Build own policy instead of using AWSLambdaBasicExecutionRole

[sjauld]

Terraform is pretty greedy with role attachments, so we should just create a standalone policy to avoid issues elsewhere.

[jufemaiz]

The problem is aws_iam_policy_attachment not aws_iam_role_policy_attachment

Had that fun today!

[sjauld]

Ooh double issue. Possibly my internet fail

[sjauld]

Also, I don't trust aws_iam_role_policy_attachment

[jufemaiz]

Also, I don't trust aws_iam_role_policy_attachment

Why's that?

[sjauld]

It seems to break more easily than a normal aws_iam_policy_attachment. Especially if you try to add more policies to the role, which I do quite a lot.

[jufemaiz]

Really? Strange!

[jufemaiz]

Are you mixing aws_iam_policy_attachment and aws_iam_role_policy_attachment? Because if you are it will break ><

[sjauld]

yes, that's why I don't use aws_iam_role_policy_attachment

[jufemaiz]

I guess I’ve gone down the “only use `aws_iam_role_policy_attachment`” instead. TF is pretty blatant about it snot being a great approach.

*WARNING:* The aws_iam_policy_attachment resource creates *exclusive* attachments

of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws_iam_policy_attachment resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other Terraform resources) will have that attached policy revoked by this resource. Consider aws_iam_role_policy_attachment, aws_iam_user_policy_attachment, or aws_iam_group_policy_attachmentinstead. These resources do not enforce exclusive attachment of an IAM policy. https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html

On Wed, 29 Apr 2020 at 17:22, Stuart Auld ***@***.***> wrote: yes, that's why I don't use aws_iam_role_policy_attachment — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#13 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAEAYNMSMX4AR2SRE2QMMDRO7IURANCNFSM4MTMULNQ> .

-- ———————————————— Joel Courtney – ACE Teknologi Architect, Developer, Engineer, Founder, Manager, Product 📱 +61 401 501 625 📧 joel@aceteknologi.com 🕸 aceteknologi.com <https://aceteknologi.com/?utm_source=joel&utm_medium=email> 🐦 @joelmcourtney <https://twitter.com/joelmcourtney> 📃 in/joelcourtney <https://www.linkedin.com/in/joelcourtney>

[sjauld]

Are you allowed more than one `aws_iam_role_policy_attachment` per role? From memory no, and that's what why I don't use it. On Wed, 29 Apr 2020 at 20:16, Joel Courtney <notifications@github.com> wrote:

…

I guess I’ve gone down the “only use `aws_iam_role_policy_attachment`” instead. TF is pretty blatant about it snot being a great approach. > *WARNING:* The aws_iam_policy_attachment resource creates *exclusive* attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws_iam_policy_attachment resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other Terraform resources) will have that attached policy revoked by this resource. Consider aws_iam_role_policy_attachment, aws_iam_user_policy_attachment, or aws_iam_group_policy_attachmentinstead. These resources do not enforce exclusive attachment of an IAM policy. https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html On Wed, 29 Apr 2020 at 17:22, Stuart Auld ***@***.***> wrote: > yes, that's why I don't use aws_iam_role_policy_attachment > > — > You are receiving this because you commented. > Reply to this email directly, view it on GitHub > < #13 (comment) >, > or unsubscribe > < https://github.com/notifications/unsubscribe-auth/AAAEAYNMSMX4AR2SRE2QMMDRO7IURANCNFSM4MTMULNQ > > . > -- ———————————————— Joel Courtney – ACE Teknologi Architect, Developer, Engineer, Founder, Manager, Product 📱 +61 401 501 625 📧 ***@***.*** 🕸 aceteknologi.com <https://aceteknologi.com/?utm_source=joel&utm_medium=email> 🐦 @joelmcourtney <https://twitter.com/joelmcourtney> 📃 in/joelcourtney <https://www.linkedin.com/in/joelcourtney> — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub <#13 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB6Z4N3L56FLT2QMAUJXUODRO746XANCNFSM4MTMULNQ> .

[jufemaiz]

Yep. You can.

[sjauld]

I think you need to make a new issue rather than reopening... this one is already SOLVED

…

On Wed, 29 Apr 2020 at 20:27, Joel Courtney ***@***.***> wrote: Reopened #13 <#13>. — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub <#13 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB6Z4N4V6ZADN4ZAX56AYWDRO76JZANCNFSM4MTMULNQ> .