pulumi / pulumi-aws-native

AWS Native Provider for Pulumi
Apache License 2.0

Lambda Principal role cannot be attached to lambda #125

Open pierskarsenbarg opened 3 years ago

pierskarsenbarg commented 3 years ago

Creating a "native" lambda with a "classic" IAM role is failing with the following error:

operation CREATE failed with "InvalidRequest": The role defined for the function cannot be assumed by Lambda. (Service: Lambda, Status Code: 400, Request ID: 73c1fbab-3e41-471c-b4ce-fa57a4ab8c5c, Extended Request ID: null)

Steps to reproduce

import * as aws from "@pulumi/aws";
import * as awsnative from "@pulumipreview/aws-native";

const lambdaRole = new aws.iam.Role("classicLambdaRole", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "lambda.amazonaws.com" })
});

const lambdaRoleAttachment = new aws.iam.RolePolicyAttachment("lambdaRoleAttachment", {
    role: lambdaRole,
    policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole,
});

const nativeLambdaFunction = new awsnative.lambda.Function("nativelambdaFunction", {
    code: {
        zipFile: "./app.zip",
    },
    runtime: "nodejs12.x",
    role: lambdaRole.arn,
    handler: "index.handler",
});

Expected: Lambda would be deployed

Actual: Getting error message as above

lblackstone commented 3 years ago

I tested this and noticed that it works if I run the update twice. I get the same error on the first update, so I'm guessing the RolePolicyAttachment isn't completing before the lambda function creation step.

I tried setting dependsOn, but am still seeing the same error.

jkodroff commented 2 years ago

I'm seeing the same. It looks like an intermittent failure because pulumi destroy -y && pulumi up -y works.
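
Lambda returns the error quoted in this issue when it cannot assume the function's role, and the thread reports the failure as intermittent. The TypeScript check below is an added example, not code from the issue or from Pulumi: it evaluates a trust policy document for the lambda.amazonaws.com service principal, so a misconfigured trust policy can be ruled out before looking at timing. The type names, lambdaCanAssume and the sample policy are assumptions made for illustration.

```typescript
// Added example (not from the issue). Every policy in this block is a constructed sample.
type OneOrMany = string | string[];
interface TrustStatement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action?: OneOrMany;
  Principal?: "*" | { Service?: OneOrMany; AWS?: OneOrMany };
  Condition?: Record<string, unknown>;
}
interface TrustPolicy { Version?: string; Statement: TrustStatement | TrustStatement[] }
type Verdict = "allowed" | "conditional" | "denied" | "missing";

const LAMBDA_PRINCIPAL = "lambda.amazonaws.com";
const toList = (v?: OneOrMany): string[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action names are case-insensitive. Partial wildcards such as "sts:Assume*" are not handled.
function coversAssumeRole(action?: OneOrMany): boolean {
  return toList(action).some((a) => /^(sts:assumerole|sts:\*|\*)$/i.test(a));
}

// Conservative: only an explicit Service principal counts; a bare "*" is not treated as a match.
function namesLambda(p: TrustStatement["Principal"]): boolean {
  return !!p && typeof p === "object" && toList(p.Service).indexOf(LAMBDA_PRINCIPAL) !== -1;
}

// Accepts the policy as an object or as the JSON string stored on the role.
function lambdaCanAssume(policy: TrustPolicy | string): Verdict {
  const doc: TrustPolicy = typeof policy === "string" ? JSON.parse(policy) : policy;
  const hits = ([] as TrustStatement[]).concat(doc.Statement)
    .filter((s) => namesLambda(s.Principal) && coversAssumeRole(s.Action));
  const conditional = (s: TrustStatement) => Object.keys(s.Condition ?? {}).length > 0;
  if (hits.some((s) => s.Effect === "Deny" && !conditional(s))) return "denied";
  const allows = hits.filter((s) => s.Effect === "Allow");
  if (allows.length === 0) return "missing";
  const gated = hits.some((s) => s.Effect === "Deny") || allows.every(conditional);
  return gated ? "conditional" : "allowed";
}

// Constructed sample: a trust policy that names the Lambda service principal.
const sampleTrustPolicy: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { Service: LAMBDA_PRINCIPAL }, Action: "sts:AssumeRole" }],
};
console.log(lambdaCanAssume(sampleTrustPolicy));
```

A result of "allowed" means the trust policy itself is not the reason for the error; "conditional" means the outcome depends on condition keys this check does not evaluate.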