1 | import * as iam from '@aws-cdk/aws-iam';
|
2 | import * as logs from '@aws-cdk/aws-logs';
|
3 | import * as cdk from '@aws-cdk/core';
|
4 | import { Construct } from 'constructs';
|
5 | import { Construct as CoreConstruct } from '@aws-cdk/core';
|
/**
 * Reference to the physical resource id that can be passed to the AWS operation as a parameter.
 *
 * Implements `cdk.IResolvable`, so an instance can be placed inside
 * `AwsSdkCall.parameters` and treated by the CDK like any other token.
 */
export declare class PhysicalResourceIdReference implements cdk.IResolvable {
  /** Creation stack required by the `cdk.IResolvable` contract. */
  readonly creationStack: string[];
  /**
   * toJSON serialization to replace `PhysicalResourceIdReference` with a magic string.
   *
   * NOTE(review): the magic string and the place where it is swapped for the
   * real physical id are not visible in this declaration file — confirm in the
   * provider handler before relying on its exact form.
   */
  toJSON(): string;
  /**
   * Resolve the reference.
   *
   * @param _ resolve context; unused per the parameter name
   * @returns the resolved value, left as `any` by this declaration
   */
  resolve(_: cdk.IResolveContext): any;
  /** String form of the reference. */
  toString(): string;
}
/**
 * Physical ID of the custom resource.
 *
 * Construct it through one of the two static factories: `fromResponse` derives
 * the id from the API response, `of` supplies a literal. The constructor is
 * private, so only one of `responsePath` / `id` is expected to be set.
 */
export declare class PhysicalResourceId {
  /** Dot-notation path into the API call response (see `fromResponse`). */
  readonly responsePath?: string | undefined;
  /** Literal physical id (see `of`). */
  readonly id?: string | undefined;
  /**
   * Extract the physical resource id from the path (dot notation) to the data in the API call response.
   *
   * @param responsePath dot-notation path to the response element that holds the id
   * @returns a `PhysicalResourceId` carrying that `responsePath`
   */
  static fromResponse(responsePath: string): PhysicalResourceId;
  /**
   * Explicit physical resource id.
   *
   * @param id literal string to use as the physical id
   * @returns a `PhysicalResourceId` carrying that `id`
   */
  static of(id: string): PhysicalResourceId;
  /**
   * @param responsePath Path to a response data element to be used as the physical id.
   * @param id Literal string to be used as the physical id.
   */
  private constructor();
}
/**
 * An AWS SDK call.
 *
 * Describes one `service.action(parameters)` invocation performed by the
 * singleton provider function for a lifecycle event (see `AwsCustomResourceProps`).
 */
export interface AwsSdkCall {
  /**
   * The service to call
   *
   * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/index.html
   */
  readonly service: string;
  /**
   * The service action to call
   *
   * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/index.html
   */
  readonly action: string;
  /**
   * The parameters for the service action
   *
   * Typed `any`: this declaration does not constrain the shape, so nothing is
   * checked at compile time. A `PhysicalResourceIdReference` may be used as a
   * parameter value (see that class).
   *
   * @default - no parameters
   * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/index.html
   */
  readonly parameters?: any;
  /**
   * The physical resource id of the custom resource for this call.
   * Mandatory for onCreate or onUpdate calls.
   *
   * @default - no physical resource id
   */
  readonly physicalResourceId?: PhysicalResourceId;
  /**
   * The regex pattern to use to catch API errors. The `code` property of the
   * `Error` object will be tested against this pattern. If there is a match an
   * error will not be thrown.
   *
   * NOTE(review): a regex test presumably matches as a substring unless the
   * pattern is anchored, and an over-broad pattern would also hide errors such
   * as access-denied — anchor it to the exact codes you intend to tolerate.
   * When this is set, response data cannot be relied on; see the caveat on
   * `AwsCustomResource.getResponseField`.
   *
   * @default - do not catch errors
   */
  readonly ignoreErrorCodesMatching?: string;
  /**
   * API version to use for the service
   *
   * @see https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/locking-api-versions.html
   * @default - use latest available API version
   */
  readonly apiVersion?: string;
  /**
   * The region to send service requests to.
   * **Note: Cross-region operations are generally considered an anti-pattern.**
   * **Consider first deploying a stack in that region.**
   *
   * @default - the region where this custom resource is deployed
   */
  readonly region?: string;
  /**
   * Restrict the data returned by the custom resource to a specific path in
   * the API response. Use this to limit the data returned by the custom
   * resource if working with API calls that could potentially result in custom
   * response objects exceeding the hard limit of 4096 bytes.
   *
   * Example for ECS / updateService: 'service.deploymentConfiguration.maximumPercent'
   *
   * @default - return all data
   *
   * @deprecated use outputPaths instead
   */
  readonly outputPath?: string;
  /**
   * Restrict the data returned by the custom resource to specific paths in
   * the API response. Use this to limit the data returned by the custom
   * resource if working with API calls that could potentially result in custom
   * response objects exceeding the hard limit of 4096 bytes.
   *
   * Example for ECS / updateService: ['service.deploymentConfiguration.maximumPercent']
   *
   * @default - return all data
   */
  readonly outputPaths?: string[];
  /**
   * Used for running the SDK calls in the underlying lambda with a different role.
   * Can be used primarily for cross-account requests, for example to connect a
   * hosted zone with a shared VPC.
   *
   * Example for Route53 / associateVPCWithHostedZone
   *
   * NOTE(review): the provider's execution role (`AwsCustomResourceProps.role`)
   * presumably needs permission to assume this role and the target role's trust
   * policy must allow it; `AwsCustomResourcePolicy.fromSdkCalls` only documents
   * generating `service:action` statements, so expect to add that yourself — confirm.
   *
   * @default - run without assuming role
   */
  readonly assumedRoleArn?: string;
}
/**
 * Options for the auto-generation of policies based on the configured SDK calls.
 */
export interface SdkCallsPolicyOptions {
  /**
   * The resources that the calls will have access to.
   *
   * It is best to use specific resource ARN's when possible. However, you can also use `AwsCustomResourcePolicy.ANY_RESOURCE`
   * to allow access to all resources. For example, when `onCreate` is used to create a resource which you don't
   * know the physical name of in advance.
   *
   * Note that this will apply to ALL SDK calls: the same resource list is used
   * for every generated statement, so it cannot be narrowed per call. Because
   * the provider is a singleton Lambda whose role accumulates the grants of
   * every `AwsCustomResource` in the stack (see `AwsCustomResourceProps.policy`),
   * a broad value here widens what all of them can reach; use
   * `AwsCustomResourcePolicy.fromStatements` when per-call scoping is needed.
   */
  readonly resources: string[];
}
/**
 * The IAM Policy that will be applied to the different calls.
 *
 * Built either from explicit statements (`fromStatements`) or generated from
 * the configured SDK calls (`fromSdkCalls`); the constructor is private.
 */
export declare class AwsCustomResourcePolicy {
  /** Explicit statements; populated by `fromStatements`. */
  readonly statements: iam.PolicyStatement[];
  /** Resource list applied to every generated statement; populated by `fromSdkCalls`. */
  readonly resources?: string[] | undefined;
  /**
   * Use this constant to configure access to any resource.
   *
   * This grants every generated statement access to all resources, so prefer
   * concrete ARNs whenever the resource is known in advance.
   */
  static readonly ANY_RESOURCE: string[];
  /**
   * Explicit IAM Policy Statements.
   *
   * Use this when the IAM action name differs from the SDK action name, or
   * when different calls need different resource scopes.
   *
   * @param statements the statements to propagate to the SDK calls.
   * @returns a policy carrying exactly these statements
   */
  static fromStatements(statements: iam.PolicyStatement[]): AwsCustomResourcePolicy;
  /**
   * Generate IAM Policy Statements from the configured SDK calls.
   *
   * Each SDK call will be translated to an IAM Policy Statement in the form of: `call.service:call.action` (e.g `s3:PutObject`).
   *
   * This policy generator assumes the IAM policy name has the same name as the API
   * call. This is true in 99% of cases, but there are exceptions (for example,
   * S3's `PutBucketLifecycleConfiguration` requires
   * `s3:PutLifecycleConfiguration` permissions, Lambda's `Invoke` requires
   * `lambda:InvokeFunction` permissions). Use `fromStatements` if you want to
   * do a call that requires different IAM action names.
   *
   * @param options options for the policy generation
   * @returns a policy whose `resources` is `options.resources`
   */
  static fromSdkCalls(options: SdkCallsPolicyOptions): AwsCustomResourcePolicy;
  /**
   * @param statements statements for explicit policy.
   * @param resources resources for auto-generated from SDK calls.
   */
  private constructor();
}
/**
 * Properties for AwsCustomResource.
 *
 * Note that at least onCreate, onUpdate or onDelete must be specified.
 */
export interface AwsCustomResourceProps {
  /**
   * Cloudformation Resource type.
   *
   * @default - Custom::AWS
   */
  readonly resourceType?: string;
  /**
   * The AWS SDK call to make when the resource is created.
   *
   * @default - the call when the resource is updated
   */
  readonly onCreate?: AwsSdkCall;
  /**
   * The AWS SDK call to make when the resource is updated
   *
   * @default - no call
   */
  readonly onUpdate?: AwsSdkCall;
  /**
   * The AWS SDK call to make when the resource is deleted
   *
   * @default - no call
   */
  readonly onDelete?: AwsSdkCall;
  /**
   * The policy that will be added to the execution role of the Lambda
   * function implementing this custom resource provider.
   *
   * The custom resource also implements `iam.IGrantable`, making it possible
   * to use the `grantXxx()` methods.
   *
   * As this custom resource uses a singleton Lambda function, it's important
   * to note that the function's role will eventually accumulate the
   * permissions/grants from all resources. Keep each policy as narrow as the
   * call allows, since every instance in the stack shares the resulting role.
   *
   * @see Policy.fromStatements
   * @see Policy.fromSdkCalls
   */
  readonly policy: AwsCustomResourcePolicy;
  /**
   * The execution role for the singleton Lambda function implementing this custom
   * resource provider. This role will apply to all `AwsCustomResource`
   * instances in the stack. The role must be assumable by the
   * `lambda.amazonaws.com` service principal.
   *
   * NOTE(review): since the function is a singleton, a role passed here by one
   * instance presumably governs the others as well — confirm the ordering rules
   * before mixing instances with and without an explicit role.
   *
   * @default - a new role is created
   */
  readonly role?: iam.IRole;
  /**
   * The timeout for the singleton Lambda function implementing this custom resource.
   *
   * @default Duration.minutes(2)
   */
  readonly timeout?: cdk.Duration;
  /**
   * The number of days log events of the singleton Lambda function implementing
   * this custom resource are kept in CloudWatch Logs.
   *
   * The default keeps logs forever; set a finite retention if the provider's
   * logs could contain API response data you do not want retained indefinitely.
   *
   * @default logs.RetentionDays.INFINITE
   */
  readonly logRetention?: logs.RetentionDays;
  /**
   * Whether to install the latest AWS SDK v2. Allows to use the latest API
   * calls documented at https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/index.html.
   *
   * The installation takes around 60 seconds.
   *
   * NOTE(review): "latest" is by definition unpinned, and the install presumably
   * fetches the package at runtime rather than bundling it — set this to `false`
   * when a reproducible, pinned SDK or no outbound package fetch is required;
   * confirm the fetch source in the provider.
   *
   * @default true
   */
  readonly installLatestAwsSdk?: boolean;
  /**
   * A name for the singleton Lambda function implementing this custom resource.
   * The function name will remain the same after the first AwsCustomResource is created in a stack.
   *
   * @default - AWS CloudFormation generates a unique physical ID and uses that
   * ID for the function's name. For more information, see Name Type.
   */
  readonly functionName?: string;
}
/**
 * Defines a custom resource that is materialized using specific AWS API calls. These calls are created using
 * a singleton Lambda function.
 *
 * Use this to bridge any gap that might exist in the CloudFormation Coverage.
 * You can specify exactly which calls are invoked for the 'CREATE', 'UPDATE' and 'DELETE' life cycle events.
 *
 * Implements `iam.IGrantable`: grants made to this construct land on the
 * singleton function's role and are therefore shared by every instance in the stack.
 */
export declare class AwsCustomResource extends CoreConstruct implements iam.IGrantable {
  /**
   * Private static; its type is elided in this declaration file. The name
   * suggests it enforces the `ignoreErrorCodesMatching` / `getResponseField`
   * exclusivity described below — not verifiable from the declaration alone.
   */
  private static breakIgnoreErrorsCircuit;
  /** Principal that `grantXxx()` methods target: the singleton function's role. */
  readonly grantPrincipal: iam.IPrincipal;
  /** Underlying custom resource; type elided in this declaration file. */
  private readonly customResource;
  /** The props this instance was constructed with; type elided in this declaration file. */
  private readonly props;
  /**
   * @param scope parent construct
   * @param id construct id, unique within `scope`
   * @param props the lifecycle calls and policy; at least one of onCreate,
   *   onUpdate or onDelete must be set (see `AwsCustomResourceProps`)
   */
  constructor(scope: Construct, id: string, props: AwsCustomResourceProps);
  /**
   * Returns response data for the AWS SDK call.
   *
   * Example for S3 / listBucket : 'Buckets.0.Name'
   *
   * Use `Token.asXxx` to encode the returned `Reference` as a specific type or
   * use the convenience `getDataString` for string attributes.
   *
   * Note that you cannot use this method if `ignoreErrorCodesMatching`
   * is configured for any of the SDK calls. This is because in such a case,
   * the response data might not exist, and will cause a CloudFormation deploy time error.
   *
   * @param dataPath the path to the data
   * @returns a deploy-time reference to the response element at `dataPath`
   */
  getResponseFieldReference(dataPath: string): cdk.Reference;
  /**
   * Returns response data for the AWS SDK call as string.
   *
   * Example for S3 / listBucket : 'Buckets.0.Name'
   *
   * Note that you cannot use this method if `ignoreErrorCodesMatching`
   * is configured for any of the SDK calls. This is because in such a case,
   * the response data might not exist, and will cause a CloudFormation deploy time error.
   *
   * NOTE(review): the value is resolved by CloudFormation at deploy time and so
   * presumably becomes visible wherever the stack's resource data is — avoid
   * routing secret material through it; confirm how the provider stores responses.
   *
   * @param dataPath the path to the data
   * @returns the response element at `dataPath`, as a string token
   */
  getResponseField(dataPath: string): string;
  /** Private helper; type elided in this declaration file. */
  private encodeJson;
}
/**
 * AWS SDK service metadata.
 *
 * An open, untyped map: the index signature is `any`, so consumers must
 * narrow values before use. Keys presumably are SDK service identifiers — confirm
 * against the metadata source that fills it.
 */
export declare type AwsSdkMetadata = {
  [key: string]: any;
};