feat(cloudformation): aws custom resource

packages/@aws-cdk/aws-cloudformation/lib/aws-custom-resource-provider/.gitignore

@@ -0,0 +1 @@
+!*.js

packages/@aws-cdk/aws-cloudformation/lib/aws-custom-resource-provider/index.js

@@ -0,0 +1,76 @@
+const AWS = require('aws-sdk');
+
+/**
+ * Flattens a nested object. Keys are path.
+ */
+function flatten(object) {
+  return Object.assign(
+    {},
+    ...function _flatten(child, path = []) {
+      return [].concat(...Object.keys(child).map(key => typeof child[key] === 'object'
+          ? _flatten(child[key], path.concat([key]))
+          : ({ [path.concat([key]).join('.')] : child[key] })
+      ));
+    }(object)
+  );
+}
+
+exports.handler = async function(event, context) {
+  try {
+    console.log(JSON.stringify(event));
+    console.log('AWS SDK VERSION: ' + AWS.VERSION);
+
+    let data = {};
+
+    const physicalResourceId = event.ResourceProperties.PhysicalResourceId;
+
+    if (event.ResourceProperties[event.RequestType]) {
+      const { service, action, parameters = {} } = event.ResourceProperties[event.RequestType];
+
+      const awsService = new AWS[service]();
+
+      const response = await awsService[action](parameters).promise();
+
+      data = flatten(response);
+    }
+
+    await respond('SUCCESS', 'OK', physicalResourceId, data);
+  } catch (e) {
+    console.log(e);
+    await respond('FAILED', e.message, context.logStreamName, {});
+  }
+
+  function respond(responseStatus, reason, physicalResourceId, data) {
+    const responseBody = JSON.stringify({
+      Status: responseStatus,
+      Reason: reason,
+      PhysicalResourceId: physicalResourceId,
+      StackId: event.StackId,
+      RequestId: event.RequestId,
+      LogicalResourceId: event.LogicalResourceId,
+      NoEcho: false,
+      Data: data
+    });
+
+    console.log('Responding', JSON.stringify(responseBody));
+
+    const parsedUrl = require('url').parse(event.ResponseURL);
+    const requestOptions = {
+      hostname: parsedUrl.hostname,
+      path: parsedUrl.path,
+      method: 'PUT',
+      headers: { 'content-type': '', 'content-length': responseBody.length }
+    };
+
+    return new Promise((resolve, reject) => {
+      try {
+        const request = require('https').request(requestOptions, resolve);
+        request.on('error', reject);
+        request.write(responseBody);
+        request.end();
+      } catch (e) {
+        reject(e);
+      }
+    });
+  }
+}

packages/@aws-cdk/aws-cloudformation/lib/aws-custom-resource.ts

@@ -0,0 +1,175 @@
+import iam = require('@aws-cdk/aws-iam');
+import lambda = require('@aws-cdk/aws-lambda');
+import cdk = require('@aws-cdk/cdk');
+import metadata = require('aws-sdk/apis/metadata.json');
+import path = require('path');
+import { CustomResource } from './custom-resource';
+
+/**
+ * AWS SDK service metadata.
+ */
+export type AwsSdkMetadata = {[key: string]: any};
+
+const awsSdkMetadata: AwsSdkMetadata = metadata;
+
+/**
+ * An AWS SDK call.
+ */
+export interface AwsSdkCall {
+  /**
+   * The service to call
+   */
+  readonly service: string;
+
+  /**
+   * The service action to call
+   */
+  readonly action: string;
+
+  /**
+   * The parameters for the service action
+   */
+  readonly parameters?: any;
+}
+
+export interface AwsCustomResourceProps {
+  /**
+   * The physical resource id of the custom resource.
+   */
+  readonly physicalResourceId: string;
+
+  /**
+   * The AWS SDK call to make when the resource is created.
+   * At least onCreate, onUpdate or onDelete must be specified.
+   *
+   * @default the call when the resource is updated
+   */
+  readonly onCreate?: AwsSdkCall;
+
+  /**
+   * The AWS SDK call to make when the resource is updated
+   *
+   * @default no call
+   */
+  readonly onUpdate?: AwsSdkCall;
+
+  /**
+   * THe AWS SDK call to make when the resource is deleted
+   *
+   * @default no call
+   */
+  readonly onDelete?: AwsSdkCall;
+
+  /**
+   * The IAM policy statements to allow the different calls. Use only if
+   * resource restriction is needed.
+   *
+   * @default Allow onCreate, onUpdate and onDelete calls on all resources ('*')
+   */
+  readonly policyStatements?: iam.PolicyStatement[];
+}
+
+export class AwsCustomResource extends cdk.Construct {
+  /**
+   * The physical resource id of the custom resource.
+   */
+  public readonly physicalResourceId: string;
+
+  /**
+   * The AWS SDK call made when the resource is created.
+   */
+  public readonly onCreate?: AwsSdkCall;
+
+  /**
+   * The AWS SDK call made when the resource is udpated.
+   */
+  public readonly onUpdate?: AwsSdkCall;
+
+  /**
+   * The AWS SDK call made when the resource is deleted.
+   */
+  public readonly onDelete?: AwsSdkCall;
+
+  /**
+   * The IAM policy statements used by the lambda provider.
+   */
+  public readonly policyStatements: iam.PolicyStatement[];
+
+  /**
+   * The custom resource making the AWS SDK calls.
+   */
+  private readonly customResource: CustomResource;
+
+  constructor(scope: cdk.Construct, id: string, props: AwsCustomResourceProps) {
+    super(scope, id);
+
+    if (!props.onCreate && !props.onUpdate && !props.onDelete) {
+      throw new Error('At least `onCreate`, `onUpdate` or `onDelete` must be specified.');
+    }
+
+    this.onCreate = props.onCreate || props.onUpdate;
+    this.onUpdate = props.onUpdate;
+    this.onDelete = props.onDelete;
+    this.physicalResourceId = props.physicalResourceId;
+
+    const fn = new lambda.SingletonFunction(this, 'Function', {
+      code: lambda.Code.asset(path.join(__dirname, 'aws-custom-resource-provider')),
+      runtime: lambda.Runtime.NodeJS810,
+      handler: 'index.handler',
+      uuid: '679f53fa-c002-430c-b0da-5b7982bd2287'
+    });
+
+    if (props.policyStatements) {
+      props.policyStatements.forEach(statement => {
+        fn.addToRolePolicy(statement);
+      });
+      this.policyStatements = props.policyStatements;
+    } else { // Derive statements from AWS SDK calls
+      this.policyStatements = [];
+
+      [this.onCreate, this.onUpdate, this.onDelete].forEach(call => {
+        if (call) {
+          const statement = new iam.PolicyStatement()
+            .addAction(awsSdkToIamAction(call.service, call.action))
+            .addAllResources();
+          fn.addToRolePolicy(statement); // TODO: remove duplicates?
+          this.policyStatements.push(statement);
+        }
+      });
+    }
+
+    this.customResource = new CustomResource(this, 'Resource', {
+      resourceType: 'Custom::AWS',
+      lambdaProvider: fn,
+      properties: {
+        physicalResourceId: this.physicalResourceId,
+        create: this.onCreate,
+        update: this.onUpdate,
+        delete: this.onDelete
+      }
+    });
+  }
+
+  /**
+   * Returns response data for the AWS SDK call.
+   * Example for S3 / listBucket : 'Buckets.0.Name'
+   *
+   * @param dataPath the path to the data
+   */
+  public getData(dataPath: string) {
+    return this.customResource.getAtt(dataPath);
+  }
+}
+
+/**
+ * Transform SDK service/action to IAM action using metadata from aws-sdk module.
+ * Example: CloudWatchLogs with putRetentionPolicy => logs:PutRetentionPolicy
+ *
+ * TODO: is this mapping correct for all services?
+ */
+function awsSdkToIamAction(service: string, action: string): string {
+  const srv = service.toLowerCase();
+  const iamService = awsSdkMetadata[srv].prefix || srv;
+  const iamAction = action.charAt(0).toUpperCase() + action.slice(1);
+  return `${iamService}:${iamAction}`;
+}

packages/@aws-cdk/aws-cloudformation/lib/index.ts

@@ -1,5 +1,6 @@
 export * from './custom-resource';
 export * from './pipeline-actions';
+export * from './aws-custom-resource';
 
 // AWS::CloudFormation CloudFormation Resources:
 export * from './cloudformation.generated';

packages/@aws-cdk/aws-cloudformation/package.json

@@ -73,8 +73,12 @@
     "@aws-cdk/aws-iam": "^0.26.0",
     "@aws-cdk/aws-lambda": "^0.26.0",
     "@aws-cdk/aws-sns": "^0.26.0",
-    "@aws-cdk/cdk": "^0.26.0"
+    "@aws-cdk/cdk": "^0.26.0",
+    "aws-sdk": "^2.409.0"
   },
+  "bundledDependencies": [
+    "aws-sdk"
+  ],
   "homepage": "https://github.com/awslabs/aws-cdk",
   "peerDependencies": {
     "@aws-cdk/aws-codepipeline-api": "^0.26.0",
@@ -92,4 +96,4 @@
       "construct-ctor:@aws-cdk/aws-cloudformation.PipelineCloudFormationDeployAction.<initializer>"
     ]
   }
-}
+}