Combining AWS_IAM auth and Resource Condition on AWS::Serverless::Function results in SAM translate error

Open ohadbenita opened this issue 5 years ago • 2 comments

Description:

When a condition is defined on a Lambda function in conjunction with AWS_IAM authentication (on the API), SAM translation fails and the template can't be deployed.

Steps to reproduce the issue:

  1. Run sam validate -t on the SAM template attached below.
  2. Remove the condition from the function --> the translation now works.

Observed result: The translation fails.

Expected result: The translation should succeed.

SAM Template:

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Description: Test API template.

# This was added due to an implicit Stage created by SAM referenced in this GitHub issue:
# https://github.com/awslabs/serverless-application-model/issues/191
Globals:
  Api:
    OpenApiVersion: 3.0.1

Parameters:
  StackEnv:
    Description: The stack environment.
    Type: String
    AllowedValues:
      - dev
      - stg

  Universe:
    Description: The universe that this stack is meant for
    Type: String
    AllowedValues:
      - cn
      - ww

  ReleaseName:
    Description: The git sha/identifying code factor for this commit being deployed.
    Type: String


Conditions:
  IsWorldWideUniverse: !Equals [!Ref Universe, ww]


Resources:
  TestApi:
    Condition: IsWorldWideUniverse
    Type: AWS::Serverless::Api
    Properties:
      Name: MyTestApi
      StageName: !Ref StackEnv
      MethodSettings:
        - LoggingLevel: INFO
          MetricsEnabled: true
          ResourcePath: "/*"
          HttpMethod: "*"
      Auth:
        DefaultAuthorizer: AWS_IAM
        InvokeRole: CALLER_CREDENTIALS

  TestApiMapping:
    Condition: IsWorldWideUniverse
    Type: AWS::ApiGateway::BasePathMapping
    DependsOn: TestApiStage
    Properties:
      DomainName: my-domain.com
      RestApiId: !Ref TestApi
      Stage: !Ref StackEnv
      BasePath: market

  TestLambdaFunction:
    Condition: IsWorldWideUniverse
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: TestLambdaFunction
      Handler: code.entrypoint.handler
      Runtime: python3.7
      Role:
        Fn::ImportValue: !Sub lambda-${Universe}-${StackEnv}-test-role-arn
      MemorySize: 128
      Timeout: 120
      CodeUri: ./
      Events:
        Validate:
          Type: Api
          Properties:
            Method: GET
            RestApiId: !Ref TestApi
            Path: test/api

ohadbenita avatar Apr 05 '20 07:04 ohadbenita
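
A pre-flight check for the combination reported in the issue above, as an added example that is not part of the original post or of the SAM project's code. It assumes the template has already been parsed into a dict with `!Ref` in long form; the function names and the `SAMPLE` data are constructed for illustration.

```python
API_TYPE = "AWS::Serverless::Api"
FUNCTION_TYPE = "AWS::Serverless::Function"

def iam_apis(template):
    """Logical IDs of explicit APIs whose DefaultAuthorizer is AWS_IAM.
    Assumption: Globals.Api.Auth applies unless the resource's Auth overrides a key."""
    global_auth = template.get("Globals", {}).get("Api", {}).get("Auth", {})
    found = set()
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == API_TYPE:
            auth = {**global_auth, **res.get("Properties", {}).get("Auth", {})}
            if auth.get("DefaultAuthorizer") == "AWS_IAM":
                found.add(name)
    return found

def find_conditional_iam_functions(template):
    """Return (function, condition, api) for each conditioned function on an AWS_IAM API."""
    apis = iam_apis(template)
    hits = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != FUNCTION_TYPE or "Condition" not in res:
            continue
        for event in res.get("Properties", {}).get("Events", {}).values():
            if event.get("Type") != "Api":
                continue
            rest_api = event.get("Properties", {}).get("RestApiId")
            # Only {"Ref": "<logical id>"} references are resolved here.
            api = rest_api.get("Ref") if isinstance(rest_api, dict) else None
            if api in apis:
                hits.append((name, res["Condition"], api))
    return hits

# Constructed sample: the issue's template cut down to the relevant keys, with
# !Ref written in long form as a CloudFormation-aware YAML loader would yield it.
SAMPLE = {"Resources": {
    "TestApi": {
        "Type": API_TYPE, "Condition": "IsWorldWideUniverse",
        "Properties": {"Auth": {"DefaultAuthorizer": "AWS_IAM",
                                "InvokeRole": "CALLER_CREDENTIALS"}}},
    "TestLambdaFunction": {
        "Type": FUNCTION_TYPE, "Condition": "IsWorldWideUniverse",
        "Properties": {"Events": {"Validate": {
            "Type": "Api",
            "Properties": {"Method": "GET", "Path": "test/api",
                           "RestApiId": {"Ref": "TestApi"}}}}}},
}}

if __name__ == "__main__":
    for fn, cond, api in find_conditional_iam_functions(SAMPLE):
        print(f"{fn}: Condition {cond} + AWS_IAM default authorizer on {api}")
```

A hit only means the template matches the shape reported here; `sam validate` remains the authority on whether translation actually fails.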

I found myself stuck on the same issue.

Did you find a work-around?

gonzalobandeira avatar May 16 '20 10:05 gonzalobandeira

No, there is none AFAIK.

I ended up splitting my SAM templates because of this issue.

ohadbenita avatar May 16 '20 10:05 ohadbenita

Closing in favor of https://github.com/aws/serverless-application-model/issues/2533.

hoffa avatar Nov 03 '22 23:11 hoffa