!Ref VS !GetAtt | PuglieseWeb

Last updated 6 months ago

Was this helpful?

The !GetAtt (Get Attribute) is a CloudFormation intrinsic function that helps you get the value of an attribute from a resource that has been created in your CloudFormation template.

In the example I showed earlier, !GetAtt NotificationFunction.Arn is getting the ARN (Amazon Resource Name) of a Lambda function named "NotificationFunction".

Here are some common uses of !GetAtt:

The syntax is:

!GetAtt ResourceLogicalName.AttributeName

Where:

ResourceLogicalName: The logical name you gave to the resource in your template
AttributeName: The specific attribute you want to reference

This is particularly useful because:

You don't need to hardcode values
It ensures resources are properly linked together
CloudFormation will automatically resolve the actual value during deployment
It helps maintain dependencies between resources

For example, if you're creating a Lambda function and need to reference it in an EventBridge rule, you would:

Resources:
  # Lambda Function Definition
  NotificationFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: ec2-state-change-handler
      Runtime: nodejs18.x
      Handler: index.handler
      Code:
        ZipFile: |
          exports.handler = async (event) => {
            console.log('Received EC2 state change:', JSON.stringify(event, null, 2));
            return {
              statusCode: 200,
              body: JSON.stringify('Successfully processed EC2 state change')
            };
          };
      Role: !GetAtt LambdaExecutionRole.Arn
      Timeout: 30
      MemorySize: 128

  # Lambda Execution Role
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  # SNS Topic for Notifications
  NotificationTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: ec2-state-change-notifications

  # EventBridge Rule
  EC2StateChangeRule:
    Type: AWS::Events::Rule
    Properties:
      Name: ec2-state-change-rule
      Description: "Rule to monitor EC2 instance state changes"
      EventPattern:
        source:
          - "aws.ec2"
        detail-type:
          - "EC2 Instance State-change Notification"
        detail:
          state:
            - "stopped"
            - "running"
      State: "ENABLED"
      Targets:
        - Arn: !GetAtt NotificationFunction.Arn
          Id: "ProcessEC2StateChangeLambda"
        - Arn: !Ref NotificationTopic
          Id: "NotifyEC2StateChangeSNS"

  # EventBridge IAM Role
  EventBridgeInvokeLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: InvokeLambdaPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: !GetAtt NotificationFunction.Arn

!Ref

The !Ref (Reference) is another CloudFormation intrinsic function that allows you to refer to resources or parameters in your template. It's simpler than !GetAtt because it typically returns a default value for the resource.

For different resource types, !Ref returns different values:

For SNS Topics -> Returns the Topic ARN
For S3 Buckets -> Returns the Bucket name
For Parameters -> Returns the parameter value
For EC2 Instances -> Returns the instance ID

Here are some common examples:

Resources:
  # Creating an SNS Topic
  MyTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: my-notification-topic

  # Creating an SQS Queue
  MyQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: my-queue

  # Using !Ref to reference these resources
  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Environment:
        Variables:
          TOPIC_ARN: !Ref MyTopic     # Gets the Topic ARN
          QUEUE_URL: !Ref MyQueue     # Gets the Queue URL

# Using with Parameters
Parameters:
  EnvironmentName:
    Type: String
    Default: dev

  # Using !Ref with a parameter
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref EnvironmentName  # Gets the parameter value

In our previous EventBridge example:

Targets:
  - Arn: !Ref NotificationTopic    # Gets the SNS Topic ARN
    Id: "NotifyEC2StateChangeSNS"

The key differences between !Ref and !GetAtt:

!Ref gets a default value:

TopicArn: !Ref MyTopic  # Gets Topic ARN

!GetAtt gets a specific attribute:

TopicName: !GetAtt MyTopic.TopicName  # Gets Topic Name specifically

# Getting Lambda Function ARN
LambdaArn: !GetAtt MyLambdaFunction.Arn

# Getting S3 Bucket Domain Name
BucketDomainName: !GetAtt MyS3Bucket.DomainName

# Getting DynamoDB Table Stream ARN
StreamArn: !GetAtt MyDynamoTable.StreamArn

# Getting VPC ID
VpcId: !GetAtt MyVPC.VpcId

# Getting RDS Endpoint Address
DbEndpoint: !GetAtt MyRDSInstance.Endpoint.Address

Resources:
  # Lambda Function Definition
  NotificationFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: ec2-state-change-handler
      Runtime: nodejs18.x
      Handler: index.handler
      Code:
        ZipFile: |
          exports.handler = async (event) => {
            console.log('Received EC2 state change:', JSON.stringify(event, null, 2));
            return {
              statusCode: 200,
              body: JSON.stringify('Successfully processed EC2 state change')
            };
          };
      Role: !GetAtt LambdaExecutionRole.Arn
      Timeout: 30
      MemorySize: 128

  # Lambda Execution Role
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  # SNS Topic for Notifications
  NotificationTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: ec2-state-change-notifications

  # EventBridge Rule
  EC2StateChangeRule:
    Type: AWS::Events::Rule
    Properties:
      Name: ec2-state-change-rule
      Description: "Rule to monitor EC2 instance state changes"
      EventPattern:
        source:
          - "aws.ec2"
        detail-type:
          - "EC2 Instance State-change Notification"
        detail:
          state:
            - "stopped"
            - "running"
      State: "ENABLED"
      Targets:
        - Arn: !GetAtt NotificationFunction.Arn
          Id: "ProcessEC2StateChangeLambda"
        - Arn: !Ref NotificationTopic
          Id: "NotifyEC2StateChangeSNS"

  # EventBridge IAM Role
  EventBridgeInvokeLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: InvokeLambdaPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: !GetAtt NotificationFunction.Arn