Adding VPC Access Policy when VpcConfig is present #1169

@spockNinja

Description:

We are building a modular service structure and have several lambda functions launching within a VPC. When tearing down the VPC, we encountered issues where the ENIs that were created for the lambda functions were left dangling.

We now know that one solution is to add the managed role for VPC access. What I would like to know is whether AWS SAM would be open to a PR that automatically checks for VPC config and adds the appropriate managed policy, much like it does for the basic lambda execution policy.

Steps to reproduce the issue:

  1. Create a function in a VPC that does not have permissions to tear down an ENI.
  2. Tear down the function.
  3. Attempt to tear down the VPC.

Observed result:
The VPC fails to delete because of dependencies on the dangling ENIs.

Expected result:
AWS SAM Transform adds the correct permissions automatically when VpcConfig is present.
The VPC deletes successfully.

Possible Solution:
Adding logic to https://github.com/awslabs/serverless-application-model/blob/master/samtranslator/model/sam_resources.py#L189 much like the if self.Tracing block to add a managed policy that allows the lambda function to clean up ENIs when it is done with them.
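As an added illustration of the proposal above (this is not code from the SAM translator or from the issue author), the following hypothetical Python sketches the two pieces a maintainer or a template reviewer would want: the policy-selection rule, which attaches the VPC access managed policy only when VpcConfig is present so functions outside a VPC are not granted ENI permissions they do not need, and an audit over a template that flags functions which will be left without it. The managed policy ARN is the real AWS-managed AWSLambdaVPCAccessExecutionRole; the function names, the sample template and its resource IDs are constructed here.

```python
# Hypothetical helper code, not part of the SAM translator.

# AWS-managed policies that grant Lambda the ENI create/describe/delete
# permissions needed to clean up after a VPC-attached function, and the
# basic execution (CloudWatch Logs) permissions SAM already attaches.
VPC_ACCESS_POLICY_ARN = (
    "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
)
BASIC_EXECUTION_POLICY_ARN = (
    "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
)


def managed_policy_arns(properties: dict) -> list:
    """Return the managed policy ARNs a generated execution role should carry.

    Mirrors the rule proposed in the issue: always attach the basic execution
    policy; attach the VPC access policy only when VpcConfig is present, so
    the extra ec2:* ENI permissions stay off roles that do not need them.
    """
    arns = [BASIC_EXECUTION_POLICY_ARN]
    if properties.get("VpcConfig"):
        arns.append(VPC_ACCESS_POLICY_ARN)
    return arns


def audit_template(template: dict) -> list:
    """Logical IDs of AWS::Serverless::Function resources that declare VpcConfig
    but whose SAM-generated role will not carry the VPC access policy.

    Functions with an explicit Role are skipped: SAM does not generate a role
    for them, so the policy must live on that caller-managed role instead.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Serverless::Function":
            continue
        props = resource.get("Properties", {})
        if not props.get("VpcConfig") or "Role" in props:
            continue
        policies = props.get("Policies", [])
        if isinstance(policies, str):  # SAM accepts a single string too
            policies = [policies]
        # Policies may be given as a full ARN or as the managed policy name.
        has_vpc_policy = any(
            p in (VPC_ACCESS_POLICY_ARN, "AWSLambdaVPCAccessExecutionRole")
            for p in policies
            if isinstance(p, str)
        )
        if not has_vpc_policy:
            findings.append(logical_id)
    return findings


# Constructed sample template covering the cases the audit distinguishes.
VPC = {"SecurityGroupIds": ["sg-0000example"], "SubnetIds": ["subnet-0000example"]}
SAMPLE_TEMPLATE = {
    "Resources": {
        "InVpcMissingPolicy": {
            "Type": "AWS::Serverless::Function",
            "Properties": {"Handler": "app.handler", "Runtime": "python3.9",
                           "VpcConfig": VPC},
        },
        "InVpcWithPolicy": {
            "Type": "AWS::Serverless::Function",
            "Properties": {"Handler": "app.handler", "Runtime": "python3.9",
                           "VpcConfig": VPC,
                           "Policies": ["AWSLambdaVPCAccessExecutionRole"]},
        },
        "InVpcCustomRole": {
            "Type": "AWS::Serverless::Function",
            "Properties": {"Handler": "app.handler", "Runtime": "python3.9",
                           "VpcConfig": VPC,
                           "Role": "arn:aws:iam::123456789012:role/example"},
        },
        "NoVpc": {
            "Type": "AWS::Serverless::Function",
            "Properties": {"Handler": "app.handler", "Runtime": "python3.9"},
        },
        "NotAFunction": {"Type": "AWS::S3::Bucket"},
    }
}

if __name__ == "__main__":
    print("Functions missing VPC access policy:", audit_template(SAMPLE_TEMPLATE))
    print("Policies for a VPC function:", managed_policy_arns({"VpcConfig": VPC}))
```

Run as-is, the audit reports only InVpcMissingPolicy: the function that already lists the policy and the one with a caller-supplied Role are not flagged, and functions without VpcConfig are never given the ENI permissions.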
