
fix(cloudformation): expand SAM Function Policies into a role + non-API events into triggers#1923

Merged
vieiralucas merged 1 commit into
mainfrom
fix/sam-events-policies
Jun 24, 2026

Conversation


@vieiralucas vieiralucas commented Jun 24, 2026


Summary (part of CRITICAL 1.1/1.2)

A SAM AWS::Serverless::Function's Policies and Events were dropped by the transform → sam deploy produced a function with no execution role (every IAM-enforced call denied under #1880) and no triggers (nothing invoked it).

The transform now synthesizes the native resources the existing provisioner arms handle:

  • Policies → implicit AWS::IAM::Role (<Fn>Role, trust = lambda.amazonaws.com); managed names/ARNs → ManagedPolicyArns, inline statement docs → inline policies; function Role = GetAtt. Explicit Role kept.
  • Schedule/ScheduleV2 → Events::Rule (+ Lambda::Permission).
  • SQS/DynamoDB/Kinesis/MSK/MQ → Lambda::EventSourceMapping.
  • SNS → SNS::Subscription (lambda) + permission.
  • EventBridgeRule/CloudWatchEvent → Events::Rule (EventPattern) + permission.

Api/HttpApi events (implicit-API route synthesis) follow in the next PR. SAM policy templates (DynamoDBCrudPolicy etc.) aren't expanded into statements yet — the role is still created so the function is no longer role-less.

Non-code surface

Internal CFN/SAM transform fidelity; SAM functions/events already documented as supported. No SDK/docs/metadata change applies (checked).

Test plan

  • Unit tests for expand_function_extras (Policies→role, explicit-role kept, Schedule→rule, SQS→ESM) + updated the Globals-additive-Policies test (merged list now lands in the role).
  • E2E sam_function_expands_policies_and_events: deploys a function with Policies + Schedule + SQS events; asserts the role (managed+inline), Events::Rule target, and EventSourceMapping are created.
  • cargo test -p fakecloud-cloudformation --lib (242) + existing SAM e2e pass; clippy clean.

Summary by cubic

Fixes the SAM transform dropping AWS::Serverless::Function Policies and non-API Events. Functions now deploy with a proper execution role and working triggers.

  • Bug Fixes
    • Policies → synthesize AWS::IAM::Role (<Fn>Role): managed names/ARNs → ManagedPolicyArns, inline statements → inline policies; set function Role to GetAtt of the role; keep explicit Role unchanged.
    • Non-API Events → native triggers:
      • Schedule/ScheduleV2 → AWS::Events::Rule + AWS::Lambda::Permission
      • SQS/DynamoDB/Kinesis/MSK/MQ → AWS::Lambda::EventSourceMapping
      • SNS → AWS::SNS::Subscription (lambda) + permission
      • EventBridgeRule/CloudWatchEvent → AWS::Events::Rule + permission
      • Note: Api/HttpApi events and SAM policy templates are not expanded in this PR.

Written for commit 44ab1c6. Summary will update on new commits.


…PI events into triggers

A SAM AWS::Serverless::Function's `Policies` and `Events` were dropped by the
transform, so a `sam deploy` produced a function with no execution role (every
IAM-enforced call denied under #1880 enforcement) and no triggers (nothing ever
invoked it).

The transform now synthesizes the native resources the existing provisioner
arms already handle:
- `Policies` -> an implicit `AWS::IAM::Role` (`<Fn>Role`) whose trust policy
  allows lambda.amazonaws.com; managed-policy names/ARNs become
  ManagedPolicyArns, inline statement docs become inline policies. The
  function's Role is set to GetAtt the role. An explicit `Role` is kept as-is.
- `Schedule`/`ScheduleV2` -> `Events::Rule` (ScheduleExpression) targeting the
  function + `Lambda::Permission`.
- `SQS`/`DynamoDB`/`Kinesis`/`MSK`/`MQ` -> `Lambda::EventSourceMapping`.
- `SNS` -> `SNS::Subscription` (protocol lambda) + `Lambda::Permission`.
- `EventBridgeRule`/`CloudWatchEvent` -> `Events::Rule` (EventPattern) + permission.

Api/HttpApi events (implicit-API route synthesis) follow in a separate change.
SAM policy *templates* (DynamoDBCrudPolicy etc.) aren't expanded into statements
yet — the role is still created so the function is no longer role-less.

Adds unit tests for the expansion and an E2E test deploying a function with
Policies + Schedule + SQS events and asserting the role, Events::Rule target,
and EventSourceMapping are all created.
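The expansion the PR description and commit message spell out, as an added Python illustration (not fakecloud's Rust transform): Policies become an implicit <Fn>Role with managed ARNs and inline documents split apart and policy templates left alone, a Schedule event becomes an Events::Rule plus Lambda::Permission, and an SQS event becomes an EventSourceMapping, while an explicit Role is kept untouched. The helper names, the generated logical IDs, and the rule that bare managed-policy names resolve under arn:aws:iam::aws:policy/ are assumptions made for this example.

```python
import copy

# Trust policy of the implicit <Fn>Role: only lambda.amazonaws.com may assume it.
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

def expand_policies(fn_name, policies):
    """Managed names/ARNs -> ManagedPolicyArns, inline statement docs -> inline
    policies; SAM policy templates (no Statement key) are left unexpanded."""
    managed, inline = [], []
    for i, p in enumerate(policies if isinstance(policies, list) else [policies]):
        if isinstance(p, str):  # assumption: bare names live under the aws:policy/ prefix
            managed.append(p if p.startswith("arn:") else f"arn:aws:iam::aws:policy/{p}")
        elif isinstance(p, dict) and "Statement" in p:
            inline.append({"PolicyName": f"{fn_name}RolePolicy{i}", "PolicyDocument": p})
    props = {"AssumeRolePolicyDocument": LAMBDA_TRUST}
    if managed: props["ManagedPolicyArns"] = managed
    if inline: props["Policies"] = inline
    return {"Type": "AWS::IAM::Role", "Properties": props}

def expand_events(fn_name, events):
    """Schedule -> Events::Rule + Lambda::Permission; SQS -> EventSourceMapping."""
    out = {}
    for ev_name, ev in events.items():
        p, rid = ev.get("Properties", {}), f"{fn_name}{ev_name}"  # rid: assumed logical ID
        if ev["Type"] == "Schedule":
            out[rid] = {"Type": "AWS::Events::Rule", "Properties": {
                "ScheduleExpression": p["Schedule"],
                "Targets": [{"Arn": {"Fn::GetAtt": [fn_name, "Arn"]}, "Id": f"{rid}Target"}]}}
            out[rid + "Permission"] = {"Type": "AWS::Lambda::Permission", "Properties": {
                "Action": "lambda:InvokeFunction", "FunctionName": {"Ref": fn_name},
                "Principal": "events.amazonaws.com", "SourceArn": {"Fn::GetAtt": [rid, "Arn"]}}}
        elif ev["Type"] == "SQS":
            out[rid] = {"Type": "AWS::Lambda::EventSourceMapping", "Properties": {
                "EventSourceArn": p["Queue"], "FunctionName": {"Ref": fn_name}}}
    return out

def expand_function(fn_name, resource):
    """Replace one AWS::Serverless::Function with the native resources it implies."""
    props = copy.deepcopy(resource.get("Properties", {}))
    out, policies = {}, props.pop("Policies", None)
    if policies is not None and "Role" not in props:  # an explicit Role is kept as-is
        out[f"{fn_name}Role"] = expand_policies(fn_name, policies)
        props["Role"] = {"Fn::GetAtt": [f"{fn_name}Role", "Arn"]}
    out.update(expand_events(fn_name, props.pop("Events", None) or {}))
    out[fn_name] = {"Type": "AWS::Lambda::Function", "Properties": props}
    return out
```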
@vieiralucas vieiralucas merged commit ccc6e98 into main Jun 24, 2026
93 checks passed
@vieiralucas vieiralucas deleted the fix/sam-events-policies branch June 24, 2026 22:30