1 | import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
|
2 | import * as ec2 from '@aws-cdk/aws-ec2';
|
3 | import * as iam from '@aws-cdk/aws-iam';
|
4 | import { ConstructNode, IResource, Resource } from '@aws-cdk/core';
|
5 | import { Architecture } from './architecture';
|
6 | import { EventInvokeConfigOptions } from './event-invoke-config';
|
7 | import { IEventSource } from './event-source';
|
8 | import { EventSourceMapping, EventSourceMappingOptions } from './event-source-mapping';
|
9 | import { FunctionUrlOptions, FunctionUrl } from './function-url';
|
10 | import { IVersion } from './lambda-version';
|
11 | import { Permission } from './permission';
|
12 | import { Construct } from '@aws-cdk/core';
|
13 | export interface IFunction extends IResource, ec2.IConnectable, iam.IGrantable {
|
14 | /**
|
15 | * The name of the function.
|
16 | *
|
17 | * @attribute
|
18 | */
|
19 | readonly functionName: string;
|
20 | /**
|
21 | * The ARN of the function.
|
22 | *
|
23 | * @attribute
|
24 | */
|
25 | readonly functionArn: string;
|
26 | /**
|
27 | * The IAM role associated with this function.
|
28 | */
|
29 | readonly role?: iam.IRole;
|
30 | /**
|
31 | * Whether or not this Lambda function was bound to a VPC
|
32 | *
|
33 | * If this is is `false`, trying to access the `connections` object will fail.
|
34 | */
|
35 | readonly isBoundToVpc: boolean;
|
36 | /**
|
37 | * The `$LATEST` version of this function.
|
38 | *
|
39 | * Note that this is reference to a non-specific AWS Lambda version, which
|
40 | * means the function this version refers to can return different results in
|
41 | * different invocations.
|
42 | *
|
43 | * To obtain a reference to an explicit version which references the current
|
44 | * function configuration, use `lambdaFunction.currentVersion` instead.
|
45 | */
|
46 | readonly latestVersion: IVersion;
|
47 | /**
|
48 | * The construct node where permissions are attached.
|
49 | */
|
50 | readonly permissionsNode: ConstructNode;
|
51 | /**
|
52 | * The system architectures compatible with this lambda function.
|
53 | */
|
54 | readonly architecture: Architecture;
|
55 | /**
|
56 | * The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke().
|
57 | *
|
58 | * This property is for cdk modules to consume only. You should not need to use this property.
|
59 | * Instead, use grantInvoke() directly.
|
60 | */
|
61 | readonly resourceArnsForGrantInvoke: string[];
|
62 | /**
|
63 | * Adds an event source that maps to this AWS Lambda function.
|
64 | * @param id construct ID
|
65 | * @param options mapping options
|
66 | */
|
67 | addEventSourceMapping(id: string, options: EventSourceMappingOptions): EventSourceMapping;
|
68 | /**
|
69 | * Adds a permission to the Lambda resource policy.
|
70 | * @param id The id for the permission construct
|
71 | * @param permission The permission to grant to this Lambda function. @see Permission for details.
|
72 | */
|
73 | addPermission(id: string, permission: Permission): void;
|
74 | /**
|
75 | * Adds a statement to the IAM role assumed by the instance.
|
76 | */
|
77 | addToRolePolicy(statement: iam.PolicyStatement): void;
|
78 | /**
|
79 | * Grant the given identity permissions to invoke this Lambda
|
80 | */
|
81 | grantInvoke(identity: iam.IGrantable): iam.Grant;
|
82 | /**
|
83 | * Grant the given identity permissions to invoke this Lambda Function URL
|
84 | */
|
85 | grantInvokeUrl(identity: iam.IGrantable): iam.Grant;
|
86 | /**
|
87 | * Return the given named metric for this Lambda
|
88 | */
|
89 | metric(metricName: string, props?: cloudwatch.MetricOptions): cloudwatch.Metric;
|
90 | /**
|
91 | * Metric for the Duration of this Lambda
|
92 | *
|
93 | * @default average over 5 minutes
|
94 | */
|
95 | metricDuration(props?: cloudwatch.MetricOptions): cloudwatch.Metric;
|
96 | /**
|
97 | * Metric for the number of invocations of this Lambda
|
98 | *
|
99 | * @default sum over 5 minutes
|
100 | */
|
101 | metricInvocations(props?: cloudwatch.MetricOptions): cloudwatch.Metric;
|
102 | /**
|
103 | * Metric for the number of throttled invocations of this Lambda
|
104 | *
|
105 | * @default sum over 5 minutes
|
106 | */
|
107 | metricThrottles(props?: cloudwatch.MetricOptions): cloudwatch.Metric;
|
108 | /**
|
109 | * Adds an event source to this function.
|
110 | *
|
111 | * Event sources are implemented in the @aws-cdk/aws-lambda-event-sources module.
|
112 | *
|
113 | * The following example adds an SQS Queue as an event source:
|
114 | * ```
|
115 | * import { SqsEventSource } from '@aws-cdk/aws-lambda-event-sources';
|
116 | * myFunction.addEventSource(new SqsEventSource(myQueue));
|
117 | * ```
|
118 | */
|
119 | addEventSource(source: IEventSource): void;
|
120 | /**
|
121 | * Configures options for asynchronous invocation.
|
122 | */
|
123 | configureAsyncInvoke(options: EventInvokeConfigOptions): void;
|
124 | /**
|
125 | * Adds a url to this lambda function.
|
126 | */
|
127 | addFunctionUrl(options?: FunctionUrlOptions): FunctionUrl;
|
128 | }
|
129 | /**
|
130 | * Represents a Lambda function defined outside of this stack.
|
131 | */
|
132 | export interface FunctionAttributes {
|
133 | /**
|
134 | * The ARN of the Lambda function.
|
135 | *
|
136 | * Format: arn:<partition>:lambda:<region>:<account-id>:function:<function-name>
|
137 | */
|
138 | readonly functionArn: string;
|
139 | /**
|
140 | * The IAM execution role associated with this function.
|
141 | *
|
142 | * If the role is not specified, any role-related operations will no-op.
|
143 | */
|
144 | readonly role?: iam.IRole;
|
145 | /**
|
146 | * Id of the security group of this Lambda, if in a VPC.
|
147 | *
|
148 | * This needs to be given in order to support allowing connections
|
149 | * to this Lambda.
|
150 | *
|
151 | * @deprecated use `securityGroup` instead
|
152 | */
|
153 | readonly securityGroupId?: string;
|
154 | /**
|
155 | * The security group of this Lambda, if in a VPC.
|
156 | *
|
157 | * This needs to be given in order to support allowing connections
|
158 | * to this Lambda.
|
159 | */
|
160 | readonly securityGroup?: ec2.ISecurityGroup;
|
161 | /**
|
162 | * Setting this property informs the CDK that the imported function is in the same environment as the stack.
|
163 | * This affects certain behaviours such as, whether this function's permission can be modified.
|
164 | * When not configured, the CDK attempts to auto-determine this. For environment agnostic stacks, i.e., stacks
|
165 | * where the account is not specified with the `env` property, this is determined to be false.
|
166 | *
|
167 | * Set this to property *ONLY IF* the imported function is in the same account as the stack
|
168 | * it's imported in.
|
169 | * @default - depends: true, if the Stack is configured with an explicit `env` (account and region) and the account is the same as this function.
|
170 | * For environment-agnostic stacks this will default to `false`.
|
171 | */
|
172 | readonly sameEnvironment?: boolean;
|
173 | /**
|
174 | * Setting this property informs the CDK that the imported function ALREADY HAS the necessary permissions
|
175 | * for what you are trying to do. When not configured, the CDK attempts to auto-determine whether or not
|
176 | * additional permissions are necessary on the function when grant APIs are used. If the CDK tried to add
|
177 | * permissions on an imported lambda, it will fail.
|
178 | *
|
179 | * Set this property *ONLY IF* you are committing to manage the imported function's permissions outside of
|
180 | * CDK. You are acknowledging that your CDK code alone will have insufficient permissions to access the
|
181 | * imported function.
|
182 | *
|
183 | * @default false
|
184 | */
|
185 | readonly skipPermissions?: boolean;
|
186 | /**
|
187 | * The architecture of this Lambda Function (this is an optional attribute and defaults to X86_64).
|
188 | * @default - Architecture.X86_64
|
189 | */
|
190 | readonly architecture?: Architecture;
|
191 | }
|
192 | export declare abstract class FunctionBase extends Resource implements IFunction, ec2.IClientVpnConnectionHandler {
|
193 | /**
|
194 | * The principal this Lambda Function is running as
|
195 | */
|
196 | abstract readonly grantPrincipal: iam.IPrincipal;
|
197 | /**
|
198 | * The name of the function.
|
199 | */
|
200 | abstract readonly functionName: string;
|
201 | /**
|
202 | * The ARN fo the function.
|
203 | */
|
204 | abstract readonly functionArn: string;
|
205 | /**
|
206 | * The IAM role associated with this function.
|
207 | *
|
208 | * Undefined if the function was imported without a role.
|
209 | */
|
210 | abstract readonly role?: iam.IRole;
|
211 | /**
|
212 | * The construct node where permissions are attached.
|
213 | */
|
214 | abstract readonly permissionsNode: ConstructNode;
|
215 | /**
|
216 | * The architecture of this Lambda Function.
|
217 | */
|
218 | abstract readonly architecture: Architecture;
|
219 | /**
|
220 | * Whether the addPermission() call adds any permissions
|
221 | *
|
222 | * True for new Lambdas, false for version $LATEST and imported Lambdas
|
223 | * from different accounts.
|
224 | */
|
225 | protected abstract readonly canCreatePermissions: boolean;
|
226 | /**
|
227 | * The ARN(s) to put into the resource field of the generated IAM policy for grantInvoke()
|
228 | */
|
229 | abstract readonly resourceArnsForGrantInvoke: string[];
|
230 | /**
|
231 | * Whether the user decides to skip adding permissions.
|
232 | * The only use case is for cross-account, imported lambdas
|
233 | * where the user commits to modifying the permisssions
|
234 | * on the imported lambda outside CDK.
|
235 | * @internal
|
236 | */
|
237 | protected readonly _skipPermissions?: boolean;
|
238 | /**
|
239 | * Actual connections object for this Lambda
|
240 | *
|
241 | * May be unset, in which case this Lambda is not configured use in a VPC.
|
242 | * @internal
|
243 | */
|
244 | protected _connections?: ec2.Connections;
|
245 | private _latestVersion?;
|
246 | /**
|
247 | * Flag to delay adding a warning message until current version is invoked.
|
248 | * @internal
|
249 | */
|
250 | protected _warnIfCurrentVersionCalled: boolean;
|
251 | /**
|
252 | * Mapping of invocation principals to grants. Used to de-dupe `grantInvoke()` calls.
|
253 | * @internal
|
254 | */
|
255 | protected _invocationGrants: Record<string, iam.Grant>;
|
256 | /**
|
257 | * Mapping of fucntion URL invocation principals to grants. Used to de-dupe `grantInvokeUrl()` calls.
|
258 | * @internal
|
259 | */
|
260 | protected _functionUrlInvocationGrants: Record<string, iam.Grant>;
|
261 | /**
|
262 | * A warning will be added to functions under the following conditions:
|
263 | * - permissions that include `lambda:InvokeFunction` are added to the unqualified function.
|
264 | * - function.currentVersion is invoked before or after the permission is created.
|
265 | *
|
266 | * This applies only to permissions on Lambda functions, not versions or aliases.
|
267 | * This function is overridden as a noOp for QualifiedFunctionBase.
|
268 | */
|
269 | considerWarningOnInvokeFunctionPermissions(scope: Construct, action: string): void;
|
270 | protected warnInvokeFunctionPermissions(scope: Construct): void;
|
271 | /**
|
272 | * Adds a permission to the Lambda resource policy.
|
273 | * @param id The id for the permission construct
|
274 | * @param permission The permission to grant to this Lambda function. @see Permission for details.
|
275 | */
|
276 | addPermission(id: string, permission: Permission): void;
|
277 | /**
|
278 | * Adds a statement to the IAM role assumed by the instance.
|
279 | */
|
280 | addToRolePolicy(statement: iam.PolicyStatement): void;
|
281 | /**
|
282 | * Access the Connections object
|
283 | *
|
284 | * Will fail if not a VPC-enabled Lambda Function
|
285 | */
|
286 | get connections(): ec2.Connections;
|
287 | get latestVersion(): IVersion;
|
288 | /**
|
289 | * Whether or not this Lambda function was bound to a VPC
|
290 | *
|
291 | * If this is is `false`, trying to access the `connections` object will fail.
|
292 | */
|
293 | get isBoundToVpc(): boolean;
|
294 | addEventSourceMapping(id: string, options: EventSourceMappingOptions): EventSourceMapping;
|
295 | /**
|
296 | * Grant the given identity permissions to invoke this Lambda
|
297 | */
|
298 | grantInvoke(grantee: iam.IGrantable): iam.Grant;
|
299 | /**
|
300 | * Grant the given identity permissions to invoke this Lambda Function URL
|
301 | */
|
302 | grantInvokeUrl(grantee: iam.IGrantable): iam.Grant;
|
303 | addEventSource(source: IEventSource): void;
|
304 | configureAsyncInvoke(options: EventInvokeConfigOptions): void;
|
305 | addFunctionUrl(options?: FunctionUrlOptions): FunctionUrl;
|
306 | /**
|
307 | * Returns the construct tree node that corresponds to the lambda function.
|
308 | * For use internally for constructs, when the tree is set up in non-standard ways. Ex: SingletonFunction.
|
309 | * @internal
|
310 | */
|
311 | protected _functionNode(): ConstructNode;
|
312 | /**
|
313 | * Given the function arn, check if the account id matches this account
|
314 | *
|
315 | * Function ARNs look like this:
|
316 | *
|
317 | * arn:aws:lambda:region:account-id:function:function-name
|
318 | *
|
319 | * ..which means that in order to extract the `account-id` component from the ARN, we can
|
320 | * split the ARN using ":" and select the component in index 4.
|
321 | *
|
322 | * @returns true if account id of function matches the account specified on the stack, false otherwise.
|
323 | *
|
324 | * @internal
|
325 | */
|
326 | protected _isStackAccount(): boolean;
|
327 | private grant;
|
328 | /**
|
329 | * Translate IPrincipal to something we can pass to AWS::Lambda::Permissions
|
330 | *
|
331 | * Do some nasty things because `Permission` supports a subset of what the
|
332 | * full IAM principal language supports, and we may not be able to parse strings
|
333 | * outright because they may be tokens.
|
334 | *
|
335 | * Try to recognize some specific Principal classes first, then try a generic
|
336 | * fallback.
|
337 | */
|
338 | private parsePermissionPrincipal;
|
339 | private parseConditions;
|
340 | private isPrincipalWithConditions;
|
341 | }
|
342 | export declare abstract class QualifiedFunctionBase extends FunctionBase {
|
343 | abstract readonly lambda: IFunction;
|
344 | readonly permissionsNode: ConstructNode;
|
345 | /**
|
346 | * The qualifier of the version or alias of this function.
|
347 | * A qualifier is the identifier that's appended to a version or alias ARN.
|
348 | * @see https://docs.aws.amazon.com/lambda/latest/dg/API_GetFunctionConfiguration.html#API_GetFunctionConfiguration_RequestParameters
|
349 | */
|
350 | protected abstract readonly qualifier: string;
|
351 | get latestVersion(): IVersion;
|
352 | get resourceArnsForGrantInvoke(): string[];
|
353 | configureAsyncInvoke(options: EventInvokeConfigOptions): void;
|
354 | considerWarningOnInvokeFunctionPermissions(_scope: Construct, _action: string): void;
|
355 | }
|