in packages/constructs/L2/custom-constructs/lib/custom.ts [41:249]
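/**
 * Resolves the stack-level handler Lambda, its IAM role/policy and the Custom Resource
 * Provider for `props.resourceType` — creating each on first use and reusing it thereafter —
 * and returns the `CustomResourceProps` the underlying `CustomResource` is built from.
 *
 * Sharing model: every construct id here is derived from `props.resourceType` and looked up on
 * the enclosing Stack, so all MdaaCustomResource instances of one resourceType in a stack share
 * a single handler function, handler role and provider. Two consequences to keep in mind:
 *  - the handler role's inline policy is appended with each instance's
 *    `handlerRolePolicyStatements`, so the role's permissions are the union across instances;
 *  - `code`, `handler`, `runtime`, `handlerLayers`, `handlerTimeout`, `vpc`, `subnet`,
 *    `securityGroup` and `environment` only take effect for the instance that first creates
 *    the handler function — later instances of the same type reuse it as is.
 *
 * Side effect: stores the resolved handler function in the static `handlerFunctionPlaceHolder`
 * (overwritten on every call; presumably read back by the constructor right after `super()` —
 * confirm against the constructor).
 *
 * @param scope Any construct inside the target Stack (`Stack.of(scope)` is used).
 * @param props Custom resource configuration.
 * @returns Props for the `CustomResource`: type `Custom::<resourceType>`, the provider's
 *   service token, and `handlerProps` (PascalCased when `pascalCaseProperties` is set).
 */
private static setProps(scope: Construct, props: MdaaCustomResourceProps): CustomResourceProps {
  const stack = Stack.of(scope);

  const { handlerFunction, handlerPolicy } = this.getOrCreateHandler(stack, props);
  this.handlerFunctionPlaceHolder = handlerFunction;
  // The handler must not be invoked before its permissions exist; re-adding the dependency
  // on reuse is harmless.
  handlerFunction.node.addDependency(handlerPolicy);

  const provider = this.getOrCreateProvider(stack, props, handlerFunction);

  return {
    resourceType: `Custom::${props.resourceType}`,
    serviceToken: provider.serviceToken,
    properties: props.pascalCaseProperties
      ? (MdaaCustomResource.pascalCase(props.handlerProps) as ConfigurationElement)
      : props.handlerProps,
  };
}

/**
 * cdk-nag suppressions for an inline IAM policy under the NIST 800-53 R5, HIPAA and
 * PCI DSS 3.2.1 rule packs, all sharing one `reason`.
 */
private static inlinePolicySuppressions(reason: string): { id: string; reason: string }[] {
  return [
    { id: 'NIST.800.53.R5-IAMNoInlinePolicy', reason },
    { id: 'HIPAA.Security-IAMNoInlinePolicy', reason },
    { id: 'PCI.DSS.321-IAMNoInlinePolicy', reason },
  ];
}

/**
 * Finds or creates the handler Lambda (with its role and inline policy) shared by all custom
 * resources of `props.resourceType` in `stack`.
 *
 * On reuse only the inline policy changes: this instance's `handlerRolePolicyStatements` are
 * appended to it, so permissions accumulate across instances (see `setProps`).
 *
 * @returns The handler function and the policy it depends on.
 */
private static getOrCreateHandler(
  stack: Stack,
  props: MdaaCustomResourceProps,
): { handlerFunction: MdaaLambdaFunction; handlerPolicy: Policy } {
  // 64 is the Lambda function-name length limit the naming helper truncates to.
  const handlerFunctionName = props.naming.resourceName(`${props.resourceType}-handler`, 64);

  const roleId = `custom-${props.resourceType}-handler-role`;
  const existingRole = stack.node.tryFindChild(roleId) as Role | undefined;
  const handlerRole =
    existingRole ??
    new MdaaLambdaRole(stack, roleId, {
      roleName: `${props.resourceType}-handler`,
      naming: props.naming,
      logGroupNames: [handlerFunctionName],
      createParams: false,
      createOutputs: false,
    });

  const policyId = `custom-${props.resourceType}-handler-policy`;
  const existingPolicy = stack.node.tryFindChild(policyId) as Policy | undefined;
  let handlerPolicy: Policy;
  if (existingPolicy) {
    // Reuse: widen the shared policy with this instance's statements. Attachment and
    // suppressions were done by the instance that created it.
    handlerPolicy = existingPolicy;
    handlerPolicy.addStatements(...props.handlerRolePolicyStatements);
  } else {
    handlerPolicy = new Policy(stack, policyId, {
      policyName: `${props.resourceType}-handler`,
      document: new PolicyDocument({ statements: props.handlerRolePolicyStatements }),
    });
    handlerRole.attachInlinePolicy(handlerPolicy);
    MdaaNagSuppressions.addCodeResourceSuppressions(
      handlerPolicy,
      [
        ...this.inlinePolicySuppressions('Function is for custom resource; inline policy use appropriate'),
        // Caller-supplied suppressions for the statements it asked for.
        ...(props.handlerPolicySuppressions ?? []),
      ],
      true,
    );
  }

  const functionId = `custom-${props.resourceType}-handler-function`;
  const existingFunction = stack.node.tryFindChild(functionId) as MdaaLambdaFunction | undefined;
  const handlerFunction =
    existingFunction ??
    new MdaaLambdaFunction(stack, functionId, {
      naming: props.naming,
      runtime: props.runtime,
      code: props.code,
      handler: props.handler,
      role: handlerRole,
      functionName: `${props.resourceType}-handler`,
      layers: props.handlerLayers,
      // One minute unless the caller specifies a timeout.
      timeout: props.handlerTimeout ?? Duration.seconds(60),
      vpc: props.vpc,
      vpcSubnets: props.subnet,
      securityGroups: props.securityGroup ? [props.securityGroup] : undefined,
      environment: props.environment,
    });

  // Reason text kept verbatim (including "deployement") so existing suppression metadata
  // is unchanged.
  const dlqReason = 'Function is for custom resource and error handling will be handled by CloudFormation.';
  const insideVpcReason = 'Function is for custom resource.';
  const concurrencyReason =
    'Function is for custom resource and will only execute during stack deployement. Reserved concurrency not appropriate.';
  MdaaNagSuppressions.addCodeResourceSuppressions(
    handlerFunction,
    [
      { id: 'NIST.800.53.R5-LambdaDLQ', reason: dlqReason },
      { id: 'NIST.800.53.R5-LambdaInsideVPC', reason: insideVpcReason },
      { id: 'NIST.800.53.R5-LambdaConcurrency', reason: concurrencyReason },
      { id: 'HIPAA.Security-LambdaDLQ', reason: dlqReason },
      { id: 'PCI.DSS.321-LambdaDLQ', reason: dlqReason },
      { id: 'HIPAA.Security-LambdaInsideVPC', reason: insideVpcReason },
      { id: 'PCI.DSS.321-LambdaInsideVPC', reason: insideVpcReason },
      { id: 'HIPAA.Security-LambdaConcurrency', reason: concurrencyReason },
      { id: 'PCI.DSS.321-LambdaConcurrency', reason: concurrencyReason },
    ],
    true,
  );

  return { handlerFunction, handlerPolicy };
}

/**
 * Finds or creates the Custom Resource Provider (and its role) shared by all custom resources
 * of `props.resourceType` in `stack`, wired to `handlerFunction` as its onEvent handler.
 *
 * The role's inline policy is generated by the CDK Provider framework, hence the inline-policy
 * suppressions; the provider's own runtime is chosen by the framework (AwsSolutions-L1).
 *
 * @returns The provider whose `serviceToken` the custom resource targets.
 */
private static getOrCreateProvider(
  stack: Stack,
  props: MdaaCustomResourceProps,
  handlerFunction: MdaaLambdaFunction,
): Provider {
  const providerFunctionName = props.naming.resourceName(`${props.resourceType}-provider`, 64);

  const roleId = `custom-${props.resourceType}-provider-role`;
  const existingRole = stack.node.tryFindChild(roleId) as Role | undefined;
  const providerRole =
    existingRole ??
    new MdaaLambdaRole(stack, roleId, {
      description: 'CR Role',
      roleName: `${props.resourceType}-provider`,
      naming: props.naming,
      logGroupNames: [providerFunctionName],
      createParams: false,
      createOutputs: false,
    });
  MdaaNagSuppressions.addCodeResourceSuppressions(
    providerRole,
    this.inlinePolicySuppressions('Role is for Custom Resource Provider. Inline policy automatically added.'),
    true,
  );

  const providerId = `custom-${props.resourceType}-provider`;
  const existingProvider = stack.node.tryFindChild(providerId) as Provider | undefined;
  const provider =
    existingProvider ??
    new Provider(stack, providerId, {
      onEventHandler: handlerFunction,
      role: providerRole,
      providerFunctionName: providerFunctionName,
    });

  const dlqReason = 'Function is for custom resource and error handling will be handled by CloudFormation.';
  // NOTE(review): this reason reads as copied from a QuickSight-specific construct; the provider
  // here is generic over resourceType — confirm and reword the justification.
  const insideVpcReason = 'Function is for custom resource and will interact only with QuickSight APIs.';
  const concurrencyReason =
    'Function is for custom resource and will only execute during stack deployement. Reserved concurrency not appropriate.';
  MdaaNagSuppressions.addCodeResourceSuppressions(
    provider,
    [
      { id: 'AwsSolutions-L1', reason: 'Lambda function Runtime set by CDK Provider Framework' },
      { id: 'NIST.800.53.R5-LambdaDLQ', reason: dlqReason },
      { id: 'NIST.800.53.R5-LambdaInsideVPC', reason: insideVpcReason },
      { id: 'NIST.800.53.R5-LambdaConcurrency', reason: concurrencyReason },
      { id: 'HIPAA.Security-LambdaDLQ', reason: dlqReason },
      { id: 'HIPAA.Security-LambdaInsideVPC', reason: insideVpcReason },
      { id: 'HIPAA.Security-LambdaConcurrency', reason: concurrencyReason },
      { id: 'PCI.DSS.321-LambdaDLQ', reason: dlqReason },
      { id: 'PCI.DSS.321-LambdaInsideVPC', reason: insideVpcReason },
      { id: 'PCI.DSS.321-LambdaConcurrency', reason: concurrencyReason },
    ],
    true,
  );

  return provider;
}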