Policy AWSLambdaExecute removed from existing roles when using terraform

[jocotton-ea]

AWS provider resource aws_iam_policy_attachment creates an exclusive relationship between the policy and roles defined. As this is almost never what you want, it is suggested to use aws_iam_role_policy_attachment to create an attachment between one policy and one role.

In context here, the policy AWSLambdaExecute policy is being attached to a set of roles created in the terraform module

resource "aws_iam_policy_attachment" "execute-attach" {
  name       = "execute-attachment"
  roles      = [aws_iam_role.analyzer_role.name, aws_iam_role.optimizer_role.name, aws_iam_role.executor_role.name, aws_iam_role.cleaner_role.name, aws_iam_role.initializer_role.name]
  policy_arn = data.aws_iam_policy.analyzer_policy.arn
}

Upon creating this resource, all roles that currently have policy AWSLambdaExecute attached will have that policy detached, resulting in resources that previously had permission to execute lambda functions no longer having that permission.

See https://registry.terraform.io/providers/hashicorp/aws/2.70.1/docs/resources/iam_policy_attachment

[alexcasalboni]

@jocotton-ea thanks for sharing!

We're in the process or moving all the Terraform definitions to this external module (already on the Terraform Registry): https://registry.terraform.io/modules/aws-ia/lambda-power-tuning/aws/latest

So I'd suggest opening the same issue on this repository: https://github.com/aws-ia/terraform-aws-lambda-power-tuning

FYI @sfloresk