Description
On these lines
|
elif policy_entry.type is PolicyTypes.MANAGED_POLICY: |
|
# There are three options: |
|
# Managed Policy Name (string): Try to convert to Managed Policy ARN |
|
# Managed Policy Arn (string): Insert it directly into the list |
|
# Intrinsic Function (dict): Insert it directly into the list |
|
# |
|
# When you insert into managed_policy_arns list, de-dupe to prevent same ARN from showing up twice |
|
# |
|
|
|
policy_arn = policy_entry.data |
|
if isinstance(policy_arn, str): |
|
policy_arn = _get_managed_policy_arn( |
|
policy_arn, |
|
managed_policy_map, |
|
get_managed_policy_map, |
|
) |
|
|
|
# De-Duplicate managed policy arns before inserting. Mainly useful |
|
# when customer specifies a managed policy which is already inserted |
|
# by SAM, such as AWSLambdaBasicExecutionRole |
|
if policy_arn not in managed_policy_arns: |
|
managed_policy_arns.append(policy_arn) |
|
else: |
|
# Policy Templates are not supported here in the "core" |
|
raise InvalidResourceException( |
|
resource_logical_id, |
|
f"Policy at index {index} in the '{resource_policies.POLICIES_PROPERTY_NAME}' property is not valid", |
|
) |
Intrinsic functions go forward, ignoring any managed policy names in their parameters. Thus, these managed policy names are not converted to ARNs. This behaviour raises errors using cfn-lint (see this issue)
Steps to reproduce
Add an intrinsic function in Policies, i.e.: !If [IsTrue, CloudWatchLambdaInsightsExecutionRolePolicy, !Ref AWS::NoValue]
Observed result
The resulting policy is passed as is.
Expected result
Should result in !If [IsTrue, "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy", !Ref AWS::NoValue]
Additional environment details
- OS: linux
- If using the SAM CLI,
sam --version: using from cfn-lint
- AWS region: us-east-1
