in src/main/java/com/awslabs/aws/greengrass/provisioner/implementations/helpers/BasicGreengrassHelper.java [137:210]
/**
 * Assembles the Greengrass {@code Function} definition for one Lambda function from its
 * configuration.
 *
 * <p>Resource access policies are added in this order: local devices, local volumes, S3 and
 * SageMaker resources (these four only when the function runs in the Greengrass container), then
 * Secrets Manager resources, which are attached for every function regardless of isolation mode.
 *
 * <p>Review note: the run-as UID/GID, the sysfs flag, the environment variables and the resource
 * lists are copied from {@code functionConf} unchanged. This method does no validation of its
 * own, so any restriction on those values has to be enforced where the configuration is loaded.
 *
 * @param functionArn ARN recorded on the function definition
 * @param functionConf configuration to translate into the SDK model
 * @return the function model, with its ID taken from {@code ioHelper.getUuid()}
 */
public Function buildFunctionModel(String functionArn, FunctionConf functionConf) {
    boolean inContainer = functionConf.isGreengrassContainer();

    // Local devices and volumes carry their own read-only / read-write setting
    List<LocalReadOnlyOrReadWriteResource> deviceAndVolumeResources = new ArrayList<>();
    deviceAndVolumeResources.addAll(functionConf.getLocalDeviceResources());
    deviceAndVolumeResources.addAll(functionConf.getLocalVolumeResources());

    // S3 and SageMaker resources are always granted read-write
    List<LocalResource> s3AndSageMakerResources = new ArrayList<>();
    s3AndSageMakerResources.addAll(functionConf.getLocalS3Resources());
    s3AndSageMakerResources.addAll(functionConf.getLocalSageMakerResources());

    List<ResourceAccessPolicy> policies = new ArrayList<>();

    // Device, volume, S3 and SageMaker resources are only attached to containerized functions
    if (inContainer) {
        for (LocalReadOnlyOrReadWriteResource resource : deviceAndVolumeResources) {
            policies.add(getResourceAccessPolicy(resource));
        }

        for (LocalResource resource : s3AndSageMakerResources) {
            policies.add(getReadWriteResourceAccessPolicy(resource));
        }
    }

    // Secrets Manager resources are always read-only.
    // NOTE: they are attached to every function, including ones that run outside the container,
    // so the isolation mode does not limit which functions are granted access to a secret.
    List<ResourceAccessPolicy> secretPolicies = functionConf.getLocalSecretsManagerResources().stream()
            .map(this::getSecretManagerResourceAccessPolicy)
            .collect(Collectors.toList());
    policies.addAll(secretPolicies);

    FunctionConfigurationEnvironment.Builder environment = FunctionConfigurationEnvironment.builder()
            .variables(functionConf.getEnvironmentVariables());

    FunctionConfiguration.Builder configuration = FunctionConfiguration.builder()
            .encodingType(functionConf.getEncodingType())
            .pinned(functionConf.isPinned())
            .timeout(functionConf.getTimeoutInSeconds());

    FunctionExecutionConfig.Builder execution = FunctionExecutionConfig.builder()
            .isolationMode(inContainer
                    ? FunctionIsolationMode.GREENGRASS_CONTAINER
                    : FunctionIsolationMode.NO_CONTAINER);

    // The sysfs flag and the memory limit are only set for containerized functions
    if (inContainer) {
        environment.accessSysfs(functionConf.isAccessSysFs());
        configuration = configuration.memorySize(functionConf.getMemorySizeInKb());
    }

    // Only send a run-as block when at least one of UID / GID was configured.
    // NOTE(review): the values are forwarded as given; nothing here rejects a UID or GID of 0,
    // so confirm that running as root is checked wherever functionConf is built.
    boolean hasRunAsIdentity = functionConf.getUid().isPresent() || functionConf.getGid().isPresent();

    if (hasRunAsIdentity) {
        FunctionRunAsConfig.Builder runAs = FunctionRunAsConfig.builder();
        functionConf.getUid().ifPresent(runAs::uid);
        functionConf.getGid().ifPresent(runAs::gid);
        execution.runAs(runAs.build());
    }

    environment.resourceAccessPolicies(policies);
    environment = environment.execution(execution.build());
    configuration = configuration.environment(environment.build());

    return Function.builder()
            .functionArn(functionArn)
            .id(ioHelper.getUuid())
            .functionConfiguration(configuration.build())
            .build();
}