Generated PolicyDocument doesn't include Version.

[garretwilson]

Let's say I indicate a policy for my AWS::Serverless::Function like this:

      …
      Policies:
        - EventBridgePutEventsPolicy:
            EventBusName: FooBus

SAM will generate a policy that looks like this:

        …
        "Policies": [
          {
            "PolicyName": "FooFunctionRolePolicy0",
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": "events:PutEvents",
                  …

Note that no Version is specified in the PolicyDocument. According to the Version documentation for IAM JSON policy elements:

… you should always include a Version element and set it to 2012-10-17 …

Thus the generated policy isn't following AWS' own recommendations.

[garretwilson]

Note that I haven't actually verified the uploaded template—rather I was looking at the CloudFormation stack in the console with "View processed template" enabled, which I believe should be equivalent. I see that the AssumeRolePolicyDocument section does have a version, but not the PolicyDocument.

[hawflau]

Moving to aws/serverless-application-model as this is related to the transform.

[aaythapa]

Thanks for the submitting this issue! You're right in that our policy documents don't include the Version key. We're discussing internally if this was an oversight or if there was a reason we didn't add it in the first place. Also, whether its worth adding it now (as it may cause compatibility errors and we haven't had any reported issues with it so far). Thanks again for the catch.