@gradientedge/cdk-utils 8.155.0 → 8.156.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/src/lib/aws/construct/lambda-with-iam-access/main.js +57 -11
- package/dist/src/lib/aws/construct/lambda-with-iam-access/types.d.ts +5 -1
- package/package.json +1 -1
- package/src/lib/aws/construct/lambda-with-iam-access/main.ts +72 -13
- package/src/lib/aws/construct/lambda-with-iam-access/types.ts +5 -1
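--- a/package/dist/src/lib/aws/construct/lambda-with-iam-access/main.js
+++ b/package/dist/src/lib/aws/construct/lambda-with-iam-access/main.js
@@ -4,10 +4,14 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.LambdaWithIamAccess = void 0;
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const aws_ec2_1 = require("aws-cdk-lib/aws-ec2");
 const aws_iam_1 = require("aws-cdk-lib/aws-iam");
+const aws_lambda_1 = require("aws-cdk-lib/aws-lambda");
 const aws_secretsmanager_1 = require("aws-cdk-lib/aws-secretsmanager");
 const lodash_1 = __importDefault(require("lodash"));
 const common_1 = require("../../common");
+const services_1 = require("../../services");
 /**
 * @classdesc Provides a construct to create a lambda function with IAM access
 * @example
@@ -31,7 +35,7 @@ class LambdaWithIamAccess extends common_1.CommonConstruct {
 lambdaPolicy;
 lambdaRole;
 lambdaEnvironment;
-lambdaLayers;
+lambdaLayers = [];
 lambdaFunction;
 lambdaIamUser;
 lambdaUserAccessKey;
@@ -63,8 +67,18 @@ class LambdaWithIamAccess extends common_1.CommonConstruct {
 this.createIamUserForLambdaFunction();
 this.createIamSecretForLambdaFunction();
 }
-resolveVpc() {
-
+resolveVpc() {
+if (this.props.vpcName) {
+this.lambdaVpc = this.vpcManager.retrieveCommonVpc(`${this.id}-vpc`, this, this.props.vpcName);
+}
+}
+resolveSecurityGroups() {
+if (this.props.securityGroupExportName) {
+const lambdaSecurityGroup = aws_ec2_1.SecurityGroup.fromSecurityGroupId(this, `${this.id}-security-group`, aws_cdk_lib_1.Fn.importValue(this.props.securityGroupExportName));
+this.addCfnOutput(`${this.id}-sg`, lambdaSecurityGroup.securityGroupId);
+this.lambdaSecurityGroups = [lambdaSecurityGroup];
+}
+}
 resolveAccessPoint() { }
 resolveMountPath() { }
 resolveVpcSubnets() { }
@@ -73,14 +87,20 @@ class LambdaWithIamAccess extends common_1.CommonConstruct {
 */
 createLambdaPolicy() {
 this.lambdaPolicy = new aws_iam_1.PolicyDocument({
-statements: [this.iamManager.statementForCreateAnyLogStream()],
+statements: [this.iamManager.statementForCreateAnyLogStream(), this.iamManager.statementForPutXrayTelemetry()],
 });
+if (this.props.configEnabled) {
+this.lambdaPolicy.addStatements(this.iamManager.statementForReadAnyAppConfig(), this.iamManager.statementForAppConfigExecution());
+}
 }
 /**
 * @summary Method to create iam role for Lambda function
 */
 createLambdaRole() {
 this.lambdaRole = this.iamManager.createRoleForLambda(`${this.id}-lambda-role`, this, this.lambdaPolicy);
+if (this.props.vpcName) {
+this.lambdaRole.addManagedPolicy(aws_iam_1.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole'));
+}
 }
 /**
 * @summary Method to create environment variables for Lambda function
@@ -97,17 +117,26 @@ class LambdaWithIamAccess extends common_1.CommonConstruct {
 */
 createLambdaLayers() {
 const layers = [];
-if (
-
-
-
-
-
+if (this.props.lambdaLayerSources) {
+lodash_1.default.forEach(this.props.lambdaLayerSources, (source, index) => {
+layers.push(this.lambdaManager.createLambdaLayer(`${this.id}-layer-${index}`, this, source));
+});
+this.lambdaLayers = layers;
+}
+if (this.props.configEnabled) {
+const appConfigExtensionLayer = aws_lambda_1.LayerVersion.fromLayerVersionArn(this, `${this.id}-ac-extlayer`, this.appConfigManager.getArnForAppConfigExtension(this, services_1.Architecture.ARM_64));
+this.lambdaLayers.push(appConfigExtensionLayer);
+}
 }
 /**
 * @summary Method to create lambda function
 */
 createLambdaFunction() {
+if (this.props.lambdaInsightsVersion) {
+lodash_1.default.assign(this.props.lambda, {
+insightsVersion: this.props.lambdaInsightsVersion,
+});
+}
 this.lambdaFunction = this.lambdaManager.createLambdaFunction(`${this.id}-lambda`, this, this.props.lambda, this.lambdaRole, this.lambdaLayers, this.props.lambdaSource, this.props.lambdaHandler || 'index.handler', this.lambdaEnvironment, this.lambdaVpc, this.lambdaSecurityGroups, this.lambdaAccessPoint, this.lambdaMountPath, this.lambdaVpcSubnets);
 }
 /**
@@ -122,11 +151,28 @@ class LambdaWithIamAccess extends common_1.CommonConstruct {
 statements: [
 new aws_iam_1.PolicyStatement({
 actions: ['lambda:InvokeFunction'],
-resources: [this.lambdaFunction.functionArn],
+resources: [this.lambdaFunction.functionArn, `${this.lambdaFunction.functionArn}*`],
 }),
 ],
 users: [this.lambdaIamUser],
 });
+if (this.props.lambda.lambdaAliases && !lodash_1.default.isEmpty(this.props.lambda.lambdaAliases)) {
+lodash_1.default.forEach(this.props.lambda.lambdaAliases, (alias, index) => {
+new aws_iam_1.Policy(this, `${this.id}-alias-user-policy`, {
+policyName: `${this.id}-alias-policy-${index}-${this.props.stage}`,
+statements: [
+new aws_iam_1.PolicyStatement({
+actions: ['lambda:InvokeFunction'],
+resources: [
+aws_cdk_lib_1.Fn.importValue(`${this.id}-${alias.aliasName}AliasArn`),
+`${aws_cdk_lib_1.Fn.importValue(`${this.id}-${alias.aliasName}AliasArn`)}*`,
+],
+}),
+],
+users: [this.lambdaIamUser],
+});
+});
+}
 this.lambdaUserAccessKey = new aws_iam_1.CfnAccessKey(this, `${this.id}-access-key-${this.props.stage}`, {
 userName: this.lambdaIamUser.userName,
 });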
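--- a/package/dist/src/lib/aws/construct/lambda-with-iam-access/types.d.ts
+++ b/package/dist/src/lib/aws/construct/lambda-with-iam-access/types.d.ts
@@ -1,16 +1,20 @@
-import { AssetCode } from 'aws-cdk-lib/aws-lambda';
+import { AssetCode, LambdaInsightsVersion } from 'aws-cdk-lib/aws-lambda';
 import { SecretProps } from 'aws-cdk-lib/aws-secretsmanager';
 import { CommonStackProps } from '../../common';
 import { LambdaEnvironment, LambdaProps } from '../../services';
 export interface LambdaWithIamAccessProps extends CommonStackProps {
+configEnabled?: boolean;
 lambda: LambdaProps;
 lambdaHandler?: string;
+lambdaInsightsVersion?: LambdaInsightsVersion;
 lambdaLayerSources: AssetCode[];
 lambdaSecret: SecretProps;
 lambdaSource: AssetCode;
 logLevel: string;
 nodeEnv: string;
+securityGroupExportName?: string;
 timezone: string;
+vpcName?: string;
 }
 export interface LambdaWithIamAccessEnvironment extends LambdaEnvironment {
 }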
package/package.json
CHANGED
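--- a/package/src/lib/aws/construct/lambda-with-iam-access/main.ts
+++ b/package/src/lib/aws/construct/lambda-with-iam-access/main.ts
@@ -1,11 +1,13 @@
-import {
+import { Fn } from 'aws-cdk-lib'
+import { ISecurityGroup, IVpc, SecurityGroup, SubnetSelection } from 'aws-cdk-lib/aws-ec2'
 import { IAccessPoint } from 'aws-cdk-lib/aws-efs'
-import { CfnAccessKey, Policy, PolicyDocument, PolicyStatement, Role, User } from 'aws-cdk-lib/aws-iam'
+import { CfnAccessKey, ManagedPolicy, Policy, PolicyDocument, PolicyStatement, Role, User } from 'aws-cdk-lib/aws-iam'
 import { AssetCode, IFunction, ILayerVersion, LayerVersion } from 'aws-cdk-lib/aws-lambda'
 import { CfnSecret, Secret } from 'aws-cdk-lib/aws-secretsmanager'
 import { Construct } from 'constructs'
 import _ from 'lodash'
 import { CommonConstruct } from '../../common'
+import { Architecture } from '../../services'
 import { LambdaWithIamAccessEnvironment, LambdaWithIamAccessProps } from './types'
 
 /**
@@ -32,7 +34,7 @@ export class LambdaWithIamAccess extends CommonConstruct {
 lambdaPolicy: PolicyDocument
 lambdaRole: Role
 lambdaEnvironment: LambdaWithIamAccessEnvironment
-lambdaLayers: ILayerVersion[]
+lambdaLayers: ILayerVersion[] = []
 lambdaFunction: IFunction
 lambdaIamUser: User
 lambdaUserAccessKey: CfnAccessKey
@@ -68,9 +70,23 @@ export class LambdaWithIamAccess extends CommonConstruct {
 this.createIamSecretForLambdaFunction()
 }
 
-protected resolveVpc() {
+protected resolveVpc() {
+if (this.props.vpcName) {
+this.lambdaVpc = this.vpcManager.retrieveCommonVpc(`${this.id}-vpc`, this, this.props.vpcName)
+}
+}
 
-protected resolveSecurityGroups() {
+protected resolveSecurityGroups() {
+if (this.props.securityGroupExportName) {
+const lambdaSecurityGroup = SecurityGroup.fromSecurityGroupId(
+this,
+`${this.id}-security-group`,
+Fn.importValue(this.props.securityGroupExportName)
+)
+this.addCfnOutput(`${this.id}-sg`, lambdaSecurityGroup.securityGroupId)
+this.lambdaSecurityGroups = [lambdaSecurityGroup]
+}
+}
 
 protected resolveAccessPoint() {}
 
@@ -83,8 +99,14 @@ export class LambdaWithIamAccess extends CommonConstruct {
 */
 protected createLambdaPolicy() {
 this.lambdaPolicy = new PolicyDocument({
-statements: [this.iamManager.statementForCreateAnyLogStream()],
+statements: [this.iamManager.statementForCreateAnyLogStream(), this.iamManager.statementForPutXrayTelemetry()],
 })
+if (this.props.configEnabled) {
+this.lambdaPolicy.addStatements(
+this.iamManager.statementForReadAnyAppConfig(),
+this.iamManager.statementForAppConfigExecution()
+)
+}
 }
 
 /**
@@ -92,6 +114,11 @@ export class LambdaWithIamAccess extends CommonConstruct {
 */
 protected createLambdaRole() {
 this.lambdaRole = this.iamManager.createRoleForLambda(`${this.id}-lambda-role`, this, this.lambdaPolicy)
+if (this.props.vpcName) {
+this.lambdaRole.addManagedPolicy(
+ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole')
+)
+}
 }
 
 /**
@@ -111,19 +138,33 @@ export class LambdaWithIamAccess extends CommonConstruct {
 protected createLambdaLayers() {
 const layers: LayerVersion[] = []
 
-if (
-
-
-
-
+if (this.props.lambdaLayerSources) {
+_.forEach(this.props.lambdaLayerSources, (source: AssetCode, index: number) => {
+layers.push(this.lambdaManager.createLambdaLayer(`${this.id}-layer-${index}`, this, source))
+})
+this.lambdaLayers = layers
+}
 
-this.
+if (this.props.configEnabled) {
+const appConfigExtensionLayer = LayerVersion.fromLayerVersionArn(
+this,
+`${this.id}-ac-extlayer`,
+this.appConfigManager.getArnForAppConfigExtension(this, Architecture.ARM_64)
+)
+this.lambdaLayers.push(appConfigExtensionLayer)
+}
 }
 
 /**
 * @summary Method to create lambda function
 */
 protected createLambdaFunction() {
+if (this.props.lambdaInsightsVersion) {
+_.assign(this.props.lambda, {
+insightsVersion: this.props.lambdaInsightsVersion,
+})
+}
+
 this.lambdaFunction = this.lambdaManager.createLambdaFunction(
 `${this.id}-lambda`,
 this,
@@ -154,12 +195,30 @@ export class LambdaWithIamAccess extends CommonConstruct {
 statements: [
 new PolicyStatement({
 actions: ['lambda:InvokeFunction'],
-resources: [this.lambdaFunction.functionArn],
+resources: [this.lambdaFunction.functionArn, `${this.lambdaFunction.functionArn}*`],
 }),
 ],
 users: [this.lambdaIamUser],
 })
 
+if (this.props.lambda.lambdaAliases && !_.isEmpty(this.props.lambda.lambdaAliases)) {
+_.forEach(this.props.lambda.lambdaAliases, (alias, index) => {
+new Policy(this, `${this.id}-alias-user-policy`, {
+policyName: `${this.id}-alias-policy-${index}-${this.props.stage}`,
+statements: [
+new PolicyStatement({
+actions: ['lambda:InvokeFunction'],
+resources: [
+Fn.importValue(`${this.id}-${alias.aliasName}AliasArn`),
+`${Fn.importValue(`${this.id}-${alias.aliasName}AliasArn`)}*`,
+],
+}),
+],
+users: [this.lambdaIamUser],
+})
+})
+}
+
 this.lambdaUserAccessKey = new CfnAccessKey(this, `${this.id}-access-key-${this.props.stage}`, {
 userName: this.lambdaIamUser.userName,
 })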
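Review bot: In the `lambda:InvokeFunction` statements of the last hunk, the added `${this.lambdaFunction.functionArn}*` (and the matching `${Fn.importValue(...)}*` for aliases) is broader than the qualified ARNs it presumably targets: an IAM `*` appended directly to a function ARN also matches any other function in the account whose name begins with this one, so the IAM user gets invoke rights on those as well. If the aim is to cover versions and aliases, `resources: [this.lambdaFunction.functionArn, `${this.lambdaFunction.functionArn}:*`],` is the least-privilege form, and the same `:*` applies to the alias import. Separately, `new Policy(this, `${this.id}-alias-user-policy`, {` is created inside `_.forEach` over the aliases with a construct id that omits `index`, so a second alias would reuse the id of the first and CDK rejects duplicate construct ids under one scope; `new Policy(this, `${this.id}-alias-user-policy-${index}`, {` matches the `policyName` built on the next line. The enclosing method starts outside the hunk, and the compiled `dist/.../main.js` section carries the same lines.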
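--- a/package/src/lib/aws/construct/lambda-with-iam-access/types.ts
+++ b/package/src/lib/aws/construct/lambda-with-iam-access/types.ts
@@ -1,17 +1,21 @@
-import { AssetCode } from 'aws-cdk-lib/aws-lambda'
+import { AssetCode, LambdaInsightsVersion } from 'aws-cdk-lib/aws-lambda'
 import { SecretProps } from 'aws-cdk-lib/aws-secretsmanager'
 import { CommonStackProps } from '../../common'
 import { LambdaEnvironment, LambdaProps } from '../../services'
 
 export interface LambdaWithIamAccessProps extends CommonStackProps {
+configEnabled?: boolean
 lambda: LambdaProps
 lambdaHandler?: string
+lambdaInsightsVersion?: LambdaInsightsVersion
 lambdaLayerSources: AssetCode[]
 lambdaSecret: SecretProps
 lambdaSource: AssetCode
 logLevel: string
 nodeEnv: string
+securityGroupExportName?: string
 timezone: string
+vpcName?: string
 }
 
 export interface LambdaWithIamAccessEnvironment extends LambdaEnvironment {}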
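Review bot: The four new optional members of `LambdaWithIamAccessProps` (`configEnabled`, `lambdaInsightsVersion`, `securityGroupExportName`, `vpcName`) carry no JSDoc, and `securityGroupExportName` in particular is easy to misread, since the construct resolves it with `Fn.importValue` rather than treating it as a security group id. A one-line `/** CloudFormation export name whose value is the id of the security group attached to the function */` above it, plus similar lines stating that `vpcName` is looked up through the VPC manager and that `configEnabled` adds the AppConfig extension layer and AppConfig policy statements, would make the contract clear at the type. The generated `types.d.ts` in this release mirrors these fields and would pick the comments up on the next build.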