
narrow-cpu-35517

01/23/2023, 11:26 PM
Hi @echoing-match-29901, I am using the code below to attach policies to a role, but intermittently the AWS SQS role is skipped in the attachment. Am I missing something?
import * as aws from "@pulumi/aws";

// Three AWS managed policies attached to the same role
// (plaidHandlerRole is defined elsewhere in the program).
new aws.iam.RolePolicyAttachment("awsLambdaExecutePolicyAttachment", {
  role: plaidHandlerRole,
  policyArn: aws.iam.ManagedPolicies.AWSLambdaExecute,
});

new aws.iam.RolePolicyAttachment("plaidSqsRolePolicyAttachment", {
  role: plaidHandlerRole,
  policyArn: aws.iam.ManagedPolicies.AmazonSQSFullAccess,
});

new aws.iam.RolePolicyAttachment("plaidCloudwatchRolePolicyAttachment", {
  role: plaidHandlerRole,
  policyArn: aws.iam.ManagedPolicies.CloudWatchFullAccess,
});

little-cartoon-10569

01/23/2023, 11:52 PM
Are you using inline policies and/or managed policies? This happens when you're using attachments with either managed policies or inline ones.

narrow-cpu-35517

01/24/2023, 11:54 PM
import * as aws from "@pulumi/aws";

// Execution role for the Lambda; lambdaStsAssumeRolePolicy (the trust
// policy) is defined below.
const plaidHandlerRole = new aws.iam.Role("plaid-lambda-hanlder-role", {
  name: "plaid-lambda-hanlder-role",
  assumeRolePolicy: lambdaStsAssumeRolePolicy,
});

// Managed-policy attachments, now ordered sqs, cloudwatch, lambdaexecute.
const plaidSqsRolePolicyAttachment = new aws.iam.RolePolicyAttachment("plaidSqsRolePolicyAttachment", {
  role: plaidHandlerRole,
  policyArn: aws.iam.ManagedPolicies.AmazonSQSFullAccess,
});

const plaidCloudwatchRolePolicyAttachment = new aws.iam.RolePolicyAttachment("plaidCloudwatchRolePolicyAttachment", {
  role: plaidHandlerRole,
  policyArn: aws.iam.ManagedPolicies.CloudWatchFullAccess,
});

const awsLambdaExecutePolicyAttachment = new aws.iam.RolePolicyAttachment("awsLambdaExecutePolicyAttachment", {
  role: plaidHandlerRole,
  policyArn: aws.iam.ManagedPolicies.AWSLambdaExecute,
});
This is the entire set of role and policy for my lambda and the trust policy is created as below:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Trust policy: only the Lambda service principal may assume the role.
const lambdaStsAssumeRolePolicy: pulumi.Input<string | aws.iam.PolicyDocument> = {
  Version: "2012-10-17",
  Statement: [
    {
      Action: "sts:AssumeRole",
      Principal: {
        Service: "lambda.amazonaws.com",
      },
      Effect: "Allow",
      Sid: "",
    },
  ],
};
Surprisingly, since I changed the order of the role policy attachments to (sqs, cloudwatch, lambdaexecute) from (lambdaexecute, cloudwatch, sqs), I haven't faced this issue again (I have run pulumi up 3 times since then).

little-cartoon-10569

01/24/2023, 11:57 PM
I can't see anything wrong with that. Is it possible that someone else with different code is pushing to the same stack? If you check app.pulumi.com, can you see anything suspicious in the stack Activity history?

narrow-cpu-35517

01/25/2023, 12:25 AM
Nope, absolutely nothing additional touches this section in the stack 😞