From 802e62d803f0f885747193a4421336f17bd4508e Mon Sep 17 00:00:00 2001
From: Brent Champion
Date: Tue, 2 Dec 2025 14:19:53 -0500
Subject: [PATCH] feat: use managed policy for Durable Functions
---
 samtranslator/model/sam_resources.py | 6 +++++-
 .../output/aws-cn/function_with_durable_config.json | 2 +-
 .../output/aws-cn/function_with_durable_config_globals.json | 6 +++---
 tests/translator/output/aws-cn/globals_for_function.json | 4 ++--
 .../output/aws-us-gov/function_with_durable_config.json | 2 +-
 .../aws-us-gov/function_with_durable_config_globals.json | 6 +++---
 .../translator/output/aws-us-gov/globals_for_function.json | 4 ++--
 tests/translator/output/function_with_durable_config.json | 2 +-
 .../output/function_with_durable_config_globals.json | 6 +++---
 tests/translator/output/globals_for_function.json | 4 ++--
 10 files changed, 23 insertions(+), 19 deletions(-)
diff --git a/samtranslator/model/sam_resources.py b/samtranslator/model/sam_resources.py
index 7d462b959..55866afc4 100644
--- a/samtranslator/model/sam_resources.py
+++ b/samtranslator/model/sam_resources.py
@@ -789,7 +789,11 @@ def _construct_role(
 else IAMRolePolicies.lambda_assume_role_policy()
 )
 
- managed_policy_arns = [ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSLambdaBasicExecutionRole")]
+ managed_policy_arns = (
+ [ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSLambdaBasicDurableExecutionRolePolicy")]
+ if self.DurableConfig
+ else [ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSLambdaBasicExecutionRole")]
+ )
 
 tracing = intrinsics_resolver.resolve_parameter_refs(self.Tracing)
 
diff --git a/tests/translator/output/aws-cn/function_with_durable_config.json b/tests/translator/output/aws-cn/function_with_durable_config.json
index f4ef270d1..1eb60e928 100644
--- a/tests/translator/output/aws-cn/function_with_durable_config.json
+++ b/tests/translator/output/aws-cn/function_with_durable_config.json
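Review bot: The new `if self.DurableConfig` test in `_construct_role` is a plain truthiness check on the raw property, whereas the neighbouring `self.Tracing` is passed through `intrinsics_resolver.resolve_parameter_refs` before use. Any non-empty value therefore selects `AWSLambdaBasicDurableExecutionRolePolicy`; if the property can carry an intrinsic or conditional (not visible in this hunk), the role could end up with durable-execution permissions the deployed function never uses. The durable policy also replaces `AWSLambdaBasicExecutionRole` instead of being added to it, so CloudWatch Logs access for durable functions now rests on the contents of an AWS-managed policy this code does not control; a comment such as `# Durable policy is assumed to be a superset of AWSLambdaBasicExecutionRole (logs + durable execution APIs)` would record that assumption. The two branches differ only in the policy name, so `basic_policy = "service-role/AWSLambdaBasicDurableExecutionRolePolicy" if self.DurableConfig else "service-role/AWSLambdaBasicExecutionRole"` followed by one `generate_aws_managed_policy_arn(basic_policy)` call would read more clearly. `_construct_role` begins and ends outside the hunk.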
@@ -46,7 +46,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy"
 ],
 "Tags": [
 {
diff --git a/tests/translator/output/aws-cn/function_with_durable_config_globals.json b/tests/translator/output/aws-cn/function_with_durable_config_globals.json
index 11faea418..77f3274d1 100644
--- a/tests/translator/output/aws-cn/function_with_durable_config_globals.json
+++ b/tests/translator/output/aws-cn/function_with_durable_config_globals.json
@@ -46,7 +46,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy"
 ],
 "Tags": [
 {
@@ -103,7 +103,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy"
 ],
 "Tags": [
 {
@@ -160,7 +160,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy"
 ],
 "Tags": [
 {
diff --git a/tests/translator/output/aws-cn/globals_for_function.json b/tests/translator/output/aws-cn/globals_for_function.json
index bce45277b..cc5467a09 100644
--- a/tests/translator/output/aws-cn/globals_for_function.json
+++ b/tests/translator/output/aws-cn/globals_for_function.json
@@ -116,7 +116,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+ "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy",
 "arn:aws-cn:iam::aws:policy/AWSXRayDaemonWriteAccess",
 "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 ],
@@ -254,7 +254,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+ "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy",
 "arn:aws-cn:iam::aws:policy/AWSXRayDaemonWriteAccess",
 "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 ],
diff --git a/tests/translator/output/aws-us-gov/function_with_durable_config.json b/tests/translator/output/aws-us-gov/function_with_durable_config.json
index 841337ed9..f3fc80d67 100644
--- a/tests/translator/output/aws-us-gov/function_with_durable_config.json
+++ b/tests/translator/output/aws-us-gov/function_with_durable_config.json
@@ -46,7 +46,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy"
 ],
 "Tags": [
 {
diff --git a/tests/translator/output/aws-us-gov/function_with_durable_config_globals.json b/tests/translator/output/aws-us-gov/function_with_durable_config_globals.json
index acd1d77ad..55ea5f613 100644
--- a/tests/translator/output/aws-us-gov/function_with_durable_config_globals.json
+++ b/tests/translator/output/aws-us-gov/function_with_durable_config_globals.json
@@ -46,7 +46,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy"
 ],
 "Tags": [
 {
@@ -103,7 +103,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy"
 ],
 "Tags": [
 {
@@ -160,7 +160,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy"
 ],
 "Tags": [
 {
diff --git a/tests/translator/output/aws-us-gov/globals_for_function.json b/tests/translator/output/aws-us-gov/globals_for_function.json
index 8b8ad102b..bf9046d92 100644
--- a/tests/translator/output/aws-us-gov/globals_for_function.json
+++ b/tests/translator/output/aws-us-gov/globals_for_function.json
@@ -116,7 +116,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy",
 "arn:aws-us-gov:iam::aws:policy/AWSXRayDaemonWriteAccess",
 "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 ],
@@ -254,7 +254,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+ "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy",
 "arn:aws-us-gov:iam::aws:policy/AWSXRayDaemonWriteAccess",
 "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 ],
diff --git a/tests/translator/output/function_with_durable_config.json b/tests/translator/output/function_with_durable_config.json
index 04bd66bc6..b1ed16942 100644
--- a/tests/translator/output/function_with_durable_config.json
+++ b/tests/translator/output/function_with_durable_config.json
@@ -46,7 +46,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy"
 ],
 "Tags": [
 {
diff --git a/tests/translator/output/function_with_durable_config_globals.json b/tests/translator/output/function_with_durable_config_globals.json
index 075dfceaf..5e56a0e83 100644
--- a/tests/translator/output/function_with_durable_config_globals.json
+++ b/tests/translator/output/function_with_durable_config_globals.json
@@ -46,7 +46,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy"
 ],
 "Tags": [
 {
@@ -103,7 +103,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy"
 ],
 "Tags": [
 {
@@ -160,7 +160,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy"
 ],
 "Tags": [
 {
diff --git a/tests/translator/output/globals_for_function.json b/tests/translator/output/globals_for_function.json
index 27e1a1ebd..2e4def242 100644
--- a/tests/translator/output/globals_for_function.json
+++ b/tests/translator/output/globals_for_function.json
@@ -116,7 +116,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy",
 "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess",
 "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 ],
@@ -254,7 +254,7 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+ "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicDurableExecutionRolePolicy",
 "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess",
 "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 ],