fix: grant testing account access to sandbox layers

duncanista · duncanista · commit 46b11e9728b7 · 2026-03-30T14:25:52.000-04:00
Sandbox layers were published without any permissions, blocking
the self-monitoring account (093468662994) from deploying stacks
that reference dev layer versions.
diff --git a/.gitlab/scripts/publish_layers.sh b/.gitlab/scripts/publish_layers.sh
@@ -50,7 +50,7 @@ publish_layer() {
         | jq -r '.Version'
     )
 
-    # Add permissions only for prod
+    # Add permissions: public for prod, grant testing account access to sandbox layers
     if [ "$ADD_LAYER_VERSION_PERMISSIONS" = "1" ]; then
         permission=$(aws lambda add-layer-version-permission --layer-name $layer \
             --version-number $version_nbr \
@@ -59,6 +59,14 @@ publish_layer() {
             --principal "*" \
             --region $region
         )
+    else
+        permission=$(aws lambda add-layer-version-permission --layer-name $layer \
+            --version-number $version_nbr \
+            --statement-id "release-$version_nbr" \
+            --action lambda:GetLayerVersion \
+            --principal "093468662994" \
+            --region $region
+        )
     fi
 
     echo $version_nbr
