200 lines
7.7 KiB
TypeScript
200 lines
7.7 KiB
TypeScript
import { Construct } from 'constructs';
|
|
import type { LogOptions } from './waiter-state-machine';
|
|
import '../../../aws-cloudformation';
|
|
import type * as ec2 from '../../../aws-ec2';
|
|
import * as iam from '../../../aws-iam';
|
|
import type * as kms from '../../../aws-kms';
|
|
import * as lambda from '../../../aws-lambda';
|
|
import type * as logs from '../../../aws-logs';
|
|
import { Duration } from '../../../core';
|
|
/**
|
|
* Initialization properties for the `Provider` construct.
|
|
*/
|
|
export interface ProviderProps {
|
|
/**
|
|
* The AWS Lambda function to invoke for all resource lifecycle operations
|
|
* (CREATE/UPDATE/DELETE).
|
|
*
|
|
* This function is responsible to begin the requested resource operation
|
|
* (CREATE/UPDATE/DELETE) and return any additional properties to add to the
|
|
* event, which will later be passed to `isComplete`. The `PhysicalResourceId`
|
|
* property must be included in the response.
|
|
*/
|
|
readonly onEventHandler: lambda.IFunction;
|
|
/**
|
|
* The AWS Lambda function to invoke in order to determine if the operation is
|
|
* complete.
|
|
*
|
|
* This function will be called immediately after `onEvent` and then
|
|
* periodically based on the configured query interval as long as it returns
|
|
* `false`. If the function still returns `false` and the alloted timeout has
|
|
* passed, the operation will fail.
|
|
*
|
|
* @default - provider is synchronous. This means that the `onEvent` handler
|
|
* is expected to finish all lifecycle operations within the initial invocation.
|
|
*/
|
|
readonly isCompleteHandler?: lambda.IFunction;
|
|
/**
|
|
* Time between calls to the `isComplete` handler which determines if the
|
|
* resource has been stabilized.
|
|
*
|
|
* The first `isComplete` will be called immediately after `handler` and then
|
|
* every `queryInterval` seconds, and until `timeout` has been reached or until
|
|
* `isComplete` returns `true`.
|
|
*
|
|
* @default Duration.seconds(5)
|
|
*/
|
|
readonly queryInterval?: Duration;
|
|
/**
|
|
* Total timeout for the entire operation.
|
|
*
|
|
* The maximum timeout is 1 hour (yes, it can exceed the AWS Lambda 15 minutes)
|
|
*
|
|
* @default Duration.minutes(30)
|
|
*/
|
|
readonly totalTimeout?: Duration;
|
|
/**
|
|
* The number of days framework log events are kept in CloudWatch Logs. When
|
|
* updating this property, unsetting it doesn't remove the log retention policy.
|
|
* To remove the retention policy, set the value to `INFINITE`.
|
|
*
|
|
* This is a legacy API and we strongly recommend you migrate to `logGroup` if you can.
|
|
* `logGroup` allows you to create a fully customizable log group and instruct the Lambda function to send logs to it.
|
|
*
|
|
* @default logs.RetentionDays.INFINITE
|
|
*/
|
|
readonly logRetention?: logs.RetentionDays;
|
|
/**
|
|
* The Log Group used for logging of events emitted by the custom resource's lambda function.
|
|
*
|
|
* Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16.
|
|
* If you are deploying to another type of region, please check regional availability first.
|
|
*
|
|
* @default - a default log group created by AWS Lambda
|
|
*/
|
|
readonly logGroup?: logs.ILogGroupRef;
|
|
/**
|
|
* The vpc to provision the lambda functions in.
|
|
*
|
|
* @default - functions are not provisioned inside a vpc.
|
|
*/
|
|
readonly vpc?: ec2.IVpc;
|
|
/**
|
|
* Which subnets from the VPC to place the lambda functions in.
|
|
*
|
|
* Only used if 'vpc' is supplied. Note: internet access for Lambdas
|
|
* requires a NAT gateway, so picking Public subnets is not allowed.
|
|
*
|
|
* @default - the Vpc default strategy if not specified
|
|
*/
|
|
readonly vpcSubnets?: ec2.SubnetSelection;
|
|
/**
|
|
* Security groups to attach to the provider functions.
|
|
*
|
|
* Only used if 'vpc' is supplied
|
|
*
|
|
* @default - If `vpc` is not supplied, no security groups are attached. Otherwise, a dedicated security
|
|
* group is created for each function.
|
|
*/
|
|
readonly securityGroups?: ec2.ISecurityGroup[];
|
|
/**
|
|
* AWS Lambda execution role.
|
|
*
|
|
* The role is shared by provider framework's onEvent, isComplete lambda, and onTimeout Lambda functions.
|
|
* This role will be assumed by the AWS Lambda, so it must be assumable by the 'lambda.amazonaws.com'
|
|
* service principal.
|
|
*
|
|
* @default - A default role will be created.
|
|
* @deprecated - Use frameworkOnEventRole, frameworkCompleteAndTimeoutRole
|
|
*/
|
|
readonly role?: iam.IRole;
|
|
/**
|
|
* Lambda execution role for provider framework's onEvent Lambda function. Note that this role must be assumed
|
|
* by the 'lambda.amazonaws.com' service principal.
|
|
*
|
|
* This property cannot be used with 'role' property
|
|
*
|
|
* @default - A default role will be created.
|
|
*/
|
|
readonly frameworkOnEventRole?: iam.IRole;
|
|
/**
|
|
* Lambda execution role for provider framework's isComplete/onTimeout Lambda function. Note that this role
|
|
* must be assumed by the 'lambda.amazonaws.com' service principal. To prevent circular dependency problem
|
|
* in the provider framework, please ensure you specify a different IAM Role for 'frameworkCompleteAndTimeoutRole'
|
|
* from 'frameworkOnEventRole'.
|
|
*
|
|
* This property cannot be used with 'role' property
|
|
*
|
|
* @default - A default role will be created.
|
|
*/
|
|
readonly frameworkCompleteAndTimeoutRole?: iam.IRole;
|
|
/**
|
|
* Provider Lambda name.
|
|
*
|
|
* The provider lambda function name.
|
|
*
|
|
* @default - CloudFormation default name from unique physical ID
|
|
*/
|
|
readonly providerFunctionName?: string;
|
|
/**
|
|
* AWS KMS key used to encrypt provider lambda's environment variables.
|
|
*
|
|
* @default - AWS Lambda creates and uses an AWS managed customer master key (CMK)
|
|
*/
|
|
readonly providerFunctionEnvEncryption?: kms.IKeyRef;
|
|
/**
|
|
* Defines what execution history events of the waiter state machine are logged and where they are logged.
|
|
*
|
|
* @default - A default log group will be created if logging for the waiter state machine is enabled.
|
|
*/
|
|
readonly waiterStateMachineLogOptions?: LogOptions;
|
|
/**
|
|
* Whether logging for the waiter state machine is disabled.
|
|
*
|
|
* @default - true
|
|
*/
|
|
readonly disableWaiterStateMachineLogging?: boolean;
|
|
/**
|
|
* Log level of the provider framework lambda
|
|
*
|
|
* @default true - Logging is disabled by default
|
|
*/
|
|
readonly frameworkLambdaLoggingLevel?: lambda.ApplicationLogLevel;
|
|
}
|
|
/**
|
|
* Defines an AWS CloudFormation custom resource provider.
|
|
*/
|
|
export declare class Provider extends Construct {
|
|
/**
|
|
* Uniquely identifies this class.
|
|
*/
|
|
static readonly PROPERTY_INJECTION_ID: string;
|
|
/**
|
|
* The user-defined AWS Lambda function which is invoked for all resource
|
|
* lifecycle operations (CREATE/UPDATE/DELETE).
|
|
*/
|
|
readonly onEventHandler: lambda.IFunction;
|
|
/**
|
|
* The user-defined AWS Lambda function which is invoked asynchronously in
|
|
* order to determine if the operation is complete.
|
|
*/
|
|
readonly isCompleteHandler?: lambda.IFunction;
|
|
/**
|
|
* The service token to use in order to define custom resources that are
|
|
* backed by this provider.
|
|
*/
|
|
readonly serviceToken: string;
|
|
private readonly entrypoint;
|
|
private readonly logRetention?;
|
|
private readonly logGroup?;
|
|
private readonly vpc?;
|
|
private readonly vpcSubnets?;
|
|
private readonly securityGroups?;
|
|
private readonly role?;
|
|
private readonly providerFunctionEnvEncryption?;
|
|
private readonly frameworkLambdaLoggingLevel?;
|
|
constructor(scope: Construct, id: string, props: ProviderProps);
|
|
private addPermissions;
|
|
private createFunction;
|
|
}
|