Add Lambda layer resource policy

- Fixes permission issues with pulling our lambda layers
logzio · Jun 16, 2024 · 81da949 · 81da949
1 parent eb325c6
commit 81da949
Showing 1 changed file with 23 additions and 5 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -29,13 +29,22 @@ jobs:
       - name: Deploy Layer to AWS region ${{ matrix.aws-region }}
         working-directory: ./logzio-lambda-extensions-logs/bin
         run: |
-          aws lambda publish-layer-version \
+          LAYER_VERSION=$(aws lambda publish-layer-version \
           --layer-name LogzioLambdaExtensionLogs \
           --description "Extension for shipping Lambda logs to Logz.io ${{ github.event.release.tag_name }}." \
           --zip-file "fileb://extension.zip" \
           --region ${{ matrix.aws-region }} \
           --compatible-runtimes dotnet8 python3.12 provided.al2023 dotnet6 java11 java17 java8.al2 nodejs16.x nodejs18.x python3.10 python3.11 python3.8 python3.9 ruby3.2 provided.al2 \
-          --compatible-architectures x86_64
+          --compatible-architectures x86_64 \
+          --output text --query 'Version')
+
+          aws lambda add-layer-version-permission \
+          --layer-name LogzioLambdaExtensionLogs \
+          --version-number $LAYER_VERSION \
+          --statement-id public-access-statement \
+          --principal '*' \
+          --action lambda:GetLayerVersion \
+          --region ${{ matrix.aws-region }}
 
       # ARM Build
       - name: Build ARM ZIP File
@@ -44,10 +53,19 @@ jobs:
       - name: Deploy ARM Layer to AWS region ${{ matrix.aws-region }}
         working-directory: ./logzio-lambda-extensions-logs/bin
         run: |
-          aws lambda publish-layer-version \
+          LAYER_VERSION=$(aws lambda publish-layer-version \
           --layer-name LogzioLambdaExtensionLogsArm \
-          --description "Extension for shipping Lambda logs to Logz.io $ {{ github.event.release.tag_name }}, for arm64 architecture." \
+          --description "Extension for shipping Lambda logs to Logz.io ${{ github.event.release.tag_name }}, for arm64 architecture." \
           --zip-file "fileb://extension.zip" \
           --region ${{ matrix.aws-region }} \
           --compatible-runtimes dotnet8 python3.12 provided.al2023 dotnet6 java11 java17 java8.al2 nodejs16.x nodejs18.x python3.10 python3.11 python3.8 python3.9 ruby3.2 provided.al2 \
-          --compatible-architectures arm64
+          --compatible-architectures arm64 \
+          --output text --query 'Version')
+
+          aws lambda add-layer-version-permission \
+          --layer-name LogzioLambdaExtensionLogs \
+          --version-number $LAYER_VERSION \
+          --statement-id public-access-statement \
+          --principal '*' \
+          --action lambda:GetLayerVersion \
+          --region ${{ matrix.aws-region }}