aws - lambda-layer - cross-account ignore layers with no policies (#6827

)
cloud-custodian · Aug 3, 2021 · f57e129 · f57e129
1 parent 7ad637d
commit f57e129
Show file tree

Hide file tree

Showing 8 changed files with 84 additions and 75 deletions.
diff --git a/c7n/resources/awslambda.py b/c7n/resources/awslambda.py
@@ -644,10 +644,16 @@ class LayerCrossAccount(CrossAccountAccessFilter):
     def process(self, resources, event=None):
         client = local_session(self.manager.session_factory).client('lambda')
         for r in resources:
-            r['c7n:Policy'] = self.manager.retry(
-                client.get_layer_version_policy,
-                LayerName=r['LayerName'],
-                VersionNumber=r['Version']).get('Policy')
+            if 'c7n:Policy' in r:
+                continue
+            try:
+                rpolicy = self.manager.retry(
+                    client.get_layer_version_policy,
+                    LayerName=r['LayerName'],
+                    VersionNumber=r['Version']).get('Policy')
+            except client.exceptions.ResourceNotFoundException:
+                rpolicy = {}
+            r['c7n:Policy'] = rpolicy
         return super(LayerCrossAccount, self).process(resources)
 
     def get_resource_policy(self, r):

diff --git a/tests/data/placebo/test_lambda_layer_cross_account/lambda.GetLayerVersionPolicy_1.json b/tests/data/placebo/test_lambda_layer_cross_account/lambda.GetLayerVersionPolicy_1.json
@@ -1,19 +1,8 @@
 {
     "status_code": 200,
     "data": {
-        "ResponseMetadata": {
-            "RequestId": "3aa70f82-02af-11e9-8f13-8b7358831acf",
-            "HTTPStatusCode": 200,
-            "HTTPHeaders": {
-                "date": "Tue, 18 Dec 2018 10:25:23 GMT",
-                "content-type": "application/json",
-                "content-length": "295",
-                "connection": "keep-alive",
-                "x-amzn-requestid": "3aa70f82-02af-11e9-8f13-8b7358831acf"
-            },
-            "RetryAttempts": 0
-        },
-        "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"Grant\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"lambda:GetLayerVersion\",\"Resource\":\"arn:aws:lambda:us-east-1:644160558196:layer:test:2\"}]}",
-        "RevisionId": "dc14c754-0f12-49cb-b263-95dd45f45bd3"
+        "ResponseMetadata": {},
+        "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"xaccount2\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789123:root\"},\"Action\":\"lambda:GetLayerVersion\",\"Resource\":\"arn:aws:lambda:us-east-1:644160558196:layer:c7n-botocore1-20-33-boto31-17-33:1\"}]}",
+        "RevisionId": "23d7f01d-6216-49c4-8eb4-c395afcfb47d"
     }
 }
diff --git a/tests/data/placebo/test_lambda_layer_cross_account/lambda.GetLayerVersionPolicy_2.json b/tests/data/placebo/test_lambda_layer_cross_account/lambda.GetLayerVersionPolicy_2.json
@@ -2,21 +2,11 @@
     "status_code": 404,
     "data": {
         "Error": {
-            "Message": "Layer version arn:aws:lambda:us-east-1:644160558196:layer:test:2 does not have any resource policy.",
+            "Message": "No policy is associated with the given resource.",
             "Code": "ResourceNotFoundException"
         },
-        "ResponseMetadata": {
-            "RequestId": "3ac7de4a-02af-11e9-b949-5d121549c0c1",
-            "HTTPStatusCode": 404,
-            "HTTPHeaders": {
-                "date": "Tue, 18 Dec 2018 10:25:24 GMT",
-                "content-type": "application/json",
-                "content-length": "127",
-                "connection": "keep-alive",
-                "x-amzn-requestid": "3ac7de4a-02af-11e9-b949-5d121549c0c1",
-                "x-amzn-errortype": "ResourceNotFoundException"
-            },
-            "RetryAttempts": 0
-        }
+        "ResponseMetadata": {},
+        "Type": "User",
+        "Message": "No policy is associated with the given resource."
     }
 }
diff --git a/tests/data/placebo/test_lambda_layer_cross_account/lambda.GetLayerVersionPolicy_3.json b/tests/data/placebo/test_lambda_layer_cross_account/lambda.GetLayerVersionPolicy_3.json
@@ -0,0 +1,12 @@
+{
+    "status_code": 404,
+    "data": {
+        "Error": {
+            "Message": "Layer version arn:aws:lambda:us-east-1:644160558196:layer:c7n-botocore1-20-33-boto31-17-33:1 does not have any resource policy.",
+            "Code": "ResourceNotFoundException"
+        },
+        "ResponseMetadata": {},
+        "Type": "User",
+        "Message": "Layer version arn:aws:lambda:us-east-1:644160558196:layer:c7n-botocore1-20-33-boto31-17-33:1 does not have any resource policy."
+    }
+}
diff --git a/tests/data/placebo/test_lambda_layer_cross_account/lambda.ListLayerVersions_1.json b/tests/data/placebo/test_lambda_layer_cross_account/lambda.ListLayerVersions_1.json
@@ -1,23 +1,19 @@
 {
     "status_code": 200,
     "data": {
-        "ResponseMetadata": {
-            "RequestId": "3a9a8bda-02af-11e9-846d-ff6320024c8c",
-            "HTTPStatusCode": 200,
-            "HTTPHeaders": {
-                "date": "Tue, 18 Dec 2018 10:25:23 GMT",
-                "content-type": "application/json",
-                "content-length": "231",
-                "connection": "keep-alive",
-                "x-amzn-requestid": "3a9a8bda-02af-11e9-846d-ff6320024c8c"
-            },
-            "RetryAttempts": 0
-        },
+        "ResponseMetadata": {},
         "LayerVersions": [
             {
-                "LayerVersionArn": "arn:aws:lambda:us-east-1:644160558196:layer:test:2",
-                "Version": 2,
-                "CreatedDate": "2018-12-18T10:20:13.948+0000"
+                "LayerVersionArn": "arn:aws:lambda:us-east-1:644160558196:layer:c7n-botocore1-20-33-boto31-17-33:1",
+                "Version": 1,
+                "Description": "Lambda Layer for c7n",
+                "CreatedDate": "2021-03-26T01:15:59.627+0000",
+                "CompatibleRuntimes": [
+                    "python2.7",
+                    "python3.6",
+                    "python3.7",
+                    "python3.8"
+                ]
             }
         ]
     }

diff --git a/tests/data/placebo/test_lambda_layer_cross_account/lambda.ListLayerVersions_2.json b/tests/data/placebo/test_lambda_layer_cross_account/lambda.ListLayerVersions_2.json
@@ -0,0 +1,17 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {},
+        "LayerVersions": [
+            {
+                "LayerVersionArn": "arn:aws:lambda:us-east-1:644160558196:layer:c7n-test:1",
+                "Version": 1,
+                "Description": "second test layer",
+                "CreatedDate": "2021-07-28T17:51:31.295+0000",
+                "CompatibleRuntimes": [
+                    "python3.8"
+                ]
+            }
+        ]
+    }
+}
diff --git a/tests/data/placebo/test_lambda_layer_cross_account/lambda.ListLayers_1.json b/tests/data/placebo/test_lambda_layer_cross_account/lambda.ListLayers_1.json
@@ -1,26 +1,35 @@
 {
     "status_code": 200,
     "data": {
-        "ResponseMetadata": {
-            "RequestId": "3a8a111d-02af-11e9-a945-e77482cd9b0c",
-            "HTTPStatusCode": 200,
-            "HTTPHeaders": {
-                "date": "Tue, 18 Dec 2018 10:25:23 GMT",
-                "content-type": "application/json",
-                "content-length": "331",
-                "connection": "keep-alive",
-                "x-amzn-requestid": "3a8a111d-02af-11e9-a945-e77482cd9b0c"
-            },
-            "RetryAttempts": 0
-        },
+        "ResponseMetadata": {},
         "Layers": [
             {
-                "LayerName": "test",
-                "LayerArn": "arn:aws:lambda:us-east-1:644160558196:layer:test",
+                "LayerName": "c7n-botocore1-20-33-boto31-17-33",
+                "LayerArn": "arn:aws:lambda:us-east-1:644160558196:layer:c7n-botocore1-20-33-boto31-17-33",
+                "LatestMatchingVersion": {
+                    "LayerVersionArn": "arn:aws:lambda:us-east-1:644160558196:layer:c7n-botocore1-20-33-boto31-17-33:1",
+                    "Version": 1,
+                    "Description": "Lambda Layer for c7n",
+                    "CreatedDate": "2021-03-26T01:15:59.627+0000",
+                    "CompatibleRuntimes": [
+                        "python2.7",
+                        "python3.6",
+                        "python3.7",
+                        "python3.8"
+                    ]
+                }
+            },
+            {
+                "LayerName": "c7n-test",
+                "LayerArn": "arn:aws:lambda:us-east-1:644160558196:layer:c7n-test",
                 "LatestMatchingVersion": {
-                    "LayerVersionArn": "arn:aws:lambda:us-east-1:644160558196:layer:test:2",
-                    "Version": 2,
-                    "CreatedDate": "2018-12-18T10:20:13.948+0000"
+                    "LayerVersionArn": "arn:aws:lambda:us-east-1:644160558196:layer:c7n-test:1",
+                    "Version": 1,
+                    "Description": "second test layer",
+                    "CreatedDate": "2021-07-28T17:51:31.295+0000",
+                    "CompatibleRuntimes": [
+                        "python3.8"
+                    ]
                 }
             }
         ]

diff --git a/...s/data/placebo/test_lambda_layer_cross_account/lambda.RemoveLayerVersionPermission_1.json b/...s/data/placebo/test_lambda_layer_cross_account/lambda.RemoveLayerVersionPermission_1.json
@@ -1,16 +1,6 @@
 {
     "status_code": 204,
     "data": {
-        "ResponseMetadata": {
-            "RequestId": "3ab519af-02af-11e9-b4a7-053d0d22210b",
-            "HTTPStatusCode": 204,
-            "HTTPHeaders": {
-                "date": "Tue, 18 Dec 2018 10:25:23 GMT",
-                "content-type": "application/json",
-                "connection": "keep-alive",
-                "x-amzn-requestid": "3ab519af-02af-11e9-b4a7-053d0d22210b"
-            },
-            "RetryAttempts": 0
-        }
+        "ResponseMetadata": {}
     }
 }