in source/constructs/lib/common-resources/custom-resources/custom-resource-construct.ts [51:114]
/**
 * Builds the custom-resource role, its Lambda function, and the UUID custom resource.
 *
 * @param scope - Parent construct.
 * @param id - Construct id within `scope`.
 * @param props - Source bucket name and key prefix, solution metadata, conditions,
 *   and the Secrets Manager policy that is attached to the role.
 */
constructor(scope: Construct, id: string, props: CustomResourcesConstructProps) {
  super(scope, id);

  // Imported by name only: this construct does not create or configure the source bucket.
  this.sourceCodeBucket = Bucket.fromBucketName(this, 'ImageHandlerLambdaSource', props.sourceCodeBucketName);
  this.sourceCodeKeyPrefix = props.sourceCodeKeyPrefix;
  this.solutionVersion = props.solutionVersion;
  this.conditions = props.conditions;

  const stack = Stack.of(this);

  // Log writes are limited to log groups under /aws/lambda/ in this stack's account and region.
  const lambdaLogsStatement = new PolicyStatement({
    effect: Effect.ALLOW,
    actions: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
    resources: [stack.formatArn({ service: 'logs', resource: 'log-group', resourceName: '/aws/lambda/*', arnFormat: ArnFormat.COLON_RESOURCE_NAME })]
  });

  // No explicit effect is given; PolicyStatement defaults to Allow.
  // NOTE(review): with region and account empty and resource '*', this ARN matches every
  // bucket and object in the partition, and the action list includes bucket ACL, bucket
  // policy and encryption-configuration writes. That is broader than least privilege;
  // confirm which buckets the handler actually touches and narrow the resource list
  // (for example by bucket-name prefix) if the set is known at deploy time.
  const s3Statement = new PolicyStatement({
    actions: ['s3:putBucketAcl', 's3:putEncryptionConfiguration', 's3:putBucketPolicy', 's3:CreateBucket', 's3:GetObject', 's3:PutObject', 's3:ListBucket'],
    resources: [stack.formatArn({ partition: Aws.PARTITION, service: 's3', region: '', account: '', resource: '*', arnFormat: ArnFormat.COLON_RESOURCE_NAME })]
  });

  // The only statement here that uses the literal '*' resource.
  const describeRegionsStatement = new PolicyStatement({
    effect: Effect.ALLOW,
    actions: ['ec2:DescribeRegions'],
    resources: ['*']
  });

  // Execution role that only the Lambda service may assume.
  this.customResourceRole = new Role(this, 'CustomResourceRole', {
    assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
    path: '/',
    inlinePolicies: {
      CloudWatchLogsPolicy: new PolicyDocument({ statements: [lambdaLogsStatement, s3Statement] }),
      EC2Policy: new PolicyDocument({ statements: [describeRegionsStatement] })
    }
  });

  // NOTE(review): the recorded reason justifies the wildcard for DescribeRegions only;
  // it says nothing about the partition-wide S3 statement on the same role.
  addCfnSuppressRules(this.customResourceRole, [
    {
      id: 'W11',
      reason: "Allow '*' because it is required for making DescribeRegions API call as it doesn't support resource-level permissions and require to choose all resources."
    }
  ]);

  // Adds whatever the caller-supplied policy grants; its statements are defined outside this constructor.
  props.secretsManagerPolicy.attachToRole(this.customResourceRole);

  const handlerCodeKey = [props.sourceCodeKeyPrefix, 'custom-resource.zip'].join('/');

  // NOTE(review): Node.js 14 is end-of-life upstream; confirm the Lambda runtime is still
  // supported for create/update and plan a runtime upgrade together with the handler code.
  this.customResourceLambda = new LambdaFunction(this, 'CustomResourceFunction', {
    description: `${props.solutionDisplayName} (${props.solutionVersion}): Custom resource`,
    runtime: Runtime.NODEJS_14_X,
    handler: 'custom-resource/index.handler',
    timeout: Duration.minutes(1),
    memorySize: 128,
    code: Code.fromBucket(this.sourceCodeBucket, handlerCodeKey),
    role: this.customResourceRole,
    environment: {
      SOLUTION_ID: props.solutionId,
      RETRY_SECONDS: '5',
      SOLUTION_VERSION: props.solutionVersion
    }
  });

  // Invoke the function with the 'createUuid' action and expose the returned UUID attribute.
  const uuidResource = this.createCustomResource('CustomResourceUuid', this.customResourceLambda, { Region: Aws.REGION, CustomAction: 'createUuid' });
  this.uuid = uuidResource.getAttString('UUID');
}