From 8afa82dba6dae698c11137d03fd46acc72111eef Mon Sep 17 00:00:00 2001 From: lwesche Date: Mon, 17 Jun 2024 16:05:13 -0700 Subject: [PATCH 1/5] Add removalPolicy option to LayerVersionPermission --- packages/aws-cdk-lib/aws-lambda/lib/layers.ts | 14 +++++++++++++- .../aws-cdk-lib/aws-lambda/test/layers.test.ts | 11 +++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-lambda/lib/layers.ts b/packages/aws-cdk-lib/aws-lambda/lib/layers.ts index 8fa00ec929949..09651f119b4da 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/layers.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/layers.ts @@ -101,12 +101,16 @@ abstract class LayerVersionBase extends Resource implements ILayerVersion { throw new Error(`OrganizationId can only be specified if AwsAccountId is '*', but it is ${permission.accountId}`); } - new CfnLayerVersionPermission(this, id, { + const cfnLayerVersionPermission = new CfnLayerVersionPermission(this, id, { action: 'lambda:GetLayerVersion', layerVersionArn: this.layerVersionArn, principal: permission.accountId, organizationId: permission.organizationId, }); + + if (permission.removalPolicy != null) { + cfnLayerVersionPermission.applyRemovalPolicy(permission.removalPolicy); + } } } @@ -126,6 +130,14 @@ export interface LayerVersionPermission { * Can only be specified if ``accountId`` is ``'*'`` */ readonly organizationId?: string; + + /** + * Whether to retain this permission when a new version is added + * or when the stack is deleted. + * + * @default null + */ + readonly removalPolicy?: RemovalPolicy; } /** diff --git a/packages/aws-cdk-lib/aws-lambda/test/layers.test.ts b/packages/aws-cdk-lib/aws-lambda/test/layers.test.ts index 47386596cebe2..bec14b5f3d4aa 100644 --- a/packages/aws-cdk-lib/aws-lambda/test/layers.test.ts +++ b/packages/aws-cdk-lib/aws-lambda/test/layers.test.ts 
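Review bot: A retained `AWS::Lambda::LayerVersionPermission` is a `lambda:GetLayerVersion` grant to another account, or with `accountId: '*'` to a whole organization, that keeps working on the superseded layer version after the layer is replaced or the stack is destroyed, and nothing in this stack can revoke it afterwards; the new `if` deserves a comment saying so, e.g. `// RETAIN leaves the grant on the old layer version after replacement or stack deletion; revoking it is then an out-of-band operation.` The guard only calls `applyRemovalPolicy` when a policy was given, so default behaviour is unchanged, but because `applyRemovalPolicy` sets both `DeletionPolicy` and `UpdateReplacePolicy` a caller cannot retain on replacement only — either state that in the option's doc or pass `applyToUpdateReplacePolicy` through if that is wanted. `RemovalPolicy` is referenced without an import hunk, so it is presumably already imported in `layers.ts`; confirm. The enclosing `addPermission` method begins before this hunk.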
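Review bot: `@default null` on the new `removalPolicy` field does not describe what happens when it is omitted; the convention in this library is `@default -` followed by the behaviour, e.g. `@default - the permission follows CloudFormation's default policy and is deleted when the resource is replaced or the stack is deleted`. The summary should also spell out the consequence of opting in: `RETAIN` leaves a grant to another account or organization on the superseded layer version that this stack no longer manages and cannot revoke, so the reader can weigh that before enabling it. The `LayerVersionPermission` interface begins before this hunk.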
@@ -41,6 +41,7 @@ describe('layers', () => { // WHEN layer.addPermission('GrantUsage-123456789012', { accountId: '123456789012' }); layer.addPermission('GrantUsage-o-123456', { accountId: '*', organizationId: 'o-123456' }); + layer.addPermission('GrantUsage-o-011235', { accountId: '*', organizationId: 'o-011235', removalPolicy: cdk.RemovalPolicy.RETAIN }); // THEN Template.fromStack(stack).hasResourceProperties('AWS::Lambda::LayerVersionPermission', { @@ -54,6 +55,16 @@ describe('layers', () => { Principal: '*', OrganizationId: 'o-123456', }); + Template.fromStack(stack).hasResource('AWS::Lambda::LayerVersionPermission', { + Properties: { + Action: 'lambda:GetLayerVersion', + LayerVersionArn: stack.resolve(layer.layerVersionArn), + Principal: '*', + OrganizationId: 'o-011235', + }, + UpdateReplacePolicy: cdk.CfnDeletionPolicy.RETAIN, + DeletionPolicy: cdk.CfnDeletionPolicy.RETAIN, + }); }); test('creating a layer with no runtimes compatible', () => { From f9f09fead937cb4a08704114cc54f51d05e8543b Mon Sep 17 00:00:00 2001 From: lwesche Date: Mon, 17 Jun 2024 17:12:34 -0700 Subject: [PATCH 2/5] Readme --- packages/aws-cdk-lib/aws-lambda/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/aws-cdk-lib/aws-lambda/README.md b/packages/aws-cdk-lib/aws-lambda/README.md index 6cb5a4244dede..42a40618dbe00 100644 --- a/packages/aws-cdk-lib/aws-lambda/README.md +++ b/packages/aws-cdk-lib/aws-lambda/README.md @@ -558,6 +558,8 @@ new lambda.LayerVersion(this, 'MyLayer', { }); ``` +The `addPermission()` function can be used to allow access to the layer version from other AWS accounts or AWS Organizations. You can also specify `removalPolicy: RemovalPolicy.RETAIN` as part of the LayerVersionPermission. That way when new layers versions are creatd, old versions remain accessable from other acconts. + ## Architecture Lambda functions, by default, run on compute systems that have the 64 bit x86 architecture. 
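Review bot: The new `hasResource` assertion covers only the `RETAIN` case; nothing checks that the two permissions added without `removalPolicy` are emitted without `DeletionPolicy`/`UpdateReplacePolicy`, so a regression that retained every grant by default would still pass this suite. Adding `Template.fromStack(stack).hasResource('AWS::Lambda::LayerVersionPermission', { Properties: { Principal: '123456789012' }, DeletionPolicy: Match.absent(), UpdateReplacePolicy: Match.absent() });` beside it pins the default (import `Match` from the assertions module if the file does not already have it). The test body continues outside both hunks.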
From 0142084d5cc54476348ce218c418971b5241e4aa Mon Sep 17 00:00:00 2001 From: lwesche Date: Mon, 17 Jun 2024 17:16:25 -0700 Subject: [PATCH 3/5] Add integration tests --- packages/aws-cdk-lib/aws-lambda/test/integ.layer-version.lit.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-lambda/test/integ.layer-version.lit.ts b/packages/aws-cdk-lib/aws-lambda/test/integ.layer-version.lit.ts index 989d749c6be2a..0d0ce69d87e8f 100644 --- a/packages/aws-cdk-lib/aws-lambda/test/integ.layer-version.lit.ts +++ b/packages/aws-cdk-lib/aws-lambda/test/integ.layer-version.lit.ts @@ -18,7 +18,7 @@ const layer = new lambda.LayerVersion(stack, 'MyLayer', { }); // To grant usage by other AWS accounts -layer.addPermission('remote-account-grant', { accountId: awsAccountId }); +layer.addPermission('remote-account-grant', { accountId: awsAccountId, removalPolicy: cdk.RemovalPolicy.RETAIN }); // To grant usage to all accounts in some AWS Ogranization // layer.grantUsage({ accountId: '*', organizationId }); From cd2b97886fa3687141ccb10eb1e56fefe4a23b7f Mon Sep 17 00:00:00 2001 From: lwesche Date: Tue, 18 Jun 2024 10:02:26 -0700 Subject: [PATCH 4/5] add integration test --- .../test/aws-lambda/test/integ.layer-version.lit.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.layer-version.lit.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.layer-version.lit.ts index 4ed7072d53dd0..0000bd07fe30b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.layer-version.lit.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.layer-version.lit.ts 
@@ -19,7 +19,7 @@ const layer = new lambda.LayerVersion(stack, 'MyLayer', { }); // To grant usage by other AWS accounts -layer.addPermission('remote-account-grant', { accountId: awsAccountId }); +layer.addPermission('remote-account-grant', { accountId: awsAccountId, removalPolicy: cdk.RemovalPolicy.RETAIN }); // To grant usage to all accounts in some AWS Ogranization // layer.grantUsage({ accountId: '*', organizationId }); From 786668ca64e3f9a0d578152c2e796409d86741be Mon Sep 17 00:00:00 2001 From: lwesche Date: Wed, 26 Jun 2024 09:51:09 -0700 Subject: [PATCH 5/5] undo integ tests (can't get them to work) --- .../test/aws-lambda/test/integ.layer-version.lit.ts | 2 +- packages/aws-cdk-lib/aws-lambda/test/integ.layer-version.lit.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.layer-version.lit.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.layer-version.lit.ts index 0000bd07fe30b..4ed7072d53dd0 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.layer-version.lit.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.layer-version.lit.ts @@ -19,7 +19,7 @@ const layer = new lambda.LayerVersion(stack, 'MyLayer', { }); // To grant usage by other AWS accounts -layer.addPermission('remote-account-grant', { accountId: awsAccountId, removalPolicy: cdk.RemovalPolicy.RETAIN }); +layer.addPermission('remote-account-grant', { accountId: awsAccountId }); // To grant usage to all accounts in some AWS Ogranization // layer.grantUsage({ accountId: '*', organizationId }); diff --git a/packages/aws-cdk-lib/aws-lambda/test/integ.layer-version.lit.ts b/packages/aws-cdk-lib/aws-lambda/test/integ.layer-version.lit.ts index 0d0ce69d87e8f..989d749c6be2a 100644 --- a/packages/aws-cdk-lib/aws-lambda/test/integ.layer-version.lit.ts +++ b/packages/aws-cdk-lib/aws-lambda/test/integ.layer-version.lit.ts 
@@ -18,7 +18,7 @@ const layer = new lambda.LayerVersion(stack, 'MyLayer', { }); // To grant usage by other AWS accounts -layer.addPermission('remote-account-grant', { accountId: awsAccountId, removalPolicy: cdk.RemovalPolicy.RETAIN }); +layer.addPermission('remote-account-grant', { accountId: awsAccountId }); // To grant usage to all accounts in some AWS Ogranization // layer.grantUsage({ accountId: '*', organizationId });
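Review bot: After this revert the series ships `removalPolicy` with no integration coverage; the only remaining test is the unit assertion, which proves the `DeletionPolicy`/`UpdateReplacePolicy` attributes are synthesized but not that a retained permission actually keeps the old layer version reachable after replacement, which is the behaviour the README now promises. The commit message says the integ tests could not be made to work; recording why (snapshot refresh, a missing `cdk` binding in the `.lit.ts` file, or a deploy failure) in the PR description would let a follow-up pick it up. Patch 4's identical change to the framework-integ copy of this file is reverted the same way in this patch's first hunk.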