in src/index.ts [111:170]
/**
 * Builds the singleton handler Lambda, grants its role ECR and S3 permissions,
 * and registers the custom resource that hands the source/destination image
 * URIs and credentials to that handler.
 *
 * @param scope - parent construct
 * @param id - construct id
 * @param props - deployment settings; `memoryLimit` falls back to 512 when unset
 * @throws Error if the singleton function ends up without a role
 */
constructor(scope: Construct, id: string, props: ECRDeploymentProps) {
  super(scope, id);

  const memorySize = props.memoryLimit ?? 512;

  // Pull-side and push-side ECR actions granted to the handler role.
  const ecrActions = [
    'ecr:GetAuthorizationToken',
    'ecr:BatchCheckLayerAvailability',
    'ecr:GetDownloadUrlForLayer',
    'ecr:GetRepositoryPolicy',
    'ecr:DescribeRepositories',
    'ecr:ListImages',
    'ecr:DescribeImages',
    'ecr:BatchGetImage',
    'ecr:ListTagsForResource',
    'ecr:DescribeImageScanFindings',
    'ecr:InitiateLayerUpload',
    'ecr:UploadLayerPart',
    'ecr:CompleteLayerUpload',
    'ecr:PutImage',
  ];
  const s3Actions = ['s3:GetObject'];

  // The singleton uuid is rendered from the memory size, so the same handler
  // is reused only by deployments that ask for the same memory setting.
  // NOTE(review): go1.x is a deprecated Lambda runtime. Moving to an OS-only
  // runtime also changes how the handler binary has to be packaged, so it is
  // not a one-line swap here.
  const fn = new lambda.SingletonFunction(this, 'CustomResourceHandler', {
    uuid: this.renderSingletonUuid(memorySize),
    code: getCode(),
    runtime: lambda.Runtime.GO_1_X,
    handler: 'main',
    environment: props.environment,
    lambdaPurpose: 'Custom::CDKECRDeployment',
    timeout: Duration.minutes(15),
    role: props.role,
    memorySize,
    vpc: props.vpc,
    vpcSubnets: props.vpcSubnets,
  });

  const role = fn.role;
  if (!role) {
    throw new Error('lambda.SingletonFunction should have created a Role');
  }

  // NOTE(review): least privilege. Resource '*' combined with the upload and
  // PutImage actions lets the handler push to any repository that the account
  // and repository policies allow, not just the destination of this deployment.
  // ecr:GetAuthorizationToken has no resource-level scoping and needs '*';
  // the remaining actions could live in a second statement limited to the
  // source and destination repository ARNs. When `props.role` is supplied,
  // these grants are presumably attached to that caller-owned role. Confirm.
  role.addToPrincipalPolicy(
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: ecrActions,
      resources: ['*'],
    }),
  );

  // NOTE(review): s3:GetObject on '*' allows reading any object the bucket
  // policies permit; scope it to the bucket/prefix holding the source archive
  // if one can be derived from the props.
  role.addToPrincipalPolicy(
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: s3Actions,
      resources: ['*'],
    }),
  );

  // NOTE(review): resourceType says 'CDKBucketDeployment' while lambdaPurpose
  // says 'CDKECRDeployment'. This looks like a leftover name; it is kept as-is
  // here because changing the type would alter the resource in existing
  // stacks. Anyone auditing stacks should expect ECR copies under this type.
  // NOTE(review): SrcCreds/DestCreds travel as custom resource properties. If
  // `creds` can hold a literal credential rather than a reference to a secret,
  // the value would be stored in the synthesized template. Confirm.
  const properties = {
    SrcImage: props.src.uri,
    SrcCreds: props.src.creds,
    DestImage: props.dest.uri,
    DestCreds: props.dest.creds,
  };
  new CustomResource(this, 'CustomResource', {
    serviceToken: fn.functionArn,
    resourceType: 'Custom::CDKBucketDeployment',
    properties,
  });
}