aws-sso-util
AWS::SSO::PermissionSet Transform fails with !FindInMap
@benkehoe, not sure if I am using it incorrectly, but for a PermissionSet, using !FindInMap fails. It works without `Transform: AWS-SSO-Util-2020-11-08`, which confirms that the PermissionSet resource creation works otherwise.
```yaml
ReadOnlyPermissionSet:
  Type: AWS::SSO::PermissionSet
  Properties:
    InstanceArn: !Ref SSOInstanceArn
    Name: ReadOnly
    Description: ReadOnly
    InlinePolicy:
      Version: '2012-10-17'   # quoted so a strict YAML parser does not read it as a date
      Statement:
        - Sid: ReadOnly
          Effect: Allow
          Resource: '*'
          Action: !FindInMap [ CommonPermissions, ReadOnly, List ]
```
If I manually replace the FindInMap with the list of strings that it references, the template works with the transform.
```yaml
ReadOnlyPermissionSet:
  Type: AWS::SSO::PermissionSet
  Properties:
    InstanceArn: !Ref SSOInstanceArn
    Name: ReadOnly
    Description: ReadOnly
    InlinePolicy:
      Version: '2012-10-17'   # quoted so a strict YAML parser does not read it as a date
      Statement:
        - Sid: ReadOnly
          Effect: Allow
          Resource: '*'
          Action:
            - acm:DescribeCertificate
            - acm:GetCertificate
            - acm:ListCertificates
            - acm:ListTagsForCertificate
```
The error that the CloudFormation console displays:

```text
Resource handler returned message: "Invalid PermissionsPolicy Document {"Version": "2012-10-17", "Statement": [{"Sid": "ReadOnly", "Effect": "Allow", "Resource": "*", "Action": {"Fn::FindInMap": ["CommonPermissions", "ReadOnly", "List"]}}]}. (Service: SsoAdmin, Status Code: 400, Request ID: 41543aa6-75d0-467b-855a-60b3e63543e9, Extended Request ID: null)" (RequestToken: 908414f0-342e-2699-4afa-5da9906b8739, HandlerErrorCode: InvalidRequest)
```
I'm not sure why that's happening. Along with #12, the macro isn't handling CloudFormation intrinsic functions correctly in all cases.
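The error message above shows the mechanism: the macro serializes `InlinePolicy` to a JSON string while the `Fn::FindInMap` object is still inside it, so SSO Admin receives a policy document whose `Action` is an object rather than a list of strings and rejects it with a 400. The following is an added example, not code from aws-sso-util or from the issue participants. It reproduces the bad serialization on a constructed template fragment modelled on the one in the report, then shows what a macro has to do instead: resolve `Fn::FindInMap` against the template's own `Mappings` section before stringifying, and refuse to emit a policy string that still contains an intrinsic function it could not resolve. The `Mappings` section, the `UnresolvedIntrinsic` exception and all function names are assumptions for the example; `!Ref SSOInstanceArn` sits outside `InlinePolicy` and is left for CloudFormation to resolve.

```python
import copy
import json

# Constructed template fragment mirroring the ReadOnlyPermissionSet in the issue.
# The Mappings section is assumed; the issue only shows the FindInMap that reads it.
FRAGMENT = {
    "Mappings": {
        "CommonPermissions": {
            "ReadOnly": {
                "List": [
                    "acm:DescribeCertificate",
                    "acm:GetCertificate",
                    "acm:ListCertificates",
                    "acm:ListTagsForCertificate",
                ]
            }
        }
    },
    "Resources": {
        "ReadOnlyPermissionSet": {
            "Type": "AWS::SSO::PermissionSet",
            "Properties": {
                "InstanceArn": {"Ref": "SSOInstanceArn"},
                "Name": "ReadOnly",
                "Description": "ReadOnly",
                "InlinePolicy": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Sid": "ReadOnly",
                        "Effect": "Allow",
                        "Resource": "*",
                        "Action": {"Fn::FindInMap": ["CommonPermissions", "ReadOnly", "List"]},
                    }],
                },
            },
        }
    },
}


class UnresolvedIntrinsic(Exception):
    """Raised when an intrinsic function would survive into the stringified policy."""


def naive_serialize(policy):
    """What the issue shows: json.dumps with the Fn::FindInMap object still inside."""
    return json.dumps(policy)


def resolve_find_in_map(node, mappings):
    """Recursively replace Fn::FindInMap nodes with their value from Mappings.

    Only literal (string) keys can be resolved at macro time; a nested Ref or
    other intrinsic in the key position is reported rather than guessed at.
    """
    if isinstance(node, dict):
        if list(node.keys()) == ["Fn::FindInMap"]:
            keys = node["Fn::FindInMap"]
            if not (isinstance(keys, list) and len(keys) == 3
                    and all(isinstance(k, str) for k in keys)):
                raise UnresolvedIntrinsic(f"Fn::FindInMap keys are not all literals: {keys}")
            map_name, top_key, second_key = keys
            try:
                value = mappings[map_name][top_key][second_key]
            except KeyError as exc:
                raise UnresolvedIntrinsic(f"Fn::FindInMap {keys} has no matching Mappings entry") from exc
            return copy.deepcopy(value)
        return {k: resolve_find_in_map(v, mappings) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_find_in_map(v, mappings) for v in node]
    return node


def find_intrinsics(node, path="$"):
    """Return (path, name) for every Ref / Fn::* object still present in node."""
    found = []
    if isinstance(node, dict):
        if len(node) == 1:
            key = next(iter(node))
            if key == "Ref" or key.startswith("Fn::"):
                return [(path, key)]
        for k, v in node.items():
            found.extend(find_intrinsics(v, f"{path}.{k}"))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            found.extend(find_intrinsics(v, f"{path}[{i}]"))
    return found


def serialize_inline_policy(policy, mappings):
    """Resolve FindInMap, then refuse to emit a policy string that still holds intrinsics."""
    resolved = resolve_find_in_map(policy, mappings)
    leftovers = find_intrinsics(resolved)
    if leftovers:
        raise UnresolvedIntrinsic(f"InlinePolicy still contains intrinsic functions: {leftovers}")
    return json.dumps(resolved)


def resolved_actions(fragment):
    """Convenience: the Action list SSO Admin would receive after proper resolution."""
    policy = fragment["Resources"]["ReadOnlyPermissionSet"]["Properties"]["InlinePolicy"]
    return json.loads(serialize_inline_policy(policy, fragment["Mappings"]))["Statement"][0]["Action"]


def is_serializable(policy, mappings):
    """True if the macro can turn the policy into a valid IAM document string."""
    try:
        serialize_inline_policy(policy, mappings)
        return True
    except UnresolvedIntrinsic:
        return False
```

Running `naive_serialize` on the fragment's `InlinePolicy` yields exactly the shape in the console error (an `Action` whose value is `{"Fn::FindInMap": [...]}`), while `serialize_inline_policy` produces the same document as the hand-expanded template in the report. The final `find_intrinsics` pass is the important defensive step: failing inside the macro with a path to the offending node is far easier to debug than a generic 400 from SSO Admin after the transform has already run.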