AWS::ApiGatewayV2::Api - GetAtt-Arn

[iconara]

Scope of request

AWS::ApiGatewayV2::Api does not support GetAtt.

Expected behavior

It should be possible to use GetAtt with a AWS::ApiGatewayV2::Api to get the ARN of the resource, e.g. !GetAtt MyApi.Arn.

Suggest specific test cases

Resources:
  Api:
    Type: AWS::ApiGatewayV2::Api
    Properties:
      Name: Lambda Proxy
      Description: Lambda proxy using quick create
      ProtocolType: HTTP
      Target: !Ref Function # this resource has been omitted for brevity

  ApiPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt Function.Arn # this resource has been omitted for brevity
      Principal: apigateway.amazonaws.com
      SourceArn: !GetAtt Api.Arn # this does not work

Category (required)

Networking & Content (API GW)

Workaround

You can work around the issue with !Ref:

  ApiPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt Function.Arn # this resource has been omitted for brevity
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub 'arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${Api}/' # Api resource ommitted for brevity

[PatMyron]

@iconara can use Psuedo Parameters as described here to generalize your workaround a bit more:
#68 (comment)
https://stackoverflow.com/a/59362496/4122849

      SourceArn: !Sub arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${Api}

[iconara]

@PatMyron yes, I updated the issue with your suggestion if anyone else comes across this and wants the use the workaround it's better that they use that one.

[simonbuchan]

At the moment only the resource ARN is documented: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonapigateway.html#amazonapigateway-resources-for-iam-policies
So the general form is:

      SourceArn: !Sub arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${Api}/${Stage}/${Method}/${Path}

But you can of course use [...]/${Api}/* to match everything on the API.

I suspect this is why the Arn attribute wasn't added, as technically there isn't an API ARN: only a common prefix. That said, it would be nice to be able to SourceArn: !Sub ${Api.Arn/*, SourceArn: !Sub ${Stage}/get/* etc...

[simonbuchan]

To elaborate this issue, there are also the "quick create" Stage, Integration and Route implicit resources created when you specify Target on the Api. You need at least the Stage ref in order to create an ApiMapping when you are providing a domain name. Presumably this would allow simplifying a lot of templates.