Exception for lambda authorizer uri (#3720)

* Exception for lambda authorizer uri
* Remove exceptions in I3042 and allow lambda auth uri

Author: kddejong

src/cfnlint/rules/resources/HardCodedArnProperties.py

@@ -47,11 +47,6 @@ def __init__(self):
                 "type": "boolean",
             },
         }
-        self.exceptions = {
-            "AWS::ApiGateway::Authorizer": [
-                ["Properties", "AuthorizerUri"],
-            ]
-        }
 
         self.configure()
 
@@ -102,17 +97,6 @@ def match(self, cfn: Template) -> RuleMatches:
             path = ["Resources"] + parameter_string_path[:-1]
             candidate = parameter_string_path[-1]
 
-            resource_name = path[1]
-            _type = cfn.template.get("Resources", {}).get(resource_name, {}).get("Type")
-            is_exception = False
-            if _type in self.exceptions:
-                for exception in self.exceptions[_type]:
-                    if all(x[0] == x[1] for x in zip(path[2:], exception)):
-                        is_exception = True
-
-            if is_exception:
-                continue
-
             # ruff: noqa: E501
             # !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
             # is valid even with aws as the account #.  This handles empty string
@@ -135,8 +119,11 @@ def match(self, cfn: Template) -> RuleMatches:
                     " incorrectly placed Pseudo Parameters"
                 )
                 matches.append(RuleMatch(path, message.format(path[1])))
+
+            # Lambda is added for authorizer's Uniform Resource Identifier (URI)
+            # https://github.com/aws-cloudformation/cfn-lint/issues/3716
             if self.config["accountId"] and not re.match(
-                r"^\$\{\w+}|\$\{AWS::AccountId}|aws|$", candidate[2]
+                r"^\$\{\w+}|\$\{AWS::AccountId}|aws|lambda|$", candidate[2]
             ):
                 message = (
                     "ARN in Resource {0} contains hardcoded AccountId in ARN or"

test/fixtures/templates/bad/hard_coded_arn_properties.yaml

@@ -77,11 +77,3 @@ Resources:
               - !Sub arn:${AWS::Partition}:sns:${AWS::Partition}:${AWS::AccountId}:TestTopic
       Roles:
         - !Ref SampleRole
-
-  Authorizer:
-    Type: AWS::ApiGateway::Authorizer
-    Properties:
-      AuthorizerUri: !Sub arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:Name/invocations
-      RestApiId: RestApiId
-      Type: REQUEST
-      Name: !Sub arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:Name/invocations

test/fixtures/templates/good/resources/properties/hard_coded_arn_properties.yaml

@@ -6,3 +6,11 @@ Resources:
       RestApiId: RestApiId
       Type: REQUEST
       Name: Name
+  Stack:
+    Type: AWS::CloudFormation::Stack
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Properties:
+      TemplateURL: !Sub https://s3_bucket_name.s3.${AWS::Region}.amazonaws.com/template.yaml
+      Parameters:
+        AuthorizerUri: !Sub arn:${AWS::Partition}:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:FunctionName/invocations

test/unit/rules/resources/test_hardcodedarnproperties.py

@@ -71,7 +71,7 @@ def test_file_negative_region(self):
     def test_file_negative_accountid(self):
         self.helper_file_negative(
             "test/fixtures/templates/bad/hard_coded_arn_properties.yaml",
-            2,
+            1,
             ConfigMixIn(
                 [],
                 include_experimental=True,