attach_tracing_policy not attaching the AWSXRayDaemonWriteAccess to the role
lpossamai opened this issue · 2 comments
Description
When adding `attach_tracing_policy = true` to my lambda, I expect the module to attach the AWSXRayDaemonWriteAccess policy to its role.
However, as you can see below, this is not happening:
- ✋ I have searched the open/closed issues and my issue is not listed.
⚠️ Note
Before you submit an issue, please perform the following first:
- Remove the local `.terraform` directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): `rm -rf .terraform/`
- Re-initialize the project root to pull down modules: `terraform init`
- Re-attempt your terraform plan or apply and check if the issue still persists
Versions
- Module version [Required]: v5.0.0
- Terraform version:

```text
Terraform v1.3.9
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.65.0
+ provider registry.terraform.io/hashicorp/external v2.3.1
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.5.1
```
Reproduction Code [Required]
```hcl
module "lambda_function" {
  source  = "terraform-aws-modules/lambda/aws"
  version = "v5.0.0"

  function_name = local.function_name
  handler       = "app.handler"
  runtime       = "nodejs16.x"
  publish       = true

  source_path   = "${path.root}/src/nodejs-app"
  artifacts_dir = "${path.root}/.terraform/lambda-builds/"

  # Disable source code tracking to turn off deployments (and rollbacks) using the module by setting ignore_source_code_hash = true and deploy a dummy function.
  ignore_source_code_hash  = true
  recreate_missing_package = false
  store_on_s3              = false

  vpc_security_group_ids = ["sg-666"]
  vpc_subnet_ids         = data.terraform_remote_state.network.outputs.private_subnets
  attach_network_policy  = true

  # Enable X-Ray tracing
  attach_tracing_policy = true
  tracing_mode          = "Active"

  attach_policies = true
  policies = [
    "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
  ]
  number_of_policies = 1
}
```
Steps to reproduce the behavior:
Yes.
Yes
Expected behavior
The module should attach the `arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSXRayDaemonWriteAccess` IAM policy to the Lambda's execution role.
Actual behavior
As shown in the screenshot, the policy is not being attached to the role.
Additional context
If I modify my code to be:
```hcl
attach_policies = true
policies = [
  "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
  "arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSXRayDaemonWriteAccess",
]
number_of_policies = 2
```
There is a copy of the `policy/AWSXRayDaemonWriteAccess` managed policy in the `lambda-job-reminder-test-tracing` policy in your case. Here is the code snippet of the module where this is implemented:
Lines 218 to 239 in dc9356a
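The reply above explains why a check for the managed-policy attachment comes back empty: the X-Ray permissions are granted through an inline policy on the execution role, not through an attachment of AWSXRayDaemonWriteAccess. The following is an added example, not code from the terraform-aws-modules/lambda module or from anyone in this thread. It evaluates a role's effective X-Ray write permission from both sources so that a least-privilege audit of the execution role does not report a false negative. The role snapshots, the inline policy contents, the list of X-Ray actions and the function names are all constructed assumptions for the example.

```python
"""Decide whether a Lambda execution role can write X-Ray traces.

Added example, not code from the terraform-aws-modules/lambda module or from
this issue. The thread's point is that the module grants X-Ray access through
an inline role policy (named lambda-job-reminder-test-tracing in the
reporter's case) that copies the managed policy's statements, so checking
only for an AWSXRayDaemonWriteAccess attachment reports a false negative.
This script evaluates effective permissions from attached-policy ARNs and
inline policy documents instead.

The role snapshots at the bottom are constructed sample data shaped like the
results of `aws iam list-attached-role-policies` and `aws iam get-role-policy`.
The action list is an assumption about what the X-Ray SDK needs, not a copy
of the managed policy document.
"""
import re

XRAY_MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
# Assumption: the two actions the runtime needs to emit trace data.
XRAY_WRITE_ACTIONS = ("xray:PutTraceSegments", "xray:PutTelemetryRecords")


def _as_list(value):
    """IAM accepts a bare string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def policy_allows(document, action):
    """True if an Allow statement matches `action` and no Deny statement does.

    Deliberately simple: NotAction, NotResource and Condition are not
    evaluated, so a True here is a pointer to the policy to read, not a
    full IAM authorization decision.
    """
    allowed = denied = False
    for stmt in _as_list(document.get("Statement")):
        if any(action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
    return allowed and not denied


def xray_permission_source(attached_policy_arns, inline_policies):
    """Return where the role gets X-Ray write access, or None if nowhere.

    attached_policy_arns: managed-policy ARNs attached to the role.
    inline_policies: {policy_name: policy_document_dict}.
    """
    if XRAY_MANAGED_POLICY_ARN in attached_policy_arns:
        return "managed:" + XRAY_MANAGED_POLICY_ARN
    for name, document in inline_policies.items():
        if all(policy_allows(document, a) for a in XRAY_WRITE_ACTIONS):
            return "inline:" + name
    return None


# Constructed sample: a role as the module leaves it with
# attach_tracing_policy = true (inline copy, no managed attachment).
ROLE_FROM_MODULE = {
    "attached": ["arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"],
    "inline": {
        "lambda-job-reminder-test-tracing": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Action": ["xray:PutTraceSegments", "xray:PutTelemetryRecords",
                           "xray:GetSamplingRules", "xray:GetSamplingTargets"],
                "Resource": "*",
            }],
        }
    },
}

# Constructed sample: the reporter's workaround (managed policy attached).
ROLE_WITH_MANAGED = {"attached": [XRAY_MANAGED_POLICY_ARN], "inline": {}}

# Constructed sample: an inline policy whose Deny cancels the broad Allow.
ROLE_WITH_DENY = {
    "attached": [],
    "inline": {"tracing": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "xray:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "xray:Put*", "Resource": "*"},
    ]}},
}


if __name__ == "__main__":
    for label, role in [("module", ROLE_FROM_MODULE), ("managed", ROLE_WITH_MANAGED),
                        ("deny", ROLE_WITH_DENY)]:
        print(label, "->", xray_permission_source(role["attached"], role["inline"]))
```

On a live account the same dicts come from `aws iam list-attached-role-policies --role-name <role>` and, for each name returned by `aws iam list-role-policies --role-name <role>`, `aws iam get-role-policy --role-name <role> --policy-name <name>`. Because the evaluator skips Condition, NotAction and NotResource, treat its answer as the policy to go and read rather than as an authorization verdict.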
I'm going to lock this issue because it has been closed for 30 days