@gradientedge/cdk-utils 8.83.0 → 8.85.0

package/dist/src/lib/construct/api-to-eventbridge-target/main.d.ts

@@ -105,6 +105,7 @@ export declare class ApiToEventBridgeTarget extends CommonConstruct {
      * @protected
      */
     protected createApiToEventBridgeTargetMethodErrorResponse(): void;
+    protected createApiToEventBridgeTargetRestApiLogGroup(): void;
     /**
      * @summary Method to create rest restApi for Api
      * @protected

package/dist/src/lib/construct/api-to-eventbridge-target/main.js

@@ -90,6 +90,7 @@ class ApiToEventBridgeTarget extends common_1.CommonConstruct {
         this.createApiToEventBridgeTargetIntegrationResponse();
         this.createApiToEventBridgeTargetIntegrationErrorResponse();
         this.createApiToEventBridgeTargetIntegration();
+        this.createApiToEventBridgeTargetRestApiLogGroup();
         this.createApiToEventBridgeTargetRestApi();
         this.createApiToEventBridgeTargetResource();
         this.createApiToEventBridgeTargetResponseModel();
@@ -339,6 +340,12 @@ class ApiToEventBridgeTarget extends common_1.CommonConstruct {
             ...this.props.api.methodErrorResponse,
         };
     }
+    createApiToEventBridgeTargetRestApiLogGroup() {
+        this.apiToEventBridgeTargetRestApi.accessLogGroup = this.logManager.createLogGroup(`${this.id}-rest-api-access-log`, this, {
+            logGroupName: `/custom/api/${this.id}-rest-api-access`,
+            removalPolicy: cdk.RemovalPolicy.DESTROY,
+        });
+    }
     /**
      * @summary Method to create rest restApi for Api
      * @protected
@@ -348,10 +355,6 @@ class ApiToEventBridgeTarget extends common_1.CommonConstruct {
             this.apiToEventBridgeTargetRestApi.api = apig.RestApi.fromRestApiId(this, `${this.id}-rest-api`, cdk.Fn.importValue(this.props.api.importedRestApiRef));
             return;
         }
-        const accessLogGroup = this.logManager.createLogGroup(`${this.id}-rest-api-access-log`, this, {
-            logGroupName: `/custom/api/${this.id}-rest-api-access`,
-            removalPolicy: cdk.RemovalPolicy.DESTROY,
-        });
         this.apiToEventBridgeTargetRestApi.api = new apig.RestApi(this, `${this.id}-rest-api`, {
             ...{
                 cloudWatchRole: this.props.api.restApi?.cloudWatchRole ?? true,
@@ -370,7 +373,7 @@ class ApiToEventBridgeTarget extends common_1.CommonConstruct {
                     loggingLevel: apig.MethodLoggingLevel.INFO,
                     metricsEnabled: true,
                     stageName: this.props.stage,
-                    accessLogDestination: new apig.LogGroupLogDestination(accessLogGroup),
+                    accessLogDestination: new apig.LogGroupLogDestination(this.apiToEventBridgeTargetRestApi.accessLogGroup),
                     accessLogFormat: apig.AccessLogFormat.jsonWithStandardFields(),
                 },
                 endpointConfiguration: {

package/dist/src/lib/construct/index.d.ts

@@ -3,6 +3,7 @@ export * from './api-to-eventbridge-target-with-sns';
 export * from './api-to-lambda-target';
 export * from './graphql-api-lambda';
 export * from './graphql-api-lambda-with-cache';
+export * from './lambda-with-iam-access';
 export * from './rest-api-lambda';
 export * from './rest-api-lambda-with-cache';
 export * from './site-with-ecs-backend';

package/dist/src/lib/construct/index.js

@@ -19,6 +19,7 @@ __exportStar(require("./api-to-eventbridge-target-with-sns"), exports);
 __exportStar(require("./api-to-lambda-target"), exports);
 __exportStar(require("./graphql-api-lambda"), exports);
 __exportStar(require("./graphql-api-lambda-with-cache"), exports);
+__exportStar(require("./lambda-with-iam-access"), exports);
 __exportStar(require("./rest-api-lambda"), exports);
 __exportStar(require("./rest-api-lambda-with-cache"), exports);
 __exportStar(require("./site-with-ecs-backend"), exports);

package/dist/src/lib/construct/lambda-with-iam-access/index.d.ts

@@ -0,0 +1,2 @@
+export * from './main';
+export * from './types';

package/dist/src/lib/construct/lambda-with-iam-access/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./main"), exports);
+__exportStar(require("./types"), exports);

package/dist/src/lib/construct/lambda-with-iam-access/main.d.ts

@@ -0,0 +1,78 @@
+import { CommonConstruct } from '../../common';
+import { Construct } from 'constructs';
+import { LambdaWithIamAccessEnvironment, LambdaWithIamAccessProps } from './types';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager';
+/**
+ * @category cdk-utils.lambda-with-iam-access
+ * @subcategory construct
+ * @classdesc Provides a construct to create a lambda function with IAM access
+ *
+ * @example
+ * import { LambdaWithIamAccess, LambdaWithIamAccessProps } '@gradientedge/cdk-utils'
+ * import { Construct } from 'constructs'
+ *
+ * class CustomConstruct extends LambdaWithIamAccess {
+ *   constructor(parent: Construct, id: string, props: LambdaWithIamAccessProps) {
+ *     super(parent, id, props)
+ *     this.props = props
+ *     this.id = id
+ *     this.initResources()
+ *   }
+ * }
+ * @mixin
+ */
+export declare class LambdaWithIamAccess extends CommonConstruct {
+    props: LambdaWithIamAccessProps;
+    id: string;
+    lambdaPolicy: iam.PolicyDocument;
+    lambdaRole: iam.Role;
+    lambdaEnvironment: LambdaWithIamAccessEnvironment;
+    lambdaLayers: lambda.LayerVersion[];
+    lambdaFunction: lambda.Function;
+    lambdaIamUser: iam.User;
+    lambdaUserAccessKey: iam.CfnAccessKey;
+    lambdaUserAccessSecret: secretsManager.Secret;
+    protected constructor(parent: Construct, id: string, props: LambdaWithIamAccessProps);
+    /**
+     * @summary Initialise and provision resources
+     * @protected
+     */
+    initResources(): void;
+    /**
+     * @summary Method to create iam policy for Lambda function
+     * @protected
+     */
+    protected createLambdaPolicy(): void;
+    /**
+     * @summary Method to create iam role for Lambda function
+     * @protected
+     */
+    protected createLambdaRole(): void;
+    /**
+     * @summary Method to create environment variables for Lambda function
+     * @protected
+     */
+    protected createLambdaEnvironment(): void;
+    /**
+     * @summary Method to create layers for Lambda function
+     * @protected
+     */
+    protected createLambdaLayers(): void;
+    /**
+     * @summary Method to create lambda function
+     * @protected
+     */
+    protected createLambdaFunction(): void;
+    /**
+     * @summary Method to create iam user for the lambda function
+     * @protected
+     */
+    protected createIamUserForLambdaFunction(): void;
+    /**
+     * @summary Method to create iam secret for the lambda function
+     * @protected
+     */
+    protected createIamSecretForLambdaFunction(): void;
+}

package/dist/src/lib/construct/lambda-with-iam-access/main.js

@@ -0,0 +1,160 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LambdaWithIamAccess = void 0;
+const common_1 = require("../../common");
+const iam = __importStar(require("aws-cdk-lib/aws-iam"));
+const secretsManager = __importStar(require("aws-cdk-lib/aws-secretsmanager"));
+/**
+ * @category cdk-utils.lambda-with-iam-access
+ * @subcategory construct
+ * @classdesc Provides a construct to create a lambda function with IAM access
+ *
+ * @example
+ * import { LambdaWithIamAccess, LambdaWithIamAccessProps } '@gradientedge/cdk-utils'
+ * import { Construct } from 'constructs'
+ *
+ * class CustomConstruct extends LambdaWithIamAccess {
+ *   constructor(parent: Construct, id: string, props: LambdaWithIamAccessProps) {
+ *     super(parent, id, props)
+ *     this.props = props
+ *     this.id = id
+ *     this.initResources()
+ *   }
+ * }
+ * @mixin
+ */
+class LambdaWithIamAccess extends common_1.CommonConstruct {
+    /* LambdaWithIamAccess props */
+    props;
+    id;
+    /* LambdaWithIamAccess resources */
+    lambdaPolicy;
+    lambdaRole;
+    lambdaEnvironment;
+    lambdaLayers;
+    lambdaFunction;
+    lambdaIamUser;
+    lambdaUserAccessKey;
+    lambdaUserAccessSecret;
+    constructor(parent, id, props) {
+        super(parent, id, props);
+        this.props = props;
+        this.id = id;
+    }
+    /**
+     * @summary Initialise and provision resources
+     * @protected
+     */
+    initResources() {
+        this.createLambdaPolicy();
+        this.createLambdaRole();
+        this.createLambdaEnvironment();
+        this.createLambdaLayers();
+        this.createLambdaFunction();
+        this.createIamUserForLambdaFunction();
+        this.createIamSecretForLambdaFunction();
+    }
+    /**
+     * @summary Method to create iam policy for Lambda function
+     * @protected
+     */
+    createLambdaPolicy() {
+        this.lambdaPolicy = new iam.PolicyDocument({
+            statements: [this.iamManager.statementForCreateAnyLogStream()],
+        });
+    }
+    /**
+     * @summary Method to create iam role for Lambda function
+     * @protected
+     */
+    createLambdaRole() {
+        this.lambdaRole = this.iamManager.createRoleForLambda(`${this.id}-lambda-role`, this, this.lambdaPolicy);
+    }
+    /**
+     * @summary Method to create environment variables for Lambda function
+     * @protected
+     */
+    createLambdaEnvironment() {
+        this.lambdaEnvironment = {
+            NODE_ENV: this.props.nodeEnv,
+            LOG_LEVEL: this.props.logLevel,
+            TZ: this.props.timezone,
+        };
+    }
+    /**
+     * @summary Method to create layers for Lambda function
+     * @protected
+     */
+    createLambdaLayers() {
+        const layers = [];
+        if (!this.props.lambdaLayerSources)
+            return;
+        this.props.lambdaLayerSources.forEach((source, index) => {
+            layers.push(this.lambdaManager.createLambdaLayer(`${this.id}-layer-${index}`, this, source));
+        });
+        this.lambdaLayers = layers;
+    }
+    /**
+     * @summary Method to create lambda function
+     * @protected
+     */
+    createLambdaFunction() {
+        this.lambdaFunction = this.lambdaManager.createLambdaFunction(`${this.id}-lambda`, this, this.props.lambda, this.lambdaRole, this.lambdaLayers, this.props.lambdaSource, this.props.lambdaHandler || 'index.handler', this.lambdaEnvironment);
+    }
+    /**
+     * @summary Method to create iam user for the lambda function
+     * @protected
+     */
+    createIamUserForLambdaFunction() {
+        this.lambdaIamUser = new iam.User(this, `${this.id}-lambda-user`, {
+            userName: `${this.id}-user-${this.props.stage}`,
+        });
+        new iam.Policy(this, `${this.id}-lambda-user-policy`, {
+            policyName: `${this.id}-policy-${this.props.stage}`,
+            statements: [
+                new iam.PolicyStatement({
+                    resources: [this.lambdaFunction.functionArn],
+                    actions: ['lambda:InvokeFunction'],
+                }),
+            ],
+            users: [this.lambdaIamUser],
+        });
+        this.lambdaUserAccessKey = new iam.CfnAccessKey(this, `${this.id}-access-key-${this.props.stage}`, {
+            userName: this.lambdaIamUser.userName,
+        });
+    }
+    /**
+     * @summary Method to create iam secret for the lambda function
+     * @protected
+     */
+    createIamSecretForLambdaFunction() {
+        this.lambdaUserAccessSecret = new secretsManager.Secret(this, `${this.id}-lambda-user-secret-${this.props.stage}`, this.props.lambdaSecret);
+        const cfnSecret = this.lambdaUserAccessSecret.node.defaultChild;
+        cfnSecret.generateSecretString = undefined;
+        cfnSecret.secretString = `{ "ACCESS_KEY_ID": "${this.lambdaUserAccessKey.ref}", "ACCESS_KEY_SECRET": "${this.lambdaUserAccessKey.attrSecretAccessKey}" }`;
+    }
+}
+exports.LambdaWithIamAccess = LambdaWithIamAccess;

package/dist/src/lib/construct/lambda-with-iam-access/types.d.ts

@@ -0,0 +1,15 @@
+import { CommonStackProps, LambdaEnvironment, LambdaProps } from '../../types';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import { SecretProps } from 'aws-cdk-lib/aws-secretsmanager';
+export interface LambdaWithIamAccessProps extends CommonStackProps {
+    lambda: LambdaProps;
+    lambdaHandler?: string;
+    lambdaLayerSources: lambda.AssetCode[];
+    lambdaSecret: SecretProps;
+    lambdaSource: lambda.AssetCode;
+    logLevel: string;
+    nodeEnv: string;
+    timezone: string;
+}
+export interface LambdaWithIamAccessEnvironment extends LambdaEnvironment {
+}

package/dist/src/lib/construct/lambda-with-iam-access/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/src/lib/helper/api-to-eventbridge-target-rest-api.d.ts

@@ -1,6 +1,7 @@
 import * as apig from 'aws-cdk-lib/aws-apigateway';
 import * as acm from 'aws-cdk-lib/aws-certificatemanager';
 import * as iam from 'aws-cdk-lib/aws-iam';
+import * as logs from 'aws-cdk-lib/aws-logs';
 import * as route53 from 'aws-cdk-lib/aws-route53';
 import * as sns from 'aws-cdk-lib/aws-sns';
 import * as types from '../types/aws';
@@ -11,6 +12,7 @@ import * as types from '../types/aws';
  * @classdesc Provides a construct to contain api resources for ApiToEventBridgeTargetWithSns
  */
 export declare class ApiToEventbridgeTargetRestApi implements types.ApiToEventBridgeTargetRestApiType {
+    accessLogGroup: logs.LogGroup;
     api: apig.RestApi;
     certificate: acm.ICertificate;
     domain: apig.DomainName;

package/dist/src/lib/helper/api-to-eventbridge-target-rest-api.js

@@ -8,6 +8,7 @@ exports.ApiToEventbridgeTargetRestApi = void 0;
  * @classdesc Provides a construct to contain api resources for ApiToEventBridgeTargetWithSns
  */
 class ApiToEventbridgeTargetRestApi {
+    accessLogGroup;
     api;
     certificate;
     domain;

package/dist/src/lib/types/aws/index.d.ts

@@ -340,6 +340,7 @@ export interface ApiToEventBridgeTargetEventType {
  * @subcategory Types
  */
 export interface ApiToEventBridgeTargetRestApiType {
+    accessLogGroup: logs.LogGroup;
     api: apig.IRestApi;
     authoriser?: apig.IAuthorizer;
     certificate: acm.ICertificate;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gradientedge/cdk-utils",
-  "version": "8.83.0",
+  "version": "8.85.0",
   "description": "Utilities for AWS CDK provisioning",
   "main": "dist/index.js",
   "engines": {

package/src/lib/construct/api-to-eventbridge-target/main.ts

@@ -79,6 +79,7 @@ export class ApiToEventBridgeTarget extends CommonConstruct {
     this.createApiToEventBridgeTargetIntegrationResponse()
     this.createApiToEventBridgeTargetIntegrationErrorResponse()
     this.createApiToEventBridgeTargetIntegration()
+    this.createApiToEventBridgeTargetRestApiLogGroup()
     this.createApiToEventBridgeTargetRestApi()
     this.createApiToEventBridgeTargetResource()
     this.createApiToEventBridgeTargetResponseModel()
@@ -360,6 +361,17 @@ export class ApiToEventBridgeTarget extends CommonConstruct {
     }
   }
 
+  protected createApiToEventBridgeTargetRestApiLogGroup() {
+    this.apiToEventBridgeTargetRestApi.accessLogGroup = this.logManager.createLogGroup(
+      `${this.id}-rest-api-access-log`,
+      this,
+      {
+        logGroupName: `/custom/api/${this.id}-rest-api-access`,
+        removalPolicy: cdk.RemovalPolicy.DESTROY,
+      }
+    )
+  }
+
   /**
    * @summary Method to create rest restApi for Api
    * @protected
@@ -374,11 +386,6 @@ export class ApiToEventBridgeTarget extends CommonConstruct {
       return
     }
 
-    const accessLogGroup = this.logManager.createLogGroup(`${this.id}-rest-api-access-log`, this, {
-      logGroupName: `/custom/api/${this.id}-rest-api-access`,
-      removalPolicy: cdk.RemovalPolicy.DESTROY,
-    })
-
     this.apiToEventBridgeTargetRestApi.api = new apig.RestApi(this, `${this.id}-rest-api`, {
       ...{
         cloudWatchRole: this.props.api.restApi?.cloudWatchRole ?? true,
@@ -397,7 +404,7 @@ export class ApiToEventBridgeTarget extends CommonConstruct {
           loggingLevel: apig.MethodLoggingLevel.INFO,
           metricsEnabled: true,
           stageName: this.props.stage,
-          accessLogDestination: new apig.LogGroupLogDestination(accessLogGroup),
+          accessLogDestination: new apig.LogGroupLogDestination(this.apiToEventBridgeTargetRestApi.accessLogGroup),
           accessLogFormat: apig.AccessLogFormat.jsonWithStandardFields(),
         },
         endpointConfiguration: {

package/src/lib/construct/index.ts

@@ -3,6 +3,7 @@ export * from './api-to-eventbridge-target-with-sns'
 export * from './api-to-lambda-target'
 export * from './graphql-api-lambda'
 export * from './graphql-api-lambda-with-cache'
+export * from './lambda-with-iam-access'
 export * from './rest-api-lambda'
 export * from './rest-api-lambda-with-cache'
 export * from './site-with-ecs-backend'

package/src/lib/construct/lambda-with-iam-access/index.ts

@@ -0,0 +1,2 @@
+export * from './main'
+export * from './types'

package/src/lib/construct/lambda-with-iam-access/main.ts

@@ -0,0 +1,166 @@
+import { CommonConstruct } from '../../common'
+import { Construct } from 'constructs'
+import { LambdaWithIamAccessEnvironment, LambdaWithIamAccessProps } from './types'
+import * as iam from 'aws-cdk-lib/aws-iam'
+import * as lambda from 'aws-cdk-lib/aws-lambda'
+import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager'
+
+/**
+ * @category cdk-utils.lambda-with-iam-access
+ * @subcategory construct
+ * @classdesc Provides a construct to create a lambda function with IAM access
+ *
+ * @example
+ * import { LambdaWithIamAccess, LambdaWithIamAccessProps } '@gradientedge/cdk-utils'
+ * import { Construct } from 'constructs'
+ *
+ * class CustomConstruct extends LambdaWithIamAccess {
+ *   constructor(parent: Construct, id: string, props: LambdaWithIamAccessProps) {
+ *     super(parent, id, props)
+ *     this.props = props
+ *     this.id = id
+ *     this.initResources()
+ *   }
+ * }
+ * @mixin
+ */
+export class LambdaWithIamAccess extends CommonConstruct {
+  /* LambdaWithIamAccess props */
+  props: LambdaWithIamAccessProps
+  id: string
+
+  /* LambdaWithIamAccess resources */
+  lambdaPolicy: iam.PolicyDocument
+  lambdaRole: iam.Role
+  lambdaEnvironment: LambdaWithIamAccessEnvironment
+  lambdaLayers: lambda.LayerVersion[]
+  lambdaFunction: lambda.Function
+  lambdaIamUser: iam.User
+  lambdaUserAccessKey: iam.CfnAccessKey
+  lambdaUserAccessSecret: secretsManager.Secret
+
+  protected constructor(parent: Construct, id: string, props: LambdaWithIamAccessProps) {
+    super(parent, id, props)
+
+    this.props = props
+    this.id = id
+  }
+
+  /**
+   * @summary Initialise and provision resources
+   * @protected
+   */
+  public initResources() {
+    this.createLambdaPolicy()
+    this.createLambdaRole()
+    this.createLambdaEnvironment()
+    this.createLambdaLayers()
+    this.createLambdaFunction()
+    this.createIamUserForLambdaFunction()
+    this.createIamSecretForLambdaFunction()
+  }
+
+  /**
+   * @summary Method to create iam policy for Lambda function
+   * @protected
+   */
+  protected createLambdaPolicy() {
+    this.lambdaPolicy = new iam.PolicyDocument({
+      statements: [this.iamManager.statementForCreateAnyLogStream()],
+    })
+  }
+
+  /**
+   * @summary Method to create iam role for Lambda function
+   * @protected
+   */
+  protected createLambdaRole() {
+    this.lambdaRole = this.iamManager.createRoleForLambda(`${this.id}-lambda-role`, this, this.lambdaPolicy)
+  }
+
+  /**
+   * @summary Method to create environment variables for Lambda function
+   * @protected
+   */
+  protected createLambdaEnvironment() {
+    this.lambdaEnvironment = {
+      NODE_ENV: this.props.nodeEnv,
+      LOG_LEVEL: this.props.logLevel,
+      TZ: this.props.timezone,
+    }
+  }
+
+  /**
+   * @summary Method to create layers for Lambda function
+   * @protected
+   */
+  protected createLambdaLayers() {
+    const layers: lambda.LayerVersion[] = []
+
+    if (!this.props.lambdaLayerSources) return
+
+    this.props.lambdaLayerSources.forEach((source: lambda.AssetCode, index: number) => {
+      layers.push(this.lambdaManager.createLambdaLayer(`${this.id}-layer-${index}`, this, source))
+    })
+
+    this.lambdaLayers = layers
+  }
+
+  /**
+   * @summary Method to create lambda function
+   * @protected
+   */
+  protected createLambdaFunction() {
+    this.lambdaFunction = this.lambdaManager.createLambdaFunction(
+      `${this.id}-lambda`,
+      this,
+      this.props.lambda,
+      this.lambdaRole,
+      this.lambdaLayers,
+      this.props.lambdaSource,
+      this.props.lambdaHandler || 'index.handler',
+      this.lambdaEnvironment
+    )
+  }
+
+  /**
+   * @summary Method to create iam user for the lambda function
+   * @protected
+   */
+  protected createIamUserForLambdaFunction() {
+    this.lambdaIamUser = new iam.User(this, `${this.id}-lambda-user`, {
+      userName: `${this.id}-user-${this.props.stage}`,
+    })
+
+    new iam.Policy(this, `${this.id}-lambda-user-policy`, {
+      policyName: `${this.id}-policy-${this.props.stage}`,
+      statements: [
+        new iam.PolicyStatement({
+          resources: [this.lambdaFunction.functionArn],
+          actions: ['lambda:InvokeFunction'],
+        }),
+      ],
+      users: [this.lambdaIamUser],
+    })
+
+    this.lambdaUserAccessKey = new iam.CfnAccessKey(this, `${this.id}-access-key-${this.props.stage}`, {
+      userName: this.lambdaIamUser.userName,
+    })
+  }
+
+  /**
+   * @summary Method to create iam secret for the lambda function
+   * @protected
+   */
+  protected createIamSecretForLambdaFunction() {
+    this.lambdaUserAccessSecret = new secretsManager.Secret(
+      this,
+      `${this.id}-lambda-user-secret-${this.props.stage}`,
+      this.props.lambdaSecret
+    )
+
+    const cfnSecret = this.lambdaUserAccessSecret.node.defaultChild as secretsManager.CfnSecret
+    cfnSecret.generateSecretString = undefined
+    cfnSecret.secretString = `{ "ACCESS_KEY_ID": "${this.lambdaUserAccessKey.ref}", "ACCESS_KEY_SECRET": "${this.lambdaUserAccessKey.attrSecretAccessKey}" }`
+  }
+}

package/src/lib/construct/lambda-with-iam-access/types.ts

@@ -0,0 +1,16 @@
+import { CommonStackProps, LambdaEnvironment, LambdaProps } from '../../types'
+import * as lambda from 'aws-cdk-lib/aws-lambda'
+import { SecretProps } from 'aws-cdk-lib/aws-secretsmanager'
+
+export interface LambdaWithIamAccessProps extends CommonStackProps {
+  lambda: LambdaProps
+  lambdaHandler?: string
+  lambdaLayerSources: lambda.AssetCode[]
+  lambdaSecret: SecretProps
+  lambdaSource: lambda.AssetCode
+  logLevel: string
+  nodeEnv: string
+  timezone: string
+}
+
+export interface LambdaWithIamAccessEnvironment extends LambdaEnvironment {}

package/src/lib/helper/api-to-eventbridge-target-rest-api.ts

@@ -1,6 +1,7 @@
 import * as apig from 'aws-cdk-lib/aws-apigateway'
 import * as acm from 'aws-cdk-lib/aws-certificatemanager'
 import * as iam from 'aws-cdk-lib/aws-iam'
+import * as logs from 'aws-cdk-lib/aws-logs'
 import * as route53 from 'aws-cdk-lib/aws-route53'
 import * as sns from 'aws-cdk-lib/aws-sns'
 import * as types from '../types/aws'
@@ -12,6 +13,7 @@ import * as types from '../types/aws'
  * @classdesc Provides a construct to contain api resources for ApiToEventBridgeTargetWithSns
  */
 export class ApiToEventbridgeTargetRestApi implements types.ApiToEventBridgeTargetRestApiType {
+  accessLogGroup: logs.LogGroup
   api: apig.RestApi
   certificate: acm.ICertificate
   domain: apig.DomainName

package/src/lib/types/aws/index.ts

@@ -366,6 +366,7 @@ export interface ApiToEventBridgeTargetEventType {
  * @subcategory Types
  */
 export interface ApiToEventBridgeTargetRestApiType {
+  accessLogGroup: logs.LogGroup
   api: apig.IRestApi
   authoriser?: apig.IAuthorizer
   certificate: acm.ICertificate