Allow AWS::NoValue to omit Role property in if - FeatureRequest#3728

[SherrryX]

3728 #, if available

Allow AWS::NoValue to omit Role property in Fn::If

I have validated the changes with unit tests and hand testing with bin/sam-translate.py. The change resolved my need in #3728.

Checklist

• Adheres to the development guidelines
• Add/update transform tests
  • Using correct values
  • Using wrong values
• Add/update integration tests

Examples?

Please reach out in the comments if you want to add an example. Examples will be
added to sam init through aws/aws-sam-cli-app-templates.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[roger-zhangg]

Hi @SherrryX Thanks for the PR, One concern is from this issue: #2533 . Could we add tests that verifies the intrinsic functions implemented in this PR could reject stack resources as intended?

[SherrryX]

Below please find some examples of the auto generated output results via testing with bin/sam-translate.py:

My template:

Role: !If
      - RoleExists
      - !Ref roleArn
      - !If
          - PermissionsBoundaryExists
          - "arn:aws:iam::123456789012:role/MyAnotherCustomRole"
          - !Ref "AWS::NoValue"

For case#1 when Role parameter is not present in the template or Role is eventually evaluated to "AWS::NoValue" - SAM generates the the role:

For case#2 when roleArn is provided (roleArn: "arn:aws:iam::123456789012:role/MyCustomRole") and so roleArn1 is true - use the given role:

For case#3 when roelArn is false but PermissionsBoundaryExists is true - use the given role: