update error mapping to catch when Lambda layer ARN regions do not match function region (#2216)

rtpascual · web-flow · commit 12cf20928722 · 2024-11-11T12:54:49.000-08:00
* Revert "add validation if layer arn region does not match function region (#2188)" This reverts commit 4e97389. * update error mapping to catch when Lambda layer ARN regions do not match function region * update changeset
diff --git a/.changeset/violet-tools-clap.md b/.changeset/violet-tools-clap.md
@@ -0,0 +1,7 @@
+---
+'@aws-amplify/backend': patch
+'@aws-amplify/backend-deployer': patch
+'@aws-amplify/backend-function': patch
+---
+
+update error mapping to catch when Lambda layer ARN regions do not match function region
diff --git a/packages/backend-deployer/src/cdk_error_mapper.test.ts b/packages/backend-deployer/src/cdk_error_mapper.test.ts
@@ -380,6 +380,12 @@ const testErrorMappings = [
     errorName: 'MissingDefineBackendError',
     expectedDownstreamErrorMessage: undefined,
   },
+  {
+    errorMessage: `User: <bootstrap-exec-role-arn> is not authorized to perform: lambda:GetLayerVersion on resource: <resource-arn> because no resource-based policy allows the lambda:GetLayerVersion action`,
+    expectedTopLevelErrorMessage: 'Unable to get Lambda layer version',
+    errorName: 'GetLambdaLayerVersionError',
+    expectedDownstreamErrorMessage: undefined,
+  },
 ];
 
 void describe('invokeCDKCommand', { concurrency: 1 }, () => {
diff --git a/packages/backend-deployer/src/cdk_error_mapper.ts b/packages/backend-deployer/src/cdk_error_mapper.ts
@@ -196,6 +196,15 @@ export class CdkErrorMapper {
       errorName: 'MultipleSandboxInstancesError',
       classification: 'ERROR',
     },
+    {
+      errorRegex:
+        /User:(.*) is not authorized to perform: lambda:GetLayerVersion on resource:(.*) because no resource-based policy allows the lambda:GetLayerVersion action/,
+      humanReadableErrorMessage: 'Unable to get Lambda layer version',
+      resolutionMessage:
+        'Make sure layer ARNs are correct and layer regions match function region',
+      errorName: 'GetLambdaLayerVersionError',
+      classification: 'ERROR',
+    },
     {
       // Also extracts the first line in the stack where the error happened
       errorRegex: new RegExp(
@@ -360,4 +369,5 @@ export type CDKDeploymentError =
   | 'FileConventionError'
   | 'ModuleNotFoundError'
   | 'SecretNotSetError'
-  | 'SyntaxError';
+  | 'SyntaxError'
+  | 'GetLambdaLayerVersionError';
diff --git a/packages/backend-function/src/factory.test.ts b/packages/backend-function/src/factory.test.ts
@@ -17,7 +17,6 @@ import { NodeVersion, defineFunction } from './factory.js';
 import { lambdaWithDependencies } from './test-assets/lambda-with-dependencies/resource.js';
 import { Runtime } from 'aws-cdk-lib/aws-lambda';
 import { Policy, PolicyStatement } from 'aws-cdk-lib/aws-iam';
-import { AmplifyUserError } from '@aws-amplify/platform-core';
 
 const createStackAndSetContext = (): Stack => {
   const app = new App();
@@ -412,38 +411,6 @@ void describe('AmplifyFunctionFactory', () => {
     });
   });
 
-  void describe('layers property', () => {
-    void it('defaults to no layers', () => {
-      const lambda = defineFunction({
-        entry: './test-assets/default-lambda/handler.ts',
-      }).getInstance(getInstanceProps);
-      const template = Template.fromStack(lambda.stack);
-
-      template.resourceCountIs('AWS::Lambda::LayerVersion', 0);
-    });
-
-    void it('throws if layer arn region is not the same as function region', () => {
-      assert.throws(
-        () =>
-          defineFunction({
-            entry: './test-assets/default-lambda/handler.ts',
-            layers: {
-              layer1:
-                'arn:aws:lambda:some-region:123456789012:layer:my-layer-1:1',
-            },
-          }).getInstance(getInstanceProps),
-        (error: AmplifyUserError) => {
-          assert.strictEqual(
-            error.message,
-            'Region in ARN does not match function region for layer: layer1'
-          );
-          assert.ok(error.resolution);
-          return true;
-        }
-      );
-    });
-  });
-
   void describe('minify property', () => {
     void it('sets minify to false', () => {
       const lambda = defineFunction({
diff --git a/packages/backend-function/src/factory.ts b/packages/backend-function/src/factory.ts
@@ -23,11 +23,16 @@ import {
   SsmEnvironmentEntry,
   StackProvider,
 } from '@aws-amplify/plugin-types';
-import { Duration, Lazy, Stack, Tags, Token } from 'aws-cdk-lib';
+import { Duration, Stack, Tags } from 'aws-cdk-lib';
 import { Rule } from 'aws-cdk-lib/aws-events';
 import * as targets from 'aws-cdk-lib/aws-events-targets';
 import { Policy } from 'aws-cdk-lib/aws-iam';
-import { CfnFunction, LayerVersion, Runtime } from 'aws-cdk-lib/aws-lambda';
+import {
+  CfnFunction,
+  ILayerVersion,
+  LayerVersion,
+  Runtime,
+} from 'aws-cdk-lib/aws-lambda';
 import { NodejsFunction, OutputFormat } from 'aws-cdk-lib/aws-lambda-nodejs';
 import { Construct } from 'constructs';
 import { readFileSync } from 'fs';
@@ -345,10 +350,19 @@ class FunctionGenerator implements ConstructContainerEntryGenerator {
     scope,
     backendSecretResolver,
   }: GenerateContainerEntryProps) => {
+    // resolve layers to LayerVersion objects for the NodejsFunction constructor using the scope.
+    const resolvedLayers = Object.entries(this.props.layers).map(([key, arn]) =>
+      LayerVersion.fromLayerVersionArn(
+        scope,
+        `${this.props.name}-${key}-layer`,
+        arn
+      )
+    );
+
     return new AmplifyFunction(
       scope,
       this.props.name,
-      this.props,
+      { ...this.props, resolvedLayers },
       backendSecretResolver,
       this.outputStorageStrategy
     );
@@ -368,39 +382,14 @@ class AmplifyFunction
   constructor(
     scope: Construct,
     id: string,
-    props: HydratedFunctionProps,
+    props: HydratedFunctionProps & { resolvedLayers: ILayerVersion[] },
     backendSecretResolver: BackendSecretResolver,
     outputStorageStrategy: BackendOutputStorageStrategy<FunctionOutput>
   ) {
     super(scope, id);
 
     this.stack = Stack.of(scope);
 
-    // resolve layers to LayerVersion objects for the NodejsFunction constructor using the scope.
-    const resolvedLayers = Object.entries(props.layers).map(([key, arn]) => {
-      const layerRegion = arn.split(':')[3];
-      // If region is an unresolved token, use lazy to get region
-      const region = Token.isUnresolved(this.stack.region)
-        ? Lazy.string({
-            produce: () => this.stack.region,
-          })
-        : this.stack.region;
-
-      if (layerRegion !== region) {
-        throw new AmplifyUserError('InvalidLayerArnRegionError', {
-          message: `Region in ARN does not match function region for layer: ${key}`,
-          resolution:
-            'Update the layer ARN with the same region as the function',
-        });
-      }
-
-      return LayerVersion.fromLayerVersionArn(
-        scope,
-        `${props.name}-${key}-layer`,
-        arn
-      );
-    });
-
     const runtime = nodeVersionMap[props.runtime];
 
     const require = createRequire(import.meta.url);
@@ -443,7 +432,7 @@ class AmplifyFunction
         timeout: Duration.seconds(props.timeoutSeconds),
         memorySize: props.memoryMB,
         runtime: nodeVersionMap[props.runtime],
-        layers: resolvedLayers,
+        layers: props.resolvedLayers,
         bundling: {
           ...props.bundling,
           banner: bannerCode,
diff --git a/packages/backend-function/src/layer_parser.test.ts b/packages/backend-function/src/layer_parser.test.ts
@@ -20,7 +20,7 @@ const createStackAndSetContext = (): Stack => {
   app.node.setContext('amplify-backend-name', 'testEnvName');
   app.node.setContext('amplify-backend-namespace', 'testBackendId');
   app.node.setContext('amplify-backend-type', 'branch');
-  const stack = new Stack(app, 'Stack', { env: { region: 'us-east-1' } });
+  const stack = new Stack(app);
   return stack;
 };
 
