-
Notifications
You must be signed in to change notification settings - Fork 4k
/
Copy pathfunction-url.ts
272 lines (240 loc) · 7.34 KB
/
function-url.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
import { Construct } from 'constructs';
import { IAlias } from './alias';
import { IFunction } from './function-base';
import { IVersion } from './lambda-version';
import { CfnUrl } from './lambda.generated';
import * as iam from '../../aws-iam';
import { Duration, IResource, Resource } from '../../core';
/**
* The auth types for a function url
*/
export enum FunctionUrlAuthType {
/**
* Restrict access to authenticated IAM users only
*/
AWS_IAM = 'AWS_IAM',
/**
* Bypass IAM authentication to create a public endpoint
*/
NONE = 'NONE',
}
/**
* The invoke modes for a Lambda function
*/
export enum InvokeMode {
/**
* Default option. Lambda invokes your function using the Invoke API operation.
* Invocation results are available when the payload is complete.
* The maximum payload size is 6 MB.
*/
BUFFERED = 'BUFFERED',
/**
* Your function streams payload results as they become available.
* Lambda invokes your function using the InvokeWithResponseStream API operation.
* The maximum response payload size is 20 MB, however, you can request a quota increase.
*/
RESPONSE_STREAM = 'RESPONSE_STREAM',
}
/**
* All http request methods
*/
export enum HttpMethod {
/**
* The GET method requests a representation of the specified resource.
*/
GET = 'GET',
/**
* The PUT method replaces all current representations of the target resource with the request payload.
*/
PUT = 'PUT',
/**
* The HEAD method asks for a response identical to that of a GET request, but without the response body.
*/
HEAD = 'HEAD',
/**
* The POST method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server.
*/
POST = 'POST',
/**
* The DELETE method deletes the specified resource.
*/
DELETE = 'DELETE',
/**
* The PATCH method applies partial modifications to a resource.
*/
PATCH = 'PATCH',
/**
* The OPTIONS method describes the communication options for the target resource.
*/
OPTIONS = 'OPTIONS',
/**
* The wildcard entry to allow all methods.
*/
ALL = '*',
}
/**
* Specifies a cross-origin access property for a function URL
*/
export interface FunctionUrlCorsOptions {
/**
* Whether to allow cookies or other credentials in requests to your function URL.
*
* @default false
*/
readonly allowCredentials?: boolean;
/**
* Headers that are specified in the Access-Control-Request-Headers header.
*
* @default - No headers allowed.
*/
readonly allowedHeaders?: string[];
/**
* An HTTP method that you allow the origin to execute.
*
* @default - [HttpMethod.ALL]
*/
readonly allowedMethods?: HttpMethod[];
/**
* One or more origins you want customers to be able to access the bucket from.
*
* @default - No origins allowed.
*/
readonly allowedOrigins?: string[];
/**
* One or more headers in the response that you want customers to be able to access from their applications.
*
* @default - No headers exposed.
*/
readonly exposedHeaders?: string[];
/**
* The time in seconds that your browser is to cache the preflight response for the specified resource.
*
* @default - Browser default of 5 seconds.
*/
readonly maxAge?: Duration;
}
/**
* A Lambda function Url
*/
export interface IFunctionUrl extends IResource {
/**
* The url of the Lambda function.
*
* @attribute FunctionUrl
*/
readonly url: string;
/**
* The ARN of the function this URL refers to
*
* @attribute FunctionArn
*/
readonly functionArn: string;
/**
* Grant the given identity permissions to invoke this Lambda Function URL
*/
grantInvokeUrl(identity: iam.IGrantable): iam.Grant;
}
/**
* Options to add a url to a Lambda function
*/
export interface FunctionUrlOptions {
/**
* The type of authentication that your function URL uses.
*
* @default FunctionUrlAuthType.AWS_IAM
*/
readonly authType?: FunctionUrlAuthType;
/**
* The cross-origin resource sharing (CORS) settings for your function URL.
*
* @default - No CORS configuration.
*/
readonly cors?: FunctionUrlCorsOptions;
/**
* The type of invocation mode that your Lambda function uses.
*
* @default InvokeMode.BUFFERED
*/
readonly invokeMode?: InvokeMode;
}
/**
* Properties for a FunctionUrl
*/
export interface FunctionUrlProps extends FunctionUrlOptions {
/**
* The function to which this url refers.
* It can also be an `Alias` but not a `Version`.
*/
readonly function: IFunction;
}
/**
* Defines a Lambda function url
*
* @resource AWS::Lambda::Url
*/
export class FunctionUrl extends Resource implements IFunctionUrl {
/**
* The url of the Lambda function.
*/
public readonly url: string;
/**
* The ARN of the function this URL refers to
*/
public readonly functionArn: string;
private readonly function: IFunction;
constructor(scope: Construct, id: string, props: FunctionUrlProps) {
super(scope, id);
if (this.instanceOfVersion(props.function)) {
throw new Error('FunctionUrl cannot be used with a Version');
}
// If the target function is an alias, then it must be configured using the underlying function
// ARN, and the alias name as a qualifier.
const { targetFunction, alias } = this.instanceOfAlias(props.function)
? { targetFunction: props.function.version.lambda, alias: props.function }
: { targetFunction: props.function, alias: undefined };
const resource: CfnUrl = new CfnUrl(this, 'Resource', {
authType: props.authType ?? FunctionUrlAuthType.AWS_IAM,
cors: props.cors ? this.renderCors(props.cors) : undefined,
invokeMode: props.invokeMode,
targetFunctionArn: targetFunction.functionArn,
qualifier: alias?.aliasName,
});
// The aliasName is a required physical name, so using it does not imply a dependency, so we
// must "manually" register the dependency, or else CFN may attempt to use before it exists.
if (alias?.node.defaultChild != null) {
resource.node.addDependency(alias.node.defaultChild);
}
this.url = resource.attrFunctionUrl;
this.functionArn = resource.attrFunctionArn;
this.function = props.function;
if (props.authType === FunctionUrlAuthType.NONE) {
props.function.addPermission('invoke-function-url', {
principal: new iam.AnyPrincipal(),
action: 'lambda:InvokeFunctionUrl',
functionUrlAuthType: props.authType,
});
}
}
public grantInvokeUrl(grantee: iam.IGrantable): iam.Grant {
return this.function.grantInvokeUrl(grantee);
}
private instanceOfVersion(fn: IFunction): fn is IVersion {
return 'version' in fn && !this.instanceOfAlias(fn);
}
private instanceOfAlias(fn: IFunction): fn is IAlias {
return 'aliasName' in fn;
}
private renderCors(cors: FunctionUrlCorsOptions): CfnUrl.CorsProperty {
if (cors.maxAge && !cors.maxAge.isUnresolved() && cors.maxAge.toSeconds() > 86400) {
throw new Error(`FunctionUrl CORS maxAge should be less than or equal to 86400 secs (got ${cors.maxAge.toSeconds()})`);
}
return {
allowCredentials: cors.allowCredentials,
allowHeaders: cors.allowedHeaders,
allowMethods: cors.allowedMethods ?? [HttpMethod.ALL],
allowOrigins: cors.allowedOrigins,
exposeHeaders: cors.exposedHeaders,
maxAge: cors.maxAge?.toSeconds(),
};
}
}