Complete SAM implicit resource injection: DeploymentPreference, event permissions, Api Domain/UsagePlan, implicit API stages

kddejong · kddejong · commit fdb75ab59b15 · 2026-05-13T09:18:36.000-07:00
diff --git a/src/cfnlint/context/context.py b/src/cfnlint/context/context.py
@@ -568,6 +568,17 @@ def _init_transforms(transforms: Any) -> Transforms:
     return Transforms([])
 
 
+def _inject(
+    resources: dict[str, Resource], logical_id: str, resource_type: str
+) -> None:
+    """Add a synthetic resource if it doesn't already exist."""
+    if logical_id not in resources:
+        try:
+            resources[logical_id] = Resource({"Type": resource_type})
+        except ValueError:
+            pass
+
+
 def _inject_sam_implicit_resources(
     template_resources: Any, resources: dict[str, Resource]
 ) -> None:
@@ -596,92 +607,95 @@ def _inject_sam_implicit_resources(
             "AWS::Serverless::Function",
             "AWS::Serverless::StateMachine",
         ):
-            role_id = f"{resource_id}Role"
-            if "Role" not in props and role_id not in resources:
-                try:
-                    resources[role_id] = Resource({"Type": "AWS::IAM::Role"})
-                except ValueError:
-                    pass
+            if "Role" not in props:
+                _inject(resources, f"{resource_id}Role", "AWS::IAM::Role")
 
         if resource_type == "AWS::Serverless::Function":
-            # SAM generates Version/Alias resources when AutoPublishAlias
-            # or DeploymentPreference is set. SAM supports !Ref {Id}.Version
-            # and !Ref {Id}.Alias as special syntax.
+            # Version/Alias when AutoPublishAlias or DeploymentPreference
             has_alias = "AutoPublishAlias" in props or "DeploymentPreference" in props
             if has_alias:
-                version_id = f"{resource_id}.Version"
-                if version_id not in resources:
-                    try:
-                        resources[version_id] = Resource(
-                            {"Type": "AWS::Lambda::Version"}
-                        )
-                    except ValueError:
-                        pass
-                alias_id = f"{resource_id}.Alias"
-                if alias_id not in resources:
-                    try:
-                        resources[alias_id] = Resource({"Type": "AWS::Lambda::Alias"})
-                    except ValueError:
-                        pass
-
-            # SAM generates a Url resource when FunctionUrlConfig is set
+                for suffix, rtype in (
+                    (f"{resource_id}.Version", "AWS::Lambda::Version"),
+                    (f"{resource_id}.Alias", "AWS::Lambda::Alias"),
+                ):
+                    if suffix not in resources:
+                        try:
+                            resources[suffix] = Resource({"Type": rtype})
+                        except ValueError:
+                            pass
+
+            # Url when FunctionUrlConfig is set
             if "FunctionUrlConfig" in props:
-                url_id = f"{resource_id}Url"
-                if url_id not in resources:
-                    try:
-                        resources[url_id] = Resource({"Type": "AWS::Lambda::Url"})
-                    except ValueError:
-                        pass
-
-        # SAM Api/HttpApi always generate Stage resources
+                _inject(resources, f"{resource_id}Url", "AWS::Lambda::Url")
+
+            # DeploymentPreference generates CodeDeploy resources
+            dp = props.get("DeploymentPreference", {})
+            if isinstance(dp, dict) and dp.get("Enabled", True):
+                _inject(
+                    resources,
+                    "ServerlessDeploymentApplication",
+                    "AWS::CodeDeploy::Application",
+                )
+                _inject(
+                    resources,
+                    f"{resource_id}DeploymentGroup",
+                    "AWS::CodeDeploy::DeploymentGroup",
+                )
+                if "Role" not in dp:
+                    _inject(resources, "CodeDeployServiceRole", "AWS::IAM::Role")
+
+            # Per-event permissions and implicit API detection
+            events = props.get("Events", {})
+            if isinstance(events, dict):
+                for event_name, event in events.items():
+                    if not isinstance(event, dict):
+                        continue
+                    _inject(
+                        resources,
+                        f"{resource_id}{event_name}Permission",
+                        "AWS::Lambda::Permission",
+                    )
+                    event_type = event.get("Type")
+                    if event_type == "Api":
+                        event_props = event.get("Properties", {})
+                        if (
+                            not isinstance(event_props, dict)
+                            or "RestApiId" not in event_props
+                        ):
+                            needs_rest_api = True
+                    elif event_type == "HttpApi":
+                        event_props = event.get("Properties", {})
+                        if (
+                            not isinstance(event_props, dict)
+                            or "ApiId" not in event_props
+                        ):
+                            needs_http_api = True
+
         if resource_type == "AWS::Serverless::Api":
-            stage_id = f"{resource_id}Stage"
-            if stage_id not in resources:
-                try:
-                    resources[stage_id] = Resource({"Type": "AWS::ApiGateway::Stage"})
-                except ValueError:
-                    pass
+            _inject(resources, f"{resource_id}Stage", "AWS::ApiGateway::Stage")
+            if "Domain" in props:
+                _inject(
+                    resources,
+                    f"{resource_id}DomainName",
+                    "AWS::ApiGateway::DomainName",
+                )
+            if "Auth" in props:
+                _inject(
+                    resources,
+                    f"{resource_id}UsagePlan",
+                    "AWS::ApiGateway::UsagePlan",
+                )
 
         if resource_type == "AWS::Serverless::HttpApi":
-            stage_id = f"{resource_id}Stage"
-            if stage_id not in resources:
-                try:
-                    resources[stage_id] = Resource({"Type": "AWS::ApiGatewayV2::Stage"})
-                except ValueError:
-                    pass
-
-        if resource_type != "AWS::Serverless::Function":
-            continue
+            _inject(resources, f"{resource_id}Stage", "AWS::ApiGatewayV2::Stage")
 
-        events = props.get("Events", {})
-        if not isinstance(events, dict):
-            continue
-        for event in events.values():
-            if not isinstance(event, dict):
-                continue
-            event_type = event.get("Type")
-            if event_type == "Api":
-                event_props = event.get("Properties", {})
-                if not isinstance(event_props, dict) or "RestApiId" not in event_props:
-                    needs_rest_api = True
-            elif event_type == "HttpApi":
-                event_props = event.get("Properties", {})
-                if not isinstance(event_props, dict) or "ApiId" not in event_props:
-                    needs_http_api = True
-
-    if needs_rest_api and "ServerlessRestApi" not in resources:
-        try:
-            resources["ServerlessRestApi"] = Resource({"Type": "AWS::Serverless::Api"})
-        except ValueError:
-            pass
+    if needs_rest_api:
+        _inject(resources, "ServerlessRestApi", "AWS::Serverless::Api")
+        _inject(resources, "ServerlessRestApiStage", "AWS::ApiGateway::Stage")
 
-    if needs_http_api and "ServerlessHttpApi" not in resources:
-        try:
-            resources["ServerlessHttpApi"] = Resource(
-                {"Type": "AWS::Serverless::HttpApi"}
-            )
-        except ValueError:
-            pass
+    if needs_http_api:
+        _inject(resources, "ServerlessHttpApi", "AWS::Serverless::HttpApi")
+        _inject(resources, "ServerlessHttpApiStage", "AWS::ApiGatewayV2::Stage")
 
 
 def create_context_for_template(
