Adding condition for IAM role with if and else case

Sid Madipalli · Sid Madipalli · commit 83e1f032e975 · 2025-12-11T15:56:51.000-08:00
diff --git a/samtranslator/model/sam_resources.py b/samtranslator/model/sam_resources.py
@@ -435,28 +435,27 @@ def _make_lambda_role(
 
             is_both_intrinsic_no_values = is_intrinsic_no_value(role_list[1]) and is_intrinsic_no_value(role_list[2])
 
-            # When either one of the condition is a non no value we need to conditionally
-            # create IAM role, This requires generating a condition that negates the condition check
-            # passed for IAM role creation and use that for the new role being created
-            if not is_both_intrinsic_no_values:
-                execution_role.set_resource_attribute("Condition", f"NOT{role_list[0]}")
-                conditions[f"NOT{role_list[0]}"] = make_not_conditional(role_list[0])
-
             # both are none values, we need to create a role
             if is_both_intrinsic_no_values:
                 lambda_function.Role = execution_role.get_runtime_attr("arn")
 
             # first value is none so we should create condition ? create : [2]
+            # create a condition for IAM role to only create on if case
             elif is_intrinsic_no_value(role_list[1]):
                 lambda_function.Role = make_conditional(
                     role_list[0], execution_role.get_runtime_attr("arn"), role_list[2]
                 )
+                execution_role.set_resource_attribute("Condition", f"{role_list[0]}")
 
             # second value is none so we should create condition ? [1] : create
+            # create a condition for IAM role to only create on else case
+            # with top level condition that negates the condition passed
             elif is_intrinsic_no_value(role_list[2]):
                 lambda_function.Role = make_conditional(
                     role_list[0], role_list[1], execution_role.get_runtime_attr("arn")
                 )
+                execution_role.set_resource_attribute("Condition", f"NOT{role_list[0]}")
+                conditions[f"NOT{role_list[0]}"] = make_not_conditional(role_list[0])
 
     def _construct_event_invoke_config(  # noqa: PLR0913
         self,
diff --git a/tests/translator/input/function_with_iam_role_create.yaml b/tests/translator/input/function_with_iam_role_create.yaml
@@ -0,0 +1,20 @@
+Parameters:
+  iamRoleArn:
+    Type: String
+    Description: The ARN of an IAM role to use as this function's execution role.
+      If a role isn't specified, one is created for you with a logical ID of <function-logical-id>Role.
+
+Conditions:
+  CreateRole: !Not [!Equals ['', !Ref iamRoleArn]]
+
+Resources:
+  MinimalFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: s3://sam-demo-bucket/hello.zip
+      Handler: hello.handler
+      Runtime: python3.10
+      Role: !If
+      - CreateRole
+      - !Ref "AWS::NoValue"
+      - !Ref "iamRoleArn"
diff --git a/tests/translator/output/aws-cn/function_with_iam_role_create.json b/tests/translator/output/aws-cn/function_with_iam_role_create.json
@@ -0,0 +1,86 @@
+{
+  "Conditions": {
+    "CreateRole": {
+      "Fn::Not": [
+        {
+          "Fn::Equals": [
+            "",
+            {
+              "Ref": "iamRoleArn"
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "Parameters": {
+    "iamRoleArn": {
+      "Description": "The ARN of an IAM role to use as this function's execution role. If a role isn't specified, one is created for you with a logical ID of <function-logical-id>Role.",
+      "Type": "String"
+    }
+  },
+  "Resources": {
+    "MinimalFunction": {
+      "Properties": {
+        "Code": {
+          "S3Bucket": "sam-demo-bucket",
+          "S3Key": "hello.zip"
+        },
+        "Handler": "hello.handler",
+        "Role": {
+          "Fn::If": [
+            "CreateRole",
+            {
+              "Fn::GetAtt": [
+                "MinimalFunctionRole",
+                "Arn"
+              ]
+            },
+            {
+              "Ref": "iamRoleArn"
+            }
+          ]
+        },
+        "Runtime": "python3.10",
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::Lambda::Function"
+    },
+    "MinimalFunctionRole": {
+      "Condition": "CreateRole",
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "lambda.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [
+          "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+        ],
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role"
+    }
+  }
+}
diff --git a/tests/translator/output/aws-us-gov/function_with_iam_role_create.json b/tests/translator/output/aws-us-gov/function_with_iam_role_create.json
@@ -0,0 +1,86 @@
+{
+  "Conditions": {
+    "CreateRole": {
+      "Fn::Not": [
+        {
+          "Fn::Equals": [
+            "",
+            {
+              "Ref": "iamRoleArn"
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "Parameters": {
+    "iamRoleArn": {
+      "Description": "The ARN of an IAM role to use as this function's execution role. If a role isn't specified, one is created for you with a logical ID of <function-logical-id>Role.",
+      "Type": "String"
+    }
+  },
+  "Resources": {
+    "MinimalFunction": {
+      "Properties": {
+        "Code": {
+          "S3Bucket": "sam-demo-bucket",
+          "S3Key": "hello.zip"
+        },
+        "Handler": "hello.handler",
+        "Role": {
+          "Fn::If": [
+            "CreateRole",
+            {
+              "Fn::GetAtt": [
+                "MinimalFunctionRole",
+                "Arn"
+              ]
+            },
+            {
+              "Ref": "iamRoleArn"
+            }
+          ]
+        },
+        "Runtime": "python3.10",
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::Lambda::Function"
+    },
+    "MinimalFunctionRole": {
+      "Condition": "CreateRole",
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "lambda.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [
+          "arn:aws-us-gov:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+        ],
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role"
+    }
+  }
+}
diff --git a/tests/translator/output/function_with_iam_role_create.json b/tests/translator/output/function_with_iam_role_create.json
@@ -0,0 +1,86 @@
+{
+  "Conditions": {
+    "CreateRole": {
+      "Fn::Not": [
+        {
+          "Fn::Equals": [
+            "",
+            {
+              "Ref": "iamRoleArn"
+            }
+          ]
+        }
+      ]
+    }
+  },
+  "Parameters": {
+    "iamRoleArn": {
+      "Description": "The ARN of an IAM role to use as this function's execution role. If a role isn't specified, one is created for you with a logical ID of <function-logical-id>Role.",
+      "Type": "String"
+    }
+  },
+  "Resources": {
+    "MinimalFunction": {
+      "Properties": {
+        "Code": {
+          "S3Bucket": "sam-demo-bucket",
+          "S3Key": "hello.zip"
+        },
+        "Handler": "hello.handler",
+        "Role": {
+          "Fn::If": [
+            "CreateRole",
+            {
+              "Fn::GetAtt": [
+                "MinimalFunctionRole",
+                "Arn"
+              ]
+            },
+            {
+              "Ref": "iamRoleArn"
+            }
+          ]
+        },
+        "Runtime": "python3.10",
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::Lambda::Function"
+    },
+    "MinimalFunctionRole": {
+      "Condition": "CreateRole",
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "lambda.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [
+          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+        ],
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role"
+    }
+  }
+}
