Skip to content

Policy AWSLambdaExecute removed from existing roles when using terraform #259

Open
@jocotton-ea

Description

@jocotton-ea

AWS provider resource aws_iam_policy_attachment creates an exclusive relationship between the policy and roles defined. As this is almost never what you want, it is suggested to use aws_iam_role_policy_attachment to create an attachment between one policy and one role.

In context here, the policy AWSLambdaExecute policy is being attached to a set of roles created in the terraform module

resource "aws_iam_policy_attachment" "execute-attach" {
  name       = "execute-attachment"
  roles      = [aws_iam_role.analyzer_role.name, aws_iam_role.optimizer_role.name, aws_iam_role.executor_role.name, aws_iam_role.cleaner_role.name, aws_iam_role.initializer_role.name]
  policy_arn = data.aws_iam_policy.analyzer_policy.arn
}

Upon creating this resource, all roles that currently have policy AWSLambdaExecute attached will have that policy detached, resulting in resources that previously had permission to execute lambda functions no longer having that permission.

See https://registry.terraform.io/providers/hashicorp/aws/2.70.1/docs/resources/iam_policy_attachment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions