lambda layers

src/aws.go

@@ -268,6 +268,8 @@ func GetAWSResourcePermissions(result ResourceV2) ([]string, error) {
 		"aws_glacier_vault_lock":                             awsGlacierVaultLock,
 		"aws_glacier_vault":                                  awsGlacierVault,
 		"aws_dlm_lifecycle_policy":                           awsDlmLifecyclePolicy,
+		"aws_lambda_layer_version":                           awsLambdaLayerVersion,
+		"aws_lambda_layer_version_permission":                awsLambdaLayerVersionPermission,
 	}
 
 	var Permissions []string

src/files.go

@@ -654,3 +654,9 @@ var awsGlacierVault []byte
 
 //go:embed mapping/aws/resource/dlm/aws_dlm_lifecycle_policy.json
 var awsDlmLifecyclePolicy []byte
+
+//go:embed mapping/aws/resource/lambda/aws_lambda_layer_version.json
+var awsLambdaLayerVersion []byte
+
+//go:embed mapping/aws/resource/lambda/aws_lambda_layer_version_permission.json
+var awsLambdaLayerVersionPermission []byte

src/mapping/aws/resource/lambda/aws_lambda_layer_version.json

@@ -0,0 +1,21 @@
+[
+  {
+    "apply": [
+      "ec2:DescribeAccountAttributes",
+      "lambda:GetLayerVersion",
+      "lambda:PublishLayerVersion",
+      "lambda:DeleteLayerVersion"
+    ],
+    "attributes": {
+      "s3_bucket": [
+        "s3:GetObject"
+      ],
+      "tags": []
+    },
+    "destroy": [
+      "lambda:DeleteLayerVersion"
+    ],
+    "modify": [],
+    "plan": []
+  }
+]

src/mapping/aws/resource/lambda/aws_lambda_layer_version_permission.json

@@ -0,0 +1,18 @@
+[
+  {
+    "apply": [
+      "ec2:DescribeAccountAttributes",
+      "lambda:AddLayerVersionPermission",
+      "lambda:RemoveLayerVersionPermission",
+      "lambda:GetLayerVersionPolicy"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "lambda:RemoveLayerVersionPermission"
+    ],
+    "modify": [],
+    "plan": []
+  }
+]

terraform/aws/backup/aws_lambda_layer_version.tf

@@ -0,0 +1,10 @@
+resource "aws_lambda_layer_version" "pike" {
+  s3_bucket           = "testbucketineu-west2"
+  s3_key              = "bin.zip"
+  layer_name          = "pike"
+  compatible_runtimes = ["go1.x"]
+}
+
+output "layer" {
+  value = aws_lambda_layer_version.pike
+}

terraform/aws/backup/aws_lambda_layer_version_permission.tf

@@ -0,0 +1,9 @@
+resource "aws_lambda_layer_version_permission" "pike" {
+  action         = "lambda:GetLayerVersion"
+  layer_name     = aws_lambda_layer_version.pike.layer_name
+  principal      = data.aws_caller_identity.current.account_id
+  statement_id   = "anything"
+  version_number = aws_lambda_layer_version.pike.version
+}
+
+data "aws_caller_identity" "current" {}

terraform/aws/role/aws_iam_policy.basic.tf

@@ -7,16 +7,17 @@ resource "aws_iam_policy" "basic" {
         "Sid" : "0",
         "Effect" : "Allow",
         "Action" : [
-          "dlm:UntagResource",
-          "dlm:CreateLifecyclePolicy",
-          "dlm:UpdateLifecyclePolicy",
-          "dlm:DeleteLifecyclePolicy",
           "ec2:DescribeAccountAttributes",
-          "dlm:TagResource",
-          "dlm:GetLifecyclePolicy",
-          "dlm:ListTagsForResource",
-          "kms:ListAliases",
-          "kms:DescribeKey",
+          "lambda:GetLayerVersion",
+          "lambda:PublishLayerVersion",
+          "lambda:DeleteLayerVersion",
+          "s3:GetObject",
+
+          "ec2:DescribeAccountAttributes",
+          "lambda:AddLayerVersionPermission",
+          "lambda:RemoveLayerVersionPermission",
+          "lambda:GetLayerVersionPolicy",
+          "lambda:RemoveLayerVersionPermission"
         ]
         "Resource" : "*"
       }

todo.md

@@ -106,8 +106,6 @@
 ./resource.ps1 aws_lambda_function_event_invoke_config
 ./resource.ps1 aws_lambda_function_event_invoke_config
 ./resource.ps1 aws_lambda_function_url
-./resource.ps1 aws_lambda_layer_version
-./resource.ps1 aws_lambda_layer_version
 ./resource.ps1 aws_lambda_provisioned_concurrency_config
 
 ./resource.ps1 aws_lb_listener_rule