Adding condition for IAM resource

Author: Sid Madipalli

samtranslator/model/sam_resources.py

@@ -394,7 +394,7 @@ def to_cloudformation(self, **kwargs):  # type: ignore[no-untyped-def] # noqa: P
             intrinsics_resolver,
             get_managed_policy_map,
         )
-        self._make_lambda_role(lambda_function, intrinsics_resolver, execution_role, resources)
+        self._make_lambda_role(lambda_function, intrinsics_resolver, execution_role, resources, conditions)
 
         try:
             resources += self._generate_event_resources(
@@ -418,6 +418,7 @@ def _make_lambda_role(
         intrinsics_resolver: IntrinsicsResolver,
         execution_role: IAMRole,
         resources: List[Any],
+        conditions: Dict[str, Any],
     ) -> None:
         lambda_role = lambda_function.Role
 
@@ -432,8 +433,17 @@ def _make_lambda_role(
             role_resolved_value = intrinsics_resolver.resolve_parameter_refs(self.Role)
             role_list = role_resolved_value.get("Fn::If")
 
-            # both are none values then we need to create a role
-            if is_intrinsic_no_value(role_list[1]) and is_intrinsic_no_value(role_list[2]):
+            is_both_intrinsic_no_values = is_intrinsic_no_value(role_list[1]) and is_intrinsic_no_value(role_list[2])
+
+            # When either one of the condition is a non no value we need to conditionally
+            # create IAM role, This requires generating a condition that negates the condition check
+            # passed for IAM role creation and use that for the new role being created
+            if not is_both_intrinsic_no_values:
+                execution_role.set_resource_attribute("Condition", f"NOT{role_list[0]}")
+                conditions[f"NOT{role_list[0]}"] = make_not_conditional(role_list[0])
+
+            # both are none values, we need to create a role
+            if is_both_intrinsic_no_values:
                 lambda_function.Role = execution_role.get_runtime_attr("arn")
 
             # first value is none so we should create condition ? create : [2]

tests/translator/input/function_with_iam_role_both_no_value.yaml

@@ -0,0 +1,20 @@
+Parameters:
+  iamRoleArn:
+    Type: String
+    Description: The ARN of an IAM role to use as this function's execution role.
+      If a role isn't specified, one is created for you with a logical ID of <function-logical-id>Role.
+
+Conditions:
+  RoleExists: !Not [!Equals ['', !Ref iamRoleArn]]
+
+Resources:
+  MinimalFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: s3://sam-demo-bucket/hello.zip
+      Handler: hello.handler
+      Runtime: python3.10
+      Role: !If
+      - RoleExists
+      - !Ref "AWS::NoValue"
+      - !Ref "AWS::NoValue"

tests/translator/output/aws-cn/function_with_iam_role.json

@@ -1,5 +1,12 @@
 {
   "Conditions": {
+    "NOTRoleExists": {
+      "Fn::Not": [
+        {
+          "Condition": "RoleExists"
+        }
+      ]
+    },
     "RoleExists": {
       "Fn::Not": [
         {
@@ -52,6 +59,7 @@
       "Type": "AWS::Lambda::Function"
     },
     "MinimalFunctionRole": {
+      "Condition": "NOTRoleExists",
       "Properties": {
         "AssumeRolePolicyDocument": {
           "Statement": [

tests/translator/output/aws-cn/function_with_iam_role_both_no_value.json

@@ -0,0 +1,77 @@
+{
+  "Conditions": {
+    "RoleExists": {
+      "Fn::Not": [
+        {
+          "Fn::Equals": [
+            "",
+            {
+              "Ref": "iamRoleArn"
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "Parameters": {
+    "iamRoleArn": {
+      "Description": "The ARN of an IAM role to use as this function's execution role. If a role isn't specified, one is created for you with a logical ID of <function-logical-id>Role.",
+      "Type": "String"
+    }
+  },
+  "Resources": {
+    "MinimalFunction": {
+      "Properties": {
+        "Code": {
+          "S3Bucket": "sam-demo-bucket",
+          "S3Key": "hello.zip"
+        },
+        "Handler": "hello.handler",
+        "Role": {
+          "Fn::GetAtt": [
+            "MinimalFunctionRole",
+            "Arn"
+          ]
+        },
+        "Runtime": "python3.10",
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::Lambda::Function"
+    },
+    "MinimalFunctionRole": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "lambda.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [
+          "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+        ],
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role"
+    }
+  }
+}

tests/translator/output/aws-us-gov/function_with_iam_role.json

@@ -1,5 +1,12 @@
 {
   "Conditions": {
+    "NOTRoleExists": {
+      "Fn::Not": [
+        {
+          "Condition": "RoleExists"
+        }
+      ]
+    },
     "RoleExists": {
       "Fn::Not": [
         {
@@ -52,6 +59,7 @@
       "Type": "AWS::Lambda::Function"
     },
     "MinimalFunctionRole": {
+      "Condition": "NOTRoleExists",
       "Properties": {
         "AssumeRolePolicyDocument": {
           "Statement": [

tests/translator/output/aws-us-gov/function_with_iam_role_both_no_value.json

@@ -0,0 +1,77 @@
+{
+  "Conditions": {
+    "RoleExists": {
+      "Fn::Not": [
+        {
+          "Fn::Equals": [
+            "",
+            {
+              "Ref": "iamRoleArn"
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "Parameters": {
+    "iamRoleArn": {
+      "Description": "The ARN of an IAM role to use as this function's execution role. If a role isn't specified, one is created for you with a logical ID of <function-logical-id>Role.",
+      "Type": "String"
+    }
+  },
+  "Resources": {
+    "MinimalFunction": {
+      "Properties": {
+        "Code": {
+          "S3Bucket": "sam-demo-bucket",
+          "S3Key": "hello.zip"
+        },
+        "Handler": "hello.handler",
+        "Role": {
+          "Fn::GetAtt": [
+            "MinimalFunctionRole",
+            "Arn"
+          ]
+        },
+        "Runtime": "python3.10",
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::Lambda::Function"
+    },
+    "MinimalFunctionRole": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "lambda.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [
+          "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+        ],
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role"
+    }
+  }
+}

tests/translator/output/function_with_iam_role.json

@@ -1,5 +1,12 @@
 {
   "Conditions": {
+    "NOTRoleExists": {
+      "Fn::Not": [
+        {
+          "Condition": "RoleExists"
+        }
+      ]
+    },
     "RoleExists": {
       "Fn::Not": [
         {
@@ -52,6 +59,7 @@
       "Type": "AWS::Lambda::Function"
     },
     "MinimalFunctionRole": {
+      "Condition": "NOTRoleExists",
       "Properties": {
         "AssumeRolePolicyDocument": {
           "Statement": [

tests/translator/output/function_with_iam_role_both_no_value.json

@@ -0,0 +1,77 @@
+{
+  "Conditions": {
+    "RoleExists": {
+      "Fn::Not": [
+        {
+          "Fn::Equals": [
+            "",
+            {
+              "Ref": "iamRoleArn"
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "Parameters": {
+    "iamRoleArn": {
+      "Description": "The ARN of an IAM role to use as this function's execution role. If a role isn't specified, one is created for you with a logical ID of <function-logical-id>Role.",
+      "Type": "String"
+    }
+  },
+  "Resources": {
+    "MinimalFunction": {
+      "Properties": {
+        "Code": {
+          "S3Bucket": "sam-demo-bucket",
+          "S3Key": "hello.zip"
+        },
+        "Handler": "hello.handler",
+        "Role": {
+          "Fn::GetAtt": [
+            "MinimalFunctionRole",
+            "Arn"
+          ]
+        },
+        "Runtime": "python3.10",
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::Lambda::Function"
+    },
+    "MinimalFunctionRole": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "lambda.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [
+          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+        ],
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role"
+    }
+  }
+}