sst / ion

❍ — a new engine for SST
https://ion.sst.dev
MIT License

Function role policy attachment works only sometimes? #467

Open thelegendtubaguy opened 1 month ago

thelegendtubaguy commented 1 month ago

I have a function that I have defined like so:

```ts
// sst.config.ts (SST Ion)
const myFunction = new sst.aws.Function('MyFunction', {
    environment: {
        ...
    },
    handler: './apps/functions/src/MyFunction.handler',
    memory: '128 MB',
    timeout: '1 minute',
    live: false,
})
```

I have a policy document and policy defined like so:

```ts
// Policy document allowing SSM reads and PutParameter on any parameter
const ssmReadPutPolicyDocument = aws.iam.getPolicyDocument({
    statements: [
        {
            actions: ['ssm:Get*', 'ssm:PutParameter'],
            resources: ['*'],
        },
    ],
})

// Managed policy built from that document; getPolicyDocument returns a Promise,
// which Pulumi accepts as an Input for the `policy` property
const ssmReadPutPolicy = new aws.iam.Policy('SSMReadPutPolicy', {
    name: `${$app.name}-${$app.stage}-ssm-readput`,
    policy: ssmReadPutPolicyDocument.then((ssmReadPutPolicyDocument) => ssmReadPutPolicyDocument.json),
})
```

I'm trying to attach this policy to the function's role like so:

```ts
// Attach the managed policy to the role SST created for the function
new aws.iam.RolePolicyAttachment('SSMReadPutPolicyAttachment', {
    role: myFunction.nodes.role,
    policyArn: ssmReadPutPolicy.arn,
})
```

This seems to only apply the attachment if I delete the attachment from my code, then re-add it while SST is running. If I edit the code to add a new function and a new attachment for the function's role, it will not do it. It also seems to be randomly removing it, but I can't pinpoint what I'm doing to cause that. I'm not randomly adding/removing the attachment from my code, so I'm not sure what I'm doing wrong here.

thelegendtubaguy commented 1 week ago

This is also happening if I define the permissions directly on the function resource like:

```ts
// inside the sst.aws.Function args shown above
    permissions: [
        {
            actions: ['ssm:Get*', 'ssm:PutParameter'],
            resources: ['*'],
        },
    ],
```

I had a function that I forgot to add these permissions to, and got an auth error about not being able to talk to SSM. I added those lines. The function worked. Then, some time later, without further touching the code, SST removed those permissions from the Lambda's role.
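When a role's permissions appear and disappear between deploys, the quickest way to confirm what the function can actually do is to evaluate the role's current policy documents against the actions it needs, rather than reading the deploy log. The checker below is an added example for this thread, not code from sst/ion or from the reporter: it implements IAM's evaluation order for identity policies (an explicit Deny in any matching statement wins; otherwise some Allow must match both the action and the resource, with IAM's `*`/`?` wildcards and case-insensitive action names), and reports which required actions are not granted. The two policy documents, the account ID and the parameter ARN are constructed for the example; in practice you would feed it the JSON returned by `aws iam list-attached-role-policies`, `aws iam get-policy-version` and `aws iam get-role-policy` for the function's role. `NotResource` and condition keys are not handled.

```typescript
// Added example (not from the sst/ion issue or project): offline check of
// whether a role's policy documents grant the actions a function needs.

type Statement = {
  Effect: "Allow" | "Deny";
  Action?: string | string[];
  NotAction?: string | string[];
  Resource?: string | string[];
};

type PolicyDocument = { Version?: string; Statement: Statement | Statement[] };

type Verdict = "allow" | "deny" | "implicit-deny";

// IAM allows a single value or a list in these fields; normalise to a list.
function asList<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// IAM wildcard matching: `*` matches any run of characters, `?` exactly one.
// Action names are matched case-insensitively, ARNs case-sensitively.
function iamMatch(pattern: string, value: string, caseInsensitive: boolean): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters, keep * and ?
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, caseInsensitive ? "i" : "").test(value);
}

// A statement applies when its action clause (Action or NotAction) and its
// Resource clause both cover the request.
function statementMatches(s: Statement, action: string, resource: string): boolean {
  const actionHit =
    s.NotAction !== undefined
      ? !asList(s.NotAction).some((p) => iamMatch(p, action, true))
      : asList(s.Action).some((p) => iamMatch(p, action, true));
  const resourceHit = asList(s.Resource).some((p) => iamMatch(p, resource, false));
  return actionHit && resourceHit;
}

// Evaluate one (action, resource) pair across every document attached to the
// role. Explicit Deny wins over any Allow; no matching Allow is an implicit deny.
function evaluate(docs: PolicyDocument[], action: string, resource: string): Verdict {
  let allowed = false;
  for (const doc of docs) {
    for (const s of asList(doc.Statement)) {
      if (!statementMatches(s, action, resource)) continue;
      if (s.Effect === "Deny") return "deny";
      allowed = true;
    }
  }
  return allowed ? "allow" : "implicit-deny";
}

// List the required permissions the role does not currently grant.
function missingPermissions(
  docs: PolicyDocument[],
  required: { action: string; resource: string }[],
): string[] {
  return required
    .filter((r) => evaluate(docs, r.action, r.resource) !== "allow")
    .map((r) => `${r.action} on ${r.resource}`);
}

// Constructed sample data: a typical Lambda role's CloudWatch Logs statement,
// plus the SSM policy from the issue. Account ID and ARN are made up.
const logsPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"], Resource: "*" },
  ],
};
const ssmReadPutPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["ssm:Get*", "ssm:PutParameter"], Resource: "*" }],
};
const paramArn = "arn:aws:ssm:us-east-1:123456789012:parameter/my-app/prod/db-url";
const required = [
  { action: "ssm:GetParameter", resource: paramArn },
  { action: "ssm:PutParameter", resource: paramArn },
];

// With the attachment present nothing is missing; after the drift the reporter
// describes (SSM policy gone, logs policy still there) both actions are missing.
const withAttachment = missingPermissions([logsPolicy, ssmReadPutPolicy], required);
const afterDrift = missingPermissions([logsPolicy], required);
console.log("with attachment, missing:", withAttachment);
console.log("after drift, missing:", afterDrift);
```

Running this against the real role after each deploy (and again later, when the reporter says the permissions vanished) turns "it worked, then it stopped" into a concrete list of which statements are present, which is what a maintainer would need alongside the `sst` output to trace where the attachment is being dropped.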