(gen2-migration) `lock` command shows unexpected drift for s3 storage triggers

[iliapolo]

How did you install the Amplify CLI?

npm install @aws-amplify/cli-internal-gen2-migration-experimental-alpha

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

0.4.0

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No

Describe the bug

When running npx amplify gen2-migration lock I get the following drift:

DETAILED CHANGES:
└── DRIFTED: AWS::IAM::Role LambdaExecutionRole → Function → functionS3Triggerff4b207c
    └── PROPERTY: /Policies/1
        ├── [+] {"PolicyDocument":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"s3:ListBucket\",\"Resource\":\"arn:aws:s3:::storagebucket-main\"},{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\",\"s3:GetObject\",\"s3:ListBucket\",\"s3:DeleteObject\"],\"Resource\":\"arn:aws:s3:::storagebucket-main/*\"}]}","PolicyName":"amplify-lambda-execution-policy-storage"}
        └── [-] null

Expected behavior

No drift detected. I didn't perform any changes after the last amplify push.

Reproduction steps

Follow the gen2-migration guide of product-catalog app.

Workaround right now is to run the lock without validations.

npx amplify gen2-migration lock --skip-validations

Project Identifier

No response

Log output

Details

# Put your logs below this line

Additional information

No response

Before submitting, please confirm:

• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
• I have removed any sensitive information from my code snippets and submission.

[iankhou]

Pending more research. This policy is added here:

https://github.com/aws-amplify/amplify-cli/blob/dev/packages/amplify-category-storage/src/provider-utils/awscloudformation/cdk-stack-builder/s3-stack-builder.ts#L245