Define Amazon Cognito as authoriser for lambda function in serverless using shared API Gateway

service-a-serverless.yml

service: service-a
frameworkVersion: "3"
provider:
  name: aws
  runtime: nodejs14.x
  region: ap-southeast-1
  stage: dev
  environment:
    API_GATEWAY_NAME: ${self:service}-${sls:stage}-apigw
    API_GATEWAY_ROOT_RESOURCE_ID: ${self:service}-${sls:stage}-apigw-root-resource-id
    API_GATEWAY_ID: ${self:service}-${sls:stage}-apigw-id

Resources:
  ApiGatewayRestApiServiceA:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Description: API Gateway created to be shared by the different microservices
      Name: ${self:provider.environment.API_GATEWAY_NAME}

Outputs:
  ApiGatewayRestApiId:
    Value: !Ref ApiGatewayRestApiServiceA
    Export:
      Name: ${self:provider.environment.API_GATEWAY_ID}

  ApiGatewayRestApiRootResourceId:
    Value:
      Fn::GetAtt:
        - ApiGatewayRestApiServiceA
        - RootResourceId
    Export:
      Name: ${self:provider.environment.API_GATEWAY_ROOT_RESOURCE_ID}

service-b-serverless.yml

service: service-b
frameworkVersion: "3"
provider:
  name: aws
  runtime: nodejs14.x
  region: ap-southeast-1
  stage: dev
  environment:
    COGNITO_USER_POOL: ${self:service}-${sls:stage}-pool
    COGNITO_USER_CLIENT: ${self:service}-${sls:stage}-client
    API_GATEWAY_AUTHORIZER_NAME: ${self:service}-${sls:stage}-auth
    API_GATEWAY_AUTHORIZER_PHYSICAL_ID: ${self:service}-${sls:stage}-auth-physical-id

Resources:
  ServiceBCognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: ${self:provider.environment.COGNITO_USER_POOL}
      AutoVerifiedAttributes:
        - phone_number
      Schema:
        - AttributeDataType: String
          Name: phone_number
          Required: true

  CognitoUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: ${self:provider.environment.COGNITO_USER_CLIENT}
      UserPoolId:
        Ref: ServiceBCognitoUserPool
      ExplicitAuthFlows:
        - ADMIN_NO_SRP_AUTH
      GenerateSecret: false

  ApiGatewayAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      RestApiId: !ImportValue service-a-dev-apigw-id
      Name: ${self:provider.environment.API_GATEWAY_AUTHORIZER_NAME}
      Type: COGNITO_USER_POOLS
      IdentitySource: method.request.header.Authorization
      ProviderARNs:
        - !GetAtt ServiceBCognitoUserPool.Arn
      AuthorizerResultTtlInSeconds: 300

Outputs:
  AuthorizerPhysicalId:
    Value: !Ref ApiGatewayAuthorizer
    Export:
      Name: ${self:provider.environment.API_GATEWAY_AUTHORIZER_PHYSICAL_ID}

service-c-serverless.yml

service: service-c
frameworkVersion: "3"
provider:
  name: aws
  runtime: nodejs14.x
  region: ap-southeast-1
  stage: dev
  apiGateway:
    restApiId: !ImportValue service-a-${sls:stage}-apigw-id
    restApiRootResourceId: !ImportValue service-a-${sls:stage}-apigw-root-resource-id
  environment:
    AUTHORIZER_PHYSICAL_ID: ${cf:zbb-user-${sls:stage}.AuthorizerPhysicalId}

functions:
  hello:
    handler: handler.hello
    timeout: 30
    memorySize: 128
    events:
      - http:
          method: get
          path: hello
          cors:
            origins: "*"
            headers:
              - Content-Type
              - X-Amz-Date
              - Authorization
              - X-Api-Key
              - X-Amz-Security-Token
              - X-Amz-User-Agent
            allowCredentials: false
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId: 
              ${self:provider.environment.AUTHORIZER_PHYSICAL_ID}