aws-cdk-lib#aws_lambda TypeScript Examples
The following examples show how to use
aws-cdk-lib#aws_lambda.
Example #1
Source File: index.ts From cdk-ec2-key-pair with Apache License 2.0 | 5 votes |
/**
 * The Lambda function that is created.
 *
 * Exposed through the `IFunction` interface rather than the concrete
 * `Function` class, and marked `readonly` so callers cannot reassign it
 * through this property.
 * NOTE(review): where this field is assigned is not shown here; presumably
 * the constructor sets it, so confirm against the rest of the class.
 */
public readonly lambda: aws_lambda.IFunction;
Example #2
Source File: index.ts From cdk-ssm-document with Apache License 2.0 | 5 votes |
/**
 * Returns the Lambda function backing the SSM document custom resource,
 * creating it together with its IAM role and managed policy on first use.
 *
 * The function is registered on the stack under a fixed construct id, so all
 * callers within one stack share a single function, role and policy.
 *
 * @returns The stack child already registered under that id if there is one,
 * otherwise the newly created function.
 */
private ensureLambda(): aws_lambda.Function {
  const owningStack = Stack.of(this);
  const lambdaId = 'SSM-Document-Manager-Lambda';

  // Reuse path. The cast is unchecked: whatever child holds this id is
  // returned as a Function.
  const alreadyCreated = owningStack.node.tryFindChild(lambdaId);
  if (alreadyCreated) {
    return alreadyCreated as aws_lambda.Function;
  }

  // Policy, role and function all carry the same physical name and the
  // first two share one description.
  const physicalName = `${owningStack.stackName}-${cleanID}`;
  const purpose = `Used by Lambda ${cleanID}, which is a custom CFN resource, managing SSM documents`;

  // Builds a fresh tag condition per statement.
  // NOTE(review): ID is defined outside this block. StringLike honours
  // wildcards; if ID is a plain literal, StringEquals states the same intent
  // more strictly. Confirm before changing.
  const markedWith = (conditionKey: string) => ({
    StringLike: { [conditionKey]: ID },
  });

  // Unconditional read access: listing documents and their tags.
  const listStatement = new aws_iam.PolicyStatement({
    actions: ['ssm:ListDocuments', 'ssm:ListTagsForResource'],
    resources: ['*'],
  });

  // Creation and tagging are allowed only when the request itself carries
  // the marker tag.
  // NOTE(review): ssm:AddTagsToResource is granted on '*' here, while the
  // statement below trusts the marker tag alone. As written, the marker can be
  // attached to SSM resources this construct did not create, which then fall
  // under the modify/delete statement. Restricting `resources` to document
  // ARNs would tighten this; check what the handler tags first.
  const createStatement = new aws_iam.PolicyStatement({
    actions: ['ssm:AddTagsToResource', 'ssm:CreateDocument'],
    resources: ['*'],
    conditions: markedWith('aws:RequestTag/CreatedByCfnCustomResource'),
  });

  // Read, update, share and delete are allowed only on resources that already
  // carry the marker tag.
  const manageStatement = new aws_iam.PolicyStatement({
    actions: [
      'ssm:AddTagsToResource',
      'ssm:DeleteDocument',
      'ssm:DescribeDocument',
      'ssm:GetDocument',
      'ssm:ListDocumentVersions',
      'ssm:ModifyDocumentPermission',
      'ssm:RemoveTagsFromResource',
      'ssm:UpdateDocument',
      'ssm:UpdateDocumentDefaultVersion',
    ],
    resources: ['*'],
    conditions: markedWith('ssm:ResourceTag/CreatedByCfnCustomResource'),
  });

  const documentPolicy = new aws_iam.ManagedPolicy(
    owningStack,
    'SSM-Document-Manager-Policy',
    {
      managedPolicyName: physicalName,
      description: purpose,
      statements: [listStatement, createStatement, manageStatement],
    }
  );

  // Assumable only by the Lambda service. The AWS-managed basic execution
  // policy is attached alongside the custom policy above.
  const executionRole = new aws_iam.Role(
    owningStack,
    'SSM-Document-Manager-Role',
    {
      roleName: physicalName,
      description: purpose,
      assumedBy: new aws_iam.ServicePrincipal('lambda.amazonaws.com'),
      managedPolicies: [
        documentPolicy,
        aws_iam.ManagedPolicy.fromAwsManagedPolicyName(
          'service-role/AWSLambdaBasicExecutionRole'
        ),
      ],
    }
  );

  // NOTE(review): Node.js 14 is end-of-life and the nodejs14.x Lambda runtime
  // is deprecated. Newer Node.js runtimes bundle a different AWS SDK major
  // version, so before bumping the runtime confirm that code.zip ships its own
  // SDK. The archive contents are not visible here.
  return new aws_lambda.Function(owningStack, lambdaId, {
    functionName: physicalName,
    role: executionRole,
    description: 'Custom CFN resource: Manage SSM Documents',
    runtime: aws_lambda.Runtime.NODEJS_14_X,
    handler: 'index.handler',
    // Prebuilt archive resolved relative to this module.
    code: aws_lambda.Code.fromAsset(
      path.join(__dirname, '../lambda/code.zip')
    ),
    timeout: Duration.minutes(lambdaTimeout),
  });
}
Example #3
Source File: index.ts From cdk-ssm-document with Apache License 2.0 | 5 votes |
/**
 * The Lambda function that is created.
 *
 * Typed as `IFunction`, so consumers see only the function interface and not
 * the concrete `Function` class. `readonly` prevents reassignment through
 * this property.
 * NOTE(review): the assignment site is outside this excerpt; presumably the
 * constructor sets it, so confirm against the rest of the class.
 */
public readonly lambda: aws_lambda.IFunction;
Example #4
Source File: index.ts From cdk-ec2-key-pair with Apache License 2.0 | 4 votes |
/**
 * Returns the Lambda function backing the EC2 key pair custom resource,
 * creating it together with its IAM role and managed policy on first use.
 *
 * The function is registered on the stack under a fixed construct id, so all
 * key pair constructs within one stack share a single function, role and
 * policy.
 *
 * @returns The stack child already registered under that id if there is one,
 * otherwise the newly created function.
 */
private ensureLambda(): aws_lambda.Function {
  const owningStack = Stack.of(this);
  const lambdaId = 'EC2-Key-Name-Manager-Lambda';

  // Reuse path. The cast is unchecked: whatever child holds this id is
  // returned as a Function.
  const alreadyCreated = owningStack.node.tryFindChild(lambdaId);
  if (alreadyCreated) {
    return alreadyCreated as aws_lambda.Function;
  }

  const purpose = `Used by Lambda ${cleanID}, which is a custom CFN resource, managing EC2 Key Pairs`;

  // Key pair ARNs in any region and account of the stack's partition. Both
  // tag-gated EC2 statements below share this list.
  const keyPairArns = [`arn:${owningStack.partition}:ec2:*:*:key-pair/*`];

  // Builds a fresh tag condition per statement.
  // NOTE(review): ID is defined outside this block. StringLike honours
  // wildcards; if ID is a plain literal, StringEquals states the same intent
  // more strictly. Confirm before changing.
  const markedWith = (conditionKey: string) => ({
    StringLike: { [conditionKey]: ID },
  });

  // Unconditional read access to key pair metadata.
  const describeKeys = new aws_iam.PolicyStatement({
    actions: ['ec2:DescribeKeyPairs'],
    resources: ['*'],
  });

  // Create, import and tag are allowed only when the request itself carries
  // the marker tag.
  const createKeys = new aws_iam.PolicyStatement({
    actions: ['ec2:CreateKeyPair', 'ec2:CreateTags', 'ec2:ImportKeyPair'],
    conditions: markedWith('aws:RequestTag/CreatedByCfnCustomResource'),
    resources: keyPairArns,
  });

  // Delete and update are allowed only if the key pair already carries the
  // marker tag.
  const manageKeys = new aws_iam.PolicyStatement({
    actions: ['ec2:CreateTags', 'ec2:DeleteKeyPair', 'ec2:DeleteTags'],
    conditions: markedWith('ec2:ResourceTag/CreatedByCfnCustomResource'),
    resources: keyPairArns,
  });

  // Needed to check whether a secret exists before attempting to delete it.
  const listSecrets = new aws_iam.PolicyStatement({
    actions: ['secretsmanager:ListSecrets'],
    resources: ['*'],
  });

  // Secret creation and tagging are allowed only when the request carries the
  // marker tag.
  // NOTE(review): secretsmanager:TagResource is granted on '*' here, while
  // the statement below trusts the marker tag alone. As written, the marker
  // can be attached to secrets this construct did not create, which then fall
  // under the manage statement, including GetSecretValue and
  // PutResourcePolicy. Restricting `resources` to the secret names the handler
  // uses would tighten this. The handler's naming is not visible here, so
  // confirm first. ec2:CreateTags above follows the same pattern but is
  // limited to key pair ARNs.
  const createSecrets = new aws_iam.PolicyStatement({
    actions: ['secretsmanager:CreateSecret', 'secretsmanager:TagResource'],
    conditions: markedWith('aws:RequestTag/CreatedByCfnCustomResource'),
    resources: ['*'],
  });

  // Delete and update are allowed only if the secret already carries the
  // marker tag.
  const manageSecrets = new aws_iam.PolicyStatement({
    actions: [
      'secretsmanager:DeleteResourcePolicy',
      'secretsmanager:DeleteSecret',
      'secretsmanager:DescribeSecret',
      'secretsmanager:GetResourcePolicy',
      'secretsmanager:GetSecretValue',
      'secretsmanager:ListSecretVersionIds',
      'secretsmanager:PutResourcePolicy',
      'secretsmanager:PutSecretValue',
      'secretsmanager:RestoreSecret',
      'secretsmanager:UntagResource',
      'secretsmanager:UpdateSecret',
      'secretsmanager:UpdateSecretVersionStage',
    ],
    conditions: markedWith(
      'secretsmanager:ResourceTag/CreatedByCfnCustomResource'
    ),
    resources: ['*'],
  });

  const keyPairPolicy = new aws_iam.ManagedPolicy(
    owningStack,
    'EC2-Key-Pair-Manager-Policy',
    {
      managedPolicyName: `${this.prefix}-${cleanID}`,
      description: purpose,
      statements: [
        describeKeys,
        createKeys,
        manageKeys,
        listSecrets,
        createSecrets,
        manageSecrets,
      ],
    }
  );

  // Assumable only by the Lambda service. The AWS-managed basic execution
  // policy is attached alongside the custom policy above.
  const executionRole = new aws_iam.Role(
    owningStack,
    'EC2-Key-Pair-Manager-Role',
    {
      roleName: `${this.prefix}-${cleanID}`,
      description: purpose,
      assumedBy: new aws_iam.ServicePrincipal('lambda.amazonaws.com'),
      managedPolicies: [
        keyPairPolicy,
        aws_iam.ManagedPolicy.fromAwsManagedPolicyName(
          'service-role/AWSLambdaBasicExecutionRole'
        ),
      ],
    }
  );

  // NOTE(review): Node.js 14 is end-of-life and the nodejs14.x Lambda runtime
  // is deprecated. Newer Node.js runtimes bundle a different AWS SDK major
  // version, so before bumping the runtime confirm that code.zip ships its own
  // SDK. The archive contents are not visible here.
  return new aws_lambda.Function(owningStack, lambdaId, {
    functionName: `${this.prefix}-${cleanID}`,
    role: executionRole,
    description: 'Custom CFN resource: Manage EC2 Key Pairs',
    runtime: aws_lambda.Runtime.NODEJS_14_X,
    handler: 'index.handler',
    // Prebuilt archive resolved relative to this module.
    code: aws_lambda.Code.fromAsset(
      path.join(__dirname, '../lambda/code.zip')
    ),
    timeout: Duration.minutes(lambdaTimeout),
  });
}