How to reference SAM Conditions in the AWS:IAM:Role Statement Condition

Time:01-27

I understand that SAM is built on top of CloudFormation, and there are some facilities within SAM to make it easier to construct the stack template.

I created a SAM Condition like:

    Conditions:
      ProductTag: !Equals
        - 'aws:ResourceTag/Joba:Product'
        - !Ref Product
      EnvironmentTag: !Equals
        - 'aws:ResourceTag/Joba:Environment'
        - !Ref Environment
      TagsPolicy: !And
        - !Condition ProductTag
        - !Condition EnvironmentTag

And I tried to reference the TagsPolicy in the AWS::IAM::Role policies (last line).

      DownloadBrokerageNotesStateMachineExecutionRole:
        Type: "AWS::IAM::Role"
        Properties:
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Principal:
                  Service:
                    - !Sub states.${AWS::Region}.amazonaws.com
                Action: "sts:AssumeRole"
          Path: "/"
          Policies:
            - PolicyName: LambdaExecute
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    Action:
                      - "lambda:InvokeFunction"
                    Resource: 
                      - !GetAtt RicoRobotAuthenticateFunction.Arn
                    Condition: TagsPolicy

Running sam validate --lint gives me:

    template.yaml is a valid SAM Template. This is according to basic SAM Validation
    W8001 Condition TagsPolicy not used.

But running sam deploy, throws the following error:

    Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: d215f541-4f16-4050-ac48-04bda830e9dc; Proxy: null)
    The following resource(s) failed to create: [DownloadBrokerageNotesStateMachineExecutionRole]. Rollback requested by user.

How can I reference the TagsPolicy there?

CodePudding user response:

The Condition key has several distinct usages in a template. You're mixing them up a bit.

  1. The template's top-level Condition section defines rules governing the conditional creation of resources. The conditions are then optionally applied within resource definitions, also using the Condition key. CloudFormation evaluates these conditions at deploy-time, deploying only those resources where the condition is true. This isn't what you want.
  2. IAM policy statements accept an optional, unrelated Condition element to narrow the policy's applicability. Define the policy conditions in the statement itself. The conditions are part of the policy definition and are applied at run-time when the policy is evaluated.

    DownloadBrokerageNotesStateMachineExecutionRole:
      Type: "AWS::IAM::Role"
      # Meaning #1:  Applies a defined condition.  Role is created only if the condition is true.
      # Not what you want
      Condition: IsProduction
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Service:
                  - !Sub states.${AWS::Region}.amazonaws.com
              Action: "sts:AssumeRole"
        Path: "/"
        Policies:
          - PolicyName: LambdaExecute
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - "lambda:InvokeFunction"
                  Resource:
                    - !GetAtt RicoRobotAuthenticateFunction.Arn
                  # Meaning #2: Defines the conditions under which the IAM policy applies.
                  # This is what you want
                  Condition:
                    StringEquals:
                      "aws:ResourceTag/Joba:Product": !Ref Product
                      "aws:ResourceTag/Joba:Environment": !Ref Environment
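The two meanings of Condition described in the answer can be told apart mechanically before sam deploy runs. The following Python checker is an added example, not code from the question or the answer: it walks a parsed template, confirms that a resource-level Condition (meaning #1) names a defined template condition, and confirms that every IAM statement Condition (meaning #2) is a mapping of IAM condition operator to context key to value. The sample template is constructed here, modelled on the question, and is written in the JSON-style intrinsic form ({"Ref": "Product"} rather than !Ref Product), which is what a YAML loader with the short-form tags, or the JSON template itself, would produce. The logical IDs StateMachineExecutionRole and AuthenticateFunction are placeholders.

```python
# Added example: distinguish a CloudFormation template Condition from an IAM
# policy statement Condition in a parsed SAM/CloudFormation template.

# Core IAM condition operators. The set prefixes ForAllValues:/ForAnyValue: and
# the IfExists suffix are stripped in is_condition_operator().
IAM_CONDITION_OPERATORS = {
    "StringEquals", "StringNotEquals", "StringEqualsIgnoreCase",
    "StringNotEqualsIgnoreCase", "StringLike", "StringNotLike",
    "NumericEquals", "NumericNotEquals", "NumericLessThan",
    "NumericLessThanEquals", "NumericGreaterThan", "NumericGreaterThanEquals",
    "DateEquals", "DateNotEquals", "DateLessThan", "DateLessThanEquals",
    "DateGreaterThan", "DateGreaterThanEquals", "Bool", "BinaryEquals",
    "IpAddress", "NotIpAddress", "ArnEquals", "ArnLike", "ArnNotEquals",
    "ArnNotLike", "Null",
}

# Resource types that carry inline policy documents.
IAM_RESOURCE_TYPES = {"AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}


def is_condition_operator(name: str) -> bool:
    """True if name is an IAM condition operator, optionally with a set prefix or IfExists suffix."""
    base = name
    for prefix in ("ForAllValues:", "ForAnyValue:"):
        if base.startswith(prefix):
            base = base[len(prefix):]
    if base.endswith("IfExists"):
        base = base[: -len("IfExists")]
    return base in IAM_CONDITION_OPERATORS


def check_statement_condition(condition, template_conditions) -> list:
    """Validate one policy statement's Condition element (meaning #2 in the answer)."""
    if isinstance(condition, str):
        if condition in template_conditions:
            return [f"'{condition}' names a template Condition (a resource-creation rule); "
                    "IAM needs a mapping of operator -> context key -> value"]
        return [f"Condition must be a mapping, got the string '{condition}'"]
    if not isinstance(condition, dict):
        return [f"Condition must be a mapping, got {type(condition).__name__}"]
    problems = []
    for operator, keys in condition.items():
        if not is_condition_operator(operator):
            problems.append(f"'{operator}' is not an IAM condition operator")
        elif not isinstance(keys, dict) or not keys:
            problems.append(f"'{operator}' must map context keys to values")
    return problems


def check_template(template: dict) -> dict:
    """Return {logical_id: [problem, ...]} for resources whose Condition usage is wrong."""
    template_conditions = set(template.get("Conditions", {}))
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        problems = []
        # Meaning #1: a resource-level Condition must name a defined template condition.
        if "Condition" in resource and resource["Condition"] not in template_conditions:
            problems.append(f"resource Condition '{resource['Condition']}' is not defined in Conditions")
        if resource.get("Type") in IAM_RESOURCE_TYPES:
            props = resource.get("Properties", {})
            documents = [p["PolicyDocument"] for p in props.get("Policies", [])]
            if "PolicyDocument" in props:  # AWS::IAM::Policy / ManagedPolicy carry it directly
                documents.append(props["PolicyDocument"])
            for doc in documents:
                for stmt in doc.get("Statement", []):
                    if "Condition" in stmt:
                        problems.extend(check_statement_condition(stmt["Condition"], template_conditions))
        if problems:
            findings[logical_id] = problems
    return findings


def build_template(statement_condition) -> dict:
    """Constructed sample modelled on the question, with the statement Condition injected."""
    return {
        "Conditions": {
            "ProductTag": {"Fn::Equals": ["aws:ResourceTag/Joba:Product", {"Ref": "Product"}]},
            "EnvironmentTag": {"Fn::Equals": ["aws:ResourceTag/Joba:Environment", {"Ref": "Environment"}]},
            "TagsPolicy": {"Fn::And": [{"Condition": "ProductTag"}, {"Condition": "EnvironmentTag"}]},
        },
        "Resources": {
            "StateMachineExecutionRole": {  # placeholder logical ID
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "Policies": [{
                        "PolicyName": "LambdaExecute",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [{
                                "Effect": "Allow",
                                "Action": ["lambda:InvokeFunction"],
                                "Resource": [{"Fn::GetAtt": ["AuthenticateFunction", "Arn"]}],
                                "Condition": statement_condition,
                            }],
                        },
                    }],
                },
            },
        },
    }


# The question's form: a template condition name where IAM expects operators.
BROKEN = build_template("TagsPolicy")
# The answer's form: operator -> context key -> value.
FIXED = build_template({"StringEquals": {
    "aws:ResourceTag/Joba:Product": {"Ref": "Product"},
    "aws:ResourceTag/Joba:Environment": {"Ref": "Environment"},
}})

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_template(tpl) or "no problems")
```

The checker flags the exact mistake behind the MalformedPolicyDocument error: a bare string in a statement's Condition is rejected as soon as it reaches IAM, whereas the template condition it names is a deploy-time switch that only makes sense on the resource itself. Running it on the fixed template returns no findings.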