chore: Fix KeyError when accessing PolicyDocument (#3522)

jfuss · web-flow · commit e17dc8fd7d56 · 2024-02-06T15:58:13.000-06:00
If an intrinsic is within the Function.Policies Property, the d["PolicyDocument"] will fail because the valid policy is backed within the FN:If. Instead, we access PolicyDocument through a .get() call, which allows us to handle the intrinsic case.

Co-authored-by: Jacob Fuss &lt;jfuss@users.noreply.github.com&gt;
diff --git a/samtranslator/model/eventsources/pull.py b/samtranslator/model/eventsources/pull.py
@@ -233,7 +233,7 @@ def _link_policy(self, role, destination_config_policy=None):  # type: ignore[no
             if role.Policies and destination_config_policy not in role.Policies:
                 policy_document = destination_config_policy.get("PolicyDocument")
                 # do not add the policy if the same policy document is already present
-                if policy_document not in [d["PolicyDocument"] for d in role.Policies]:
+                if policy_document not in [d.get("PolicyDocument", {}) for d in role.Policies]:
                     role.Policies.append(destination_config_policy)
 
     def _validate_filter_criteria(self) -> None:
diff --git a/tests/translator/input/function_with_event_dest_basic.yaml b/tests/translator/input/function_with_event_dest_basic.yaml
@@ -38,3 +38,15 @@ Resources:
       Handler: index.handler
       Runtime: nodejs12.x
       MemorySize: 1024
+      Policies:
+      - Fn::If:
+        - SomeCondition
+        - Version: '2012-10-17'
+          Statement:
+          - Effect: Deny
+            Action:
+            - logs:CreateLogGroup
+            - logs:CreateLogStream
+            - logs:PutLogEvents
+            Resource: arn:aws:logs:*:*:*
+        - Ref: AWS::NoValue
diff --git a/tests/translator/output/aws-cn/function_with_event_dest_basic.json b/tests/translator/output/aws-cn/function_with_event_dest_basic.json
@@ -125,6 +125,31 @@
               ]
             },
             "PolicyName": "MyTestFunctionEventInvokeConfigOnFailureSNSPolicy"
+          },
+          {
+            "Fn::If": [
+              "SomeCondition",
+              {
+                "PolicyDocument": {
+                  "Statement": [
+                    {
+                      "Action": [
+                        "logs:CreateLogGroup",
+                        "logs:CreateLogStream",
+                        "logs:PutLogEvents"
+                      ],
+                      "Effect": "Deny",
+                      "Resource": "arn:aws:logs:*:*:*"
+                    }
+                  ],
+                  "Version": "2012-10-17"
+                },
+                "PolicyName": "MyTestFunctionRolePolicy0"
+              },
+              {
+                "Ref": "AWS::NoValue"
+              }
+            ]
           }
         ],
         "Tags": [
diff --git a/tests/translator/output/aws-us-gov/function_with_event_dest_basic.json b/tests/translator/output/aws-us-gov/function_with_event_dest_basic.json
@@ -125,6 +125,31 @@
               ]
             },
             "PolicyName": "MyTestFunctionEventInvokeConfigOnFailureSNSPolicy"
+          },
+          {
+            "Fn::If": [
+              "SomeCondition",
+              {
+                "PolicyDocument": {
+                  "Statement": [
+                    {
+                      "Action": [
+                        "logs:CreateLogGroup",
+                        "logs:CreateLogStream",
+                        "logs:PutLogEvents"
+                      ],
+                      "Effect": "Deny",
+                      "Resource": "arn:aws:logs:*:*:*"
+                    }
+                  ],
+                  "Version": "2012-10-17"
+                },
+                "PolicyName": "MyTestFunctionRolePolicy0"
+              },
+              {
+                "Ref": "AWS::NoValue"
+              }
+            ]
           }
         ],
         "Tags": [
diff --git a/tests/translator/output/function_with_event_dest_basic.json b/tests/translator/output/function_with_event_dest_basic.json
@@ -125,6 +125,31 @@
               ]
             },
             "PolicyName": "MyTestFunctionEventInvokeConfigOnFailureSNSPolicy"
+          },
+          {
+            "Fn::If": [
+              "SomeCondition",
+              {
+                "PolicyDocument": {
+                  "Statement": [
+                    {
+                      "Action": [
+                        "logs:CreateLogGroup",
+                        "logs:CreateLogStream",
+                        "logs:PutLogEvents"
+                      ],
+                      "Effect": "Deny",
+                      "Resource": "arn:aws:logs:*:*:*"
+                    }
+                  ],
+                  "Version": "2012-10-17"
+                },
+                "PolicyName": "MyTestFunctionRolePolicy0"
+              },
+              {
+                "Ref": "AWS::NoValue"
+              }
+            ]
           }
         ],
         "Tags": [
