Description
On these lines (serverless-application-model/samtranslator/model/role_utils/role_constructor.py, lines 133 to 160 in 85d142d):

```python
elif policy_entry.type is PolicyTypes.MANAGED_POLICY:
    # There are three options:
    #   Managed Policy Name (string): Try to convert to Managed Policy ARN
    #   Managed Policy Arn (string): Insert it directly into the list
    #   Intrinsic Function (dict): Insert it directly into the list
    #
    # When you insert into managed_policy_arns list, de-dupe to prevent same ARN from showing up twice
    #

    policy_arn = policy_entry.data
    if isinstance(policy_arn, str):
        policy_arn = _get_managed_policy_arn(
            policy_arn,
            managed_policy_map,
            get_managed_policy_map,
        )

    # De-Duplicate managed policy arns before inserting. Mainly useful
    # when customer specifies a managed policy which is already inserted
    # by SAM, such as AWSLambdaBasicExecutionRole
    if policy_arn not in managed_policy_arns:
        managed_policy_arns.append(policy_arn)

else:
    # Policy Templates are not supported here in the "core"
    raise InvalidResourceException(
        resource_logical_id,
        f"Policy at index {index} in the '{resource_policies.POLICIES_PROPERTY_NAME}' property is not valid",
    )
```
Intrinsic functions are passed through unchanged, and any managed policy names inside their parameters are ignored, so those names are never converted to ARNs. This behaviour raises errors in cfn-lint (see this issue).
Steps to reproduce
Add an intrinsic function in Policies, e.g.: !If [IsTrue, CloudWatchLambdaInsightsExecutionRolePolicy, !Ref AWS::NoValue]
Observed result
The resulting policy is passed as is.
Expected result
Should result in !If [IsTrue, "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy", !Ref AWS::NoValue]
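The expected behaviour, as an added illustration that is not samtranslator's own code: walk into the branches of an Fn::If and resolve bare managed policy names there, while leaving the condition name and other intrinsics (such as Ref AWS::NoValue) untouched, then de-duplicate against policies SAM already inserted. The policy map and helper names are assumptions for this example.

```python
from typing import Any, Dict, List

# Constructed stand-in for the name -> ARN map SAM builds from IAM's managed policy list.
MANAGED_POLICY_MAP: Dict[str, str] = {
    "AWSLambdaBasicExecutionRole": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
    "CloudWatchLambdaInsightsExecutionRolePolicy": "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
}


def to_managed_policy_arn(value: str, policy_map: Dict[str, str]) -> str:
    """Return an ARN unchanged; convert a known managed policy name; leave unknown names as-is."""
    if value.startswith("arn:"):
        return value
    return policy_map.get(value, value)


def resolve_policy_entry(entry: Any, policy_map: Dict[str, str]) -> Any:
    """Resolve managed policy names in a Policies entry, including inside Fn::If branches.

    Only the two value branches of Fn::If are candidates; the condition name is a
    CloudFormation condition, not a policy, and other intrinsic dicts (Ref, Fn::Sub, ...)
    are passed through untouched, as the current translator does for every dict.
    """
    if isinstance(entry, str):
        return to_managed_policy_arn(entry, policy_map)
    if isinstance(entry, dict) and "Fn::If" in entry:
        condition, when_true, when_false = entry["Fn::If"]
        return {"Fn::If": [condition,
                           resolve_policy_entry(when_true, policy_map),
                           resolve_policy_entry(when_false, policy_map)]}
    return entry


def build_managed_policy_arns(entries: List[Any], policy_map: Dict[str, str]) -> List[Any]:
    """Mirror the de-dupe step: start from the ARN SAM inserts itself, then append resolved entries once."""
    managed_policy_arns: List[Any] = [policy_map["AWSLambdaBasicExecutionRole"]]
    for entry in entries:
        resolved = resolve_policy_entry(entry, policy_map)
        # `in` on a list works for both strings and intrinsic dicts (dicts are unhashable, so no set)
        if resolved not in managed_policy_arns:
            managed_policy_arns.append(resolved)
    return managed_policy_arns
```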
Additional environment details
- OS: linux
- If using the SAM CLI, sam --version: using from cfn-lint
- AWS region: us-east-1