Feature request: Resolve AWS::Include transform intrinsic for DefinitionBody in validate

[kirill-andr]

Description:

Error: Auth works only with inline Swagger specified in 'DefinitionBody' property.
It seems that this has already been discussed in 2021, but it is still appearing the the latest SAM.
sam validate treats Auth and DefinitionUri as invalid for resource AWS::Serverless::Api.
Has this issue been solved or is it still ongoing? Seems like there were patches in place to address this.

Steps to reproduce:

This will throw an error:

  ApiGatewayRestApiAnalitiqBackend:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Auth:
        DefaultAuthorizer: CognitoAuthorizer
        Authorizers:
          CognitoAuthorizer:
            UserPoolArn: !Ref CognitoUserPoolArn
            IdentitySource: method.request.header.Authorization
      DefinitionUri: 'api-slack.yaml'

This will not:

  ApiGatewayRestApiAnalitiqBackend:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Auth:
        DefaultAuthorizer: CognitoAuthorizer
        Authorizers:
          CognitoAuthorizer:
            UserPoolArn: !Ref CognitoUserPoolArn
            IdentitySource: method.request.header.Authorization
      DefinitionBody:
        'Fn::Transform':
          Name: 'AWS::Include'
          Parameters:
            Location:

Observed result:

sam validate warns:

"Auth works only with inline Swagger specified in 'DefinitionBody' property."

Expected result:

SAM should validate the template with API definition included as DefinitionUri as well as DefinitionBody. Especially if both refer to local file.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

1. OS: iOS Sonoma
2. sam --version: 1.12.0
3. AWS region: eu-central-1

# Paste the output of `sam --info` here

{
  "version": "1.123.0",
  "system": {
    "python": "3.12.5",
    "os": "macOS-14.6.1-arm64-arm-64bit"
  },
  "additional_dependencies": {
    "docker_engine": "Not available",
    "aws_cdk": "Not available",
    "terraform": "Not available"
  },
  "available_beta_feature_env_vars": [
    "SAM_CLI_BETA_FEATURES",
    "SAM_CLI_BETA_BUILD_PERFORMANCE",
    "SAM_CLI_BETA_TERRAFORM_SUPPORT",
    "SAM_CLI_BETA_RUST_CARGO_LAMBDA"
  ]
}

[hnnasit]

Hi @kirill-andr, thanks for opening the issue. Do you have a link to the previous discussion you mentioned? Let me check with the team what's the right behavior here.

[lucashuy]

Hi, using Auth with DefinitionUri is an existing limitation, as the template would need to be fully transformed before Cloudformation can utilize the authorizers. This is apart of the reason why DefinitionBody is recommended, however in the context of sam validate, SAM CLI does not currently resolve the transform intrinsic locally.

When using DefinitionBody, you can use sam validate --lint to validate the rest of the template contents, but this will not validate the API definition file contents.

I can mark this as a feature request in the mean time.