Impossible to use intrinsic functions in S3 triggering event

[MaxTeiger]

Description:

The use of intrinsic functions in S3 triggering event does not work when deploying in AWS.
I tried to build and deploy my application from the following template:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Parameters:
  S3EventParam:
    Type: CommaDelimitedList
    Default: s3:ObjectCreated:*
    Description: The S3 events on which the function must be triggered 
  PrefixParam:
    Type: String
    Default: '*'
    Description: The prefix in the name of each file for which the function must trigger
  SuffixParam:
    Type: String
    Default: '*'
    Description: The suffix in the name of each file for which the function must trigger

Globals:
  Function:
    Timeout: 3
    Runtime: nodejs12.x
    CodeUri: functions
    MemorySize: 128

Resources:
  S3EventFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: app.handler
      Events:
        BucketEvent1:
          Type: S3
          Properties:
            Bucket:
              Ref: SrcBucket
            Events:
              !Ref S3EventParam
            Filter:
              S3Key:
                Rules:
                  - Name: prefix
                    Value: !Ref PrefixParam
                  - Name: suffix
                    Value: !Ref SuffixParam
  LambdaInvokePermission:
    Type: 'AWS::Lambda::Permission'
    Properties:
      FunctionName: !GetAtt S3EventFunction.Arn
      Action: 'lambda:InvokeFunction'
      Principal: 's3.amazonaws.com'
      SourceAccount: !Sub ${AWS::AccountId}
      SourceArn: !GetAtt SrcBucket.Arn
  SrcBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption: 
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms

Steps to reproduce the issue:
Use sam build and sam deploy with the previous template and a dummy hello world function in NodeJS

I am using SAM CLI version 1.2.0 for Windows 10

Observed result:

I get the error The event is not supported for notifications when SAM deploys the bucket. In AWS Console, the generated cloudformation template looks like this:

        "NotificationConfiguration": {
          "LambdaConfigurations": [
            {
              "Function": {
                "Fn::GetAtt": [
                  "S3EventFunction",
                  "Arn"
                ]
              },
              "Filter": {
                "S3Key": {
                  "Rules": [
                    {
                      "Name": "prefix",
                      "Value": {
                        "Ref": "PrefixParam"
                      }
                    },
                    {
                      "Name": "suffix",
                      "Value": {
                        "Ref": "SuffixParam"
                      }
                    }
                  ]
                }
              },
              "Event": "Ref"
            }
          ]
        }
      },
      "DependsOn": [
        "S3EventFunctionBucketEvent1Permission"
      ]

The value for Event is Ref and doesn't use the parameter value. I tried with other function such as !Sub, Fn:Sub or !Ref and the problem remains the same.

Expected result:

The S3 bucket and the lambda function should be deployed using a parameter. Any help is appreciated, thank you very much!

[c2tarun]

Thanks for pointing this out. SAM have a bug here where it is only checking if parameter is of type string or not. A quick fix would be to validate if Events is of type dictionary (which will be for Ref) then simply pass then on, which will make CFN handle this.

[hoffa]

You might be able to get this to work by adding AWS::LanguageExtensions to Transform as such:

Transform:
  - AWS::LanguageExtensions
  - AWS::Serverless-2016-10-31

AWS::LanguageExtensions resolves intrinsic functions if the value is known when Transforms are run.

See #2533 for more information.

[hoffa]

Closing in favor of #2533.