lambda: add removalPolicy option to LayerVersionPermission #30686

Open
1 of 2 tasks
lewesche opened this issue Jun 26, 2024 · 0 comments · May be fixed by #30578
Labels
@aws-cdk/aws-lambda Related to AWS Lambda effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Comments

@lewesche

Describe the feature

Change LayerVersionPermission to take an optional RemovalPolicy

Use Case

My use case involves publishing a lambda layer consumed by a library. Users may be on different library versions, meaning they may be on different layer versions. These users need to be able to access the layer from different accounts across my organization.

At first I added resource permissions to the layer by calling ILayerVersion.addPermission(). However I noticed that when new layers were published, old layers lost their resource permissions. I confirmed this with the cli: aws lambda get-layer-version-policy --layer-name ... --version-number ....

Looking at the I was able to fix the behavior by manually constructing the CfnLayerVersionPermission instead of using the top level addPermission() function:

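    // Imports this fragment needs; the rest runs inside a Stack/Construct, where `this` is the scope.
    import * as cdk from 'aws-cdk-lib';
    import { CfnLayerVersionPermission } from 'aws-cdk-lib/aws-lambda';

    // Grant lambda:GetLayerVersion on this layer version to every account in the organization.
    const orgPermission = new CfnLayerVersionPermission(this, "qualtricsOrgPermissionAmd64", {
      action: 'lambda:GetLayerVersion',
      layerVersionArn: lambdaLayer.layerVersionArn,
      principal: '*',
      organizationId: constants.ORG_ID,
    });
    // Keep the permission on the old layer version when the resource is replaced or removed.
    orgPermission.applyRemovalPolicy(cdk.RemovalPolicy.RETAIN);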

This added "UpdateReplacePolicy": "Retain", "DeletionPolicy": "Retain" to the CloudFormation template (according to this documentation, both are required). That fixed my issue, but it's an ugly solution that was difficult to come up with. I'd like to be able to use addPermission().

Proposed Solution

I have a PR for the change here, thanks! #30578

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.140.0

Environment details (OS name and version, etc.)

Mac OS 14.5 Sonoma

@lewesche lewesche added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jun 26, 2024
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Jun 26, 2024
@ashishdhingra ashishdhingra added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jun 28, 2024
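
Added example, not part of the issue or of aws-cdk: a check over a synthesized CloudFormation template that reports every AWS::Lambda::LayerVersionPermission missing either retain attribute described above, and any that uses principal '*' without an organization ID. The function name, the finding shape and the sample template (ARNs, organization ID, logical IDs) are constructed for illustration.

```typescript
// Added example: audit layer permissions in a synthesized template.
type CfnResource = {
  Type: string;
  Properties?: Record<string, unknown>;
  DeletionPolicy?: string;
  UpdateReplacePolicy?: string;
};
type CfnTemplate = { Resources: Record<string, CfnResource> };
interface Finding { logicalId: string; problem: string }

const PERMISSION_TYPE = 'AWS::Lambda::LayerVersionPermission';

// Hypothetical helper: returns one finding per problem, in template order.
function auditLayerPermissions(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== PERMISSION_TYPE) continue;
    // The issue reports that both attributes are needed for old versions to keep access.
    for (const attr of ['DeletionPolicy', 'UpdateReplacePolicy'] as const) {
      if (res[attr] !== 'Retain') findings.push({ logicalId, problem: `${attr} is not Retain` });
    }
    // Principal '*' is only scoped to the organization when OrganizationId is set.
    const props = res.Properties ?? {};
    if (props['Principal'] === '*' && !props['OrganizationId']) {
      findings.push({ logicalId, problem: 'Principal * without OrganizationId' });
    }
  }
  return findings;
}

// Constructed sample input (not taken from a real stack).
const arn = 'arn:aws:lambda:us-east-1:111122223333:layer:example:1';
const base = { Action: 'lambda:GetLayerVersion', LayerVersionArn: arn, Principal: '*' };
const sampleTemplate: CfnTemplate = {
  Resources: {
    Layer: { Type: 'AWS::Lambda::LayerVersion' },
    DefaultPermission: { Type: PERMISSION_TYPE,
      Properties: { ...base, OrganizationId: 'o-exampleorgid' } },
    RetainedPermission: { Type: PERMISSION_TYPE,
      Properties: { ...base, OrganizationId: 'o-exampleorgid' },
      DeletionPolicy: 'Retain', UpdateReplacePolicy: 'Retain' },
    PublicPermission: { Type: PERMISSION_TYPE, Properties: { ...base },
      DeletionPolicy: 'Retain', UpdateReplacePolicy: 'Retain' },
  },
};

console.log(auditLayerPermissions(sampleTemplate));
```

Run against the JSON that `cdk synth` writes for the stack, it can gate a deployment on an empty findings list.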