Tracing field of Serverless::Function does not support intrinsics

[keetonian]

Description: Tracing needs to support "Fn::If" and other intrinsic functions

Steps to reproduce the issue:

1. Create a template with "Tracing" set to an !If function
2. Deploy

Observed result: Condition is ignored Expected result: Condition to work

[stevenmhood]

I have an example that works with this already:

Parameters:
  EnableXRayTracing:
    Type: String
    Description: Enables X-Ray tracing.  Disabled by default.
    AllowedValues:
    - 'true'
    - 'false'
    Default: 'false'
Conditions:
  TracingEnabled:
    Fn::Equals:
    - Ref: EnableXRayTracing
    - 'true'
Resources:
  StreamRepartitionerFunction:
    Type: AWS::Serverless::Function
      ...
      Tracing:
        Fn::If:
        - TracingEnabled
        - Active
        - PassThrough

Is this actually complete, then?

[keetonian]

@stevenmhood I should have been a little more clear. The tracing field actually works, but there is an additional policy that is attached to the lambda role that adds x-ray permission. This policy is added whether or not Tracing is turned on or not, which can cause errors in regions where the policy/x-ray does not exist.

[moelasmar]

The issue is mainly we add the policy "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess" regardless if the value of "Fn::If" evaluation result. We should add this policy only if Tracing is enabled.

[sparkyfen]

One thing to note is I believe at the time, the policy was not available in all regions/partitions so it was unsafe to just add the policy if you were deploying to a region which didn't have the policy.

[hoffa]

Closing in favor of https://github.com/aws/serverless-application-model/issues/2533.