It happens that, if a policy statement in "IamLambdaRoleExecution" that references an external resource is removed, the statement will actually not be removed.
This causes no runtime failures, but should be handled correcty, i.e. the policy statement should be removed afterwards.
A better solution to handle policies and aliases than the current one is, that the plugin should create one role per alias and set the lambda role for the aliased function versions correctly.
This has the advantage that each user can deploy completely different access policies per alias.
It happens that, if a policy statement in "IamLambdaRoleExecution" that references an external resource is removed, the statement will actually not be removed.
This causes no runtime failures, but should be handled correcty, i.e. the policy statement should be removed afterwards.
A better solution to handle policies and aliases than the current one is, that the plugin should create one role per alias and set the lambda role for the aliased function versions correctly. This has the advantage that each user can deploy completely different access policies per alias.