aws lambda deploy-serverless command not updating Layer version when used with secrets manager

[awsimaya]

When trying to update an existing Lambda function with a Lambda Layer using aws lambda deploy-serverless command, it fails to update the function with the latest layer version when the Layer ARN is fetched from AWS Secrets Manager. Creating a new function with the same command works fine. Issue is only when we do consecutive updates to the same function.

Scenario

• Create a Lambda Function with Layer
• Update the Layer using dotnet lambda publish-layer command.
• Now run aws lambda deploy-serverless command by passing a serverless template. Example command below

dotnet lambda deploy-serverless -sb my-lambda-apps -t .\serverless.yaml -sn OrderProcessor

• serverless.yaml command has the Layer settings as below. Layer ARN is stored as a key/value pair in AWS Secrets Manager.

Layers:
        - '{{resolve:secretsmanager:LambdaLayerSecretArn:SecretString:LambdaLayerSecretArn}}'

• When the Layer ARN is directly given as plain text in the .yaml file, there is no issue.

[normj]

The way the feature is currently implemented in the .NET Lambda tools is the actual layer ARN has to be used in the CloudFormation template. The .NET Lambda tools don't resolve the ARN from SSM or CloudFormation parameters. That is a feature we could look into but I don't have a timeline when that will be.

[ericbach]

We use aws cloudformation package in CodeBuild within CodePipeline to deploy our Lambdas.
Because of this limitation we had to find a workaround within CodeBuild.

Within our buildspec.yml file, we first have to get the Lambda Layer ARN during the install phase

lambdaResult=$(dotnet lambda publish-layer LambdaCoreDependencies --package-manifest LambdaCoreDependencies.xml --layer-type runtime-package-store --s3-bucket lambda-core-depedencies --region us-west-2 --framework netcoreapp2.1)
lambdaLayerArn=$(echo $lambdaResult | grep -oP "arn:aws:lambda:us-west-2:.+")

Then we do a search and replace in the post_build phase where we would have expected to get the Lambda Layer ARN from AWS Secrets Manager

aws cloudformation package --template-file serverless.yaml --s3-bucket codepipeline-artifacts --output-template-file outputServerless.yaml
sed -i "s/Fn::Sub:\W'{{resolve:secretsmanager:\${LambdaLayerSecretArn}}}'/$lambdaLayerArn/g" outputServerless.yaml

The result produces a .yaml file with the actual layer ARN to be used in the subsequent CloudFormation deploy stage in CodePipeline.

[github-actions]

We have noticed this issue has not received attention in 1 year. We will close this issue for now. If you think this is in error, please feel free to comment and reopen the issue.

[ddivita]

Is this still an issue with .net deployments? Is there a better way to get the layer arn?