Problem
When versioning: true is set, event sources (API Gateway, DynamoDB streams, SQS, S3, SNS, etc.) are configured to invoke a specific published version, and the lambda.Permission is scoped to that exact version. This creates several issues:
Rolling back is a mess
The primary point of versioning is to enable rollback. But rolling back to a previous version currently requires updating every event source's target version and every lambda.Permission to allow the old version. There's no simple "point everything back to v5" operation.
Propagation delays cause downtime
Resources like API Gateway have their own propagation times. When a new version is deployed, updating the Lambda version in the API Gateway integration takes time to propagate. With an alias, API Gateway doesn't need to change at all — it always points to the alias, and the moment the alias is updated, traffic shifts instantly.
Permission gaps during deploys
The lambda.Permission is scoped to a specific version number. If the permission update and the event source update don't happen at exactly the same time, there's a window where the event source is trying to invoke a version it doesn't have permission for, or the permission is granted for a version that isn't wired up yet. This can cause brief downtime on every deploy.
Solution
When versioning: true, create an alias (e.g. latest) that always points to the most recently published version. All event sources should:
- Invoke the alias instead of a hard-coded version number
- Scope lambda.Permission to the alias instead of a specific version
This way, deploying a new version only requires updating the alias pointer. Event sources don't change, permissions don't change, and rollback is a single alias update.
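The difference between the two layouts, as an added example that is not part of the original issue and is not SST or AWS code: a small constructed model that steps through a deploy from v5 to v6 and counts the intermediate states in which an event source is denied. The source names, the `latest` alias and the step ordering (target updated before permission) are assumptions chosen for illustration.

```typescript
// Constructed model, not SST or AWS code: one deploy from v5 to v6.
type State = {
  aliases: Record<string, string>; // alias name -> published version
  targets: Record<string, string>; // event source -> qualifier it invokes
  permissions: Set<string>; // "source|qualifier" pairs allowed to invoke
};
type Step = (s: State) => void;

const sources = ["apigw", "sqs"]; // hypothetical event source names

// A permission only matches the exact qualifier the source invokes.
// Returns the version that runs, or null when the invoke is denied.
function invoke(s: State, source: string): string | null {
  const q = s.targets[source];
  if (!s.permissions.has(`${source}|${q}`)) return null;
  return s.aliases[q] ?? q;
}

// Apply steps one at a time; count states where some source is denied.
function brokenStates(s: State, steps: Step[]): number {
  let broken = 0;
  for (const step of steps) {
    step(s);
    if (sources.some((src) => invoke(s, src) === null)) broken++;
  }
  return broken;
}

// Initial state: every source targets, and is permitted on, one qualifier.
function pinned(qualifier: string, aliases: Record<string, string>): State {
  const s: State = { aliases, targets: {}, permissions: new Set<string>() };
  for (const src of sources) {
    s.targets[src] = qualifier;
    s.permissions.add(`${src}|${qualifier}`);
  }
  return s;
}

// Version-scoped: each source's target and permission change separately.
function versionDeploy(from: string, to: string): Step[] {
  const steps: Step[] = [];
  for (const src of sources) {
    steps.push((s) => { s.targets[src] = to; });
    steps.push((s) => { s.permissions.delete(`${src}|${from}`); s.permissions.add(`${src}|${to}`); });
  }
  return steps;
}

// Alias-scoped: deploy and rollback are the same single pointer update.
const aliasDeploy = (to: string): Step[] => [(s) => { s.aliases["latest"] = to; }];
```

With two event sources, the version-scoped deploy takes four updates and passes through two denied states, while the alias deploy and its rollback each take one update and never deny an invoke.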
Related