(aws-lambda): LambdaLayer construct from one stack overwrites LambdaLayer from other stack in same account

[flemjame-at-amazon]

Describe the bug

I have two stacks from separate CDK projects. The logical ID hierarchy is:

StackName1

• LambdaLayer
• • LambdaLayer <---- I am referring to the logical ID of this resource

StackName2

• LambdaLayer
• • LambdaLayer <---- and I am referring to the logical ID of this resource

When I deploy these two stacks the logicalId of these resources are both "LambdaLayer97FEAF95". This isn't a problem because they are in separate stacks.

What is a problem is that they map to the same ARN. When stack2 deploys it creates a new version that overwrites whatever Stack1 is using. These layers have different contents; when Stack1 deploys, it creates an outage in Stack2, and vice versa.

Expected Behavior

Two different Lambda Layers with the same name, but different stacks, would map to different resources, or else not allow deployment.

Current Behavior

The Layer from Stack2 overwrote the layer from Stack1, creating an outage.

Reproduction Steps

Test stack code:

import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { LayerVersion, Runtime, S3Code } from 'aws-cdk-lib/aws-lambda';
import { BlockPublicAccess, Bucket } from 'aws-cdk-lib/aws-s3';

export class TestStack extends Stack {
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id);

    const layerBucket = new Bucket(this, 'LayerBucket', {
      blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
    });
    new LayerVersion(this, 'LambdaLayer', {
      compatibleRuntimes: [Runtime.PYTHON_3_8],
      code: new S3Code(layerBucket, 'object'),
    });
  }
}

App code:

const app = new App();
new TestStack(app, 'StackName1', {});
new TestStack(app, 'StackName2', {});

Template outputs:

StackName1:

 "LambdaLayerCA94B5F7": {
   "Type": "AWS::Lambda::LayerVersion",
   "Properties": {
    "Content": {
     "S3Bucket": {
      "Ref": "LayerBucketF5B16CA1"
     },
     "S3Key": "object"
    },
    "CompatibleRuntimes": [
     "python3.8"
    ]
   },
   "Metadata": {
    "aws:cdk:path": "StackName1/LambdaLayer/Resource"
   }

StackName2:

"LambdaLayerCA94B5F7": {
   "Type": "AWS::Lambda::LayerVersion",
   "Properties": {
    "Content": {
     "S3Bucket": {
      "Ref": "LayerBucketF5B16CA1"
     },
     "S3Key": "object"
    },
    "CompatibleRuntimes": [
     "python3.8"
    ]
   },
   "Metadata": {
    "aws:cdk:path": "StackName2/LambdaLayer/Resource"
   }

The ARN for both resources is:

arn:aws:lambda:::layer:LambdaLayerCA94B5F7

If stack1 uses a different code artifact than stack2 in its layer, then they will overwrite each other

Possible Solution

AWS Lambda doesn't appear to check that creating this Layer resource would touch an existing one from another stack. I think it should result in a deployment error.

Additional Information/Context

No response

CDK CLI Version

2.14

Framework Version

No response

Node.js Version

14

OS

OSX

Language

Typescript

Language Version

No response

Other information

No response

[pahud]

Yes, you will need to specify layerVersionName.

Check out my sample below:

import { CfnOutput, Stack, StackProps,
aws_s3_deployment as s3deploy, 
RemovalPolicy} from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { LayerVersion, Runtime, S3Code } from 'aws-cdk-lib/aws-lambda';
import { BlockPublicAccess, Bucket } from 'aws-cdk-lib/aws-s3';
import * as path from 'path';

export class TestStack extends Stack {
  readonly layerArn: string;
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const layerBucket = new Bucket(this, 'LayerBucket', {
      blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
      removalPolicy: RemovalPolicy.DESTROY,
    });

    const deployment = new s3deploy.BucketDeployment(this, 'Deploy', {
      destinationBucket: layerBucket,
      sources: [ s3deploy.Source.asset(path.join(__dirname, '../lambda.d'))],
    });

    const layerVer = new LayerVersion(this, 'LambdaLayer', {
      compatibleRuntimes: [Runtime.PYTHON_3_8],
      code: new S3Code(layerBucket, 'object.zip'),
      layerVersionName: `${Stack.of(this).stackName}Layer`,
    });

    layerVer.node.addDependency(deployment)

    this.layerArn = layerVer.layerVersionArn
  }
}

And you will get

arn:aws:lambda:us-east-1:<deducted>:layer:StackName1Layer:1
arn:aws:lambda:us-east-1:<deducted>:layer:StackName2Layer:1

Let me know if it works with you.

[flemjame-at-amazon]

This is what I ended up doing eventually.

[pahud]

Moving this to discussion.

[flemjame-at-amazon]

This issue puts the burden of knowing individual construct names onto teams to prevent overlapping, or else inventing conventions to proactively prevent overlapping. IMO there should be a mechanism somewhere owned by AWS to ensure this doesn't happen.