Transform fails to interpret dynamic references in a `CodeUri` S3 bucket path correctly

[Tristano8]

Description

It is not possible to use {{resolve:...}} syntax (CloudFormation Dynamic References) in an S3 bucket reference in the CodeUri field of (at least) AWS::Serverless::Function. To attach certain (Terraform-provisioned) S3 resources to our Functions' execution roles, we have been using dynamic references to SSM Parameters which provide the S3 bucket paths. Attempts to deploy lambdas that reference these bucket paths fail because Serverless Transform is incorrectly interpolating the CloudFormation Template. It appears that SAM interprets anything until the first / as the S3Bucket and anything after as the S3Key

Steps to reproduce

• Create an S3 bucket and a zip file within it
• Create an SSM Parameter (string type) whose value is the name of the bucket from step (1).
• Declare an AWS::Serverless::Function which lists the S3 path to the file, using {{resolve}}:

ExampleFunction:
  Type: AWS::Serverless::Function
  # Other fields omitted
  CodeUri: "s3://{{resolve:ssm:/name_of_bucket_parameter_from_step_2}}/name_of_file.zip"

• Attempt to deploy.

Observed result

Cloudformation deployment failure with Properties validation failed for resource <FunctionName> with message: #/Code/S3Bucket: failed validation constraint for keyword [pattern].

Processed template looks like this:

"Code": {
          "S3Bucket": "{{resolve:ssm:",
          "S3Key": "name_of_bucket_parameter_from_step_2}}/name_of_file.zip"
        },

Expected result

Serverless Transform would not inspect the string, and pass it through unchanged to be substituted by CloudFormation.

[JackKelly-Bellroy]

It's not clear to me what correct behaviour should be. At the time the transform runs, it cannot know whether the SSM parameter will expand to just a bucket name (meaning it's safe to set the BucketName to the entire dynamic ref, or to a bucket name and then a prefix (meaning there's no way to construct the Code object in the transformed output).

Perhaps the transform should just check for and reject dynamic references in the CodeUri: field and return a more helpful error message? Perhaps ask the developer to use a FunctionCode object when specifying code locations using dynamic references?

[GavinZZ]

Hi thanks for opening up the issue. I can confirm that I can reproduce the issue where the transformed template incorrectly parsed the CodeUri property to something like

"Code": {
          "S3Bucket": "{{resolve:ssm:",
          "S3Key": "name_of_bucket_parameter_from_step_2}}/name_of_file.zip"
        },

Will take a deep dive and update you on this issue.

[GavinZZ]

As a workaround, please use the alternative syntax of CodeUri property. See below for an example

Resources:
  MinimalFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri:
        Bucket: "{{resolve:ssm:/name_of_bucket_parameter_from_step_2}}"
        Key: name_of_file.zip
      Handler: hello.handler
      Runtime: python3.8

[GavinZZ]

Going to create a PR to reject when using dynamic reference in CodeUri string format value like "s3://{{resolve:ssm:/name_of_bucket_parameter_from_step_2}}/name_of_file.zip".

[GavinZZ]

Going to mark this issue as completed. Feel free to re-open it or create a new issue if you have any other questions.