Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: "sts:AssumeRole"
      Path: "/"
      Policies:
        - PolicyName:
            Fn::Sub: ${AWS::StackName}-WidgetPutLambdaPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "dynamodb:UpdateItem"
                  - "dynamodb:PutItem"
                Resource:
                  - !Sub ${WidgetDdbTable.Arn}
              - Effect: Allow
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource:
                  - !Sub "arn:${AWS::Partition}:logs:*:*:*"
              - Effect: Allow
                Action:
                  - "xray:PutTraceSegments"
                  - "xray:PutTelemetryRecords"
                  - "xray:GetSamplingRules"
                  - "xray:GetSamplingTargets"
                  - "xray:GetSamplingStatisticSummaries"
                Resource:
                  - !Sub "arn:${AWS::Partition}:xray:*:*:*"