From 757c75c3413fb8f7b74d35642341792558454216 Mon Sep 17 00:00:00 2001 From: kstich Date: Fri, 5 Jan 2024 09:26:53 -0800 Subject: [PATCH] Support iamAction for CFN handler permissions --- CHANGELOG.md | 1 + .../fromsmithy/mappers/HandlerPermissionMapper.java | 10 +++++++--- .../mappers/HandlerPermissionMapperTest.java | 2 +- .../schema/fromsmithy/mappers/simple.smithy | 2 ++ 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d3ac4a6d8df..a3985fff906 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ ### Bug Fixes +* Fixed an issue where `@iamAction` wasn't reflected in CFN resource schema creation. ([#2091](https://github.com/smithy-lang/smithy/pull/2091)) * Fixed tree node start and end locations. ([#2084](https://github.com/smithy-lang/smithy/pull/2084)) * Fixed several minor build warnings. ([2089](https://github.com/smithy-lang/smithy/pull/2089)) * Fixed protocol test service signing name for `awsJson1_1` protocol. ([#2089](https://github.com/smithy-lang/smithy/pull/2089)) diff --git a/smithy-aws-cloudformation/src/main/java/software/amazon/smithy/aws/cloudformation/schema/fromsmithy/mappers/HandlerPermissionMapper.java b/smithy-aws-cloudformation/src/main/java/software/amazon/smithy/aws/cloudformation/schema/fromsmithy/mappers/HandlerPermissionMapper.java index 97106725859..4a671f949a7 100644 --- a/smithy-aws-cloudformation/src/main/java/software/amazon/smithy/aws/cloudformation/schema/fromsmithy/mappers/HandlerPermissionMapper.java +++ b/smithy-aws-cloudformation/src/main/java/software/amazon/smithy/aws/cloudformation/schema/fromsmithy/mappers/HandlerPermissionMapper.java 
@@ -22,6 +22,7 @@ import software.amazon.smithy.aws.cloudformation.schema.fromsmithy.Context; import software.amazon.smithy.aws.cloudformation.schema.model.Handler; import software.amazon.smithy.aws.cloudformation.schema.model.ResourceSchema; +import software.amazon.smithy.aws.iam.traits.IamActionTrait; import software.amazon.smithy.aws.iam.traits.RequiredActionsTrait; import software.amazon.smithy.aws.traits.ServiceTrait; import software.amazon.smithy.model.Model; @@ -30,6 +31,7 @@ import software.amazon.smithy.model.shapes.ServiceShape; import software.amazon.smithy.model.shapes.ShapeId; import software.amazon.smithy.model.traits.NoReplaceTrait; +import software.amazon.smithy.utils.ListUtils; import software.amazon.smithy.utils.SetUtils; import software.amazon.smithy.utils.SmithyInternalApi; @@ -112,9 +114,11 @@ private Set getPermissionsEntriesForOperation(Model model, ServiceShape permissionsEntries.add(operationActionName); // Add all the other required actions for the operation. - operation.getTrait(RequiredActionsTrait.class) - .map(RequiredActionsTrait::getValues) - .map(permissionsEntries::addAll); + permissionsEntries.addAll(operation.getTrait(IamActionTrait.class) + .map(IamActionTrait::getRequiredActions) + .orElseGet(() -> operation.getTrait(RequiredActionsTrait.class) + .map(RequiredActionsTrait::getValues) + .orElse(ListUtils.of()))); return permissionsEntries; } } diff --git a/smithy-aws-cloudformation/src/test/java/software/amazon/smithy/aws/cloudformation/schema/fromsmithy/mappers/HandlerPermissionMapperTest.java b/smithy-aws-cloudformation/src/test/java/software/amazon/smithy/aws/cloudformation/schema/fromsmithy/mappers/HandlerPermissionMapperTest.java index 410b00ec279..1bbe03ca9c2 100644 --- a/smithy-aws-cloudformation/src/test/java/software/amazon/smithy/aws/cloudformation/schema/fromsmithy/mappers/HandlerPermissionMapperTest.java 
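Review bot: In the `@@ -112,9 +114,11 @@` hunk, the `orElseGet` fallback to `@requiredActions` runs only when the operation has no `@iamAction` trait at all, so an operation that carries `@iamAction` without `requiredActions` (for example only a name) next to a separate `@requiredActions` trait would presumably get an empty list and lose those entries from the handler's `permissions`. CloudFormation uses that list to scope the credentials it hands to the handler, so a dropped entry shows up as an access-denied failure at provisioning time rather than at build time. Adding `.filter(actions -> !actions.isEmpty())` after `.map(IamActionTrait::getRequiredActions)` keeps the fallback reachable; this assumes `getRequiredActions` returns an empty list rather than null when the member is unset, which is not visible here. `getPermissionsEntriesForOperation` starts above the hunk, so whether `operationActionName` also honours an `@iamAction` name override cannot be checked from these lines.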
+++ b/smithy-aws-cloudformation/src/test/java/software/amazon/smithy/aws/cloudformation/schema/fromsmithy/mappers/HandlerPermissionMapperTest.java @@ -58,7 +58,7 @@ public void addsHandlerPermissionsByDefault() { containsInAnyOrder("testservice:CreateFooOperation", "otherservice:DescribeDependencyComponent")); assertThat(handlersDefined.get("read").expectObjectNode() .expectArrayMember("permissions").getElementsAs(StringNode::getValue), - contains("testservice:GetFooOperation")); + containsInAnyOrder("testservice:GetFooOperation", "otherservice:DescribeThing")); assertThat(handlersDefined.get("update").expectObjectNode() .expectArrayMember("permissions").getElementsAs(StringNode::getValue), contains("testservice:UpdateFooOperation")); diff --git a/smithy-aws-cloudformation/src/test/resources/software/amazon/smithy/aws/cloudformation/schema/fromsmithy/mappers/simple.smithy b/smithy-aws-cloudformation/src/test/resources/software/amazon/smithy/aws/cloudformation/schema/fromsmithy/mappers/simple.smithy index 115fd0c2e15..edcf04fecc8 100644 --- a/smithy-aws-cloudformation/src/test/resources/software/amazon/smithy/aws/cloudformation/schema/fromsmithy/mappers/simple.smithy +++ b/smithy-aws-cloudformation/src/test/resources/software/amazon/smithy/aws/cloudformation/schema/fromsmithy/mappers/simple.smithy @@ -3,6 +3,7 @@ $version: "2.0" namespace smithy.example use aws.cloudformation#cfnResource +use aws.iam#iamAction service TestService { version: "2020-07-02", @@ -56,6 +57,7 @@ structure CreateFooResponse { } @readonly +@iamAction(requiredActions: ["otherservice:DescribeThing"]) operation GetFooOperation { input: GetFooRequest, output: GetFooResponse,
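Review bot: The updated `read` assertion in `addsHandlerPermissionsByDefault` covers only `@iamAction` with `requiredActions` set; nothing visible in this hunk or in the `simple.smithy` changes exercises an operation that has `@iamAction` without `requiredActions` together with `@requiredActions`, which is the case where the precedence between the two traits matters. A fixture operation carrying both traits, plus an assertion on its handler's `permissions`, would pin that behaviour so that a permission dropped from the generated schema fails the build instead of surfacing at deploy time. The test method and the fixture file continue outside the hunks, so existing coverage elsewhere cannot be ruled out.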