Allow AWS::NoValue to omit Role property in if - FeatureRequest#3728
3728 #, if available
Allow AWS::NoValue to omit Role property in Fn::If
I have validated the changes with unit tests and hand testing with bin/sam-translate.py. The change resolved my need in https://github.com/aws/serverless-application-model/issues/3728.
Checklist
- [X] Adheres to the development guidelines
- [X] Add/update transform tests
    - [X] Using correct values
    - [X] Using wrong values
- [ ] Add/update integration tests
Examples?
Please reach out in the comments if you want to add an example. Examples will be
added to sam init through aws/aws-sam-cli-app-templates.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Hi @SherrryX, thanks for the PR. One concern is from this issue: https://github.com/aws/serverless-application-model/issues/2533. Could we add tests that verify that the intrinsic functions implemented in this PR could reject stack resources as intended?
Below please find some examples of the auto generated output results via testing with bin/sam-translate.py:
My template:
```yaml
Role: !If
  - RoleExists
  - !Ref roleArn
  - !If
    - PermissionsBoundaryExists
    - "arn:aws:iam::123456789012:role/MyAnotherCustomRole"
    - !Ref "AWS::NoValue"
```
For case#1 when Role parameter is not present in the template or Role is eventually evaluated to "AWS::NoValue" - SAM generates the role:
For case#2 when roleArn is provided (roleArn: "arn:aws:iam::123456789012:role/MyCustomRole") and so roleArn1 is true - use the given role:
For case#3 when roleArn is false but PermissionsBoundaryExists is true - use the given role:
We discussed offline. But this solution assumes that the value of the parameters and condition will be known at the time of the transform (which it is not). It works when trying locally (because it will use the default values), but when actually deployed and working, SAM doesn't know about the parameter values, therefore there won't be anything to resolve and these changes won't work.
The solution is to implement extra logic that keeps the conditions, but takes into account both options depending on the values, to define if it will create a role or not.
Generated template should be like this:
```yaml
Conditions:
  MyCondition:
  NegateMyCondition:
Function:
  Properties:
    Role: !If
      - MyCondition
      - !Ref ExistingRole
      - !Ref NewCreatedRole
NewCreatedRole:
  Condition: NegateMyCondition
  Type: AWS::IAM::Role
  Properties:
    ...
```
Existing code where a similar situation is used for destinations here
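The approach described in the comment above, sketched as an added example (not code from this PR or from SAM): the conditions stay in the output, every `AWS::NoValue` leaf of the `Role` expression is pointed at a fallback role, and that role carries a condition that is true only on the branches that reach such a leaf, so no unused IAM role is created. It generalizes the single-condition sketch to nested `Fn::If`; the `Role`/`RoleIsGenerated` logical ID suffixes, the minimal trust policy and the sample condition definitions are assumptions.

```python
import copy

NO_VALUE = {"Ref": "AWS::NoValue"}

def _rewrite(node, path, fallback, paths):
    """Swap AWS::NoValue leaves of nested Fn::If for fallback; record each leaf's branch path."""
    if node == NO_VALUE:
        paths.append(path)
        return fallback
    if isinstance(node, dict) and list(node) == ["Fn::If"]:
        cond, if_true, if_false = node["Fn::If"]
        negated = {"Fn::Not": [{"Condition": cond}]}
        return {"Fn::If": [cond,
                           _rewrite(if_true, path + [{"Condition": cond}], fallback, paths),
                           _rewrite(if_false, path + [negated], fallback, paths)]}
    return node  # literal ARN, Ref to a parameter, etc. stays as written

def expand_conditional_role(template, function_id):
    """Keep the conditions in the output and create the fallback role only when they select it."""
    out = copy.deepcopy(template)
    props = out["Resources"][function_id]["Properties"]
    role_id = function_id + "Role"             # hypothetical logical IDs
    cond_id = function_id + "RoleIsGenerated"
    paths = []
    props["Role"] = _rewrite(props["Role"], [], {"Fn::GetAtt": [role_id, "Arn"]}, paths)
    if not paths:
        return out  # every branch names an existing role: nothing to create
    role = {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
        "Version": "2012-10-17",  # assumed minimal trust policy, not SAM's generated role
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"Service": "lambda.amazonaws.com"}}]}}}
    if [] not in paths:  # an empty path means Role was a bare NoValue: always create
        terms = [p[0] if len(p) == 1 else {"Fn::And": p} for p in paths]
        out.setdefault("Conditions", {})[cond_id] = terms[0] if len(terms) == 1 else {"Fn::Or": terms}
        role["Condition"] = cond_id
    out["Resources"][role_id] = role
    return out

# Constructed input: the Role expression posted in the thread, with made-up condition bodies.
SAMPLE = {
    "Conditions": {"RoleExists": {"Fn::Not": [{"Fn::Equals": [{"Ref": "roleArn"}, ""]}]},
                   "PermissionsBoundaryExists": {"Fn::Equals": [{"Ref": "useBoundary"}, "true"]}},
    "Resources": {"MyFunction": {"Type": "AWS::Lambda::Function", "Properties": {
        "Role": {"Fn::If": ["RoleExists", {"Ref": "roleArn"}, {"Fn::If": [
            "PermissionsBoundaryExists",
            "arn:aws:iam::123456789012:role/MyAnotherCustomRole", NO_VALUE]}]}}}},
}

if __name__ == "__main__":
    print(expand_conditional_role(SAMPLE, "MyFunction"))
```

`Fn::And` and `Fn::Or` each accept 2 to 10 conditions, so an expression with more than 10 levels of nesting or more than 10 `AWS::NoValue` leaves would need the generated condition split across several named conditions.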
@SherrryX Hello, thank you for your work on this PR! Could you please update based on Renato's comment so we can merge this?