
Cross Account AWS Lambda Layers #12728

Open
Arlington1985 opened this issue Apr 8, 2020 · 7 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/lambda Issues and PRs that pertain to the lambda service.

Comments

Arlington1985 commented Apr 8, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently, it's not possible to specify Lambda layers from a different AWS account. In CloudFormation you can do it just by specifying the ARN of the layer, either with the exact version or without a version. But as of now, AWS has no capability to refer to cross-account Lambda layers without specifying a version.

New or Affected Resource(s)

  • aws_lambda_layer_version

Potential Terraform Configuration

```hcl
resource "aws_lambda_layer_version" "lambda_layer" {
  arn = "arn:aws:lambda:eu-west-1:123456789012:layer:layer_name:1"

  compatible_runtimes = ["nodejs8.10"]
}
```

References

@Arlington1985 Arlington1985 added the enhancement Requests to existing resources that expand the functionality or scope. label Apr 8, 2020
@ghost ghost added the service/lambda Issues and PRs that pertain to the lambda service. label Apr 8, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Apr 8, 2020
ewbankkit (Contributor) commented Apr 8, 2020

Similar:

@Arlington1985 Thanks for raising this. arn (and layer_arn) are both Computed attributes so cannot be set for resource creation.
Looking at the underlying Lambda API, layer_name could be an ARN but I don't think the way that resourceAwsLambdaLayerVersionParseId has been written would allow this.

Arlington1985 (Author) commented Apr 8, 2020

Yes, you are right, instead of a resource it should be a data source, but even this doesn't work.
But basically, I solved my problem just by specifying the ARN in the layers parameter of
resource "aws_lambda_function".

```hcl
resource "aws_lambda_function" "lambda_function" {
  ...
  # versioned ARN of the layer owned by the other account
  layers = ["arn:aws:lambda:region:123456789012:layer:layer_name:version"]
  ...
}
```

Still, I think it should also work when referencing it from a data source.

ewbankkit (Contributor) commented

The corresponding data source uses the ListLayerVersions API and it is unlikely that you would have permissions to call this on a 3rd-party layer.
e.g. for Datadog:

$ aws --region us-west-2 lambda list-layer-versions --layer-name arn:aws:lambda:us-west-2:464622532012:layer:Datadog-Python37

An error occurred (AccessDeniedException) when calling the ListLayerVersions operation: User: arn:aws:iam::123456789012:user/kit is not authorized to perform: lambda:ListLayerVersions on resource: arn:aws:lambda:us-west-2:464622532012:layer:Datadog-Python37

Arlington1985 (Author) commented

With 3rd-party libs it might be a problem, but if I am using just my own cross-account layer, then I will have the option to give any permission.

JoeHitchenXtract commented

The related issue which brought me here was trying to use the Scipy layer across multiple regions, because it seems both the region and the account number change in the ARN. I haven't yet found a good alternative to hardcoding the ARNs for the regions we want to use.

fred-vogt commented Jul 29, 2020

AWS lambda layers support "resource level policies":

What is needed is similar to other resources that support attaching resource policies, such as ECR repository resource policies.

Seems there is already an enhancement request for this:

@breathingdust breathingdust removed the needs-triage Waiting for first response or review from a maintainer. label Sep 21, 2021
anwickes commented

> Seems there is already an enhancement request for this:

My understanding of this issue is the inability to use the following data block to retrieve the latest version of a lambda layer that is shared from a different account.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lambda_layer_version.html

This would be handy where codebase A deploys a layer to account A and codebase B needs to retrieve the latest version of the layer to use with a lambda function in account B without having to open account A to see what version to use.
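The sharing pattern fred-vogt and anwickes describe, as an added example that is not code from this thread or from the provider's own documentation: account A publishes the layer and attaches a resource-based policy for one consumer account, and account B pins the versioned ARN exactly as the workaround above does. It assumes the `aws_lambda_layer_version_permission` resource available in current provider versions, and uses placeholder account IDs, region, role and artifact file names.

```hcl
# Account A (layer owner). All IDs and file names are constructed placeholders.
provider "aws" {
  alias  = "layer_owner"
  region = "eu-west-1"
}

resource "aws_lambda_layer_version" "shared" {
  provider            = aws.layer_owner
  layer_name          = "layer_name"
  filename            = "layer.zip"                     # placeholder artifact
  source_code_hash    = filebase64sha256("layer.zip")
  compatible_runtimes = ["python3.9"]
}

# Resource-based policy on this layer version. The only action a layer policy
# can carry is lambda:GetLayerVersion; grant it to one account, not "*".
resource "aws_lambda_layer_version_permission" "share_with_b" {
  provider       = aws.layer_owner
  layer_name     = aws_lambda_layer_version.shared.layer_name
  version_number = aws_lambda_layer_version.shared.version
  principal      = "222222222222"                       # placeholder: account B
  action         = "lambda:GetLayerVersion"
  statement_id   = "allow-account-b"
}

# Account B (consumer). Attaching the layer needs lambda:GetLayerVersion on the
# versioned ARN, which the policy above grants. ListLayerVersions, the call the
# aws_lambda_layer_version data source makes, cannot be granted through a layer
# policy, so the version is pinned instead of resolved as "latest".
provider "aws" {
  alias  = "consumer"
  region = "eu-west-1"
}

resource "aws_lambda_function" "consumer_fn" {
  provider      = aws.consumer
  function_name = "consumer_fn"
  role          = "arn:aws:iam::222222222222:role/consumer_fn_role"  # placeholder
  handler       = "app.handler"
  runtime       = "python3.9"
  filename      = "function.zip"                        # placeholder artifact
  layers        = [aws_lambda_layer_version.shared.arn] # versioned ARN (...:layer_name:1)
  depends_on    = [aws_lambda_layer_version_permission.share_with_b]
}
```

Bumping the layer means updating the pinned ARN in account B deliberately, which also keeps a newly published version from being picked up before it has been reviewed.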
