All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

sequenceDiagram
  participant Packager as "Package step"
  participant Compiler as "AwsCompileFunctions"
  participant IAM as "Provider IAM config"
  participant Permissions as "roles-per-function-permissions"
  participant DestService as "Destination service\n(Lambda/SQS/SNS/Events)"

  Packager->>Compiler: compileFunctionEventInvokeConfig(function)
  Compiler->>IAM: read provider.iam.role (mode)
  IAM-->>Compiler: returns mode (e.g., 'perFunction')
  alt mode === 'perFunction' or executionRole present
    Compiler->>Permissions: applyPerFunctionPermissions(function)
    Permissions->>Permissions: applyDestinationPermissions(onSuccess/onFailure)
    Permissions->>DestService: emit policy statement (action, resource/ARN)
    Compiler->>DestService: create EventInvokeConfig with destinations
  else shared-role mode
    Compiler->>Compiler: ensureTargetExecutionPermission(target)
    Compiler->>DestService: create EventInvokeConfig with destinations
  end

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/serverless/lib/plugins/aws/package/lib/roles-per-function-permissions.js (1)> 516-595: Fail fast when destination permissions can’t be inferred.

In per-function IAM mode, ensureTargetExecutionPermission is skipped; if getDestinationAction returns null (typo/unsupported type), we now silently skip permissions, which can surface later as runtime delivery failures. Consider throwing (or using throwError) to keep behavior consistent with the shared-role path.

🧩 Proposed fix

-function applyDestinationPermissions({
-  functionObject,
-  policyStatements,
-  serverless,
-}) {
+function applyDestinationPermissions({
+  functionObject,
+  policyStatements,
+  serverless,
+  throwError,
+}) {
   const { destinations } = functionObject
   if (!destinations) return

   const processDestination = (destinationProperty) => {
     const action = getDestinationAction(destinationProperty)
-    if (!action) return
+    if (!action) {
+      if (typeof throwError === 'function') {
+        throwError(`Unsupported destination target`, functionObject)
+      }
+      return
+    }

     const resourceArn = getDestinationArn(destinationProperty, serverless)

     policyStatements.push({
       Effect: 'Allow',
       Action: action,
       Resource: resourceArn,
     })
   }
@@
-  applyDestinationPermissions({ functionObject, policyStatements, serverless })
+  applyDestinationPermissions({
+    functionObject,
+    policyStatements,
+    serverless,
+    throwError,
+  })
 }

🤖 Fix all issues with AI agents

In
`@packages/serverless/test/unit/lib/plugins/aws/package/compile/functions.test.js`:
- Around line 661-664: The test currently uses await
expect(awsCompileFunctions.compileFunctions()).resolves.not.toThrow(), which is
invalid because toThrow expects a function; replace that assertion with a direct
await of the promise to ensure it resolves without throwing: change the
assertion to await awsCompileFunctions.compileFunctions(); (locate and update
the test that calls awsCompileFunctions.compileFunctions()).

This has been addressed