No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Are you using inline policies and/or managed policies? This happens when you're using attachments with either managed policies or inline ones.

```const plaidHandlerRole = new aws.iam.Role("plaid-lambda-hanlder-role", {
    name: "plaid-lambda-hanlder-role",
    assumeRolePolicy: lambdaStsAssumeRolePolicy
  });

  const plaidSqsRolePolicyAttachment = new aws.iam.RolePolicyAttachment("plaidSqsRolePolicyAttachment", {
    role: plaidHandlerRole,
    policyArn: aws.iam.ManagedPolicies.AmazonSQSFullAccess
  });

  const plaidCloudwatchRolePolicyAttachment = new aws.iam.RolePolicyAttachment("plaidCloudwatchRolePolicyAttachment", {
    role: plaidHandlerRole,
    policyArn: aws.iam.ManagedPolicies.CloudWatchFullAccess
  });

  const awsLambdaExecutePolicyAttachment = new aws.iam.RolePolicyAttachment("awsLambdaExecutePolicyAttachment", {
    role: plaidHandlerRole,
    policyArn: aws.iam.ManagedPolicies.AWSLambdaExecute
  });```

This is the entire set of role and policy for my lambda and the trust policy is created as below:
```const lambdaStsAssumeRolePolicy: pulumi.Input&lt;string | aws.iam.PolicyDocument&gt; = {
    Version: "2012-10-17",
    Statement: [
      {
        Action: "sts:AssumeRole",
        Principal: {
          Service: "<http://lambda.amazonaws.com|lambda.amazonaws.com>"
        },
        Effect: "Allow",
        Sid: ""
      }
    ]
  };```

surprisingly, when I have changed the order of the role policy attachment (sqs, cloudwatch, lambdaexecute) from (lambdaexecute, cloudwatch, sqs), I haven't faced this issue again, (ran pulumi up 3 time since then)

I can't see anything wrong with that. Is it possible that someone else with different code is pushing to the same stack? If you check <http://app.pulumi.com|app.pulumi.com>, can you see anything suspicious in the stack Activity history?

nope, absolutely nothing additional thing touches this section in the stack :disappointed: