search

alexcasalboni / aws-lambda-power-tuning

AWS Lambda Power Tuning is an open-source tool that can help you visualize and fine-tune the memory/power configuration of Lambda functions. It runs in your own AWS account - powered by AWS Step Functions - and it supports three optimization strategies: cost, speed, and balanced.
Apache License 2.0
5.5k stars 379 forks source link

Policy AWSLambdaExecute removed from existing roles when using terraform #259

Open jocotton-ea opened 1 month ago

jocotton-ea commented 1 month ago

AWS provider resource aws_iam_policy_attachment creates an exclusive relationship between the policy and roles defined. As this is almost never what you want, it is suggested to use aws_iam_role_policy_attachment to create an attachment between one policy and one role.

In context here, the policy AWSLambdaExecute policy is being attached to a set of roles created in the terraform module 

resource "aws_iam_policy_attachment" "execute-attach" {
  name       = "execute-attachment"
  roles      = [aws_iam_role.analyzer_role.name, aws_iam_role.optimizer_role.name, aws_iam_role.executor_role.name, aws_iam_role.cleaner_role.name, aws_iam_role.initializer_role.name]
  policy_arn = data.aws_iam_policy.analyzer_policy.arn
}

Upon creating this resource, all roles that currently have policy AWSLambdaExecute attached will have that policy detached, resulting in resources that previously had permission to execute lambda functions no longer having that permission.

See https://registry.terraform.io/providers/hashicorp/aws/2.70.1/docs/resources/iam_policy_attachment

alexcasalboni commented 1 month ago

@jocotton-ea thanks for sharing!

We're in the process or moving all the Terraform definitions to this external module (already on the Terraform Registry): https://registry.terraform.io/modules/aws-ia/lambda-power-tuning/aws/latest

So I'd suggest opening the same issue on this repository: https://github.com/aws-ia/terraform-aws-lambda-power-tuning

FYI @sfloresk