aws · prenx4x · Nov 6, 2020 · Nov 6, 2020 · Nov 6, 2020
@@ -930,6 +930,12 @@ def _set_default_authorizer(
         if not default_authorizer:
             return
 
+        if not isinstance(default_authorizer, string_types):
+            raise InvalidResourceException(
+                self.logical_id,
+                "DefaultAuthorizer is not a string.",
+            )
+
         if not authorizers.get(default_authorizer) and default_authorizer != "AWS_IAM":
             raise InvalidResourceException(
                 self.logical_id,

@@ -889,6 +889,11 @@ class Cognito(PushEventSource):
     def resources_to_link(self, resources):
         if isinstance(self.UserPool, dict) and "Ref" in self.UserPool:
             userpool_id = self.UserPool["Ref"]
+            if not isinstance(userpool_id, string_types):
+                raise InvalidEventException(
+                    self.logical_id,
+                    "Ref in Userpool is not a string.",
+                )
             if userpool_id in resources:
                 return {"userpool": resources[userpool_id], "userpool_id": userpool_id}
         raise InvalidEventException(

@@ -0,0 +1,18 @@
+Resources:
+  UserPool:
+    Type: AWS::Cognito::UserPool
+
+  ImplicitApiFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: s3://sam-demo-bucket/member_portal.zip
+      Handler: index.gethtml
+      Runtime: nodejs12.x
+      Events:
+        OneTrigger:
+          Type: Cognito
+          Properties:
+            UserPool: 
+              Ref:
+                - NotAString
+            Trigger: PreSignUp
@@ -0,0 +1,48 @@
+Resources:
+  MyApi:
+    Type: "AWS::Serverless::Api"
+    Properties:
+      StageName: Prod
+      Auth:
+        DefaultAuthorizer:
+          - NotAString
+        ApiKeyRequired: true
+        Authorizers:
+          MyLambdaTokenAuth:
+            FunctionPayloadType: TOKEN
+            FunctionArn: arn:aws
+            FunctionInvokeRole: arn:aws:iam::123456789012:role/S3Access
+            Identity:
+              Header: MyCustomAuthHeader
+              ValidationExpression: mycustomauthexpression
+              ReauthorizeEvery: 20
+
+  StateMachine:
+    Type: AWS::Serverless::StateMachine
+    Properties:
+      Name: MyStateMachine
+      Type: STANDARD
+      Definition:
+        Comment: A Hello World example of the Amazon States Language using Pass states
+        StartAt: Hello
+        States:
+          Hello:
+            Type: Pass
+            Result: Hello
+            Next: World
+          World:
+            Type: Pass
+            Result: World
+            End: true
+      Policies:
+        - Version: "2012-10-17"
+          Statement:
+            - Effect: Deny
+              Action: "*"
+              Resource: "*"
+      Events:
+        WithNoAuthorizer:
+          Type: Api
+          Properties:
+            Path: /startNoAuth
+            Method: post
@@ -0,0 +1,3 @@
+{
+  "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. Resource with id [ImplicitApiFunction] is invalid. Event with id [ImplicitApiFunctionOneTrigger] is invalid. Ref in Userpool is not a string."
+}
@@ -0,0 +1,3 @@
+{
+    "errorMessage": "Invalid Serverless Application Specification document. Number of errors found: 1. Resource with id [MyApi] is invalid. DefaultAuthorizer is not a string."
+}
@@ -568,7 +568,9 @@ def _generate_new_deployment_hash(self, logical_id, dict_to_hash, rest_api_to_sw
         "error_state_machine_with_api_auth_none",
         "error_state_machine_with_no_api_authorizers",
         "error_state_machine_with_undefined_api_authorizer",
+        "error_state_machine_with_invalid_default_authorizer",
         "error_cognito_userpool_duplicate_trigger",
+        "error_cognito_userpool_not_string",
         "error_api_duplicate_methods_same_path",
         "error_api_gateway_responses_nonnumeric_status_code",
         "error_api_gateway_responses_unknown_responseparameter",