Conditionally create IAM role statement

For our application, we have a Kinesis stream that is only supposed to exist in one environment. Then we have an IAM role to allow Lambda to access the stream.

Since the stream will not exist in other environments, is it possible to conditionally create the Kinesis statement? Or should I just use some dummy value for the ARN?

I have tried specifying a Condition for the statement (with the definition under resources.Conditions) but this is returning a syntax error.

I managed to do this by moving the statement to a separate managed policy, and applying the Condition to that.
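The managed-policy approach in serverless.yml, written out as an added example (not the original poster's config); the stream name `MyStream`, the condition name `HasKinesisStream` and the target stages are assumptions, and `IamRoleLambdaExecution` is the default role the Serverless Framework generates for functions:

```yaml
resources:
  Conditions:
    # Assumed: the stream, and the policy granting access to it, exist only in prod.
    HasKinesisStream:
      Fn::Equals: ["${self:provider.stage}", "prod"]
  Resources:
    MyStream:
      Type: AWS::Kinesis::Stream
      Condition: HasKinesisStream
      Properties:
        ShardCount: 1
    # The statement lives in its own managed policy so the whole policy can be
    # conditional; statements inside the generated Lambda role cannot be.
    KinesisReadPolicy:
      Type: AWS::IAM::ManagedPolicy
      Condition: HasKinesisStream  # same condition as the stream, so GetAtt below never dangles
      Properties:
        Roles:
          - Ref: IamRoleLambdaExecution  # Ref on an AWS::IAM::Role yields the role name
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              # Read-only actions an event-source consumer needs; no wildcard
              Action:
                - kinesis:DescribeStream
                - kinesis:GetRecords
                - kinesis:GetShardIterator
                - kinesis:ListStreams
              # Scoped to this one stream rather than "*"
              Resource:
                Fn::GetAtt: [MyStream, Arn]
```

In stages where the condition is false neither the stream nor the policy is created, so the role keeps only the permissions it actually needs there and no placeholder ARN has to be invented.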

In case you need another approach, here’s what I did.

resources:
  Conditions:
    IsEventSourceMappingEnabled:
      Fn::Or: # the event source will only exist in the stages defined here.
        - Fn::Equals: ["${self:provider.stage}", "dev2"]
        - Fn::Equals: ["${self:provider.stage}", "prod"]
  Resources:
    MyEventSourceMapping:
      DependsOn:
        - MyTable
      Type: AWS::Lambda::EventSourceMapping
      Condition: IsEventSourceMappingEnabled # reference the above condition to limit which stages the event source is created in
      Properties:
        BatchSize: 10
        EventSourceArn:
          Fn::GetAtt: [MyTable, StreamArn]
        FunctionName:
          Ref: MyHandlerLambdaFunction
        StartingPosition: TRIM_HORIZON
        Enabled: true

This would only create the EventSourceMapping in prod and dev2 stages.