add validation if layer arn region does not match function region (#2188)

* add validation if layer arn region does not match function region

* add backend to changeset

* update function region in test and add conditional logic for region

Author: rtpascual

.changeset/tiny-cameras-happen.md

@@ -0,0 +1,6 @@
+---
+'@aws-amplify/backend': patch
+'@aws-amplify/backend-function': patch
+---
+
+add validation if layer arn region does not match function region

packages/backend-function/src/factory.test.ts

@@ -17,6 +17,7 @@ import { NodeVersion, defineFunction } from './factory.js';
 import { lambdaWithDependencies } from './test-assets/lambda-with-dependencies/resource.js';
 import { Runtime } from 'aws-cdk-lib/aws-lambda';
 import { Policy, PolicyStatement } from 'aws-cdk-lib/aws-iam';
+import { AmplifyUserError } from '@aws-amplify/platform-core';
 
 const createStackAndSetContext = (): Stack => {
   const app = new App();
@@ -411,6 +412,38 @@ void describe('AmplifyFunctionFactory', () => {
     });
   });
 
+  void describe('layers property', () => {
+    void it('defaults to no layers', () => {
+      const lambda = defineFunction({
+        entry: './test-assets/default-lambda/handler.ts',
+      }).getInstance(getInstanceProps);
+      const template = Template.fromStack(lambda.stack);
+
+      template.resourceCountIs('AWS::Lambda::LayerVersion', 0);
+    });
+
+    void it('throws if layer arn region is not the same as function region', () => {
+      assert.throws(
+        () =>
+          defineFunction({
+            entry: './test-assets/default-lambda/handler.ts',
+            layers: {
+              layer1:
+                'arn:aws:lambda:some-region:123456789012:layer:my-layer-1:1',
+            },
+          }).getInstance(getInstanceProps),
+        (error: AmplifyUserError) => {
+          assert.strictEqual(
+            error.message,
+            'Region in ARN does not match function region for layer: layer1'
+          );
+          assert.ok(error.resolution);
+          return true;
+        }
+      );
+    });
+  });
+
   void describe('minify property', () => {
     void it('sets minify to false', () => {
       const lambda = defineFunction({

packages/backend-function/src/factory.ts

@@ -23,16 +23,11 @@ import {
   SsmEnvironmentEntry,
   StackProvider,
 } from '@aws-amplify/plugin-types';
-import { Duration, Stack, Tags } from 'aws-cdk-lib';
+import { Duration, Lazy, Stack, Tags, Token } from 'aws-cdk-lib';
 import { Rule } from 'aws-cdk-lib/aws-events';
 import * as targets from 'aws-cdk-lib/aws-events-targets';
 import { Policy } from 'aws-cdk-lib/aws-iam';
-import {
-  CfnFunction,
-  ILayerVersion,
-  LayerVersion,
-  Runtime,
-} from 'aws-cdk-lib/aws-lambda';
+import { CfnFunction, LayerVersion, Runtime } from 'aws-cdk-lib/aws-lambda';
 import { NodejsFunction, OutputFormat } from 'aws-cdk-lib/aws-lambda-nodejs';
 import { Construct } from 'constructs';
 import { readFileSync } from 'fs';
@@ -350,19 +345,10 @@ class FunctionGenerator implements ConstructContainerEntryGenerator {
     scope,
     backendSecretResolver,
   }: GenerateContainerEntryProps) => {
-    // resolve layers to LayerVersion objects for the NodejsFunction constructor using the scope.
-    const resolvedLayers = Object.entries(this.props.layers).map(([key, arn]) =>
-      LayerVersion.fromLayerVersionArn(
-        scope,
-        `${this.props.name}-${key}-layer`,
-        arn
-      )
-    );
-
     return new AmplifyFunction(
       scope,
       this.props.name,
-      { ...this.props, resolvedLayers },
+      this.props,
       backendSecretResolver,
       this.outputStorageStrategy
     );
@@ -382,14 +368,39 @@ class AmplifyFunction
   constructor(
     scope: Construct,
     id: string,
-    props: HydratedFunctionProps & { resolvedLayers: ILayerVersion[] },
+    props: HydratedFunctionProps,
     backendSecretResolver: BackendSecretResolver,
     outputStorageStrategy: BackendOutputStorageStrategy<FunctionOutput>
   ) {
     super(scope, id);
 
     this.stack = Stack.of(scope);
 
+    // resolve layers to LayerVersion objects for the NodejsFunction constructor using the scope.
+    const resolvedLayers = Object.entries(props.layers).map(([key, arn]) => {
+      const layerRegion = arn.split(':')[3];
+      // If region is an unresolved token, use lazy to get region
+      const region = Token.isUnresolved(this.stack.region)
+        ? Lazy.string({
+            produce: () => this.stack.region,
+          })
+        : this.stack.region;
+
+      if (layerRegion !== region) {
+        throw new AmplifyUserError('InvalidLayerArnRegionError', {
+          message: `Region in ARN does not match function region for layer: ${key}`,
+          resolution:
+            'Update the layer ARN with the same region as the function',
+        });
+      }
+
+      return LayerVersion.fromLayerVersionArn(
+        scope,
+        `${props.name}-${key}-layer`,
+        arn
+      );
+    });
+
     const runtime = nodeVersionMap[props.runtime];
 
     const require = createRequire(import.meta.url);
@@ -432,7 +443,7 @@ class AmplifyFunction
         timeout: Duration.seconds(props.timeoutSeconds),
         memorySize: props.memoryMB,
         runtime: nodeVersionMap[props.runtime],
-        layers: props.resolvedLayers,
+        layers: resolvedLayers,
         bundling: {
           ...props.bundling,
           banner: bannerCode,

packages/backend-function/src/layer_parser.test.ts

@@ -20,7 +20,7 @@ const createStackAndSetContext = (): Stack => {
   app.node.setContext('amplify-backend-name', 'testEnvName');
   app.node.setContext('amplify-backend-namespace', 'testBackendId');
   app.node.setContext('amplify-backend-type', 'branch');
-  const stack = new Stack(app);
+  const stack = new Stack(app, 'Stack', { env: { region: 'us-east-1' } });
   return stack;
 };