/**
* Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
* with the License. A copy of the License is located at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
* OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
* and limitations under the License.
*/
// Imports
import * as defaults from "@aws-solutions-constructs/core";
import * as lambda from "@aws-cdk/aws-lambda";
import * as secretsmanager from "@aws-cdk/aws-secretsmanager";
import * as ec2 from "@aws-cdk/aws-ec2";
import { Construct } from "@aws-cdk/core";
/**
 * @summary The properties for the LambdaToSecretsmanager class.
 *
 * Supplying both an "existing*" object and the matching "*Props" for the same
 * resource is not supported; the construct validates the props up front.
 */
export interface LambdaToSecretsmanagerProps {
  /**
   * Existing instance of Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.
   *
   * @default - None
   */
  readonly existingLambdaObj?: lambda.Function;
  /**
   * User provided props to override the default props for the Lambda function.
   *
   * @default - Default properties are used.
   */
  readonly lambdaFunctionProps?: lambda.FunctionProps;
  /**
   * Existing instance of Secret object, providing both this and secretProps will cause an error.
   *
   * @default - None
   */
  readonly existingSecretObj?: secretsmanager.Secret;
  /**
   * Optional user-provided props to override the default props for the Secret.
   *
   * @default - Default props are used
   */
  readonly secretProps?: secretsmanager.SecretProps;
  /**
   * An existing VPC for the construct to use (construct will NOT create a new VPC in this case).
   * Cannot be combined with `deployVpc`.
   */
  readonly existingVpc?: ec2.IVpc;
  /**
   * Properties to override default properties if deployVpc is true
   */
  readonly vpcProps?: ec2.VpcProps;
  /**
   * Whether to deploy a new VPC. Cannot be combined with `existingVpc`.
   *
   * @default - false
   */
  readonly deployVpc?: boolean;
  /**
   * Optional Name for Lambda function environment variable containing the ARN of the secret.
   * Note that only the ARN is exposed to the function; the secret value itself is never
   * placed in the environment.
   *
   * @default - SECRET_ARN
   */
  readonly secretEnvironmentVariableName?: string;
  /**
   * Optional secret permissions to grant to the Lambda function.
   * One of the following may be specified: "Read" or "ReadWrite".
   * Write access is granted only when the value is exactly "ReadWrite"; any other
   * value (including a typo) leaves the function with read-only access.
   *
   * @default - Read only access is given to the Lambda function if no value is specified.
   */
  readonly grantWriteAccess?: string;
}
/**
 * @summary The LambdaToSecretsmanager class.
 *
 * Wires a Lambda function to a Secrets Manager secret: optionally places the
 * function in a VPC (with a Secrets Manager endpoint), exposes the secret's ARN
 * to the function through an environment variable, and grants the function
 * read (and optionally write) access to the secret.
 */
export class LambdaToSecretsmanager extends Construct {
  public readonly lambdaFunction: lambda.Function;
  public readonly secret: secretsmanager.Secret;
  public readonly vpc?: ec2.IVpc;

  /**
   * @summary Constructs a new instance of the LambdaToSecretsmanager class.
   * @param {Construct} scope - represents the scope for all the resources.
   * @param {string} id - this is a scope-unique id.
   * @param {LambdaToSecretsmanagerProps} props - user provided props for the construct.
   * @access public
   * @throws Error when both `deployVpc` and `existingVpc` are supplied.
   */
  constructor(scope: Construct, id: string, props: LambdaToSecretsmanagerProps) {
    super(scope, id);

    // Generic props validation performed by the shared core helper.
    defaults.CheckProps(props);

    // VPC handling: only when the caller asked for one (new or existing).
    if (props.deployVpc || props.existingVpc) {
      // Exactly one VPC source is allowed.
      if (props.deployVpc && props.existingVpc) {
        throw new Error("More than 1 VPC specified in the properties");
      }

      const vpcBuildOptions = {
        defaultVpcProps: defaults.DefaultIsolatedVpcProps(),
        existingVpc: props.existingVpc,
        userVpcProps: props.vpcProps,
        constructVpcProps: {
          enableDnsHostnames: true,
          enableDnsSupport: true,
        },
      };
      this.vpc = defaults.buildVpc(scope, vpcBuildOptions);

      // Give the function a private path to Secrets Manager from inside the VPC.
      defaults.AddAwsServiceEndpoint(scope, this.vpc, defaults.ServiceEndpointTypes.SECRETS_MANAGER);
    }

    // Lambda function: built (or reused) inside the VPC when one was set up above.
    this.lambdaFunction = defaults.buildLambdaFunction(this, {
      existingLambdaObj: props.existingLambdaObj,
      lambdaFunctionProps: props.lambdaFunctionProps,
      vpc: this.vpc,
    });

    // Secret: reuse the caller's instance, otherwise create one from the (optional) props.
    this.secret = props.existingSecretObj
      ? props.existingSecretObj
      : defaults.buildSecretsManagerSecret(this, 'secret', props.secretProps);

    // Only the secret's ARN goes into the environment, never the secret value.
    const envVarName = props.secretEnvironmentVariableName || 'SECRET_ARN';
    this.lambdaFunction.addEnvironment(envVarName, this.secret.secretArn);

    // Least privilege: read is always granted; write only on the exact literal
    // "ReadWrite". Any other value leaves the function read-only.
    this.secret.grantRead(this.lambdaFunction);
    const writeRequested = props.grantWriteAccess === 'ReadWrite';
    if (writeRequested) {
      this.secret.grantWrite(this.lambdaFunction);
    }
  }
}