
Connector with event source mapping and DLQ requires DependsOn #2534

@hoffa

Consider the following template:

Transform: AWS::Serverless-2016-10-31
Resources:
  MyTable:
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH
      StreamSpecification:
        StreamViewType: NEW_IMAGE

  MyRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: lambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  MyFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: nodejs16.x
      Handler: index.handler
      Role: !GetAtt MyRole.Arn
      Code:
        ZipFile: |
          exports.handler = async (event, context) => {
            console.log(JSON.stringify(event));
          };

  MyQueue:
    Type: AWS::SQS::Queue

  MyEventSourceMapping:
    Type: AWS::Lambda::EventSourceMapping
    Properties:
      EventSourceArn: !GetAtt MyTable.StreamArn
      FunctionName: !Ref MyFunction
      StartingPosition: TRIM_HORIZON
      DestinationConfig:
        OnFailure:
          Destination: !GetAtt MyQueue.Arn

  MyConnector:
    Type: AWS::Serverless::Connector
    Properties:
      Source:
        Id: MyTable
      Destination:
        Id: MyFunction
      Permissions:
        - Read

  LambdaToQueue:
    Type: AWS::Serverless::Connector
    Properties:
      Source:
        Id: MyFunction
      Destination:
        Id: MyQueue
      Permissions:
        - Write

Deploying it will fail with:

MyEventSourceMapping
Resource handler returned message: "Invalid request provided: The provided execution role does not have permissions to call SendMessage on SQS (Service: Lambda, Status Code: 400, Request ID: 6ac8d38a-723c-4356-a146-caa6d4d0fef0)" (RequestToken: a66d8170-30dd-29b4-8010-560f8b56c5db, HandlerErrorCode: InvalidRequest)

To fix this, we need to make sure the permission resource (generated by LambdaToQueue) is created first:

@@ -41,6 +41,7 @@
     Type: AWS::SQS::Queue
 
   MyEventSourceMapping:
+    DependsOn: LambdaToQueuePolicy
     Type: AWS::Lambda::EventSourceMapping
     Properties:
       EventSourceArn: !GetAtt MyTable.StreamArn
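Review bot: the `DependsOn: LambdaToQueuePolicy` line points at a logical ID that is not declared anywhere in the template; it is the name the transform gives to the IAM policy it generates for the `LambdaToQueue` connector, so the workaround relies on an implementation detail of the transform and will break silently if that naming changes or if the connector is renamed without the DependsOn being updated. A comment on that line saying where the name comes from would help the next reader. Since the ordering is fully predictable from the template (the event source mapping's `OnFailure.Destination` resolves to the same resource as the connector's `Destination.Id`), the transform could emit this DependsOn itself when it generates the policy, which is the simpler behaviour the issue asks for.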

It would be great if this were simpler.
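Until the transform handles this ordering itself, the condition is easy to check before deploying. The script below is an added example, not code from the SAM project or from the issue author: it walks a template, finds every `AWS::Lambda::EventSourceMapping` whose `OnFailure` destination is granted through an `AWS::Serverless::Connector`, and reports the DependsOn that is missing (and can add it). It assumes the connector's generated policy is named `<ConnectorLogicalId>Policy`, which is what the issue's diff relies on, and it takes the template as a Python dict in CloudFormation's JSON form (`Fn::GetAtt` / `Ref` instead of the `!GetAtt` / `!Ref` short tags) so that no YAML parser with custom tag support is needed. The embedded template is a constructed, trimmed copy of the one in the issue.

```python
"""Pre-deploy check for the ordering problem described in the issue: an
AWS::Lambda::EventSourceMapping whose OnFailure destination is permitted via an
AWS::Serverless::Connector must DependsOn the connector's generated policy,
otherwise Lambda validates the execution role before the policy exists."""
import copy

# Constructed sample: the issue's template in JSON/dict form, trimmed to the
# resources the check needs. Not the project's own code.
TEMPLATE = {
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "MyTable": {"Type": "AWS::DynamoDB::Table", "Properties": {}},
        "MyRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "MyFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Role": {"Fn::GetAtt": ["MyRole", "Arn"]}},
        },
        "MyQueue": {"Type": "AWS::SQS::Queue"},
        "MyEventSourceMapping": {
            "Type": "AWS::Lambda::EventSourceMapping",
            "Properties": {
                "EventSourceArn": {"Fn::GetAtt": ["MyTable", "StreamArn"]},
                "FunctionName": {"Ref": "MyFunction"},
                "StartingPosition": "TRIM_HORIZON",
                "DestinationConfig": {
                    "OnFailure": {"Destination": {"Fn::GetAtt": ["MyQueue", "Arn"]}}
                },
            },
        },
        "MyConnector": {
            "Type": "AWS::Serverless::Connector",
            "Properties": {"Source": {"Id": "MyTable"},
                           "Destination": {"Id": "MyFunction"},
                           "Permissions": ["Read"]},
        },
        "LambdaToQueue": {
            "Type": "AWS::Serverless::Connector",
            "Properties": {"Source": {"Id": "MyFunction"},
                           "Destination": {"Id": "MyQueue"},
                           "Permissions": ["Write"]},
        },
    },
}


def _logical_id(value):
    """Return the logical ID a Ref / Fn::GetAtt points at, or None for literals."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            target = value["Fn::GetAtt"]
            return target[0] if isinstance(target, list) else str(target).split(".")[0]
    return None


def _depends_on(resource):
    """DependsOn may be a single string or a list; normalise to a list."""
    dep = resource.get("DependsOn", [])
    return [dep] if isinstance(dep, str) else list(dep)


def find_missing_depends_on(template):
    """Return (esm_id, connector_id, expected_policy_id) for every event source
    mapping whose OnFailure destination is granted by a Write connector from the
    mapped function to that destination, and that does not yet DependsOn the
    connector's policy. Assumption (from the issue's diff): the generated policy
    is named <ConnectorLogicalId>Policy."""
    resources = template.get("Resources", {})
    connectors = {rid: r.get("Properties", {}) for rid, r in resources.items()
                  if r.get("Type") == "AWS::Serverless::Connector"}
    findings = []
    for rid, res in resources.items():
        if res.get("Type") != "AWS::Lambda::EventSourceMapping":
            continue
        props = res.get("Properties", {})
        func = _logical_id(props.get("FunctionName"))
        on_failure = props.get("DestinationConfig", {}).get("OnFailure", {})
        dest = _logical_id(on_failure.get("Destination"))
        if not func or not dest:
            continue  # no DLQ, or a literal ARN: nothing in-stack to order against
        for cid, cprops in connectors.items():
            if (cprops.get("Source", {}).get("Id") == func
                    and cprops.get("Destination", {}).get("Id") == dest
                    and "Write" in cprops.get("Permissions", [])):
                policy_id = f"{cid}Policy"
                if policy_id not in _depends_on(res):
                    findings.append((rid, cid, policy_id))
    return findings


def add_depends_on(template):
    """Return a deep copy of the template with the missing DependsOn entries added."""
    fixed = copy.deepcopy(template)
    for esm_id, _cid, policy_id in find_missing_depends_on(fixed):
        res = fixed["Resources"][esm_id]
        res["DependsOn"] = _depends_on(res) + [policy_id]
    return fixed


if __name__ == "__main__":
    for esm_id, cid, policy_id in find_missing_depends_on(TEMPLATE):
        print(f"{esm_id}: add DependsOn: {policy_id} (permission granted by connector {cid})")
```

Run against the issue's template the check reports `MyEventSourceMapping: add DependsOn: LambdaToQueuePolicy`, and `add_depends_on` produces the same one-line change as the diff above; a destination given as a hard-coded ARN is deliberately skipped, since there is no in-stack resource to order against in that case.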
