localstack
diff --git a/‎localstack/services/cloudformation/engine/template_deployer.py
Lines changed: 1 addition & 0 deletions b/‎localstack/services/cloudformation/engine/template_deployer.py
Lines changed: 1 addition & 0 deletions
diff --git a/‎localstack/services/cloudformation/models/awslambda.py
Lines changed: 19 additions & 12 deletions b/‎localstack/services/cloudformation/models/awslambda.py
Lines changed: 19 additions & 12 deletions
diff --git a/‎tests/integration/cloudformation/resources/test_lambda.py
Lines changed: 28 additions & 0 deletions b/‎tests/integration/cloudformation/resources/test_lambda.py
Lines changed: 28 additions & 0 deletions
diff --git a/‎tests/integration/cloudformation/resources/test_lambda.snapshot.json
Lines changed: 36 additions & 0 deletions b/‎tests/integration/cloudformation/resources/test_lambda.snapshot.json
Lines changed: 36 additions & 0 deletions
diff --git a/‎tests/integration/templates/cfn_lambda_permission_multiple.yaml
Lines changed: 65 additions & 0 deletions b/‎tests/integration/templates/cfn_lambda_permission_multiple.yaml
Lines changed: 65 additions & 0 deletions
@@ -1161,6 +1161,7 @@ def get_change_config(self, action, resource, change_set_id=None):
 
     def resource_config_differs(self, resource_new):
         """Return whether the given resource properties differ from the existing config (for stack updates)."""
+        # TODO: this is broken for default fields when they're added to the properties in the model
         resource_id = resource_new["LogicalResourceId"]
         resource_old = self.resources[resource_id]
         props_old = resource_old["Properties"]
 
@@ -86,7 +86,7 @@ def add_defaults(resource, stack_name: str):
 
     @staticmethod
     def get_lambda_code_param(params, _include_arch=False, **kwargs):
-        code = params.get("Code", {})
+        code = params.get("Code", {}).copy()
         zip_file = code.get("ZipFile")
         if zip_file and not is_base64(zip_file) and not is_zip_file(to_bytes(zip_file)):
             tmp_dir = new_tmp_dir()
@@ -153,7 +153,6 @@ def result_handler(result, resource_id, resources, resource_type):
                     "VpcConfig": "VpcConfig"
                     # TODO add missing fields
                 },
-                "defaults": {"Role": "test_role"},
                 "types": {"Timeout": int, "MemorySize": int},
                 "result_handler": result_handler,
             },
@@ -243,26 +242,34 @@ def cloudformation_type():
         return "AWS::Lambda::Permission"
 
     def fetch_state(self, stack_name, resources):
+        if not self.physical_resource_id:
+            return None
+
         props = self.props
         func_name = props.get("FunctionName")
         lambda_client = aws_stack.connect_to_service("lambda")
-        return lambda_client.get_policy(FunctionName=func_name)
+        policy = lambda_client.get_policy(FunctionName=func_name)
+        if not policy:
+            return None
 
-    def get_physical_resource_id(self, attribute=None, **kwargs):
-        # return statement ID here to indicate that the resource has been deployed
-        return self.props.get("Sid")
+        loaded_policy = json.loads(policy["Policy"])
+        statements = loaded_policy.get("Statement", [])
+        matched_statements = [s for s in statements if s["Sid"] == self.physical_resource_id]
+        if not matched_statements:
+            return None
+
+        return statements[0]
 
     def update_resource(self, new_resource, stack_name, resources):
         props = new_resource["Properties"]
         parameters_to_select = ["FunctionName", "Action", "Principal", "SourceArn"]
         update_config_props = select_attributes(props, parameters_to_select)
 
         client = aws_stack.connect_to_service("lambda")
-        sid = new_resource["PhysicalResourceId"]
-
-        client.remove_permission(FunctionName=update_config_props["FunctionName"], StatementId=sid)
-
-        return client.add_permission(StatementId=sid, **update_config_props)
+        client.remove_permission(
+            FunctionName=update_config_props["FunctionName"], StatementId=self.physical_resource_id
+        )
+        return client.add_permission(StatementId=self.physical_resource_id, **update_config_props)
 
     @staticmethod
     def get_deploy_templates():
@@ -435,7 +442,7 @@ def get_physical_resource_id(self, attribute=None, **kwargs):
 
     def get_cfn_attribute(self, attribute_name):
         if attribute_name == "CodeSigningConfigId":
-            return self.props()["CodeSigningConfigId"]
+            return self.props["CodeSigningConfigId"]
 
         return self.physical_resource_id
 
 
@@ -338,6 +338,34 @@ def test_update_lambda_permissions(deploy_cfn_template, lambda_client, sts_clien
     assert new_principal in principal
 
 
+@pytest.mark.skip_snapshot_verify(
+    condition=is_old_provider, paths=["$..PolicyArn", "$..PolicyName", "$..RevisionId"]
+)
+@pytest.mark.aws_validated
+def test_multiple_lambda_permissions_for_singlefn(
+    deploy_cfn_template, cfn_client, lambda_client, snapshot
+):
+    deploy = deploy_cfn_template(
+        template_path=os.path.join(
+            os.path.dirname(__file__), "../../templates/cfn_lambda_permission_multiple.yaml"
+        ),
+        max_wait=240,
+    )
+    fn_name = deploy.outputs["LambdaName"]
+    p1_sid = deploy.outputs["PermissionLambda"]
+    p2_sid = deploy.outputs["PermissionStates"]
+
+    snapshot.add_transformer(snapshot.transform.regex(p1_sid, "<p1-sid>"))
+    snapshot.add_transformer(snapshot.transform.regex(p2_sid, "<p2-sid>"))
+    snapshot.add_transformer(snapshot.transform.regex(fn_name, "<fn-name>"))
+    snapshot.add_transformer(SortingTransformer("Statement", lambda s: s["Sid"]))
+
+    policy = lambda_client.get_policy(FunctionName=fn_name)
+    # load the policy json, so we can properly snapshot it
+    policy["Policy"] = json.loads(policy["Policy"])
+    snapshot.match("policy", policy)
+
+
 class TestCfnLambdaIntegrations:
     @pytest.mark.skip_snapshot_verify(
         paths=[
 
@@ -1355,5 +1355,41 @@
         }
       }
     }
+  },
+  "tests/integration/cloudformation/resources/test_lambda.py::test_multiple_lambda_permissions_for_singlefn": {
+    "recorded-date": "09-03-2023, 22:07:56",
+    "recorded-content": {
+      "policy": {
+        "Policy": {
+          "Id": "default",
+          "Statement": [
+            {
+              "Action": "lambda:InvokeFunction",
+              "Effect": "Allow",
+              "Principal": {
+                "Service": "lambda.amazonaws.com"
+              },
+              "Resource": "arn:aws:lambda:<region>:111111111111:function:<fn-name>",
+              "Sid": "<p1-sid>"
+            },
+            {
+              "Action": "lambda:InvokeFunction",
+              "Effect": "Allow",
+              "Principal": {
+                "Service": "states.amazonaws.com"
+              },
+              "Resource": "arn:aws:lambda:<region>:111111111111:function:<fn-name>",
+              "Sid": "<p2-sid>"
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "RevisionId": "<uuid:1>",
+        "ResponseMetadata": {
+          "HTTPHeaders": {},
+          "HTTPStatusCode": 200
+        }
+      }
+    }
   }
 }
@@ -0,0 +1,65 @@
+Resources:
+  FunctionServiceRole675BB04A:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action: sts:AssumeRole
+            Effect: Allow
+            Principal:
+              Service: lambda.amazonaws.com
+        Version: "2012-10-17"
+      ManagedPolicyArns:
+        - Fn::Join:
+            - ""
+            - - "arn:"
+              - Ref: AWS::Partition
+              - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+  Function76856677:
+    Type: AWS::Lambda::Function
+    Properties:
+      Code:
+        ZipFile: |
+          def handler(event, context):
+              return {"hello": "world"}
+      Role:
+        Fn::GetAtt:
+          - FunctionServiceRole675BB04A
+          - Arn
+      Handler: index.handler
+      Runtime: python3.9
+    DependsOn:
+      - FunctionServiceRole675BB04A
+  FunctionInvoketnlpEgfIKpZyEIAINyVhXFSIfV5EJ7IaMp0cNGOcC4227DF5:
+    Type: AWS::Lambda::Permission
+    Properties:
+      Action: lambda:InvokeFunction
+      FunctionName:
+        Fn::GetAtt:
+          - Function76856677
+          - Arn
+      Principal: states.amazonaws.com
+  FunctionInvokearOgSVH4Ts0qbAOHNp0VMi6g5gzMbVQFH2pumFohAQA578E6CA:
+    Type: AWS::Lambda::Permission
+    Properties:
+      Action: lambda:InvokeFunction
+      FunctionName:
+        Fn::GetAtt:
+          - Function76856677
+          - Arn
+      Principal: lambda.amazonaws.com
+Outputs:
+  LambdaName:
+    Value:
+      Ref: Function76856677
+  LambdaArn:
+    Value:
+      Fn::GetAtt:
+        - Function76856677
+        - Arn
+  PermissionLambda:
+    Value:
+      Ref: FunctionInvokearOgSVH4Ts0qbAOHNp0VMi6g5gzMbVQFH2pumFohAQA578E6CA
+  PermissionStates:
+    Value:
+      Ref: FunctionInvoketnlpEgfIKpZyEIAINyVhXFSIfV5EJ7IaMp0cNGOcC4227DF5