aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

Unable to update Lambda Layer permissions #8898

Open josefaidt opened 2 years ago

josefaidt commented 2 years ago

How did you install the Amplify CLI?

pnpm add -g @aws-amplify/cli

If applicable, what version of Node.js are you using?

v16.13.0

Amplify CLI Version

7.3.3

What operating system are you using?

Mac

Amplify Categories

function

Amplify Commands

update

Describe the bug

After upgrading the CLI to the latest version (7.3.3), I am unable to update Lambda layer permissions for a layer created with a previous version of the CLI (6.3.1).

A few observation notes:

Expected behavior

CLI should update the layer accordingly

Reproduction steps

  1. Using Amplify CLI v6.3.1, create a lambda layer:

    > amplify add function
    ⚠️ Amplify command hooks are disabled in the current execution environment.
    ⚠️ See https://docs.amplify.aws/cli/usage/command-hooks/ for more information.
    ? Select which capability you want to add: Lambda layer (shared code & resource used across functions)
    ? Provide a name for your Lambda layer: layer2465d15f
    ? Choose the runtime that you want to use: NodeJS
    ? The current AWS account will always have access to this layer.
    Optionally, configure who else can access this layer. (Hit <Enter> to skip) Public
    ✅ Lambda layer folders & files created:
    amplify/backend/function/8525layerslayer2465d15f
    
    Next steps:
    Move your libraries to the following folder:
    
    Include any files you want to share across runtimes in this folder:
    amplify/backend/function/8525layerslayer2465d15f/opt
    
    "amplify function update <function-name>" - configure a function with this Lambda layer
    "amplify push" - builds all of your local backend resources and provisions them in the cloud
  2. Push new layer: `amplify push -y`
  3. Upgrade to latest version of CLI: `pnpm add -g @aws-amplify/cli@latest`
  4. Attempt to update lambda layer permissions:

    > amplify update function
    ⚠️ Amplify command hooks are disabled in the current execution environment.
    ⚠️ See https://docs.amplify.aws/cli/usage/command-hooks/ for more information.
    ? Do you want to adjust layer version permissions? Yes
    ? Select the layer version to update: Future layer versions
    ? The current AWS account will always have access to this layer.
    Optionally, configure who else can access this layer. (Hit <Enter> to skip) Specific AWS accounts, Public
    ? Provide a list of comma-separated AWS account IDs: xxxxxxxx
  5. Observe CLI exits with no clear indication of failed or successful update; running `amplify status -v` shows no changes

    > amplify status -v
    ⚠️ Amplify command hooks are disabled in the current execution environment.
    ⚠️ See https://docs.amplify.aws/cli/usage/command-hooks/ for more information.
    
        Current Environment: dev
    
    ┌──────────┬─────────────────────────┬───────────┬───────────────────┐
    │ Category │ Resource name           │ Operation │ Provider plugin   │
    ├──────────┼─────────────────────────┼───────────┼───────────────────┤
    │ Function │ 8525layerslayer2465d15f │ No Change │ awscloudformation │
    └──────────┴─────────────────────────┴───────────┴───────────────────┘


sachscode commented 2 years ago

Need more clarity on the problem:

  1. Option: "Future layer versions" is the default configuration, hence there is no visible change. This also means that config changes are applied to future lambda layers.
  2. Validated: Add Lambda Layer with 6.3.1 and update lambda layer permission for the existing layer with the latest (7.5.5) works as expected.

sachscode commented 2 years ago

The feature functionality works fine. Tested the following flows:

  1. Create lambda layer, add 2 accounts (aws1, aws2).
  2. Update lambda layer, replace the above 2 accounts with a third account (aws3). Push and validate in the layer-configs.
  3. Update lambda layer and "un-select" the AWS account option (this removed the account aws3), and push.

All flows worked fine.

UX issues:

  1. Remove the "- Access permissions: Maintain existing permissions" prompt when only permissions for future revisions are updated. This prompt is confusing, since it refers to the current layer instead of future layers.
  2. When "public" access is enabled on the lambda layer, disable addition and removal of AWS accounts in the update walkthrough.
  3. amplify -status -v: Needs to be updated to query layer-configuration.json, since layers do not update CloudFormation on every permission update.
  4. AWS Lambda console doesn't show any information for account permissions added for the lambda layers. This needs to be updated.
  5. amplify status should show the lambda layers and access accounts.
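
Added example, not part of the original thread or the Amplify CLI's code: because the status output discussed above does not reflect layer permissions, the resource policy returned by `aws lambda get-layer-version-policy` can be parsed to see who actually has access to a layer version. The sample response, account IDs and organization ID are constructed placeholders, and `summarize_layer_access` and `drift` are hypothetical helper names.

```python
import json
import re

# Constructed sample shaped like `aws lambda get-layer-version-policy` output.
# The account IDs, organization ID and layer ARN are placeholders.
ARN = "arn:aws:lambda:us-east-1:999999999999:layer:example-layer:3"
SAMPLE_RESPONSE = {"RevisionId": "constructed", "Policy": json.dumps({"Statement": [
    {"Sid": "acct", "Effect": "Allow", "Action": "lambda:GetLayerVersion",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Resource": ARN},
    {"Sid": "org", "Effect": "Allow", "Action": "lambda:GetLayerVersion",
     "Principal": "*", "Resource": ARN,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg1"}}},
    {"Sid": "public", "Effect": "Allow", "Action": "lambda:GetLayerVersion",
     "Principal": "*", "Resource": ARN},
]})}


def as_list(value):
    return value if isinstance(value, list) else [value]


def summarize_layer_access(response):
    """Classify each Allow statement as public, organization-scoped or per-account."""
    statements = as_list(json.loads(response["Policy"]).get("Statement", []))
    summary = {"public": False, "orgs": set(), "accounts": set()}
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal in ("*", {"AWS": "*"}):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            orgs = as_list(cond.get("aws:PrincipalOrgID", []))
            summary["orgs"].update(orgs)
            # A wildcard principal with no organization condition is public.
            summary["public"] = summary["public"] or not orgs
            continue
        entries = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for entry in as_list(entries or []):
            summary["accounts"].update(re.findall(r"\b\d{12}\b", entry))
    return summary


def drift(summary, expected_accounts, expect_public=False):
    """List differences between the live policy and the intended grants."""
    expected = set(expected_accounts)
    findings = ["unexpected public access"] if summary["public"] and not expect_public else []
    findings += [f"unexpected account {a}" for a in sorted(summary["accounts"] - expected)]
    findings += [f"missing account {a}" for a in sorted(expected - summary["accounts"])]
    return findings
```

Running `drift` against each published layer version after `amplify push` shows whether a permission change actually reached the deployed policy.
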

sachscode commented 2 years ago

Moved issue to feature request to address UX upgrades

n-ae commented 1 year ago

Do note that this is the error yielded when such a layer doesn't exist in that region, i.e.:

    An error occurred (AccessDeniedException) when calling the UpdateFunctionConfiguration operation: User: arn:aws:iam::***:user/{username} is not authorized to perform: lambda:GetLayerVersion on resource: arn:aws:lambda:us-east-1:015030872274:layer:AWS-Parameters-and-Secrets-Lambda-Extension:4 because no resource-based policy allows the lambda:GetLayerVersion action

Pay special attention to the fact that account IDs may differ for the same AWS-managed Lambda layer from region to region.
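
Added example, not part of the original thread: a pre-deployment check for the failure described in the comment above, which pulls the layer ARN out of the error text and compares its region and owning account with the function's. The function region and account passed in are assumptions, and the helper names are hypothetical.

```python
import re

# Error text as quoted in the comment above (user ARN already masked there).
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the "
    "UpdateFunctionConfiguration operation: User: arn:aws:iam::***:user/{username} "
    "is not authorized to perform: lambda:GetLayerVersion on resource: "
    "arn:aws:lambda:us-east-1:015030872274:layer:"
    "AWS-Parameters-and-Secrets-Lambda-Extension:4 because no resource-based "
    "policy allows the lambda:GetLayerVersion action"
)

DENIED = re.compile(r"lambda:GetLayerVersion on resource: (?P<arn>\S+)")
LAYER_ARN = re.compile(
    r"^arn:aws[a-z-]*:lambda:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":layer:(?P<name>[A-Za-z0-9_-]+):(?P<version>\d+)$"
)


def layer_arn_from_denial(message):
    """Return the layer version ARN named in a GetLayerVersion denial, or None."""
    match = DENIED.search(message)
    return match["arn"] if match else None


def lint_layers(function_region, function_account, layer_arns):
    """Flag layer ARNs that need attention, as (arn, reason) pairs."""
    findings = []
    for arn in layer_arns:
        parsed = LAYER_ARN.match(arn)
        if not parsed:
            findings.append((arn, "not a layer version ARN"))
        elif parsed["region"] != function_region:
            findings.append((arn, f"region mismatch: layer in {parsed['region']}, "
                                  f"function in {function_region}"))
        elif parsed["account"] != function_account:
            # Another account owns the layer, so its resource policy must grant access.
            findings.append((arn, f"cross-account: owner {parsed['account']} must "
                                  "allow lambda:GetLayerVersion"))
    return findings
```
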