aws-cdk-lib#Fn TypeScript Examples
The following examples show how to use
aws-cdk-lib#Fn.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
| Source File: DatabaseDynamoDBSingleTable.ts From lift with MIT License | 6 votes |
|
permissions(): PolicyStatement[] {
return [
new PolicyStatement(
[
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:PutItem",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem",
"dynamodb:UpdateItem",
],
[this.table.tableArn, Stack.of(this).resolve(Fn.join("/", [this.table.tableArn, "index", "*"]))]
),
];
}
Example #2
| Source File: bastion-host-forward.ts From bastion-host-forward with Apache License 2.0 | 6 votes |
|
protected constructor(scope: Construct, id: string, props: BastionHostForwardProps) {
super(scope, id);
this.securityGroup =
props.securityGroup ??
new SecurityGroup(this, 'BastionHostSecurityGroup', {
vpc: props.vpc,
allowAllOutbound: true,
});
this.bastionHost = new BastionHostLinux(this, 'BastionHost', {
instanceName: props.name ?? 'BastionHost',
vpc: props.vpc,
securityGroup: this.securityGroup,
});
const cfnBastionHost = this.bastionHost.instance.node.defaultChild as CfnInstance;
const shellCommands = generateEc2UserData({
address: props.address,
port: props.port,
clientTimeout: props.clientTimeout ?? 1,
serverTimeout: props.serverTimeout ?? 1,
});
cfnBastionHost.userData = Fn.base64(shellCommands.render());
this.instanceId = this.bastionHost.instance.instanceId;
}
Example #3
| Source File: ServerSideWebsite.ts From lift with MIT License | 5 votes |
|
variables(): Record<string, unknown> {
const domain = this.getMainCustomDomain() ?? this.distribution.distributionDomainName;
return {
url: Fn.join("", ["https://", domain]),
cname: this.distribution.distributionDomainName,
};
}
Example #4
| Source File: Storage.ts From lift with MIT License | 5 votes |
|
permissions(): PolicyStatement[] {
return [
new PolicyStatement(
["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket"],
[this.bucket.bucketArn, Stack.of(this).resolve(Fn.join("/", [this.bucket.bucketArn, "*"]))]
),
];
}
Example #5
| Source File: ServerSideWebsite.ts From lift with MIT License | 4 votes |
|
constructor(
scope: Construct,
private readonly id: string,
readonly configuration: Configuration,
private readonly provider: AwsProvider
) {
super(scope, id);
if (configuration.domain !== undefined && configuration.certificate === undefined) {
throw new ServerlessError(
`Invalid configuration in 'constructs.${id}.certificate': if a domain is configured, then a certificate ARN must be configured as well.`,
"LIFT_INVALID_CONSTRUCT_CONFIGURATION"
);
}
if (configuration.errorPage !== undefined && !configuration.errorPage.endsWith(".html")) {
throw new ServerlessError(
`Invalid configuration in 'constructs.${id}.errorPage': the custom error page must be a static HTML file. '${configuration.errorPage}' does not end with '.html'.`,
"LIFT_INVALID_CONSTRUCT_CONFIGURATION"
);
}
const bucket = new Bucket(this, "Assets", {
// Assets are compiled artifacts, we can clear them on serverless remove
removalPolicy: RemovalPolicy.DESTROY,
});
/**
* We create custom "Origin Policy" and "Cache Policy" for the backend.
* "All URL query strings, HTTP headers, and cookies that you include in the cache key (using a cache policy) are automatically included in origin requests. Use the origin request policy to specify the information that you want to include in origin requests, but not include in the cache key."
* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html
*/
const backendOriginPolicy = new OriginRequestPolicy(this, "BackendOriginPolicy", {
originRequestPolicyName: `${this.provider.stackName}-${id}`,
comment: `Origin request policy for the ${id} website.`,
cookieBehavior: OriginRequestCookieBehavior.all(),
queryStringBehavior: OriginRequestQueryStringBehavior.all(),
headerBehavior: this.headersToForward(),
});
const backendCachePolicy = new CachePolicy(this, "BackendCachePolicy", {
cachePolicyName: `${this.provider.stackName}-${id}`,
comment: `Cache policy for the ${id} website.`,
// For the backend we disable all caching by default
defaultTtl: Duration.seconds(0),
// Authorization is an exception and must be whitelisted in the Cache Policy
// This is the reason why we don't use the managed `CachePolicy.CACHING_DISABLED`
headerBehavior: CacheHeaderBehavior.allowList("Authorization"),
});
const apiId =
configuration.apiGateway === "rest"
? this.provider.naming.getRestApiLogicalId()
: this.provider.naming.getHttpApiLogicalId();
const apiGatewayDomain = Fn.join(".", [Fn.ref(apiId), `execute-api.${this.provider.region}.amazonaws.com`]);
// Cast the domains to an array
this.domains = configuration.domain !== undefined ? flatten([configuration.domain]) : undefined;
const certificate =
configuration.certificate !== undefined
? acm.Certificate.fromCertificateArn(this, "Certificate", configuration.certificate)
: undefined;
this.distribution = new Distribution(this, "CDN", {
comment: `${provider.stackName} ${id} website CDN`,
defaultBehavior: {
// Origins are where CloudFront fetches content
origin: new HttpOrigin(apiGatewayDomain, {
// API Gateway only supports HTTPS
protocolPolicy: OriginProtocolPolicy.HTTPS_ONLY,
}),
// For a backend app we all all methods
allowedMethods: AllowedMethods.ALLOW_ALL,
cachePolicy: backendCachePolicy,
viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
// Forward all values (query strings, headers, and cookies) to the backend app
// See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html#managed-origin-request-policies-list
originRequestPolicy: backendOriginPolicy,
functionAssociations: [
{
function: this.createRequestFunction(),
eventType: FunctionEventType.VIEWER_REQUEST,
},
],
},
// All the assets paths are created in there
additionalBehaviors: this.createCacheBehaviors(bucket),
errorResponses: this.createErrorResponses(),
// Enable http2 transfer for better performances
httpVersion: HttpVersion.HTTP2,
certificate: certificate,
domainNames: this.domains,
});
// CloudFormation outputs
this.bucketNameOutput = new CfnOutput(this, "AssetsBucketName", {
description: "Name of the bucket that stores the website assets.",
value: bucket.bucketName,
});
let websiteDomain = this.getMainCustomDomain();
if (websiteDomain === undefined) {
// Fallback on the CloudFront domain
websiteDomain = this.distribution.distributionDomainName;
}
this.domainOutput = new CfnOutput(this, "Domain", {
description: "Website domain name.",
value: websiteDomain,
});
this.cnameOutput = new CfnOutput(this, "CloudFrontCName", {
description: "CloudFront CNAME.",
value: this.distribution.distributionDomainName,
});
this.distributionIdOutput = new CfnOutput(this, "DistributionId", {
description: "ID of the CloudFront distribution.",
value: this.distribution.distributionId,
});
}
Example #6
| Source File: Webhook.ts From lift with MIT License | 4 votes |
|
constructor(
scope: CdkConstruct,
private readonly id: string,
private readonly configuration: Configuration,
private readonly provider: AwsProvider
) {
super(scope, id);
this.api = new HttpApi(this, "HttpApi");
this.apiEndpointOutput = new CfnOutput(this, "HttpApiEndpoint", {
value: this.api.apiEndpoint,
});
this.bus = new EventBus(this, "Bus");
const apiGatewayRole = new Role(this, "ApiGatewayRole", {
assumedBy: new ServicePrincipal("apigateway.amazonaws.com"),
inlinePolicies: {
EventBridge: new PolicyDocument({
statements: [
new PolicyStatement({
actions: ["events:PutEvents"],
resources: [this.bus.eventBusArn],
}),
],
}),
},
});
const resolvedConfiguration = Object.assign({}, WEBHOOK_DEFAULTS, configuration);
if (resolvedConfiguration.insecure && resolvedConfiguration.authorizer !== undefined) {
throw new ServerlessError(
`Webhook ${id} is specified as insecure, however an authorizer is configured for this webhook. ` +
"Either declare this webhook as secure by removing `insecure: true` property (recommended), " +
"or specify the webhook as insecure and remove the authorizer property altogether.\n" +
"See https://github.com/getlift/lift/blob/master/docs/webhook.md#authorizer",
"LIFT_INVALID_CONSTRUCT_CONFIGURATION"
);
}
if (!resolvedConfiguration.insecure && resolvedConfiguration.authorizer === undefined) {
throw new ServerlessError(
`Webhook ${id} is specified as secure, however no authorizer is configured for this webhook. ` +
"Please provide an authorizer property for this webhook (recommended), " +
"or specify the webhook as insecure by adding `insecure: true` property.\n" +
"See https://github.com/getlift/lift/blob/master/docs/webhook.md#authorizer",
"LIFT_INVALID_CONSTRUCT_CONFIGURATION"
);
}
const eventBridgeIntegration = new CfnIntegration(this, "Integration", {
apiId: this.api.apiId,
connectionType: "INTERNET",
credentialsArn: apiGatewayRole.roleArn,
integrationSubtype: "EventBridge-PutEvents",
integrationType: "AWS_PROXY",
payloadFormatVersion: "1.0",
requestParameters: {
DetailType: resolvedConfiguration.eventType ?? "Webhook",
Detail: "$request.body",
Source: id,
EventBusName: this.bus.eventBusName,
},
});
const route = new CfnRoute(this, "Route", {
apiId: this.api.apiId,
routeKey: `POST ${resolvedConfiguration.path}`,
target: Fn.join("/", ["integrations", eventBridgeIntegration.ref]),
authorizationType: "NONE",
});
if (!resolvedConfiguration.insecure) {
const lambda = Function.fromFunctionArn(
this,
"LambdaAuthorizer",
Fn.getAtt(provider.naming.getLambdaLogicalId(`${id}Authorizer`), "Arn").toString()
);
lambda.grantInvoke(apiGatewayRole);
const authorizer = new CfnAuthorizer(this, "Authorizer", {
apiId: this.api.apiId,
authorizerPayloadFormatVersion: "2.0",
authorizerType: "REQUEST",
name: `${id}-authorizer`,
enableSimpleResponses: true,
authorizerUri: Fn.join("/", [
`arn:aws:apigateway:${this.provider.region}:lambda:path/2015-03-31/functions`,
lambda.functionArn,
"invocations",
]),
authorizerCredentialsArn: apiGatewayRole.roleArn,
});
route.authorizerId = authorizer.ref;
route.authorizationType = "CUSTOM";
}
this.endpointPathOutput = new CfnOutput(this, "Endpoint", {
value: route.routeKey,
});
this.appendFunctions();
}
Example #7
| Source File: index.ts From cloudstructs with Apache License 2.0 | 4 votes |
|
constructor(scope: Construct, id: string, props: UrlShortenerProps) {
super(scope, id);
const domainName = props.recordName ? `${props.recordName}.${props.hostedZone.zoneName}` : props.hostedZone.zoneName;
// Table to save a counter
const table = new dynamodb.Table(this, 'Table', {
partitionKey: {
name: 'key',
type: dynamodb.AttributeType.STRING,
},
removalPolicy: RemovalPolicy.DESTROY,
});
// Bucket to save redirects
const bucket = new s3.Bucket(this, 'Bucket', {
lifecycleRules: [{
expiration: props.expiration ?? Duration.days(365),
}],
blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
bucketName: props.bucketName ?? `cloudstructs-url-shortener-${domainName}`,
});
// Redirect function
const redirectFunction = new RedirectFunction(this, 'Redirect');
bucket.grantRead(redirectFunction);
// CloudFront distribution
const certificate = new acm.DnsValidatedCertificate(this, 'Certificate', {
domainName,
hostedZone: props.hostedZone,
region: 'us-east-1',
});
const distribution = new cloudfront.Distribution(this, 'Distribution', {
defaultBehavior: {
origin: new origins.S3Origin(bucket),
edgeLambdas: [
{
eventType: cloudfront.LambdaEdgeEventType.ORIGIN_REQUEST,
functionVersion: redirectFunction,
},
],
},
certificate,
domainNames: [domainName],
});
// Route53 records
new route53.ARecord(this, 'ARecord', {
zone: props.hostedZone,
target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(distribution)),
recordName: props.recordName,
});
new route53.AaaaRecord(this, 'AaaaRecord', {
zone: props.hostedZone,
target: route53.RecordTarget.fromAlias(new targets.CloudFrontTarget(distribution)),
recordName: props.recordName,
});
// Lambda function to increment counter and write redirect in bucket
const shortenerFunction = new ShortenerFunction(this, 'Shortener', {
logRetention: logs.RetentionDays.ONE_MONTH,
environment: {
DOMAIN_NAME: domainName,
BUCKET_NAME: bucket.bucketName,
TABLE_NAME: table.tableName,
},
});
if (props.corsAllowOrigins) {
shortenerFunction.addEnvironment('CORS_ALLOW_ORIGINS', props.corsAllowOrigins.join(' '));
}
bucket.grantPut(shortenerFunction);
table.grant(shortenerFunction, 'dynamodb:UpdateItem');
// API
this.api = new apigateway.RestApi(this, `UrlShortener${props.hostedZone.zoneName}`, {
endpointTypes: props.apiGatewayEndpoint ? [apigateway.EndpointType.PRIVATE] : undefined,
policy: props.apiGatewayEndpoint
? new iam.PolicyDocument({
statements: [
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ['execute-api:Invoke'],
principals: [new iam.AnyPrincipal()],
resources: [Fn.join('', ['execute-api:/', '*'])],
conditions: {
StringEquals: { 'aws:SourceVpce': props.apiGatewayEndpoint.vpcEndpointId },
},
}),
],
})
: undefined,
defaultCorsPreflightOptions: props.corsAllowOrigins
? { allowOrigins: props.corsAllowOrigins }
: undefined,
});
this.api.root.addMethod('ANY', new apigateway.LambdaIntegration(shortenerFunction), {
authorizer: props.apiGatewayAuthorizer,
});
this.api.root
.addResource('{proxy+}')
.addMethod('ANY', new apigateway.LambdaIntegration(shortenerFunction), {
authorizer: props.apiGatewayAuthorizer,
});
this.apiEndpoint = this.api.url;
}
Example #8
| Source File: gitlab-runner-instance.ts From cdk-gitlab-runner with Apache License 2.0 | 4 votes |
|
constructor(scope: Construct, id: string, props: GitlabContainerRunnerProps) {
super(scope, id);
const spotFleetId = id;
const defaultProps = {
gitlabRunnerImage: 'public.ecr.aws/gitlab/gitlab-runner:alpine',
gitlaburl: 'https://gitlab.com/',
ec2type: 't3.micro',
tags: ['gitlab', 'awscdk', 'runner'],
};
const runnerProps = { ...defaultProps, ...props };
const runnerBucket = new Bucket(this, 'runnerBucket', {
removalPolicy: RemovalPolicy.DESTROY,
autoDeleteObjects: true,
});
const shell = UserData.forLinux();
shell.addCommands(...this.createUserData(runnerProps, runnerBucket.bucketName));
this.runnerRole =
runnerProps.ec2iamrole ??
new Role(this, 'runner-role', {
assumedBy: new ServicePrincipal('ec2.amazonaws.com'),
description: 'For Gitlab EC2 Runner Role',
});
this.validUntil = runnerProps.validUntil;
const instanceProfile = new CfnInstanceProfile(this, 'InstanceProfile', {
roles: [this.runnerRole.roleName],
});
runnerBucket.grantWrite(this.runnerRole);
this.vpc =
runnerProps.selfvpc ??
new Vpc(this, 'VPC', {
cidr: '10.0.0.0/16',
maxAzs: 2,
subnetConfiguration: [
{
cidrMask: 26,
name: 'RunnerVPC',
subnetType: SubnetType.PUBLIC,
},
],
natGateways: 0,
});
this.defaultRunnerSG = new SecurityGroup(this, 'SpotFleetSg', {
vpc: this.vpc,
});
this.defaultRunnerSG.connections.allowFromAnyIpv4(Port.tcp(22));
const spotOrOnDemand = runnerProps.spotFleet ?? false;
if (spotOrOnDemand) {
//throw new Error('yes new spotfleet');
const imageId = MachineImage.latestAmazonLinux({
generation: AmazonLinuxGeneration.AMAZON_LINUX_2,
}).getImage(this).imageId;
const lt = new CfnLaunchTemplate(this, 'LaunchTemplate', {
launchTemplateData: {
imageId,
instanceType: runnerProps.ec2type,
blockDeviceMappings: [
{
deviceName: '/dev/xvda',
ebs: {
volumeSize: runnerProps.ebsSize ?? 60,
},
},
],
userData: Fn.base64(shell.render()),
keyName: runnerProps.keyName,
tagSpecifications: [
{
resourceType: 'instance',
tags: [
{
key: 'Name',
value: `${Stack.of(this).stackName
}/spotFleetGitlabRunner/${spotFleetId}`,
},
],
},
],
instanceMarketOptions: {
marketType: 'spot',
spotOptions: {
blockDurationMinutes:
runnerProps.blockDuration ?? BlockDuration.ONE_HOUR,
instanceInterruptionBehavior:
runnerProps.instanceInterruptionBehavior ??
InstanceInterruptionBehavior.TERMINATE,
},
},
securityGroupIds: this.defaultRunnerSG.connections.securityGroups.map(
(m) => m.securityGroupId,
),
iamInstanceProfile: {
arn: instanceProfile.attrArn,
},
},
});
const spotFleetRole = new Role(this, 'FleetRole', {
assumedBy: new ServicePrincipal('spotfleet.amazonaws.com'),
managedPolicies: [
ManagedPolicy.fromAwsManagedPolicyName(
'service-role/AmazonEC2SpotFleetTaggingRole',
),
],
});
const vpcSubnetSelection = runnerProps.vpcSubnet ?? {
subnetType: SubnetType.PUBLIC,
};
const subnetConfig = this.vpc
.selectSubnets(vpcSubnetSelection)
.subnets.map((s) => ({
subnetId: s.subnetId,
}));
const cfnSpotFleet = new CfnSpotFleet(this, id, {
spotFleetRequestConfigData: {
launchTemplateConfigs: [
{
launchTemplateSpecification: {
launchTemplateId: lt.ref,
version: lt.attrLatestVersionNumber,
},
overrides: subnetConfig,
},
],
iamFleetRole: spotFleetRole.roleArn,
targetCapacity: 1,
validUntil: Lazy.string({ produce: () => this.validUntil }),
terminateInstancesWithExpiration: true,
},
});
const onEvent = new lambda.Function(this, 'OnEvent', {
code: lambda.Code.fromAsset(path.join(__dirname, '../assets/functions')),
handler: 'index.on_event',
runtime: lambda.Runtime.PYTHON_3_8,
timeout: Duration.seconds(60),
});
const isComplete = new lambda.Function(this, 'IsComplete', {
code: lambda.Code.fromAsset(path.join(__dirname, '../assets/functions')),
handler: 'index.is_complete',
runtime: lambda.Runtime.PYTHON_3_8,
timeout: Duration.seconds(60),
role: onEvent.role,
});
const myProvider = new cr.Provider(this, 'MyProvider', {
onEventHandler: onEvent,
isCompleteHandler: isComplete,
logRetention: logs.RetentionDays.ONE_DAY,
});
onEvent.addToRolePolicy(
new PolicyStatement({
actions: ['ec2:DescribeSpotFleetInstances'],
resources: ['*'],
}),
);
const fleetInstances = new CustomResource(this, 'GetInstanceId', {
serviceToken: myProvider.serviceToken,
properties: {
SpotFleetRequestId: cfnSpotFleet.ref,
},
});
fleetInstances.node.addDependency(cfnSpotFleet);
this.spotFleetInstanceId = Token.asString(
fleetInstances.getAtt('InstanceId'),
);
this.spotFleetRequestId = Token.asString(
fleetInstances.getAtt('SpotInstanceRequestId'),
);
new CfnOutput(this, 'InstanceId', { value: this.spotFleetInstanceId });
new CfnOutput(this, 'SpotFleetId', { value: cfnSpotFleet.ref });
} else {
this.runnerEc2 = new Instance(this, 'GitlabRunner', {
instanceType: new InstanceType(runnerProps.ec2type),
instanceName: 'Gitlab-Runner',
vpc: this.vpc,
vpcSubnets: runnerProps.vpcSubnet ?? {
subnetType: SubnetType.PUBLIC,
},
machineImage: MachineImage.latestAmazonLinux({
generation: AmazonLinuxGeneration.AMAZON_LINUX_2,
}),
role: this.runnerRole,
userData: shell,
securityGroup: this.defaultRunnerSG,
blockDevices: [
{
deviceName: '/dev/xvda',
volume: BlockDeviceVolume.ebs(runnerProps.ebsSize ?? 60),
},
],
});
new CfnOutput(this, 'Runner-Instance-ID', {
value: this.runnerEc2.instanceId,
});
}
const unregisterRunnerOnEvent = new lambda.Function(this, 'unregisterRunnerOnEvent', {
code: lambda.Code.fromAsset(path.join(__dirname, '../assets/functions')),
handler: 'unregister_runner.on_event',
runtime: lambda.Runtime.PYTHON_3_8,
timeout: Duration.seconds(60),
});
const unregisterRunnerProvider = new cr.Provider(this, 'unregisterRunnerProvider', {
onEventHandler: unregisterRunnerOnEvent,
logRetention: logs.RetentionDays.ONE_DAY,
});
const unregisterRunnerCR = new CustomResource(this, 'unregisterRunnerCR', {
resourceType: 'Custom::unregisterRunnerProvider',
serviceToken: unregisterRunnerProvider.serviceToken,
properties: {
BucketName: runnerBucket.bucketName,
GitlabUrl: runnerProps.gitlaburl,
},
});
runnerBucket.grantReadWrite(unregisterRunnerOnEvent);
unregisterRunnerCR.node.addDependency(runnerBucket);
this.runnerRole.addManagedPolicy(
ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'),
);
new CfnOutput(this, 'Runner-Role-Arn', {
value: this.runnerRole.roleArn,
});
}
