fix(iam): resolve local Lambda Ref to static ARN (#470)

[VirtueMe]

Summary

Fixes two bugs triggered when a task state uses Resource: !Ref localFunction:

• MalformedPolicyDocument — the IAM role's policy resource contained { Ref: ParseCSVLambdaFunction }, which CloudFormation resolves to the function name (e.g. my-service-dev-parseCSV), not its ARN. IAM rejects non-ARN resources.
• InvalidDefinition — the state machine definition received the same function name string as its Resource. Step Functions rejects anything that isn't an ARN.

Both bugs also introduce a CloudFormation resource dependency (StateMachineRole → Lambda) that causes the circular dependency error reported in #470 when the Lambda has an env var referencing the state machine ARN.

Fix

Adds resolveLambdaFunctionName to lib/utils/aws.js. When a Ref points to a local function whose deployed name is known at compile time (via serverless.service.functions[key].name), a static Fn::Sub ARN is emitted instead — no CloudFormation resource reference, no dependency, no cycle.

Two call sites fixed:

File	Path
iamStrategies/lambda.js	getFallbackPermissions (direct !Ref resource) and getPermissions (FunctionName: !Ref SDK integration)
compileStateMachines.js	Definition string Fn::Sub params — local Lambda Refs are inlined as static ARNs directly in the definition string

Integration test

Adds a circular-dependency fixture reproducing the exact scenario from #470. LocalStack validates both bugs:

• Without fix: CircularMachineRole fails with MalformedPolicyDocument, then CircularMachine fails with InvalidDefinition
• With fix: full stack deploys cleanly

Test plan

• npm test — 534 passing
• npx osls circular-dependency:deploy --stage test deploys successfully against LocalStack

Closes #470

🤖 Generated with Claude Code

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/serverless-operations/serverless-step-functions@746

commit: 389288b