SourceVpcWhitelist is unable to resolve intrinsic functions

[sanjP10]

Description:

Within the Auth object, trying to use SourceVpcWhitelist and finding that intrinsic functions are causing issues with cloudformation creating or updating a stack.

https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api-auth-object

...
Auth:
  DefaultAuthorizer: AWS_IAM
    ResourcePolicy:
      SourceVpcWhitelist:
        - !Ref VPCEndpoint
...

Steps to reproduce the issue:

1. Create an Serveless::API with a vpc or vpcendpoint
2. Put the above into the Auth section for resource policies

Observed result:
Transform AWS::Serverless-2016-10-31 failed with: Internal transform failure.

cfn-lint returns E0001 Error transforming template: expected string or bytes-like object.

Expected result:

Cloudformation updates stack and is able to resolve the intrinsic functions

Note
If you do not use intrinsic functions like !Sub or !Ref this works fine
I have not tried this on the other options. I have tried with CustomStatements and had no issues

[duartemendes]

👋
Any update on this?
I'm also experiencing this issue, the workaround I have for now is an ugly custom statement.

Auth:
  ResourcePolicy:
    CustomStatements:
      - Effect: Allow
        Principal: '*'
        Action: execute-api:Invoke
        Resource: execute-api:/*
      - Effect: Deny
        Principal: '*'
        Action: execute-api:Invoke
        Resource: execute-api:/*
        Condition:
          StringNotEquals:
            aws:SourceVpce: !Ref VpcEndpoint

[henkesde]

Having the same issue. Going to hardcode the vpc until this is solved. I got lucky that it's not an issue for me yet.

[null-ref-0000]

I have ran into this issue as well.

[ncanibano]

Facing this issue as well. My understanding is this PR: #1395 already fixes the !Ref use-case, but using Fn::ImportValue is still not supported within a SourceVpcWhitelist, is that correct?

[jfuss]

We created a set of new properties to support the Intrinsic use cases: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-api-resourcepolicystatement.html#sam-api-resourcepolicystatement-IntrinsicVpcWhitelist

This is not supported in SourceVpc* properties because SAM does some regex's on the value in order to determine if the statements is for VPC or VPCE. The solution is to move towards the new properties for intrinsic usage.

Closing