CFn: Handle Fn::Sub returning JSON strings for IAM policies (#13735)

nik-localstack · web-flow · commit 2046dff91d05 · 2026-02-11T22:37:39.000+02:00
diff --git a/localstack-core/localstack/services/iam/resource_providers/aws_iam_managedpolicy.py b/localstack-core/localstack/services/iam/resource_providers/aws_iam_managedpolicy.py
@@ -61,7 +61,13 @@ def create(
             group_name = util.generate_default_name(request.stack_name, request.logical_resource_id)
             model["ManagedPolicyName"] = group_name
 
-        policy_doc = json.dumps(util.remove_none_values(model["PolicyDocument"]))
+        # PolicyDocument can be either a dict or a JSON string (e.g., from Fn::Sub)
+        policy_document = model["PolicyDocument"]
+        if isinstance(policy_document, str):
+            policy_doc = policy_document
+        else:
+            policy_doc = json.dumps(util.remove_none_values(policy_document))
+
         policy = iam_client.create_policy(
             PolicyName=model["ManagedPolicyName"], PolicyDocument=policy_doc
         )
diff --git a/localstack-core/localstack/services/iam/resource_providers/aws_iam_policy.py b/localstack-core/localstack/services/iam/resource_providers/aws_iam_policy.py
@@ -53,7 +53,13 @@ def create(
         model = request.desired_state
         iam_client = request.aws_client_factory.iam
 
-        policy_doc = json.dumps(util.remove_none_values(model["PolicyDocument"]))
+        # PolicyDocument can be either a dict or a JSON string (e.g., from Fn::Sub)
+        policy_document = model["PolicyDocument"]
+        if isinstance(policy_document, str):
+            policy_doc = policy_document
+        else:
+            policy_doc = json.dumps(util.remove_none_values(policy_document))
+
         policy_name = model["PolicyName"]
 
         if not any([model.get("Roles"), model.get("Users"), model.get("Groups")]):
@@ -122,7 +128,14 @@ def update(
         iam_client = request.aws_client_factory.iam
         model = request.desired_state
         # FIXME: this wasn't properly implemented before as well, still needs to be rewritten
-        policy_doc = json.dumps(util.remove_none_values(model["PolicyDocument"]))
+
+        # PolicyDocument can be either a dict or a JSON string (e.g., from Fn::Sub)
+        policy_document = model["PolicyDocument"]
+        if isinstance(policy_document, str):
+            policy_doc = policy_document
+        else:
+            policy_doc = json.dumps(util.remove_none_values(policy_document))
+
         policy_name = model["PolicyName"]
 
         for role in model.get("Roles", []):
diff --git a/tests/aws/services/cloudformation/resource_providers/iam/test_iam.py b/tests/aws/services/cloudformation/resource_providers/iam/test_iam.py
@@ -333,3 +333,213 @@ def test_updating_stack_with_iam_role(deploy_cfn_template, aws_client):
         "Role"
     )
     assert stack.outputs["TestStackRoleName"] == lambda_role_name_new
+
+
+@markers.aws.validated
+def test_managedpolicy_with_fn_sub_json_string(deploy_cfn_template, snapshot, aws_client):
+    snapshot.add_transformer(snapshot.transform.iam_api())
+
+    policy_name = f"test-policy-{short_uid()}"
+
+    template_json = {
+        "AWSTemplateFormatVersion": "2010-09-09",
+        "Parameters": {"ClusterName": {"Type": "String", "Default": "test-cluster"}},
+        "Resources": {
+            "TestPolicy": {
+                "Type": "AWS::IAM::ManagedPolicy",
+                "Properties": {
+                    "ManagedPolicyName": policy_name,
+                    "PolicyDocument": {
+                        "Fn::Sub": json.dumps(
+                            {
+                                "Version": "2012-10-17",
+                                "Statement": [
+                                    {
+                                        "Effect": "Allow",
+                                        "Action": "s3:GetObject",
+                                        "Resource": "arn:${AWS::Partition}:s3:::bucket-${ClusterName}-${AWS::Region}/*",
+                                    }
+                                ],
+                            }
+                        )
+                    },
+                },
+            }
+        },
+        "Outputs": {"PolicyArn": {"Value": {"Ref": "TestPolicy"}}},
+    }
+
+    stack = deploy_cfn_template(
+        template=json.dumps(template_json), parameters={"ClusterName": "my-cluster"}
+    )
+
+    policy_arn = stack.outputs["PolicyArn"]
+    policy_version = aws_client.iam.get_policy_version(
+        PolicyArn=policy_arn,
+        VersionId=aws_client.iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"],
+    )["PolicyVersion"]
+
+    snapshot.match("policy_document", policy_version["Document"])
+
+
+@markers.aws.validated
+def test_managedpolicy_with_fn_sub_multiline_yaml(deploy_cfn_template, snapshot, aws_client):
+    snapshot.add_transformer(snapshot.transform.iam_api())
+
+    policy_name = f"test-policy-{short_uid()}"
+
+    template_yaml = f"""
+AWSTemplateFormatVersion: "2010-09-09"
+Parameters:
+  ClusterName:
+    Type: String
+    Default: "test-cluster"
+Resources:
+  TestPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: {policy_name}
+      PolicyDocument: !Sub |
+        {{
+          "Version": "2012-10-17",
+          "Statement": [
+            {{
+              "Effect": "Allow",
+              "Action": "eks:DescribeCluster",
+              "Resource": "arn:${{AWS::Partition}}:eks:${{AWS::Region}}:${{AWS::AccountId}}:cluster/${{ClusterName}}"
+            }}
+          ]
+        }}
+Outputs:
+  PolicyArn:
+    Value: !Ref TestPolicy
+"""
+
+    stack = deploy_cfn_template(template=template_yaml, parameters={"ClusterName": "my-cluster"})
+
+    policy_arn = stack.outputs["PolicyArn"]
+    policy_version = aws_client.iam.get_policy_version(
+        PolicyArn=policy_arn,
+        VersionId=aws_client.iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"],
+    )["PolicyVersion"]
+
+    snapshot.match("policy_document_multiline", policy_version["Document"])
+
+
+@markers.aws.validated
+def test_managedpolicy_with_fn_sub_and_arrays(deploy_cfn_template, snapshot, aws_client):
+    snapshot.add_transformer(snapshot.transform.iam_api())
+
+    policy_name = f"test-policy-{short_uid()}"
+
+    template = {
+        "AWSTemplateFormatVersion": "2010-09-09",
+        "Parameters": {"BucketName": {"Type": "String", "Default": "my-bucket"}},
+        "Resources": {
+            "TestPolicy": {
+                "Type": "AWS::IAM::ManagedPolicy",
+                "Properties": {
+                    "ManagedPolicyName": policy_name,
+                    "PolicyDocument": {
+                        "Fn::Sub": json.dumps(
+                            {
+                                "Version": "2012-10-17",
+                                "Statement": [
+                                    {
+                                        "Effect": "Allow",
+                                        "Action": ["s3:GetObject", "s3:PutObject"],
+                                        "Resource": [
+                                            "arn:${AWS::Partition}:s3:::${BucketName}/*",
+                                            "arn:${AWS::Partition}:s3:::${BucketName}-${AWS::Region}/*",
+                                        ],
+                                    }
+                                ],
+                            }
+                        )
+                    },
+                },
+            }
+        },
+        "Outputs": {"PolicyArn": {"Value": {"Ref": "TestPolicy"}}},
+    }
+
+    stack = deploy_cfn_template(
+        template=json.dumps(template), parameters={"BucketName": "test-bucket"}
+    )
+
+    policy_arn = stack.outputs["PolicyArn"]
+    policy_version = aws_client.iam.get_policy_version(
+        PolicyArn=policy_arn,
+        VersionId=aws_client.iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"],
+    )["PolicyVersion"]
+
+    snapshot.match("policy_with_arrays", policy_version["Document"])
+
+
+@markers.aws.validated
+def test_inline_policy_with_fn_sub_json_string(deploy_cfn_template, snapshot, aws_client):
+    """
+    Test inline IAM Policy (AWS::IAM::Policy) with Fn::Sub returning a JSON string.
+
+    Verifies that inline policies also handle JSON strings from Fn::Sub correctly.
+    """
+    snapshot.add_transformer(snapshot.transform.iam_api())
+
+    role_name = f"test-role-{short_uid()}"
+    policy_name = f"test-policy-{short_uid()}"
+
+    template = {
+        "AWSTemplateFormatVersion": "2010-09-09",
+        "Resources": {
+            "TestRole": {
+                "Type": "AWS::IAM::Role",
+                "Properties": {
+                    "RoleName": role_name,
+                    "AssumeRolePolicyDocument": {
+                        "Version": "2012-10-17",
+                        "Statement": [
+                            {
+                                "Effect": "Allow",
+                                "Principal": {"Service": "lambda.amazonaws.com"},
+                                "Action": "sts:AssumeRole",
+                            }
+                        ],
+                    },
+                },
+            },
+            "TestPolicy": {
+                "Type": "AWS::IAM::Policy",
+                "Properties": {
+                    "PolicyName": policy_name,
+                    "Roles": [{"Ref": "TestRole"}],
+                    "PolicyDocument": {
+                        "Fn::Sub": json.dumps(
+                            {
+                                "Version": "2012-10-17",
+                                "Statement": [
+                                    {
+                                        "Effect": "Allow",
+                                        "Action": "s3:GetObject",
+                                        "Resource": "arn:${AWS::Partition}:s3:::my-bucket-${AWS::Region}/*",
+                                    }
+                                ],
+                            }
+                        )
+                    },
+                },
+            },
+        },
+    }
+
+    deploy_cfn_template(template=json.dumps(template))
+
+    # Verify the inline policy was attached to the role
+    policies = aws_client.iam.list_role_policies(RoleName=role_name)
+    assert policy_name in policies["PolicyNames"]
+
+    # Get the policy document
+    policy_doc = aws_client.iam.get_role_policy(RoleName=role_name, PolicyName=policy_name)[
+        "PolicyDocument"
+    ]
+
+    snapshot.match("inline_policy_document", policy_doc)
diff --git a/tests/aws/services/cloudformation/resource_providers/iam/test_iam.snapshot.json b/tests/aws/services/cloudformation/resource_providers/iam/test_iam.snapshot.json
@@ -1,24 +1,24 @@
 {
   "tests/aws/services/cloudformation/resource_providers/iam/test_iam.py::test_iam_username_defaultname": {
-    "recorded-date": "31-05-2022, 11:29:45",
+    "recorded-date": "10-02-2026, 15:51:18",
     "recorded-content": {
       "get_iam_user": {
         "User": {
+          "Arn": "arn:<partition>:iam::111111111111:user/<user-name:1>",
+          "CreateDate": "datetime",
           "Path": "/",
-          "UserName": "<user-name:1>",
           "UserId": "<user-id:1>",
-          "Arn": "arn:<partition>:iam::111111111111:user/<user-name:1>",
-          "CreateDate": "datetime"
+          "UserName": "<user-name:1>"
         },
         "ResponseMetadata": {
-          "HTTPStatusCode": 200,
-          "HTTPHeaders": {}
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 200
         }
       }
     }
   },
   "tests/aws/services/cloudformation/resource_providers/iam/test_iam.py::test_managed_policy_with_empty_resource": {
-    "recorded-date": "11-07-2023, 18:10:41",
+    "recorded-date": "10-02-2026, 15:56:19",
     "recorded-content": {
       "outputs": {
         "PolicyArn": "arn:<partition>:iam::111111111111:policy/<policy-name:1>",
@@ -48,7 +48,7 @@
     }
   },
   "tests/aws/services/cloudformation/resource_providers/iam/test_iam.py::test_iam_user_access_key": {
-    "recorded-date": "11-07-2023, 08:23:54",
+    "recorded-date": "10-02-2026, 15:52:59",
     "recorded-content": {
       "key_outputs": {
         "AccessKeyId": "<key-id:1>",
@@ -69,7 +69,7 @@
     }
   },
   "tests/aws/services/cloudformation/resource_providers/iam/test_iam.py::test_update_inline_policy": {
-    "recorded-date": "05-04-2023, 11:55:22",
+    "recorded-date": "10-02-2026, 15:54:55",
     "recorded-content": {
       "user_inline_policy": {
         "PolicyDocument": {
@@ -156,7 +156,7 @@
     }
   },
   "tests/aws/services/cloudformation/resource_providers/iam/test_iam.py::test_server_certificate": {
-    "recorded-date": "13-03-2024, 20:20:07",
+    "recorded-date": "10-02-2026, 15:58:53",
     "recorded-content": {
       "outputs": {
         "Arn": "arn:<partition>:iam::111111111111:server-certificate/<server-certificate-name:1>",
@@ -192,5 +192,71 @@
         }
       }
     }
+  },
+  "tests/aws/services/cloudformation/resource_providers/iam/test_iam.py::test_managedpolicy_with_fn_sub_json_string": {
+    "recorded-date": "10-02-2026, 16:02:06",
+    "recorded-content": {
+      "policy_document": {
+        "Statement": [
+          {
+            "Action": "s3:GetObject",
+            "Effect": "Allow",
+            "Resource": "arn:<partition>:s3:::bucket-my-cluster-<region>/*"
+          }
+        ],
+        "Version": "2012-10-17"
+      }
+    }
+  },
+  "tests/aws/services/cloudformation/resource_providers/iam/test_iam.py::test_managedpolicy_with_fn_sub_multiline_yaml": {
+    "recorded-date": "10-02-2026, 16:02:38",
+    "recorded-content": {
+      "policy_document_multiline": {
+        "Statement": [
+          {
+            "Action": "eks:DescribeCluster",
+            "Effect": "Allow",
+            "Resource": "arn:<partition>:eks:<region>:111111111111:cluster/my-cluster"
+          }
+        ],
+        "Version": "2012-10-17"
+      }
+    }
+  },
+  "tests/aws/services/cloudformation/resource_providers/iam/test_iam.py::test_managedpolicy_with_fn_sub_and_arrays": {
+    "recorded-date": "10-02-2026, 16:03:09",
+    "recorded-content": {
+      "policy_with_arrays": {
+        "Statement": [
+          {
+            "Action": [
+              "s3:GetObject",
+              "s3:PutObject"
+            ],
+            "Effect": "Allow",
+            "Resource": [
+              "arn:<partition>:s3:::test-bucket/*",
+              "arn:<partition>:s3:::test-bucket-<region>/*"
+            ]
+          }
+        ],
+        "Version": "2012-10-17"
+      }
+    }
+  },
+  "tests/aws/services/cloudformation/resource_providers/iam/test_iam.py::test_inline_policy_with_fn_sub_json_string": {
+    "recorded-date": "10-02-2026, 16:03:58",
+    "recorded-content": {
+      "inline_policy_document": {
+        "Statement": [
+          {
+            "Action": "s3:GetObject",
+            "Effect": "Allow",
+            "Resource": "arn:<partition>:s3:::my-bucket-<region>/*"
+          }
+        ],
+        "Version": "2012-10-17"
+      }
+    }
   }
 }
diff --git a/tests/aws/services/cloudformation/resource_providers/iam/test_iam.validation.json b/tests/aws/services/cloudformation/resource_providers/iam/test_iam.validation.json
