terraform-aws-modules/terraform-aws-lambda

attach_tracing_policy not attaching the AWSXRayDaemonWriteAccess to the role

lpossamai opened this issue · 2 comments

Description

When adding attach_tracing_policy = true to my lambda, I expect the module to attach the AWSXRayDaemonWriteAccess policy to its role.

However, as you can see below, this is not happening:
[screenshot of the role's attached policies]

  • I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (ONLY if state is stored remotely, which hopefully is the best practice you are following!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

I've done ALL the above.

Versions

  • Module version [Required]: v5.0.0

  • Terraform version:

Terraform v1.3.9
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.65.0
+ provider registry.terraform.io/hashicorp/external v2.3.1
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.5.1

Reproduction Code [Required]

module "lambda_function" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "v5.0.0"

  function_name = local.function_name
  handler       = "app.handler"
  runtime       = "nodejs16.x"
  publish       = true

  source_path   = "${path.root}/src/nodejs-app"
  artifacts_dir = "${path.root}/.terraform/lambda-builds/"

  # Disable source code tracking to turn off deployments (and rollbacks) using the module by setting ignore_source_code_hash = true and deploy a dummy function.
  ignore_source_code_hash  = true
  recreate_missing_package = false

  store_on_s3               = false

  vpc_security_group_ids = ["sg-666"]
  vpc_subnet_ids         = data.terraform_remote_state.network.outputs.private_subnets
  attach_network_policy  = true

  # Enable X-Ray tracing
  attach_tracing_policy = true
  tracing_mode          = "Active"

  attach_policies = true
  policies        = [
    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
  ]
  number_of_policies = 1
}

Steps to reproduce the behavior:

Yes.

Yes

Expected behavior

The module should attach the arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSXRayDaemonWriteAccess IAM policy to the Lambda's execution role.

Actual behavior

As shown in the screenshot, the policy is not being attached to the role.

Additional context

If I modify my code to be:

  attach_policies = true
  policies        = [
    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
    "arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSXRayDaemonWriteAccess",
  ]
  number_of_policies = 2

I can successfully see the policy attached to the role.
[screenshot of the role's attached policies]

There is a copy of the policy/AWSXRayDaemonWriteAccess managed policy in the lambda-job-reminder-test-tracing policy in your case. Here is the code snippet of the module where this is implemented:

terraform-aws-lambda/iam.tf

Lines 218 to 239 in dc9356a

# Copying AWS managed policy to be able to attach the same policy with multiple roles without overwrites by another function
data "aws_iam_policy" "tracing" {
  count = local.create_role && var.attach_tracing_policy ? 1 : 0

  arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSXRayDaemonWriteAccess"
}

# Customer-managed copy of the document above, named "<policy_name>-tracing";
# this copy, not the AWS managed ARN, is what shows up on the role
resource "aws_iam_policy" "tracing" {
  count = local.create_role && var.attach_tracing_policy ? 1 : 0

  name   = "${local.policy_name}-tracing"
  path   = var.policy_path
  policy = data.aws_iam_policy.tracing[0].policy
  tags   = var.tags
}

resource "aws_iam_role_policy_attachment" "tracing" {
  count = local.create_role && var.attach_tracing_policy ? 1 : 0

  role       = aws_iam_role.lambda[0].name
  policy_arn = aws_iam_policy.tracing[0].arn
}
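To see what the answer above means in practice, here is an added check (not part of the module or of this thread) that inspects a role's attached policy documents, such as those returned by iam:GetPolicyVersion, and reports which of them grant the X-Ray write actions Lambda tracing needs, whether that is the managed AWSXRayDaemonWriteAccess policy or the module's "-tracing" copy of it. The sample input is constructed: the Insights policy body is abbreviated, the account id is the AWS documentation example, and only the policy name comes from the issue.

```python
import fnmatch

# Actions Lambda needs for active tracing (AWS docs for Lambda + X-Ray).
REQUIRED_XRAY_ACTIONS = {"xray:PutTraceSegments", "xray:PutTelemetryRecords"}


def _as_list(value):
    """IAM allows a single string/object or a list for Statement and Action."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allowed_actions(policy_document, required=REQUIRED_XRAY_ACTIONS):
    """Subset of `required` granted by an Allow statement in the document.
    Wildcards ('xray:*', '*') are matched case-insensitively like IAM does.
    Deny statements are not evaluated: this is a positive-grant check only."""
    granted = set()
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted |= {a for a in required
                        if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
    return granted


def xray_capable_policies(attached):
    """`attached` maps policy ARN -> default-version document. Returns the
    ARNs of the policies that grant every required X-Ray action by themselves."""
    return sorted(arn for arn, doc in attached.items()
                  if allowed_actions(doc) == REQUIRED_XRAY_ACTIONS)


# Constructed sample: the reporter's role after attach_tracing_policy = true.
# The module attaches its own copy (name ending "-tracing"), so the managed
# AWSXRayDaemonWriteAccess ARN never appears even though the grant is present.
SAMPLE_ATTACHED = {
    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy": {
        "Statement": [{"Effect": "Allow", "Resource": "*",
                       "Action": ["logs:CreateLogStream", "logs:PutLogEvents"]}]},
    "arn:aws:iam::123456789012:policy/lambda-job-reminder-test-tracing": {
        "Statement": [{"Effect": "Allow", "Resource": "*",
                       "Action": ["xray:PutTraceSegments", "xray:PutTelemetryRecords",
                                  "xray:GetSamplingRules", "xray:GetSamplingTargets"]}]},
}

if __name__ == "__main__":
    print(xray_capable_policies(SAMPLE_ATTACHED))
```

If you also list the managed ARN in `policies`, as the reporter did, the role ends up with both the copy and the original, which is harmless but redundant; this check makes that visible by returning both ARNs.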

I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.