Invalid CloudFormation Template when use Custom Authorizer ARN

Question

Invalid CloudFormation Template when use Custom Authorizer ARN

aleksdikanski opened this issue 6 years ago · comments

Aleksander Dikanski commented 6 years ago

Hi,

I ran into an issue when using APIG custom authorizers, if the authorizers are not part of the project but are referenced by a ARN

Running serverless deploy will fail with the following error due to invalid parts of the AuthorizerUrl

Serverless Error ---------------------------------------

  An error occurred: RoleApiGatewayAuthorizerdev - Invalid Authorizer URI: :${stageVariables.SERVERLESS_ALIAS}arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789:function:authorizer/invocations. 
  Authorizer URI should be a valid API Gateway ARN that represents a Lambda function invocation..

As an example I have this service, which references a custom authorizer within the project:

#serverless.yml
functions:
  authorize:
    handler: com.serverless.Authorizer
  create:
    handler: com.serverless.CreateHandler
    events:
      - http:
           path: /test
           method: POST
           authorizer: authorize

which results in the correct CF template

"AuthorizeApiGatewayAuthorizerdev": {
  "Type": "AWS::ApiGateway::Authorizer",
  "Properties": {
    "IdentitySource": "method.request.header.Authorization",
    "Name": "authorize-dev",
      "RestApiId": {
        "Ref": "ApiGatewayRestApi"
      },
      "AuthorizerUri": {
        "Fn::Join": [
          "",
          [
            "arn:aws:apigateway:",
            {
              "Ref": "AWS::Region"
            },
            ":lambda:path/2015-03-31/functions/",
            {
              "Fn::GetAtt": [
                "AuthorizeLambdaFunction",
                "Arn"
              ]
            },
            ":${stageVariables.SERVERLESS_ALIAS}",
            "/invocations"
          ]
        ]
      },
      "Type": "TOKEN"
  }
}

Using a referenced custom authorizer (which is supported by serverless framework) produce an erroneous CF template:

functions:
  create:
    handler: com.serverless.CreateHandler
    events:
      - http:
          path: /test
          method: POST
          authorizer: arn:aws:lambda:${self:provider.region}:${opt:account}:function:authorize


“AuthorizeApiGatewayAuthorizerdev": {
  "Type": "AWS::ApiGateway::Authorizer",
  "Properties": {
    "IdentitySource": "method.request.header.Authorization",
    "Name": "authorize-dev",
    "RestApiId": {
      "Ref": "ApiGatewayRestApi"
    },
    "AuthorizerUri": {
      "Fn::Join": [
        "",
        [
          ":${stageVariables.SERVERLESS_ALIAS}",
          "arn:aws:apigateway:",
          {
            "Ref": "AWS::Region"
          },
          ":lambda:path/2015-03-31/functions/",
          "arn:aws:lambda:us-east-1:274712788788:function:authorize”,
          "/invocations"
        ]
      ]
    },
    "Type": "TOKEN"
  }
}

I also noticed null values in the DependsOn section of the Permissions for the custom authorizer lambda, as well as a missing FunctionName, which seem to stem from the similar cause as mentioned in #83

 “AuthorizeLambdaPermissionApiGateway": {
   "Type": "AWS::Lambda::Permission",
   "Properties": {
     "FunctionName": {},
       "Action": "lambda:InvokeFunction",
            "Principal": "apigateway.amazonaws.com"
        },
        "DependsOn": [
            null,
            null
        ]
    }

Frank Schmid · Answer 1 · Wed Feb 14 2018 17:52:03 GMT+0800 (China Standard Time)

@aleksdikanski Good catch. I fully agree that referencing already existing authorizers should be possible and using authorizers that are referenced by only an ARN should be supported.

I will have a look at the PR soon.

Frank Schmid · Answer 2 · Sat Mar 10 2018 18:51:05 GMT+0800 (China Standard Time)

Solved by #102