Parameters:
  SomeManagedPolicyArn:
    Type: String
    Default: arn:aws:iam::aws:policy/OtherPolicy
Resources:
  Function:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: s3://sam-demo-bucket/hello.zip
      Handler: hello.handler
      Runtime: python2.7
      Policies:
      - Statement:
        - Action: [dynamodb:*]
          Effect: Allow
          Resource: '*'
      - AmazonDynamoDBFullAccess
        # Duplicate Policies should get de-duped
      - AmazonDynamoDBFullAccess
      - AWSLambdaBasicExecutionRole

      - AWSLambdaRole

        # Intrinsic functions & custom policy ARNs must be supported
      - {Ref: SomeManagedPolicyArn}
      - arn:aws:iam::123456789012:policy/CustomerCreatedManagedPolicy