sam build incorrectly using SSM parameter

[chizou]

I have the following template snippet:

Parameters:
  OrgFunctionsArn:
    Default: /layers/orgfunctions
    Description: SSM Name of the orgfunctions ARN
    Type: AWS::SSM::Parameter::Value<String>

  CfDeployer:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: lambdas/cf_deployer/
      Layers:
        - !Ref OrgFunctionsArn
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: "sts:AssumeRole"
              Resource: "*"
      Timeout: 300

Running this: sam build -b build -s $(pwd)
Returns this error: Error: /layers/orgfunctions is an Invalid Layer Arn.

If I run sam package, it seems to work correctly.

$ sam --version
SAM CLI, version 0.18.0

[chizou]

The issue seems to stem from this: https://github.com/awslabs/aws-sam-cli/blob/3370cbff3401f76a5aa23ef86f2d332e90386d7e/samcli/commands/local/lib/sam_function_provider.py#L260-L262

IMHO, the Ref check is being too limited in only allowing AWS::Serverless::LayerVersion or AWS::Lambda::LayerVersion. Why shouldn't I be able to specify an ARN via a parameter?

As a workaround, I was able to get it working by replacing Ref with Sub:

  CfDeployer:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: lambdas/cf_deployer/
      Layers:
        - Fn::Sub: "${OrgFunctionsArn}"
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: "sts:AssumeRole"
              Resource: "*"
      Timeout: 300

On that note, I did also notice the additional unexpected behaviour:

1. Using - !Sub: "${OrgFunctionsArn}" gave this error:

Template Error: Encountered unsupported function: Fn::Sub: Supported functions are: [Fn::Base64, Fn::GetAtt, Fn::GetAZs, Fn::ImportValue, Fn::Join, Fn::Split, Fn::FindInMap, Fn::Select, Ref, Fn::Equals, Fn::If, Fn::Not, Condition, Fn::And, Fn::Or, Fn::Contains, Fn::EachMemberEquals, Fn::EachMemberIn, Fn::ValueOf, Fn::ValueOfAll, Fn::RefAll, Fn::Sub, Fn::Cidr]

2. Using - Sub: "${OrgFunctionsArn}" gave this error in the CloudFormation console: Value of property Layers must be of type List of String. Admittedly, I'm not strong on yaml so maybe that isn't a list of string.

[jfuss]

Why shouldn't I be able to specify an ARN via a parameter?

This is supported already. You !Ref the parameter but you need to pass it into the command through --parameter-overrides

We resolve parameters on build, so in order for the Ref to resolve you need to pass the value in through --parameter-overrides option. This 'works' for package because package does not try to do anything fancy with the template. I updates the CodeUri/Code/etc Properties and replaces with the S3 location.

[chizou]

Doesn't this mean that default parameters can't be used?

[jfuss]

Default parameter can be used. In your example, the default is /layers/orgfunctions. That is not an arn and why if fails the validation.

[chizou]

Right, but /layers/orgfunctions is a valid SSM parameter, which is the Parameters type. Why would sam build try to use the literal value? If the parameter Type: is one of the AWS:SSM:* types, it shouldn't try to interpolate it. It should just pass it on to CloudFormation to let the CloudFormation handle that processing.

[jfuss]

We don't do interpolation or reach out to the cloud to resolve. So the default is read and interpreted as the default value. The way forward is to override this behavior with the --parameter-overrides option.

This is also a duplicate of #1069.

Closing in favor of the other.