
curved-pharmacist-41509

05/31/2021, 3:15 AM
Or should I do something like this:
```typescript
const role = new Role('role')
const policy = new Policy('policy', {})
const rpa = new RolePolicyAttachment('rpa', { role, policy })
const myLambda = new Lambda('lambda', { executionRole: role }, { dependsOn: [rpa] })
```

little-cartoon-10569

05/31/2021, 3:18 AM
You'll need to do this.

curved-pharmacist-41509

05/31/2021, 3:19 AM
Great, thanks for confirming
👍 1
It would be awesome to have an implicit dependency here. It prevents a component resource creating the execution role, then attaching additional resource policies to that execution policy outside of the component resource.

little-cartoon-10569

05/31/2021, 3:23 AM
Yes, though the explicit dependency is good for self-documentation purposes. And would there be cases where Pulumi would guess incorrectly? For example, if there were multiple RolePolicyAttachments and only one was relevant to the lambda?

curved-pharmacist-41509

05/31/2021, 3:54 AM
Possible. Thoughts on this pattern?
```typescript
const executionRole = new LambdaExecutionRole()

new Lambda('', { role: executionRole.role }, { dependsOn: [executionRole] })

executionRole.attachPolicy(...)
```
This would create a role policy attachment with a parent of the LambdaExecutionRole, allowing role policy attachments to be added after the lambda has been `new`ed up, but also creating a dependency between the RPAs and the lambda?