fix: surface user-facing errors for malformed Auth.securityDefinitions and Domain.AccessAssociation#3923
Merged
roger-zhangg merged 1 commit into May 12, 2026
Conversation
Two malformed-template inputs crashed the SAM transform with unhandled
exceptions, which CloudFormation surfaced as the opaque message
"Transform AWS::Serverless-2016-10-31 failed with: Internal transform
failure.", giving users no indication of which resource or property was
wrong.
1) AWS::Serverless::Api DefinitionBody.securityDefinitions must be a
map of authorizer name to definition, but SwaggerEditor.add_authorizers_security_definitions
indexed self.security_definitions[name] without first checking the
type. A user supplying a list (or other non-map) crashed the
transform. The sibling method add_apikey_security_definition already
guards this case; this change applies the same guard to the
authorizers path so a malformed value raises an
InvalidTemplateException ("securityDefinitions must be a
dictionary.").
2) AWS::Serverless::Api Domain.AccessAssociation must be a map (with
VpcEndpointId), but _generate_domain_access_association called
.get("VpcEndpointId") without first validating the type, so a
string value crashed the transform. Now validates via sam_expect(...)
.to_be_a_map() so a malformed value raises InvalidResourcePropertyTypeException
("Property 'Domain.AccessAssociation' should be a map.") naming the
API logical id.
Tests:
- tests/translator/input/error_api_securitydefinitions_not_dict.{yaml,json}
- tests/translator/input/error_api_domain_access_association_not_dict.{yaml,json}
(auto-discovered by test_transform_invalid_document)
make pr: format-check, lint (ruff + mypy --strict + cfn-lint), 4508
passed, coverage 95.61%.
reedham-aws
approved these changes
May 11, 2026
seshubaws
approved these changes
May 11, 2026
Issue #, if available
N/A
Description of changes
Two malformed-template inputs crashed the SAM transform partway through translation, which CloudFormation surfaced as the opaque message:

"Transform AWS::Serverless-2016-10-31 failed with: Internal transform failure."
The user had no indication of which resource or property was wrong. Both gaps are the same shape: customer input flowed into a property accessor without first being type-checked, so a wrong-shape value (string in place of map, list in place of map) bypassed SAM's normal validation layer.
1. `AWS::Serverless::Api` `DefinitionBody.securityDefinitions` non-map. The OpenAPI/Swagger spec requires `securityDefinitions` to be a map of authorizer name → definition. When SAM merged user-defined `Auth.Authorizers` into a `DefinitionBody` whose `securityDefinitions` was a list (or any other non-map), the merge step failed without a property-level error. The sibling code path for `api_key` security definitions already guards this case via an `isinstance` check; this change applies the same guard to the authorizers code path so the failure surfaces as a `Structure of the SAM template is invalid.` error with the message `securityDefinitions must be a dictionary.`.
2. `AWS::Serverless::Api` `Domain.AccessAssociation` non-map. The `Domain.AccessAssociation` property is documented as a map containing `VpcEndpointId`. When a user passed a bare string (e.g. the VPCE id directly) instead of a map, `_generate_domain_access_association` accessed properties on it without validating the type, so the failure surfaced as the generic transform-failed message instead of a property-level error. Now uses the existing `sam_expect(...).to_be_a_map()` validator (matching how `Domain.MutualTlsAuthentication`, `Domain.Route53`, and `Domain.BasePath` are validated nearby) so the failure surfaces as:

"Property 'Domain.AccessAssociation' should be a map."

After the fix, users see the same class of message SAM emits for other malformed properties.
Description of how you validated changes
- tests/translator/test_translator.py::test_transform_invalid_document:
  - tests/translator/input/error_api_securitydefinitions_not_dict.{yaml,json}
  - tests/translator/input/error_api_domain_access_association_not_dict.{yaml,json}
- make pr end-to-end in a Python 3.10 venv:
  - format-check: black + schema diff + JSON/YAML formatters all clean
  - lint: ruff + mypy --strict + cfn-lint all clean
  - dev (tests): 4508 passed, 0 failed, coverage 95.61% (gate: 95%)

Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
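The pattern behind both fixes, type-check customer input before indexing or calling `.get()` on it so that a wrong-shape value becomes a typed, user-facing error instead of an unhandled `TypeError`/`AttributeError`, as an added example that is not the project's code. The exception classes, the `run_transform` boundary, the resource shape returned for the access association and the sample template fragments are constructed stand-ins, not SAM's own API or output.

```python
"""Added example: guard the shape of user input before property access.

Both code paths in the PR share one defect: a value of the wrong shape
reached an accessor (``x[name]`` or ``x.get(...)``) and the resulting
TypeError/AttributeError escaped the validation layer as an internal
failure. The guarded functions below raise typed exceptions instead.
All names here are hypothetical stand-ins for the SAM translator's own.
"""
from typing import Any, Callable, Dict, Optional


class InvalidTemplateException(Exception):
    """Stand-in for a template-level, user-facing error."""


class InvalidResourcePropertyTypeException(Exception):
    """Stand-in for a property-level, user-facing error naming the resource."""

    def __init__(self, logical_id: str, property_name: str, expected: str) -> None:
        self.logical_id = logical_id
        self.property_name = property_name
        super().__init__(
            f"Resource with id [{logical_id}] is invalid. "
            f"Property '{property_name}' should be a {expected}."
        )


def add_authorizers_security_definitions_unguarded(
    definition_body: Dict[str, Any], authorizers: Dict[str, Any]
) -> Dict[str, Any]:
    """'Before' behaviour: indexes securityDefinitions with no type check.

    A list here raises TypeError ("list indices must be integers"), which
    is not a user-facing error class and so surfaces as an internal failure.
    """
    security_definitions = definition_body.setdefault("securityDefinitions", {})
    for name, authorizer in authorizers.items():
        security_definitions[name] = authorizer
    return definition_body


def add_authorizers_security_definitions(
    definition_body: Dict[str, Any], authorizers: Dict[str, Any]
) -> Dict[str, Any]:
    """'After' behaviour: the same isinstance guard the apiKey path already used."""
    security_definitions = definition_body.setdefault("securityDefinitions", {})
    if not isinstance(security_definitions, dict):
        raise InvalidTemplateException("securityDefinitions must be a dictionary.")
    for name, authorizer in authorizers.items():
        security_definitions[name] = authorizer
    return definition_body


def generate_domain_access_association(
    api_logical_id: str, domain: Dict[str, Any]
) -> Optional[Dict[str, Any]]:
    """Validate Domain.AccessAssociation is a map before reading VpcEndpointId.

    Returns a constructed resource-like dict; the real resource shape is an
    assumption and not part of this example's point.
    """
    access_association = domain.get("AccessAssociation")
    if access_association is None:
        return None
    # The fix: a bare string (e.g. the VPCE id itself) used to hit .get()
    # and raise AttributeError; now it is reported against the API's id.
    if not isinstance(access_association, dict):
        raise InvalidResourcePropertyTypeException(
            api_logical_id, "Domain.AccessAssociation", "map"
        )
    return {
        "LogicalId": f"{api_logical_id}DomainAccessAssociation",
        "VpcEndpointId": access_association.get("VpcEndpointId"),
    }


def run_transform(step: Callable[[], Any]) -> str:
    """Constructed transform boundary: only typed errors reach the user.

    Anything else is reported as the opaque internal failure, which is
    exactly why unguarded accessors hide the real cause from the customer.
    """
    try:
        step()
        return "ok"
    except (InvalidTemplateException, InvalidResourcePropertyTypeException) as exc:
        return f"Structure of the SAM template is invalid. {exc}"
    except Exception:  # noqa: BLE001 - mimic an outer catch-all
        return "Transform AWS::Serverless-2016-10-31 failed with: Internal transform failure."


# Constructed malformed inputs mirroring the two PR cases.
BAD_DEFINITION_BODY: Dict[str, Any] = {"securityDefinitions": ["not", "a", "map"]}
AUTHORIZERS: Dict[str, Any] = {"MyAuthorizer": {"type": "apiKey", "in": "header"}}
BAD_DOMAIN: Dict[str, Any] = {"AccessAssociation": "vpce-placeholder"}
GOOD_DOMAIN: Dict[str, Any] = {"AccessAssociation": {"VpcEndpointId": "vpce-placeholder"}}


def demo_outcomes() -> Dict[str, str]:
    """Run each scenario through the boundary and collect the user-visible text."""
    return {
        "securityDefinitions_before": run_transform(
            lambda: add_authorizers_security_definitions_unguarded(
                dict(BAD_DEFINITION_BODY), AUTHORIZERS)),
        "securityDefinitions_after": run_transform(
            lambda: add_authorizers_security_definitions(
                dict(BAD_DEFINITION_BODY), AUTHORIZERS)),
        "accessAssociation_after": run_transform(
            lambda: generate_domain_access_association("MyApi", BAD_DOMAIN)),
        "accessAssociation_valid": run_transform(
            lambda: generate_domain_access_association("MyApi", GOOD_DOMAIN)),
    }


if __name__ == "__main__":
    for scenario, message in demo_outcomes().items():
        print(f"{scenario}: {message}")
```

The point the boundary makes visible: the guard does not change which templates are rejected (the malformed ones failed before, too); it changes which exception type carries the failure, and only the typed exceptions are mapped to a message that names the property and resource. A regression test for this class of bug therefore asserts on the error class and message, as the PR's `error_*` fixtures do, rather than merely that the transform fails.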