Description:
Within the Auth object, trying to use SourceVpcWhitelist and finding that intrinsic functions are causing issues with CloudFormation creating or updating a stack.
https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api-auth-object
...
Auth:
  DefaultAuthorizer: AWS_IAM
  ResourcePolicy:
    SourceVpcWhitelist:
      - !Ref VPCEndpoint
...
Steps to reproduce the issue:
Observed result:
Transform AWS::Serverless-2016-10-31 failed with: Internal transform failure.
cfn-lint returns E0001 Error transforming template: expected string or bytes-like object.
Expected result:
CloudFormation updates stack and is able to resolve the intrinsic functions
Note
If you do not use intrinsic functions like !Sub or !Ref this works fine
I have not tried this on the other options. I have tried with CustomStatements and had no issues
👋
Any update on this?
I'm also experiencing this issue, the workaround I have for now is an ugly custom statement.
Auth:
  ResourcePolicy:
    CustomStatements:
      - Effect: Allow
        Principal: '*'
        Action: execute-api:Invoke
        Resource: execute-api:/*
      - Effect: Deny
        Principal: '*'
        Action: execute-api:Invoke
        Resource: execute-api:/*
        Condition:
          StringNotEquals:
            aws:SourceVpce: !Ref VpcEndpoint
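An added example (not part of this thread and not SAM's own code) that applies the workaround above to an already-parsed template: it rewrites an Auth mapping whose SourceVpcWhitelist contains intrinsic functions into equivalent CustomStatements, going beyond the single-endpoint case by folding literal IDs into the same Deny statement. Assumptions: intrinsics are in long form (`{"Ref": ...}`), `rewrite_whitelist` and `intrinsic_key` are hypothetical names, and an intrinsic entry is taken to resolve to a VPC endpoint ID.

```python
import copy

# Constructed sample: the Auth block from the report, in parsed (long) form,
# plus two made-up literal IDs to show mixed input.
SAMPLE_AUTH = {
    "DefaultAuthorizer": "AWS_IAM",
    "ResourcePolicy": {
        "SourceVpcWhitelist": [{"Ref": "VPCEndpoint"}, "vpce-0aaa", "vpc-0bbb"],
    },
}

def is_intrinsic(value):
    """True for the parsed long form of !Ref, !Sub, !GetAtt and similar."""
    if not (isinstance(value, dict) and len(value) == 1):
        return False
    name = next(iter(value))
    return name == "Ref" or name.startswith("Fn::")

def rewrite_whitelist(auth, intrinsic_key="aws:SourceVpce"):
    """Return a copy of an Auth mapping with SourceVpcWhitelist replaced by
    CustomStatements whenever an entry is an intrinsic function."""
    auth = copy.deepcopy(auth)
    policy = auth.get("ResourcePolicy", {})
    entries = policy.get("SourceVpcWhitelist", [])
    if not any(is_intrinsic(e) for e in entries):
        return auth  # literal IDs only: reported to work unchanged
    # All entries go into ONE Deny. Two separate Deny/StringNotEquals
    # statements would each block the sources allowed by the other.
    by_key = {}
    for entry in entries:
        if is_intrinsic(entry):
            key = intrinsic_key  # assumption: resolves to a vpce- ID
        elif entry.startswith("vpce-"):
            key = "aws:SourceVpce"
        else:
            key = "aws:SourceVpc"
        by_key.setdefault(key, []).append(entry)
    del policy["SourceVpcWhitelist"]
    base = {"Principal": "*", "Action": "execute-api:Invoke",
            "Resource": "execute-api:/*"}
    # Keys inside one StringNotEquals block are ANDed, so the Deny applies
    # only when the caller matches none of the listed endpoints or VPCs.
    policy.setdefault("CustomStatements", []).extend([
        {"Effect": "Allow", **base},
        {"Effect": "Deny", **base, "Condition": {"StringNotEquals": by_key}},
    ])
    return auth
```

Pass `intrinsic_key="aws:SourceVpc"` when the referenced resource is a VPC rather than a VPC endpoint.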
Having the same issue. Going to hardcode the vpc until this is solved. I got lucky that it's not an issue for me yet.
I have run into this issue as well.