fix: propagate condition to sqs queue policy for sqssubscription (#1798)

* fix: propagate condition to sqs queue policy for sqssubscription

* Update unit test for function_event_conditions

* Update black commands in Makefile to check only .py files

* Update test with one more SNS event source with sqsSubscription set

* Revert "Update black commands in Makefile to check only .py files"

This reverts commit 115ff09.

Author: hawflau

samtranslator/model/eventsources/push.py

@@ -438,7 +438,7 @@ def to_cloudformation(self, **kwargs):
             queue_arn = queue.get_runtime_attr("arn")
             queue_url = queue.get_runtime_attr("queue_url")
 
-            queue_policy = self._inject_sqs_queue_policy(self.Topic, queue_arn, queue_url)
+            queue_policy = self._inject_sqs_queue_policy(self.Topic, queue_arn, queue_url, function.resource_attributes)
             subscription = self._inject_subscription(
                 "sqs", queue_arn, self.Topic, self.Region, self.FilterPolicy, function.resource_attributes
             )
@@ -461,7 +461,9 @@ def to_cloudformation(self, **kwargs):
         batch_size = self.SqsSubscription.get("BatchSize", None)
         enabled = self.SqsSubscription.get("Enabled", None)
 
-        queue_policy = self._inject_sqs_queue_policy(self.Topic, queue_arn, queue_url, queue_policy_logical_id)
+        queue_policy = self._inject_sqs_queue_policy(
+            self.Topic, queue_arn, queue_url, function.resource_attributes, queue_policy_logical_id
+        )
         subscription = self._inject_subscription(
             "sqs", queue_arn, self.Topic, self.Region, self.FilterPolicy, function.resource_attributes
         )
@@ -497,8 +499,11 @@ def _inject_sqs_event_source_mapping(self, function, role, queue_arn, batch_size
         event_source.Enabled = enabled or True
         return event_source.to_cloudformation(function=function, role=role)
 
-    def _inject_sqs_queue_policy(self, topic_arn, queue_arn, queue_url, logical_id=None):
+    def _inject_sqs_queue_policy(self, topic_arn, queue_arn, queue_url, resource_attributes, logical_id=None):
         policy = SQSQueuePolicy(logical_id or self.logical_id + "QueuePolicy")
+        if CONDITION in resource_attributes:
+            policy.set_resource_attribute(CONDITION, resource_attributes[CONDITION])
+
         policy.PolicyDocument = SQSQueuePolicies.sns_topic_send_message_role_policy(topic_arn, queue_arn)
         policy.Queues = [queue_url]
         return policy

tests/translator/input/function_event_conditions.yaml

@@ -79,6 +79,22 @@ Resources:
             Topic:
               Ref: Notifications
 
+        SNSTopicWithSQSSubscription:
+          Type: SNS
+          Properties:
+            Topic:
+              Ref: Notifications
+            SqsSubscription:
+              QueueArn: !GetAtt Queue.Arn
+              QueueUrl: !Ref Queue
+
+        AnotherSNSWithSQSSubscription:
+          Type: SNS
+          Properties:
+            Topic:
+              Ref: Notifications
+            SqsSubscription: true
+
         KinesisStream:
           Type: Kinesis
           Properties:
@@ -99,3 +115,7 @@ Resources:
 
   Images:
     Type: AWS::S3::Bucket
+
+  Queue:
+    Condition: MyCondition
+    Type: AWS::SQS::Queue

tests/translator/output/aws-cn/function_event_conditions.json

@@ -222,7 +222,8 @@
         "ManagedPolicyArns": [
           "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", 
           "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole", 
-          "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole"
+          "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole",
+          "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole"
         ],
         "Tags": [
           {
@@ -459,6 +460,148 @@
       "DependsOn": [
         "FunctionOneImageBucketPermission"
       ]
+    },
+    "MyAwesomeFunctionSNSTopicWithSQSSubscription": {
+      "Type": "AWS::SNS::Subscription",
+      "Properties": {
+        "Endpoint": {
+          "Fn::GetAtt": [
+            "Queue",
+            "Arn"
+          ]
+        },
+        "Protocol": "sqs",
+        "TopicArn": {
+          "Ref": "Notifications"
+        }
+      },
+      "Condition": "MyCondition"
+    },
+    "MyAwesomeFunctionSNSTopicWithSQSSubscriptionQueuePolicy": {
+      "Type": "AWS::SQS::QueuePolicy",
+      "Properties": {
+        "Queues": [
+          {
+            "Ref": "Queue"
+          }
+        ],
+        "PolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Action": "sqs:SendMessage",
+              "Resource": {
+                "Fn::GetAtt": [
+                  "Queue",
+                  "Arn"
+                ]
+              },
+              "Effect": "Allow",
+              "Condition": {
+                "ArnEquals": {
+                  "aws:SourceArn": {
+                    "Ref": "Notifications"
+                  }
+                }
+              },
+              "Principal": "*"
+            }
+          ]
+        }
+      },
+      "Condition": "MyCondition"
+    },
+    "MyAwesomeFunctionSNSTopicWithSQSSubscriptionEventSourceMapping": {
+      "Type": "AWS::Lambda::EventSourceMapping",
+      "Properties": {
+        "BatchSize": 10,
+        "Enabled": true,
+        "FunctionName": {
+          "Ref": "MyAwesomeFunctionAliasLive"
+        },
+        "EventSourceArn": {
+          "Fn::GetAtt": [
+            "Queue",
+            "Arn"
+          ]
+        }
+      },
+      "Condition": "MyCondition"
+    },
+    "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue": {
+      "Type": "AWS::SQS::Queue",
+      "Properties": {}
+    },
+    "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionEventSourceMapping": {
+      "Type": "AWS::Lambda::EventSourceMapping",
+      "Properties": {
+        "BatchSize": 10,
+        "Enabled": true,
+        "FunctionName": {
+          "Ref": "MyAwesomeFunctionAliasLive"
+        },
+        "EventSourceArn": {
+          "Fn::GetAtt": [
+            "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue",
+            "Arn"
+          ]
+        }
+      },
+      "Condition": "MyCondition"
+    },
+    "MyAwesomeFunctionAnotherSNSWithSQSSubscription": {
+      "Type": "AWS::SNS::Subscription",
+      "Properties": {
+        "Endpoint": {
+          "Fn::GetAtt": [
+            "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue",
+            "Arn"
+          ]
+        },
+        "Protocol": "sqs",
+        "TopicArn": {
+          "Ref": "Notifications"
+        }
+      },
+      "Condition": "MyCondition"
+    },
+    "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueuePolicy": {
+      "Type": "AWS::SQS::QueuePolicy",
+      "Properties": {
+        "Queues": [
+          {
+            "Ref": "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue"
+          }
+        ],
+        "PolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Action": "sqs:SendMessage",
+              "Resource": {
+                "Fn::GetAtt": [
+                  "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue",
+                  "Arn"
+                ]
+              },
+              "Effect": "Allow",
+              "Condition": {
+                "ArnEquals": {
+                  "aws:SourceArn": {
+                    "Ref": "Notifications"
+                  }
+                }
+              },
+              "Principal": "*"
+            }
+          ]
+        }
+      },
+      "Condition": "MyCondition"
+    },
+    "Queue": {
+      "Type": "AWS::SQS::Queue",
+      "Condition": "MyCondition"
     }
   }
 }

tests/translator/output/aws-us-gov/function_event_conditions.json

@@ -222,7 +222,8 @@
         "ManagedPolicyArns": [
           "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", 
           "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole", 
-          "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole"
+          "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole",
+          "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole"
         ],
         "Tags": [
           {
@@ -459,6 +460,148 @@
       "DependsOn": [
         "FunctionOneImageBucketPermission"
       ]
+    },
+    "MyAwesomeFunctionSNSTopicWithSQSSubscription": {
+      "Type": "AWS::SNS::Subscription",
+      "Properties": {
+        "Endpoint": {
+          "Fn::GetAtt": [
+            "Queue",
+            "Arn"
+          ]
+        },
+        "Protocol": "sqs",
+        "TopicArn": {
+          "Ref": "Notifications"
+        }
+      },
+      "Condition": "MyCondition"
+    },
+    "MyAwesomeFunctionSNSTopicWithSQSSubscriptionQueuePolicy": {
+      "Type": "AWS::SQS::QueuePolicy",
+      "Properties": {
+        "Queues": [
+          {
+            "Ref": "Queue"
+          }
+        ],
+        "PolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Action": "sqs:SendMessage",
+              "Resource": {
+                "Fn::GetAtt": [
+                  "Queue",
+                  "Arn"
+                ]
+              },
+              "Effect": "Allow",
+              "Condition": {
+                "ArnEquals": {
+                  "aws:SourceArn": {
+                    "Ref": "Notifications"
+                  }
+                }
+              },
+              "Principal": "*"
+            }
+          ]
+        }
+      },
+      "Condition": "MyCondition"
+    },
+    "MyAwesomeFunctionSNSTopicWithSQSSubscriptionEventSourceMapping": {
+      "Type": "AWS::Lambda::EventSourceMapping",
+      "Properties": {
+        "BatchSize": 10,
+        "Enabled": true,
+        "FunctionName": {
+          "Ref": "MyAwesomeFunctionAliasLive"
+        },
+        "EventSourceArn": {
+          "Fn::GetAtt": [
+            "Queue",
+            "Arn"
+          ]
+        }
+      },
+      "Condition": "MyCondition"
+    },
+    "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue": {
+      "Type": "AWS::SQS::Queue",
+      "Properties": {}
+    },
+    "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionEventSourceMapping": {
+      "Type": "AWS::Lambda::EventSourceMapping",
+      "Properties": {
+        "BatchSize": 10,
+        "Enabled": true,
+        "FunctionName": {
+          "Ref": "MyAwesomeFunctionAliasLive"
+        },
+        "EventSourceArn": {
+          "Fn::GetAtt": [
+            "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue",
+            "Arn"
+          ]
+        }
+      },
+      "Condition": "MyCondition"
+    },
+    "MyAwesomeFunctionAnotherSNSWithSQSSubscription": {
+      "Type": "AWS::SNS::Subscription",
+      "Properties": {
+        "Endpoint": {
+          "Fn::GetAtt": [
+            "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue",
+            "Arn"
+          ]
+        },
+        "Protocol": "sqs",
+        "TopicArn": {
+          "Ref": "Notifications"
+        }
+      },
+      "Condition": "MyCondition"
+    },
+    "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueuePolicy": {
+      "Type": "AWS::SQS::QueuePolicy",
+      "Properties": {
+        "Queues": [
+          {
+            "Ref": "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue"
+          }
+        ],
+        "PolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Action": "sqs:SendMessage",
+              "Resource": {
+                "Fn::GetAtt": [
+                  "MyAwesomeFunctionAnotherSNSWithSQSSubscriptionQueue",
+                  "Arn"
+                ]
+              },
+              "Effect": "Allow",
+              "Condition": {
+                "ArnEquals": {
+                  "aws:SourceArn": {
+                    "Ref": "Notifications"
+                  }
+                }
+              },
+              "Principal": "*"
+            }
+          ]
+        }
+      },
+      "Condition": "MyCondition"
+    },
+    "Queue": {
+      "Type": "AWS::SQS::Queue",
+      "Condition": "MyCondition"
     }
   }
 }