From a374dea4dd4790742837e53411d362cd4a04bcf1 Mon Sep 17 00:00:00 2001
From: Brian McMahon
Date: Thu, 14 May 2026 14:35:31 -0700
Subject: [PATCH] fix(iam): grant deploy role update + invoke on regime Lambdas
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The codified github-actions-lambda-deploy policy missed the two regime Lambdas added 2026-05-14:

- alpha-engine-predictor-regime-substrate (Stage A)
- alpha-engine-predictor-regime-retrospective-eval (Stage C.2 T1)

Symptom: today's predictor deploy.yml run (CI 25884911718) logged "NOT FOUND — skipping" for both functions in deploy.sh Step 9 + 10. That branch was protective at the time (the functions hadn't been created yet via setup-regime-{lambda,retrospective-eval-lambda}.sh). But adding the ARNs now unblocks the auto-create fall-through being shipped in alpha-engine-predictor (parallel PR) so the manual setup scripts become break-glass-only rather than required.

Both Lambdas need explicit ARNs in two statements:
- LambdaUpdate (CreateFunction / UpdateFunctionCode / PublishVersion / UpdateAlias / CreateAlias — needed for auto-create + update path)
- LambdaInvokeCanary (InvokeFunction on both bare + versioned ARNs — needed for deploy.sh's post-update dry_run canary)

Applied to live AWS via:
  bash infrastructure/iam/apply.sh github-actions-lambda-deploy

Verified:
  python3 infrastructure/iam/check-drift.py → clean
  pytest tests/test_sf_iam_lambda_grants.py → 2 passed, 1 skipped

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 infrastructure/iam/github-actions-lambda-deploy.json | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/infrastructure/iam/github-actions-lambda-deploy.json b/infrastructure/iam/github-actions-lambda-deploy.json
index e59f94e..95f6513 100644
--- a/infrastructure/iam/github-actions-lambda-deploy.json
+++ b/infrastructure/iam/github-actions-lambda-deploy.json
@@ -53,6 +53,8 @@ "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-replay-concordance", "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-replay-counterfactual", "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-predictor-inference", + "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-predictor-regime-substrate", + "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-predictor-regime-retrospective-eval", "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-data-collector", "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-health-check" ] @@ -86,6 +88,10 @@ "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-replay-counterfactual:*", "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-predictor-inference", "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-predictor-inference:*", + "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-predictor-regime-substrate", + "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-predictor-regime-substrate:*", + "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-predictor-regime-retrospective-eval", + "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-predictor-regime-retrospective-eval:*", "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-data-collector", "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-data-collector:*", "arn:aws:lambda:us-east-1:711398986525:function:alpha-engine-health-check",
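Review bot: the LambdaUpdate hunk (@@ -53,6 +53,8 @@) grants CreateFunction on the two new regime function ARNs, but CreateFunction also requires iam:PassRole on the execution role the function is created with, and no PassRole statement is touched in this patch. Before relying on the auto-create fall-through described in the message, confirm the deploy role already holds iam:PassRole for the regime Lambdas' execution role (or add it in this PR); otherwise the fall-through fails at CreateFunction and the setup-regime-*.sh scripts stay required rather than break-glass-only.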
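Review bot: the LambdaInvokeCanary hunk (@@ -86,6 +88,10 @@) is consistent with the existing predictor-inference entries (bare ARN plus `:*`), but it is the second statement that has to be edited by hand for every new Lambda, and this omission surfaced only as a NOT FOUND skip line in deploy.sh rather than as a failing check. Suggest extending tests/test_sf_iam_lambda_grants.py to assert that every function ARN listed in LambdaUpdate also appears in LambdaInvokeCanary both bare and with the `:*` qualifier, so a future Lambda added to one statement but not the other fails in CI instead of at deploy time.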