Template format error: YAML not well-formed.


Kishore Ponniah

Jan 7, 2019, 11:34:25 AM
to Ansible Project
Hi all,

My CloudFormation template has exceeded the template body limit (more than 51200 bytes), and I am trying to upload it to S3 and deploy using cross account. I used the template_url parameter in the playbook, but it is giving an error. Before adding template_url, I had template_body, which was working fine. I have only replaced template_body with template_url.

Please find the playbook below: 

    - name: create xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles changeset
      cloudformation:
        stack_name: "xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles"
        state: present
        region: "{{ account_config.1 }}"
        aws_access_key: "{{ account_config.0.sts_creds.access_key }}"
        aws_secret_key: "{{ account_config.0.sts_creds.secret_key }}"
        security_token: "{{ account_config.0.sts_creds.session_token }}"
        create_changeset: true
        changeset_name: "{{ cf_changeset_name }}"
        template_parameters: "{{ account_config.0.account_config.stacks['xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles'].params }}"
        termination_protection: no
        tags: "{{ global_tags | combine(account_config.0.account_config.stacks['xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles'].override_tags, recursive=True) }}"
      loop: "{{ assumed_roles_with_account_config.results|subelements('account_config.regions', skip_missing=True) }}"
      loop_control:
        loop_var: account_config
        label: "{{ account_config.0.account_config.account_alias }}:{{ account_config.1 }}"
      tags:
        rxgt-ps-identity-stack-deploy

    - name: create xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles stack
      cloudformation:
        stack_name: "xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles"
        state: present
        region: "{{ account_config.1 }}"
        aws_access_key: "{{ account_config.0.sts_creds.access_key }}"
        aws_secret_key: "{{ account_config.0.sts_creds.secret_key }}"
        security_token: "{{ account_config.0.sts_creds.session_token }}"
        create_changeset: false
        changeset_name: "{{ cf_changeset_name }}"
        template_parameters: "{{ account_config.0.account_config.stacks['xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles'].params }}"        
        termination_protection: no
        tags: "{{ global_tags | combine(account_config.0.account_config.stacks['xx-xxxx-xxxx-xxxxxx-iam-atlas-developer-roles'].override_tags, recursive=True) }}"
      # Convert to a list of dicts duplicated per region. See https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#subelements-filter
      loop: "{{ assumed_roles_with_account_config.results|subelements('account_config.regions', skip_missing=True) }}"
      loop_control:
        loop_var: account_config
        label: "{{ account_config.0.account_config.account_alias }}:{{ account_config.1 }}"
      when: with_stack_deploy
      tags:
        rxgt-ps-identity-stack-deploy

Kishore Ponniah

Jan 7, 2019, 11:38:12 AM
to Ansible Project
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.exceptions.ClientError: An error occurred (ValidationError) when calling the CreateChangeSet operation: Template format error: YAML not well-formed. (line 12, column 6)

Karthik Chandrashekar

Jan 7, 2019, 11:38:53 AM
to ansible...@googlegroups.com
It would have shown the line number as well in the error. Please look into the YAML file.

Maybe it could be an issue with an unnecessary tab/space.

Regards,
Karthik.C

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/f737c13e-5b6e-4398-804f-69157e7b2698%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Kishore Ponniah

Jan 7, 2019, 11:48:20 AM
to Ansible Project
Yes, it did show the line number (line 12, column 6). I checked the line with tab and space

    - name: get sts session token

I did not make any update on this section. The only change I made was instead of template_body, I changed to template_url. 

goforawalktwice

Jan 7, 2019, 7:58:08 PM
to Ansible Project
hi, when I paste that YAML to 

https://jsonformatter.org/yaml-validator

it reckons line 22 is a problem - the second -name entry. When I remove from line 22 down it reckons it's valid YAML.

Regards, Straff

Karl Auer

Jan 7, 2019, 8:04:24 PM
to ansible-project
What is the problem that it reports on line 22?

When posting code, please post in a fixed-width font if you can. Makes it easier to check indentation.

Regards, K.



--
Karl Auer

Email  : ka...@2pisoftware.com
Website: http://2pisoftware.com


GPG/PGP : 958A 2647 6C44 D376 3D63 86A5 FFB2 20BC 0257 5816
Previous: F0AB 6C70 A49D 1927 6E05 81E7 AD95 268F 2AB6 40EA

goforawalktwice

Jan 7, 2019, 8:37:43 PM
to Ansible Project
ooops ... the error was due to my copy/paste formatting - the second '-name' got indented too far - fixing that indentation makes it valid YAML according to that site

Kishore Ponniah

Jan 8, 2019, 5:06:31 AM
to Ansible Project
Please find my code below. I checked the code using a YAML validator and it looks like it is valid, but it is still complaining about line 12, column 6.

Any help please?

---
# This playbook builds IAM infrastructure in all configured accounts
- name: Install/Update RXGT Identity account CF templates
  hosts: infrastructure
  tasks:

- name: Install/Update RXGT PS cross account CF templates
  hosts: infrastructure
  tasks:
    # Support using STS temporary creds (optional)
    # See readme.md
    - name: get sts session token
      sts_session_token:
        duration_seconds: "{{ sts_session_duration | default(3600) }}"
        # Support role policy with mandatory MFA
        mfa_serial_number: "{{ sts_mfa_serial_number | default(omit) }}"
        mfa_token: "{{ sts_mfa_token | default(omit) }}"
      register: sts_session_token
      when: with_sts
      tags:
        rxgt-ps-identity-stack-deploy

    - name: retrieve sts credentials
      set_fact:
        sts_access_key: "{{ sts_session_token.sts_creds.access_key }}"
        sts_secret_key: "{{ sts_session_token.sts_creds.secret_key }}"
        sts_session_token: "{{ sts_session_token.sts_creds.session_token }}"
      when: with_sts
      tags:
        rxgt-ps-identity-stack-deploy

    - name: debug role arns
      debug:
        msg: "Assuming role: {{ account_config.sts_role_arn }}"
        verbosity: 1
      loop: "{{ rxgt_identity_account['deploy_accounts']|map('extract', rxgt_identity_account['account_config'])|list }}"
      loop_control:
        loop_var: account_config
        label: "{{ account_config.sts_role_arn }}"
      tags:
        rxgt-ps-identity-stack-deploy

    - name: assume cross account roles
      sts_assume_role:
        role_arn: "{{ account_config.sts_role_arn }}"
        role_session_name: "ansibledeploy"
        duration_seconds: "{{ sts_session_duration | default(3600) }}"
        # Use STS temporary creds or fallback to aws cli/boto creds - see readme.md
        aws_access_key: "{{ sts_access_key | default(omit) }}"
        aws_secret_key: "{{ sts_secret_key | default(omit) }}"
        security_token: "{{ sts_session_token | default(omit) }}"
        # Support role policy with mandatory MFA
        mfa_serial_number: "{{ sts_mfa_serial_number | default(omit) }}"
        mfa_token: "{{ sts_mfa_token | default(omit) }}"
      loop: "{{ rxgt_identity_account['deploy_accounts']|map('extract', rxgt_identity_account['account_config'])|list }}"
      loop_control:
        loop_var: account_config
        label: "{{ account_config.sts_role_arn }}"
      register: assumed_roles_with_account_config
      tags:
        rxgt-ps-identity-stack-deploy

    - name: create rxgt-ps-cross-account-iam-atlas-developer-roles changeset
      cloudformation:
        stack_name: "rxgt-ps-cross-account-iam-atlas-developer-roles"
        state: present
        region: "{{ account_config.1 }}"
        aws_access_key: "{{ account_config.0.sts_creds.access_key }}"
        aws_secret_key: "{{ account_config.0.sts_creds.secret_key }}"
        security_token: "{{ account_config.0.sts_creds.session_token }}"
        create_changeset: true
        changeset_name: "{{ cf_changeset_name }}"
        # Don't pass the cd-deploy-role to CF due to [possible privilege escalation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html)
        # for anyone able to perform stack updates.
        # role_arn: "{{ account_config.0.account_config.pass_role_arn }}"
        template_parameters: "{{ account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].params }}"
        termination_protection: no
        tags: "{{ global_tags | combine(account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].override_tags, recursive=True) }}"
      loop: "{{ assumed_roles_with_account_config.results|subelements('account_config.regions', skip_missing=True) }}"
      loop_control:
        loop_var: account_config
        label: "{{ account_config.0.account_config.account_alias }}:{{ account_config.1 }}"
      tags:
        rxgt-ps-identity-stack-deploy

    - name: create rxgt-ps-cross-account-iam-atlas-developer-roles stack
      cloudformation:
        stack_name: "rxgt-ps-cross-account-iam-atlas-developer-roles"
        state: present
        region: "{{ account_config.1 }}"
        aws_access_key: "{{ account_config.0.sts_creds.access_key }}"
        aws_secret_key: "{{ account_config.0.sts_creds.secret_key }}"
        security_token: "{{ account_config.0.sts_creds.session_token }}"
        create_changeset: false
        changeset_name: "{{ cf_changeset_name }}"
        # Don't pass the cd-deploy-role to CF due to [possible privilege escalation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html)
        # for anyone able to perform stack updates.
        # role_arn: "{{ account_config.0.account_config.pass_role_arn }}"
        template_parameters: "{{ account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].params }}"
        termination_protection: no
        tags: "{{ global_tags | combine(account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].override_tags, recursive=True) }}"
      loop: "{{ assumed_roles_with_account_config.results|subelements('account_config.regions', skip_missing=True) }}"
      loop_control:
        loop_var: account_config
        label: "{{ account_config.0.account_config.account_alias }}:{{ account_config.1 }}"
      when: with_stack_deploy
      tags:
        rxgt-ps-identity-stack-deploy

Dick Visser

Jan 8, 2019, 7:41:40 AM
to ansible...@googlegroups.com
I suspect the issue is introduced by the copy/pasting.
Can you pipe it directly to yamllint and tell us what that says?

Dick



--
Dick Visser
Trust & Identity Service Operations Manager
GÉANT
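
A pre-flight check for the two causes suggested in the replies above (a stray tab or space, and damage from copy/paste), as an added example that is not code from any poster in this thread. It scans a template's raw bytes for characters in the indentation that look like spaces but are not, and reports them in the same 1-based line/column form as the API error. `preflight`, `SUSPECT` and the sample template are constructed for illustration; the 51200-byte figure is the one quoted in the first post.

```python
TEMPLATE_BODY_LIMIT = 51200  # bytes; the template_body limit quoted in the first post

# Characters that render like a space (or like nothing) but are not YAML indentation.
SUSPECT = {"\t": "tab", "\u00a0": "no-break space", "\u200b": "zero-width space"}


def preflight(template_bytes):
    """Return (line, column, message) findings, 1-based like the API error.

    Findings about the whole file use line 0, column 0.
    """
    findings = []
    size = len(template_bytes)
    if size > TEMPLATE_BODY_LIMIT:
        findings.append((0, 0, "%d bytes: over the template_body limit" % size))
    try:
        text = template_bytes.decode("utf-8")
    except UnicodeDecodeError as exc:
        findings.append((0, 0, "not valid UTF-8 at byte %d" % exc.start))
        return findings
    for lineno, line in enumerate(text.split("\n"), start=1):
        # Walk the leading spaces; stop at the first character that is not a space.
        for col, ch in enumerate(line, start=1):
            if ch == " ":
                continue
            if ch in SUSPECT:
                findings.append((lineno, col, SUSPECT[ch] + " in indentation"))
            break
    return findings


# Constructed CloudFormation fragment (not the poster's template).
SAMPLE = (
    b"AWSTemplateFormatVersion: '2010-09-09'\n"
    b"Resources:\n"
    b"  DeveloperRole:\n"
    b"    Type: AWS::IAM::Role\n"
    b"    Properties:\n"
    b"    \tPath: /\n"  # a tab pasted after four spaces
    b"      \xc2\xa0RoleName: developer\n"  # UTF-8 no-break space from a web page
)

if __name__ == "__main__":
    for line, col, message in preflight(SAMPLE):
        print("line %d, column %d: %s" % (line, col, message))
```

The ValidationError is returned by the CreateChangeSet call, so run the check on the template file uploaded to S3 as well as on the playbook.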

Kishore Ponniah

Jan 8, 2019, 8:04:11 AM
to Ansible Project
Hi,

That issue is now fixed by redoing that part of the code, but that introduced another error: S3 error: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4. This is because the S3 bucket is encrypted. I tried to create a temporary unencrypted bucket and it works fine. I found a document and it says "to use KMS with S3 encryption you have to set the signature version to v4 explicitly"

I am not sure where this needs to be updated, as I am running this code from a Cloud9 environment. I guess it is the Python Boto SDK.