Open
Description
AWS provider resource aws_iam_policy_attachment
creates an exclusive relationship between the policy and roles defined. As this is almost never what you want, it is suggested to use aws_iam_role_policy_attachment
to create an attachment between one policy and one role.
In context here, the policy AWSLambdaExecute
policy is being attached to a set of roles created in the terraform module
resource "aws_iam_policy_attachment" "execute-attach" {
name = "execute-attachment"
roles = [aws_iam_role.analyzer_role.name, aws_iam_role.optimizer_role.name, aws_iam_role.executor_role.name, aws_iam_role.cleaner_role.name, aws_iam_role.initializer_role.name]
policy_arn = data.aws_iam_policy.analyzer_policy.arn
}
Upon creating this resource, all roles that currently have policy AWSLambdaExecute
attached will have that policy detached, resulting in resources that previously had permission to execute lambda functions no longer having that permission.
See https://registry.terraform.io/providers/hashicorp/aws/2.70.1/docs/resources/iam_policy_attachment
Metadata
Metadata
Assignees
Labels
No labels