html

Syntax:

    "DependsOn" : [ String, ... ]

This answer comes up first in Google, so I will include how to do multiple DependsOn attributes in YAML, which I found in this answer.

    AnotherProductionResource:
      Type: AWS::CloudFormation::Stack
      Condition: ISProduction
      DependsOn:
        - AResource
        - MyProductionResource
      Properties:
        [...]

Yes, "DependsOn" can take multiple strings. I have listed an example below:

    "DependsOn": [ "S3BucketAppElbLogs", "ElbLogAppBucketPolicy" ]

AWS CloudFormation Template: Is It Possible To Add Many CidrIp As A List?

Answer: Afraid not, as the documentation states it only accepts String and not List, therefore multiple blocks are required. Think of it the same way as ingress rules are created within the web console, one new rule for each CIDR.

Unfortunately, there's no iteration available through CloudFormation's Intrinsic Functions, and as you pointed out, the AWS::EC2::SecurityGroupIngress resource itself only accepts a single String for its CidrIp property. As an alternative, I would recommend choosing an intermediate format to compile down to CloudFormation template JSON using a preprocessor, if/when greater expressive power is needed. You can use a full-featured library like troposphere, but it's also easy enough to code up your own basic preprocessing layer to suit your use-case and programming-language/library preferences. My current choice is a combination of YAML with embedded Ruby (ERB), mostly because I'm already familiar with them. Here's an example templ...

CloudFormation Is Not Authorized To Perform: iam:PassRole On Resource

Answer: While I can't say specifically what happened in your situation, the error message means that the Role/User that CloudFormation used to deploy resources did not have appropriate iam:PassRole permissions.

The iam:PassRole permission is used when assigning a role to resources. For example, when an Amazon EC2 instance is launched with an IAM Role, the entity launching the instance requires permission to specify the IAM Role to be used. This is done to prevent users gaining too much permission. For example, a non-administrative user should not be allowed to launch an instance with an Administrative role, since they would then gain access to additional permissions to which they are not entitled.

In the case of your template, it would appear that CloudFormation is creating a function and is assigning the FnRole permission to that function. However, the CloudFormation template has not been given permission to assign this role to the function. When a CloudFormation te...