chore: Remove Validation on DeletionPolicy and UpdateReplacePolicy (aws#3317)

Author: GavinZZ

.cfnlintrc.yaml

@@ -131,6 +131,7 @@ ignore_templates:
   - tests/translator/output/**/function_with_mq_using_autogen_role.json  # Property "EventSourceArn" can Fn::GetAtt to a resource of types [AWS::DynamoDB::GlobalTable, AWS::DynamoDB::Table, AWS::Kinesis::Stream, AWS::Kinesis::StreamConsumer, AWS::SQS::Queue]
   - tests/translator/output/**/function_with_tracing.json # Obsolete DependsOn on resource
   - tests/translator/output/**/api_with_propagate_tags.json # TODO: Intentional error transform tests. Will be updated.
+  - tests/translator/output/**/function_with_intrinsics_resource_attribute.json # CFN now supports intrinsics in DeletionPolicy
 ignore_checks:
   - E2531 # Deprecated runtime; not relevant for transform tests
   - W2531 # EOL runtime; not relevant for transform tests

integration/combination/test_function_with_implicit_api_with_timeout.py

@@ -16,6 +16,14 @@ def test_function_with_implicit_api_with_timeout(self):
         rest_api_id = self.get_physical_id_by_type("AWS::ApiGateway::RestApi")
         resources = apigw_client.get_resources(restApiId=rest_api_id)["items"]
 
-        method = apigw_client.get_method(restApiId=rest_api_id, resourceId=resources[0]["id"], httpMethod="GET")
+        resource = get_resource_by_path(resources, "/hello")
+        method = apigw_client.get_method(restApiId=rest_api_id, resourceId=resource["id"], httpMethod="GET")
         method_integration = method["methodIntegration"]
         self.assertEqual(method_integration["timeoutInMillis"], expected_timeout)
+
+
+def get_resource_by_path(resources, path):
+    for resource in resources:
+        if resource["path"] == path:
+            return resource
+    return None

integration/combination/test_function_with_intrinsics_resource_attributes.py

@@ -0,0 +1,11 @@
+from integration.helpers.base_test import BaseTest
+
+
+class TestFunctionWithIntrinsicsResourceAttributes(BaseTest):
+    def test_function_with_intrinsics_resource_attributes(self):
+        # simply verify the stack is deployed successfully is enough
+        self.create_and_verify_stack("combination/function_with_intrinsics_resource_attribute")
+
+        stack_outputs = self.get_stack_outputs()
+        id_dev_stack = stack_outputs["IsDevStack"]
+        self.assertEqual(id_dev_stack, "true")

integration/resources/expected/combination/function_with_intrinsics_resource_attribute.json

@@ -0,0 +1,10 @@
+[
+  {
+    "LogicalResourceId": "MyLambdaFunction",
+    "ResourceType": "AWS::Lambda::Function"
+  },
+  {
+    "LogicalResourceId": "MyLambdaFunctionRole",
+    "ResourceType": "AWS::IAM::Role"
+  }
+]

integration/resources/templates/combination/function_with_intrinsics_resource_attribute.yaml

@@ -0,0 +1,27 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: A template to test timeout support for implicit APIs.
+
+Parameters:
+  IsDevStack: {Type: String, Default: 'true', AllowedValues: ['true', 'false']}
+Conditions:
+  IsDevStack: !Equals [!Ref IsDevStack, 'true']
+  NotIsDevStack: !Not [Condition: IsDevStack]
+
+Resources:
+  MyLambdaFunction:
+    DeletionPolicy: !If [NotIsDevStack, Retain, Delete]
+    Type: AWS::Serverless::Function
+    Properties:
+      Handler: index.handler
+      Runtime: nodejs16.x
+      MemorySize: 128
+      Timeout: 3
+      InlineCode: |
+        exports.handler = async () => 'Hello World!'
+
+Outputs:
+  IsDevStack:
+    Value: !Ref IsDevStack
+
+Metadata:
+  SamTransformTest: true

samtranslator/sdk/resource.py

@@ -43,14 +43,6 @@ def valid(self) -> bool:
         if self.condition and not IS_STR(self.condition, should_raise=False):
             raise InvalidDocumentException([InvalidTemplateException("Every Condition member must be a string.")])
 
-        if self.deletion_policy and not IS_STR(self.deletion_policy, should_raise=False):
-            raise InvalidDocumentException([InvalidTemplateException("Every DeletionPolicy member must be a string.")])
-
-        if self.update_replace_policy and not IS_STR(self.update_replace_policy, should_raise=False):
-            raise InvalidDocumentException(
-                [InvalidTemplateException("Every UpdateReplacePolicy member must be a string.")]
-            )
-
         # TODO: should we raise exception if `self.type` is not a string?
         return isinstance(self.type, str) and SamResourceType.has_value(self.type)
 

tests/translator/input/function_with_intrinsics_resource_attribute.yaml

@@ -0,0 +1,18 @@
+Parameters:
+  IsDevStack: {Type: String, Default: 'true', AllowedValues: ['true', 'false']}
+Conditions:
+  IsDevStack: !Equals [!Ref IsDevStack, 'true']
+  NotIsDevStack: !Not [Condition: IsDevStack]
+
+Resources:
+  FunctionWithArchitecturesIntrinsic:
+    Type: AWS::Serverless::Function
+    UpdateReplacePolicy: !Equals [NotIsDevStack, Retain]
+    DeletionPolicy: !Equals [NotIsDevStack, Retain]
+    Properties:
+      CodeUri: s3://sam-demo-bucket/hello.zip
+      Description: Created by SAM
+      Handler: index.handler
+      MemorySize: 1024
+      Runtime: nodejs12.x
+      Timeout: 3

tests/translator/output/aws-cn/function_with_intrinsics_resource_attribute.json

@@ -0,0 +1,111 @@
+{
+  "Conditions": {
+    "IsDevStack": {
+      "Fn::Equals": [
+        {
+          "Ref": "IsDevStack"
+        },
+        "true"
+      ]
+    },
+    "NotIsDevStack": {
+      "Fn::Not": [
+        {
+          "Condition": "IsDevStack"
+        }
+      ]
+    }
+  },
+  "Parameters": {
+    "IsDevStack": {
+      "AllowedValues": [
+        "true",
+        "false"
+      ],
+      "Default": "true",
+      "Type": "String"
+    }
+  },
+  "Resources": {
+    "FunctionWithArchitecturesIntrinsic": {
+      "DeletionPolicy": {
+        "Fn::Equals": [
+          "NotIsDevStack",
+          "Retain"
+        ]
+      },
+      "Properties": {
+        "Code": {
+          "S3Bucket": "sam-demo-bucket",
+          "S3Key": "hello.zip"
+        },
+        "Description": "Created by SAM",
+        "Handler": "index.handler",
+        "MemorySize": 1024,
+        "Role": {
+          "Fn::GetAtt": [
+            "FunctionWithArchitecturesIntrinsicRole",
+            "Arn"
+          ]
+        },
+        "Runtime": "nodejs12.x",
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ],
+        "Timeout": 3
+      },
+      "Type": "AWS::Lambda::Function",
+      "UpdateReplacePolicy": {
+        "Fn::Equals": [
+          "NotIsDevStack",
+          "Retain"
+        ]
+      }
+    },
+    "FunctionWithArchitecturesIntrinsicRole": {
+      "DeletionPolicy": {
+        "Fn::Equals": [
+          "NotIsDevStack",
+          "Retain"
+        ]
+      },
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "lambda.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [
+          "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+        ],
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role",
+      "UpdateReplacePolicy": {
+        "Fn::Equals": [
+          "NotIsDevStack",
+          "Retain"
+        ]
+      }
+    }
+  }
+}

tests/translator/output/aws-us-gov/function_with_intrinsics_resource_attribute.json

@@ -0,0 +1,111 @@
+{
+  "Conditions": {
+    "IsDevStack": {
+      "Fn::Equals": [
+        {
+          "Ref": "IsDevStack"
+        },
+        "true"
+      ]
+    },
+    "NotIsDevStack": {
+      "Fn::Not": [
+        {
+          "Condition": "IsDevStack"
+        }
+      ]
+    }
+  },
+  "Parameters": {
+    "IsDevStack": {
+      "AllowedValues": [
+        "true",
+        "false"
+      ],
+      "Default": "true",
+      "Type": "String"
+    }
+  },
+  "Resources": {
+    "FunctionWithArchitecturesIntrinsic": {
+      "DeletionPolicy": {
+        "Fn::Equals": [
+          "NotIsDevStack",
+          "Retain"
+        ]
+      },
+      "Properties": {
+        "Code": {
+          "S3Bucket": "sam-demo-bucket",
+          "S3Key": "hello.zip"
+        },
+        "Description": "Created by SAM",
+        "Handler": "index.handler",
+        "MemorySize": 1024,
+        "Role": {
+          "Fn::GetAtt": [
+            "FunctionWithArchitecturesIntrinsicRole",
+            "Arn"
+          ]
+        },
+        "Runtime": "nodejs12.x",
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ],
+        "Timeout": 3
+      },
+      "Type": "AWS::Lambda::Function",
+      "UpdateReplacePolicy": {
+        "Fn::Equals": [
+          "NotIsDevStack",
+          "Retain"
+        ]
+      }
+    },
+    "FunctionWithArchitecturesIntrinsicRole": {
+      "DeletionPolicy": {
+        "Fn::Equals": [
+          "NotIsDevStack",
+          "Retain"
+        ]
+      },
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "lambda.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [
+          "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+        ],
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role",
+      "UpdateReplacePolicy": {
+        "Fn::Equals": [
+          "NotIsDevStack",
+          "Retain"
+        ]
+      }
+    }
+  }
+}