fix(iam): prevent nested Fn::Sub when lambda Resource is a Fn::Sub expression

[VirtueMe]

Summary

Fixes #302.

When a Task state's Resource is a Fn::Sub object — as produced by plugins like serverless-pseudo-parameters that convert #{AWS::Region} to ${AWS::Region} — the versioned ARN (:*) was generated using the array form of Fn::Sub with the Fn::Sub object as a variable map value:

{ "Fn::Sub": ["${functionArn}:*", { "functionArn": { "Fn::Sub": "arn:..." } }] }

CloudFormation does not support nesting Fn::Sub as a variable map value, so this produces a MalformedPolicyDocument error on deploy.

Fix

Introduces getVersionedArn() in lambda.js which detects when the base ARN is already a Fn::Sub and appends :* directly to the template string:

{ "Fn::Sub": "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:my-fn:*" }

Ref and Fn::GetAtt resources are unaffected and continue to use the existing array form.

Test plan

• Two new unit tests in lambda.test.js (written before the fix, confirmed failing then passing)
• fnSubMachine state machine added to the basic-state-machine integration fixture, covering the Fn::Sub resource reference style alongside the existing Fn::GetAtt one
• verify.test.js added to basic-state-machine fixture asserting no nested Fn::Sub in the IAM policy and a valid versioned ARN

🤖 Generated with Claude Code

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/serverless-operations/serverless-step-functions@749

commit: 028ad7a