
Sentinel forwarder fails to apply if not using most recent layer ARN #203

Open
patheard opened this issue Jan 23, 2023 · 1 comment

@patheard
Member

Summary

The sentinel_forwarder module fails to Terraform apply if the layer_arn being used is not the most recently published layer version:

```text
╷
│ Error: error creating Lambda Function (1): AccessDeniedException: 
│ 	status code: 403, request id: 4be17092-313c-469a-b905-45f6cbec8546
│ 
│   with module.sentinel_forwarder.aws_lambda_function.sentinel_forwarder,
│   on .terraform/modules/sentinel_forwarder/sentinel_forwarder/main.tf line 34, in resource "aws_lambda_function" "sentinel_forwarder":
│   34: resource "aws_lambda_function" "sentinel_forwarder" {
│ 
│
│ "User is not authorized to perform: lambda:GetLayerVersion on 
│ resource: arn:aws:lambda:ca-central-1:283582579564:layer:aws-sentinel-connector-layer:20 
│ because no resource-based policy allows the lambda:GetLayerVersion action"
```

Although the layer has a permission policy created for it on publish, it appears that this permission is being removed when a new layer version is published.

```sh
aws lambda get-layer-version-policy \
  --layer-name aws-sentinel-connector-layer \
  --version-number 37

# policy returned successfully

aws lambda get-layer-version-policy \
  --layer-name aws-sentinel-connector-layer \
  --version-number 36

# Following error returned for any layer version that is not the latest
An error occurred (ResourceNotFoundException) when calling the GetLayerVersionPolicy operation: Layer version arn:aws:lambda:ca-central-1:283582579564:layer:aws-sentinel-connector-layer:36 does not have any resource policy.
```

Related

@patheard
Member Author

This implies it's possible to re-add the lambda layer's resource based policy to previous versions, but it's not clear what's causing the removal of the permission in the first place:
https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xaccountlayer
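Lambda layer resource-based policies are attached per layer version, so a consumer pinned to an older `layer_arn` depends on that specific version still carrying an Allow for `lambda:GetLayerVersion`. The following audit script is an added example for this issue, not code from the sentinel_forwarder module or from AWS: it separates the pure policy check (runnable offline against a constructed sample that mirrors the CLI output above, with version 37 holding a policy and version 36 none) from the boto3 calls that fetch real policies. The layer name, account ids and `example-layer` ARN in the sample are placeholders, not values from the page.

```python
"""Audit which versions of a Lambda layer still grant lambda:GetLayerVersion.

Added example for this issue (not the sentinel_forwarder module's own code).
The pure logic is testable offline; boto3 is imported lazily so the module
loads without it, and the real fetchers only run with credentials present.
"""
import json
from typing import Callable, Iterable, Optional

GET_LAYER_VERSION = "lambda:GetLayerVersion"


def policy_allows_get_layer_version(policy_json: Optional[str], principal: str) -> bool:
    """True if the policy has an Allow statement granting lambda:GetLayerVersion
    to `principal` (a 12-digit account id) or to everyone ('*')."""
    if not policy_json:
        return False
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if GET_LAYER_VERSION not in actions and "lambda:*" not in actions:
            continue
        principals = stmt.get("Principal", {})
        if principals == "*":
            return True
        aws = principals.get("AWS", []) if isinstance(principals, dict) else []
        if isinstance(aws, str):
            aws = [aws]
        # Lambda stores account principals as the account's root ARN.
        for p in aws:
            if p == "*" or p == principal or p.endswith(f":{principal}:root"):
                return True
    return False


def versions_missing_permission(versions: Iterable[int], principal: str,
                                fetch_policy: Callable[[int], Optional[str]]) -> list:
    """Layer versions whose policy is absent (None) or does not grant
    GetLayerVersion to `principal`; these are the ones a pinned consumer
    would fail on with AccessDeniedException."""
    return [v for v in versions
            if not policy_allows_get_layer_version(fetch_policy(v), principal)]


def boto3_policy_fetcher(layer_name: str) -> Callable[[int], Optional[str]]:
    """Fetcher backed by the real API (needs boto3 and credentials).
    ResourceNotFoundException is what the CLI returned above for versions
    without a policy, so it is mapped to None."""
    import boto3  # lazy import: the offline parts of this module need no AWS SDK
    client = boto3.client("lambda")

    def fetch(version: int) -> Optional[str]:
        try:
            return client.get_layer_version_policy(
                LayerName=layer_name, VersionNumber=version)["Policy"]
        except client.exceptions.ResourceNotFoundException:
            return None
    return fetch


def all_layer_versions(layer_name: str) -> list:
    """All published version numbers of a layer, via list_layer_versions."""
    import boto3
    client = boto3.client("lambda")
    versions = []
    paginator = client.get_paginator("list_layer_versions")
    for page in paginator.paginate(LayerName=layer_name):
        versions.extend(v["Version"] for v in page["LayerVersions"])
    return sorted(versions)


# Constructed sample (placeholder ids): version 37 has a policy, 36 has none.
SAMPLE_POLICIES = {
    37: json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "example", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "lambda:GetLayerVersion",
        "Resource": "arn:aws:lambda:ca-central-1:000000000000:layer:example-layer:37"}]}),
    36: None,
}


def demo() -> list:
    """Offline run over the constructed sample; returns [36]."""
    return versions_missing_permission([36, 37], "111111111111", SAMPLE_POLICIES.get)


if __name__ == "__main__":
    print("versions missing GetLayerVersion permission:", demo())
```

Against a real account, replace the sample with `versions_missing_permission(all_layer_versions(name), consumer_account_id, boto3_policy_fetcher(name))`; any version it reports that is still referenced by a consumer's `layer_arn` is one that will produce the 403 shown above until the permission is re-added to that version.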
