From 46fa7a44589d398eb8d6d207a9d8ca249a2158b1 Mon Sep 17 00:00:00 2001
From: Kevin DeJong
Date: Thu, 26 Sep 2024 14:01:34 -0700
Subject: [PATCH] Exception for lambda authorizer uri (#3720)

* Exception for lambda authorizer uri

* Remove exceptions in I3042 and allow lambda auth uri
---
 .../rules/resources/HardCodedArnProperties.py | 21 ++++---------------
 .../bad/hard_coded_arn_properties.yaml | 8 -------
 .../properties/hard_coded_arn_properties.yaml | 8 +++++++
 .../resources/test_hardcodedarnproperties.py | 2 +-
 4 files changed, 13 insertions(+), 26 deletions(-)

diff --git a/src/cfnlint/rules/resources/HardCodedArnProperties.py b/src/cfnlint/rules/resources/HardCodedArnProperties.py
index 0fce8446a2..a88329e9a8 100644
--- a/src/cfnlint/rules/resources/HardCodedArnProperties.py
+++ b/src/cfnlint/rules/resources/HardCodedArnProperties.py
@@ -47,11 +47,6 @@ def __init__(self):
 "type": "boolean",
 },
 }
- self.exceptions = {
- "AWS::ApiGateway::Authorizer": [
- ["Properties", "AuthorizerUri"],
- ]
- }
 self.configure()
@@ -102,17 +97,6 @@ def match(self, cfn: Template) -> RuleMatches:
 path = ["Resources"] + parameter_string_path[:-1]
 candidate = parameter_string_path[-1]
- resource_name = path[1]
- _type = cfn.template.get("Resources", {}).get(resource_name, {}).get("Type")
- is_exception = False
- if _type in self.exceptions:
- for exception in self.exceptions[_type]:
- if all(x[0] == x[1] for x in zip(path[2:], exception)):
- is_exception = True
- if is_exception:
- continue
-
 # ruff: noqa: E501
 # !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
 # is valid even with aws as the account #. This handles empty string 
@@ -135,8 +119,11 @@ def match(self, cfn: Template) -> RuleMatches:
 " incorrectly placed Pseudo Parameters"
 )
 matches.append(RuleMatch(path, message.format(path[1])))
+
+ # Lambda is added for authorizer's Uniform Resource Identifier (URI)
+ # https://github.com/aws-cloudformation/cfn-lint/issues/3716
 if self.config["accountId"] and not re.match(
- r"^\$\{\w+}|\$\{AWS::AccountId}|aws|$", candidate[2]
+ r"^\$\{\w+}|\$\{AWS::AccountId}|aws|lambda|$", candidate[2]
 ):
 message = (
 "ARN in Resource {0} contains hardcoded AccountId in ARN or"
diff --git a/test/fixtures/templates/bad/hard_coded_arn_properties.yaml b/test/fixtures/templates/bad/hard_coded_arn_properties.yaml
index f57b35b6c7..de51db2922 100644
--- a/test/fixtures/templates/bad/hard_coded_arn_properties.yaml
+++ b/test/fixtures/templates/bad/hard_coded_arn_properties.yaml
@@ -77,11 +77,3 @@ Resources:
 - !Sub arn:${AWS::Partition}:sns:${AWS::Partition}:${AWS::AccountId}:TestTopic
 Roles:
 - !Ref SampleRole
-
- Authorizer:
- Type: AWS::ApiGateway::Authorizer
- Properties:
- AuthorizerUri: !Sub arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:Name/invocations
- RestApiId: RestApiId
- Type: REQUEST
- Name: !Sub arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:Name/invocations
diff --git a/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml b/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml
index 2ad971962a..0250c3225b 100644
--- a/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml
+++ b/test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml
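Review bot: The widened pattern on the `+ r"^\$\{\w+}|\$\{AWS::AccountId}|aws|lambda|$", candidate[2]` line exempts every ARN in the template whose account segment starts with `lambda`, not only `AWS::ApiGateway::Authorizer` URIs, because the per-resource `self.exceptions` table that previously scoped the allowance is removed in the same commit. Since `re.match` anchors only at the start and only the final empty alternative carries `$`, a value merely prefixed with `aws` or `lambda` also passes (pre-existing for `aws`). If `candidate[2]` is always the bare account segment, anchoring the whole alternation keeps the new allowance exact: `r"^(\$\{\w+}|\$\{AWS::AccountId}|aws|lambda)?$"`. The added comment should also state the new scope, e.g. `# "lambda" is the account segment of API Gateway authorizer/integration URIs; accepted for every ARN now that the per-resource exception table is gone`. `match()` begins and ends outside this hunk.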
@@ -6,3 +6,11 @@ Resources:
 RestApiId: RestApiId
 Type: REQUEST
 Name: Name
+ Stack:
+ Type: AWS::CloudFormation::Stack
+ DeletionPolicy: Delete
+ UpdateReplacePolicy: Delete
+ Properties:
+ TemplateURL: !Sub https://s3_bucket_name.s3.${AWS::Region}.amazonaws.com/template.yaml
+ Parameters:
+ AuthorizerUri: !Sub arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:FunctionName/invocations
diff --git a/test/unit/rules/resources/test_hardcodedarnproperties.py b/test/unit/rules/resources/test_hardcodedarnproperties.py
index 2b7b1fce92..bee996d3e7 100644
--- a/test/unit/rules/resources/test_hardcodedarnproperties.py
+++ b/test/unit/rules/resources/test_hardcodedarnproperties.py
@@ -71,7 +71,7 @@ def test_file_negative_region(self):
 def test_file_negative_accountid(self):
 self.helper_file_negative(
 "test/fixtures/templates/bad/hard_coded_arn_properties.yaml",
- 2,
+ 1,
 ConfigMixIn(
 [],
 include_experimental=True,
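Review bot: Lowering the expected count on the `+ 1,` line leaves no negative case for the broadened `lambda` allowance: the `Authorizer` block deleted from `test/fixtures/templates/bad/hard_coded_arn_properties.yaml` was the only fixture near that code path, and the new `Stack` entry in the good fixture only proves that the pseudo-parameter form is accepted. A bad-fixture resource whose inner Lambda function ARN carries a literal 12-digit account id (with this count raised to match) would pin that the rule still reports a hard-coded account inside an authorizer or integration URI; as written, the regex change is exercised only on the accepting side. The `self.helper_file_negative(` call continues outside the hunk.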