It doesn’t appear that it is possible to override the auto-created IAM Role for functions that trigger off of sqs_events. Neither role, class_role, nor config-level (config.function.role) properties ever end up changing the underlying cloudformation.
Is there something I’m missing or is this by design? I know that you can use iam_policy to add additional permissions to the generated role, but I would rather maintain my own IAM role in Terraform where all my other IAM resources live.