import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
import * as ec2 from '@aws-cdk/aws-ec2';
import * as iam from '@aws-cdk/aws-iam';
import { ConstructNode, IResource, Resource, Token } from '@aws-cdk/core';
import { AliasOptions } from './alias';
import { EventInvokeConfig, EventInvokeConfigOptions } from './event-invoke-config';
import { IEventSource } from './event-source';
import { EventSourceMapping, EventSourceMappingOptions } from './event-source-mapping';
import { IVersion } from './lambda-version';
import { CfnPermission } from './lambda.generated';
import { Permission } from './permission';
import { addAlias } from './util';
export interface IFunction extends IResource, ec2.IConnectable, iam.IGrantable {
  /**
   * The name of the function.
   *
   * @attribute
   */
  readonly functionName: string;

  /**
   * The ARN of the function.
   *
   * @attribute
   */
  readonly functionArn: string;

  /**
   * The IAM role associated with this function.
   *
   * May be undefined for a function imported without a role; implementations
   * of `addToRolePolicy` may then have nothing to attach the statement to.
   */
  readonly role?: iam.IRole;

  /**
   * Whether or not this Lambda function was bound to a VPC
   *
   * If this is `false`, trying to access the `connections` object will fail.
   */
  readonly isBoundToVpc: boolean;

  /**
   * The `$LATEST` version of this function.
   *
   * Note that this is a reference to a non-specific AWS Lambda version, which
   * means the function this version refers to can return different results in
   * different invocations.
   *
   * To obtain a reference to an explicit version which references the current
   * function configuration, use `lambdaFunction.currentVersion` instead.
   */
  readonly latestVersion: IVersion;

  /**
   * The construct node where permissions are attached.
   */
  readonly permissionsNode: ConstructNode;

  /**
   * Adds an event source that maps to this AWS Lambda function.
   * @param id construct ID
   * @param options mapping options
   */
  addEventSourceMapping(id: string, options: EventSourceMappingOptions): EventSourceMapping;

  /**
   * Adds a permission to the Lambda resource policy.
   *
   * Resource-policy entries are how other accounts and AWS services are allowed
   * to invoke this function, so keep them narrow: when `principal` is a service
   * principal, also set `sourceArn` and/or `sourceAccount` on the permission so
   * the entry is scoped to the intended source resource (confused-deputy
   * mitigation). Note that the base implementation returns without adding
   * anything on resources that cannot carry permissions (see
   * `FunctionBase.addPermission`).
   *
   * @param id The id for the permission construct
   * @param permission The permission to grant to this Lambda function. @see Permission for details.
   */
  addPermission(id: string, permission: Permission): void;

  /**
   * Adds a statement to the IAM role assumed by the instance.
   *
   * The base implementation silently does nothing when `role` is undefined.
   */
  addToRolePolicy(statement: iam.PolicyStatement): void;

  /**
   * Grant the given identity permissions to invoke this Lambda
   *
   * Only `lambda:InvokeFunction` on this function's ARN is granted.
   */
  grantInvoke(identity: iam.IGrantable): iam.Grant;

  /**
   * Return the given named metric for this Lambda
   */
  metric(metricName: string, props?: cloudwatch.MetricOptions): cloudwatch.Metric;

  /**
   * Metric for the Duration of this Lambda
   *
   * @default average over 5 minutes
   */
  metricDuration(props?: cloudwatch.MetricOptions): cloudwatch.Metric;

  /**
   * Metric for the number of invocations of this Lambda
   *
   * @default sum over 5 minutes
   */
  metricInvocations(props?: cloudwatch.MetricOptions): cloudwatch.Metric;

  /**
   * Metric for the number of throttled invocations of this Lambda
   *
   * @default sum over 5 minutes
   */
  metricThrottles(props?: cloudwatch.MetricOptions): cloudwatch.Metric;

  /**
   * Adds an event source to this function.
   *
   * Event sources are implemented in the @aws-cdk/aws-lambda-event-sources module.
   *
   * The following example adds an SQS Queue as an event source:
   * ```
   * import { SqsEventSource } from '@aws-cdk/aws-lambda-event-sources';
   * myFunction.addEventSource(new SqsEventSource(myQueue));
   * ```
   */
  addEventSource(source: IEventSource): void;

  /**
   * Configures options for asynchronous invocation.
   */
  configureAsyncInvoke(options: EventInvokeConfigOptions): void;
}
/**
 * Represents a Lambda function defined outside of this stack.
 */
export interface FunctionAttributes {
  /**
   * The ARN of the Lambda function.
   *
   * Format: arn:<partition>:lambda:<region>:<account-id>:function:<function-name>
   */
  readonly functionArn: string;

  /**
   * The IAM execution role associated with this function.
   *
   * If the role is not specified, any role-related operations will no-op.
   */
  readonly role?: iam.IRole;

  /**
   * Id of the security group of this Lambda, if in a VPC.
   *
   * This needs to be given in order to support allowing connections
   * to this Lambda.
   *
   * @deprecated use `securityGroup` instead
   */
  readonly securityGroupId?: string;

  /**
   * The security group of this Lambda, if in a VPC.
   *
   * This needs to be given in order to support allowing connections
   * to this Lambda.
   */
  readonly securityGroup?: ec2.ISecurityGroup;

  /**
   * Setting this property informs the CDK that the imported function is in the same environment as the stack.
   * This affects certain behaviours such as whether this function's permission can be modified.
   * When not configured, the CDK attempts to auto-determine this. For environment agnostic stacks, i.e., stacks
   * where the account is not specified with the `env` property, this is determined to be false.
   *
   * Set this property *ONLY IF* the imported function is in the same account as the stack
   * it's imported in. NOTE(review): setting it for a function owned by another account
   * makes the CDK emit resource-policy permissions it has no authority to create — expect
   * a deployment failure rather than a working grant; verify ownership before setting it.
   *
   * @default - depends: true, if the Stack is configured with an explicit `env` (account and region) and the account is the same as this function.
   * For environment-agnostic stacks this will default to `false`.
   */
  readonly sameEnvironment?: boolean;
}
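export abstract class FunctionBase extends Resource implements IFunction, ec2.IClientVpnConnectionHandler {
  /**
   * The principal this Lambda Function is running as
   */
  public abstract readonly grantPrincipal: iam.IPrincipal;

  /**
   * The name of the function.
   */
  public abstract readonly functionName: string;

  /**
   * The ARN of the function.
   */
  public abstract readonly functionArn: string;

  /**
   * The IAM role associated with this function.
   *
   * Undefined if the function was imported without a role; in that case
   * `addToRolePolicy()` silently does nothing.
   */
  public abstract readonly role?: iam.IRole;

  /**
   * The construct node where permissions are attached.
   */
  public abstract readonly permissionsNode: ConstructNode;

  /**
   * Whether the addPermission() call adds any permissions
   *
   * True for new Lambdas, false for version $LATEST and imported Lambdas
   * from different accounts. When false, `addPermission()` returns without
   * creating a resource-policy entry.
   */
  protected abstract readonly canCreatePermissions: boolean;

  /**
   * Actual connections object for this Lambda
   *
   * May be unset, in which case this Lambda is not configured use in a VPC.
   * @internal
   */
  protected _connections?: ec2.Connections;

  private _latestVersion?: LatestVersion;

  /**
   * Mapping of invocation principals to grants. Used to de-dupe `grantInvoke()` calls.
   * @internal
   */
  protected _invocationGrants: Record<string, iam.Grant> = {};

  /**
   * Adds a permission to the Lambda resource policy.
   *
   * Resource-policy entries are what allow *other* accounts and AWS services to
   * invoke this function, so scope them tightly: when `permission.principal` is
   * a service principal, also set `sourceArn` and/or `sourceAccount` so that
   * only the intended source resource can trigger the function rather than any
   * resource of that service (confused-deputy mitigation).
   *
   * If this resource cannot carry permissions (`canCreatePermissions` is false:
   * the `$LATEST` version, or a function imported from another account) the
   * call currently returns without doing anything — the permission is NOT
   * granted and no error is raised, so callers must not assume success.
   *
   * @param id The id for the permission construct
   * @param permission The permission to grant to this Lambda function. @see Permission for details.
   */
  public addPermission(id: string, permission: Permission) {
    if (!this.canCreatePermissions) {
      // FIXME: @deprecated(v2) - throw an error if calling `addPermission` on a resource that doesn't support it.
      return;
    }

    const principal = this.parsePermissionPrincipal(permission.principal);
    // Invoke is the default action; callers may override it via `permission.action`.
    const action = permission.action || 'lambda:InvokeFunction';
    const scope = permission.scope || this;

    new CfnPermission(scope, id, {
      action,
      principal,
      functionName: this.functionArn,
      eventSourceToken: permission.eventSourceToken,
      sourceAccount: permission.sourceAccount,
      sourceArn: permission.sourceArn,
    });
  }

  /**
   * Adds a statement to the IAM role assumed by the instance.
   *
   * Silently does nothing when this function has no `role` (imported without
   * one); the statement is dropped, not deferred.
   */
  public addToRolePolicy(statement: iam.PolicyStatement) {
    if (!this.role) {
      return;
    }

    this.role.addToPrincipalPolicy(statement);
  }

  /**
   * Access the Connections object
   *
   * Will fail if not a VPC-enabled Lambda Function
   *
   * @throws Error when the function was not placed in a VPC (or imported
   *   without a security group), since there is nothing to manage.
   */
  public get connections(): ec2.Connections {
    if (!this._connections) {
      // Point users at the non-deprecated import attribute (`securityGroup`); `securityGroupId` is deprecated.
      // eslint-disable-next-line max-len
      throw new Error('Only VPC-associated Lambda Functions have security groups to manage. Supply the "vpc" parameter when creating the Lambda, or "securityGroup" (or the deprecated "securityGroupId") when importing it.');
    }
    return this._connections;
  }

  /**
   * The `$LATEST` version of this function, created lazily and cached.
   */
  public get latestVersion(): IVersion {
    if (!this._latestVersion) {
      this._latestVersion = new LatestVersion(this);
    }
    return this._latestVersion;
  }

  /**
   * Whether or not this Lambda function was bound to a VPC
   *
   * If this is `false`, trying to access the `connections` object will fail.
   */
  public get isBoundToVpc(): boolean {
    return !!this._connections;
  }

  /**
   * Adds an event source that maps to this AWS Lambda function.
   *
   * The mapping is created as a child of this construct with `target: this`;
   * `options` may override any other mapping property.
   */
  public addEventSourceMapping(id: string, options: EventSourceMappingOptions): EventSourceMapping {
    return new EventSourceMapping(this, id, {
      target: this,
      ...options,
    });
  }

  /**
   * Grant the given identity permissions to invoke this Lambda
   *
   * Grants only `lambda:InvokeFunction` on this function's ARN. The grant is
   * added to the grantee's identity policy when possible; otherwise it falls
   * back to a resource-policy permission on this function, which fails (throws)
   * on resources that cannot carry permissions ($LATEST, imported cross-account).
   *
   * Results are memoized per principal (keyed on the principal's string form),
   * so repeated calls for the same grantee are idempotent. NOTE(review): two
   * distinct principals that stringify identically would share one grant —
   * confirm that is acceptable for the principal types used with this API.
   */
  public grantInvoke(grantee: iam.IGrantable): iam.Grant {
    const identifier = `Invoke${grantee.grantPrincipal}`; // calls the .toString() of the principal

    // Memoize the result so subsequent grantInvoke() calls are idempotent
    let grant = this._invocationGrants[identifier];
    if (!grant) {
      grant = iam.Grant.addToPrincipalOrResource({
        grantee,
        actions: ['lambda:InvokeFunction'],
        resourceArns: [this.functionArn],

        // Fake resource-like object on which to call addToResourcePolicy(), which actually
        // calls addPermission()
        resource: {
          addToResourcePolicy: (_statement) => {
            // Couldn't add permissions to the principal, so add them locally.
            this.addPermission(identifier, {
              principal: grantee.grantPrincipal!,
              action: 'lambda:InvokeFunction',
            });

            // addPermission() is a silent no-op when permissions cannot be created; detect
            // that here by checking whether the CfnPermission child actually appeared.
            const permissionNode = this._functionNode().tryFindChild(identifier);
            if (!permissionNode) {
              throw new Error('Cannot modify permission to lambda function. Function is either imported or $LATEST version. '
                + 'If the function is imported from the same account use `fromFunctionAttributes()` API with the `sameEnvironment` flag.');
            }
            return { statementAdded: true, policyDependable: permissionNode };
          },
          node: this.node,
          stack: this.stack,
          env: this.env,
        },
      });
      this._invocationGrants[identifier] = grant;
    }
    return grant;
  }

  /**
   * Adds an event source to this function by letting it bind itself.
   */
  public addEventSource(source: IEventSource) {
    source.bind(this);
  }

  /**
   * Configures options for asynchronous invocation.
   *
   * Only one EventInvokeConfig may exist per function; a second call throws
   * rather than silently replacing the first.
   */
  public configureAsyncInvoke(options: EventInvokeConfigOptions): void {
    if (this.node.tryFindChild('EventInvokeConfig') !== undefined) {
      throw new Error(`An EventInvokeConfig has already been configured for the function at ${this.node.path}`);
    }

    new EventInvokeConfig(this, 'EventInvokeConfig', {
      function: this,
      ...options,
    });
  }

  /**
   * Returns the construct tree node that corresponds to the lambda function.
   * For use internally for constructs, when the tree is set up in non-standard ways. Ex: SingletonFunction.
   * @internal
   */
  protected _functionNode(): ConstructNode {
    return this.node;
  }

  /**
   * Given the function arn, check if the account id matches this account
   *
   * Function ARNs look like this:
   *
   *   arn:aws:lambda:region:account-id:function:function-name
   *
   * ..which means that in order to extract the `account-id` component from the ARN, we can
   * split the ARN using ":" and select the component in index 4.
   *
   * If either the stack account or the ARN is an unresolved token the answer is
   * conservatively `false` (treated as a different account).
   *
   * @returns true if account id of function matches the account specified on the stack, false otherwise.
   *
   * @internal
   */
  protected _isStackAccount(): boolean {
    if (Token.isUnresolved(this.stack.account) || Token.isUnresolved(this.functionArn)) {
      return false;
    }
    return this.stack.parseArn(this.functionArn).account === this.stack.account;
  }

  /**
   * Translate IPrincipal to something we can pass to AWS::Lambda::Permissions
   *
   * Do some nasty things because `Permission` supports a subset of what the
   * full IAM principal language supports, and we may not be able to parse strings
   * outright because they may be tokens.
   *
   * Try to recognize some specific Principal classes first, then try a generic
   * fallback.
   *
   * Security notes:
   * - Lambda permissions cannot express IAM conditions. The generic fallback
   *   rejects a principal that carries conditions rather than silently widening
   *   it; the duck-typed branches return the principal's identifier without
   *   consulting conditions — TODO confirm that is acceptable for condition-bearing
   *   wrappers around these classes.
   * - The ARN / AWS-entry is passed through verbatim, so a principal whose
   *   identifier is `*` yields an unrestricted resource-policy entry. Callers
   *   should confirm that is intended before granting to such a principal.
   *
   * @returns the principal string for the permission, or undefined when none was given
   * @throws Error for principal shapes that cannot be represented in a Lambda permission
   */
  private parsePermissionPrincipal(principal?: iam.IPrincipal) {
    if (!principal) {
      return undefined;
    }

    // Try some specific common classes first.
    // use duck-typing, not instance of
    // @deprecated: after v2, we can change these to 'instanceof'
    if ('accountId' in principal) {
      return (principal as iam.AccountPrincipal).accountId;
    }

    if ('service' in principal) {
      return (principal as iam.ServicePrincipal).service;
    }

    if ('arn' in principal) {
      return (principal as iam.ArnPrincipal).arn;
    }

    // Try a best-effort approach to support simple principals that are not any of the predefined
    // classes, but are simple enough that they will fit into the Permission model. Main target
    // here: imported Roles, Users, Groups.
    //
    // The principal cannot have conditions and must have a single { AWS: [arn] } entry.
    const json = principal.policyFragment.principalJson;
    if (Object.keys(principal.policyFragment.conditions).length === 0 && json.AWS) {
      if (typeof json.AWS === 'string') { return json.AWS; }
      if (Array.isArray(json.AWS) && json.AWS.length === 1 && typeof json.AWS[0] === 'string') {
        return json.AWS[0];
      }
    }

    throw new Error(`Invalid principal type for Lambda permission statement: ${principal.constructor.name}. ` +
      'Supported: AccountPrincipal, ArnPrincipal, ServicePrincipal');
  }
}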
export abstract class QualifiedFunctionBase extends FunctionBase {
  /** The unqualified function this version or alias refers to. */
  public abstract readonly lambda: IFunction;

  /**
   * The qualifier of the version or alias of this function.
   * A qualifier is the identifier that's appended to a version or alias ARN.
   * @see https://docs.aws.amazon.com/lambda/latest/dg/API_GetFunctionConfiguration.html#API_GetFunctionConfiguration_RequestParameters
   */
  protected abstract readonly qualifier: string;

  /** Permissions for a qualified function are attached to its own node. */
  public readonly permissionsNode = this.node;

  /** `$LATEST` is always resolved through the underlying function. */
  public get latestVersion() {
    return this.lambda.latestVersion;
  }

  /**
   * Configures options for asynchronous invocation of this version or alias.
   *
   * Only one EventInvokeConfig may exist per qualified function; a second call
   * throws instead of silently replacing the first.
   */
  public configureAsyncInvoke(options: EventInvokeConfigOptions): void {
    const existing = this.node.tryFindChild('EventInvokeConfig');
    if (existing !== undefined) {
      throw new Error(`An EventInvokeConfig has already been configured for the qualified function at ${this.node.path}`);
    }

    const props = {
      function: this.lambda,
      qualifier: this.qualifier,
      ...options,
    };
    new EventInvokeConfig(this, 'EventInvokeConfig', props);
  }
}
/**
 * The $LATEST version of a function, useful when attempting to create aliases.
 */
class LatestVersion extends FunctionBase implements IVersion {
  public readonly lambda: IFunction;
  public readonly version = '$LATEST';
  public readonly permissionsNode = this.node;

  /**
   * `$LATEST` is a moving target, so no resource-policy entries are attached to
   * it: `addPermission()` on this object is a no-op, and a `grantInvoke()` that
   * has to fall back to the resource policy will throw.
   */
  protected readonly canCreatePermissions = false;

  constructor(lambda: FunctionBase) {
    super(lambda, '$LATEST');
    this.lambda = lambda;
  }

  /** The underlying function ARN with the `$LATEST` qualifier appended. */
  public get functionArn() {
    return [this.lambda.functionArn, this.version].join(':');
  }

  /** The underlying function name with the `$LATEST` qualifier appended. */
  public get functionName() {
    return [this.lambda.functionName, this.version].join(':');
  }

  /** Runs as the same principal as the underlying function. */
  public get grantPrincipal() {
    return this.lambda.grantPrincipal;
  }

  /** `$LATEST` of `$LATEST` is itself. */
  public get latestVersion() {
    return this;
  }

  /** Shares the underlying function's execution role (may be undefined). */
  public get role() {
    return this.lambda.role;
  }

  /** Creates an alias pointing at `$LATEST`. */
  public addAlias(aliasName: string, options: AliasOptions = {}) {
    return addAlias(this, this, aliasName, options);
  }

  /** Lambda@Edge requires a pinned version, so `$LATEST` cannot be used. */
  public get edgeArn(): never {
    throw new Error('$LATEST function version cannot be used for Lambda@Edge');
  }
}