Open regexj-twinkl opened 1 week ago
This makes sense, but I don't think the team has bandwidth in the next couple months to tackle this with everything else going on, so going to backlog this. PRs are welcome if you'd like to help out in the meantime!
Problem Statement
In updating our lambdas to use lambda code-signing I've run into the issue that the Sentry lambda layer is not signed and therefore cannot be used in a code-signed lambda.
Please release a code-signed lambda layer and, with it, the version_arn of the signing profile, so that we can use the lambda layer in code-signed lambdas.
Solution Brainstorm
See here for reference: https://aws.amazon.com/blogs/security/best-practices-and-advanced-patterns-for-lambda-code-signing/
In particular, if you scroll down to the section about using lambda layers in code-signed lambdas, it is possible so long as the layer is signed and the code signing config includes the signing profile version ARN of the publisher in the allowed publishers.
In Terraform we would have something like this:
On this page where you share the arn of the lambda layer, it could also include the version_arn of the signing profile: https://docs.sentry.io/platforms/javascript/guides/aws-lambda/layer/
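The pattern the linked AWS post describes, wired up in Terraform, as an added example that is not code from the issue, from Sentry, or from AWS. It assumes Sentry publishes a signed layer together with the version_arn of the signing profile that signed it; both `local.sentry_*` values are placeholders, as are the `var.*` inputs (artifact bucket, S3 object version of the unsigned zip, execution role). The function's own package is signed with a profile we own, and both publishers are listed in one code signing config:

```hcl
# Added example, not from the issue, Sentry, or AWS. The Sentry values below
# are placeholders for what the layer docs page would need to publish.

variable "artifact_bucket" { type = string }     # bucket holding unsigned/app.zip
variable "unsigned_version_id" { type = string } # S3 object version of unsigned/app.zip
variable "lambda_role_arn" { type = string }     # execution role for the function

locals {
  # Placeholders: the layer ARN Sentry already documents, and the signing
  # profile version ARN it would document next to it.
  sentry_layer_arn                   = "arn:aws:lambda:us-east-1:000000000000:layer:SentryNodeServerlessSDK:1"
  sentry_signing_profile_version_arn = "arn:aws:signer:us-east-1:000000000000:/signing-profiles/SentryLambdaLayer/PLACEHOLDER"
}

# Our own signing profile for the function code. Lambda code signing only
# accepts profiles on the AWSLambda-SHA384-ECDSA platform.
resource "aws_signer_signing_profile" "app" {
  platform_id = "AWSLambda-SHA384-ECDSA"
  name_prefix = "app_"
}

# Sign the unsigned deployment package; the signed zip is written under
# signed/ in the same bucket and referenced by the function below.
resource "aws_signer_signing_job" "app" {
  profile_name = aws_signer_signing_profile.app.name

  source {
    s3 {
      bucket  = var.artifact_bucket
      key     = "unsigned/app.zip"
      version = var.unsigned_version_id
    }
  }

  destination {
    s3 {
      bucket = var.artifact_bucket
      prefix = "signed/"
    }
  }

  ignore_signing_job_failure = false
}

# Every publisher that contributes code to the function, the package itself
# and each layer version, must be listed here by signing profile *version* ARN.
resource "aws_lambda_code_signing_config" "app" {
  description = "Function code signed by us, Sentry layer signed by Sentry"

  allowed_publishers {
    signing_profile_version_arns = [
      aws_signer_signing_profile.app.version_arn,
      local.sentry_signing_profile_version_arn, # placeholder; without it the layer is rejected
    ]
  }

  # Enforce rejects a deployment whose artifact has no valid signature from an
  # allowed publisher. Warn is the weaker setting: it deploys anyway and only
  # records a warning, so an unsigned layer would slip through.
  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }
}

resource "aws_lambda_function" "app" {
  function_name = "app"
  role          = var.lambda_role_arn
  runtime       = "nodejs18.x"
  handler       = "index.handler"

  s3_bucket = aws_signer_signing_job.app.signed_object[0].s3[0].bucket
  s3_key    = aws_signer_signing_job.app.signed_object[0].s3[0].key

  code_signing_config_arn = aws_lambda_code_signing_config.app.arn

  # With a code signing config attached, this layer version must itself be a
  # signed artifact from a listed publisher. Today the Sentry layer is not,
  # so this apply fails under Enforce until a signed layer exists.
  layers = [local.sentry_layer_arn]
}
```

Two things to check before relying on this. The allowed-publishers entry is a profile *version* ARN, not the profile ARN, so if Sentry ever rotates its signing profile, the new version_arn has to be added before a layer signed with it will deploy. And the config must be attached to the function (`code_signing_config_arn`) before any layer check happens; a function without it accepts the unsigned layer silently, which is the state the issue is trying to move away from.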