import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
import * as ec2 from '@aws-cdk/aws-ec2';
import * as iam from '@aws-cdk/aws-iam';
import { ConstructNode, IResource, Resource } from '@aws-cdk/core';
import { AliasOptions } from './alias';
import { EventInvokeConfig, EventInvokeConfigOptions } from './event-invoke-config';
import { IEventSource } from './event-source';
import { EventSourceMapping, EventSourceMappingOptions } from './event-source-mapping';
import { IVersion } from './lambda-version';
import { CfnPermission } from './lambda.generated';
import { Permission } from './permission';
import { addAlias } from './util';
export interface IFunction extends IResource, ec2.IConnectable, iam.IGrantable {

  /**
   * The name of the function.
   *
   * @attribute
   */
  readonly functionName: string;

  /**
   * The ARN of the function.
   *
   * @attribute
   */
  readonly functionArn: string;

  /**
   * The IAM role associated with this function.
   */
  readonly role?: iam.IRole;

  /**
   * Whether or not this Lambda function was bound to a VPC
   *
   * If this is `false`, trying to access the `connections` object will fail.
   */
  readonly isBoundToVpc: boolean;

  /**
   * The `$LATEST` version of this function.
   *
   * Note that this is reference to a non-specific AWS Lambda version, which
   * means the function this version refers to can return different results in
   * different invocations.
   *
   * To obtain a reference to an explicit version which references the current
   * function configuration, use `lambdaFunction.currentVersion` instead.
   */
  readonly latestVersion: IVersion;

  /**
   * The construct node where permissions are attached.
   */
  readonly permissionsNode: ConstructNode;

  /**
   * Adds an event source that maps to this AWS Lambda function.
   * @param id construct ID
   * @param options mapping options
   */
  addEventSourceMapping(id: string, options: EventSourceMappingOptions): EventSourceMapping;

  /**
   * Adds a permission to the Lambda resource policy.
   *
   * Implementations may decline to add anything (the `FunctionBase`
   * implementation in this file returns without creating a construct when
   * permissions cannot be created, e.g. for imported functions).
   *
   * @param id The id for the permission construct
   * @param permission The permission to grant to this Lambda function. @see Permission for details.
   */
  addPermission(id: string, permission: Permission): void;

  /**
   * Adds a statement to the IAM role assumed by the instance.
   *
   * `FunctionBase` makes this a no-op when the function has no `role`.
   */
  addToRolePolicy(statement: iam.PolicyStatement): void;

  /**
   * Grant the given identity permissions to invoke this Lambda
   */
  grantInvoke(identity: iam.IGrantable): iam.Grant;

  /**
   * Return the given named metric for this Lambda
   */
  metric(metricName: string, props?: cloudwatch.MetricOptions): cloudwatch.Metric;

  /**
   * Metric for the Duration of this Lambda
   *
   * @default average over 5 minutes
   */
  metricDuration(props?: cloudwatch.MetricOptions): cloudwatch.Metric;

  /**
   * Metric for the number of invocations of this Lambda
   *
   * @default sum over 5 minutes
   */
  metricInvocations(props?: cloudwatch.MetricOptions): cloudwatch.Metric;

  /**
   * Metric for the number of throttled invocations of this Lambda
   *
   * @default sum over 5 minutes
   */
  metricThrottles(props?: cloudwatch.MetricOptions): cloudwatch.Metric;

  /**
   * Adds an event source to this function (the source is bound to this function).
   *
   * Event sources are implemented in the @aws-cdk/aws-lambda-event-sources module.
   *
   * @param source The event source to bind to this function
   */
  addEventSource(source: IEventSource): void;

  /**
   * Configures options for asynchronous invocation.
   */
  configureAsyncInvoke(options: EventInvokeConfigOptions): void;
}
/**
 * Represents a Lambda function defined outside of this stack.
 *
 * NOTE(review): per `FunctionBase.canCreatePermissions` below, imported
 * Lambdas do not get resource-policy permissions added (`addPermission` is a
 * no-op for them) — confirm against the importing class, which is not in this file.
 */
export interface FunctionAttributes {
  /**
   * The ARN of the Lambda function.
   *
   * Format: arn:<partition>:lambda:<region>:<account-id>:function:<function-name>
   */
  readonly functionArn: string;

  /**
   * The IAM execution role associated with this function.
   *
   * If the role is not specified, any role-related operations will no-op.
   */
  readonly role?: iam.IRole;

  /**
   * Id of the security group of this Lambda, if in a VPC.
   *
   * This needs to be given in order to support allowing connections
   * to this Lambda.
   *
   * @deprecated use `securityGroup` instead
   */
  readonly securityGroupId?: string;

  /**
   * The security group of this Lambda, if in a VPC.
   *
   * This needs to be given in order to support allowing connections
   * to this Lambda.
   */
  readonly securityGroup?: ec2.ISecurityGroup;
}
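export abstract class FunctionBase extends Resource implements IFunction {
  /**
   * The principal this Lambda Function is running as
   */
  public abstract readonly grantPrincipal: iam.IPrincipal;

  /**
   * The name of the function.
   */
  public abstract readonly functionName: string;

  /**
   * The ARN of the function.
   */
  public abstract readonly functionArn: string;

  /**
   * The IAM role associated with this function.
   *
   * Undefined if the function was imported without a role.
   */
  public abstract readonly role?: iam.IRole;

  /**
   * The construct node where permissions are attached.
   */
  public abstract readonly permissionsNode: ConstructNode;

  /**
   * Whether the addPermission() call adds any permissions
   *
   * True for new Lambdas, false for imported Lambdas (they might live in different accounts).
   * When false, `addPermission()` returns without creating anything, so resource-policy
   * grants that `grantInvoke()` falls back to cannot be materialized either.
   */
  protected abstract readonly canCreatePermissions: boolean;

  /**
   * Actual connections object for this Lambda
   *
   * May be unset, in which case this Lambda is not configured use in a VPC.
   * @internal
   */
  protected _connections?: ec2.Connections;

  /**
   * Adds a permission to the Lambda resource policy.
   *
   * Silently does nothing when `canCreatePermissions` is false; callers that
   * need the permission to exist must check for the resulting construct.
   *
   * @param id The id for the permission construct
   * @param permission The permission to grant to this Lambda function. @see Permission for details.
   * @throws Error when `permission.principal` is of an unsupported type
   */
  public addPermission(id: string, permission: Permission) {
    if (!this.canCreatePermissions) {
      // FIXME: Report metadata
      return;
    }

    const principal = this.parsePermissionPrincipal(permission.principal);
    // `||` (not `??`) is deliberate: an empty action string also falls back to the default.
    const action = permission.action || 'lambda:InvokeFunction';
    const scope = permission.scope || this;

    new CfnPermission(scope, id, {
      action,
      principal,
      functionName: this.functionArn,
      eventSourceToken: permission.eventSourceToken,
      sourceAccount: permission.sourceAccount,
      sourceArn: permission.sourceArn,
    });
  }

  /**
   * Adds a statement to the IAM role assumed by the instance.
   *
   * No-op when this function has no associated role (e.g. imported without one).
   *
   * @param statement the policy statement to add to the execution role
   */
  public addToRolePolicy(statement: iam.PolicyStatement) {
    if (!this.role) {
      return;
    }

    this.role.addToPolicy(statement);
  }

  /**
   * Access the Connections object
   *
   * Will fail if not a VPC-enabled Lambda Function
   *
   * @throws Error when this function is not bound to a VPC (see `isBoundToVpc`)
   */
  public get connections(): ec2.Connections {
    if (!this._connections) {
      // eslint-disable-next-line max-len
      throw new Error('Only VPC-associated Lambda Functions have security groups to manage. Supply the "vpc" parameter when creating the Lambda, or "securityGroupId" when importing it.');
    }
    return this._connections;
  }

  /**
   * The `$LATEST` version of this function.
   *
   * A fresh `LatestVersion` wrapper is created on every access.
   */
  public get latestVersion(): IVersion {
    // Dynamic to avoid infinite recursion when creating the LatestVersion instance...
    return new LatestVersion(this);
  }

  /**
   * Whether or not this Lambda function was bound to a VPC
   *
   * If this is `false`, trying to access the `connections` object will fail.
   */
  public get isBoundToVpc(): boolean {
    return !!this._connections;
  }

  /**
   * Adds an event source that maps to this AWS Lambda function.
   *
   * @param id construct ID of the mapping
   * @param options mapping options; `target` is always this function
   * @returns the created mapping construct
   */
  public addEventSourceMapping(id: string, options: EventSourceMappingOptions): EventSourceMapping {
    return new EventSourceMapping(this, id, {
      target: this,
      ...options,
    });
  }

  /**
   * Grant the given identity permissions to invoke this Lambda
   *
   * The grant is first attempted on the grantee's principal policy; when that
   * is not possible, a Lambda resource-policy permission is added via
   * `addPermission()` instead.
   *
   * @param grantee the identity to grant `lambda:InvokeFunction` to
   * @returns the resulting grant
   * @throws Error when a resource-policy permission is required but this
   *   function cannot create permissions (see `canCreatePermissions`)
   */
  public grantInvoke(grantee: iam.IGrantable): iam.Grant {
    return iam.Grant.addToPrincipalOrResource({
      grantee,
      actions: ['lambda:InvokeFunction'],
      resourceArns: [this.functionArn],

      // Fake resource-like object on which to call addToResourcePolicy(), which actually
      // calls addPermission()
      resource: {
        addToResourcePolicy: (_statement) => {
          // Couldn't add permissions to the principal, so add them locally.
          const identifier = `Invoke${grantee.grantPrincipal}`; // calls the .toString() of the principal
          this.addPermission(identifier, {
            principal: grantee.grantPrincipal,
            action: 'lambda:InvokeFunction',
          });

          // addPermission() creates nothing when canCreatePermissions is false, in which case
          // findChild() would fail with an opaque "No child with id" error. Look the child
          // up safely and explain why the grant could not be applied.
          const permissionNode = this._functionNode().tryFindChild(identifier);
          if (permissionNode === undefined) {
            throw new Error(`Cannot grant invoke permission for ${grantee.grantPrincipal} on ${this.node.path}: ` +
              'this function does not allow creating permissions (e.g. it is imported), ' +
              'so its resource policy cannot be modified from this stack');
          }

          const result: iam.AddToResourcePolicyResult = { statementAdded: true, policyDependable: permissionNode };
          return result;
        },
        node: this.node,
        stack: this.stack,
        env: this.env,
      },
    });
  }

  /**
   * Adds an event source to this function.
   *
   * Event sources are implemented in the @aws-cdk/aws-lambda-event-sources module.
   *
   * The following example adds an SQS Queue as an event source:
   *
   *     import { SqsEventSource } from '@aws-cdk/aws-lambda-event-sources';
   *     myFunction.addEventSource(new SqsEventSource(myQueue));
   *
   * @param source The event source to bind to this function
   */
  public addEventSource(source: IEventSource) {
    source.bind(this);
  }

  /**
   * Configures options for asynchronous invocation.
   *
   * Creates a single `EventInvokeConfig` child construct for this function.
   *
   * @param options the asynchronous invocation options
   * @throws Error if an `EventInvokeConfig` child already exists on this construct
   */
  public configureAsyncInvoke(options: EventInvokeConfigOptions): void {
    if (this.node.tryFindChild('EventInvokeConfig') !== undefined) {
      throw new Error(`An EventInvokeConfig has already been configured for the function at ${this.node.path}`);
    }

    new EventInvokeConfig(this, 'EventInvokeConfig', {
      function: this,
      ...options,
    });
  }

  /**
   * Checks whether this function is compatible for Lambda@Edge.
   *
   * The base implementation accepts every function; subclasses override it.
   *
   * @internal
   */
  public _checkEdgeCompatibility(): void {
    return;
  }

  /**
   * Returns the construct tree node that corresponds to the lambda function.
   * For use internally for constructs, when the tree is set up in non-standard ways. Ex: SingletonFunction.
   * @internal
   */
  protected _functionNode(): ConstructNode {
    return this.node;
  }

  /**
   * Translates an IAM principal into the `Principal` value of a Lambda permission.
   *
   * Uses duck-typing rather than `instanceof`. Properties are checked in the
   * order `accountId`, `service`, `arn`; the order matters because an account
   * principal may also expose an ARN.
   *
   * Security note: a principal whose `arn` is `*` (e.g. `iam.AnyPrincipal`)
   * resolves to `*`, which makes the permission public unless the caller also
   * sets `sourceArn` / `sourceAccount` on the permission.
   *
   * @param principal the principal to translate; `undefined` yields `undefined`
   * @returns the account id, service name or ARN to place in the permission
   * @throws Error when the principal exposes none of the supported properties
   */
  private parsePermissionPrincipal(principal?: iam.IPrincipal): string | undefined {
    if (!principal) {
      return undefined;
    }

    // use duck-typing, not instance of
    if ('accountId' in principal) {
      return (principal as iam.AccountPrincipal).accountId;
    }

    if ('service' in principal) {
      return (principal as iam.ServicePrincipal).service;
    }

    if ('arn' in principal) {
      return (principal as iam.ArnPrincipal).arn;
    }

    throw new Error(`Invalid principal type for Lambda permission statement: ${principal.constructor.name}. ` +
      'Supported: AccountPrincipal, ArnPrincipal, ServicePrincipal');
  }
}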
export abstract class QualifiedFunctionBase extends FunctionBase {
  /** The underlying (unqualified) function this version or alias refers to. */
  public abstract readonly lambda: IFunction;

  /** Permissions are attached directly to this construct's node. */
  public readonly permissionsNode = this.node;

  /**
   * The qualifier of the version or alias of this function.
   * A qualifier is the identifier that's appended to a version or alias ARN.
   * @see https://docs.aws.amazon.com/lambda/latest/dg/API_GetFunctionConfiguration.html#API_GetFunctionConfiguration_RequestParameters
   */
  protected abstract readonly qualifier: string;

  /** The `$LATEST` version of the underlying function. */
  public get latestVersion() {
    const { lambda } = this;
    return lambda.latestVersion;
  }

  /**
   * Configures options for asynchronous invocation of this qualified function.
   *
   * A single `EventInvokeConfig` child is created, targeting the underlying
   * function with this construct's qualifier.
   *
   * @param options the asynchronous invocation options
   * @throws Error if this construct already has an `EventInvokeConfig` child
   */
  public configureAsyncInvoke(options: EventInvokeConfigOptions): void {
    const existing = this.node.tryFindChild('EventInvokeConfig');
    if (existing !== undefined) {
      throw new Error(`An EventInvokeConfig has already been configured for the qualified function at ${this.node.path}`);
    }

    const props = {
      function: this.lambda,
      qualifier: this.qualifier,
      ...options,
    };
    new EventInvokeConfig(this, 'EventInvokeConfig', props);
  }
}
/**
 * The $LATEST version of a function, useful when attempting to create aliases.
 *
 * Function-level properties are forwarded to the wrapped function; the ARN and
 * the name get the `$LATEST` qualifier appended.
 */
class LatestVersion extends FunctionBase implements IVersion {
  public readonly lambda: IFunction;
  public readonly version = '$LATEST';
  public readonly permissionsNode = this.node;
  protected readonly canCreatePermissions = true;

  /**
   * @param lambda the function whose `$LATEST` version this construct represents;
   *   it also serves as the construct scope (child id `$LATEST`)
   */
  constructor(lambda: FunctionBase) {
    super(lambda, '$LATEST');
    this.lambda = lambda;
  }

  /** Execution role of the wrapped function, if any. */
  public get role() {
    return this.lambda.role;
  }

  /** Principal the wrapped function runs as. */
  public get grantPrincipal() {
    return this.lambda.grantPrincipal;
  }

  /** `$LATEST` of `$LATEST` is itself. */
  public get latestVersion() {
    return this;
  }

  /** Name of the wrapped function with the `$LATEST` qualifier appended. */
  public get functionName() {
    return [this.lambda.functionName, this.version].join(':');
  }

  /** ARN of the wrapped function with the `$LATEST` qualifier appended. */
  public get functionArn() {
    return [this.lambda.functionArn, this.version].join(':');
  }

  /**
   * Creates an alias pointing at `$LATEST`.
   *
   * @param aliasName name of the alias
   * @param options alias options (defaults to none)
   */
  public addAlias(aliasName: string, options: AliasOptions = {}) {
    const scope = this;
    return addAlias(scope, this, aliasName, options);
  }

  /** Always throws: `$LATEST` cannot back a Lambda@Edge association. */
  public get edgeArn(): never {
    throw new Error('$LATEST function version cannot be used for Lambda@Edge');
  }
}