hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Cross Account AWS Lambda Layers #12728

Open Arlington1985 opened 4 years ago

Arlington1985 commented 4 years ago


Description

Currently, it's not possible to specify Lambda layers from a different AWS account. In CloudFormation you can do it just by specifying the ARN of the layer. It might be with the exact version or without a version. But as of now, AWS has no capability to refer to cross-account Lambda layers without specifying a version.


Potential Terraform Configuration

resource "aws_lambda_layer_version" "lambda_layer" {
  arn = "arn:aws:lambda:eu-west-1:123456789012:layer:layer_name:1"

  compatible_runtimes = ["nodejs8.10"]
}


ewbankkit commented 4 years ago

Similar:

@Arlington1985 Thanks for raising this. arn (and layer_arn) are both Computed attributes so cannot be set for resource creation. Looking at the underlying Lambda API, layer_name could be an ARN but I don't think the way that resourceAwsLambdaLayerVersionParseId has been written would allow this.

Arlington1985 commented 4 years ago

Yes, you are right, instead of a resource it should be a data source, but even this doesn't work. But basically, I solved my problem just by specifying the ARN in the layers parameter of resource "aws_lambda_function".

resource "aws_lambda_function" "lambda_function" {
  ...
  layers = ["arn:aws:lambda:region:123456789012:layer:layer_name:version"]
  ...
}

Still, I think it should also work with referencing from data.

ewbankkit commented 4 years ago

The corresponding data source uses the ListLayerVersions API and it is unlikely that you would have permissions to call this on a 3rd-party layer. e.g. for Datadog:

$ aws --region us-west-2 lambda list-layer-versions --layer-name arn:aws:lambda:us-west-2:464622532012:layer:Datadog-Python37

An error occurred (AccessDeniedException) when calling the ListLayerVersions operation: User: arn:aws:iam::123456789012:user/kit is not authorized to perform: lambda:ListLayerVersions on resource: arn:aws:lambda:us-west-2:464622532012:layer:Datadog-Python37

Arlington1985 commented 4 years ago

With 3rd-party libs, it might be a problem, but if I am using just my own cross-account layer, then I will have the option to give any permission.

JoeHitchenXtract commented 4 years ago

The related issue which brought me here was trying to use the Scipy layer across multiple regions, because it seems both the region and the account number change in the ARN. I haven't yet found a good alternative to hardcoding the ARNs for the regions we want to use.

fred-vogt commented 4 years ago

AWS lambda layers support "resource level policies":

What is needed is similar to other resources that support attaching resource policies, such as ECR repository resource policies.

Seems there is already an enhancement request for this:
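As an added example (not code from this thread, the provider docs or HashiCorp), the two sides of the workaround described earlier in the thread: the layer owner attaches a resource-level policy to one layer version with the provider's `aws_lambda_layer_version_permission` resource, and the consuming account references the fully qualified layer ARN in `layers`. Account ids (111111111111 for the layer owner, 222222222222 for the consumer), the region, the layer name `shared_utils`, the execution role ARN and the zip file names are placeholders, and the two halves are applied from their respective accounts.

```hcl
# Added example, not from the issue thread. Placeholders: account A
# (111111111111) owns the layer, account B (222222222222) runs the function.

# ---------- applied in account A (layer owner) ----------
resource "aws_lambda_layer_version" "shared" {
  layer_name          = "shared_utils"   # placeholder layer name
  filename            = "layer.zip"      # placeholder build artifact
  compatible_runtimes = ["python3.9"]
}

# Resource-level policy on one layer version. The underlying API
# (AddLayerVersionPermission) only accepts lambda:GetLayerVersion, and the
# principal is the single consuming account rather than "*", so no other
# account can pull the layer. Every newly published version needs its own grant.
resource "aws_lambda_layer_version_permission" "allow_account_b" {
  layer_name     = aws_lambda_layer_version.shared.layer_arn # unversioned layer ARN
  version_number = aws_lambda_layer_version.shared.version
  principal      = "222222222222"
  action         = "lambda:GetLayerVersion"
  statement_id   = "AllowAccountB"
}

# ---------- applied in account B (function owner) ----------
resource "aws_lambda_function" "consumer" {
  function_name = "consumer"
  role          = "arn:aws:iam::222222222222:role/consumer-exec" # placeholder execution role
  filename      = "function.zip"                                  # placeholder artifact
  handler       = "app.handler"
  runtime       = "python3.9"

  # The entry must be the versioned layer ARN; an unversioned layer ARN is
  # rejected. Pinning the version also means a new layer build in account A
  # cannot change this function's dependencies until this line is changed.
  layers = ["arn:aws:lambda:eu-west-1:111111111111:layer:shared_utils:1"]
}
```

Two things worth knowing when applying this: the identity running `terraform apply` in account B also needs `lambda:GetLayerVersion` on that layer version ARN in its own IAM policy, because the layer policy only says which account may be granted access, and the layer policy cannot grant `lambda:ListLayerVersions`, which is the call the `aws_lambda_layer_version` data source makes. That is why the data source keeps failing cross-account even for a layer you own, regardless of the grant above.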

anwickes commented 1 year ago

Seems there is already an enhancement request for this:

My understanding of this issue is the inability to use the following data block to retrieve the latest version of a lambda layer that is shared from a different account.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lambda_layer_version.html

This would be handy where codebase A deploys a layer to account A and codebase B needs to retrieve the latest version of the layer to use with a lambda function in account B without having to open account A to see what version to use.
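As an added example (not from the thread or the provider's own documentation) of the codebase A / codebase B scenario just described: since the layer's resource policy cannot grant `lambda:ListLayerVersions`, codebase B performs the latest-version lookup as account A through a narrowly scoped cross-account role on an aliased provider, then uses the resulting versioned ARN for a function that stays in account B. The account ids, region, role names, layer name `shared_utils` and artifact file names are placeholders; the role definition is shown inline for completeness although it would be applied from account A.

```hcl
# Added example, not from the issue thread. Placeholders: account A
# (111111111111) owns the layer, account B (222222222222) runs the function.

# ---------- applied in account A: a read-only role that account B may assume ----------
resource "aws_iam_role" "layer_reader" {
  name = "layer-reader"

  # Trust policy: only account B may assume this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::222222222222:root" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Permissions: list and read versions of this one layer, nothing else.
resource "aws_iam_role_policy" "layer_reader" {
  role = aws_iam_role.layer_reader.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = ["lambda:ListLayerVersions", "lambda:GetLayerVersion"]
      Resource = [
        "arn:aws:lambda:eu-west-1:111111111111:layer:shared_utils",
        "arn:aws:lambda:eu-west-1:111111111111:layer:shared_utils:*",
      ]
    }]
  })
}

# ---------- applied in account B (codebase B) ----------
provider "aws" {
  region = "eu-west-1" # default provider: account B credentials
}

provider "aws" {
  alias  = "layer_owner"
  region = "eu-west-1"
  assume_role {
    role_arn     = "arn:aws:iam::111111111111:role/layer-reader"
    session_name = "codebase-b-layer-lookup"
  }
}

# Resolved as account A, so ListLayerVersions is authorized; returns the
# latest version of the layer unless a version is specified.
data "aws_lambda_layer_version" "shared" {
  provider   = aws.layer_owner
  layer_name = "shared_utils"
}

resource "aws_lambda_function" "consumer" {
  function_name = "consumer"
  role          = "arn:aws:iam::222222222222:role/consumer-exec" # placeholder execution role
  filename      = "function.zip"                                  # placeholder artifact
  handler       = "app.handler"
  runtime       = "python3.9"

  # Versioned ARN from the lookup, e.g.
  # arn:aws:lambda:eu-west-1:111111111111:layer:shared_utils:7
  # Account A must still have granted lambda:GetLayerVersion on that
  # version to account B via the layer's resource policy.
  layers = [data.aws_lambda_layer_version.shared.arn]
}

# Surface the version actually attached, so a plan shows layer upgrades.
output "layer_version_in_use" {
  value = data.aws_lambda_layer_version.shared.version
}
```

The design trade-off is that "latest version" is resolved at plan time, so every `terraform plan` in codebase B may pick up a new layer published by codebase A; the output above makes that visible in the plan diff, and passing `version` to the data source instead turns it back into an explicit, reviewable pin.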