Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

`sam deploy` fails when using SSM Parameter for a Lambda Layer ARN

See original GitHub issue

Description:

When you have a template that is set up using the following structure:

...
Parameters:
  MyLayerParameter:
    Description: The SSM parameter name of the ARN of the Lambda Layer shared across components.
    Type: AWS::SSM::Parameter::Value<String>
....
Resources:
  HelloWorld:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.7
      Handler: index.handler
      CodeUri: ./src/hello_world
      Layers: [ !Ref MyLayerParameter ]

This is perfectly deployable using aws cloudformation deploy however sam deploy will raise the following error:

Error: /environment/service/MyLayerArn is an Invalid Layer Arn.

So my guess is that sam expects the Layer to be an ARN (which is fair) but the type of the parameter is: AWS::SSM::Parameter::Value<String> so, in this case, it should first resolve the SSM Parameter (or ignore it at all)

It looks similar to #1069 but there the build fails on the resolution of the parameter and a workaround is to provide a “dummy” ARN that would cause the build to run. This cannot be used with the deploy command because we actually want to point to the actual SSM Parameter.

Steps to reproduce:

  • Store the LayerARN in a parameter
  • Deploy a stack with passing the SSM Parameter path and not the ARN

Observed result:

2020-12-11 13:34:05,177 | 27 resources found in the template 2020-12-11 13:34:05,178 | Sending Telemetry: {‘metrics’: [{‘commandRun’: {‘awsProfileProvided’: False, ‘debugFlagProvided’: True, ‘region’: ‘eu-west-1’, ‘commandName’: ‘sam deploy’, ‘duration’: 1375, ‘exitReason’: ‘InvalidLayerVersionArn’, ‘exitCode’: 1, ‘requestId’: ‘d7ae766c-2183-4b8b-a690-4eeb47ee2382’, ‘installationId’: ‘e741b3c2-9523-4a05-821d-de8ee1f419de’, ‘sessionId’: ‘3f2f89cc-9c45-48b3-b58a-9443de63e98a’, ‘executionEnvironment’: ‘CLI’, ‘pyversion’: ‘3.7.7’, ‘samcliVersion’: ‘1.13.2’}}]} 2020-12-11 13:34:05,884 | HTTPSConnectionPool(host=‘aws-serverless-tools-telemetry.us-west-2.amazonaws.com’, port=443): Read timed out. (read timeout=0.1) Error: /foo/core/ModelsLambdaLayerArn is an Invalid Layer Arn.

Expected result:

I would expect that if the parameter is an SSM Parameter that is being resolved by CloudFormation, either sam does this before evaluation as well or it would skip the check when performing a deploy.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: Mac OS X 11.0.1
  2. sam --version: SAM CLI, version 1.13.2

Issue Analytics

  • State:open
  • Created 3 years ago
  • Reactions:4
  • Comments:15 (1 by maintainers)

github_iconTop GitHub Comments

1reaction
jchubbsIbexLabscommented, Jul 30, 2021

A bit of a stupid workaround but I found the most elegant way was simply to add a default value to the parameter that is a known layer that exists

Parameters:
  MyLayerParameter:
    Description: The SSM parameter name of the ARN of the Lambda Layer shared across components.
    Type: AWS::SSM::Parameter::Value<String>
    Default: ArnOfExistingLayer
1reaction
JordanShurmercommented, Apr 8, 2021

In case anyone is looking for a workaround: my solution is to lookup the value from SSM elsewhere in the build process and pass the value in using --parameter-overrides

Workaround Example

For example, here’s a makefile using this method for both the build and the deploy steps

SHARED_LAYER := $(shell  aws ssm get-parameter --name '/path/to/lambda/arn' --query 'Parameter.Value' --output text)

deploy: .aws-sam/build/template.yaml
    sam deploy --template .aws-sam/build/template.yaml --parameter-overrides LambdaArnParam=${SHARED_LAYER}

.aws-sam/build/template.yaml:
    sam build --parameter-overrides LambdaArnParam=${SHARED_LAYER

Note that you’ll have to change the Parameter type to a simple String

Read more comments on GitHub >

github_iconTop Results From Across the Web

Invalid Layer Arn Error when using ARN value from SSM ...
It seems, SAM doesn't resolve SSM parameters. Please try using --parameter-overrides option. Example: sam build --parameter-overrides ...
Read more >
Sharing Secrets with AWS Lambda Using AWS Systems ...
In this YAML code, you define a Lambda function named ParameterStoreBlogFunctionDev using the SAM AWS::Serverless::Function type.
Read more >
Deploying Your Stacks - Stackery Documentation
Failed to fetch function layers from SSM Parameter Store (Local & Codebuild deployments). A notable error you may encounter when working with Lambda...
Read more >
AWS Lambda Layer and SSM Parameter Store for multiple ...
The SSM Parameter Store is used to store configuration values, each with a specific parameter path or hierachy (eg: /Config/{Parameter-Name}). The Lambda ......
Read more >
Discussion on: AWS Lambda Layer for Private Certificates
Thanks for the guide. I'm running into a problem when I try to deploy my SAM app that suppose to use the CertificateLayer....
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

SAM build - The directory is not empty error

Next page

sam build: NPM Failed when InlineCode is used