AWS provider resource aws_iam_policy_attachment creates an exclusive relationship between the policy and roles defined. As this is almost never what you want, it is suggested to use aws_iam_role_policy_attachment to create an attachment between one policy and one role.
In context here, the policy AWSLambdaExecute policy is being attached to a set of roles created in the terraform module
resource "aws_iam_policy_attachment" "execute-attach" {
name = "execute-attachment"
roles = [aws_iam_role.analyzer_role.name, aws_iam_role.optimizer_role.name, aws_iam_role.executor_role.name, aws_iam_role.cleaner_role.name, aws_iam_role.initializer_role.name]
policy_arn = data.aws_iam_policy.analyzer_policy.arn
}
Upon creating this resource, all roles that currently have policy AWSLambdaExecute attached will have that policy detached, resulting in resources that previously had permission to execute lambda functions no longer having that permission.
See https://registry.terraform.io/providers/hashicorp/aws/2.70.1/docs/resources/iam_policy_attachment
AWS provider resource
aws_iam_policy_attachmentcreates an exclusive relationship between the policy and roles defined. As this is almost never what you want, it is suggested to useaws_iam_role_policy_attachmentto create an attachment between one policy and one role.In context here, the policy
AWSLambdaExecutepolicy is being attached to a set of roles created in the terraform moduleUpon creating this resource, all roles that currently have policy
AWSLambdaExecuteattached will have that policy detached, resulting in resources that previously had permission to execute lambda functions no longer having that permission.See https://registry.terraform.io/providers/hashicorp/aws/2.70.1/docs/resources/iam_policy_attachment