Bug: Fn::GetAtt fails to resolve correctly

[morgan-dgk]

Description:

I am trying to use the GetAtt intrinsic function to retrieve the UserPoolId and ClientId from a UserPoolClient and UserPool resource respectively.

Debug output shows

Unable to resolve property UserPoolId: OrderedDict([('Fn::GetAtt', ['UserPool', 'UserPoolId'])]). Leaving as is.        

Is this a supported feature currently or an area where Intrinsic Function support is limited?

If the latter, it would be great to document these limitations somewhere (unless I have missed them!)

Steps to reproduce:

Run sam local invoke my_func where some properties in template.yaml rely on Fn::GetAtt.

Observed result:

Expected result:

!GetAtt should return the specified attribute for the given resource.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

1. OS: Linux
2. sam --version: SAM CLI, version 1.113.0
3. AWS region: us-east-2

# Paste the output of `sam --info` here
{
  "version": "1.113.0",
  "system": {
    "python": "3.11.8",
    "os": "Linux-6.8.1-arch1-1-x86_64-with-glibc2.39"
  },
  "additional_dependencies": {
    "docker_engine": "25.0.4",
    "aws_cdk": "Not available",
    "terraform": "Not available"
  },
  "available_beta_feature_env_vars": [
    "SAM_CLI_BETA_FEATURES",
    "SAM_CLI_BETA_BUILD_PERFORMANCE",
    "SAM_CLI_BETA_TERRAFORM_SUPPORT",
    "SAM_CLI_BETA_RUST_CARGO_LAMBDA"
  ]
}

Add --debug flag to command you are running

[mildaniel]

Hey @morgan-dgk, like you mentioned, resolving that intrinsic isn't something currently supported. It is probably a good idea to document which cases are/aren't supported like you mentioned. Let me bring this to the team to see what we can do.

[morgan-dgk]

Just wondering if there are any suggested workarounds for this currently?

In my example, I would like to attach a Lambda Authorizer to a HTTP api using a lambda function defined in the SAM template like so:

LambdaAuthorizerFunc:
    Type: AWS::Serverless::Function
    Properties:
      Handler: src/layers/custom_auth/custom_auth.authorize
      Runtime: nodejs20.x
      Architectures:
        - x86_64
      MemorySize: 128
      Timeout: 100

  API:
    Type: AWS::Serverless::HttpApi
    Properties:
      Auth:
        Authorizers:
          LambdaAuthorizer:
            AuthorizerPayloadFormatVersion: 2.0
            FunctionArn: 
              !GetAtt:
                - LambdaAuthorizerFunc
                - ARN
            Identity:
              Headers:
                - "context" 

However, as !GetAtt does not correctly resolve, this fails.

[mildaniel]

This case should already be supported. Can you try changing the

!GetAtt:
   - LambdaAuthorizerFunc
   - ARN

to

!GetAtt:
   - LambdaAuthorizerFunc
   - Arn

[morgan-dgk]

This case should already be supported. Can you try changing the

!GetAtt:
   - LambdaAuthorizerFunc
   - ARN

to

!GetAtt:
   - LambdaAuthorizerFunc
   - Arn

Duh, apologies on my oversight. Debug log still shows this failing after correcting attribute name:

2024-05-01 14:37:15,549 | This Integration URI format is not supported: {'Fn::GetAtt:': ['LambdaAuthorizerFunc', 'Arn']}                                                                                             
2024-05-01 14:37:15,550 | Extracted Function ARN: None                                                                                                                                                               
2024-05-01 14:37:15,550 | Unable to parse the Lambda ARN for Authorizer 'LambdaAuthorizer', skipping   

[mildaniel]

There also shouldn't be the colon after the !GetAtt (I missed that the first time). So it should be

!GetAtt
   - LambdaAuthorizerFunc
   - Arn

[morgan-dgk]

Ok, that seems to have fixed it. Thank you very much for your help.