Socket
Socket
Sign inDemoInstall

@cdklabs/cdk-enterprise-iac

Package Overview
Dependencies
77
Maintainers
2
Versions
451
Alerts
File Explorer

Advanced tools

Install Socket

Detect and block malicious and high-risk dependencies

Install

    @cdklabs/cdk-enterprise-iac

<!-- Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: Apache-2.0 -->


Version published
Maintainers
2
Created

Readme

Source

CDK Enterprise IaC

Utilities for using CDK within enterprise constraints.

Install

Typescript

npm install @cdklabs/cdk-enterprise-iac

Python

pip install cdklabs.cdk-enterprise-iac

Who this project is for

Within large enterprises, builders can come up against enterprise imposed constraints when deploying on AWS.

This could be simple things such as "All IAM roles must have a specific Permissions Boundary attached".

This could also be more restrictive such as strict separation of duties, only allowing certain teams the ability to deploy specific AWS resources (e.g. Networking team can deploy VPCs, Subnets, and route tables. Security team can deploy IAM resources. Developers can deploy Compute. DBAs can deploy Databases, etc.)

Enterprises with very restrictive environments like these would benefit from taking a closer look at their policies to see how they can allow builders to safely deploy resources with less friction. However in many enterprises this is easier said than done, and builders are still expected to deliver.

This project is meant to reduce friction for builders working within these enterprise constraints while the enterprise determines what policies make the most sense for their organization, and is in no way prescriptive.

Usage

There are many tools available, all detailed in API.md.

A few examples of these tools below:

Adding permissions boundaries to all generated IAM roles

Example for AddPermissionBoundary in Typescript project.

import * as cdk from 'aws-cdk-lib';
import { MyStack } from '../lib/my-project-stack';
import { Aspects } from 'aws-cdk-lib';
import { AddPermissionBoundary } from '@cdklabs/cdk-enterprise-iac';

const app = new cdk.App();
new MyStack(app, 'MyStack');

Aspects.of(app).add(
  new AddPermissionBoundary({
    permissionsBoundaryPolicyName: 'MyPermissionBoundaryName',
    instanceProfilePrefix: 'MY_PREFIX_', // optional, Defaults to ''
    policyPrefix: 'MY_POLICY_PREFIX_', // optional, Defaults to ''
    rolePrefix: 'MY_ROLE_PREFIX_', // optional, Defaults to ''
  })
);

Example for AddPermissionBoundary in Python project.

import aws_cdk as cdk
from cdklabs.cdk_enterprise_iac import AddPermissionBoundary
from test_py.test_py_stack import TestPyStack


app = cdk.App()
TestPyStack(app, "TestPyStack")

cdk.Aspects.of(app).add(AddPermissionBoundary(
    permissions_boundary_policy_name="MyPermissionBoundaryName",
    instance_profile_prefix="MY_PREFIX_",  # optional, Defaults to ""
    policy_prefix="MY_POLICY_PREFIX_",  # optional, Defaults to ""
    role_prefix="MY_ROLE_PREFIX_"  # optional, Defaults to ""
))

app.synth()

Resource extraction

:warning: Resource extraction is in an experimental phase. Test and validate before using in production. Please open any issues found here.

In many enterprises, there are separate teams with different IAM permissions than developers deploying CDK applications.

For example there might be a networking team with permissions to deploy AWS::EC2::SecurityGroup and AWS::EC2::EIP, or a security team with permissions to deploy AWS::IAM::Role and AWS::IAM::Policy, but the developers deploying the CDK don't have those permissions.

When a developer doesn't have permissions to deploy necessary resources in their CDK application, writing good code becomes difficult to manage when a cdk deploy will quickly error due to not being able to deploy something like an AWS::IAM::Role which is foundational to any project deployed into AWS.

An enterprise should allow builders to deploy these resources via CDK for many reasons, and can use Permissions Boundaries to prevent privilege escalation. For enterprises that haven't yet utilized Permissions Boundaries, the ResourceExtractor can make it easier for builders to write good CDK while complying with enterprise policies.

Using the ResourceExtractor Aspect, developers can write their CDK code as though they had sufficient IAM permissions, but extract those resources into a separate stack for an external team to deploy on their behalf.

Take the following example stack:

import { App, Aspects, RemovalPolicy, Stack } from 'aws-cdk-lib';
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
import { Bucket } from 'aws-cdk-lib/aws-s3';

const app = new App();
const appStack = new Stack(app, 'MyAppStack');

const func = new Function(appStack, 'TestLambda', {
  code: Code.fromAsset(path.join(__dirname, 'lambda-handler')),
  handler: 'index.handler',
  runtime: Runtime.PYTHON_3_11,
});
const bucket = new Bucket(appStack, 'TestBucket', {
  autoDeleteObjects: true,
  removalPolicy: RemovalPolicy.DESTROY,
});
bucket.grantReadWrite(func);

app.synth()

The synthesized Cloudformation would include all AWS resources required, including resources a developer might not have permissions to deploy

The above example would include the following snippet in the synthesized Cloudformation

TestLambdaServiceRoleC28C2D9C:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Action: 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
      Version: 2012-10-17
    # excluding remaining properties
  TestLambda2F70C45E:
    Type: 'AWS::Lambda::Function'
    Properties:
      Role: !GetAtt
        - TestLambdaServiceRoleC28C2D9C
        - Arn
      # excluding remaining properties

While including bucket.grantReadWrite(func) in the CDK application ensures an IAM role with least privilege IAM policies for the application, the creation of IAM resources such as Roles and Policies may be restricted to a security team, resulting in the synthesized Cloudformation template not being deployable by a developer.

Using the ResourceExtractor, we can pull out an arbitrary list of Cloudformation resources that a developer doesn't have permissions to provision, and create a separate stack that can be sent to a security team.

import { App, Aspects, RemovalPolicy, Stack } from 'aws-cdk-lib';
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
import { Bucket } from 'aws-cdk-lib/aws-s3';
// Import ResourceExtractor
import { ResourceExtractor } from '@cdklabs/cdk-enterprise-iac';

const app = new App();
const appStack = new Stack(app, 'MyAppStack');
// Set up a destination stack to extract resources to
const extractedStack = new Stack(app, 'ExtractedStack');

const func = new Function(appStack, 'TestLambda', {
  code: Code.fromAsset(path.join(__dirname, 'lambda-handler')),
  handler: 'index.handler',
  runtime: Runtime.PYTHON_3_11,
});
const bucket = new Bucket(appStack, 'TestBucket', {
  autoDeleteObjects: true,
  removalPolicy: RemovalPolicy.DESTROY,
});
bucket.grantReadWrite(func);

// Capture the output of app.synth()
const synthedApp = app.synth();
// Apply the ResourceExtractor Aspect
Aspects.of(app).add(
  new ResourceExtractor({
    // synthesized stacks to examine
    stackArtifacts: synthedApp.stacks,
    // Array of Cloudformation resources to extract
    resourceTypesToExtract: [
      'AWS::IAM::Role',
      'AWS::IAM::Policy',
      'AWS::IAM::ManagedPolicy',
      'AWS::IAM::InstanceProfile',
    ],
    // Destination stack for extracted resources
    extractDestinationStack: extractedStack,
  })
);
// Resynthing since ResourceExtractor has modified the app
app.synth({ force: true });

In the example above, all resources are created in the appStack, and an empty extractedStack is also created.

We apply the ResourceExtractor Aspect, specifying the Cloudformation resource types the developer is unable to deploy due to insufficient IAM permissions.

Now when we list stacks in the CDK project, we can see an added stack

$ cdk ls
MyAppStack
ExtractedStack

Taking a look at these synthesized stacks, in the ExtractedStack we'll find:

Resources:
  TestLambdaServiceRoleC28C2D9C:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: 'sts:AssumeRole'
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: 2012-10-17
      # excluding remaining properties
Outputs:
  ExportAppStackTestLambdaServiceRoleC28C2D9C:
    Value:
      'Fn::GetAtt':
        - TestLambdaServiceRoleC28C2D9C
        - Arn
    Export:
      Name: 'AppStack:TestLambdaServiceRoleC28C2D9C'  # Exported name

And inside the synthesized MyAppStack template:

Resources:
  TestLambda2F70C45E:
    Type: 'AWS::Lambda::Function'
    Properties:
      Role: !ImportValue 'AppStack:TestLambdaServiceRoleC28C2D9C'  # Using ImportValue instrinsic function to use pre-created IAM role
      # excluding remaining properties

In this scenario, a developer is able to provide an external security team with sufficient IAM privileges to deploy the ExtractedStack.

Once deployed, a developer can run cdk deploy MyAppStack without errors due to insufficient IAM privileges

Value Sharing methods

When resources are extracted from a stack, there must be a method to reference the resources that have been extracted.

There are three methods (see ResourceExtractorShareMethod enum)

  • CFN_OUTPUT
  • SSM_PARAMETER
  • API_LOOKUP
CFN_OUTPUT

The default sharing method is CFN_OUTPUT, which uses Cloudformation Export/Import to Export values in the extracted stack (see Outputs), and use the Fn::ImportValue intrinsic function to reference those values.

This works fine, but some teams may prefer a looser coupling between the extracted stack deployed by an external team and the rest of the CDK infrastructure.

SSM_PARAMETER

In this method, the extracted stack generates Parameters in AWS Systems Manager Parameter Store, and modifies the CDK application to look up the generated parameter using aws_ssm.StringParameter.valueFromLookup() at synthesis time.

Example on using this method:

import { ResourceExtractor, ResourceExtractorShareMethod } from '@cdklabs/cdk-enterprise-iac';

Aspects.of(app).add(
  new ResourceExtractor({
    stackArtifacts: synthedApp.stacks,
    resourceTypesToExtract: [
      'AWS::IAM::Role',
      'AWS::IAM::Policy',
      'AWS::IAM::ManagedPolicy',
      'AWS::IAM::InstanceProfile',
    ],
    extractDestinationStack: extractedStack,
    valueShareMethod: ResourceExtractorShareMethod.SSM_PARAMETER,  // Specify SSM_PARAMETER Method
  });
);
API_LOOKUP

The API_LOOKUP sharing method is a work in progress, and not yet supported

Resource Partials

Some resources that get extracted might reference resources that aren't yet created.

In our example CDK application we include the line

bucket.grantReadWrite(func);

This creates an AWS::IAM::Policy that includes the necessary Actions scoped down to the S3 bucket.

When the AWS::IAM::Policy is extracted, it's unable to use Ref or Fn::GetAtt to reference the S3 bucket since the S3 bucket wasn't extracted.

In this case we substitute the reference with a "partial ARN" that makes a best effort to scope the resources in the IAM policy statement to the ARN of the yet-to-be created S3 bucket.

There are multiple resource types supported out of the box (found in createDefaultTransforms). In the event you have a resource not yet supported, you'll receive a MissingTransformError. In this case you can either open an issue with the resource in question, or you can include the additionalTransforms property.

Consider the following:

const vpc = new Vpc(stack, 'TestVpc');
const db = new DatabaseInstance(stack, 'TestDb', {
  vpc,
  engine: DatabaseInstanceEngine.POSTGRES,
})
const func = new Function(stack, 'TestLambda', {
  code: Code.fromAsset(path.join(__dirname, 'lambda-handler')),
  handler: 'index.handler',
  runtime: Runtime.PYTHON_3_11,
});
db.secret?.grantRead(func)

const synthedApp = app.synth();
Aspects.of(app).add(
  new ResourceExtractor({
    extractDestinationStack: extractedStack,
    stackArtifacts: synthedApp.stacks,
    valueShareMethod: ResourceExtractorShareMethod.CFN_OUTPUT,
    resourceTypesToExtract: ['AWS::IAM::Role', 'AWS::IAM::Policy'],
    additionalTransforms: {
      'AWS::SecretsManager::SecretTargetAttachment': `arn:${Aws.PARTITION}:secretsmanager:${Aws.REGION}:${Aws.ACCOUNT_ID}:secret:some-expected-value*`,
    },
  });
);
app.synth({ force: true });

In this case, there is a AWS::SecretsManager::SecretTargetAttachment generated to complete the final link between a Secrets Manager secret and the associated database by adding the database connection information to the secret JSON, which returns the ARN of the generated secret.

In the context of extracting the IAM policy, we want to tell the ResourceExtractor how to handle the resource section of the IAM policy statement so that it is scoped down sufficiently.

In this case rather than using a Ref: LogicalIdForTheSecretTargetAttachment we construct the ARN we want to use.

Details in API.md

Generated API.md


Generated API.md below:

Expand to view API docs

CDK Enterprise IaC

Utilities for using CDK within enterprise constraints.

Install

Typescript

npm install @cdklabs/cdk-enterprise-iac

Python

pip install cdklabs.cdk-enterprise-iac

Who this project is for

Within large enterprises, builders can come up against enterprise imposed constraints when deploying on AWS.

This could be simple things such as "All IAM roles must have a specific Permissions Boundary attached".

This could also be more restrictive such as strict separation of duties, only allowing certain teams the ability to deploy specific AWS resources (e.g. Networking team can deploy VPCs, Subnets, and route tables. Security team can deploy IAM resources. Developers can deploy Compute. DBAs can deploy Databases, etc.)

Enterprises with very restrictive environments like these would benefit from taking a closer look at their policies to see how they can allow builders to safely deploy resources with less friction. However in many enterprises this is easier said than done, and builders are still expected to deliver.

This project is meant to reduce friction for builders working within these enterprise constraints while the enterprise determines what policies make the most sense for their organization, and is in no way prescriptive.

Usage

There are many tools available, all detailed in API.md.

A few examples of these tools below:

Adding permissions boundaries to all generated IAM roles

Example for AddPermissionBoundary in Typescript project.

import * as cdk from 'aws-cdk-lib';
import { MyStack } from '../lib/my-project-stack';
import { Aspects } from 'aws-cdk-lib';
import { AddPermissionBoundary } from '@cdklabs/cdk-enterprise-iac';

const app = new cdk.App();
new MyStack(app, 'MyStack');

Aspects.of(app).add(
  new AddPermissionBoundary({
    permissionsBoundaryPolicyName: 'MyPermissionBoundaryName',
    instanceProfilePrefix: 'MY_PREFIX_', // optional, Defaults to ''
    policyPrefix: 'MY_POLICY_PREFIX_', // optional, Defaults to ''
    rolePrefix: 'MY_ROLE_PREFIX_', // optional, Defaults to ''
  })
);

Example for AddPermissionBoundary in Python project.

import aws_cdk as cdk
from cdklabs.cdk_enterprise_iac import AddPermissionBoundary
from test_py.test_py_stack import TestPyStack


app = cdk.App()
TestPyStack(app, "TestPyStack")

cdk.Aspects.of(app).add(AddPermissionBoundary(
    permissions_boundary_policy_name="MyPermissionBoundaryName",
    instance_profile_prefix="MY_PREFIX_",  # optional, Defaults to ""
    policy_prefix="MY_POLICY_PREFIX_",  # optional, Defaults to ""
    role_prefix="MY_ROLE_PREFIX_"  # optional, Defaults to ""
))

app.synth()

Resource extraction

:warning: Resource extraction is in an experimental phase. Test and validate before using in production. Please open any issues found here.

In many enterprises, there are separate teams with different IAM permissions than developers deploying CDK applications.

For example there might be a networking team with permissions to deploy AWS::EC2::SecurityGroup and AWS::EC2::EIP, or a security team with permissions to deploy AWS::IAM::Role and AWS::IAM::Policy, but the developers deploying the CDK don't have those permissions.

When a developer doesn't have permissions to deploy necessary resources in their CDK application, writing good code becomes difficult to manage when a cdk deploy will quickly error due to not being able to deploy something like an AWS::IAM::Role which is foundational to any project deployed into AWS.

An enterprise should allow builders to deploy these resources via CDK for many reasons, and can use Permissions Boundaries to prevent privilege escalation. For enterprises that haven't yet utilized Permissions Boundaries, the ResourceExtractor can make it easier for builders to write good CDK while complying with enterprise policies.

Using the ResourceExtractor Aspect, developers can write their CDK code as though they had sufficient IAM permissions, but extract those resources into a separate stack for an external team to deploy on their behalf.

Take the following example stack:

import { App, Aspects, RemovalPolicy, Stack } from 'aws-cdk-lib';
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
import { Bucket } from 'aws-cdk-lib/aws-s3';

const app = new App();
const appStack = new Stack(app, 'MyAppStack');

const func = new Function(appStack, 'TestLambda', {
  code: Code.fromAsset(path.join(__dirname, 'lambda-handler')),
  handler: 'index.handler',
  runtime: Runtime.PYTHON_3_11,
});
const bucket = new Bucket(appStack, 'TestBucket', {
  autoDeleteObjects: true,
  removalPolicy: RemovalPolicy.DESTROY,
});
bucket.grantReadWrite(func);

app.synth()

The synthesized Cloudformation would include all AWS resources required, including resources a developer might not have permissions to deploy

The above example would include the following snippet in the synthesized Cloudformation

TestLambdaServiceRoleC28C2D9C:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Action: 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
      Version: 2012-10-17
    # excluding remaining properties
  TestLambda2F70C45E:
    Type: 'AWS::Lambda::Function'
    Properties:
      Role: !GetAtt
        - TestLambdaServiceRoleC28C2D9C
        - Arn
      # excluding remaining properties

While including bucket.grantReadWrite(func) in the CDK application ensures an IAM role with least privilege IAM policies for the application, the creation of IAM resources such as Roles and Policies may be restricted to a security team, resulting in the synthesized Cloudformation template not being deployable by a developer.

Using the ResourceExtractor, we can pull out an arbitrary list of Cloudformation resources that a developer doesn't have permissions to provision, and create a separate stack that can be sent to a security team.

import { App, Aspects, RemovalPolicy, Stack } from 'aws-cdk-lib';
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
import { Bucket } from 'aws-cdk-lib/aws-s3';
// Import ResourceExtractor
import { ResourceExtractor } from '@cdklabs/cdk-enterprise-iac';

const app = new App();
const appStack = new Stack(app, 'MyAppStack');
// Set up a destination stack to extract resources to
const extractedStack = new Stack(app, 'ExtractedStack');

const func = new Function(appStack, 'TestLambda', {
  code: Code.fromAsset(path.join(__dirname, 'lambda-handler')),
  handler: 'index.handler',
  runtime: Runtime.PYTHON_3_11,
});
const bucket = new Bucket(appStack, 'TestBucket', {
  autoDeleteObjects: true,
  removalPolicy: RemovalPolicy.DESTROY,
});
bucket.grantReadWrite(func);

// Capture the output of app.synth()
const synthedApp = app.synth();
// Apply the ResourceExtractor Aspect
Aspects.of(app).add(
  new ResourceExtractor({
    // synthesized stacks to examine
    stackArtifacts: synthedApp.stacks,
    // Array of Cloudformation resources to extract
    resourceTypesToExtract: [
      'AWS::IAM::Role',
      'AWS::IAM::Policy',
      'AWS::IAM::ManagedPolicy',
      'AWS::IAM::InstanceProfile',
    ],
    // Destination stack for extracted resources
    extractDestinationStack: extractedStack,
  })
);
// Resynthing since ResourceExtractor has modified the app
app.synth({ force: true });

In the example above, all resources are created in the appStack, and an empty extractedStack is also created.

We apply the ResourceExtractor Aspect, specifying the Cloudformation resource types the developer is unable to deploy due to insufficient IAM permissions.

Now when we list stacks in the CDK project, we can see an added stack

$ cdk ls
MyAppStack
ExtractedStack

Taking a look at these synthesized stacks, in the ExtractedStack we'll find:

Resources:
  TestLambdaServiceRoleC28C2D9C:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: 'sts:AssumeRole'
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: 2012-10-17
      # excluding remaining properties
Outputs:
  ExportAppStackTestLambdaServiceRoleC28C2D9C:
    Value:
      'Fn::GetAtt':
        - TestLambdaServiceRoleC28C2D9C
        - Arn
    Export:
      Name: 'AppStack:TestLambdaServiceRoleC28C2D9C'  # Exported name

And inside the synthesized MyAppStack template:

Resources:
  TestLambda2F70C45E:
    Type: 'AWS::Lambda::Function'
    Properties:
      Role: !ImportValue 'AppStack:TestLambdaServiceRoleC28C2D9C'  # Using ImportValue instrinsic function to use pre-created IAM role
      # excluding remaining properties

In this scenario, a developer is able to provide an external security team with sufficient IAM privileges to deploy the ExtractedStack.

Once deployed, a developer can run cdk deploy MyAppStack without errors due to insufficient IAM privileges

Value Sharing methods

When resources are extracted from a stack, there must be a method to reference the resources that have been extracted.

There are three methods (see ResourceExtractorShareMethod enum)

  • CFN_OUTPUT
  • SSM_PARAMETER
  • API_LOOKUP
CFN_OUTPUT

The default sharing method is CFN_OUTPUT, which uses Cloudformation Export/Import to Export values in the extracted stack (see Outputs), and use the Fn::ImportValue intrinsic function to reference those values.

This works fine, but some teams may prefer a looser coupling between the extracted stack deployed by an external team and the rest of the CDK infrastructure.

SSM_PARAMETER

In this method, the extracted stack generates Parameters in AWS Systems Manager Parameter Store, and modifies the CDK application to look up the generated parameter using aws_ssm.StringParameter.valueFromLookup() at synthesis time.

Example on using this method:

import { ResourceExtractor, ResourceExtractorShareMethod } from '@cdklabs/cdk-enterprise-iac';

Aspects.of(app).add(
  new ResourceExtractor({
    stackArtifacts: synthedApp.stacks,
    resourceTypesToExtract: [
      'AWS::IAM::Role',
      'AWS::IAM::Policy',
      'AWS::IAM::ManagedPolicy',
      'AWS::IAM::InstanceProfile',
    ],
    extractDestinationStack: extractedStack,
    valueShareMethod: ResourceExtractorShareMethod.SSM_PARAMETER,  // Specify SSM_PARAMETER Method
  });
);
API_LOOKUP

The API_LOOKUP sharing method is a work in progress, and not yet supported

Resource Partials

Some resources that get extracted might reference resources that aren't yet created.

In our example CDK application we include the line

bucket.grantReadWrite(func);

This creates an AWS::IAM::Policy that includes the necessary Actions scoped down to the S3 bucket.

When the AWS::IAM::Policy is extracted, it's unable to use Ref or Fn::GetAtt to reference the S3 bucket since the S3 bucket wasn't extracted.

In this case we substitute the reference with a "partial ARN" that makes a best effort to scope the resources in the IAM policy statement to the ARN of the yet-to-be created S3 bucket.

There are multiple resource types supported out of the box (found in createDefaultTransforms). In the event you have a resource not yet supported, you'll receive a MissingTransformError. In this case you can either open an issue with the resource in question, or you can include the additionalTransforms property.

Consider the following:

const vpc = new Vpc(stack, 'TestVpc');
const db = new DatabaseInstance(stack, 'TestDb', {
  vpc,
  engine: DatabaseInstanceEngine.POSTGRES,
})
const func = new Function(stack, 'TestLambda', {
  code: Code.fromAsset(path.join(__dirname, 'lambda-handler')),
  handler: 'index.handler',
  runtime: Runtime.PYTHON_3_11,
});
db.secret?.grantRead(func)

const synthedApp = app.synth();
Aspects.of(app).add(
  new ResourceExtractor({
    extractDestinationStack: extractedStack,
    stackArtifacts: synthedApp.stacks,
    valueShareMethod: ResourceExtractorShareMethod.CFN_OUTPUT,
    resourceTypesToExtract: ['AWS::IAM::Role', 'AWS::IAM::Policy'],
    additionalTransforms: {
      'AWS::SecretsManager::SecretTargetAttachment': `arn:${Aws.PARTITION}:secretsmanager:${Aws.REGION}:${Aws.ACCOUNT_ID}:secret:some-expected-value*`,
    },
  });
);
app.synth({ force: true });

In this case, there is a AWS::SecretsManager::SecretTargetAttachment generated to complete the final link between a Secrets Manager secret and the associated database by adding the database connection information to the secret JSON, which returns the ARN of the generated secret.

In the context of extracting the IAM policy, we want to tell the ResourceExtractor how to handle the resource section of the IAM policy statement so that it is scoped down sufficiently.

In this case rather than using a Ref: LogicalIdForTheSecretTargetAttachment we construct the ARN we want to use.

Details in API.md

Generated API.md


Generated API.md below:

Expand to view API docs

API Reference

Constructs

EcsIsoServiceAutoscaler

Creates a EcsIsoServiceAutoscaler construct.

This construct allows you to scale an ECS service in an ISO region where classic ECS Autoscaling may not be available.

Initializers
import { EcsIsoServiceAutoscaler } from '@cdklabs/cdk-enterprise-iac'

new EcsIsoServiceAutoscaler(scope: Construct, id: string, props: EcsIsoServiceAutoscalerProps)
NameTypeDescription
scopeconstructs.ConstructNo description.
idstringNo description.
propsEcsIsoServiceAutoscalerPropsNo description.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: string

propsRequired

Methods
NameDescription
toStringReturns a string representation of this construct.

toString
public toString(): string

Returns a string representation of this construct.

Static Functions
NameDescription
isConstructChecks if x is a construct.

isConstruct
import { EcsIsoServiceAutoscaler } from '@cdklabs/cdk-enterprise-iac'

EcsIsoServiceAutoscaler.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.


Properties
NameTypeDescription
nodeconstructs.NodeThe tree node.
ecsScalingManagerFunctionaws-cdk-lib.aws_lambda.FunctionNo description.

nodeRequired
public readonly node: Node;
  • Type: constructs.Node

The tree node.


ecsScalingManagerFunctionRequired
public readonly ecsScalingManagerFunction: Function;
  • Type: aws-cdk-lib.aws_lambda.Function

PopulateWithConfig

Populate a provided VPC with subnets based on a provided configuration.

Example

const mySubnetConfig: SubnetConfig[] = [
   {
     groupName: 'app',
     cidrRange: '172.31.0.0/27',
     availabilityZone: 'a',
     subnetType: subnetType.PUBLIC,
   },
   {
     groupName: 'app',
     cidrRange: '172.31.0.32/27',
     availabilityZone: 'b',
     subnetType: subnetType.PUBLIC,
   },
   {
     groupName: 'db',
     cidrRange: '172.31.0.64/27',
     availabilityZone: 'a',
     subnetType: subnetType.PRIVATE_WITH_EGRESS,
   },
   {
     groupName: 'db',
     cidrRange: '172.31.0.96/27',
     availabilityZone: 'b',
     subnetType: subnetType.PRIVATE_WITH_EGRESS,
   },
   {
     groupName: 'iso',
     cidrRange: '172.31.0.128/26',
     availabilityZone: 'a',
     subnetType: subnetType.PRIVATE_ISOLATED,
   },
   {
     groupName: 'iso',
     cidrRange: '172.31.0.196/26',
     availabilityZone: 'b',
     subnetType: subnetType.PRIVATE_ISOLATED,
   },
 ];
new PopulateWithConfig(this, "vpcPopulater", {
  vpcId: 'vpc-abcdefg1234567',
  privateRouteTableId: 'rt-abcdefg123456',
  localRouteTableId: 'rt-123456abcdefg',
  subnetConfig: mySubnetConfig,
})
Initializers
import { PopulateWithConfig } from '@cdklabs/cdk-enterprise-iac'

new PopulateWithConfig(scope: Construct, id: string, props: PopulateWithConfigProps)
NameTypeDescription
scopeconstructs.ConstructNo description.
idstringNo description.
propsPopulateWithConfigPropsNo description.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: string

propsRequired

Methods
NameDescription
toStringReturns a string representation of this construct.

toString
public toString(): string

Returns a string representation of this construct.

Static Functions
NameDescription
isConstructChecks if x is a construct.

isConstruct
import { PopulateWithConfig } from '@cdklabs/cdk-enterprise-iac'

PopulateWithConfig.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.


Properties
NameTypeDescription
nodeconstructs.NodeThe tree node.

nodeRequired
public readonly node: Node;
  • Type: constructs.Node

The tree node.


SplitVpcEvenly

Splits a VPC evenly between a provided number of AZs (3 if not defined), and attaches a provided route table to each, and labels.

Example

// with more specific properties
new SplitVpcEvenly(this, 'evenSplitVpc', {
  vpcId: 'vpc-abcdefg123456',
  vpcCidr: '172.16.0.0/16',
  routeTableId: 'rt-abcdefgh123456',
  cidrBits: '10',
  numberOfAzs: 4,
  subnetType: subnetType.PRIVATE_ISOLATED,
});
Initializers
import { SplitVpcEvenly } from '@cdklabs/cdk-enterprise-iac'

new SplitVpcEvenly(scope: Construct, id: string, props: SplitVpcEvenlyProps)
NameTypeDescription
scopeconstructs.ConstructNo description.
idstringNo description.
propsSplitVpcEvenlyPropsNo description.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: string

propsRequired

Methods
NameDescription
toStringReturns a string representation of this construct.

toString
public toString(): string

Returns a string representation of this construct.

Static Functions
NameDescription
isConstructChecks if x is a construct.

isConstruct
import { SplitVpcEvenly } from '@cdklabs/cdk-enterprise-iac'

SplitVpcEvenly.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.


Properties
NameTypeDescription
nodeconstructs.NodeThe tree node.

nodeRequired
public readonly node: Node;
  • Type: constructs.Node

The tree node.


Structs

AddCfnInitProxyProps

Properties for the proxy server to use with cfn helper commands.

Initializer
import { AddCfnInitProxyProps } from '@cdklabs/cdk-enterprise-iac'

const addCfnInitProxyProps: AddCfnInitProxyProps = { ... }
Properties
NameTypeDescription
proxyHoststringhost of your proxy.
proxyPortnumberproxy port.
proxyCredentialsaws-cdk-lib.aws_secretsmanager.ISecretJSON secret containing user and password properties to use if your proxy requires credentials http://user:password@host:port could contain sensitive data, so using a Secret.
proxyTypeProxyTypeProxy Type.

proxyHostRequired
public readonly proxyHost: string;
  • Type: string

host of your proxy.


Example

example.com
proxyPortRequired
public readonly proxyPort: number;
  • Type: number

proxy port.


Example

8080
proxyCredentialsOptional
public readonly proxyCredentials: ISecret;
  • Type: aws-cdk-lib.aws_secretsmanager.ISecret

JSON secret containing user and password properties to use if your proxy requires credentials http://user:password@host:port could contain sensitive data, so using a Secret.

Note that while the user and password won't be visible in the cloudformation template they will be in plain text inside your UserData


Example

const secret = new Secret(stack, 'TestSecret', {
 secretObjectValue: {
   user: SecretValue,
   password: SecretValue,
 },
});
proxyTypeOptional
public readonly proxyType: ProxyType;

Proxy Type.


Example

ProxyType.HTTPS

AddPermissionBoundaryProps

Properties to pass to the AddPermissionBoundary.

Initializer
import { AddPermissionBoundaryProps } from '@cdklabs/cdk-enterprise-iac'

const addPermissionBoundaryProps: AddPermissionBoundaryProps = { ... }
Properties
NameTypeDescription
permissionsBoundaryPolicyNamestringName of Permissions Boundary Policy to add to all IAM roles.
instanceProfilePrefixstringA prefix to prepend to the name of the IAM InstanceProfiles (Default: '').
policyPrefixstringA prefix to prepend to the name of the IAM Policies and ManagedPolicies (Default: '').
rolePrefixstringA prefix to prepend to the name of IAM Roles (Default: '').

permissionsBoundaryPolicyNameRequired
public readonly permissionsBoundaryPolicyName: string;
  • Type: string

Name of Permissions Boundary Policy to add to all IAM roles.


instanceProfilePrefixOptional
public readonly instanceProfilePrefix: string;
  • Type: string

A prefix to prepend to the name of the IAM InstanceProfiles (Default: '').


policyPrefixOptional
public readonly policyPrefix: string;
  • Type: string

A prefix to prepend to the name of the IAM Policies and ManagedPolicies (Default: '').


rolePrefixOptional
public readonly rolePrefix: string;
  • Type: string

A prefix to prepend to the name of IAM Roles (Default: '').


EcsIsoServiceAutoscalerProps

Initializer
import { EcsIsoServiceAutoscalerProps } from '@cdklabs/cdk-enterprise-iac'

const ecsIsoServiceAutoscalerProps: EcsIsoServiceAutoscalerProps = { ... }
Properties
NameTypeDescription
ecsClusteraws-cdk-lib.aws_ecs.ClusterThe cluster the service you wish to scale resides in.
ecsServiceaws-cdk-lib.aws_ecs.IServiceThe ECS service you wish to scale.
scaleAlarmaws-cdk-lib.aws_cloudwatch.AlarmBaseThe Cloudwatch Alarm that will cause scaling actions to be invoked, whether it's in or not in alarm will determine scale up and down actions.
maximumTaskCountnumberThe maximum number of tasks that the service will scale out to.
minimumTaskCountnumberThe minimum number of tasks the service will have.
roleaws-cdk-lib.aws_iam.IRoleOptional IAM role to attach to the created lambda to adjust the desired count on the ECS Service.
scaleInCooldownaws-cdk-lib.DurationHow long will the application wait before performing another scale in action.
scaleInIncrementnumberThe number of tasks that will scale in on scale in alarm status.
scaleOutCooldownaws-cdk-lib.DurationHow long will a the application wait before performing another scale out action.
scaleOutIncrementnumberThe number of tasks that will scale out on scale out alarm status.

ecsClusterRequired
public readonly ecsCluster: Cluster;
  • Type: aws-cdk-lib.aws_ecs.Cluster

The cluster the service you wish to scale resides in.


ecsServiceRequired
public readonly ecsService: IService;
  • Type: aws-cdk-lib.aws_ecs.IService

The ECS service you wish to scale.


scaleAlarmRequired
public readonly scaleAlarm: AlarmBase;
  • Type: aws-cdk-lib.aws_cloudwatch.AlarmBase

The Cloudwatch Alarm that will cause scaling actions to be invoked, whether it's in or not in alarm will determine scale up and down actions.

Note: composite alarms can not be generated with CFN in all regions, while this allows you to pass in a composite alarm alarm creation is outside the scope of this construct


maximumTaskCountOptional
public readonly maximumTaskCount: number;
  • Type: number
  • Default: 10

The maximum number of tasks that the service will scale out to.

Note: This does not provide any protection from scaling out above the maximum allowed in your account, set this variable and manage account quotas appropriately.


minimumTaskCountOptional
public readonly minimumTaskCount: number;
  • Type: number
  • Default: 1

The minimum number of tasks the service will have.


roleOptional
public readonly role: IRole;
  • Type: aws-cdk-lib.aws_iam.IRole
  • Default: A role is created for you with least privilege IAM policy

Optional IAM role to attach to the created lambda to adjust the desired count on the ECS Service.

Ensure this role has appropriate privileges. Example IAM policy statements:

{
  "PolicyDocument": {
    "Statement": [
      {
        "Action": "cloudwatch:DescribeAlarms",
        "Effect": "Allow",
        "Resource": "*"
      },
      {
        "Action": [
          "ecs:DescribeServices",
          "ecs:UpdateService"
        ],
        "Condition": {
          "StringEquals": {
            "ecs:cluster": "arn:${Partition}:ecs:${Region}:${Account}:cluster/${ClusterName}"
          }
        },
        "Effect": "Allow",
        "Resource": "arn:${Partition}:ecs:${Region}:${Account}:service/${ClusterName}/${ServiceName}"
      }
    ],
    "Version": "2012-10-17"
  }
}

scaleInCooldownOptional
public readonly scaleInCooldown: Duration;
  • Type: aws-cdk-lib.Duration
  • Default: 60 seconds

How long will the application wait before performing another scale in action.


scaleInIncrementOptional
public readonly scaleInIncrement: number;
  • Type: number
  • Default: 1

The number of tasks that will scale in on scale in alarm status.


scaleOutCooldownOptional
public readonly scaleOutCooldown: Duration;
  • Type: aws-cdk-lib.Duration
  • Default: 60 seconds

How long will a the application wait before performing another scale out action.


scaleOutIncrementOptional
public readonly scaleOutIncrement: number;
  • Type: number
  • Default: 1

The number of tasks that will scale out on scale out alarm status.


PopulateWithConfigProps

Initializer
import { PopulateWithConfigProps } from '@cdklabs/cdk-enterprise-iac'

const populateWithConfigProps: PopulateWithConfigProps = { ... }
Properties
NameTypeDescription
localRouteTableIdstringLocal route table ID, with routes only to local VPC.
privateRouteTableIdstringRoute table ID for a provided route table with routes to enterprise network.
subnetConfigSubnetConfig[]List of Subnet configs to provision to provision.
vpcIdstringID of the VPC provided that needs to be populated.

localRouteTableIdRequired
public readonly localRouteTableId: string;
  • Type: string

Local route table ID, with routes only to local VPC.


privateRouteTableIdRequired
public readonly privateRouteTableId: string;
  • Type: string

Route table ID for a provided route table with routes to enterprise network.

Both subnetType.PUBLIC and subnetType.PRIVATE_WITH_EGRESS will use this property


subnetConfigRequired
public readonly subnetConfig: SubnetConfig[];

List of Subnet configs to provision to provision.


vpcIdRequired
public readonly vpcId: string;
  • Type: string

ID of the VPC provided that needs to be populated.


RemoveTagsProps

Initializer
import { RemoveTagsProps } from '@cdklabs/cdk-enterprise-iac'

const removeTagsProps: RemoveTagsProps = { ... }
Properties
NameTypeDescription
cloudformationResourcestringName of Cloudformation resource Type (e.g. 'AWS::Lambda::Function').
tagPropertyNamestringName of the tag property to remove from the resource.

cloudformationResourceRequired
public readonly cloudformationResource: string;
  • Type: string

Name of Cloudformation resource Type (e.g. 'AWS::Lambda::Function').


tagPropertyNameOptional
public readonly tagPropertyName: string;
  • Type: string
  • Default: Tags

Name of the tag property to remove from the resource.


ResourceExtractorProps

Initializer
import { ResourceExtractorProps } from '@cdklabs/cdk-enterprise-iac'

const resourceExtractorProps: ResourceExtractorProps = { ... }
Properties
NameTypeDescription
extractDestinationStackaws-cdk-lib.StackStack to move found extracted resources into.
resourceTypesToExtractstring[]List of resource types to extract, ex: AWS::IAM::Role.
stackArtifactsaws-cdk-lib.cx_api.CloudFormationStackArtifact[]Synthed stack artifacts from your CDK app.
additionalTransforms{[ key: string ]: string}Additional resource transformations.
valueShareMethodResourceExtractorShareMethodThe sharing method to use when passing exported resources from the "Extracted Stack" into the original stack(s).

extractDestinationStackRequired
public readonly extractDestinationStack: Stack;
  • Type: aws-cdk-lib.Stack

Stack to move found extracted resources into.


resourceTypesToExtractRequired
public readonly resourceTypesToExtract: string[];
  • Type: string[]

List of resource types to extract, ex: AWS::IAM::Role.


stackArtifactsRequired
public readonly stackArtifacts: CloudFormationStackArtifact[];
  • Type: aws-cdk-lib.cx_api.CloudFormationStackArtifact[]

Synthed stack artifacts from your CDK app.


additionalTransformsOptional
public readonly additionalTransforms: {[ key: string ]: string};
  • Type: {[ key: string ]: string}

Additional resource transformations.


valueShareMethodOptional
public readonly valueShareMethod: ResourceExtractorShareMethod;

The sharing method to use when passing exported resources from the "Extracted Stack" into the original stack(s).


SetApiGatewayEndpointConfigurationProps

Initializer
import { SetApiGatewayEndpointConfigurationProps } from '@cdklabs/cdk-enterprise-iac'

const setApiGatewayEndpointConfigurationProps: SetApiGatewayEndpointConfigurationProps = { ... }
Properties
NameTypeDescription
endpointTypeaws-cdk-lib.aws_apigateway.EndpointTypeAPI Gateway endpoint type to override to.

endpointTypeOptional
public readonly endpointType: EndpointType;
  • Type: aws-cdk-lib.aws_apigateway.EndpointType
  • Default: EndpointType.REGIONAL

API Gateway endpoint type to override to.

Defaults to EndpointType.REGIONAL


SplitVpcEvenlyProps

Initializer
import { SplitVpcEvenlyProps } from '@cdklabs/cdk-enterprise-iac'

const splitVpcEvenlyProps: SplitVpcEvenlyProps = { ... }
Properties
NameTypeDescription
routeTableIdstringRoute Table ID that will be attached to each subnet created.
vpcCidrstringCIDR range of the VPC you're populating.
vpcIdstringID of the existing VPC you're trying to populate.
cidrBitsstringcidrBits argument for the Fn::Cidr Cloudformation intrinsic function.
numberOfAzsnumberNumber of AZs to evenly split into.
subnetTypeaws-cdk-lib.aws_ec2.SubnetTypeNo description.

routeTableIdRequired
public readonly routeTableId: string;
  • Type: string

Route Table ID that will be attached to each subnet created.


vpcCidrRequired
public readonly vpcCidr: string;
  • Type: string

CIDR range of the VPC you're populating.


vpcIdRequired
public readonly vpcId: string;
  • Type: string

ID of the existing VPC you're trying to populate.


cidrBitsOptional
public readonly cidrBits: string;
  • Type: string
  • Default: '6'

cidrBits argument for the Fn::Cidr Cloudformation intrinsic function.


numberOfAzsOptional
public readonly numberOfAzs: number;
  • Type: number
  • Default: 3

Number of AZs to evenly split into.


subnetTypeOptional
public readonly subnetType: SubnetType;
  • Type: aws-cdk-lib.aws_ec2.SubnetType
  • Default: subnetType.PRIVATE

SubnetConfig

Initializer
import { SubnetConfig } from '@cdklabs/cdk-enterprise-iac'

const subnetConfig: SubnetConfig = { ... }
Properties
NameTypeDescription
availabilityZonestringWhich availability zone the subnet should be in.
cidrRangestringCidr range of the subnet to create.
groupNamestringLogical group name of a subnet.
subnetTypeaws-cdk-lib.aws_ec2.SubnetTypeWhat SubnetType to use.

availabilityZoneRequired
public readonly availabilityZone: string;
  • Type: string

Which availability zone the subnet should be in.


cidrRangeRequired
public readonly cidrRange: string;
  • Type: string

Cidr range of the subnet to create.


groupNameRequired
public readonly groupName: string;
  • Type: string

Logical group name of a subnet.


Example

db
subnetTypeRequired
public readonly subnetType: SubnetType;
  • Type: aws-cdk-lib.aws_ec2.SubnetType

What SubnetType to use.

This will govern the aws-cdk:subnet-type tag on the subnet

SubnetTypeaws-cdk:subnet-type tag value
PRIVATE_ISOLATED'Isolated'
PRIVATE_WITH_EGRESS'Private'
PUBLIC'Public'

Classes

AddCfnInitProxy

  • Implements: aws-cdk-lib.IAspect

Add proxy configuration to Cloudformation helper functions.

Initializers
import { AddCfnInitProxy } from '@cdklabs/cdk-enterprise-iac'

new AddCfnInitProxy(props: AddCfnInitProxyProps)
NameTypeDescription
propsAddCfnInitProxyPropsNo description.

propsRequired

Methods
NameDescription
visitAll aspects can visit an IConstruct.

visit
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

AddLambdaEnvironmentVariables

  • Implements: aws-cdk-lib.IAspect

Add one or more environment variables to all lambda functions within a scope.

Initializers
import { AddLambdaEnvironmentVariables } from '@cdklabs/cdk-enterprise-iac'

new AddLambdaEnvironmentVariables(props: {[ key: string ]: string})
NameTypeDescription
props{[ key: string ]: string}: string} props - Key Value pair(s) for environment variables to add to all lambda functions.

propsRequired
  • Type: {[ key: string ]: string}

: string} props - Key Value pair(s) for environment variables to add to all lambda functions.


Methods
NameDescription
visitAll aspects can visit an IConstruct.

visit
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

AddPermissionBoundary

  • Implements: aws-cdk-lib.IAspect

A patch for Adding Permissions Boundaries to all IAM roles.

Additional options for adding prefixes to IAM role, policy and instance profile names

Can account for non commercial partitions (e.g. aws-gov, aws-cn)

Initializers
import { AddPermissionBoundary } from '@cdklabs/cdk-enterprise-iac'

new AddPermissionBoundary(props: AddPermissionBoundaryProps)
NameTypeDescription
propsAddPermissionBoundaryPropsNo description.

propsRequired

Methods
NameDescription
checkAndOverrideNo description.
visitAll aspects can visit an IConstruct.

checkAndOverride
public checkAndOverride(node: CfnResource, prefix: string, length: number, cfnProp: string, cdkProp?: string): void
nodeRequired
  • Type: aws-cdk-lib.CfnResource

prefixRequired
  • Type: string

lengthRequired
  • Type: number

cfnPropRequired
  • Type: string

cdkPropOptional
  • Type: string

visit
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

ConvertInlinePoliciesToManaged

  • Implements: aws-cdk-lib.IAspect

Patch for turning all Policies into ConvertInlinePoliciesToManaged.

Some users have policies in place that make it impossible to create inline policies. Instead, they must use managed policies.

Note that order matters with this aspect. Specifically, it should generally be added first. This is because other aspects may add overrides that would be lost if applied before this aspect since the original aspect is removed and replaced.

Example

// Replace all AWS::IAM::Policy resources with equivalent AWS::IAM::ManagedPolicy
Aspects.of(stack).add(new ConvertInlinePoliciesToManaged())
Initializers
import { ConvertInlinePoliciesToManaged } from '@cdklabs/cdk-enterprise-iac'

new ConvertInlinePoliciesToManaged()
NameTypeDescription

Methods
NameDescription
visitAll aspects can visit an IConstruct.

visit
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

RemovePublicAccessBlockConfiguration

  • Implements: aws-cdk-lib.IAspect

Looks for S3 Buckets, and removes the PublicAccessBlockConfiguration property.

For use in regions where Cloudformation doesn't support this property

Initializers
import { RemovePublicAccessBlockConfiguration } from '@cdklabs/cdk-enterprise-iac'

new RemovePublicAccessBlockConfiguration()
NameTypeDescription

Methods
NameDescription
visitAll aspects can visit an IConstruct.

visit
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

RemoveTags

  • Implements: aws-cdk-lib.IAspect

Patch for removing tags from a specific Cloudformation Resource.

In some regions, the 'Tags' property isn't supported in Cloudformation. This patch makes it easy to remove

Example

// Remove tags on a resource
Aspects.of(stack).add(new RemoveTags({
  cloudformationResource: 'AWS::ECS::Cluster',
}));
// Remove tags without the standard 'Tags' name
Aspects.of(stack).add(new RemoveTags({
  cloudformationResource: 'AWS::Backup::BackupPlan',
   tagPropertyName: 'BackupPlanTags',
}));
Initializers
import { RemoveTags } from '@cdklabs/cdk-enterprise-iac'

new RemoveTags(props: RemoveTagsProps)
NameTypeDescription
propsRemoveTagsPropsNo description.

propsRequired

Methods
NameDescription
visitAll aspects can visit an IConstruct.

visit
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

ResourceExtractor

  • Implements: aws-cdk-lib.IAspect

This Aspect takes a CDK application, all synthesized CloudFormationStackArtifact, a value share method, and a list of Cloudformation resources that should be pulled out of the main CDK application, which should be synthesized to a cloudformation template that an external team (e.g. security team) to deploy, and adjusting the CDK application to reference pre-created resources already pulled out.

Example

 const app = App()
 const stack = new Stack(app, 'MyStack');
 extractedStack = new Stack(app, 'ExtractedStack');
 const synthedApp = app.synth();
 Aspects.of(app).add(new ResourceExtractor({
   extractDestinationStack: extractedStack,
   stackArtifacts: synthedApp.stacks,
   valueShareMethod: ResourceExtractorShareMethod.CFN_OUTPUT,
   resourceTypesToExtract: [
     'AWS::IAM::Role',
     'AWS::IAM::Policy',
     'AWS::IAM::ManagedPolicy',
     'AWS::IAM::InstanceProfile',
   ],
 });
 app.synth({ force: true });
Initializers
import { ResourceExtractor } from '@cdklabs/cdk-enterprise-iac'

new ResourceExtractor(props: ResourceExtractorProps)
NameTypeDescription
propsResourceExtractorPropsNo description.

propsRequired

Methods
NameDescription
visitEntrypoint.

visit
public visit(node: IConstruct): void

Entrypoint.

nodeRequired
  • Type: constructs.IConstruct

SetApiGatewayEndpointConfiguration

  • Implements: aws-cdk-lib.IAspect

Override RestApis to use a set endpoint configuration.

Some regions don't support EDGE endpoints, and some enterprises require specific endpoint types for RestApis

Initializers
import { SetApiGatewayEndpointConfiguration } from '@cdklabs/cdk-enterprise-iac'

new SetApiGatewayEndpointConfiguration(props?: SetApiGatewayEndpointConfigurationProps)
NameTypeDescription
propsSetApiGatewayEndpointConfigurationPropsNo description.

propsOptional

Methods
NameDescription
visitAll aspects can visit an IConstruct.

visit
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

Enums

ProxyType

Whether an http-proxy or https-proxy.

Members
NameDescription
HTTP--http-proxy.
HTTPS--https-proxy.

HTTP

-http-proxy.


HTTPS

-https-proxy.


ResourceExtractorShareMethod

The available value sharing methods to pass values from the extracted stack onto the original stack(s).

Members
NameDescription
CFN_OUTPUTNo description.
SSM_PARAMETERNo description.
API_LOOKUPNo description.

CFN_OUTPUT

SSM_PARAMETER

API_LOOKUP

ResourceTransform

Members
NameDescription
STACK_NAMENo description.
LOGICAL_IDNo description.

STACK_NAME

LOGICAL_ID

API Reference

Constructs

EcsIsoServiceAutoscaler

Creates a EcsIsoServiceAutoscaler construct.

This construct allows you to scale an ECS service in an ISO region where classic ECS Autoscaling may not be available.

Initializers
import { EcsIsoServiceAutoscaler } from '@cdklabs/cdk-enterprise-iac'

new EcsIsoServiceAutoscaler(scope: Construct, id: string, props: EcsIsoServiceAutoscalerProps)
NameTypeDescription
scopeconstructs.ConstructNo description.
idstringNo description.
propsEcsIsoServiceAutoscalerPropsNo description.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: string

propsRequired

Methods
NameDescription
toStringReturns a string representation of this construct.

toString
public toString(): string

Returns a string representation of this construct.

Static Functions
NameDescription
isConstructChecks if x is a construct.

isConstruct
import { EcsIsoServiceAutoscaler } from '@cdklabs/cdk-enterprise-iac'

EcsIsoServiceAutoscaler.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.


Properties
NameTypeDescription
nodeconstructs.NodeThe tree node.
ecsScalingManagerFunctionaws-cdk-lib.aws_lambda.FunctionNo description.

nodeRequired
public readonly node: Node;
  • Type: constructs.Node

The tree node.


ecsScalingManagerFunctionRequired
public readonly ecsScalingManagerFunction: Function;
  • Type: aws-cdk-lib.aws_lambda.Function

PopulateWithConfig

Populate a provided VPC with subnets based on a provided configuration.

Example

const mySubnetConfig: SubnetConfig[] = [
   {
     groupName: 'app',
     cidrRange: '172.31.0.0/27',
     availabilityZone: 'a',
     subnetType: subnetType.PUBLIC,
   },
   {
     groupName: 'app',
     cidrRange: '172.31.0.32/27',
     availabilityZone: 'b',
     subnetType: subnetType.PUBLIC,
   },
   {
     groupName: 'db',
     cidrRange: '172.31.0.64/27',
     availabilityZone: 'a',
     subnetType: subnetType.PRIVATE_WITH_EGRESS,
   },
   {
     groupName: 'db',
     cidrRange: '172.31.0.96/27',
     availabilityZone: 'b',
     subnetType: subnetType.PRIVATE_WITH_EGRESS,
   },
   {
     groupName: 'iso',
     cidrRange: '172.31.0.128/26',
     availabilityZone: 'a',
     subnetType: subnetType.PRIVATE_ISOLATED,
   },
   {
     groupName: 'iso',
     cidrRange: '172.31.0.196/26',
     availabilityZone: 'b',
     subnetType: subnetType.PRIVATE_ISOLATED,
   },
 ];
new PopulateWithConfig(this, "vpcPopulater", {
  vpcId: 'vpc-abcdefg1234567',
  privateRouteTableId: 'rt-abcdefg123456',
  localRouteTableId: 'rt-123456abcdefg',
  subnetConfig: mySubnetConfig,
})
Initializers
import { PopulateWithConfig } from '@cdklabs/cdk-enterprise-iac'

new PopulateWithConfig(scope: Construct, id: string, props: PopulateWithConfigProps)
NameTypeDescription
scopeconstructs.ConstructNo description.
idstringNo description.
propsPopulateWithConfigPropsNo description.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: string

propsRequired

Methods
NameDescription
toStringReturns a string representation of this construct.

toString
public toString(): string

Returns a string representation of this construct.

Static Functions
NameDescription
isConstructChecks if x is a construct.

isConstruct
import { PopulateWithConfig } from '@cdklabs/cdk-enterprise-iac'

PopulateWithConfig.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.


Properties
NameTypeDescription
nodeconstructs.NodeThe tree node.

nodeRequired
public readonly node: Node;
  • Type: constructs.Node

The tree node.


SplitVpcEvenly

Splits a VPC evenly between a provided number of AZs (3 if not defined), and attaches a provided route table to each, and labels.

Example

// with more specific properties
new SplitVpcEvenly(this, 'evenSplitVpc', {
  vpcId: 'vpc-abcdefg123456',
  vpcCidr: '172.16.0.0/16',
  routeTableId: 'rt-abcdefgh123456',
  cidrBits: '10',
  numberOfAzs: 4,
  subnetType: subnetType.PRIVATE_ISOLATED,
});
Initializers
import { SplitVpcEvenly } from '@cdklabs/cdk-enterprise-iac'

new SplitVpcEvenly(scope: Construct, id: string, props: SplitVpcEvenlyProps)
NameTypeDescription
scopeconstructs.ConstructNo description.
idstringNo description.
propsSplitVpcEvenlyPropsNo description.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: string

propsRequired

Methods
NameDescription
toStringReturns a string representation of this construct.

toString
public toString(): string

Returns a string representation of this construct.

Static Functions
NameDescription
isConstructChecks if x is a construct.

isConstruct
import { SplitVpcEvenly } from '@cdklabs/cdk-enterprise-iac'

SplitVpcEvenly.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.


Properties
NameTypeDescription
nodeconstructs.NodeThe tree node.

nodeRequired
public readonly node: Node;
  • Type: constructs.Node

The tree node.


Structs

AddCfnInitProxyProps

Properties for the proxy server to use with cfn helper commands.

Initializer
import { AddCfnInitProxyProps } from '@cdklabs/cdk-enterprise-iac'

const addCfnInitProxyProps: AddCfnInitProxyProps = { ... }
Properties
NameTypeDescription
proxyHoststringhost of your proxy.
proxyPortnumberproxy port.
proxyCredentialsaws-cdk-lib.aws_secretsmanager.ISecretJSON secret containing user and password properties to use if your proxy requires credentials http://user:password@host:port could contain sensitive data, so using a Secret.
proxyTypeProxyTypeProxy Type.

proxyHostRequired
public readonly proxyHost: string;
  • Type: string

host of your proxy.


Example

example.com
proxyPortRequired
public readonly proxyPort: number;
  • Type: number

proxy port.


Example

8080
proxyCredentialsOptional
public readonly proxyCredentials: ISecret;
  • Type: aws-cdk-lib.aws_secretsmanager.ISecret

JSON secret containing user and password properties to use if your proxy requires credentials http://user:password@host:port could contain sensitive data, so using a Secret.

Note that while the user and password won't be visible in the cloudformation template they will be in plain text inside your UserData


Example

const secret = new Secret(stack, 'TestSecret', {
 secretObjectValue: {
   user: SecretValue,
   password: SecretValue,
 },
});
proxyTypeOptional
public readonly proxyType: ProxyType;

Proxy Type.


Example

ProxyType.HTTPS

AddPermissionBoundaryProps

Properties to pass to the AddPermissionBoundary.

Initializer
import { AddPermissionBoundaryProps } from '@cdklabs/cdk-enterprise-iac'

const addPermissionBoundaryProps: AddPermissionBoundaryProps = { ... }
Properties
NameTypeDescription
permissionsBoundaryPolicyNamestringName of Permissions Boundary Policy to add to all IAM roles.
instanceProfilePrefixstringA prefix to prepend to the name of the IAM InstanceProfiles (Default: '').
policyPrefixstringA prefix to prepend to the name of the IAM Policies and ManagedPolicies (Default: '').
rolePrefixstringA prefix to prepend to the name of IAM Roles (Default: '').

permissionsBoundaryPolicyNameRequired
public readonly permissionsBoundaryPolicyName: string;
  • Type: string

Name of Permissions Boundary Policy to add to all IAM roles.


instanceProfilePrefixOptional
public readonly instanceProfilePrefix: string;
  • Type: string

A prefix to prepend to the name of the IAM InstanceProfiles (Default: '').


policyPrefixOptional
public readonly policyPrefix: string;
  • Type: string

A prefix to prepend to the name of the IAM Policies and ManagedPolicies (Default: '').


rolePrefixOptional
public readonly rolePrefix: string;
  • Type: string

A prefix to prepend to the name of IAM Roles (Default: '').


EcsIsoServiceAutoscalerProps

Initializer
import { EcsIsoServiceAutoscalerProps } from '@cdklabs/cdk-enterprise-iac'

const ecsIsoServiceAutoscalerProps: EcsIsoServiceAutoscalerProps = { ... }
Properties
NameTypeDescription
ecsClusteraws-cdk-lib.aws_ecs.ClusterThe cluster the service you wish to scale resides in.
ecsServiceaws-cdk-lib.aws_ecs.IServiceThe ECS service you wish to scale.
scaleAlarmaws-cdk-lib.aws_cloudwatch.AlarmBaseThe Cloudwatch Alarm that will cause scaling actions to be invoked, whether it's in or not in alarm will determine scale up and down actions.
maximumTaskCountnumberThe maximum number of tasks that the service will scale out to.
minimumTaskCountnumberThe minimum number of tasks the service will have.
roleaws-cdk-lib.aws_iam.IRoleOptional IAM role to attach to the created lambda to adjust the desired count on the ECS Service.
scaleInCooldownaws-cdk-lib.DurationHow long will the application wait before performing another scale in action.
scaleInIncrementnumberThe number of tasks that will scale in on scale in alarm status.
scaleOutCooldownaws-cdk-lib.DurationHow long will a the application wait before performing another scale out action.
scaleOutIncrementnumberThe number of tasks that will scale out on scale out alarm status.

ecsClusterRequired
public readonly ecsCluster: Cluster;
  • Type: aws-cdk-lib.aws_ecs.Cluster

The cluster the service you wish to scale resides in.


ecsServiceRequired
public readonly ecsService: IService;
  • Type: aws-cdk-lib.aws_ecs.IService

The ECS service you wish to scale.


scaleAlarmRequired
public readonly scaleAlarm: AlarmBase;
  • Type: aws-cdk-lib.aws_cloudwatch.AlarmBase

The Cloudwatch Alarm that will cause scaling actions to be invoked, whether it's in or not in alarm will determine scale up and down actions.

Note: composite alarms can not be generated with CFN in all regions, while this allows you to pass in a composite alarm alarm creation is outside the scope of this construct


maximumTaskCountOptional
public readonly maximumTaskCount: number;
  • Type: number
  • Default: 10

The maximum number of tasks that the service will scale out to.

Note: This does not provide any protection from scaling out above the maximum allowed in your account, set this variable and manage account quotas appropriately.


minimumTaskCountOptional
public readonly minimumTaskCount: number;
  • Type: number
  • Default: 1

The minimum number of tasks the service will have.


roleOptional
public readonly role: IRole;
  • Type: aws-cdk-lib.aws_iam.IRole
  • Default: A role is created for you with least privilege IAM policy

Optional IAM role to attach to the created lambda to adjust the desired count on the ECS Service.

Ensure this role has appropriate privileges. Example IAM policy statements:

{
  "PolicyDocument": {
    "Statement": [
      {
        "Action": "cloudwatch:DescribeAlarms",
        "Effect": "Allow",
        "Resource": "*"
      },
      {
        "Action": [
          "ecs:DescribeServices",
          "ecs:UpdateService"
        ],
        "Condition": {
          "StringEquals": {
            "ecs:cluster": "arn:${Partition}:ecs:${Region}:${Account}:cluster/${ClusterName}"
          }
        },
        "Effect": "Allow",
        "Resource": "arn:${Partition}:ecs:${Region}:${Account}:service/${ClusterName}/${ServiceName}"
      }
    ],
    "Version": "2012-10-17"
  }
}

scaleInCooldownOptional
public readonly scaleInCooldown: Duration;
  • Type: aws-cdk-lib.Duration
  • Default: 60 seconds

How long will the application wait before performing another scale in action.


scaleInIncrementOptional
public readonly scaleInIncrement: number;
  • Type: number
  • Default: 1

The number of tasks that will scale in on scale in alarm status.


scaleOutCooldownOptional
public readonly scaleOutCooldown: Duration;
  • Type: aws-cdk-lib.Duration
  • Default: 60 seconds

How long will a the application wait before performing another scale out action.


scaleOutIncrementOptional
public readonly scaleOutIncrement: number;
  • Type: number
  • Default: 1

The number of tasks that will scale out on scale out alarm status.


PopulateWithConfigProps

Initializer
import { PopulateWithConfigProps } from '@cdklabs/cdk-enterprise-iac'

const populateWithConfigProps: PopulateWithConfigProps = { ... }
Properties
NameTypeDescription
localRouteTableIdstringLocal route table ID, with routes only to local VPC.
privateRouteTableIdstringRoute table ID for a provided route table with routes to enterprise network.
subnetConfigSubnetConfig[]List of Subnet configs to provision to provision.
vpcIdstringID of the VPC provided that needs to be populated.

localRouteTableIdRequired
public readonly localRouteTableId: string;
  • Type: string

Local route table ID, with routes only to local VPC.


privateRouteTableIdRequired
public readonly privateRouteTableId: string;
  • Type: string

Route table ID for a provided route table with routes to enterprise network.

Both subnetType.PUBLIC and subnetType.PRIVATE_WITH_EGRESS will use this property


subnetConfigRequired
public readonly subnetConfig: SubnetConfig[];

List of Subnet configs to provision to provision.


vpcIdRequired
public readonly vpcId: string;
  • Type: string

ID of the VPC provided that needs to be populated.


RemoveTagsProps

Initializer
import { RemoveTagsProps } from '@cdklabs/cdk-enterprise-iac'

const removeTagsProps: RemoveTagsProps = { ... }
Properties
NameTypeDescription
cloudformationResourcestringName of Cloudformation resource Type (e.g. 'AWS::Lambda::Function').
tagPropertyNamestringName of the tag property to remove from the resource.

cloudformationResourceRequired
public readonly cloudformationResource: string;
  • Type: string

Name of Cloudformation resource Type (e.g. 'AWS::Lambda::Function').


tagPropertyNameOptional
public readonly tagPropertyName: string;
  • Type: string
  • Default: Tags

Name of the tag property to remove from the resource.


ResourceExtractorProps

Initializer
import { ResourceExtractorProps } from '@cdklabs/cdk-enterprise-iac'

const resourceExtractorProps: ResourceExtractorProps = { ... }
Properties
NameTypeDescription
extractDestinationStackaws-cdk-lib.StackStack to move found extracted resources into.
resourceTypesToExtractstring[]List of resource types to extract, ex: AWS::IAM::Role.
stackArtifactsaws-cdk-lib.cx_api.CloudFormationStackArtifact[]Synthed stack artifacts from your CDK app.
additionalTransforms{[ key: string ]: string}Additional resource transformations.
valueShareMethodResourceExtractorShareMethodThe sharing method to use when passing exported resources from the "Extracted Stack" into the original stack(s).

extractDestinationStackRequired
public readonly extractDestinationStack: Stack;
  • Type: aws-cdk-lib.Stack

Stack to move found extracted resources into.


resourceTypesToExtractRequired
public readonly resourceTypesToExtract: string[];
  • Type: string[]

List of resource types to extract, ex: AWS::IAM::Role.


stackArtifactsRequired
public readonly stackArtifacts: CloudFormationStackArtifact[];
  • Type: aws-cdk-lib.cx_api.CloudFormationStackArtifact[]

Synthed stack artifacts from your CDK app.


additionalTransformsOptional
public readonly additionalTransforms: {[ key: string ]: string};
  • Type: {[ key: string ]: string}

Additional resource transformations.


valueShareMethodOptional
public readonly valueShareMethod: ResourceExtractorShareMethod;

The sharing method to use when passing exported resources from the "Extracted Stack" into the original stack(s).


SetApiGatewayEndpointConfigurationProps

Initializer
import { SetApiGatewayEndpointConfigurationProps } from '@cdklabs/cdk-enterprise-iac'

const setApiGatewayEndpointConfigurationProps: SetApiGatewayEndpointConfigurationProps = { ... }
Properties
NameTypeDescription
endpointTypeaws-cdk-lib.aws_apigateway.EndpointTypeAPI Gateway endpoint type to override to.

endpointTypeOptional
public readonly endpointType: EndpointType;
  • Type: aws-cdk-lib.aws_apigateway.EndpointType
  • Default: EndpointType.REGIONAL

API Gateway endpoint type to override to.

Defaults to EndpointType.REGIONAL


SplitVpcEvenlyProps

Initializer
import { SplitVpcEvenlyProps } from '@cdklabs/cdk-enterprise-iac'

const splitVpcEvenlyProps: SplitVpcEvenlyProps = { ... }
Properties
NameTypeDescription
routeTableIdstringRoute Table ID that will be attached to each subnet created.
vpcCidrstringCIDR range of the VPC you're populating.
vpcIdstringID of the existing VPC you're trying to populate.
cidrBitsstringcidrBits argument for the Fn::Cidr Cloudformation intrinsic function.
numberOfAzsnumberNumber of AZs to evenly split into.
subnetTypeaws-cdk-lib.aws_ec2.SubnetTypeNo description.

routeTableIdRequired
public readonly routeTableId: string;
  • Type: string

Route Table ID that will be attached to each subnet created.


vpcCidrRequired
public readonly vpcCidr: string;
  • Type: string

CIDR range of the VPC you're populating.


vpcIdRequired
public readonly vpcId: string;
  • Type: string

ID of the existing VPC you're trying to populate.


cidrBitsOptional
public readonly cidrBits: string;
  • Type: string
  • Default: '6'

cidrBits argument for the Fn::Cidr Cloudformation intrinsic function.


numberOfAzsOptional
public readonly numberOfAzs: number;
  • Type: number
  • Default: 3

Number of AZs to evenly split into.


subnetTypeOptional
public readonly subnetType: SubnetType;
  • Type: aws-cdk-lib.aws_ec2.SubnetType
  • Default: subnetType.PRIVATE

SubnetConfig

Initializer
import { SubnetConfig } from '@cdklabs/cdk-enterprise-iac'

const subnetConfig: SubnetConfig = { ... }
Properties
NameTypeDescription
availabilityZonestringWhich availability zone the subnet should be in.
cidrRangestringCidr range of the subnet to create.
groupNamestringLogical group name of a subnet.
subnetTypeaws-cdk-lib.aws_ec2.SubnetTypeWhat SubnetType to use.

availabilityZoneRequired
public readonly availabilityZone: string;
  • Type: string

Which availability zone the subnet should be in.


cidrRangeRequired
public readonly cidrRange: string;
  • Type: string

Cidr range of the subnet to create.


groupNameRequired
public readonly groupName: string;
  • Type: string

Logical group name of a subnet.


Example

db
subnetTypeRequired
public readonly subnetType: SubnetType;
  • Type: aws-cdk-lib.aws_ec2.SubnetType

What SubnetType to use.

This will govern the aws-cdk:subnet-type tag on the subnet

SubnetTypeaws-cdk:subnet-type tag value
PRIVATE_ISOLATED'Isolated'
PRIVATE_WITH_EGRESS'Private'
PUBLIC'Public'

Classes

AddCfnInitProxy

  • Implements: aws-cdk-lib.IAspect

Add proxy configuration to Cloudformation helper functions.

Initializers
import { AddCfnInitProxy } from '@cdklabs/cdk-enterprise-iac'

new AddCfnInitProxy(props: AddCfnInitProxyProps)
NameTypeDescription
propsAddCfnInitProxyPropsNo description.

propsRequired

Methods
NameDescription
visitAll aspects can visit an IConstruct.

visit
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

AddLambdaEnvironmentVariables

  • Implements: aws-cdk-lib.IAspect

Add one or more environment variables to all lambda functions within a scope.

Initializers
import { AddLambdaEnvironmentVariables } from '@cdklabs/cdk-enterprise-iac'

new AddLambdaEnvironmentVariables(props: {[ key: string ]: string})
NameTypeDescription
props{[ key: string ]: string}: string} props - Key Value pair(s) for environment variables to add to all lambda functions.

propsRequired
  • Type: {[ key: string ]: string}

: string} props - Key Value pair(s) for environment variables to add to all lambda functions.


Methods
NameDescription
visitAll aspects can visit an IConstruct.

visit
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

AddPermissionBoundary

  • Implements: aws-cdk-lib.IAspect

A patch for Adding Permissions Boundaries to all IAM roles.

Additional options for adding prefixes to IAM role, policy and instance profile names

Can account for non commercial partitions (e.g. aws-gov, aws-cn)

Initializers
import { AddPermissionBoundary } from '@cdklabs/cdk-enterprise-iac'

new AddPermissionBoundary(props: AddPermissionBoundaryProps)
NameTypeDescription
propsAddPermissionBoundaryPropsNo description.

propsRequired

Methods
NameDescription
checkAndOverrideNo description.
visitAll aspects can visit an IConstruct.

checkAndOverride
public checkAndOverride(node: CfnResource, prefix: string, length: number, cfnProp: string, cdkProp?: string): void
nodeRequired
  • Type: aws-cdk-lib.CfnResource

prefixRequired
  • Type: string

lengthRequired
  • Type: number

cfnPropRequired
  • Type: string

cdkPropOptional
  • Type: string

visit
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

ConvertInlinePoliciesToManaged

  • Implements: aws-cdk-lib.IAspect

Patch for turning all Policies into ConvertInlinePoliciesToManaged.

Some users have policies in place that make it impossible to create inline policies. Instead, they must use managed policies.

Note that order matters with this aspect. Specifically, it should generally be added first. This is because other aspects may add overrides that would be lost if applied before this aspect since the original aspect is removed and replaced.

Example

// Replace all AWS::IAM::Policy resources with equivalent AWS::IAM::ManagedPolicy
Aspects.of(stack).add(new ConvertInlinePoliciesToManaged())
Initializers
import { ConvertInlinePoliciesToManaged } from '@cdklabs/cdk-enterprise-iac'

new ConvertInlinePoliciesToManaged()
NameTypeDescription

Methods
NameDescription
visitAll aspects can visit an IConstruct.

visit
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

RemovePublicAccessBlockConfiguration

  • Implements: aws-cdk-lib.IAspect

Looks for S3 Buckets, and removes the PublicAccessBlockConfiguration property.

For use in regions where Cloudformation doesn't support this property

Initializers
import { RemovePublicAccessBlockConfiguration } from '@cdklabs/cdk-enterprise-iac'

new RemovePublicAccessBlockConfiguration()
NameTypeDescription

Methods
NameDescription
visitAll aspects can visit an IConstruct.

visit
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

RemoveTags

  • Implements: aws-cdk-lib.IAspect

Patch for removing tags from a specific Cloudformation Resource.

In some regions, the 'Tags' property isn't supported in Cloudformation. This patch makes it easy to remove

Example

// Remove tags on a resource
Aspects.of(stack).add(new RemoveTags({
  cloudformationResource: 'AWS::ECS::Cluster',
}));
// Remove tags without the standard 'Tags' name
Aspects.of(stack).add(new RemoveTags({
  cloudformationResource: 'AWS::Backup::BackupPlan',
   tagPropertyName: 'BackupPlanTags',
}));
Initializers
import { RemoveTags } from '@cdklabs/cdk-enterprise-iac'

new RemoveTags(props: RemoveTagsProps)
NameTypeDescription
propsRemoveTagsPropsNo description.

propsRequired

Methods
NameDescription
visitAll aspects can visit an IConstruct.

visit
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

ResourceExtractor

  • Implements: aws-cdk-lib.IAspect

This Aspect takes a CDK application, all synthesized CloudFormationStackArtifact, a value share method, and a list of Cloudformation resources that should be pulled out of the main CDK application, which should be synthesized to a cloudformation template that an external team (e.g. security team) to deploy, and adjusting the CDK application to reference pre-created resources already pulled out.

Example

 const app = App()
 const stack = new Stack(app, 'MyStack');
 extractedStack = new Stack(app, 'ExtractedStack');
 const synthedApp = app.synth();
 Aspects.of(app).add(new ResourceExtractor({
   extractDestinationStack: extractedStack,
   stackArtifacts: synthedApp.stacks,
   valueShareMethod: ResourceExtractorShareMethod.CFN_OUTPUT,
   resourceTypesToExtract: [
     'AWS::IAM::Role',
     'AWS::IAM::Policy',
     'AWS::IAM::ManagedPolicy',
     'AWS::IAM::InstanceProfile',
   ],
 });
 app.synth({ force: true });
Initializers
import { ResourceExtractor } from '@cdklabs/cdk-enterprise-iac'

new ResourceExtractor(props: ResourceExtractorProps)
NameTypeDescription
propsResourceExtractorPropsNo description.

propsRequired

Methods
NameDescription
visitEntrypoint.

visit
public visit(node: IConstruct): void

Entrypoint.

nodeRequired
  • Type: constructs.IConstruct

SetApiGatewayEndpointConfiguration

  • Implements: aws-cdk-lib.IAspect

Override RestApis to use a set endpoint configuration.

Some regions don't support EDGE endpoints, and some enterprises require specific endpoint types for RestApis

Initializers
import { SetApiGatewayEndpointConfiguration } from '@cdklabs/cdk-enterprise-iac'

new SetApiGatewayEndpointConfiguration(props?: SetApiGatewayEndpointConfigurationProps)
NameTypeDescription
propsSetApiGatewayEndpointConfigurationPropsNo description.

propsOptional

Methods
NameDescription
visitAll aspects can visit an IConstruct.

visit
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

Enums

ProxyType

Whether an http-proxy or https-proxy.

Members
NameDescription
HTTP--http-proxy.
HTTPS--https-proxy.

HTTP

-http-proxy.


HTTPS

-https-proxy.


ResourceExtractorShareMethod

The available value sharing methods to pass values from the extracted stack onto the original stack(s).

Members
NameDescription
CFN_OUTPUTNo description.
SSM_PARAMETERNo description.
API_LOOKUPNo description.

CFN_OUTPUT

SSM_PARAMETER

API_LOOKUP

ResourceTransform

Members
NameDescription
STACK_NAMENo description.
LOGICAL_IDNo description.

STACK_NAME

LOGICAL_ID

Keywords

FAQs

Last updated on 18 May 2024

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc