recipe

simple_aws_lambda.recipe.get_latest_layer_version(lambda_client: LambdaClient, layer_name: str, compatible_runtime: str = OPT, compatible_architecture: str = OPT, _sort_descending: bool = False) → LayerVersion | None

Call the AWS Lambda Layer API to retrieve the latest deployed layer version. If it returns None, it indicates that no layer has been deployed yet.

Example: if the layer has versions 1, 2 and 3, this function returns 3. If no layer version has been created yet, this function returns None.

Reference:

simple_aws_lambda.recipe.cleanup_old_layer_versions(lambda_client: LambdaClient, layer_name: str, keep_last_n_versions: int = 5, keep_versions_newer_than_seconds: int = 7776000, real_run: bool = False, _sort_descending: bool = False) → list[int]

Delete old Lambda layer versions based on retention policy.

Keeps layer versions if they meet ANY of these conditions:

  • Among the last N versions (most recent)

  • Created within the last N seconds

Parameters:
  • lambda_client – AWS Lambda client

  • layer_name – Name of the Lambda layer

  • keep_last_n_versions – Number of most recent versions to keep

  • keep_versions_newer_than_seconds – Keep versions newer than this many seconds

  • real_run – If True, actually delete versions. If False, only return what would be deleted

Returns:

List of version numbers that were deleted (or would be deleted in simulation mode)

Ref:

class simple_aws_lambda.recipe.LambdaPermissionActionEnum(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Enum for different Lambda layer permission actions.

See: https://docs.aws.amazon.com/lambda/latest/dg/permissions-layer-cross-account.html

class simple_aws_lambda.recipe.LayerPrincipalTypeEnum(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Enum for different types of layer principals.

Based on this AWS doc, https://docs.aws.amazon.com/lambda/latest/dg/permissions-layer-cross-account.html, there are only three cross-account Lambda layer permission patterns. The grant_aws_account_or_aws_organization_lambda_layer_version_access and revoke_aws_account_or_aws_organization_lambda_layer_version_access recipes only support these three patterns.

simple_aws_lambda.recipe.identify_principal_type(principal: str) → LayerPrincipalTypeEnum

Identify the type of principal based on its format.

Parameters:

principal – The principal string to identify:

  • “*” for public access

  • “123456789012” for specific AWS account (12-digit account ID)

  • “o-example123456” for AWS organization ID

Returns:

The identified LayerPrincipalTypeEnum
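
An added example, not part of simple_aws_lambda, that applies the same three principal formats to auditing an existing layer version policy document (the JSON string that boto3's get_layer_version_policy returns under Policy). The function names, regexes, Sid values and the sample policy are assumptions constructed for illustration. It shows that an organization grant is stored as Principal “*” narrowed by an aws:PrincipalOrgID condition, so only an unconditioned “*” is public.

```python
import json
import re

ACCOUNT_ID = re.compile(r"[0-9]{12}")
ORG_ID = re.compile(r"o-[a-z0-9]{10,32}")  # AWS Organizations ID format
ROOT_ARN = re.compile(r"arn:aws[a-z-]*:iam::([0-9]{12}):root")

def classify_principal(principal: str) -> str:
    """Map a principal string to one of the three patterns listed above."""
    if principal == "*":
        return "public"
    if ACCOUNT_ID.fullmatch(principal):
        return "aws_account"
    if ORG_ID.fullmatch(principal):
        return "aws_organization"
    raise ValueError(f"unsupported layer principal: {principal!r}")

def audit_layer_policy(policy_json: str) -> list[tuple[str, str, str]]:
    """Return (sid, principal_type, principal) for each Allow statement."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # account grants: {"AWS": "<root ARN>"}
            principal = principal.get("AWS")
        principal = str(principal)
        arn = ROOT_ARN.fullmatch(principal)
        if arn:
            principal = arn.group(1)
        elif principal == "*":
            # Organization grants are stored as "*" narrowed by a condition.
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            principal = str(cond.get("aws:PrincipalOrgID", "*"))
        findings.append((stmt.get("Sid", ""), classify_principal(principal), principal))
    return findings

# Constructed sample policy (Sids, account ID, org ID and ARN are made up).
_BASE = {"Effect": "Allow", "Action": "lambda:GetLayerVersion",
         "Resource": "arn:aws:lambda:us-east-1:111122223333:layer:demo:1"}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [
    {**_BASE, "Sid": "acct", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}},
    {**_BASE, "Sid": "org", "Principal": "*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example123456"}}},
    {**_BASE, "Sid": "open", "Principal": "*"},
]})

if __name__ == "__main__":
    for sid, kind, who in audit_layer_policy(SAMPLE_POLICY):
        print(f"{sid:5} {kind:17} {who}{'  <-- PUBLIC' if kind == 'public' else ''}")
```
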

simple_aws_lambda.recipe.get_layer_permission_statement_id(action: str, principal: str) → str

Encode the statement ID for Lambda layer permission based on action and principal.

simple_aws_lambda.recipe.grant_aws_account_or_aws_organization_lambda_layer_version_access(lambda_client: LambdaClient, layer_name: str, version_number: int, principal: str)

Grant other AWS accounts Lambda layer access to a specific layer version.

Idempotent version of the AWS Lambda add_layer_version_permission API that automatically handles statement ID generation and manages conflicts by allowing existing permissions to remain.

Grants both GetLayerVersion and ListLayerVersions permissions to the specified principal (AWS account, AWS organization, or public access).

Parameters:
  • lambda_client – AWS Lambda client for the account that owns the layer

  • layer_name – Name of the Lambda layer

  • version_number – Version number of the layer to grant access to

  • principal – Principal to grant access to:

      • “*” for public access

      • “123456789012” for specific AWS account (12-digit account ID)

      • “o-example123456” for AWS organization ID

Ref:

simple_aws_lambda.recipe.revoke_aws_account_or_aws_organization_lambda_layer_version_access(lambda_client: LambdaClient, layer_name: str, version_number: int, principal: str)

Revoke other AWS accounts' Lambda layer access to a specific layer version.

Idempotent version of the AWS Lambda remove_layer_version_permission API that automatically handles statement ID generation and gracefully handles cases where permissions don’t exist.

Removes both GetLayerVersion and ListLayerVersions permissions from the specified principal (AWS account, AWS organization, or public access).

Parameters:
  • lambda_client – AWS Lambda client for the account that owns the layer

  • layer_name – Name of the Lambda layer

  • version_number – Version number of the layer to revoke access from

  • principal – Principal to revoke access from:

      • “*” for public access

      • “123456789012” for specific AWS account (12-digit account ID)

      • “o-example123456” for AWS organization ID

Ref: