RDS bootstrap role issue (logical Id: RDSBootstrapDatabase)

[rnlduaeo]

when using bootstrap.sql file, I encountered below issue when tenant-onboarding-app.yaml is being executed.

• Resource handler returned message: "User: arn:aws:sts::249837930831:assumed-role/sb-dev-onboarding-svc-role-ap-northeast-2/sb-dev-onboarding-events is not authorized to perform: lambda:TagResource on resource: arn:aws:lambda:ap-northeast-2:249837930831:function:sb-dev-rds-bootstrap-tenant-2fdf5e76 because no identity-based policy allows the lambda:TagResource action (Service: Lambda, Status Code: 403, Request ID: 3f1fdf83-984a-493f-9762-d7b44101d13e)" (RequestToken: c09e52b7-6812-25ed-d7d3-13efeeff5ce1, HandlerErrorCode: AccessDenied)

• Action: add lambda:TagResource permission in OnboardingServiceDatabaseProvisionPolicy

• Effect: Allow Action:

  • lambda:GetFunction
  • lambda:CreateFunction
  • lambda:InvokeFunction
  • lambda:DeleteFunction - lambda:TagResource Resource:
  • !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:sb-${Environment}-rds-bootstrap-tenant-*

Reproduction Steps

What did you expect to happen?

What actually happened?

Environment

• AWS Region :
• AWS SaaS Boost Version :
• Workload OS (Linux or Windows) :

Other

---

This is :bug: Bug Report

[PoeppingT]

Hi @rnlduaeo , thanks for the bug report! It looks like this issue is still present in main. We will get to fixing this when we can, but the best way to ensure a quick resolution is to open a PR with the required changes.