Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
n
narrow-cpu-35517
01/23/2023, 11:26 PMHI @echoing-match-29901 I am using below code to attach policy to role, but intermittently, the AWS sqs role is skipped in the attachment, Am i missing something?
new aws.iam.RolePolicyAttachment("awsLambdaExecutePolicyAttachment", {
role: plaidHandlerRole,
policyArn: aws.iam.ManagedPolicies.AWSLambdaExecute
});
new aws.iam.RolePolicyAttachment("plaidSqsRolePolicyAttachment", {
role: plaidHandlerRole,
policyArn: aws.iam.ManagedPolicies.AmazonSQSFullAccess
});
new aws.iam.RolePolicyAttachment("plaidCloudwatchRolePolicyAttachment", {
role: plaidHandlerRole,
policyArn: aws.iam.ManagedPolicies.CloudWatchFullAccess
});l
little-cartoon-10569
01/23/2023, 11:52 PMAre you using inline policies and/or managed policies? This happens when you're using attachments with either managed policies or inline ones.
n
narrow-cpu-35517
01/24/2023, 11:54 PMconst plaidHandlerRole = new aws.iam.Role("plaid-lambda-hanlder-role", {
name: "plaid-lambda-hanlder-role",
assumeRolePolicy: lambdaStsAssumeRolePolicy
});
const plaidSqsRolePolicyAttachment = new aws.iam.RolePolicyAttachment("plaidSqsRolePolicyAttachment", {
role: plaidHandlerRole,
policyArn: aws.iam.ManagedPolicies.AmazonSQSFullAccess
});
const plaidCloudwatchRolePolicyAttachment = new aws.iam.RolePolicyAttachment("plaidCloudwatchRolePolicyAttachment", {
role: plaidHandlerRole,
policyArn: aws.iam.ManagedPolicies.CloudWatchFullAccess
});
const awsLambdaExecutePolicyAttachment = new aws.iam.RolePolicyAttachment("awsLambdaExecutePolicyAttachment", {
role: plaidHandlerRole,
policyArn: aws.iam.ManagedPolicies.AWSLambdaExecute
});This is the entire set of role and policy for my lambda and the trust policy is created as below:
const lambdaStsAssumeRolePolicy: pulumi.Input<string | aws.iam.PolicyDocument> = {
Version: "2012-10-17",
Statement: [
{
Action: "sts:AssumeRole",
Principal: {
Service: "<http://lambda.amazonaws.com|lambda.amazonaws.com>"
},
Effect: "Allow",
Sid: ""
}
]
};surprisingly, when I have changed the order of the role policy attachment (sqs, cloudwatch, lambdaexecute) from (lambdaexecute, cloudwatch, sqs), I haven't faced this issue again, (ran pulumi up 3 time since then)
l
little-cartoon-10569
01/24/2023, 11:57 PMI can't see anything wrong with that. Is it possible that someone else with different code is pushing to the same stack? If you check app.pulumi.com, can you see anything suspicious in the stack Activity history?
n
narrow-cpu-35517
01/25/2023, 12:25 AMnope, absolutely nothing additional thing touches this section in the stack 😞