fix(notifications): merge SNS/SQS policies for shared topics and queues (#275)

[VirtueMe]

Summary

Fixes issue #275: when multiple state machines send notifications to the same SNS topic or SQS queue (fan-in), the plugin generates a separate AWS::SNS::TopicPolicy / AWS::SQS::QueuePolicy resource per state machine. AWS::SNS::TopicPolicy and AWS::SQS::QueuePolicy are full replacements in CloudFormation — when two resources target the same topic/queue, the second overwrites the first. The first machine's notification rules then silently stop working because their principal is no longer in the policy.

Fix

After compiling all notification resources, same-target SNS topic policies and SQS queue policies are merged into a single CloudFormation resource with all statements combined. CloudFormation then applies the policy exactly once with all principals authorised.

The change is in compileNotifications.js: a mergeResourcePolicies step groups AWS::SNS::TopicPolicy resources by topic and AWS::SQS::QueuePolicy resources by queue, merging statements before the resources are written into the CloudFormation template.

Verification

Integration test: The notifications fixture was updated to include a second state machine (notificationMachine2) sharing the same SNS topic and SQS queue as the first — the exact fan-in scenario from #275.

The compiled CloudFormation template was inspected after packaging with the fix applied:

SNS TopicPolicy resources: 1
  IntegrationDashnotificationsDashtestResourcePolicyc30a6: 2 statement(s)

SQS QueuePolicy resources: 1
  IntegrationDashnotificationsDashtestResourcePolicy6fbc7: 2 statement(s)

One merged policy per target, with one statement per state machine. Without the fix, two separate resources would be generated for each target, causing CloudFormation to overwrite the first machine's policy with the second's. LocalStack deploy is green.

Unit tests: Three new tests added covering:

• Two state machines sharing the same SNS topic → 1 policy, 10 merged statements
• Two state machines sharing the same SQS queue → 1 policy, 10 merged statements
• One state machine with the same topic on multiple statuses → 1 policy, 2 merged statements

Test plan

• npm test — 533 passing
• npx osls notifications:deploy --stage test — green
• Packaged template confirms 1 merged AWS::SNS::TopicPolicy and 1 merged AWS::SQS::QueuePolicy with statements from both state machines

Closes #275

🤖 Generated with Claude Code

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/serverless-operations/serverless-step-functions@747

commit: fe678cd

[VirtueMe]

Note: the manual template inspection used to verify this fix (#275) revealed a gap in the integration test suite — LocalStack deploys green for this class of bug but the incorrect template is only visible by inspecting the compiled output. Tracked in #748.