# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
Used to attach the latest version of a layer to a Lambda
Resources:
AttachLambdaLayerCustomResource:
Type: AWS::Serverless::Function
Metadata:
cfn_nag:
rules_to_suppress:
- id: W11
reason: This function needs to be able to work with any Lambda
- id: W58
reason: AWSLambdaBasicExecutionRole gives permission to CloudWatch Logs
Properties:
FunctionName: cfn-attach-lambda-layer
CodeUri: ./src
Handler: index.handler
Runtime: python3.10
Timeout: 60
Role: !GetAtt AttachLambdaLayeCustomResourceRole.Arn
AttachLambdaLayeCustomResourceRole:
Type: AWS::IAM::Role
Metadata:
cfn_nag:
rules_to_suppress:
- id: W11
reason: This function needs to be able to work with any Lambda
- id: W58
reason: AWSLambdaBasicExecutionRole gives permission to CloudWatch Logs
Properties:
Path: /
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName:
Fn::Sub: updater-lambda-configuration-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- lambda:GetFunction
- lambda:GetFunctionConfiguration
- lambda:UpdateFunctionConfiguration
- lambda:GetLayerVersion
- lambda:ListLayerVersions
- logs:DescribeLogGroups
- logs:CreateLogGroup
Resource: "*"
Outputs:
CFNAttachLambdaLayer:
Value: !GetAtt AttachLambdaLayerCustomResource.Arn
Export:
Name: CFNAttachLambdaLayer