def test_validate_working_directory(self):
    """A WorkingDirectory of 1000 characters validates without raising."""
    config = ImageConfig(WorkingDirectory="x" * 1000)
    config.validate()
def test_validate_working_directory_too_long(self):
    """A WorkingDirectory of 1001 characters is rejected with ValueError."""
    with self.assertRaises(ValueError):
        # Built inside the context so a ValueError from either the
        # constructor or validate() satisfies the assertion.
        config = ImageConfig(WorkingDirectory="x" * 1001)
        config.validate()
def test_validate_entry_point(self):
    """An EntryPoint list of 1500 items validates without raising."""
    entry_point = ["something"] * 1500
    config = ImageConfig(EntryPoint=entry_point)
    config.validate()
def test_validate_entry_point_too_long(self):
    """An EntryPoint list of 1501 items is rejected with ValueError."""
    entry_point = ["something"] * 1501
    with self.assertRaises(ValueError):
        # Built inside the context so a ValueError from either the
        # constructor or validate() satisfies the assertion.
        config = ImageConfig(EntryPoint=entry_point)
        config.validate()
def test_validate_command_too_long(self):
    """A Command list of 1501 items is rejected with ValueError."""
    command = ["something"] * 1501
    with self.assertRaises(ValueError):
        # Built inside the context so a ValueError from either the
        # constructor or validate() satisfies the assertion.
        config = ImageConfig(Command=command)
        config.validate()
def test_validate_empty(self):
    """An ImageConfig with no properties set validates without raising."""
    config = ImageConfig()
    config.validate()
def test_validate_command(self):
    """A Command list of 1500 items validates without raising."""
    command = ["something"] * 1500
    config = ImageConfig(Command=command)
    config.validate()
def create_template():
    """Build the "User-defined code" CloudFormation template.

    The stack declares a security group, an execution role, a VPC-attached
    container-image Lambda (versioned through ``common.add_versioned_lambda``)
    with a file system access point mounted at ``/mnt/storage``, a log group
    with 7-day retention, and a policy letting the role write to that log
    group.

    Returns:
        The populated ``Template``; its only output is ``FunctionAliasArn``.
    """
    tpl = Template(Description="User-defined code")

    # --- Parameters -------------------------------------------------------
    deployment_id_param = tpl.add_parameter(
        Parameter("DeploymentId", Type="String")
    )
    vpc_id_param = tpl.add_parameter(Parameter("VpcId", Type="String"))
    subnet_ids_param = tpl.add_parameter(
        Parameter("SubnetIds", Type="CommaDelimitedList")
    )
    access_point_arn_param = tpl.add_parameter(
        Parameter("FileSystemAccessPointArn", Type="String")
    )
    image_uri_param = tpl.add_parameter(Parameter("ImageUri", Type="String"))

    # --- Network ----------------------------------------------------------
    # NOTE(review): no ingress or egress rules are declared on this group.
    # With none declared, EC2's default allow-all egress rule applies;
    # confirm that is intended for a function running user-defined code.
    sg = tpl.add_resource(
        SecurityGroup(
            "SecurityGroup",
            GroupDescription=StackName,
            VpcId=Ref(vpc_id_param),
        )
    )

    # --- Execution role ---------------------------------------------------
    # Only the Lambda service principal may assume the role.
    trust_document = PolicyDocument(
        Version="2012-10-17",
        Statement=[
            Statement(
                Effect=Allow,
                Action=[sts.AssumeRole],
                Principal=Principal("Service", "lambda.amazonaws.com"),
            ),
        ],
    )
    # Network-interface actions are granted on every resource ("*"); the
    # statement carries no resource or condition scoping.
    vpc_access_policy = Policy(
        PolicyName="vpc-access",
        PolicyDocument=PolicyDocument(
            Version="2012-10-17",
            Statement=[
                Statement(
                    Effect=Allow,
                    Action=[
                        ec2.CreateNetworkInterface,
                        ec2.DescribeNetworkInterfaces,
                        ec2.DeleteNetworkInterface,
                        ec2.AssignPrivateIpAddresses,
                        ec2.UnassignPrivateIpAddresses,
                    ],
                    Resource=["*"],
                ),
            ],
        ),
    )
    execution_role = tpl.add_resource(
        Role(
            "Role",
            AssumeRolePolicyDocument=trust_document,
            Policies=[vpc_access_policy],
        )
    )

    # --- Function ---------------------------------------------------------
    lambda_definition = Function(
        "Function",
        MemorySize=256,
        Role=GetAtt(execution_role, "Arn"),
        VpcConfig=VPCConfig(
            SecurityGroupIds=[Ref(sg)],
            SubnetIds=Ref(subnet_ids_param),
        ),
        FileSystemConfigs=[
            FileSystemConfig(
                Arn=Ref(access_point_arn_param),
                LocalMountPath="/mnt/storage",
            ),
        ],
        PackageType="Image",
        Code=Code(ImageUri=Ref(image_uri_param)),
        # The container command is "<module>:<function>" of the handler.
        ImageConfig=ImageConfig(
            Command=[
                Join(":", (handler.__module__, handler.__name__)),
            ],
        ),
    )
    fn, fn_alias = common.add_versioned_lambda(
        tpl,
        Ref(deployment_id_param),
        lambda_definition,
    )

    # --- Logging ----------------------------------------------------------
    logs_resource = tpl.add_resource(
        LogGroup(
            "LogGroup",
            LogGroupName=Join("/", ["/aws/lambda", Ref(fn)]),
            RetentionInDays=7,
        )
    )
    # Log writes are limited to this function's own log group.
    log_write_statement = Statement(
        Effect=Allow,
        Resource=GetAtt(logs_resource, "Arn"),
        Action=[logs.CreateLogStream, logs.PutLogEvents],
    )
    tpl.add_resource(
        PolicyType(
            "Policy",
            PolicyName=Ref(fn),
            PolicyDocument=PolicyDocument(
                Version="2012-10-17",
                Statement=[log_write_statement],
            ),
            Roles=[Ref(execution_role)],
        )
    )

    # --- Outputs ----------------------------------------------------------
    tpl.add_output(Output("FunctionAliasArn", Value=Ref(fn_alias)))
    return tpl
def create_template():
    """Build the "Stable availability zone discovery utility" template.

    The stack declares an execution role, a container-image Lambda
    (versioned through ``common.add_versioned_lambda``), its log group, a
    policy for log writes and ``ec2:DescribeAvailabilityZones``, and a
    custom resource backed by the function alias.

    Returns:
        The populated ``Template``; its only output is ``AvailabilityZones``.
    """
    tpl = Template(
        Description="Stable availability zone discovery utility")

    # --- Parameters -------------------------------------------------------
    deployment_id_param = tpl.add_parameter(
        Parameter("DeploymentId", Type="String"))
    image_uri_param = tpl.add_parameter(
        Parameter("ImageUri", Type="String"))

    # --- Execution role ---------------------------------------------------
    # Only the Lambda service principal may assume the role.
    trust_document = PolicyDocument(
        Version="2012-10-17",
        Statement=[
            Statement(
                Effect=Allow,
                Action=[sts.AssumeRole],
                Principal=Principal("Service", "lambda.amazonaws.com"),
            ),
        ],
    )
    execution_role = tpl.add_resource(
        Role("Role", AssumeRolePolicyDocument=trust_document))

    # --- Function ---------------------------------------------------------
    lambda_definition = Function(
        "Function",
        MemorySize=256,
        Timeout=30,
        Role=GetAtt(execution_role, "Arn"),
        PackageType="Image",
        Code=Code(ImageUri=Ref(image_uri_param)),
        # The container command is "<module>:<function>" of the handler.
        ImageConfig=ImageConfig(
            Command=[
                Join(":", (handler.__module__, handler.__name__)),
            ],
        ),
    )
    fn, fn_alias = common.add_versioned_lambda(
        tpl,
        Ref(deployment_id_param),
        lambda_definition,
    )

    # --- Logging and permissions ------------------------------------------
    logs_resource = tpl.add_resource(
        LogGroup(
            "LogGroup",
            LogGroupName=Join("/", ["/aws/lambda", Ref(fn)]),
            RetentionInDays=common.LOG_RETENTION_DAYS,
        ))
    # Log writes are limited to this function's own log group.
    log_write_statement = Statement(
        Effect=Allow,
        Action=[logs.PutLogEvents, logs.CreateLogStream],
        Resource=[GetAtt(logs_resource, "Arn")],
    )
    # A single read-only describe action, granted on all resources.
    describe_zones_statement = Statement(
        Effect=Allow,
        Action=[ec2.DescribeAvailabilityZones],
        Resource=["*"],
    )
    role_policy = tpl.add_resource(
        PolicyType(
            "Policy",
            PolicyName=Ref(execution_role),
            PolicyDocument=PolicyDocument(
                Version="2012-10-17",
                Statement=[log_write_statement, describe_zones_statement],
            ),
            Roles=[Ref(execution_role)],
        ))

    # --- Custom resource --------------------------------------------------
    # DependsOn makes CloudFormation create the policy before the custom
    # resource, whose ServiceToken is the function alias.
    zones_resource = tpl.add_resource(
        CustomResource(
            "AvailabilityZones",
            ServiceToken=Ref(fn_alias),
            DeploymentId=Ref(deployment_id_param),
            DependsOn=[role_policy],
        ))

    tpl.add_output(
        Output("AvailabilityZones", Value=Ref(zones_resource)))
    return tpl
def create_template():
    """Build the "Lambda VPC interface IP allocator utility" template.

    The stack declares an execution role, a container-image Lambda
    (versioned through ``common.add_versioned_lambda``), its log group, a
    policy for log writes and Elastic IP management, and two event rules
    that invoke the function alias on ``CreateNetworkInterface`` and
    ``DeleteNetworkInterface`` API calls recorded by CloudTrail.

    Returns:
        The populated ``Template``; it declares no outputs.
    """
    tpl = Template(
        Description="Lambda VPC interface IP allocator utility")

    # --- Parameters -------------------------------------------------------
    vpc_id_param = tpl.add_parameter(Parameter("VpcId", Type="String"))
    image_uri_param = tpl.add_parameter(
        Parameter("ImageUri", Type="String"))
    deployment_id_param = tpl.add_parameter(
        Parameter("DeploymentId", Type="String"))

    # --- Execution role ---------------------------------------------------
    # Only the Lambda service principal may assume the role.
    trust_document = PolicyDocument(
        Version="2012-10-17",
        Statement=[
            Statement(
                Effect=Allow,
                Action=[sts.AssumeRole],
                Principal=Principal("Service", "lambda.amazonaws.com"),
            ),
        ],
    )
    execution_role = tpl.add_resource(
        Role("Role", AssumeRolePolicyDocument=trust_document))

    # --- Function ---------------------------------------------------------
    lambda_definition = Function(
        "Function",
        MemorySize=256,
        Timeout=30,
        Role=GetAtt(execution_role, "Arn"),
        PackageType="Image",
        Code=Code(ImageUri=Ref(image_uri_param)),
        # The container command is "<module>:<function>" of the handler.
        ImageConfig=ImageConfig(
            Command=[
                Join(":", (handler.__module__, handler.__name__)),
            ],
        ),
    )
    fn, fn_alias = common.add_versioned_lambda(
        tpl,
        Ref(deployment_id_param),
        lambda_definition,
    )

    # --- Logging and permissions ------------------------------------------
    logs_resource = tpl.add_resource(
        LogGroup(
            "FunctionLogs",
            LogGroupName=Join("/", ["/aws/lambda", Ref(fn)]),
            RetentionInDays=common.LOG_RETENTION_DAYS,
        ))
    # Log writes are limited to this function's own log group.
    log_write_statement = Statement(
        Effect=Allow,
        Action=[logs.PutLogEvents, logs.CreateLogStream],
        Resource=[GetAtt(logs_resource, "Arn")],
    )
    # TODO scope down
    # As written, the resource ARN ends in "*", so these actions apply to
    # every EC2 resource in this account and region.
    address_write_statement = Statement(
        Effect=Allow,
        Action=[
            ec2.AllocateAddress,
            ec2.ReleaseAddress,
            ec2.AssociateAddress,
            ec2.CreateTags,
        ],
        Resource=[
            Join(":", ["arn", Partition, "ec2", Region, AccountId, "*"])
        ],
    )
    address_read_statement = Statement(
        Effect=Allow,
        Action=[
            ec2.DescribeAddresses,
        ],
        Resource=["*"],
    )
    role_policy = tpl.add_resource(
        PolicyType(
            "Policy",
            PolicyName=Ref(execution_role),
            PolicyDocument=PolicyDocument(
                Version="2012-10-17",
                Statement=[
                    log_write_statement,
                    address_write_statement,
                    address_read_statement,
                ],
            ),
            Roles=[Ref(execution_role)],
        ))

    # --- Rule: interface created ------------------------------------------
    # Matches CreateNetworkInterface calls that carry no errorCode, in the
    # given VPC, whose interface description starts with
    # "AWS Lambda VPC ENI".
    create_pattern = {
        "source": ["aws.ec2"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["ec2.amazonaws.com"],
            "eventName": ["CreateNetworkInterface"],
            "responseElements": {
                "networkInterface": {
                    "vpcId": [Ref(vpc_id_param)],
                    "description": [{
                        "prefix": "AWS Lambda VPC ENI"
                    }],
                },
            },
            "errorCode": [{
                "exists": False
            }],
        },
    }
    create_rule = tpl.add_resource(
        Rule(
            "RuleCreate",
            EventPattern=create_pattern,
            Targets=[
                Target(
                    Id="default",
                    Arn=Ref(fn_alias),
                ),
            ],
            DependsOn=[role_policy],
        ))
    # SourceArn restricts the invoke permission to this one rule.
    tpl.add_resource(
        Permission(
            "PermissionCreate",
            Principal="events.amazonaws.com",
            Action="lambda:InvokeFunction",
            FunctionName=Ref(fn_alias),
            SourceArn=GetAtt(create_rule, "Arn"),
        ))

    # --- Rule: interface deleted ------------------------------------------
    # Unlike RuleCreate, this pattern has no VPC or description filter: it
    # matches every DeleteNetworkInterface call that carries no errorCode.
    # NOTE(review): presumably the handler decides which deletions are
    # relevant; confirm against the handler.
    delete_pattern = {
        "source": ["aws.ec2"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["ec2.amazonaws.com"],
            "eventName": ["DeleteNetworkInterface"],
            "errorCode": [{
                "exists": False
            }],
        },
    }
    delete_rule = tpl.add_resource(
        Rule(
            "RuleDelete",
            EventPattern=delete_pattern,
            Targets=[
                Target(
                    Id="default",
                    Arn=Ref(fn_alias),
                ),
            ],
            DependsOn=[role_policy],
        ))
    # SourceArn restricts the invoke permission to this one rule.
    tpl.add_resource(
        Permission(
            "PermissionDelete",
            Principal="events.amazonaws.com",
            Action="lambda:InvokeFunction",
            FunctionName=Ref(fn_alias),
            SourceArn=GetAtt(delete_rule, "Arn"),
        ))

    return tpl
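def create_template():
    """Build the "ECR image tagger utility" CloudFormation template.

    The stack declares an execution role, a container-image Lambda
    (versioned through ``common.add_versioned_lambda``), its log group, a
    policy for log writes and ECR image access, and an ``ImageTag`` custom
    resource backed by the function alias.

    The ECR statement is scoped to the repository named by the
    ``ArtifactRepository`` parameter instead of ``"*"``.

    Returns:
        The populated ``Template``; it declares no outputs.
    """
    template = Template(Description="ECR image tagger utility")

    # --- Parameters -------------------------------------------------------
    deployment_id = template.add_parameter(
        Parameter("DeploymentId", Type="String")
    )
    artifact_repository = template.add_parameter(
        Parameter("ArtifactRepository", Type="String")
    )
    image_digest = template.add_parameter(
        Parameter("ImageDigest", Type="String")
    )
    desired_image_tag = template.add_parameter(
        Parameter("DesiredImageTag", Type="String")
    )
    image_uri = template.add_parameter(
        Parameter("ImageUri", Type="String")
    )

    # --- Execution role ---------------------------------------------------
    # Only the Lambda service principal may assume the role.
    role = template.add_resource(
        Role(
            "Role",
            AssumeRolePolicyDocument=PolicyDocument(
                Version="2012-10-17",
                Statement=[
                    Statement(
                        Effect=Allow,
                        Action=[sts.AssumeRole],
                        Principal=Principal(
                            "Service", "lambda.amazonaws.com"
                        ),
                    ),
                ],
            ),
        )
    )

    # --- Function ---------------------------------------------------------
    function, alias = common.add_versioned_lambda(
        template,
        Ref(deployment_id),
        Function(
            "Function",
            MemorySize=256,
            Timeout=30,
            Role=GetAtt(role, "Arn"),
            PackageType="Image",
            Code=Code(
                ImageUri=Ref(image_uri),
            ),
            # The container command is "<module>:<function>" of the handler.
            ImageConfig=ImageConfig(
                Command=[
                    Join(":", (handler.__module__, handler.__name__)),
                ],
            ),
        ),
    )

    # --- Logging and permissions ------------------------------------------
    log_group = template.add_resource(
        LogGroup(
            "LogGroup",
            LogGroupName=Join("/", ["/aws/lambda", Ref(function)]),
            RetentionInDays=common.LOG_RETENTION_DAYS,
        )
    )

    # ARN of the one repository the custom resource operates on. The custom
    # resource passes only a repository name, so this assumes the repository
    # lives in this stack's own account and region.
    repository_arn = Join(
        "",
        [
            "arn:",
            Ref("AWS::Partition"),
            ":ecr:",
            Ref("AWS::Region"),
            ":",
            Ref("AWS::AccountId"),
            ":repository/",
            Ref(artifact_repository),
        ],
    )

    policy = template.add_resource(
        PolicyType(
            "Policy",
            PolicyName=Ref(role),
            PolicyDocument=PolicyDocument(
                Version="2012-10-17",
                Statement=[
                    # Log writes are limited to this function's log group.
                    Statement(
                        Effect=Allow,
                        Action=[logs.PutLogEvents, logs.CreateLogStream],
                        Resource=[GetAtt(log_group, "Arn")],
                    ),
                    # Least privilege: reading and writing images is
                    # limited to the artifact repository, not every
                    # repository the account can reach.
                    Statement(
                        Effect=Allow,
                        Action=[ecr.BatchGetImage, ecr.PutImage],
                        Resource=[repository_arn],
                    ),
                ],
            ),
            Roles=[Ref(role)],
        )
    )

    # --- Custom resource --------------------------------------------------
    # DependsOn makes CloudFormation create the policy before the custom
    # resource, whose ServiceToken is the function alias.
    template.add_resource(
        CustomResource(
            "ImageTag",
            ServiceToken=Ref(alias),
            DeploymentId=Ref(deployment_id),
            RepositoryName=Ref(artifact_repository),
            ImageDigest=Ref(image_digest),
            ImageTag=Ref(desired_image_tag),
            DependsOn=[policy],
        )
    )

    return template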