in lib/ad-connector.ts [25:77]
/**
 * Builds the Lambda-backed custom resource that creates (and on stack deletion removes) the
 * AD Connector, and exposes the resulting directory ID as `AdConnectorId`.
 *
 * @param scope - Parent construct.
 * @param id - Logical ID of this construct.
 * @param props - Secret/KMS ARNs of the identity account and the VPC the connector is placed in.
 */
constructor(scope: core.Construct, id: string, props: AdConnectorProps) {
  super(scope, id);

  // Execution role assumed by the custom-resource handler Lambda.
  const handlerRole = new iam.Role(this, 'AdConnectorLambdaCustomResourceRole', {
    assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
  });

  // Inline grants for the handler, attached in this order.
  const handlerGrants: iam.PolicyStatementProps[] = [
    {
      // Secrets Manager appends a random 6-character suffix to secret ARNs; the '-??????'
      // glob matches it. Assumes the prop is the ARN *without* that suffix — TODO confirm.
      resources: [`${props.IdentityAccountAdConnectorSecretArn}-??????`],
      actions: ['secretsmanager:GetSecretValue'],
    },
    {
      // The KMS key the secret above is encrypted with.
      resources: [props.IdentityAccountAdConnectorSecretKeyArn],
      actions: ['kms:Decrypt'],
    },
    {
      // NOTE(review): the directory ID only exists at runtime, so both actions are granted on
      // '*'; check whether DeleteDirectory can be narrowed (e.g. by tag condition) — confirm
      // against the IAM action reference before tightening.
      resources: ['*'],
      actions: ['ds:ConnectDirectory', 'ds:DeleteDirectory'],
    },
    {
      // NOTE(review): mutating EC2 actions (security groups, ENIs, tags) are granted on '*';
      // consider whether they can be scoped to props.connectorVpc — confirm per-action
      // resource-level support before changing.
      resources: ['*'],
      actions: [
        'ec2:DescribeSubnets',
        'ec2:DescribeVpcs',
        'ec2:CreateSecurityGroup',
        'ec2:CreateNetworkInterface',
        'ec2:DescribeNetworkInterfaces',
        'ec2:AuthorizeSecurityGroupIngress',
        'ec2:AuthorizeSecurityGroupEgress',
        'ec2:CreateTags',
      ],
    },
  ];
  for (const grant of handlerGrants) {
    handlerRole.addToPolicy(new iam.PolicyStatement(grant));
  }

  // CloudWatch Logs permissions for the handler.
  handlerRole.addManagedPolicy(
    iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole'),
  );

  // The connector is placed in the VPC's private subnets.
  const subnetIds = props.connectorVpc.selectSubnets({ subnetType: ec2.SubnetType.PRIVATE })
    .subnetIds;

  // Handler source is read at synth time relative to the current working directory.
  const handlerSource = fs.readFileSync('scripts/ad-connector-resource-handler.py', {
    encoding: 'utf-8',
  });
  const handlerFunction = new lambda.SingletonFunction(this, 'Singleton', {
    role: handlerRole,
    uuid: 'adConnectorLambda',
    code: new lambda.InlineCode(handlerSource),
    handler: 'index.main',
    timeout: core.Duration.seconds(300),
    // NOTE(review): PYTHON_3_7 is an end-of-life Lambda runtime — confirm the handler on a
    // supported version before the next deploy.
    runtime: lambda.Runtime.PYTHON_3_7,
  });

  // Property names are the contract with the Python handler; keep them as-is.
  const connector = new cfn.CustomResource(this, 'adConnector', {
    provider: cfn.CustomResourceProvider.lambda(handlerFunction),
    properties: {
      IdentityAccountAdConnectorSecretArn: props.IdentityAccountAdConnectorSecretArn,
      Description: 'AD Connector to Identity',
      Size: 'Small',
      VpcId: props.connectorVpc.vpcId,
      SubnetIds: subnetIds,
    },
  });

  // Physical resource ID returned by the handler — the directory ID.
  this.AdConnectorId = connector.ref;
}