serverless/serverless

AWS API Gateway: Lack of support for CF intrinsic functions at `functions[].events[].http.authorizer.arn`

Open

#3,212 opened on Feb 8, 2017

View on GitHub
 (67 comments) (44 reactions) (0 assignees)JavaScript (46,915 stars) (5,734 forks)batch import
bug/designcat/aws-event-api-gatewaygood first issuehelp wanted

Description

  • What was the config you used?
functions:
  myFunction:
    handler: handler.myFunction
    events:
      - http:
          ...
          authorizer:
            arn: { "Fn::Join" : [ ":", [ "arn:aws:lambda", { "Ref" : "AWS::Region" }, { "Ref" : "AWS::AccountId" }, "function:myAuthorizer" ] ] }
            ...
  • What stacktrace or error message from your provider did you see?
Serverless: Packaging service...

  Type Error ---------------------------------------------

     functionArn.split is not a function

     For debugging logs, run again after setting the "SLS_DEBUG=*" environment variable.

  Get Support --------------------------------------------
     Docs:          docs.serverless.com
     Bugs:          github.com/serverless/serverless/issues

     Please report this error. We think it might be a bug.

  Your Environment Information -----------------------------
     OS:                 darwin
     Node Version:       4.3.2
     Serverless Version: 1.6.1

Similar or dependent issues:

  • #3129

Additional Data

  • Serverless Framework Version you're using: 1.6.1
  • Operating System: macOS Sierra 10.12.3

Proposed solution:

This report signals two issues:

1. Messed up error reporting (functionArn.split is not a function)

No need to do anything here, as such errors will be handled neatly, once schema is configured for this event (see: https://github.com/serverless/serverless/issues/8018)

2. No support for CF intrinsic functions at authorizer.arn.

See: https://github.com/serverless/serverless/issues/3212#issuecomment-696637248

  1. When arn is passed in object form, require name property (validate it's existence inline, at least it might be hard to validate it with schema, and receive human friendly error message).
  2. When arn is passed in string form and no name is passed. deprecate name resolution with message that it won't be auto-resolved in next major and to have authorizer named, name has to be explicitly set in config

Contributor guide

Tech stack
javascriptnodejsaws
Domain
backendinfrastructurecloud
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
3-5 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
Serverless Framework basicsAWS CloudFormation intrinsic functionsJavaScript/Node.jsYAML configuration
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
The issue describes that the `authorizer.arn` field in the Serverless Framework configuration does not support CloudFormation intrinsic functions like `Fn::Join` and `Ref`. The error occurs because the code expects a string but receives an object. The proposed solution involves two steps: (1) when `arn` is passed as an object, require the `name` property; (2) when `arn` is a string and no `name` is passed, deprecate auto resolution. To implement, examine the code in the AWS provider plugin that processes the `http` event authorizer configuration, specifically around the `authorizer.arn` handling. The issue references comments for further details. Ensure to add validation and deprecation logic as described, and update or add tests.