@cdklabs/cdk-enterprise-iac
v0.0.513
Published
<!-- Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: Apache-2.0 -->
Downloads
3,194
Readme
CDK Enterprise IaC
Utilities for using CDK within enterprise constraints.
Install
Typescript
npm install @cdklabs/cdk-enterprise-iac
Python
pip install cdklabs.cdk-enterprise-iac
Who this project is for
Within large enterprises, builders can come up against enterprise imposed constraints when deploying on AWS.
This could be simple things such as "All IAM roles must have a specific Permissions Boundary attached".
This could also be more restrictive such as strict separation of duties, only allowing certain teams the ability to deploy specific AWS resources (e.g. Networking team can deploy VPCs, Subnets, and route tables. Security team can deploy IAM resources. Developers can deploy Compute. DBAs can deploy Databases, etc.)
Enterprises with very restrictive environments like these would benefit from taking a closer look at their policies to see how they can allow builders to safely deploy resources with less friction. However in many enterprises this is easier said than done, and builders are still expected to deliver.
This project is meant to reduce friction for builders working within these enterprise constraints while the enterprise determines what policies make the most sense for their organization, and is in no way prescriptive.
Usage
There are many tools available, all detailed in API.md
.
A few examples of these tools below:
Adding permissions boundaries to all generated IAM roles
Example for AddPermissionBoundary
in Typescript project.
import * as cdk from 'aws-cdk-lib';
import { MyStack } from '../lib/my-project-stack';
import { Aspects } from 'aws-cdk-lib';
import { AddPermissionBoundary } from '@cdklabs/cdk-enterprise-iac';
const app = new cdk.App();
new MyStack(app, 'MyStack');
Aspects.of(app).add(
new AddPermissionBoundary({
permissionsBoundaryPolicyName: 'MyPermissionBoundaryName',
instanceProfilePrefix: 'MY_PREFIX_', // optional, Defaults to ''
policyPrefix: 'MY_POLICY_PREFIX_', // optional, Defaults to ''
rolePrefix: 'MY_ROLE_PREFIX_', // optional, Defaults to ''
})
);
Example for AddPermissionBoundary
in Python project.
import aws_cdk as cdk
from cdklabs.cdk_enterprise_iac import AddPermissionBoundary
from test_py.test_py_stack import TestPyStack
app = cdk.App()
TestPyStack(app, "TestPyStack")
cdk.Aspects.of(app).add(AddPermissionBoundary(
permissions_boundary_policy_name="MyPermissionBoundaryName",
instance_profile_prefix="MY_PREFIX_", # optional, Defaults to ""
policy_prefix="MY_POLICY_PREFIX_", # optional, Defaults to ""
role_prefix="MY_ROLE_PREFIX_" # optional, Defaults to ""
))
app.synth()
Resource extraction
:warning: Resource extraction is in an experimental phase. Test and validate before using in production. Please open any issues found here.
In many enterprises, there are separate teams with different IAM permissions than developers deploying CDK applications.
For example there might be a networking team with permissions to deploy AWS::EC2::SecurityGroup
and AWS::EC2::EIP
, or a security team with permissions to deploy AWS::IAM::Role
and AWS::IAM::Policy
, but the developers deploying the CDK don't have those permissions.
When a developer doesn't have permissions to deploy necessary resources in their CDK application, writing good code becomes difficult to manage when a cdk deploy will quickly error due to not being able to deploy something like an AWS::IAM::Role
which is foundational to any project deployed into AWS.
An enterprise should allow builders to deploy these resources via CDK for many reasons, and can use Permissions Boundaries to prevent privilege escalation. For enterprises that haven't yet utilized Permissions Boundaries, the ResourceExtractor
can make it easier for builders to write good CDK while complying with enterprise policies.
Using the ResourceExtractor
Aspect, developers can write their CDK code as though they had sufficient IAM permissions, but extract those resources into a separate stack for an external team to deploy on their behalf.
Take the following example stack:
import { App, Aspects, RemovalPolicy, Stack } from 'aws-cdk-lib';
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
import { Bucket } from 'aws-cdk-lib/aws-s3';
const app = new App();
const appStack = new Stack(app, 'MyAppStack');
const func = new Function(appStack, 'TestLambda', {
code: Code.fromAsset(path.join(__dirname, 'lambda-handler')),
handler: 'index.handler',
runtime: Runtime.PYTHON_3_11,
});
const bucket = new Bucket(appStack, 'TestBucket', {
autoDeleteObjects: true,
removalPolicy: RemovalPolicy.DESTROY,
});
bucket.grantReadWrite(func);
app.synth()
The synthesized Cloudformation would include all AWS resources required, including resources a developer might not have permissions to deploy
The above example would include the following snippet in the synthesized Cloudformation
TestLambdaServiceRoleC28C2D9C:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: 'sts:AssumeRole'
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: 2012-10-17
# excluding remaining properties
TestLambda2F70C45E:
Type: 'AWS::Lambda::Function'
Properties:
Role: !GetAtt
- TestLambdaServiceRoleC28C2D9C
- Arn
# excluding remaining properties
While including bucket.grantReadWrite(func)
in the CDK application ensures an IAM role with least privilege IAM policies for the application, the creation of IAM resources such as Roles and Policies may be restricted to a security team, resulting in the synthesized Cloudformation template not being deployable by a developer.
Using the ResourceExtractor
, we can pull out an arbitrary list of Cloudformation resources that a developer doesn't have permissions to provision, and create a separate stack that can be sent to a security team.
import { App, Aspects, RemovalPolicy, Stack } from 'aws-cdk-lib';
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
import { Bucket } from 'aws-cdk-lib/aws-s3';
// Import ResourceExtractor
import { ResourceExtractor } from '@cdklabs/cdk-enterprise-iac';
const app = new App();
const appStack = new Stack(app, 'MyAppStack');
// Set up a destination stack to extract resources to
const extractedStack = new Stack(app, 'ExtractedStack');
const func = new Function(appStack, 'TestLambda', {
code: Code.fromAsset(path.join(__dirname, 'lambda-handler')),
handler: 'index.handler',
runtime: Runtime.PYTHON_3_11,
});
const bucket = new Bucket(appStack, 'TestBucket', {
autoDeleteObjects: true,
removalPolicy: RemovalPolicy.DESTROY,
});
bucket.grantReadWrite(func);
// Capture the output of app.synth()
const synthedApp = app.synth();
// Apply the ResourceExtractor Aspect
Aspects.of(app).add(
new ResourceExtractor({
// synthesized stacks to examine
stackArtifacts: synthedApp.stacks,
// Array of Cloudformation resources to extract
resourceTypesToExtract: [
'AWS::IAM::Role',
'AWS::IAM::Policy',
'AWS::IAM::ManagedPolicy',
'AWS::IAM::InstanceProfile',
],
// Destination stack for extracted resources
extractDestinationStack: extractedStack,
})
);
// Resynthing since ResourceExtractor has modified the app
app.synth({ force: true });
In the example above, all resources are created in the appStack
, and an empty extractedStack
is also created.
We apply the ResourceExtractor
Aspect, specifying the Cloudformation resource types the developer is unable to deploy due to insufficient IAM permissions.
Now when we list stacks in the CDK project, we can see an added stack
$ cdk ls
MyAppStack
ExtractedStack
Taking a look at these synthesized stacks, in the ExtractedStack
we'll find:
Resources:
TestLambdaServiceRoleC28C2D9C:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: 'sts:AssumeRole'
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: 2012-10-17
# excluding remaining properties
Outputs:
ExportAppStackTestLambdaServiceRoleC28C2D9C:
Value:
'Fn::GetAtt':
- TestLambdaServiceRoleC28C2D9C
- Arn
Export:
Name: 'AppStack:TestLambdaServiceRoleC28C2D9C' # Exported name
And inside the synthesized MyAppStack
template:
Resources:
TestLambda2F70C45E:
Type: 'AWS::Lambda::Function'
Properties:
Role: !ImportValue 'AppStack:TestLambdaServiceRoleC28C2D9C' # Using ImportValue instrinsic function to use pre-created IAM role
# excluding remaining properties
In this scenario, a developer is able to provide an external security team with sufficient IAM privileges to deploy the ExtractedStack
.
Once deployed, a developer can run cdk deploy MyAppStack
without errors due to insufficient IAM privileges
Value Sharing methods
When resources are extracted from a stack, there must be a method to reference the resources that have been extracted.
There are three methods (see ResourceExtractorShareMethod
enum)
CFN_OUTPUT
SSM_PARAMETER
API_LOOKUP
CFN_OUTPUT
The default sharing method is CFN_OUTPUT
, which uses Cloudformation Export/Import to Export values in the extracted stack (see Outputs), and use the Fn::ImportValue intrinsic function to reference those values.
This works fine, but some teams may prefer a looser coupling between the extracted stack deployed by an external team and the rest of the CDK infrastructure.
SSM_PARAMETER
In this method, the extracted stack generates Parameters in AWS Systems Manager Parameter Store, and modifies the CDK application to look up the generated parameter using aws_ssm.StringParameter.valueFromLookup()
at synthesis time.
Example on using this method:
import { ResourceExtractor, ResourceExtractorShareMethod } from '@cdklabs/cdk-enterprise-iac';
Aspects.of(app).add(
new ResourceExtractor({
stackArtifacts: synthedApp.stacks,
resourceTypesToExtract: [
'AWS::IAM::Role',
'AWS::IAM::Policy',
'AWS::IAM::ManagedPolicy',
'AWS::IAM::InstanceProfile',
],
extractDestinationStack: extractedStack,
valueShareMethod: ResourceExtractorShareMethod.SSM_PARAMETER, // Specify SSM_PARAMETER Method
});
);
API_LOOKUP
The API_LOOKUP
sharing method is a work in progress, and not yet supported
Resource Partials
Some resources that get extracted might reference resources that aren't yet created.
In our example CDK application we include the line
bucket.grantReadWrite(func);
This creates an AWS::IAM::Policy
that includes the necessary Actions scoped down to the S3 bucket.
When the AWS::IAM::Policy
is extracted, it's unable to use Ref
or Fn::GetAtt
to reference the S3 bucket since the S3 bucket wasn't extracted.
In this case we substitute the reference with a "partial ARN" that makes a best effort to scope the resources in the IAM policy statement to the ARN of the yet-to-be created S3 bucket.
There are multiple resource types supported out of the box (found in createDefaultTransforms
). In the event you have a resource not yet supported, you'll receive a MissingTransformError
. In this case you can either open an issue with the resource in question, or you can include the additionalTransforms
property.
Consider the following:
const vpc = new Vpc(stack, 'TestVpc');
const db = new DatabaseInstance(stack, 'TestDb', {
vpc,
engine: DatabaseInstanceEngine.POSTGRES,
})
const func = new Function(stack, 'TestLambda', {
code: Code.fromAsset(path.join(__dirname, 'lambda-handler')),
handler: 'index.handler',
runtime: Runtime.PYTHON_3_11,
});
db.secret?.grantRead(func)
const synthedApp = app.synth();
Aspects.of(app).add(
new ResourceExtractor({
extractDestinationStack: extractedStack,
stackArtifacts: synthedApp.stacks,
valueShareMethod: ResourceExtractorShareMethod.CFN_OUTPUT,
resourceTypesToExtract: ['AWS::IAM::Role', 'AWS::IAM::Policy'],
additionalTransforms: {
'AWS::SecretsManager::SecretTargetAttachment': `arn:${Aws.PARTITION}:secretsmanager:${Aws.REGION}:${Aws.ACCOUNT_ID}:secret:some-expected-value*`,
},
});
);
app.synth({ force: true });
In this case, there is a AWS::SecretsManager::SecretTargetAttachment
generated to complete the final link between a Secrets Manager secret and the associated database by adding the database connection information to the secret JSON, which returns the ARN of the generated secret.
In the context of extracting the IAM policy, we want to tell the ResourceExtractor
how to handle the resource section of the IAM policy statement so that it is scoped down sufficiently.
In this case rather than using a Ref: LogicalIdForTheSecretTargetAttachment
we construct the ARN we want to use.
Details in API.md
Generated API.md
Generated API.md below:
CDK Enterprise IaC
Utilities for using CDK within enterprise constraints.
Install
Typescript
npm install @cdklabs/cdk-enterprise-iac
Python
pip install cdklabs.cdk-enterprise-iac
Who this project is for
Within large enterprises, builders can come up against enterprise imposed constraints when deploying on AWS.
This could be simple things such as "All IAM roles must have a specific Permissions Boundary attached".
This could also be more restrictive such as strict separation of duties, only allowing certain teams the ability to deploy specific AWS resources (e.g. Networking team can deploy VPCs, Subnets, and route tables. Security team can deploy IAM resources. Developers can deploy Compute. DBAs can deploy Databases, etc.)
Enterprises with very restrictive environments like these would benefit from taking a closer look at their policies to see how they can allow builders to safely deploy resources with less friction. However in many enterprises this is easier said than done, and builders are still expected to deliver.
This project is meant to reduce friction for builders working within these enterprise constraints while the enterprise determines what policies make the most sense for their organization, and is in no way prescriptive.
Usage
There are many tools available, all detailed in API.md
.
A few examples of these tools below:
Adding permissions boundaries to all generated IAM roles
Example for AddPermissionBoundary
in Typescript project.
import * as cdk from 'aws-cdk-lib';
import { MyStack } from '../lib/my-project-stack';
import { Aspects } from 'aws-cdk-lib';
import { AddPermissionBoundary } from '@cdklabs/cdk-enterprise-iac';
const app = new cdk.App();
new MyStack(app, 'MyStack');
Aspects.of(app).add(
new AddPermissionBoundary({
permissionsBoundaryPolicyName: 'MyPermissionBoundaryName',
instanceProfilePrefix: 'MY_PREFIX_', // optional, Defaults to ''
policyPrefix: 'MY_POLICY_PREFIX_', // optional, Defaults to ''
rolePrefix: 'MY_ROLE_PREFIX_', // optional, Defaults to ''
})
);
Example for AddPermissionBoundary
in Python project.
import aws_cdk as cdk
from cdklabs.cdk_enterprise_iac import AddPermissionBoundary
from test_py.test_py_stack import TestPyStack
app = cdk.App()
TestPyStack(app, "TestPyStack")
cdk.Aspects.of(app).add(AddPermissionBoundary(
permissions_boundary_policy_name="MyPermissionBoundaryName",
instance_profile_prefix="MY_PREFIX_", # optional, Defaults to ""
policy_prefix="MY_POLICY_PREFIX_", # optional, Defaults to ""
role_prefix="MY_ROLE_PREFIX_" # optional, Defaults to ""
))
app.synth()
Resource extraction
:warning: Resource extraction is in an experimental phase. Test and validate before using in production. Please open any issues found here.
In many enterprises, there are separate teams with different IAM permissions than developers deploying CDK applications.
For example there might be a networking team with permissions to deploy AWS::EC2::SecurityGroup
and AWS::EC2::EIP
, or a security team with permissions to deploy AWS::IAM::Role
and AWS::IAM::Policy
, but the developers deploying the CDK don't have those permissions.
When a developer doesn't have permissions to deploy necessary resources in their CDK application, writing good code becomes difficult to manage when a cdk deploy will quickly error due to not being able to deploy something like an AWS::IAM::Role
which is foundational to any project deployed into AWS.
An enterprise should allow builders to deploy these resources via CDK for many reasons, and can use Permissions Boundaries to prevent privilege escalation. For enterprises that haven't yet utilized Permissions Boundaries, the ResourceExtractor
can make it easier for builders to write good CDK while complying with enterprise policies.
Using the ResourceExtractor
Aspect, developers can write their CDK code as though they had sufficient IAM permissions, but extract those resources into a separate stack for an external team to deploy on their behalf.
Take the following example stack:
import { App, Aspects, RemovalPolicy, Stack } from 'aws-cdk-lib';
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
import { Bucket } from 'aws-cdk-lib/aws-s3';
const app = new App();
const appStack = new Stack(app, 'MyAppStack');
const func = new Function(appStack, 'TestLambda', {
code: Code.fromAsset(path.join(__dirname, 'lambda-handler')),
handler: 'index.handler',
runtime: Runtime.PYTHON_3_11,
});
const bucket = new Bucket(appStack, 'TestBucket', {
autoDeleteObjects: true,
removalPolicy: RemovalPolicy.DESTROY,
});
bucket.grantReadWrite(func);
app.synth()
The synthesized Cloudformation would include all AWS resources required, including resources a developer might not have permissions to deploy
The above example would include the following snippet in the synthesized Cloudformation
TestLambdaServiceRoleC28C2D9C:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: 'sts:AssumeRole'
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: 2012-10-17
# excluding remaining properties
TestLambda2F70C45E:
Type: 'AWS::Lambda::Function'
Properties:
Role: !GetAtt
- TestLambdaServiceRoleC28C2D9C
- Arn
# excluding remaining properties
While including bucket.grantReadWrite(func)
in the CDK application ensures an IAM role with least privilege IAM policies for the application, the creation of IAM resources such as Roles and Policies may be restricted to a security team, resulting in the synthesized Cloudformation template not being deployable by a developer.
Using the ResourceExtractor
, we can pull out an arbitrary list of Cloudformation resources that a developer doesn't have permissions to provision, and create a separate stack that can be sent to a security team.
import { App, Aspects, RemovalPolicy, Stack } from 'aws-cdk-lib';
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
import { Bucket } from 'aws-cdk-lib/aws-s3';
// Import ResourceExtractor
import { ResourceExtractor } from '@cdklabs/cdk-enterprise-iac';
const app = new App();
const appStack = new Stack(app, 'MyAppStack');
// Set up a destination stack to extract resources to
const extractedStack = new Stack(app, 'ExtractedStack');
const func = new Function(appStack, 'TestLambda', {
code: Code.fromAsset(path.join(__dirname, 'lambda-handler')),
handler: 'index.handler',
runtime: Runtime.PYTHON_3_11,
});
const bucket = new Bucket(appStack, 'TestBucket', {
autoDeleteObjects: true,
removalPolicy: RemovalPolicy.DESTROY,
});
bucket.grantReadWrite(func);
// Capture the output of app.synth()
const synthedApp = app.synth();
// Apply the ResourceExtractor Aspect
Aspects.of(app).add(
new ResourceExtractor({
// synthesized stacks to examine
stackArtifacts: synthedApp.stacks,
// Array of Cloudformation resources to extract
resourceTypesToExtract: [
'AWS::IAM::Role',
'AWS::IAM::Policy',
'AWS::IAM::ManagedPolicy',
'AWS::IAM::InstanceProfile',
],
// Destination stack for extracted resources
extractDestinationStack: extractedStack,
})
);
// Resynthing since ResourceExtractor has modified the app
app.synth({ force: true });
In the example above, all resources are created in the appStack
, and an empty extractedStack
is also created.
We apply the ResourceExtractor
Aspect, specifying the Cloudformation resource types the developer is unable to deploy due to insufficient IAM permissions.
Now when we list stacks in the CDK project, we can see an added stack
$ cdk ls
MyAppStack
ExtractedStack
Taking a look at these synthesized stacks, in the ExtractedStack
we'll find:
Resources:
TestLambdaServiceRoleC28C2D9C:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: 'sts:AssumeRole'
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: 2012-10-17
# excluding remaining properties
Outputs:
ExportAppStackTestLambdaServiceRoleC28C2D9C:
Value:
'Fn::GetAtt':
- TestLambdaServiceRoleC28C2D9C
- Arn
Export:
Name: 'AppStack:TestLambdaServiceRoleC28C2D9C' # Exported name
And inside the synthesized MyAppStack
template:
Resources:
TestLambda2F70C45E:
Type: 'AWS::Lambda::Function'
Properties:
Role: !ImportValue 'AppStack:TestLambdaServiceRoleC28C2D9C' # Using ImportValue instrinsic function to use pre-created IAM role
# excluding remaining properties
In this scenario, a developer is able to provide an external security team with sufficient IAM privileges to deploy the ExtractedStack
.
Once deployed, a developer can run cdk deploy MyAppStack
without errors due to insufficient IAM privileges
Value Sharing methods
When resources are extracted from a stack, there must be a method to reference the resources that have been extracted.
There are three methods (see ResourceExtractorShareMethod
enum)
CFN_OUTPUT
SSM_PARAMETER
API_LOOKUP
CFN_OUTPUT
The default sharing method is CFN_OUTPUT
, which uses Cloudformation Export/Import to Export values in the extracted stack (see Outputs), and use the Fn::ImportValue intrinsic function to reference those values.
This works fine, but some teams may prefer a looser coupling between the extracted stack deployed by an external team and the rest of the CDK infrastructure.
SSM_PARAMETER
In this method, the extracted stack generates Parameters in AWS Systems Manager Parameter Store, and modifies the CDK application to look up the generated parameter using aws_ssm.StringParameter.valueFromLookup()
at synthesis time.
Example on using this method:
import { ResourceExtractor, ResourceExtractorShareMethod } from '@cdklabs/cdk-enterprise-iac';
Aspects.of(app).add(
new ResourceExtractor({
stackArtifacts: synthedApp.stacks,
resourceTypesToExtract: [
'AWS::IAM::Role',
'AWS::IAM::Policy',
'AWS::IAM::ManagedPolicy',
'AWS::IAM::InstanceProfile',
],
extractDestinationStack: extractedStack,
valueShareMethod: ResourceExtractorShareMethod.SSM_PARAMETER, // Specify SSM_PARAMETER Method
});
);
API_LOOKUP
The API_LOOKUP
sharing method is a work in progress, and not yet supported
Resource Partials
Some resources that get extracted might reference resources that aren't yet created.
In our example CDK application we include the line
bucket.grantReadWrite(func);
This creates an AWS::IAM::Policy
that includes the necessary Actions scoped down to the S3 bucket.
When the AWS::IAM::Policy
is extracted, it's unable to use Ref
or Fn::GetAtt
to reference the S3 bucket since the S3 bucket wasn't extracted.
In this case we substitute the reference with a "partial ARN" that makes a best effort to scope the resources in the IAM policy statement to the ARN of the yet-to-be created S3 bucket.
There are multiple resource types supported out of the box (found in createDefaultTransforms
). In the event you have a resource not yet supported, you'll receive a MissingTransformError
. In this case you can either open an issue with the resource in question, or you can include the additionalTransforms
property.
Consider the following:
const vpc = new Vpc(stack, 'TestVpc');
const db = new DatabaseInstance(stack, 'TestDb', {
vpc,
engine: DatabaseInstanceEngine.POSTGRES,
})
const func = new Function(stack, 'TestLambda', {
code: Code.fromAsset(path.join(__dirname, 'lambda-handler')),
handler: 'index.handler',
runtime: Runtime.PYTHON_3_11,
});
db.secret?.grantRead(func)
const synthedApp = app.synth();
Aspects.of(app).add(
new ResourceExtractor({
extractDestinationStack: extractedStack,
stackArtifacts: synthedApp.stacks,
valueShareMethod: ResourceExtractorShareMethod.CFN_OUTPUT,
resourceTypesToExtract: ['AWS::IAM::Role', 'AWS::IAM::Policy'],
additionalTransforms: {
'AWS::SecretsManager::SecretTargetAttachment': `arn:${Aws.PARTITION}:secretsmanager:${Aws.REGION}:${Aws.ACCOUNT_ID}:secret:some-expected-value*`,
},
});
);
app.synth({ force: true });
In this case, there is a AWS::SecretsManager::SecretTargetAttachment
generated to complete the final link between a Secrets Manager secret and the associated database by adding the database connection information to the secret JSON, which returns the ARN of the generated secret.
In the context of extracting the IAM policy, we want to tell the ResourceExtractor
how to handle the resource section of the IAM policy statement so that it is scoped down sufficiently.
In this case rather than using a Ref: LogicalIdForTheSecretTargetAttachment
we construct the ARN we want to use.
Details in API.md
Generated API.md
Generated API.md below:
API Reference
Constructs
EcsIsoServiceAutoscaler
Creates a EcsIsoServiceAutoscaler construct.
This construct allows you to scale an ECS service in an ISO region where classic ECS Autoscaling may not be available.
Initializers
import { EcsIsoServiceAutoscaler } from '@cdklabs/cdk-enterprise-iac'
new EcsIsoServiceAutoscaler(scope: Construct, id: string, props: EcsIsoServiceAutoscalerProps)
| Name | Type | Description | | --- | --- | --- | | scope | constructs.Construct | No description. | | id | string | No description. | | props | EcsIsoServiceAutoscalerProps | No description. |
scope
Required
- Type: constructs.Construct
id
Required
- Type: string
props
Required
- Type: EcsIsoServiceAutoscalerProps
Methods
| Name | Description | | --- | --- | | toString | Returns a string representation of this construct. |
toString
public toString(): string
Returns a string representation of this construct.
Static Functions
| Name | Description |
| --- | --- |
| isConstruct | Checks if x
is a construct. |
~~isConstruct
~~
import { EcsIsoServiceAutoscaler } from '@cdklabs/cdk-enterprise-iac'
EcsIsoServiceAutoscaler.isConstruct(x: any)
Checks if x
is a construct.
x
Required
- Type: any
Any object.
Properties
| Name | Type | Description | | --- | --- | --- | | node | constructs.Node | The tree node. | | ecsScalingManagerFunction | aws-cdk-lib.aws_lambda.Function | No description. |
node
Required
public readonly node: Node;
- Type: constructs.Node
The tree node.
ecsScalingManagerFunction
Required
public readonly ecsScalingManagerFunction: Function;
- Type: aws-cdk-lib.aws_lambda.Function
PopulateWithConfig
Populate a provided VPC with subnets based on a provided configuration.
Example
const mySubnetConfig: SubnetConfig[] = [
{
groupName: 'app',
cidrRange: '172.31.0.0/27',
availabilityZone: 'a',
subnetType: subnetType.PUBLIC,
},
{
groupName: 'app',
cidrRange: '172.31.0.32/27',
availabilityZone: 'b',
subnetType: subnetType.PUBLIC,
},
{
groupName: 'db',
cidrRange: '172.31.0.64/27',
availabilityZone: 'a',
subnetType: subnetType.PRIVATE_WITH_EGRESS,
},
{
groupName: 'db',
cidrRange: '172.31.0.96/27',
availabilityZone: 'b',
subnetType: subnetType.PRIVATE_WITH_EGRESS,
},
{
groupName: 'iso',
cidrRange: '172.31.0.128/26',
availabilityZone: 'a',
subnetType: subnetType.PRIVATE_ISOLATED,
},
{
groupName: 'iso',
cidrRange: '172.31.0.196/26',
availabilityZone: 'b',
subnetType: subnetType.PRIVATE_ISOLATED,
},
];
new PopulateWithConfig(this, "vpcPopulater", {
vpcId: 'vpc-abcdefg1234567',
privateRouteTableId: 'rt-abcdefg123456',
localRouteTableId: 'rt-123456abcdefg',
subnetConfig: mySubnetConfig,
})
Initializers
import { PopulateWithConfig } from '@cdklabs/cdk-enterprise-iac'
new PopulateWithConfig(scope: Construct, id: string, props: PopulateWithConfigProps)
| Name | Type | Description | | --- | --- | --- | | scope | constructs.Construct | No description. | | id | string | No description. | | props | PopulateWithConfigProps | No description. |
scope
Required
- Type: constructs.Construct
id
Required
- Type: string
props
Required
- Type: PopulateWithConfigProps
Methods
| Name | Description | | --- | --- | | toString | Returns a string representation of this construct. |
toString
public toString(): string
Returns a string representation of this construct.
Static Functions
| Name | Description |
| --- | --- |
| isConstruct | Checks if x
is a construct. |
~~isConstruct
~~
import { PopulateWithConfig } from '@cdklabs/cdk-enterprise-iac'
PopulateWithConfig.isConstruct(x: any)
Checks if x
is a construct.
x
Required
- Type: any
Any object.
Properties
| Name | Type | Description | | --- | --- | --- | | node | constructs.Node | The tree node. |
node
Required
public readonly node: Node;
- Type: constructs.Node
The tree node.
SplitVpcEvenly
Splits a VPC evenly between a provided number of AZs (3 if not defined), and attaches a provided route table to each, and labels.
Example
// with more specific properties
new SplitVpcEvenly(this, 'evenSplitVpc', {
vpcId: 'vpc-abcdefg123456',
vpcCidr: '172.16.0.0/16',
routeTableId: 'rt-abcdefgh123456',
cidrBits: '10',
numberOfAzs: 4,
subnetType: subnetType.PRIVATE_ISOLATED,
});
Initializers
import { SplitVpcEvenly } from '@cdklabs/cdk-enterprise-iac'
new SplitVpcEvenly(scope: Construct, id: string, props: SplitVpcEvenlyProps)
| Name | Type | Description | | --- | --- | --- | | scope | constructs.Construct | No description. | | id | string | No description. | | props | SplitVpcEvenlyProps | No description. |
scope
Required
- Type: constructs.Construct
id
Required
- Type: string
props
Required
- Type: SplitVpcEvenlyProps
Methods
| Name | Description | | --- | --- | | toString | Returns a string representation of this construct. |
toString
public toString(): string
Returns a string representation of this construct.
Static Functions
| Name | Description |
| --- | --- |
| isConstruct | Checks if x
is a construct. |
~~isConstruct
~~
import { SplitVpcEvenly } from '@cdklabs/cdk-enterprise-iac'
SplitVpcEvenly.isConstruct(x: any)
Checks if x
is a construct.
x
Required
- Type: any
Any object.
Properties
| Name | Type | Description | | --- | --- | --- | | node | constructs.Node | The tree node. |
node
Required
public readonly node: Node;
- Type: constructs.Node
The tree node.
Structs
AddCfnInitProxyProps
Properties for the proxy server to use with cfn helper commands.
Initializer
import { AddCfnInitProxyProps } from '@cdklabs/cdk-enterprise-iac'
const addCfnInitProxyProps: AddCfnInitProxyProps = { ... }
Properties
| Name | Type | Description |
| --- | --- | --- |
| proxyHost | string | host of your proxy. |
| proxyPort | number | proxy port. |
| proxyCredentials | aws-cdk-lib.aws_secretsmanager.ISecret | JSON secret containing user
and password
properties to use if your proxy requires credentials http://user:password@host:port
could contain sensitive data, so using a Secret. |
| proxyType | ProxyType | Proxy Type. |
proxyHost
Required
public readonly proxyHost: string;
- Type: string
host of your proxy.
Example
example.com
proxyPort
Required
public readonly proxyPort: number;
- Type: number
proxy port.
Example
8080
proxyCredentials
Optional
public readonly proxyCredentials: ISecret;
- Type: aws-cdk-lib.aws_secretsmanager.ISecret
JSON secret containing user
and password
properties to use if your proxy requires credentials http://user:password@host:port
could contain sensitive data, so using a Secret.
Note that while the user
and password
won't be visible in the cloudformation template
they will be in plain text inside your UserData
Example
const secret = new Secret(stack, 'TestSecret', {
secretObjectValue: {
user: SecretValue,
password: SecretValue,
},
});
proxyType
Optional
public readonly proxyType: ProxyType;
- Type: ProxyType
- Default: ProxyType.HTTP
Proxy Type.
Example
ProxyType.HTTPS
AddPermissionBoundaryProps
Properties to pass to the AddPermissionBoundary.
Initializer
import { AddPermissionBoundaryProps } from '@cdklabs/cdk-enterprise-iac'
const addPermissionBoundaryProps: AddPermissionBoundaryProps = { ... }
Properties
| Name | Type | Description | | --- | --- | --- | | permissionsBoundaryPolicyName | string | Name of Permissions Boundary Policy to add to all IAM roles. | | instanceProfilePrefix | string | A prefix to prepend to the name of the IAM InstanceProfiles (Default: ''). | | policyPrefix | string | A prefix to prepend to the name of the IAM Policies and ManagedPolicies (Default: ''). | | rolePrefix | string | A prefix to prepend to the name of IAM Roles (Default: ''). |
permissionsBoundaryPolicyName
Required
public readonly permissionsBoundaryPolicyName: string;
- Type: string
Name of Permissions Boundary Policy to add to all IAM roles.
instanceProfilePrefix
Optional
public readonly instanceProfilePrefix: string;
- Type: string
A prefix to prepend to the name of the IAM InstanceProfiles (Default: '').
policyPrefix
Optional
public readonly policyPrefix: string;
- Type: string
A prefix to prepend to the name of the IAM Policies and ManagedPolicies (Default: '').
rolePrefix
Optional
public readonly rolePrefix: string;
- Type: string
A prefix to prepend to the name of IAM Roles (Default: '').
EcsIsoServiceAutoscalerProps
Initializer
import { EcsIsoServiceAutoscalerProps } from '@cdklabs/cdk-enterprise-iac'
const ecsIsoServiceAutoscalerProps: EcsIsoServiceAutoscalerProps = { ... }
Properties
| Name | Type | Description | | --- | --- | --- | | ecsCluster | aws-cdk-lib.aws_ecs.Cluster | The cluster the service you wish to scale resides in. | | ecsService | aws-cdk-lib.aws_ecs.IService | The ECS service you wish to scale. | | scaleAlarm | aws-cdk-lib.aws_cloudwatch.AlarmBase | The Cloudwatch Alarm that will cause scaling actions to be invoked, whether it's in or not in alarm will determine scale up and down actions. | | maximumTaskCount | number | The maximum number of tasks that the service will scale out to. | | minimumTaskCount | number | The minimum number of tasks the service will have. | | role | aws-cdk-lib.aws_iam.IRole | Optional IAM role to attach to the created lambda to adjust the desired count on the ECS Service. | | scaleInCooldown | aws-cdk-lib.Duration | How long will the application wait before performing another scale in action. | | scaleInIncrement | number | The number of tasks that will scale in on scale in alarm status. | | scaleOutCooldown | aws-cdk-lib.Duration | How long will a the application wait before performing another scale out action. | | scaleOutIncrement | number | The number of tasks that will scale out on scale out alarm status. |
ecsCluster
Required
public readonly ecsCluster: Cluster;
- Type: aws-cdk-lib.aws_ecs.Cluster
The cluster the service you wish to scale resides in.
ecsService
Required
public readonly ecsService: IService;
- Type: aws-cdk-lib.aws_ecs.IService
The ECS service you wish to scale.
scaleAlarm
Required
public readonly scaleAlarm: AlarmBase;
- Type: aws-cdk-lib.aws_cloudwatch.AlarmBase
The Cloudwatch Alarm that will cause scaling actions to be invoked, whether it's in or not in alarm will determine scale up and down actions.
Note: composite alarms can not be generated with CFN in all regions, while this allows you to pass in a composite alarm alarm creation is outside the scope of this construct
maximumTaskCount
Optional
public readonly maximumTaskCount: number;
- Type: number
- Default: 10
The maximum number of tasks that the service will scale out to.
Note: This does not provide any protection from scaling out above the maximum allowed in your account, set this variable and manage account quotas appropriately.
minimumTaskCount
Optional
public readonly minimumTaskCount: number;
- Type: number
- Default: 1
The minimum number of tasks the service will have.
role
Optional
public readonly role: IRole;
- Type: aws-cdk-lib.aws_iam.IRole
- Default: A role is created for you with least privilege IAM policy
Optional IAM role to attach to the created lambda to adjust the desired count on the ECS Service.
Ensure this role has appropriate privileges. Example IAM policy statements:
{
"PolicyDocument": {
"Statement": [
{
"Action": "cloudwatch:DescribeAlarms",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ecs:DescribeServices",
"ecs:UpdateService"
],
"Condition": {
"StringEquals": {
"ecs:cluster": "arn:${Partition}:ecs:${Region}:${Account}:cluster/${ClusterName}"
}
},
"Effect": "Allow",
"Resource": "arn:${Partition}:ecs:${Region}:${Account}:service/${ClusterName}/${ServiceName}"
}
],
"Version": "2012-10-17"
}
}
scaleInCooldown
Optional
public readonly scaleInCooldown: Duration;
- Type: aws-cdk-lib.Duration
- Default: 60 seconds
How long will the application wait before performing another scale in action.
scaleInIncrement
Optional
public readonly scaleInIncrement: number;
- Type: number
- Default: 1
The number of tasks that will scale in on scale in alarm status.
scaleOutCooldown
Optional
public readonly scaleOutCooldown: Duration;
- Type: aws-cdk-lib.Duration
- Default: 60 seconds
How long will a the application wait before performing another scale out action.
scaleOutIncrement
Optional
public readonly scaleOutIncrement: number;
- Type: number
- Default: 1
The number of tasks that will scale out on scale out alarm status.
PopulateWithConfigProps
Initializer
import { PopulateWithConfigProps } from '@cdklabs/cdk-enterprise-iac'
const populateWithConfigProps: PopulateWithConfigProps = { ... }
Properties
| Name | Type | Description | | --- | --- | --- | | localRouteTableId | string | Local route table ID, with routes only to local VPC. | | privateRouteTableId | string | Route table ID for a provided route table with routes to enterprise network. | | subnetConfig | SubnetConfig[] | List of Subnet configs to provision to provision. | | vpcId | string | ID of the VPC provided that needs to be populated. |
localRouteTableId
Required
public readonly localRouteTableId: string;
- Type: string
Local route table ID, with routes only to local VPC.
privateRouteTableId
Required
public readonly privateRouteTableId: string;
- Type: string
Route table ID for a provided route table with routes to enterprise network.
Both subnetType.PUBLIC and subnetType.PRIVATE_WITH_EGRESS will use this property
subnetConfig
Required
public readonly subnetConfig: SubnetConfig[];
- Type: SubnetConfig[]
List of Subnet configs to provision to provision.
vpcId
Required
public readonly vpcId: string;
- Type: string
ID of the VPC provided that needs to be populated.
RemoveTagsProps
Initializer
import { RemoveTagsProps } from '@cdklabs/cdk-enterprise-iac'
const removeTagsProps: RemoveTagsProps = { ... }
Properties
| Name | Type | Description | | --- | --- | --- | | cloudformationResource | string | Name of Cloudformation resource Type (e.g. 'AWS::Lambda::Function'). | | tagPropertyName | string | Name of the tag property to remove from the resource. |
cloudformationResource
Required
public readonly cloudformationResource: string;
- Type: string
Name of Cloudformation resource Type (e.g. 'AWS::Lambda::Function').
tagPropertyName
Optional
public readonly tagPropertyName: string;
- Type: string
- Default: Tags
Name of the tag property to remove from the resource.
ResourceExtractorProps
Initializer
import { ResourceExtractorProps } from '@cdklabs/cdk-enterprise-iac'
const resourceExtractorProps: ResourceExtractorProps = { ... }
Properties
| Name | Type | Description |
| --- | --- | --- |
| extractDestinationStack | aws-cdk-lib.Stack | Stack to move found extracted resources into. |
| resourceTypesToExtract | string[] | List of resource types to extract, ex: AWS::IAM::Role
. |
| stackArtifacts | aws-cdk-lib.cx_api.CloudFormationStackArtifact[] | Synthed stack artifacts from your CDK app. |
| additionalTransforms | {[ key: string ]: string} | Additional resource transformations. |
| valueShareMethod | ResourceExtractorShareMethod | The sharing method to use when passing exported resources from the "Extracted Stack" into the original stack(s). |
extractDestinationStack
Required
public readonly extractDestinationStack: Stack;
- Type: aws-cdk-lib.Stack
Stack to move found extracted resources into.
resourceTypesToExtract
Required
public readonly resourceTypesToExtract: string[];
- Type: string[]
List of resource types to extract, ex: AWS::IAM::Role
.
stackArtifacts
Required
public readonly stackArtifacts: CloudFormationStackArtifact[];
- Type: aws-cdk-lib.cx_api.CloudFormationStackArtifact[]
Synthed stack artifacts from your CDK app.
additionalTransforms
Optional
public readonly additionalTransforms: {[ key: string ]: string};
- Type: {[ key: string ]: string}
Additional resource transformations.
valueShareMethod
Optional
public readonly valueShareMethod: ResourceExtractorShareMethod;
- Type: ResourceExtractorShareMethod
The sharing method to use when passing exported resources from the "Extracted Stack" into the original stack(s).
SetApiGatewayEndpointConfigurationProps
Initializer
import { SetApiGatewayEndpointConfigurationProps } from '@cdklabs/cdk-enterprise-iac'
const setApiGatewayEndpointConfigurationProps: SetApiGatewayEndpointConfigurationProps = { ... }
Properties
| Name | Type | Description | | --- | --- | --- | | endpointType | aws-cdk-lib.aws_apigateway.EndpointType | API Gateway endpoint type to override to. |
endpointType
Optional
public readonly endpointType: EndpointType;
- Type: aws-cdk-lib.aws_apigateway.EndpointType
- Default: EndpointType.REGIONAL
API Gateway endpoint type to override to.
Defaults to EndpointType.REGIONAL
SplitVpcEvenlyProps
Initializer
import { SplitVpcEvenlyProps } from '@cdklabs/cdk-enterprise-iac'
const splitVpcEvenlyProps: SplitVpcEvenlyProps = { ... }
Properties
| Name | Type | Description |
| --- | --- | --- |
| routeTableId | string | Route Table ID that will be attached to each subnet created. |
| vpcCidr | string | CIDR range of the VPC you're populating. |
| vpcId | string | ID of the existing VPC you're trying to populate. |
| cidrBits | string | cidrBits
argument for the Fn::Cidr
Cloudformation intrinsic function. |
| numberOfAzs | number | Number of AZs to evenly split into. |
| subnetType | aws-cdk-lib.aws_ec2.SubnetType | No description. |
routeTableId
Required
public readonly routeTableId: string;
- Type: string
Route Table ID that will be attached to each subnet created.
vpcCidr
Required
public readonly vpcCidr: string;
- Type: string
CIDR range of the VPC you're populating.
vpcId
Required
public readonly vpcId: string;
- Type: string
ID of the existing VPC you're trying to populate.
cidrBits
Optional
public readonly cidrBits: string;
- Type: string
- Default: '6'
cidrBits
argument for the Fn::Cidr
Cloudformation intrinsic function.