Adding condition for IAM resource

Sid Madipalli · Sid Madipalli · commit cf96ad9463b1 · 2025-12-11T15:07:18.000-08:00
diff --git a/samtranslator/model/sam_resources.py b/samtranslator/model/sam_resources.py
@@ -394,7 +394,7 @@ def to_cloudformation(self, **kwargs):  # type: ignore[no-untyped-def] # noqa: P
             intrinsics_resolver,
             get_managed_policy_map,
         )
-        self._make_lambda_role(lambda_function, intrinsics_resolver, execution_role, resources)
+        self._make_lambda_role(lambda_function, intrinsics_resolver, execution_role, resources, conditions)
 
         try:
             resources += self._generate_event_resources(
@@ -418,6 +418,7 @@ def _make_lambda_role(
         intrinsics_resolver: IntrinsicsResolver,
         execution_role: IAMRole,
         resources: List[Any],
+        conditions: Dict[str, Any],
     ) -> None:
         lambda_role = lambda_function.Role
 
@@ -432,8 +433,17 @@ def _make_lambda_role(
             role_resolved_value = intrinsics_resolver.resolve_parameter_refs(self.Role)
             role_list = role_resolved_value.get("Fn::If")
 
-            # both are none values then we need to create a role
-            if is_intrinsic_no_value(role_list[1]) and is_intrinsic_no_value(role_list[2]):
+            is_both_intrinsic_no_values = is_intrinsic_no_value(role_list[1]) and is_intrinsic_no_value(role_list[2])
+
+            # When either one of the condition is a non no value we need to conditionally
+            # create IAM role, This requires generating a condition that negates the condition check
+            # passed for IAM role creation and use that for the new role being created
+            if not is_both_intrinsic_no_values:
+                execution_role.set_resource_attribute("Condition", f"NOT{role_list[0]}")
+                conditions[f"NOT{role_list[0]}"] = make_not_conditional(role_list[0])
+
+            # both are none values, we need to create a role
+            if is_both_intrinsic_no_values:
                 lambda_function.Role = execution_role.get_runtime_attr("arn")
 
             # first value is none so we should create condition ? create : [2]
diff --git a/tests/translator/output/aws-cn/function_with_iam_role.json b/tests/translator/output/aws-cn/function_with_iam_role.json
@@ -1,5 +1,12 @@
 {
   "Conditions": {
+    "NOTRoleExists": {
+      "Fn::Not": [
+        {
+          "Condition": "RoleExists"
+        }
+      ]
+    },
     "RoleExists": {
       "Fn::Not": [
         {
@@ -52,6 +59,7 @@
       "Type": "AWS::Lambda::Function"
     },
     "MinimalFunctionRole": {
+      "Condition": "NOTRoleExists",
       "Properties": {
         "AssumeRolePolicyDocument": {
           "Statement": [
diff --git a/tests/translator/output/aws-us-gov/function_with_iam_role.json b/tests/translator/output/aws-us-gov/function_with_iam_role.json
@@ -1,5 +1,12 @@
 {
   "Conditions": {
+    "NOTRoleExists": {
+      "Fn::Not": [
+        {
+          "Condition": "RoleExists"
+        }
+      ]
+    },
     "RoleExists": {
       "Fn::Not": [
         {
@@ -52,6 +59,7 @@
       "Type": "AWS::Lambda::Function"
     },
     "MinimalFunctionRole": {
+      "Condition": "NOTRoleExists",
       "Properties": {
         "AssumeRolePolicyDocument": {
           "Statement": [
diff --git a/tests/translator/output/function_with_iam_role.json b/tests/translator/output/function_with_iam_role.json
@@ -1,5 +1,12 @@
 {
   "Conditions": {
+    "NOTRoleExists": {
+      "Fn::Not": [
+        {
+          "Condition": "RoleExists"
+        }
+      ]
+    },
     "RoleExists": {
       "Fn::Not": [
         {
@@ -52,6 +59,7 @@
       "Type": "AWS::Lambda::Function"
     },
     "MinimalFunctionRole": {
+      "Condition": "NOTRoleExists",
       "Properties": {
         "AssumeRolePolicyDocument": {
           "Statement": [
