@aws-solutions-constructs/aws-lambda-secretsmanager 2.51.0 → 2.52.1

Files changed (53) hide show
  1. package/.eslintignore +2 -0
  2. package/.jsii +49 -4
  3. package/integ.config.json +7 -0
  4. package/lib/index.js +1 -1
  5. package/package.json +9 -8
  6. package/test/integ.lamsec-deployFunction.js +5 -2
  7. package/test/integ.lamsec-deployFunction.js.snapshot/asset.0c3255e93ffe7a906c7422e9f0e9cc4c7fd86ee996ee3bb302e2f134b38463c8/index.js +8 -0
  8. package/test/integ.lamsec-deployFunction.js.snapshot/cdk.out +1 -0
  9. package/test/integ.lamsec-deployFunction.js.snapshot/integ.json +12 -0
  10. package/test/integ.lamsec-deployFunction.js.snapshot/lamsec-deployFunction.assets.json +32 -0
  11. package/test/integ.lamsec-deployFunction.js.snapshot/lamsec-deployFunction.template.json +208 -0
  12. package/test/integ.lamsec-deployFunction.js.snapshot/lamsecdeployFunctionIntegDefaultTestDeployAssert7322BEEA.assets.json +19 -0
  13. package/test/integ.lamsec-deployFunction.js.snapshot/lamsecdeployFunctionIntegDefaultTestDeployAssert7322BEEA.template.json +36 -0
  14. package/test/integ.lamsec-deployFunction.js.snapshot/manifest.json +131 -0
  15. package/test/integ.lamsec-deployFunction.js.snapshot/tree.json +342 -0
  16. package/test/integ.lamsec-deployFunctionWithExistingVpc.js +6 -2
  17. package/test/integ.lamsec-deployFunctionWithExistingVpc.js.snapshot/asset.0c3255e93ffe7a906c7422e9f0e9cc4c7fd86ee996ee3bb302e2f134b38463c8/index.js +8 -0
  18. package/test/integ.lamsec-deployFunctionWithExistingVpc.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/__entrypoint__.js +1 -0
  19. package/test/integ.lamsec-deployFunctionWithExistingVpc.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/index.js +1 -0
  20. package/test/integ.lamsec-deployFunctionWithExistingVpc.js.snapshot/cdk.out +1 -0
  21. package/test/integ.lamsec-deployFunctionWithExistingVpc.js.snapshot/integ.json +12 -0
  22. package/test/integ.lamsec-deployFunctionWithExistingVpc.js.snapshot/lamsec-deployFunctionWithExistingVpc.assets.json +45 -0
  23. package/test/integ.lamsec-deployFunctionWithExistingVpc.js.snapshot/lamsec-deployFunctionWithExistingVpc.template.json +1019 -0
  24. package/test/integ.lamsec-deployFunctionWithExistingVpc.js.snapshot/lamsecdeployFunctionWithExistingVpcIntegDefaultTestDeployAssert647243A7.assets.json +19 -0
  25. package/test/integ.lamsec-deployFunctionWithExistingVpc.js.snapshot/lamsecdeployFunctionWithExistingVpcIntegDefaultTestDeployAssert647243A7.template.json +36 -0
  26. package/test/integ.lamsec-deployFunctionWithExistingVpc.js.snapshot/manifest.json +329 -0
  27. package/test/integ.lamsec-deployFunctionWithExistingVpc.js.snapshot/tree.json +1393 -0
  28. package/test/integ.lamsec-deployFunctionWithVpc.js +6 -2
  29. package/test/integ.lamsec-deployFunctionWithVpc.js.snapshot/asset.0c3255e93ffe7a906c7422e9f0e9cc4c7fd86ee996ee3bb302e2f134b38463c8/index.js +8 -0
  30. package/test/integ.lamsec-deployFunctionWithVpc.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/__entrypoint__.js +1 -0
  31. package/test/integ.lamsec-deployFunctionWithVpc.js.snapshot/asset.dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e/index.js +1 -0
  32. package/test/integ.lamsec-deployFunctionWithVpc.js.snapshot/cdk.out +1 -0
  33. package/test/integ.lamsec-deployFunctionWithVpc.js.snapshot/integ.json +12 -0
  34. package/test/integ.lamsec-deployFunctionWithVpc.js.snapshot/lamsec-deployFunctionWithVpc.assets.json +45 -0
  35. package/test/integ.lamsec-deployFunctionWithVpc.js.snapshot/lamsec-deployFunctionWithVpc.template.json +735 -0
  36. package/test/integ.lamsec-deployFunctionWithVpc.js.snapshot/lamsecdeployFunctionWithVpcIntegDefaultTestDeployAssert66148FF5.assets.json +19 -0
  37. package/test/integ.lamsec-deployFunctionWithVpc.js.snapshot/lamsecdeployFunctionWithVpcIntegDefaultTestDeployAssert66148FF5.template.json +36 -0
  38. package/test/integ.lamsec-deployFunctionWithVpc.js.snapshot/manifest.json +233 -0
  39. package/test/integ.lamsec-deployFunctionWithVpc.js.snapshot/tree.json +981 -0
  40. package/test/integ.lamsec-existingFunction.js +5 -2
  41. package/test/integ.lamsec-existingFunction.js.snapshot/asset.0c3255e93ffe7a906c7422e9f0e9cc4c7fd86ee996ee3bb302e2f134b38463c8/index.js +8 -0
  42. package/test/integ.lamsec-existingFunction.js.snapshot/cdk.out +1 -0
  43. package/test/integ.lamsec-existingFunction.js.snapshot/integ.json +12 -0
  44. package/test/integ.lamsec-existingFunction.js.snapshot/lamsec-existingFunction.assets.json +32 -0
  45. package/test/integ.lamsec-existingFunction.js.snapshot/lamsec-existingFunction.template.json +208 -0
  46. package/test/integ.lamsec-existingFunction.js.snapshot/lamsecexistingFunctionIntegDefaultTestDeployAssert295B352B.assets.json +19 -0
  47. package/test/integ.lamsec-existingFunction.js.snapshot/lamsecexistingFunctionIntegDefaultTestDeployAssert295B352B.template.json +36 -0
  48. package/test/integ.lamsec-existingFunction.js.snapshot/manifest.json +131 -0
  49. package/test/integ.lamsec-existingFunction.js.snapshot/tree.json +342 -0
  50. package/test/integ.lamsec-deployFunction.expected.json +0 -208
  51. package/test/integ.lamsec-deployFunctionWithExistingVpc.expected.json +0 -1044
  52. package/test/integ.lamsec-deployFunctionWithVpc.expected.json +0 -650
  53. package/test/integ.lamsec-existingFunction.expected.json +0 -208
@@ -0,0 +1,1019 @@
1
+ {
2
+ "Description": "Integration Test for aws-lambda-secretsmanager",
3
+ "Resources": {
4
+ "Vpc8378EB38": {
5
+ "Type": "AWS::EC2::VPC",
6
+ "Properties": {
7
+ "CidrBlock": "10.0.0.0/16",
8
+ "EnableDnsHostnames": true,
9
+ "EnableDnsSupport": true,
10
+ "InstanceTenancy": "default",
11
+ "Tags": [
12
+ {
13
+ "Key": "Name",
14
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc"
15
+ }
16
+ ]
17
+ }
18
+ },
19
+ "VpcPublicSubnet1Subnet5C2D37C4": {
20
+ "Type": "AWS::EC2::Subnet",
21
+ "Properties": {
22
+ "AvailabilityZone": {
23
+ "Fn::Select": [
24
+ 0,
25
+ {
26
+ "Fn::GetAZs": ""
27
+ }
28
+ ]
29
+ },
30
+ "CidrBlock": "10.0.0.0/18",
31
+ "MapPublicIpOnLaunch": true,
32
+ "Tags": [
33
+ {
34
+ "Key": "aws-cdk:subnet-name",
35
+ "Value": "Public"
36
+ },
37
+ {
38
+ "Key": "aws-cdk:subnet-type",
39
+ "Value": "Public"
40
+ },
41
+ {
42
+ "Key": "Name",
43
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc/PublicSubnet1"
44
+ }
45
+ ],
46
+ "VpcId": {
47
+ "Ref": "Vpc8378EB38"
48
+ }
49
+ },
50
+ "Metadata": {
51
+ "cfn_nag": {
52
+ "rules_to_suppress": [
53
+ {
54
+ "id": "W33",
55
+ "reason": "Allow Public Subnets to have MapPublicIpOnLaunch set to true"
56
+ }
57
+ ]
58
+ }
59
+ }
60
+ },
61
+ "VpcPublicSubnet1RouteTable6C95E38E": {
62
+ "Type": "AWS::EC2::RouteTable",
63
+ "Properties": {
64
+ "Tags": [
65
+ {
66
+ "Key": "Name",
67
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc/PublicSubnet1"
68
+ }
69
+ ],
70
+ "VpcId": {
71
+ "Ref": "Vpc8378EB38"
72
+ }
73
+ }
74
+ },
75
+ "VpcPublicSubnet1RouteTableAssociation97140677": {
76
+ "Type": "AWS::EC2::SubnetRouteTableAssociation",
77
+ "Properties": {
78
+ "RouteTableId": {
79
+ "Ref": "VpcPublicSubnet1RouteTable6C95E38E"
80
+ },
81
+ "SubnetId": {
82
+ "Ref": "VpcPublicSubnet1Subnet5C2D37C4"
83
+ }
84
+ }
85
+ },
86
+ "VpcPublicSubnet1DefaultRoute3DA9E72A": {
87
+ "Type": "AWS::EC2::Route",
88
+ "Properties": {
89
+ "DestinationCidrBlock": "0.0.0.0/0",
90
+ "GatewayId": {
91
+ "Ref": "VpcIGWD7BA715C"
92
+ },
93
+ "RouteTableId": {
94
+ "Ref": "VpcPublicSubnet1RouteTable6C95E38E"
95
+ }
96
+ },
97
+ "DependsOn": [
98
+ "VpcVPCGWBF912B6E"
99
+ ]
100
+ },
101
+ "VpcPublicSubnet1EIPD7E02669": {
102
+ "Type": "AWS::EC2::EIP",
103
+ "Properties": {
104
+ "Domain": "vpc",
105
+ "Tags": [
106
+ {
107
+ "Key": "Name",
108
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc/PublicSubnet1"
109
+ }
110
+ ]
111
+ }
112
+ },
113
+ "VpcPublicSubnet1NATGateway4D7517AA": {
114
+ "Type": "AWS::EC2::NatGateway",
115
+ "Properties": {
116
+ "AllocationId": {
117
+ "Fn::GetAtt": [
118
+ "VpcPublicSubnet1EIPD7E02669",
119
+ "AllocationId"
120
+ ]
121
+ },
122
+ "SubnetId": {
123
+ "Ref": "VpcPublicSubnet1Subnet5C2D37C4"
124
+ },
125
+ "Tags": [
126
+ {
127
+ "Key": "Name",
128
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc/PublicSubnet1"
129
+ }
130
+ ]
131
+ },
132
+ "DependsOn": [
133
+ "VpcPublicSubnet1DefaultRoute3DA9E72A",
134
+ "VpcPublicSubnet1RouteTableAssociation97140677"
135
+ ]
136
+ },
137
+ "VpcPublicSubnet2Subnet691E08A3": {
138
+ "Type": "AWS::EC2::Subnet",
139
+ "Properties": {
140
+ "AvailabilityZone": {
141
+ "Fn::Select": [
142
+ 1,
143
+ {
144
+ "Fn::GetAZs": ""
145
+ }
146
+ ]
147
+ },
148
+ "CidrBlock": "10.0.64.0/18",
149
+ "MapPublicIpOnLaunch": true,
150
+ "Tags": [
151
+ {
152
+ "Key": "aws-cdk:subnet-name",
153
+ "Value": "Public"
154
+ },
155
+ {
156
+ "Key": "aws-cdk:subnet-type",
157
+ "Value": "Public"
158
+ },
159
+ {
160
+ "Key": "Name",
161
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc/PublicSubnet2"
162
+ }
163
+ ],
164
+ "VpcId": {
165
+ "Ref": "Vpc8378EB38"
166
+ }
167
+ },
168
+ "Metadata": {
169
+ "cfn_nag": {
170
+ "rules_to_suppress": [
171
+ {
172
+ "id": "W33",
173
+ "reason": "Allow Public Subnets to have MapPublicIpOnLaunch set to true"
174
+ }
175
+ ]
176
+ }
177
+ }
178
+ },
179
+ "VpcPublicSubnet2RouteTable94F7E489": {
180
+ "Type": "AWS::EC2::RouteTable",
181
+ "Properties": {
182
+ "Tags": [
183
+ {
184
+ "Key": "Name",
185
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc/PublicSubnet2"
186
+ }
187
+ ],
188
+ "VpcId": {
189
+ "Ref": "Vpc8378EB38"
190
+ }
191
+ }
192
+ },
193
+ "VpcPublicSubnet2RouteTableAssociationDD5762D8": {
194
+ "Type": "AWS::EC2::SubnetRouteTableAssociation",
195
+ "Properties": {
196
+ "RouteTableId": {
197
+ "Ref": "VpcPublicSubnet2RouteTable94F7E489"
198
+ },
199
+ "SubnetId": {
200
+ "Ref": "VpcPublicSubnet2Subnet691E08A3"
201
+ }
202
+ }
203
+ },
204
+ "VpcPublicSubnet2DefaultRoute97F91067": {
205
+ "Type": "AWS::EC2::Route",
206
+ "Properties": {
207
+ "DestinationCidrBlock": "0.0.0.0/0",
208
+ "GatewayId": {
209
+ "Ref": "VpcIGWD7BA715C"
210
+ },
211
+ "RouteTableId": {
212
+ "Ref": "VpcPublicSubnet2RouteTable94F7E489"
213
+ }
214
+ },
215
+ "DependsOn": [
216
+ "VpcVPCGWBF912B6E"
217
+ ]
218
+ },
219
+ "VpcPublicSubnet2EIP3C605A87": {
220
+ "Type": "AWS::EC2::EIP",
221
+ "Properties": {
222
+ "Domain": "vpc",
223
+ "Tags": [
224
+ {
225
+ "Key": "Name",
226
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc/PublicSubnet2"
227
+ }
228
+ ]
229
+ }
230
+ },
231
+ "VpcPublicSubnet2NATGateway9182C01D": {
232
+ "Type": "AWS::EC2::NatGateway",
233
+ "Properties": {
234
+ "AllocationId": {
235
+ "Fn::GetAtt": [
236
+ "VpcPublicSubnet2EIP3C605A87",
237
+ "AllocationId"
238
+ ]
239
+ },
240
+ "SubnetId": {
241
+ "Ref": "VpcPublicSubnet2Subnet691E08A3"
242
+ },
243
+ "Tags": [
244
+ {
245
+ "Key": "Name",
246
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc/PublicSubnet2"
247
+ }
248
+ ]
249
+ },
250
+ "DependsOn": [
251
+ "VpcPublicSubnet2DefaultRoute97F91067",
252
+ "VpcPublicSubnet2RouteTableAssociationDD5762D8"
253
+ ]
254
+ },
255
+ "VpcPrivateSubnet1Subnet536B997A": {
256
+ "Type": "AWS::EC2::Subnet",
257
+ "Properties": {
258
+ "AvailabilityZone": {
259
+ "Fn::Select": [
260
+ 0,
261
+ {
262
+ "Fn::GetAZs": ""
263
+ }
264
+ ]
265
+ },
266
+ "CidrBlock": "10.0.128.0/18",
267
+ "MapPublicIpOnLaunch": false,
268
+ "Tags": [
269
+ {
270
+ "Key": "aws-cdk:subnet-name",
271
+ "Value": "Private"
272
+ },
273
+ {
274
+ "Key": "aws-cdk:subnet-type",
275
+ "Value": "Private"
276
+ },
277
+ {
278
+ "Key": "Name",
279
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc/PrivateSubnet1"
280
+ }
281
+ ],
282
+ "VpcId": {
283
+ "Ref": "Vpc8378EB38"
284
+ }
285
+ }
286
+ },
287
+ "VpcPrivateSubnet1RouteTableB2C5B500": {
288
+ "Type": "AWS::EC2::RouteTable",
289
+ "Properties": {
290
+ "Tags": [
291
+ {
292
+ "Key": "Name",
293
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc/PrivateSubnet1"
294
+ }
295
+ ],
296
+ "VpcId": {
297
+ "Ref": "Vpc8378EB38"
298
+ }
299
+ }
300
+ },
301
+ "VpcPrivateSubnet1RouteTableAssociation70C59FA6": {
302
+ "Type": "AWS::EC2::SubnetRouteTableAssociation",
303
+ "Properties": {
304
+ "RouteTableId": {
305
+ "Ref": "VpcPrivateSubnet1RouteTableB2C5B500"
306
+ },
307
+ "SubnetId": {
308
+ "Ref": "VpcPrivateSubnet1Subnet536B997A"
309
+ }
310
+ }
311
+ },
312
+ "VpcPrivateSubnet1DefaultRouteBE02A9ED": {
313
+ "Type": "AWS::EC2::Route",
314
+ "Properties": {
315
+ "DestinationCidrBlock": "0.0.0.0/0",
316
+ "NatGatewayId": {
317
+ "Ref": "VpcPublicSubnet1NATGateway4D7517AA"
318
+ },
319
+ "RouteTableId": {
320
+ "Ref": "VpcPrivateSubnet1RouteTableB2C5B500"
321
+ }
322
+ }
323
+ },
324
+ "VpcPrivateSubnet2Subnet3788AAA1": {
325
+ "Type": "AWS::EC2::Subnet",
326
+ "Properties": {
327
+ "AvailabilityZone": {
328
+ "Fn::Select": [
329
+ 1,
330
+ {
331
+ "Fn::GetAZs": ""
332
+ }
333
+ ]
334
+ },
335
+ "CidrBlock": "10.0.192.0/18",
336
+ "MapPublicIpOnLaunch": false,
337
+ "Tags": [
338
+ {
339
+ "Key": "aws-cdk:subnet-name",
340
+ "Value": "Private"
341
+ },
342
+ {
343
+ "Key": "aws-cdk:subnet-type",
344
+ "Value": "Private"
345
+ },
346
+ {
347
+ "Key": "Name",
348
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc/PrivateSubnet2"
349
+ }
350
+ ],
351
+ "VpcId": {
352
+ "Ref": "Vpc8378EB38"
353
+ }
354
+ }
355
+ },
356
+ "VpcPrivateSubnet2RouteTableA678073B": {
357
+ "Type": "AWS::EC2::RouteTable",
358
+ "Properties": {
359
+ "Tags": [
360
+ {
361
+ "Key": "Name",
362
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc/PrivateSubnet2"
363
+ }
364
+ ],
365
+ "VpcId": {
366
+ "Ref": "Vpc8378EB38"
367
+ }
368
+ }
369
+ },
370
+ "VpcPrivateSubnet2RouteTableAssociationA89CAD56": {
371
+ "Type": "AWS::EC2::SubnetRouteTableAssociation",
372
+ "Properties": {
373
+ "RouteTableId": {
374
+ "Ref": "VpcPrivateSubnet2RouteTableA678073B"
375
+ },
376
+ "SubnetId": {
377
+ "Ref": "VpcPrivateSubnet2Subnet3788AAA1"
378
+ }
379
+ }
380
+ },
381
+ "VpcPrivateSubnet2DefaultRoute060D2087": {
382
+ "Type": "AWS::EC2::Route",
383
+ "Properties": {
384
+ "DestinationCidrBlock": "0.0.0.0/0",
385
+ "NatGatewayId": {
386
+ "Ref": "VpcPublicSubnet2NATGateway9182C01D"
387
+ },
388
+ "RouteTableId": {
389
+ "Ref": "VpcPrivateSubnet2RouteTableA678073B"
390
+ }
391
+ }
392
+ },
393
+ "VpcIGWD7BA715C": {
394
+ "Type": "AWS::EC2::InternetGateway",
395
+ "Properties": {
396
+ "Tags": [
397
+ {
398
+ "Key": "Name",
399
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc"
400
+ }
401
+ ]
402
+ }
403
+ },
404
+ "VpcVPCGWBF912B6E": {
405
+ "Type": "AWS::EC2::VPCGatewayAttachment",
406
+ "Properties": {
407
+ "InternetGatewayId": {
408
+ "Ref": "VpcIGWD7BA715C"
409
+ },
410
+ "VpcId": {
411
+ "Ref": "Vpc8378EB38"
412
+ }
413
+ }
414
+ },
415
+ "VpcRestrictDefaultSecurityGroupCustomResourceC73DA2BE": {
416
+ "Type": "Custom::VpcRestrictDefaultSG",
417
+ "Properties": {
418
+ "ServiceToken": {
419
+ "Fn::GetAtt": [
420
+ "CustomVpcRestrictDefaultSGCustomResourceProviderHandlerDC833E5E",
421
+ "Arn"
422
+ ]
423
+ },
424
+ "DefaultSecurityGroupId": {
425
+ "Fn::GetAtt": [
426
+ "Vpc8378EB38",
427
+ "DefaultSecurityGroup"
428
+ ]
429
+ },
430
+ "Account": {
431
+ "Ref": "AWS::AccountId"
432
+ }
433
+ },
434
+ "UpdateReplacePolicy": "Delete",
435
+ "DeletionPolicy": "Delete"
436
+ },
437
+ "VpcFlowLogIAMRole6A475D41": {
438
+ "Type": "AWS::IAM::Role",
439
+ "Properties": {
440
+ "AssumeRolePolicyDocument": {
441
+ "Statement": [
442
+ {
443
+ "Action": "sts:AssumeRole",
444
+ "Effect": "Allow",
445
+ "Principal": {
446
+ "Service": "vpc-flow-logs.amazonaws.com"
447
+ }
448
+ }
449
+ ],
450
+ "Version": "2012-10-17"
451
+ },
452
+ "Tags": [
453
+ {
454
+ "Key": "Name",
455
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc/FlowLog"
456
+ }
457
+ ]
458
+ }
459
+ },
460
+ "VpcFlowLogIAMRoleDefaultPolicy406FB995": {
461
+ "Type": "AWS::IAM::Policy",
462
+ "Properties": {
463
+ "PolicyDocument": {
464
+ "Statement": [
465
+ {
466
+ "Action": [
467
+ "logs:CreateLogStream",
468
+ "logs:DescribeLogStreams",
469
+ "logs:PutLogEvents"
470
+ ],
471
+ "Effect": "Allow",
472
+ "Resource": {
473
+ "Fn::GetAtt": [
474
+ "VpcFlowLogLogGroup7B5C56B9",
475
+ "Arn"
476
+ ]
477
+ }
478
+ },
479
+ {
480
+ "Action": "iam:PassRole",
481
+ "Effect": "Allow",
482
+ "Resource": {
483
+ "Fn::GetAtt": [
484
+ "VpcFlowLogIAMRole6A475D41",
485
+ "Arn"
486
+ ]
487
+ }
488
+ }
489
+ ],
490
+ "Version": "2012-10-17"
491
+ },
492
+ "PolicyName": "VpcFlowLogIAMRoleDefaultPolicy406FB995",
493
+ "Roles": [
494
+ {
495
+ "Ref": "VpcFlowLogIAMRole6A475D41"
496
+ }
497
+ ]
498
+ }
499
+ },
500
+ "VpcFlowLogLogGroup7B5C56B9": {
501
+ "Type": "AWS::Logs::LogGroup",
502
+ "Properties": {
503
+ "RetentionInDays": 731,
504
+ "Tags": [
505
+ {
506
+ "Key": "Name",
507
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc/FlowLog"
508
+ }
509
+ ]
510
+ },
511
+ "UpdateReplacePolicy": "Retain",
512
+ "DeletionPolicy": "Retain",
513
+ "Metadata": {
514
+ "cfn_nag": {
515
+ "rules_to_suppress": [
516
+ {
517
+ "id": "W84",
518
+ "reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)"
519
+ }
520
+ ]
521
+ }
522
+ }
523
+ },
524
+ "VpcFlowLog8FF33A73": {
525
+ "Type": "AWS::EC2::FlowLog",
526
+ "Properties": {
527
+ "DeliverLogsPermissionArn": {
528
+ "Fn::GetAtt": [
529
+ "VpcFlowLogIAMRole6A475D41",
530
+ "Arn"
531
+ ]
532
+ },
533
+ "LogDestinationType": "cloud-watch-logs",
534
+ "LogGroupName": {
535
+ "Ref": "VpcFlowLogLogGroup7B5C56B9"
536
+ },
537
+ "ResourceId": {
538
+ "Ref": "Vpc8378EB38"
539
+ },
540
+ "ResourceType": "VPC",
541
+ "Tags": [
542
+ {
543
+ "Key": "Name",
544
+ "Value": "lamsec-deployFunctionWithExistingVpc/Vpc/FlowLog"
545
+ }
546
+ ],
547
+ "TrafficType": "ALL"
548
+ }
549
+ },
550
+ "VpcSECRETSMANAGERF52907C2": {
551
+ "Type": "AWS::EC2::VPCEndpoint",
552
+ "Properties": {
553
+ "PrivateDnsEnabled": true,
554
+ "SecurityGroupIds": [
555
+ {
556
+ "Fn::GetAtt": [
557
+ "lamsecdeployFunctionWithExistingVpcSECRETSMANAGERsecuritygroup30E54F0F",
558
+ "GroupId"
559
+ ]
560
+ }
561
+ ],
562
+ "ServiceName": {
563
+ "Fn::Join": [
564
+ "",
565
+ [
566
+ "com.amazonaws.",
567
+ {
568
+ "Ref": "AWS::Region"
569
+ },
570
+ ".secretsmanager"
571
+ ]
572
+ ]
573
+ },
574
+ "SubnetIds": [
575
+ {
576
+ "Ref": "VpcPrivateSubnet1Subnet536B997A"
577
+ },
578
+ {
579
+ "Ref": "VpcPrivateSubnet2Subnet3788AAA1"
580
+ }
581
+ ],
582
+ "VpcEndpointType": "Interface",
583
+ "VpcId": {
584
+ "Ref": "Vpc8378EB38"
585
+ }
586
+ }
587
+ },
588
+ "CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0": {
589
+ "Type": "AWS::IAM::Role",
590
+ "Properties": {
591
+ "AssumeRolePolicyDocument": {
592
+ "Version": "2012-10-17",
593
+ "Statement": [
594
+ {
595
+ "Action": "sts:AssumeRole",
596
+ "Effect": "Allow",
597
+ "Principal": {
598
+ "Service": "lambda.amazonaws.com"
599
+ }
600
+ }
601
+ ]
602
+ },
603
+ "ManagedPolicyArns": [
604
+ {
605
+ "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
606
+ }
607
+ ],
608
+ "Policies": [
609
+ {
610
+ "PolicyName": "Inline",
611
+ "PolicyDocument": {
612
+ "Version": "2012-10-17",
613
+ "Statement": [
614
+ {
615
+ "Effect": "Allow",
616
+ "Action": [
617
+ "ec2:AuthorizeSecurityGroupIngress",
618
+ "ec2:AuthorizeSecurityGroupEgress",
619
+ "ec2:RevokeSecurityGroupIngress",
620
+ "ec2:RevokeSecurityGroupEgress"
621
+ ],
622
+ "Resource": [
623
+ {
624
+ "Fn::Join": [
625
+ "",
626
+ [
627
+ "arn:",
628
+ {
629
+ "Ref": "AWS::Partition"
630
+ },
631
+ ":ec2:",
632
+ {
633
+ "Ref": "AWS::Region"
634
+ },
635
+ ":",
636
+ {
637
+ "Ref": "AWS::AccountId"
638
+ },
639
+ ":security-group/",
640
+ {
641
+ "Fn::GetAtt": [
642
+ "Vpc8378EB38",
643
+ "DefaultSecurityGroup"
644
+ ]
645
+ }
646
+ ]
647
+ ]
648
+ }
649
+ ]
650
+ }
651
+ ]
652
+ }
653
+ }
654
+ ]
655
+ }
656
+ },
657
+ "CustomVpcRestrictDefaultSGCustomResourceProviderHandlerDC833E5E": {
658
+ "Type": "AWS::Lambda::Function",
659
+ "Properties": {
660
+ "Code": {
661
+ "S3Bucket": {
662
+ "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
663
+ },
664
+ "S3Key": "dd5711540f04e06aa955d7f4862fc04e8cdea464cb590dae91ed2976bb78098e.zip"
665
+ },
666
+ "Timeout": 900,
667
+ "MemorySize": 128,
668
+ "Handler": "__entrypoint__.handler",
669
+ "Role": {
670
+ "Fn::GetAtt": [
671
+ "CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0",
672
+ "Arn"
673
+ ]
674
+ },
675
+ "Runtime": "nodejs18.x",
676
+ "Description": "Lambda function for removing all inbound/outbound rules from the VPC default security group"
677
+ },
678
+ "DependsOn": [
679
+ "CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0"
680
+ ],
681
+ "Metadata": {
682
+ "cfn_nag": {
683
+ "rules_to_suppress": [
684
+ {
685
+ "id": "W58",
686
+ "reason": "CDK generated custom resource"
687
+ },
688
+ {
689
+ "id": "W89",
690
+ "reason": "CDK generated custom resource"
691
+ },
692
+ {
693
+ "id": "W92",
694
+ "reason": "CDK generated custom resource"
695
+ }
696
+ ]
697
+ }
698
+ }
699
+ },
700
+ "testlambdasecretsmanagerstackLambdaFunctionServiceRole4FE7A9C6": {
701
+ "Type": "AWS::IAM::Role",
702
+ "Properties": {
703
+ "AssumeRolePolicyDocument": {
704
+ "Statement": [
705
+ {
706
+ "Action": "sts:AssumeRole",
707
+ "Effect": "Allow",
708
+ "Principal": {
709
+ "Service": "lambda.amazonaws.com"
710
+ }
711
+ }
712
+ ],
713
+ "Version": "2012-10-17"
714
+ },
715
+ "Policies": [
716
+ {
717
+ "PolicyDocument": {
718
+ "Statement": [
719
+ {
720
+ "Action": [
721
+ "logs:CreateLogGroup",
722
+ "logs:CreateLogStream",
723
+ "logs:PutLogEvents"
724
+ ],
725
+ "Effect": "Allow",
726
+ "Resource": {
727
+ "Fn::Join": [
728
+ "",
729
+ [
730
+ "arn:",
731
+ {
732
+ "Ref": "AWS::Partition"
733
+ },
734
+ ":logs:",
735
+ {
736
+ "Ref": "AWS::Region"
737
+ },
738
+ ":",
739
+ {
740
+ "Ref": "AWS::AccountId"
741
+ },
742
+ ":log-group:/aws/lambda/*"
743
+ ]
744
+ ]
745
+ }
746
+ }
747
+ ],
748
+ "Version": "2012-10-17"
749
+ },
750
+ "PolicyName": "LambdaFunctionServiceRolePolicy"
751
+ }
752
+ ]
753
+ }
754
+ },
755
+ "testlambdasecretsmanagerstackLambdaFunctionServiceRoleDefaultPolicy2F46FC5F": {
756
+ "Type": "AWS::IAM::Policy",
757
+ "Properties": {
758
+ "PolicyDocument": {
759
+ "Statement": [
760
+ {
761
+ "Action": [
762
+ "ec2:AssignPrivateIpAddresses",
763
+ "ec2:CreateNetworkInterface",
764
+ "ec2:DeleteNetworkInterface",
765
+ "ec2:DescribeNetworkInterfaces",
766
+ "ec2:UnassignPrivateIpAddresses",
767
+ "xray:PutTelemetryRecords",
768
+ "xray:PutTraceSegments"
769
+ ],
770
+ "Effect": "Allow",
771
+ "Resource": "*"
772
+ },
773
+ {
774
+ "Action": [
775
+ "secretsmanager:DescribeSecret",
776
+ "secretsmanager:GetSecretValue"
777
+ ],
778
+ "Effect": "Allow",
779
+ "Resource": {
780
+ "Ref": "testlambdasecretsmanagerstacksecretC2FCB96E"
781
+ }
782
+ }
783
+ ],
784
+ "Version": "2012-10-17"
785
+ },
786
+ "PolicyName": "testlambdasecretsmanagerstackLambdaFunctionServiceRoleDefaultPolicy2F46FC5F",
787
+ "Roles": [
788
+ {
789
+ "Ref": "testlambdasecretsmanagerstackLambdaFunctionServiceRole4FE7A9C6"
790
+ }
791
+ ]
792
+ },
793
+ "Metadata": {
794
+ "cfn_nag": {
795
+ "rules_to_suppress": [
796
+ {
797
+ "id": "W12",
798
+ "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC."
799
+ }
800
+ ]
801
+ }
802
+ }
803
+ },
804
+ "testlambdasecretsmanagerstackReplaceDefaultSecurityGroupsecuritygroupBBE9275E": {
805
+ "Type": "AWS::EC2::SecurityGroup",
806
+ "Properties": {
807
+ "GroupDescription": "lamsec-deployFunctionWithExistingVpc/test-lambda-secretsmanager-stack/ReplaceDefaultSecurityGroup-security-group",
808
+ "SecurityGroupEgress": [
809
+ {
810
+ "CidrIp": "0.0.0.0/0",
811
+ "Description": "Allow all outbound traffic by default",
812
+ "IpProtocol": "-1"
813
+ }
814
+ ],
815
+ "VpcId": {
816
+ "Ref": "Vpc8378EB38"
817
+ }
818
+ },
819
+ "Metadata": {
820
+ "cfn_nag": {
821
+ "rules_to_suppress": [
822
+ {
823
+ "id": "W5",
824
+ "reason": "Egress of 0.0.0.0/0 is default and generally considered OK"
825
+ },
826
+ {
827
+ "id": "W40",
828
+ "reason": "Egress IPProtocol of -1 is default and generally considered OK"
829
+ }
830
+ ]
831
+ }
832
+ }
833
+ },
834
+ "testlambdasecretsmanagerstackLambdaFunction2DDE520A": {
835
+ "Type": "AWS::Lambda::Function",
836
+ "Properties": {
837
+ "Code": {
838
+ "S3Bucket": {
839
+ "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
840
+ },
841
+ "S3Key": "0c3255e93ffe7a906c7422e9f0e9cc4c7fd86ee996ee3bb302e2f134b38463c8.zip"
842
+ },
843
+ "Environment": {
844
+ "Variables": {
845
+ "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1",
846
+ "SECRET_ARN": {
847
+ "Ref": "testlambdasecretsmanagerstacksecretC2FCB96E"
848
+ }
849
+ }
850
+ },
851
+ "Handler": "index.handler",
852
+ "Role": {
853
+ "Fn::GetAtt": [
854
+ "testlambdasecretsmanagerstackLambdaFunctionServiceRole4FE7A9C6",
855
+ "Arn"
856
+ ]
857
+ },
858
+ "Runtime": "nodejs16.x",
859
+ "TracingConfig": {
860
+ "Mode": "Active"
861
+ },
862
+ "VpcConfig": {
863
+ "SecurityGroupIds": [
864
+ {
865
+ "Fn::GetAtt": [
866
+ "testlambdasecretsmanagerstackReplaceDefaultSecurityGroupsecuritygroupBBE9275E",
867
+ "GroupId"
868
+ ]
869
+ }
870
+ ],
871
+ "SubnetIds": [
872
+ {
873
+ "Ref": "VpcPrivateSubnet1Subnet536B997A"
874
+ },
875
+ {
876
+ "Ref": "VpcPrivateSubnet2Subnet3788AAA1"
877
+ }
878
+ ]
879
+ }
880
+ },
881
+ "DependsOn": [
882
+ "testlambdasecretsmanagerstackLambdaFunctionServiceRoleDefaultPolicy2F46FC5F",
883
+ "testlambdasecretsmanagerstackLambdaFunctionServiceRole4FE7A9C6",
884
+ "VpcPrivateSubnet1DefaultRouteBE02A9ED",
885
+ "VpcPrivateSubnet1RouteTableAssociation70C59FA6",
886
+ "VpcPrivateSubnet2DefaultRoute060D2087",
887
+ "VpcPrivateSubnet2RouteTableAssociationA89CAD56"
888
+ ],
889
+ "Metadata": {
890
+ "cfn_nag": {
891
+ "rules_to_suppress": [
892
+ {
893
+ "id": "W58",
894
+ "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions."
895
+ },
896
+ {
897
+ "id": "W89",
898
+ "reason": "This is not a rule for the general case, just for specific use cases/industries"
899
+ },
900
+ {
901
+ "id": "W92",
902
+ "reason": "Impossible for us to define the correct concurrency for clients"
903
+ }
904
+ ]
905
+ }
906
+ }
907
+ },
908
+ "testlambdasecretsmanagerstacksecretC2FCB96E": {
909
+ "Type": "AWS::SecretsManager::Secret",
910
+ "Properties": {
911
+ "GenerateSecretString": {}
912
+ },
913
+ "UpdateReplacePolicy": "Delete",
914
+ "DeletionPolicy": "Delete",
915
+ "Metadata": {
916
+ "cfn_nag": {
917
+ "rules_to_suppress": [
918
+ {
919
+ "id": "W77",
920
+ "reason": "We allow the use of the AWS account default key aws/secretsmanager for secret encryption."
921
+ }
922
+ ]
923
+ }
924
+ }
925
+ },
926
+ "lamsecdeployFunctionWithExistingVpcSECRETSMANAGERsecuritygroup30E54F0F": {
927
+ "Type": "AWS::EC2::SecurityGroup",
928
+ "Properties": {
929
+ "GroupDescription": "lamsec-deployFunctionWithExistingVpc/lamsec-deployFunctionWithExistingVpc-SECRETS_MANAGER-security-group",
930
+ "SecurityGroupEgress": [
931
+ {
932
+ "CidrIp": "0.0.0.0/0",
933
+ "Description": "Allow all outbound traffic by default",
934
+ "IpProtocol": "-1"
935
+ }
936
+ ],
937
+ "SecurityGroupIngress": [
938
+ {
939
+ "CidrIp": {
940
+ "Fn::GetAtt": [
941
+ "Vpc8378EB38",
942
+ "CidrBlock"
943
+ ]
944
+ },
945
+ "Description": {
946
+ "Fn::Join": [
947
+ "",
948
+ [
949
+ "from ",
950
+ {
951
+ "Fn::GetAtt": [
952
+ "Vpc8378EB38",
953
+ "CidrBlock"
954
+ ]
955
+ },
956
+ ":443"
957
+ ]
958
+ ]
959
+ },
960
+ "FromPort": 443,
961
+ "IpProtocol": "tcp",
962
+ "ToPort": 443
963
+ }
964
+ ],
965
+ "VpcId": {
966
+ "Ref": "Vpc8378EB38"
967
+ }
968
+ },
969
+ "Metadata": {
970
+ "cfn_nag": {
971
+ "rules_to_suppress": [
972
+ {
973
+ "id": "W5",
974
+ "reason": "Egress of 0.0.0.0/0 is default and generally considered OK"
975
+ },
976
+ {
977
+ "id": "W40",
978
+ "reason": "Egress IPProtocol of -1 is default and generally considered OK"
979
+ }
980
+ ]
981
+ }
982
+ }
983
+ }
984
+ },
985
+ "Parameters": {
986
+ "BootstrapVersion": {
987
+ "Type": "AWS::SSM::Parameter::Value<String>",
988
+ "Default": "/cdk-bootstrap/hnb659fds/version",
989
+ "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
990
+ }
991
+ },
992
+ "Rules": {
993
+ "CheckBootstrapVersion": {
994
+ "Assertions": [
995
+ {
996
+ "Assert": {
997
+ "Fn::Not": [
998
+ {
999
+ "Fn::Contains": [
1000
+ [
1001
+ "1",
1002
+ "2",
1003
+ "3",
1004
+ "4",
1005
+ "5"
1006
+ ],
1007
+ {
1008
+ "Ref": "BootstrapVersion"
1009
+ }
1010
+ ]
1011
+ }
1012
+ ]
1013
+ },
1014
+ "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
1015
+ }
1016
+ ]
1017
+ }
1018
+ }
1019
+ }