serverless-iam-roles-per-function
DLQ: wrong SNS permissions while SQS resource is set
Issue description:
The plugin adds an `sns:Publish` permission whenever a function has an `onError` definition, without taking into account that the target might be an SQS resource ARN.
Steps to reproduce:
- Define any function with the `onError` property mapped to an SQS resource:

```yaml
functions:
  function_name_here:
    handler: functions/function_name_here/index.handler
    iamRoleStatementsName: "function_name_here_lambda_role"
    iamRoleStatements:
      - ${file(../../function_name_here.yml)}
    onError:
      Fn::GetAtt: [QueueNameDeadLetterQueue, Arn]
```

- Define the SQS resource:

```yaml
Resources:
  QueueNameDeadLetterQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SomeNameDeadLetterQueue"
```

- Deploy your code with `sls deploy`
Expected result: no useless permissions should be added.
Current result: a useless permission is added:

```json
{
  "Action": [
    "sns:Publish"
  ],
  "Resource": "arn:aws:sqs:{region_here}:{accountId_here}:SomeNameDeadLetterQueue",
  "Effect": "Allow"
}
```
Background:
Serverless added support for DLQ setup with the `onError` function property here. However, it has a strange concurrency issue described in the docs. Still, the community has some workarounds and, moreover, it's hard to reproduce (that's why it's not fixed yet), so most people (like me) use it as is without any issues.
TBD:
As a possible solution I recommend deleting the additional policy definitions in case the `onError` property is set in the function definition.
If we want to keep backward compatibility we may add a configuration property like `addOnErrorPolicy: boolean`.
Looking forward to your comments, thanks in advance.
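To illustrate the least-privilege statement the role actually needs, here is an added example (not the plugin's own code) that derives the dead-letter action from the `onError` target's service, handling both a literal ARN string and the `Fn::GetAtt` form by looking up the resource `Type`. The `dlqService` and `dlqStatement` names and the inline sample resources are assumptions constructed for this example.

```javascript
// Added example, not serverless-iam-roles-per-function code: choose the IAM action
// for a Lambda onError target from its service instead of always emitting sns:Publish.
// Lambda needs sqs:SendMessage on an SQS queue DLQ and sns:Publish on an SNS topic DLQ.

const DLQ_ACTIONS = {
  sqs: 'sqs:SendMessage', // failed events are sent to an SQS queue
  sns: 'sns:Publish',     // ...or published to an SNS topic
};

// Resolve the service behind an onError value. Accepts a literal ARN string or the
// Fn::GetAtt [LogicalId, Arn] form; for the latter, the CloudFormation resource Type
// (assumed to be available in `resources`) tells SQS and SNS apart.
function dlqService(onError, resources = {}) {
  if (typeof onError === 'string') {
    const m = /^arn:aws[a-z-]*:(sqs|sns):/.exec(onError);
    return m ? m[1] : null;
  }
  const getAtt = onError && onError['Fn::GetAtt'];
  if (Array.isArray(getAtt) && getAtt[1] === 'Arn') {
    const res = resources[getAtt[0]];
    const type = res && res.Type;
    if (type === 'AWS::SQS::Queue') return 'sqs';
    if (type === 'AWS::SNS::Topic') return 'sns';
  }
  return null; // unknown target: emit nothing rather than a wrong permission
}

// Build the policy statement, or null when the target service cannot be determined.
function dlqStatement(onError, resources = {}) {
  const service = dlqService(onError, resources);
  if (!service) return null;
  return { Effect: 'Allow', Action: [DLQ_ACTIONS[service]], Resource: onError };
}

// Constructed sample mirroring the reproduction case from the issue.
const sampleResources = {
  QueueNameDeadLetterQueue: {
    Type: 'AWS::SQS::Queue',
    Properties: { QueueName: 'SomeNameDeadLetterQueue' },
  },
};
const sampleOnError = { 'Fn::GetAtt': ['QueueNameDeadLetterQueue', 'Arn'] };
console.log(JSON.stringify(dlqStatement(sampleOnError, sampleResources), null, 2));
```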
@glicht any comment on this?