(aws-iam): Lambda is deployed before its role's inline policies

[Dreamescaper]

Describe the bug

We create a role with some inline policies. This role is used as lambda execution role.
The problem is that lambda deployment does not wait for the deployment of inline policies, which can cause errors if lambda is executed during the deployment.

Expected Behavior

Lambda should not be updated until role's inline policies are created / updated.

Current Behavior

Lambda deployment has no dependency on inline policies. They can be deployed after lambda deployment.

Reproduction Steps

var lambdaRole= new Role(this, "api_lambda_role", new RoleProps { ... } );
lambdaRole.AttachInlinePolicy(Policies.DynamoDbTableReadWrite(scope, props));

var lambda = new Function(this, "my-lambda", new FunctionProps
{
      Role = lambdaRole,
      ...
});

CDK CLI Version

2.64.0

OS

AmazonLinux

Language

.NET

[Dreamescaper]

I suspect that this issue is caused because InlinePolicies are separate resources from CloudFormation perpestive. They are not part of the role, they only have roleArn as a property.

[pahud]

I believe the lambda role will first be created follow by the lambda function and policy created at the same time. This usually will not be a problem but if you need to ensure the dependency you probably will need:

func.node.addDependency(policy)

This will allow func always be created after the policy, which is associated to the lambda role.

Moving this to discussion for general guidance and further discussion.

[Dreamescaper]

We probably can, but shouldn't it happen automatically?
We have a lot of lambdas using the same role, so we'll have to add it to a lot of places.

I'm not sure in which cases it's not a problem. In our case it has caused an unexpected downtime for 15 minutes.

Thanks for the answer!