import { Construct } from 'constructs';
import { createRole } from './common';
import { TopicHook } from './topic-hook';
import * as autoscaling from '../../aws-autoscaling';
import * as kms from '../../aws-kms';
import * as lambda from '../../aws-lambda';
import * as sns from '../../aws-sns';
import * as subs from '../../aws-sns-subscriptions';
/**
 * Lifecycle hook target that invokes a Lambda function.
 *
 * The function is not attached to the hook directly: an SNS topic is created
 * as the intermediary and the function is subscribed to that topic.
 *
 * The topic only receives a KMS key when `encryptionKey` is passed to the
 * constructor; otherwise `masterKey` is left undefined on the topic.
 */
export class FunctionHook implements autoscaling.ILifecycleHookTarget {
  /**
   * @param fn Function to invoke in response to a lifecycle event
   * @param encryptionKey Optional KMS key. When provided, it is set as the SNS topic's
   * master key, and the hook role is granted `kms:Decrypt` and `kms:GenerateDataKey` on it.
   */
  constructor(
    private readonly fn: lambda.IFunction,
    private readonly encryptionKey?: kms.IKey,
  ) {}

  /**
   * Builds the SNS topic that connects the lifecycle hook to the function.
   *
   * When `options` carries no `IRole`, an `IRole` is created alongside the topic and both
   * are attached to the lifecycle hook. When `options` already carries an `IRole`, only the
   * topic is created and attached.
   *
   * NOTE(review): with a caller-supplied role, the KMS grant below is added to that
   * existing role, so it presumably applies wherever that role is used. Confirm the role
   * is dedicated to this hook if the key protects other data.
   *
   * @param _scope Construct scope in which the topic (and role, if needed) are created
   * @param options Bind options; `role` and `lifecycleHook` are read from it
   * @returns The target configuration produced by binding a `TopicHook` for the new topic
   */
  public bind(_scope: Construct, options: autoscaling.BindHookTargetOptions): autoscaling.LifecycleHookTargetConfig {
    const hookTopic = new sns.Topic(_scope, 'Topic', { masterKey: this.encryptionKey });
    const hookRole = createRole(_scope, options.role);

    // Per: https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse
    // grantPublish() lives in a Topic base class that is unaware of the KMS key, so it does
    // not add the key permissions needed to publish to an encrypted topic. Grant them here,
    // limited to the two actions required and only when a key was actually supplied.
    if (this.encryptionKey) {
      this.encryptionKey.grant(hookRole, 'kms:Decrypt', 'kms:GenerateDataKey');
    }

    const lambdaSubscription = new subs.LambdaSubscription(this.fn);
    hookTopic.addSubscription(lambdaSubscription);

    // Delegate the hook wiring to TopicHook, passing along the resolved role.
    const topicTarget = new TopicHook(hookTopic);
    return topicTarget.bind(_scope, { lifecycleHook: options.lifecycleHook, role: hookRole });
  }
}