

# API Reference

AWS Solutions Constructs (Constructs) is an open-source extension of the AWS Cloud Development Kit (AWS CDK) that provides multi-service, well-architected patterns for quickly defining solutions in code to create predictable and repeatable infrastructure. The goal of Constructs is to accelerate the experience for developers to build solutions of any size using pattern-based definitions for their architecture.

The patterns defined in Constructs are high level, multi-service abstractions of AWS CDK constructs that have default configurations based on well-architected best practices. The library is organized into logical modules using object-oriented techniques to create each architectural pattern model.

The CDK is available in the following languages:
+ JavaScript, TypeScript (Node.js ≥ 10.3.0)
+ Python (Python ≥ 3.6)
+ Java (Java ≥ 1.8)

## Modules


AWS Solutions Constructs is organized into several modules. They are named like this:
+  **aws-xxx**: Well-architected pattern package for the indicated services. This package will contain constructs that contain multiple AWS CDK service modules to configure the given pattern.
+  **xxx**: Packages that don’t start with "**aws-**" are Constructs core modules that are used to configure best practice defaults for services used within the pattern library. Any function in these modules is internal and not intended to be called by clients directly; changes in implementation may result in breaking changes to the interfaces of these functions. Some of this functionality has been exposed for safe client use in the aws-constructs-factories.

## Module Contents


Modules contain the following types:
+  **Patterns** - All higher-level, multi-services constructs in this library.
+  **Other Types** - All non-construct classes, interfaces, structs and enums that exist to support the patterns.

Patterns take a set of (input) properties in their constructor; the set of properties (and which ones are required) can be seen on a pattern’s documentation page.

The pattern’s documentation page also lists the available methods to call and the properties which can be used to retrieve information about the pattern after it has been instantiated.

# aws-alb-fargate


![\[Stability:Stable\]](https://img.shields.io/badge/cfn—​resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_alb_fargate`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-alb-fargate`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.albfargate`   | 

## Overview


This AWS Solutions Construct implements an Application Load Balancer to an AWS Fargate service.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { AlbToFargate, AlbToFargateProps } from '@aws-solutions-constructs/aws-alb-fargate';
import * as acm from 'aws-cdk-lib/aws-certificatemanager';

const certificate = acm.Certificate.fromCertificateArn(
    this,
    'existing-cert',
    "arn:aws:acm:us-east-1:123456789012:certificate/11112222-3333-1234-1234-123456789012"
);

const constructProps: AlbToFargateProps = {
    ecrRepositoryArn: "arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo",
    ecrImageVersion: "latest",
    listenerProps: {
        certificates: [certificate]
    },
    publicApi: true
};

// Note - all alb constructs turn on ELB logging by default, so require that an environment including account
// and region be provided when creating the stack
//
// new MyStack(app, 'id', {env: {account: '123456789012', region: 'us-east-1' }});
new AlbToFargate(this, 'new-construct', constructProps);
```

```
from aws_solutions_constructs.aws_alb_fargate import AlbToFargate, AlbToFargateProps
from aws_cdk import (
    aws_certificatemanager as acm,
    aws_elasticloadbalancingv2 as alb,
    Stack
)
from constructs import Construct

# Obtain a pre-existing certificate from your account
certificate = acm.Certificate.from_certificate_arn(
      self,
      'existing-cert',
      "arn:aws:acm:us-east-1:123456789012:certificate/11112222-3333-1234-1234-123456789012"
    )

# Note - all alb constructs turn on ELB logging by default, so require that an environment including account
# and region be provided when creating the stack
#
# MyStack(app, 'id', env=cdk.Environment(account='123456789012', region='us-east-1'))
AlbToFargate(self, 'new-construct',
                ecr_repository_arn="arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo",
                ecr_image_version="latest",
                listener_props=alb.BaseApplicationListenerProps(
                    certificates=[certificate],
                ),
                public_api=True)
```

```
import software.constructs.Construct;
import java.util.List;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.elasticloadbalancingv2.*;
import software.amazon.awsconstructs.services.albfargate.*;

// The code that defines your stack goes here
// Obtain a pre-existing certificate from your account
ListenerCertificate listenerCertificate = ListenerCertificate
        .fromArn("arn:aws:acm:us-east-1:123456789012:certificate/11112222-3333-1234-1234-123456789012");

// Note - all alb constructs turn on ELB logging by default, so require that an environment including account
// and region be provided when creating the stack
//
// new MyStack(app, "id", StackProps.builder()
//         .env(Environment.builder()
//                 .account("123456789012")
//                 .region("us-east-1")
//                 .build())
//         .build());
new AlbToFargate(this, "AlbToFargatePattern", new AlbToFargateProps.Builder()
        .ecrRepositoryArn("arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
        .ecrImageVersion("latest")
        .listenerProps(new BaseApplicationListenerProps.Builder()
                .certificates(List.of(listenerCertificate))
                .build())
        .publicApi(true)
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  publicApi  |  boolean  |  Whether the construct is deploying a private or public API. This has implications for the VPC and ALB.  | 
|  loadBalancerProps?  |   [elasticloadbalancingv2.ApplicationLoadBalancerProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancerProps.html)   |  Optional custom properties for a new loadBalancer. Providing both this and existingLoadBalancer causes an error. This cannot specify a VPC, it will use the VPC in existingVpc or the VPC created by the construct.  | 
|  existingLoadBalancerObj?  |   [elasticloadbalancingv2.ApplicationLoadBalancer](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html)   |  Existing Application Load Balancer to incorporate into the construct architecture. Providing both this and loadBalancerProps is an error. The VPC containing this loadBalancer must match the VPC provided in existingVpc.  | 
|  listenerProps?  |   [ApplicationListenerProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListenerProps.html)   |  Props to define the listener. Must be provided when adding the listener to an ALB (e.g., when creating the ALB); may not be provided when adding a second target to an already established listener. When provided, must include either a certificate or protocol: HTTP.  | 
|  targetGroupProps?  |   [ApplicationTargetGroupProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationTargetGroupProps.html)   |  Optional custom properties for a new target group. If your application requires end to end encryption, then you should set the protocol attribute to [elb.ApplicationProtocol.HTTPS](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationProtocol.html) and use a container that can accept HTTPS traffic.  | 
|  ruleProps?  |   [AddRuleProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.AddRuleProps.html)   |  Rules for directing traffic to the target being created. Must not be specified for the first listener added to an ALB, and must be specified for the second target added to a listener. Add a second target by instantiating this construct a second time and providing the existingAlb from the first instantiation.  | 
|  vpcProps?  |   [ec2.VpcProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional custom properties for a VPC the construct will create. This VPC will be used by the new ALB and any Private Hosted Zone the construct creates (that’s why loadBalancerProps and privateHostedZoneProps can’t include a VPC). Providing both this and existingVpc causes an error.  | 
|  existingVpc?  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the construct. Providing both this and vpcProps causes an error. If the client provides an existing load balancer and/or existing Private Hosted Zone, those constructs must exist in this VPC.  | 
|  logAlbAccessLogs?  |  boolean  |  Whether to turn on Access Logs for the Application Load Balancer. Uses an S3 bucket with associated storage costs. Enabling Access Logging is a best practice. default - true  | 
|  albLoggingBucketProps?  |   [s3.BucketProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional properties to customize the bucket used to store the ALB Access Logs. Supplying this and setting logAlbAccessLogs to false is an error. @default - none  | 
|  clusterProps?  |   [ecs.ClusterProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html)   |  Optional properties to create a new ECS cluster. To provide an existing cluster, use the cluster attribute of fargateServiceProps.  | 
|  ecrRepositoryArn?  |  string  |  The arn of an ECR Repository containing the image to use to generate the containers. Either this or the image property of containerDefinitionProps must be provided. format: arn:aws:ecr:*region*:*account number*:repository/*Repository Name*   | 
|  ecrImageVersion?  |  string  |  The version of the image to use from the repository. Defaults to "Latest"   | 
|  containerDefinitionProps?  |   [ecs.ContainerDefinitionProps \| any](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html)   |  Optional props to define the container created for the Fargate Service (defaults found in fargate-defaults.ts)  | 
|  fargateTaskDefinitionProps?  |   [ecs.FargateTaskDefinitionProps \| any](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html)   |  Optional props to define the Fargate Task Definition for this construct (defaults found in fargate-defaults.ts)  | 
|  fargateServiceProps?  |   [ecs.FargateServiceProps \| any](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html)   |  Optional properties to override default values for the Fargate service. The service is set up in the Public or Isolated subnets of the VPC by default; override that (e.g., choose Private subnets) by setting vpcSubnets on this object.  | 
|  existingFargateServiceObject?  |   [ecs.FargateService](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  A Fargate Service already instantiated (probably by another Solutions Construct). If this is specified, then no props defining a new service can be provided, including: existingImageObject, ecrImageVersion, containerDefinitionProps, fargateTaskDefinitionProps, ecrRepositoryArn, fargateServiceProps, clusterProps, existingClusterInterface  | 
|  existingContainerDefinitionObject?  |   [ecs.ContainerDefinition](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  A container definition already instantiated as part of a Fargate service. This must be the container in the existingFargateServiceObject  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  vpc  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  The VPC used by the construct (whether created by the construct or provided by the client)  | 
|  loadBalancer  |   [elasticloadbalancingv2.ApplicationLoadBalancer](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html)   |  The Load Balancer used by the construct (whether created by the construct or provided by the client)  | 
|  listener  |   [elb.ApplicationListener](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListener.html)   |  The listener used by this pattern.  | 
|  service  |   [ecs.FargateService](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  The AWS Fargate service used by this construct (whether created by this construct or passed to this construct at initialization)  | 
|  container  |   [ecs.ContainerDefinition](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  The container associated with the AWS Fargate service in the service property.  | 

## Default settings


Without any overrides, the out-of-the-box implementation of the construct sets the following defaults:

### Application Load Balancer

+ Creates or configures an Application Load Balancer with:
  + Required listeners
  + New target group with routing rules if appropriate

### AWS Fargate Service

+ Sets up an AWS Fargate service as a target of the Application Load Balancer
  + Uses the existing service if provided
  + Creates a new service if none provided.
    + Service will run in isolated subnets if available, then private subnets if available and finally public subnets

## Architecture


![\[Application Load Balancer directing traffic to AWS Fargate and Amazon S3 services.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-alb-fargate.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-alb-fargate) for this pattern to view the code, read/create issues and pull requests and more.



# aws-alb-lambda


![\[Stability:Stable\]](https://img.shields.io/badge/cfn—​resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_alb_lambda`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-alb-lambda`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.alblambda`   | 

## Overview


This AWS Solutions Construct implements an Application Load Balancer to an AWS Lambda function.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { AlbToLambda, AlbToLambdaProps } from '@aws-solutions-constructs/aws-alb-lambda';
import * as acm from 'aws-cdk-lib/aws-certificatemanager';
import * as lambda from 'aws-cdk-lib/aws-lambda';

// Obtain a pre-existing certificate from your account
const certificate = acm.Certificate.fromCertificateArn(
    this,
    'existing-cert',
    "arn:aws:acm:us-east-1:123456789012:certificate/11112222-3333-1234-1234-123456789012"
);

const constructProps: AlbToLambdaProps = {
  lambdaFunctionProps: {
    code: lambda.Code.fromAsset(`lambda`),
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler'
  },
  listenerProps: {
    certificates: [certificate]
  },
  publicApi: true
};

// Note - all alb constructs turn on ELB logging by default, so require that an environment including account
// and region be provided when creating the stack
//
// new MyStack(app, 'id', {env: {account: '123456789012', region: 'us-east-1' }});
new AlbToLambda(this, 'new-construct', constructProps);
```

```
from aws_solutions_constructs.aws_alb_lambda import AlbToLambda, AlbToLambdaProps
from aws_cdk import (
    aws_certificatemanager as acm,
    aws_lambda as _lambda,
    aws_elasticloadbalancingv2 as alb,
    Stack
)
from constructs import Construct

# Obtain a pre-existing certificate from your account
certificate = acm.Certificate.from_certificate_arn(
  self,
  'existing-cert',
  "arn:aws:acm:us-east-1:123456789012:certificate/11112222-3333-1234-1234-123456789012"
)

# Note - all alb constructs turn on ELB logging by default, so require that an environment including account
# and region be provided when creating the stack
#
# MyStack(app, 'id', env=cdk.Environment(account='123456789012', region='us-east-1'))
AlbToLambda(self, 'new-construct',
            lambda_function_props=_lambda.FunctionProps(
                runtime=_lambda.Runtime.PYTHON_3_14,
                code=_lambda.Code.from_asset('lambda'),
                handler='index.handler',
            ),
            listener_props=alb.BaseApplicationListenerProps(
                certificates=[certificate]
            ),
            public_api=True)
```

```
import software.constructs.Construct;
import java.util.List;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.elasticloadbalancingv2.*;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.alblambda.*;

// Obtain a pre-existing certificate from your account
ListenerCertificate listenerCertificate = ListenerCertificate
        .fromArn("arn:aws:acm:us-east-1:123456789012:certificate/11112222-3333-1234-1234-123456789012");

// Note - all alb constructs turn on ELB logging by default, so require that an environment including account
// and region be provided when creating the stack
//
// new MyStack(app, "id", StackProps.builder()
//         .env(Environment.builder()
//                 .account("123456789012")
//                 .region("us-east-1")
//                 .build())
//         .build());
new AlbToLambda(this, "AlbToLambdaPattern", new AlbToLambdaProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .listenerProps(new BaseApplicationListenerProps.Builder()
                .certificates(List.of(listenerCertificate))
                .build())
        .publicApi(true)
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  loadBalancerProps?  |   [elasticloadbalancingv2.ApplicationLoadBalancerProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancerProps.html)   |  Optional custom properties for a new loadBalancer. Providing both this and existingLoadBalancer causes an error. This cannot specify a VPC, it will use the VPC in existingVpc or the VPC created by the construct.  | 
|  existingLoadBalancerObj?  |   [elasticloadbalancingv2.ApplicationLoadBalancer](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html)   |  Existing Application Load Balancer to incorporate into the construct architecture. Providing both this and loadBalancerProps causes an error. The VPC containing this loadBalancer must match the VPC provided in existingVpc.  | 
|  listenerProps?  |   [ApplicationListenerProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListenerProps.html)   |  Props to define the listener. Must be provided when adding the listener to an ALB (e.g., when creating the ALB); may not be provided when adding a second target to an already established listener. When provided, must include either a certificate or protocol: HTTP.  | 
|  targetProps?  |   [ApplicationTargetGroupProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationTargetGroupProps.html)   |  Optional custom properties for a new target group. While this is a standard attribute of props for ALB constructs, there are few pertinent properties for a Lambda target.  | 
|  ruleProps?  |   [AddRuleProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.AddRuleProps.html)   |  Rules for directing traffic to the target being created. May not be specified for the first listener added to an ALB, and must be specified for the second target added to a listener. Add a second target by instantiating this construct a second time and providing the existingAlb from the first instantiation.  | 
|  vpcProps?  |   [ec2.VpcProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional custom properties for a VPC the construct will create. This VPC will be used by the new ALB and any Private Hosted Zone the construct creates (that’s why loadBalancerProps and privateHostedZoneProps can’t include a VPC). Providing both this and existingVpc causes an error.  | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  existingVpc?  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the construct. Providing both this and vpcProps causes an error. If the client provides an existing load balancer and/or existing Private Hosted Zone, those constructs must exist in this VPC.  | 
|  logAlbAccessLogs?  |  boolean  |  Whether to turn on Access Logs for the Application Load Balancer. Uses an S3 bucket with associated storage costs. Enabling Access Logging is a best practice. default - true  | 
|  albLoggingBucketProps?  |   [s3.BucketProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional properties to customize the bucket used to store the ALB Access Logs. Supplying this and setting logAlbAccessLogs to false is an error. @default - none  | 
|  publicApi  |  boolean  |  Whether the construct is deploying a private or public API. This has implications for the VPC and ALB.  | 
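
The ALB-facing props in this table (`publicApi`, `listenerProps`, `logAlbAccessLogs`) are the same ones documented for aws-alb-fargate, which also carries the `targetGroupProps` note on end-to-end encryption. As an added example (not part of the Solutions Constructs library), the Python check below reads a synthesized CloudFormation template and reports where the result differs from what those props were meant to produce; the function name, finding labels and sample template are constructed for illustration.

```python
"""Audit a synthesized template for the ALB settings described in the props tables."""

ELB = "AWS::ElasticLoadBalancingV2::"


def _lb_attributes(props):
    # LoadBalancerAttributes is a list of {"Key": ..., "Value": ...} pairs.
    return {a["Key"]: str(a["Value"]).lower()
            for a in props.get("LoadBalancerAttributes", [])}


def _redirects_to_https(props):
    # An HTTP listener is acceptable when all it does is redirect to HTTPS.
    actions = props.get("DefaultActions", [])
    return bool(actions) and all(
        a.get("Type") == "redirect"
        and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
        for a in actions
    )


def audit_alb_template(template, public_api, require_tls_to_target=False):
    """Return a list of (logical_id, check, message) findings.

    public_api            -- the value passed as publicApi to the construct
    require_tls_to_target -- True when the application needs end-to-end
                             encryption (targetGroupProps protocol HTTPS)
    """
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})

        if rtype == ELB + "LoadBalancer":
            # CloudFormation treats a missing Scheme as internet-facing.
            scheme = props.get("Scheme", "internet-facing")
            expected = "internet-facing" if public_api else "internal"
            if scheme != expected:
                findings.append((logical_id, "scheme",
                                 f"scheme is {scheme}, expected {expected}"))
            if _lb_attributes(props).get("access_logs.s3.enabled") != "true":
                findings.append((logical_id, "access-logs",
                                 "ALB access logging is not enabled"))

        elif rtype == ELB + "Listener":
            if props.get("Protocol") == "HTTPS":
                if not props.get("Certificates"):
                    findings.append((logical_id, "missing-certificate",
                                     "HTTPS listener has no certificate"))
            elif not _redirects_to_https(props):
                findings.append((logical_id, "plaintext-listener",
                                 "listener serves traffic over HTTP"))

        elif rtype == ELB + "TargetGroup":
            # Lambda target groups have no protocol to check.
            if (require_tls_to_target
                    and props.get("TargetType") != "lambda"
                    and props.get("Protocol") != "HTTPS"):
                findings.append((logical_id, "plaintext-target",
                                 "traffic from ALB to target is not HTTPS"))
    return findings


# Constructed sample, shaped like a trimmed cdk.out/<StackName>.template.json.
# Logical IDs and the certificate ARN are placeholders, not real resources.
SAMPLE_TEMPLATE = {"Resources": {
    "Alb": {"Type": ELB + "LoadBalancer", "Properties": {
        "Scheme": "internet-facing",
        "LoadBalancerAttributes": [
            {"Key": "access_logs.s3.enabled", "Value": "false"}]}},
    "HttpsListener": {"Type": ELB + "Listener", "Properties": {
        "Protocol": "HTTPS", "Port": 443,
        "Certificates": [{"CertificateArn":
            "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE"}],
        "DefaultActions": [{"Type": "forward",
                            "TargetGroupArn": {"Ref": "FargateTg"}}]}},
    "RedirectListener": {"Type": ELB + "Listener", "Properties": {
        "Protocol": "HTTP", "Port": 80,
        "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
            "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]}},
    "PlainListener": {"Type": ELB + "Listener", "Properties": {
        "Protocol": "HTTP", "Port": 8080,
        "DefaultActions": [{"Type": "forward",
                            "TargetGroupArn": {"Ref": "FargateTg"}}]}},
    "FargateTg": {"Type": ELB + "TargetGroup", "Properties": {
        "TargetType": "ip", "Protocol": "HTTP", "Port": 80}},
    "LambdaTg": {"Type": ELB + "TargetGroup", "Properties": {
        "TargetType": "lambda"}},
}}

if __name__ == "__main__":
    # The stack was meant to be private with TLS all the way to the container.
    for logical_id, check, message in audit_alb_template(
            SAMPLE_TEMPLATE, public_api=False, require_tls_to_target=True):
        print(f"{logical_id}: [{check}] {message}")
```

To run it against a real stack, load the JSON template that `cdk synth` writes under `cdk.out/` and pass the same `publicApi` value the construct was given.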

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  vpc  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  The VPC used by the construct (whether created by the construct or provided by the client)  | 
|  loadBalancer  |   [elasticloadbalancingv2.ApplicationLoadBalancer](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html)   |  The Load Balancer used by the construct (whether created by the construct or provided by the client)  | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function used in the pattern.  | 
|  listener  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListener.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListener.html)   |  The listener used by this pattern.  | 

## Default settings


Without any overrides, the out-of-the-box implementation of the construct sets the following defaults:

### Application Load Balancer

+ Creates or configures an Application Load Balancer with:
  + Required listeners
  + New target group with routing rules if appropriate

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + `AWS_NODEJS_CONNECTION_REUSE_ENABLED` (for Node 10.x and higher functions)

## Architecture


![\[AWS architecture diagram showing Application Load Balancer, Lambda function, S3, and CloudWatch interactions.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-alb-lambda.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-alb-lambda) for this pattern to view the code, read/create issues and pull requests and more.



# aws-apigateway-dynamodb


![\[Stability:Stable\]](https://img.shields.io/badge/cfn—​resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_apigateway_dynamodb`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-apigateway-dynamodb`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.apigatewaydynamodb`   | 

## Overview


This AWS Solutions Construct implements an Amazon API Gateway REST API connected to an Amazon DynamoDB table.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { ApiGatewayToDynamoDBProps, ApiGatewayToDynamoDB } from "@aws-solutions-constructs/aws-apigateway-dynamodb";

new ApiGatewayToDynamoDB(this, 'test-api-gateway-dynamodb-default', {});
```

```
from aws_solutions_constructs.aws_apigateway_dynamodb import ApiGatewayToDynamoDB
from aws_cdk import Stack
from constructs import Construct

ApiGatewayToDynamoDB(self, 'test-api-gateway-dynamodb-default')
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.apigatewaydynamodb.*;

new ApiGatewayToDynamoDB(this, "test-api-gateway-dynamodb-default", new ApiGatewayToDynamoDBProps.Builder()
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  dynamoTableProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.TableProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.TableProps.html)   |  Optional user provided props to override the default props for the DynamoDB Table. Providing both this and `existingTableInterface` causes an error.  | 
|  existingTableObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html)   |  Existing instance of DynamoDB table object, providing both this and `dynamoTableProps` will cause an error.  | 
|  apiGatewayProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApiProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApiProps.html)   |  Optional - user provided props to override the default props for the API Gateway.  | 
|  createUsagePlan?  |  boolean  |  Whether to create a Usage Plan attached to the API. Must be true if apiGatewayProps.defaultMethodOptions.apiKeyRequired is true. @default - true (to match legacy behavior)  | 
|  resourceName?  |   `string`   |  Optional name of the resource on the API Gateway. Defaults to the table’s partitionKeyName  | 
|  allowCreateOperation?  |   `boolean`   |  Whether to deploy an API Gateway Method for POST HTTP operations on the DynamoDB table (i.e. dynamodb:PutItem).  | 
|  createRequestTemplate?  |   `string`   |  API Gateway Request Template for the create method for the default `application/json` content-type. This property is required if the `allowCreateOperation` property is set to true.  | 
|  additionalCreateRequestTemplates?  |   `{ [contentType: string]: string; }`   |  Optional Create Request Templates for content-types other than `application/json`. Use the `createRequestTemplate` property to set the request template for the `application/json` content-type. This property can only be specified if the `allowCreateOperation` property is set to true.  | 
|  createIntegrationResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html)   |  Optional, custom API Gateway Integration Response for the create method. This property can only be specified if the `allowCreateOperation` property is set to true.  | 
|  createMethodResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html)   |  Optional, custom API Gateway Method Responses for the create action. default: `[{ statusCode: "200", responseParameters: { "method.response.header.Content-Type": true } }, { statusCode: "500", responseParameters: { "method.response.header.Content-Type": true } }]`  | 
|  allowReadOperation?  |   `boolean`   |  Whether to deploy an API Gateway Method for GET HTTP operations on DynamoDB table (i.e. dynamodb:Query).  | 
|  readRequestTemplate?  |   `string`   |  API Gateway Request Template for the read method for the default `application/json` content-type. The default template only supports a partition key and not partition + sort keys.  | 
|  additionalReadRequestTemplates?  |   `{ [contentType: string]: string; }`   |  Optional Read Request Templates for content-types other than `application/json`. Use the `readRequestTemplate` property to set the request template for the `application/json` content-type.  | 
|  readIntegrationResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html)   |  Optional, custom API Gateway Integration Response for the read method.  | 
|  allowUpdateOperation?  |   `boolean`   |  Whether to deploy API Gateway Method for PUT HTTP operations on DynamoDB table (i.e. dynamodb:UpdateItem).  | 
|  readMethodResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html)   |  Optional, custom API Gateway Method Responses for the read action. default: `[{ statusCode: "200", responseParameters: { "method.response.header.Content-Type": true }},{ statusCode: "500", responseParameters: { "method.response.header.Content-Type": true } } ]`  | 
|  updateRequestTemplate?  |   `string`   |  API Gateway Request Template for the update method. This property is required if the `allowUpdateOperation` property is set to true.  | 
|  additionalUpdateRequestTemplates?  |   `{ [contentType: string]: string; }`   |  Optional Update Request Templates for content-types other than `application/json`. Use the `updateRequestTemplate` property to set the request template for the `application/json` content-type. This property can only be specified if the `allowUpdateOperation` property is set to true.  | 
|  updateIntegrationResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html)   |  Optional, custom API Gateway Integration Response for the update method. This property can only be specified if the `allowUpdateOperation` property is set to true.  | 
|  updateMethodResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html)   |  Optional, custom API Gateway Method Responses for the update action. default: `[{ statusCode: "200", responseParameters: { "method.response.header.Content-Type": true }},{ statusCode: "500", responseParameters: { "method.response.header.Content-Type": true } } ]`  | 
|  allowDeleteOperation?  |   `boolean`   |  Whether to deploy API Gateway Method for DELETE HTTP operations on DynamoDB table (i.e. dynamodb:DeleteItem).  | 
|  deleteRequestTemplate?  |   `string`   |  API Gateway Request Template for the delete method for the default `application/json` content-type.  | 
|  additionalDeleteRequestTemplates?  |   `{ [contentType: string]: string; }`   |  Optional Delete request templates for content-types other than `application/json`. Use the `deleteRequestTemplate` property to set the request template for the `application/json` content-type. This property can only be specified if the `allowDeleteOperation` property is set to true.  | 
|  deleteIntegrationResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html)   |  Optional, custom API Gateway Integration Response for the delete method. This property can only be specified if the `allowDeleteOperation` property is set to true.  | 
|  deleteMethodResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html)   |  Optional, custom API Gateway Method Responses for the delete action. default: `[{ statusCode: "200", responseParameters: { "method.response.header.Content-Type": true }},{ statusCode: "500", responseParameters: { "method.response.header.Content-Type": true } } ]`  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  User provided props to override the default props for the CloudWatchLogs LogGroup.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  apiGateway  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html)   |  Returns an instance of the api.RestApi created by the construct.  | 
|  apiGatewayRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for API Gateway.  | 
|  dynamoTable  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html)   |  Returns an instance of dynamodb.Table created by the construct.  | 
|  apiGatewayCloudWatchRole?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.  | 
|  apiGatewayLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.  | 

## API Gateway Request/Response Template Properties Overview


This construct allows you to implement four DynamoDB API operations, CREATE/READ/UPDATE/DELETE (corresponding to the HTTP POST/GET/PUT/DELETE requests respectively). They are completely independent and each follows the same pattern:
+ Setting `allowCreateOperation` to true will implement the `application/json` content-type with default request and response templates
+ The request template for `application/json` requests can be customized using the `createRequestTemplate` prop value
+ *Additional* request templates can be specified using the `additionalCreateRequestTemplates` prop value. Note - these DO NOT replace the `application/json` content-type
+ Customized integration responses can be specified for any content type in the `createIntegrationResponses` prop value.

Supplying any of these values without setting allowCreateOperation to true will result in an error. This pattern is the same for all four API operations.

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon API Gateway

+ Deploy an edge-optimized API endpoint
+ Enable CloudWatch logging for API Gateway
+ Configure least privilege access IAM role for API Gateway
+ Set the default authorizationType for all API methods to IAM
+ Enable X-Ray Tracing

### Amazon DynamoDB Table

+ Set the billing mode for DynamoDB Table to On-Demand (Pay per request)
+ Enable server-side encryption for DynamoDB Table using AWS managed KMS Key
+ Creates a partition key called "id" for DynamoDB Table
+ Retain the Table when deleting the CloudFormation stack
+ Enable continuous backups and point-in-time recovery

## Architecture


![\[Diagram showing data flow from code to database, with security and cloud search components.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-apigateway-dynamodb.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-apigateway-dynamodb) for this pattern to view the code, read/create issues and pull requests and more.



# aws-apigateway-iot


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_apigateway_iot`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-apigateway-iot`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.apigatewayiot`   | 

## Overview


This AWS Solutions Construct implements an Amazon API Gateway REST API connected to AWS IoT pattern.

This construct creates a scalable HTTPS proxy between API Gateway and AWS IoT. This comes in handy when wanting to allow legacy devices that do not support the MQTT or MQTT/Websocket protocol to interact with the AWS IoT platform.

This implementation enables write-only messages to be published on given MQTT topics, and also supports shadow updates of HTTPS devices to allowed things in the device registry. It does not involve Lambda functions for proxying messages, and instead relies on direct API Gateway to AWS IoT integration which supports both JSON messages as well as binary messages.

Here is a minimal deployable pattern definition. Note that the ATS endpoint for IoT must be used to avoid SSL certificate issues:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { ApiGatewayToIot } from '@aws-solutions-constructs/aws-apigateway-iot';

new ApiGatewayToIot(this, 'ApiGatewayToIotPattern', {
    iotEndpoint: 'a1234567890123-ats'
});
```

```
from aws_solutions_constructs.aws_apigateway_iot import ApiGatewayToIot
from aws_cdk import Stack
from constructs import Construct

ApiGatewayToIot(self, 'ApiGatewayToIotPattern',
    iot_endpoint='a1234567890123-ats'
)
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.apigatewayiot.*;

new ApiGatewayToIot(this, "ApiGatewayToIotPattern", new ApiGatewayToIotProps.Builder()
        .iotEndpoint("a1234567890123-ats")
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  iotEndpoint  |   `string`   |  The AWS IoT endpoint subdomain to integrate the API Gateway with (e.g a1234567890123-ats). Note that this must point to the ATS endpoint to avoid SSL certificate trust issues. The endpoint can be retrieved by running `aws iot describe-endpoint --endpoint-type iot:Data-ATS`.  | 
|  apiGatewayCreateApiKey?  |   `boolean`   |  If set to `true`, an API Key is created and associated with a UsagePlan. Users should specify the `x-api-key` header when accessing the RestApi. The default value is `false`.  | 
|  apiGatewayExecutionRole?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  IAM Role used by the API Gateway to access AWS IoT. If not specified, a default role is created with wildcard ('*') access to all topics and things.  | 
|  apiGatewayProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApiProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApiProps.html)   |  Optional user-provided props to override the default props for the API Gateway.  | 
|  createUsagePlan?  |  boolean  |  Whether to create a Usage Plan attached to the API. Must be true if apiGatewayProps.defaultMethodOptions.apiKeyRequired is true. @default - true (to match legacy behavior)  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  User provided props to override the default props for the CloudWatchLogs LogGroup.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  apiGateway  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html)   |  Returns an instance of the API Gateway REST API created by the pattern.  | 
|  apiGatewayRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for API Gateway.  | 
|  apiGatewayCloudWatchRole?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.  | 
|  apiGatewayLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon API Gateway

+ Deploy an edge-optimized API Endpoint
+ Creates API Resources with `POST` Method to publish messages to IoT Topics
+ Creates API Resources with `POST` Method to publish messages to ThingShadow & NamedShadows
+ Enable CloudWatch logging for API Gateway
+ Configure IAM role for API Gateway with access to all topics and things
+ Set the default authorizationType for all API methods to IAM
+ Enable X-Ray Tracing
+ Creates a UsagePlan and associates to `prod` stage

Below is a description of the different resources and methods exposed by the API Gateway after deploying the Construct.


| Method | Resource | Query parameter(s) | Return code(s) | Description | 
| --- | --- | --- | --- | --- | 
|   **POST**   |   `/message/<topics>`   |   **qos**   |   `200/403/500`   |  When calling this endpoint, pass the topics on which you would like to publish (e.g. `/message/device/foo`).  | 
|   **POST**   |   `/shadow/<thingName>`   |   **None**   |   `200/403/500`   |  This route updates the shadow document of a thing, given its `thingName`, using the Unnamed (classic) shadow type. The body must comply with the standard shadow structure comprising a `state` node and associated `desired` and `reported` nodes.  | 
|   **POST**   |   `/shadow/<thingName>/<shadowName>`   |   **None**   |   `200/403/500`   |  This route updates the named shadow document of a thing, given its `thingName` and the `shadowName`, using the Named shadow type. The body must comply with the standard shadow structure comprising a `state` node and associated `desired` and `reported` nodes.  | 
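
The default role for this pattern has access to all topics and things unless `apiGatewayExecutionRole` is supplied. As an added example (not part of the original documentation or the construct's own code), the TypeScript check below scans a synthesized CloudFormation template for `iot:` grants whose topic or thing ARN contains a wildcard, so that a scoped role can be verified before deployment. The template, its logical IDs and the account number are constructed sample data.

```typescript
// Added example: flag wildcard IoT grants in a synthesized CloudFormation template.
type Json = { [key: string]: unknown };
interface IotFinding { logicalId: string; action: string; resource: string; }

function asArray(value: unknown): unknown[] {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// Reduce a CloudFormation value (string, Fn::Join, Fn::Sub, Ref) to plain text.
// Intrinsic references become the token VAR so the ARN keeps its colon layout.
function toText(value: unknown): string {
  if (typeof value === 'string') return value.replace(/\$\{[^}]*\}/g, 'VAR');
  if (value !== null && typeof value === 'object') {
    const obj = value as Json;
    if ('Fn::Join' in obj) {
      const join = obj['Fn::Join'] as [string, unknown[]];
      return join[1].map(toText).join(join[0]);
    }
    if ('Fn::Sub' in obj) return toText(asArray(obj['Fn::Sub'])[0]);
    return 'VAR'; // Ref, Fn::GetAtt and other intrinsics
  }
  return '';
}

// True for "*" or for an IoT topic/thing ARN whose resource id contains a wildcard.
function isWildcardIotResource(arn: string): boolean {
  if (arn === '*') return true;
  const m = /^arn:[^:]*:iot:[^:]*:[^:]*:(topic|thing)\/(.*)$/.exec(arn);
  return m !== null && (m[2] || '').indexOf('*') !== -1;
}

// Collect policy statements from inline role policies and standalone policies.
function statementsOf(resource: Json): Json[] {
  const props = (resource['Properties'] || {}) as Json;
  const docs: unknown[] = [];
  if (resource['Type'] === 'AWS::IAM::Policy') docs.push(props['PolicyDocument']);
  if (resource['Type'] === 'AWS::IAM::Role') {
    asArray(props['Policies']).forEach(function (p) {
      docs.push((p as Json)['PolicyDocument']);
    });
  }
  let out: Json[] = [];
  docs.forEach(function (d) {
    if (d) out = out.concat(asArray((d as Json)['Statement']) as Json[]);
  });
  return out;
}

function findWildcardIotGrants(template: Json): IotFinding[] {
  const resources = (template['Resources'] || {}) as { [id: string]: Json };
  const findings: IotFinding[] = [];
  Object.keys(resources).forEach(function (logicalId) {
    const res = resources[logicalId];
    if (!res) return;
    statementsOf(res).forEach(function (stmt) {
      if (stmt['Effect'] !== 'Allow') return;
      const arns = asArray(stmt['Resource']).map(toText);
      asArray(stmt['Action']).map(toText).forEach(function (action) {
        if (action.toLowerCase().indexOf('iot:') !== 0) return; // only IoT actions
        arns.forEach(function (arn) {
          if (isWildcardIotResource(arn)) findings.push({ logicalId, action, resource: arn });
        });
      });
    });
  });
  return findings;
}

// Constructed sample shaped like `cdk synth` output; names and IDs are made up.
const SAMPLE_TEMPLATE: Json = {
  Resources: {
    DefaultApiGatewayRole: {
      Type: 'AWS::IAM::Role',
      Properties: { Policies: [{ PolicyName: 'iot-access', PolicyDocument: { Statement: [
        { Effect: 'Allow', Action: 'iot:UpdateThingShadow',
          Resource: { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iot:',
            { Ref: 'AWS::Region' }, ':', { Ref: 'AWS::AccountId' }, ':thing/*']] } },
        { Effect: 'Allow', Action: 'iot:Publish',
          Resource: { 'Fn::Sub': 'arn:${AWS::Partition}:iot:${AWS::Region}:${AWS::AccountId}:topic/*' } },
        // Not an IoT action, so the "*" resource here is out of scope for this check.
        { Effect: 'Allow', Action: 'xray:PutTraceSegments', Resource: '*' },
      ] } }] },
    },
    ScopedPolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: { PolicyDocument: { Statement: [
        { Effect: 'Allow', Action: ['iot:Publish'],
          Resource: 'arn:aws:iot:us-east-1:111122223333:topic/device/foo' },
        { Effect: 'Allow', Action: 'iot:UpdateThingShadow',
          Resource: 'arn:aws:iot:us-east-1:111122223333:thing/sensor-01' },
      ] } },
    },
  },
};

const SAMPLE_FINDINGS: IotFinding[] = findWildcardIotGrants(SAMPLE_TEMPLATE);
```

Run it against the JSON that `cdk synth` writes to `cdk.out`; an empty result means every IoT grant names specific topics and things.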

## Architecture


![\[IoT architecture diagram showing device, API Gateway, IoT Core, and related components.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-apigateway-iot.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-apigateway-iot) for this pattern to view the code, read/create issues and pull requests and more.



# aws-apigateway-kinesisstreams


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_apigateway_kinesisstreams`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-apigateway-kinesisstreams`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.apigatewaykinesisstreams`   | 

## Overview


This AWS Solutions Construct implements an Amazon API Gateway connected to an Amazon Kinesis Data Stream pattern.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { ApiGatewayToKinesisStreams, ApiGatewayToKinesisStreamsProps } from '@aws-solutions-constructs/aws-apigateway-kinesisstreams';

new ApiGatewayToKinesisStreams(this, 'test-apigw-kinesis', {});
```

```
from aws_solutions_constructs.aws_apigateway_kinesisstreams import ApiGatewayToKinesisStreams
from aws_cdk import Stack
from constructs import Construct

ApiGatewayToKinesisStreams(self, 'test-apigw-kinesis')
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.apigatewaykinesisstreams.*;

new ApiGatewayToKinesisStreams(this, "test-apigw-kinesis", new ApiGatewayToKinesisStreamsProps.Builder()
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  apiGatewayProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApiProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApiProps.html)   |  Optional - user provided props to override the default props for the API Gateway.  | 
|  putRecordRequestTemplate?  |   `string`   |  API Gateway request template for the PutRecord action. If not provided, a default one will be used.  | 
|  createUsagePlan?  |  boolean  |  Whether to create a Usage Plan attached to the API. Must be true if apiGatewayProps.defaultMethodOptions.apiKeyRequired is true. @default - true (to match legacy behavior)  | 
|  additionalPutRecordRequestTemplates?  |   `{ [contentType: string]: string; }`   |  Optional PutRecord Request Templates for content-types other than `application/json`. Use the `putRecordRequestTemplate` property to set the request template for the `application/json` content-type.  | 
|  putRecordRequestModel?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.ModelOptions.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.ModelOptions.html)   |  API Gateway request model for the PutRecord action. If not provided, a default one will be created.  | 
|  putRecordIntegrationResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html)   |  Optional, custom API Gateway Integration Response for the PutRecord action.  | 
|  putRecordMethodResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html)   |  Optional, custom API Gateway Method Responses for the putRecord action. default: `[{ statusCode: "200", responseParameters: { "method.response.header.Content-Type": true }},{ statusCode: "500", responseParameters: { "method.response.header.Content-Type": true } } ]`  | 
|  putRecordsRequestTemplate?  |   `string`   |  API Gateway request template for the PutRecords action. If not provided, a default one will be used.  | 
|  additionalPutRecordsRequestTemplates?  |   `{ [contentType: string]: string; }`   |  Optional PutRecords Request Templates for content-types other than `application/json`. Use the `putRecordsRequestTemplate` property to set the request template for the `application/json` content-type.  | 
|  putRecordsRequestModel?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.ModelOptions.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.ModelOptions.html)   |  API Gateway request model for the PutRecords action. If not provided, a default one will be created.  | 
|  putRecordsIntegrationResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html)   |  Optional, custom API Gateway Integration Response for the PutRecords action.  | 
|  putRecordsMethodResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html)   |  Optional, custom API Gateway Method Responses for the putRecords action. default: `[{ statusCode: "200", responseParameters: { "method.response.header.Content-Type": true }},{ statusCode: "500", responseParameters: { "method.response.header.Content-Type": true } } ]`  | 
|  existingStreamObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  Existing instance of Kinesis Stream, providing both this and `kinesisStreamProps` will cause an error.  | 
|  kinesisStreamProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html)   |  Optional user-provided props to override the default props for the Kinesis stream.  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  User provided props to override the default props for the CloudWatchLogs LogGroup.  | 
|  createCloudWatchAlarms  |   `boolean`   |  Whether to create recommended CloudWatch alarms for Kinesis Data Stream. Default value is set to `true`   | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  apiGateway  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html)   |  Returns an instance of the API Gateway REST API created by the pattern.  | 
|  apiGatewayRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for API Gateway.  | 
|  apiGatewayCloudWatchRole?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.  | 
|  apiGatewayLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.  | 
|  kinesisStream  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  Returns an instance of the Kinesis stream created or used by the pattern.  | 
|  cloudwatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns an array of recommended CloudWatch Alarms created by the construct for Kinesis Data stream  | 

## Sample API Usage



|  **Method**  |  **Request Path**  |  **Request Body**  |  **Stream Action**  |  **Description**  | 
| --- | --- | --- | --- | --- | 
|  POST  |   `/record`   |   `{ "data": "Hello World!", "partitionKey": "pk001" }`   |   `kinesis:PutRecord`   |  Writes a single data record into the stream.  | 
|  POST  |   `/records`   |   `{ "records": [{ "data": "abc", "partitionKey": "pk001" }, { "data": "xyz", "partitionKey": "pk001" }] }`   |   `kinesis:PutRecords`   |  Writes multiple data records into the stream in a single call.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon API Gateway

+ Deploy an edge-optimized API endpoint
+ Enable CloudWatch logging for API Gateway
+ Configure least privilege access IAM role for API Gateway
+ Set the default authorizationType for all API methods to IAM
+ Enable X-Ray Tracing
+ Validate request body before passing data to Kinesis

### Amazon Kinesis Data Stream

+ Configure least privilege access IAM role for Kinesis Stream
+ Enable server-side encryption for Kinesis Stream using AWS Managed KMS Key

## Architecture


![\[Diagram showing data flow between cloud search, code analysis, and network components.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-apigateway-kinesisstreams.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-apigateway-kinesisstreams) for this pattern to view the code, read/create issues and pull requests and more.



# aws-apigateway-lambda


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_apigateway_lambda`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-apigateway-lambda`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.apigatewaylambda`   | 

## Overview


This AWS Solutions Construct implements an Amazon API Gateway REST API connected to an AWS Lambda function pattern.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { ApiGatewayToLambda } from '@aws-solutions-constructs/aws-apigateway-lambda';
import * as lambda from 'aws-cdk-lib/aws-lambda';

new ApiGatewayToLambda(this, 'ApiGatewayToLambdaPattern', {
  lambdaFunctionProps: {
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler',
    code: lambda.Code.fromAsset(`lambda`)
  }
});
```

```
from aws_solutions_constructs.aws_apigateway_lambda import ApiGatewayToLambda
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

ApiGatewayToLambda(self, 'ApiGatewayToLambdaPattern',
            lambda_function_props=_lambda.FunctionProps(
                runtime=_lambda.Runtime.PYTHON_3_14,
                handler='index.handler',
                code=_lambda.Code.from_asset('lambda')
            )
            )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.apigatewaylambda.*;

new ApiGatewayToLambda(this, "ApiGatewayToLambdaPattern", new ApiGatewayToLambdaProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  apiGatewayProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.LambdaRestApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.LambdaRestApi.html)   |  Optional - user-provided props to override the default props for the API Gateway API.  | 
|  createUsagePlan?  |  boolean  |  Whether to create a Usage Plan attached to the API. Must be true if apiGatewayProps.defaultMethodOptions.apiKeyRequired is true. @default - true (to match legacy behavior)  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  User provided props to override the default props for the CloudWatchLogs LogGroup.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  apiGateway  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.LambdaRestApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.LambdaRestApi.html)   |  Returns an instance of the API Gateway REST API created by the pattern.  | 
|  apiGatewayCloudWatchRole?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.  | 
|  apiGatewayLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon API Gateway

+ Deploy an edge-optimized API endpoint
+ Enable CloudWatch logging for API Gateway
+ Configure least privilege access IAM role for API Gateway
+ Set the default authorizationType for all API methods to IAM
+ Enable X-Ray Tracing

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)
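
Overrides passed through `apiGatewayProps` can replace the IAM authorization default listed above, and `apiKeyRequired` requires `createUsagePlan` to remain true. This added example (not the construct's own code) audits a synthesized CloudFormation template for both conditions; the template and its logical IDs are constructed sample data.

```typescript
// Added example: audit API Gateway methods in a synthesized CloudFormation template.
type CfnResource = { Type: string; Properties?: { [key: string]: unknown } };
type CfnTemplate = { Resources: { [logicalId: string]: CfnResource } };
interface MethodFinding { logicalId: string; httpMethod: string; issue: string; }

function auditMethods(template: CfnTemplate): MethodFinding[] {
  const ids = Object.keys(template.Resources);
  // An API key is only enforced when a usage plan exists to associate it with.
  const hasUsagePlan = ids.some(function (id) {
    const res = template.Resources[id];
    return res !== undefined && res.Type === 'AWS::ApiGateway::UsagePlan';
  });
  const findings: MethodFinding[] = [];
  ids.forEach(function (logicalId) {
    const res = template.Resources[logicalId];
    if (!res || res.Type !== 'AWS::ApiGateway::Method') return;
    const props = res.Properties || {};
    const httpMethod = String(props['HttpMethod'] || '');
    // CloudFormation treats a missing AuthorizationType as no authorization.
    const auth = String(props['AuthorizationType'] || 'NONE');
    // CORS preflight requests carry no credentials, so OPTIONS + NONE is expected.
    const isPreflight = httpMethod === 'OPTIONS' && auth === 'NONE';
    if (auth !== 'AWS_IAM' && !isPreflight) {
      findings.push({
        logicalId, httpMethod,
        issue: 'authorizationType is ' + auth + ', not the AWS_IAM default',
      });
    }
    if (props['ApiKeyRequired'] === true && !hasUsagePlan) {
      findings.push({
        logicalId, httpMethod,
        issue: 'apiKeyRequired is set but the template has no usage plan',
      });
    }
  });
  return findings;
}

// Constructed sample: one default method, one preflight, one weakened override.
const SAMPLE_API_TEMPLATE: CfnTemplate = {
  Resources: {
    RestApi: { Type: 'AWS::ApiGateway::RestApi', Properties: { Name: 'demo' } },
    ProxyAny: {
      Type: 'AWS::ApiGateway::Method',
      Properties: { HttpMethod: 'ANY', AuthorizationType: 'AWS_IAM' },
    },
    Preflight: {
      Type: 'AWS::ApiGateway::Method',
      Properties: { HttpMethod: 'OPTIONS', AuthorizationType: 'NONE' },
    },
    PublicPost: {
      Type: 'AWS::ApiGateway::Method',
      Properties: { HttpMethod: 'POST', AuthorizationType: 'NONE', ApiKeyRequired: true },
    },
  },
};

const SAMPLE_METHOD_FINDINGS: MethodFinding[] = auditMethods(SAMPLE_API_TEMPLATE);
```

A method that uses a Cognito or custom authorizer is also reported, since it departs from the pattern default; treat that finding as a prompt to confirm the override was intended.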

## Architecture


![\[Diagram showing interaction between Amazon API Gateway, AWS Lambda, and Amazon CloudWatch with roles.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-apigateway-lambda.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-apigateway-lambda) for this pattern to view the code, read/create issues and pull requests and more.



# aws-apigateway-sagemakerendpoint


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_apigateway_sagemakerendpoint`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-apigateway-sagemakerendpoint`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.apigatewaysagemakerendpoint`   | 

## Overview


This AWS Solutions Construct implements an Amazon API Gateway connected to an Amazon SageMaker endpoint pattern.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { ApiGatewayToSageMakerEndpoint, ApiGatewayToSageMakerEndpointProps } from '@aws-solutions-constructs/aws-apigateway-sagemakerendpoint';

// Below is an example VTL (Velocity Template Language) mapping template for mapping the API GET request to the SageMaker POST request.
// VTL directives are written without a space after '#', and the separating comma follows each item.
const requestTemplate = `
{
    "instances": [
        #set( $user_id = $input.params("user_id") )
        #set( $items = $input.params("items") )
        #foreach( $item in $items.split(",") )
        {"in0": [$user_id], "in1": [$item]}#if( $foreach.hasNext ),#end
            $esc.newline
        #end
    ]
}`;

// Replace 'my-endpoint' with your Sagemaker Inference Endpoint
new ApiGatewayToSageMakerEndpoint(this, 'test-apigw-sagemakerendpoint', {
  endpointName: 'my-endpoint',
  resourcePath: '{user_id}',
  requestMappingTemplate: requestTemplate
});
```

```
from aws_solutions_constructs.aws_apigateway_sagemakerendpoint import ApiGatewayToSageMakerEndpoint
from aws_cdk import Stack
from constructs import Construct

# Below is an example VTL (Velocity Template Language) mapping template for mapping the API GET request to the SageMaker POST request.
# VTL directives are written without a space after '#', and the separating comma follows each item.
request_template = """
{
    "instances": [
        #set( $user_id = $input.params("user_id") )
        #set( $items = $input.params("items") )
        #foreach( $item in $items.split(",") )
        {"in0": [$user_id], "in1": [$item]}#if( $foreach.hasNext ),#end
            $esc.newline
        #end
    ]
}"""

# Replace 'my-endpoint' with your Sagemaker Inference Endpoint
ApiGatewayToSageMakerEndpoint(self, 'test-apigw-sagemakerendpoint',
                                endpoint_name='my-endpoint',
                                resource_path='{user_id}',
                                request_mapping_template=request_template
                                )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.apigatewaysagemakerendpoint.*;

// Create an example VTL (Velocity Template Language) mapping template for mapping the API GET request to the SageMaker POST request.
// VTL directives are written without a space after '#', and the separating comma follows each item.
final String requestTemplate = "{"
        + "\"instances\": ["
        + "#set( $user_id = $input.params(\"user_id\") )"
        + "#set( $items = $input.params(\"items\") )"
        + "#foreach( $item in $items.split(\",\") )"
        + "{\"in0\": [$user_id], \"in1\": [$item]}"
        + "#if( $foreach.hasNext ),#end"
        + "    $esc.newline"
        + "#end"
        + "]"
        + "}";

// Replace "my-endpoint" with your SageMaker Inference Endpoint
new ApiGatewayToSageMakerEndpoint(this, "ApiGatewayToSageMakerEndpointPattern",
        new ApiGatewayToSageMakerEndpointProps.Builder()
                .endpointName("my-endpoint")
                .resourcePath("{user_id}")
                .requestMappingTemplate(requestTemplate)
                .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  apiGatewayProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApiProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApiProps.html)   |  Optional - user provided props to override the default props for the API Gateway.  | 
|  createUsagePlan?  |   `boolean`   |  Whether to create a Usage Plan attached to the API. Must be true if apiGatewayProps.defaultMethodOptions.apiKeyRequired is true. @default - true (to match legacy behavior)  | 
|  apiGatewayExecutionRole?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  IAM Role used by API Gateway to invoke the SageMaker endpoint. If not specified, a default role is created with access to `endpointName`.  | 
|  endpointName  |   `string`   |  Name of the deployed SageMaker inference endpoint.  | 
|  resourceName?  |   `string`   |  Optional resource name where the GET method will be available.  | 
|  resourcePath  |   `string`   |  Resource path for the GET method. The variable defined here can be referenced in `requestMappingTemplate`.  | 
|  requestMappingTemplate  |   `string`   |  Mapping template to convert GET requests for the default `application/json` content-type received on the REST API to POST requests expected by the SageMaker endpoint.  | 
|  additionalRequestTemplates  |   `{ [contentType: string]: string; }`   |  Optional Request Templates for content-types other than `application/json`. Use the `requestMappingTemplate` property to set the request template for the `application/json` content-type.  | 
|  responseMappingTemplate?  |   `string`   |  Optional mapping template to convert responses received from the SageMaker endpoint.  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  User provided props to override the default props for the CloudWatchLogs LogGroup.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  apiGateway  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html)   |  Returns an instance of the API Gateway REST API created by the pattern.  | 
|  apiGatewayRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for API Gateway.  | 
|  apiGatewayCloudWatchRole?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.  | 
|  apiGatewayLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.  | 

## Sample API Usage


 **Note**: Each SageMaker endpoint is unique, and the response from the API will depend on the deployed model. The example given below assumes the sample from [this blog post](https://aws.amazon.com/blogs/machine-learning/creating-a-machine-learning-powered-rest-api-with-amazon-api-gateway-mapping-templates-and-amazon-sagemaker/). For a reference on how that’d be implemented, please refer to [integ.apigateway-sagemakerendpoint-overwrite.ts](test/integ.apigateway-sagemakerendpoint-overwrite.ts).


|  **Method**  |  **Request Path**  |  **Query String**  |  **SageMaker Action**  |  **Description**  | 
| --- | --- | --- | --- | --- | 
|  GET  |   `/321`   |   `items=101,131,162`   |   `sagemaker:InvokeEndpoint`   |  Retrieves the predictions for a specific user and items.  | 
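
The body that the mapping template from the Overview produces for the sample request in this table, emulated in Python. This is an added example, not code from the Constructs library and not the API Gateway VTL engine; the function names and the integer-only assumption are this example's own.

```python
import json
import re

# Assumption of this example: the model takes integer IDs, as in the sample request.
# Leading zeros are rejected because "0101" is not a valid JSON number.
_JSON_INT = re.compile(r"-?(0|[1-9]\d*)")


def render_sagemaker_body(user_id, items):
    """Emulate the mapping template: one {"in0": [user], "in1": [item]} per item.

    The template writes both values into the JSON body unquoted, so the result
    is valid JSON only for numeric input; anything else is rejected here.
    """
    parts = items.split(",")
    bad = [v for v in [user_id] + parts if not _JSON_INT.fullmatch(v)]
    if bad:
        raise ValueError(f"non-integer parameter(s): {bad!r}")
    rows = ",\n".join(
        f'    {{"in0": [{user_id}], "in1": [{item}]}}' for item in parts
    )
    return '{\n    "instances": [\n' + rows + "\n    ]\n}"


def sample_request_body():
    """Parsed body for the table's sample request: GET /321?items=101,131,162."""
    return json.loads(render_sagemaker_body("321", "101,131,162"))


if __name__ == "__main__":
    print(render_sagemaker_body("321", "101,131,162"))
```
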

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon API Gateway

+ Deploy an edge-optimized API endpoint
+ Enable CloudWatch logging for API Gateway
+ Configure least privilege access IAM role for API Gateway
+ Set the default authorizationType for all API methods to IAM
+ Enable X-Ray Tracing
+ Validate request parameters before passing data to SageMaker

## Architecture


![\[Diagram showing Amazon CloudWatch, API Gateway, SageMaker AI endpoint, and IAM roles connections.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-apigateway-sagemakerendpoint.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-apigateway-sagemakerendpoint) for this pattern to view the code, read/create issues and pull requests and more.



# aws-apigateway-sqs


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_apigateway_sqs`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-apigateway-sqs`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.apigatewaysqs`   | 

## Overview


This AWS Solutions Construct implements an Amazon API Gateway connected to an Amazon SQS queue pattern.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { ApiGatewayToSqs, ApiGatewayToSqsProps } from "@aws-solutions-constructs/aws-apigateway-sqs";

new ApiGatewayToSqs(this, 'ApiGatewayToSqsPattern', {});
```

```
from aws_solutions_constructs.aws_apigateway_sqs import ApiGatewayToSqs
from aws_cdk import Stack
from constructs import Construct

ApiGatewayToSqs(self, 'ApiGatewayToSqsPattern')
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.apigatewaysqs.*;

new ApiGatewayToSqs(this, "ApiGatewayToSqsPattern", new ApiGatewayToSqsProps.Builder()
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  apiGatewayProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApiProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApiProps.html)   |  Optional - user provided props to override the default props for the API Gateway.  | 
|  createUsagePlan?  |   `boolean`   |  Whether to create a Usage Plan attached to the API. Must be true if apiGatewayProps.defaultMethodOptions.apiKeyRequired is true. @default - true (to match legacy behavior)  | 
|  queueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional - user provided properties to override the default properties for the SQS queue. Providing both this and `existingQueueObj` will cause an error.  | 
|  deployDeadLetterQueue?  |   `boolean`   |  Whether to deploy a secondary queue to be used as a dead letter queue. Defaults to `true`.  | 
|  maxReceiveCount  |   `number`   |  The number of times a message can be unsuccessfully dequeued before being moved to the dead-letter queue.  | 
|  allowCreateOperation?  |   `boolean`   |  Whether to deploy an API Gateway Method for POST HTTP operations on the queue (i.e. sqs:SendMessage).  | 
|  createRequestTemplate?  |   `string`   |  API Gateway Request Template for the create method for the default `application/json` content-type. This property is required if the `allowCreateOperation` property is set to true.  | 
|  additionalCreateRequestTemplates?  |   `{ [contentType: string]: string; }`   |  Optional Create Request Templates for content-types other than `application/json`. Use the `createRequestTemplate` property to set the request template for the `application/json` content-type. This property can only be specified if the `allowCreateOperation` property is set to true.  | 
|  createIntegrationResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html)   |  Optional, custom API Gateway Integration Response for the create method. This property can only be specified if the `allowCreateOperation` property is set to true.  | 
|  createMethodResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html)   |  Optional, custom API Gateway Method Responses for the create action. default: `[{ statusCode: "200", responseParameters: { "method.response.header.Content-Type": true }},{ statusCode: "500", responseParameters: { "method.response.header.Content-Type": true } } ]`  | 
|  allowReadOperation?  |   `boolean`   |  Whether to deploy an API Gateway Method for GET HTTP operations on the queue (i.e. sqs:ReceiveMessage).  | 
|  readRequestTemplate?  |   `string`   |  API Gateway Request Template for the read method for the default `application/json` content-type.  | 
|  additionalReadRequestTemplates?  |   `{ [contentType: string]: string; }`   |  Optional Read Request Templates for content-types other than `application/json`. Use the `readRequestTemplate` property to set the request template for the `application/json` content-type.  | 
|  readIntegrationResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html)   |  Optional, custom API Gateway Integration Response for the read method.  | 
|  readMethodResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html)   |  Optional, custom API Gateway Method Responses for the read action. default: `[{ statusCode: "200", responseParameters: { "method.response.header.Content-Type": true }},{ statusCode: "500", responseParameters: { "method.response.header.Content-Type": true } } ]`  | 
|  allowDeleteOperation?  |   `boolean`   |  Whether to deploy an API Gateway Method for HTTP DELETE operations on the queue (i.e. sqs:DeleteMessage).  | 
|  deleteRequestTemplate?  |   `string`   |  API Gateway Request Template for the delete method for the default `application/json` content-type. This property can only be specified if the `allowDeleteOperation` property is set to true.  | 
|  additionalDeleteRequestTemplates?  |   `{ [contentType: string]: string; }`   |  Optional Delete request templates for content-types other than `application/json`. Use the `deleteRequestTemplate` property to set the request template for the `application/json` content-type. This property can only be specified if the `allowDeleteOperation` property is set to true.  | 
|  deleteIntegrationResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IntegrationResponse.html)   |  Optional, custom API Gateway Integration Response for the delete method. This property can only be specified if the `allowDeleteOperation` property is set to true.  | 
|  deleteMethodResponses?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.MethodResponse.html)   |  Optional, custom API Gateway Method Responses for the delete action. default: `[{ statusCode: "200", responseParameters: { "method.response.header.Content-Type": true }},{ statusCode: "500", responseParameters: { "method.response.header.Content-Type": true } } ]`  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  User provided props to override the default props for the CloudWatchLogs LogGroup.  | 
|  enableEncryptionWithCustomerManagedKey?  |   `boolean`   |  If no key is provided, this flag determines whether the queue is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: queueProps.encryptionMasterKey, encryptionKey or encryptionKeyProps.  | 
|  encryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SQS Queue with.  | 
|  encryptionKeyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SQS queue with.  | 
|  messageSchema?  |  { [contentType: string]: [api.JsonSchema](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.JsonSchema.html); }  |  Optional schema to define format of incoming message in API request body. Example: `{ "application/json": { schema: api.JsonSchemaVersion.DRAFT4, title: "pollResponse", type: api.JsonSchemaType.OBJECT, required: ["firstProperty", "anotherProperty"], additionalProperties: false, properties: { firstProperty: { type: api.JsonSchemaType.STRING }, anotherProperty: { type: api.JsonSchemaType.STRING } } } }` Only relevant for create operation; if allowCreateOperation is not true, then supplying this causes an error. Sending this value causes this construct to turn on validation for the request body. @default - None  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  apiGateway  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html)   |  Returns an instance of the API Gateway REST API created by the pattern.  | 
|  apiGatewayRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for API Gateway.  | 
|  apiGatewayCloudWatchRole?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.  | 
|  apiGatewayLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.  | 
|  sqsQueue  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the SQS queue created by the pattern.  | 
|  deadLetterQueue?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.DeadLetterQueue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.DeadLetterQueue.html)   |  Returns an instance of the DeadLetterQueue created by the pattern.  | 

## Sample API Usage



|  **Method**  |  **Request Path**  |  **Request Body**  |  **Queue Action**  |  **Description**  | 
| --- | --- | --- | --- | --- | 
|  GET  |   `/`   |  |   `sqs:ReceiveMessage`   |  Retrieves a message from the queue.  | 
|  POST  |   `/`   |   `{ "data": "Hello World!" }`   |   `sqs:SendMessage`   |  Delivers a message to the queue.  | 
|  DELETE  |   `/message?receiptHandle=[value]`   |  |   `sqs:DeleteMessage`   |  Deletes a specified message from the queue.  | 

## API Gateway Request/Response Template Properties Overview


This construct allows you to implement four DynamoDB API operations, CREATE/READ/DELETE (corresponding to the HTTP POST/GET/DELETE requests respectively). They are completely independent and each follows the same pattern:

+ Setting `allowCreateOperation` to true will implement the `application/json` content-type with default request and response templates
+ The request template for `application/json` requests can be customized using the `createRequestTemplate` prop value
+ *Additional* request templates can be specified using the `additionalCreateRequestTemplates` prop value. Note - these DO NOT replace the `application/json` content-type
+ Customized integration responses can be specified for any content type in the `createIntegrationResponses` prop value.

Supplying any of these values without setting allowCreateOperation to true will result in an error. This pattern is the same for all four API operations.

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon API Gateway

+ Deploy an edge-optimized API endpoint
+ Enable CloudWatch logging for API Gateway
+ Configure least privilege access IAM role for API Gateway
+ Set the default authorizationType for all API methods to IAM
+ Enable X-Ray Tracing

### Amazon SQS Queue

+ Deploy SQS dead-letter queue for the source SQS Queue
+ Enable server-side encryption for source SQS Queue using AWS Managed KMS Key
+ Enforce encryption of data in transit

## Architecture


![\[Diagram showing Amazon API Gateway, CloudWatch, and Simple Queue Service interactions with roles.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-apigateway-sqs.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-apigateway-sqs) for this pattern to view the code, read/create issues and pull requests and more.



# aws-apigatewayv2websocket-sqs


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_apigatewayv2websocket_sqs`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-apigatewayv2websocket-sqs`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.apigatewayv2websocketsqs`   | 

## Overview


This AWS Solutions Construct implements an Amazon API Gateway WebSocket connected to an Amazon SQS queue pattern.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from "constructs";
import { Stack, StackProps } from "aws-cdk-lib";
import {
    ApiGatewayV2WebSocketToSqs,
    ApiGatewayV2WebSocketToSqsProps,
} from "@aws-solutions-constructs/aws-apigatewayv2websocket-sqs";
import { WebSocketLambdaAuthorizer } from 'aws-cdk-lib/aws-apigatewayv2-authorizers';
import { WebSocketLambdaIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';

// authHandler, connectLambda and disconnectLambda are Lambda functions defined elsewhere in the stack
const authorizer = new WebSocketLambdaAuthorizer('Authorizer', authHandler);

new ApiGatewayV2WebSocketToSqs(this, "ApiGatewayV2WebSocketToSqsPattern", {
    webSocketApiProps: {
        connectRouteOptions: {
            integration: new WebSocketLambdaIntegration("ConnectIntegration", connectLambda),
            authorizer: authorizer,
        },
        disconnectRouteOptions: {
            integration: new WebSocketLambdaIntegration("DisconnectIntegration", disconnectLambda),
        },
    },
    createDefaultRoute: true
});
```

```
from aws_solutions_constructs.aws_apigatewayv2websocket_sqs import ApiGatewayV2WebSocketToSqs
from aws_cdk import Stack, aws_apigatewayv2 as apigwv2
from aws_cdk.aws_apigatewayv2_authorizers import WebSocketLambdaAuthorizer
from aws_cdk.aws_apigatewayv2_integrations import WebSocketLambdaIntegration
from constructs import Construct

# auth_handler, connect_lambda and disconnect_lambda are Lambda functions defined elsewhere in the stack
authorizer = WebSocketLambdaAuthorizer("Authorizer", auth_handler)

ApiGatewayV2WebSocketToSqs(self, 'ApiGatewayV2WebSocketToSqsPattern',
    web_socket_api_props=apigwv2.WebSocketApiProps(
        connect_route_options=apigwv2.WebSocketRouteOptions(
            integration=WebSocketLambdaIntegration("ConnectIntegration", connect_lambda),
            authorizer=authorizer
        ),
        disconnect_route_options=apigwv2.WebSocketRouteOptions(
            integration=WebSocketLambdaIntegration("DisConnectIntegration", disconnect_lambda)
        )
    ),
    create_default_route=True
)
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.apigatewayv2.*;
import software.amazon.awscdk.aws_apigatewayv2_authorizers.*;
import software.amazon.awscdk.aws_apigatewayv2_integrations.*;
import software.amazon.awsconstructs.services.apigatewayv2websocketsqs.*;

// connect_lambda and disconnect_lambda are Lambda functions defined elsewhere in the stack
new ApiGatewayV2WebSocketToSqs(this, "ApiGatewayV2WebSocketToSqsPattern", new ApiGatewayV2WebSocketToSqsProps.Builder()
        .webSocketApiProps(new WebSocketApiProps.Builder()
                .connectRouteOptions(new WebSocketRouteOptions.Builder()
                        .integration(new WebSocketLambdaIntegration("ConnectIntegration", connect_lambda))
                        .build())
                .disconnectRouteOptions(new WebSocketRouteOptions.Builder()
                        .integration(new WebSocketLambdaIntegration("DisConnectIntegration", disconnect_lambda))
                        .build())
                .build())
        .createDefaultRoute(true)
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingWebSocketApi?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2.WebSocketApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2.WebSocketApi.html)   |  Optional API Gateway WebSocket instance. Providing both existingWebSocketApi and webSocketApiProps will cause an error.  | 
|  webSocketApiProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2.WebSocketApiProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2.WebSocketApiProps.html)   |  Optional user-provided props to override the default props for the API Gateway. Providing both existingWebSocketApi and webSocketApiProps will cause an error.  | 
|  queueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional - user provided properties to override the default properties for the SQS queue. Providing both this and `existingQueueObj` will cause an error.  | 
|  existingQueueObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Optional existing instance of SQS Queue. Providing both existingQueueObj and queueProps will cause an error.  | 
|  deployDeadLetterQueue?  |   `boolean`   |  Whether to deploy a secondary queue to be used as a dead letter queue. Defaults to `true`.  | 
|  deadLetterQueueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional properties to use for creating dead letter queue. Note that if you are creating a FIFO Queue, the dead letter queue should also be FIFO.  | 
|  maxReceiveCount  |   `number`   |  The number of times a message can be unsuccessfully dequeued before being moved to the dead-letter queue.  | 
|  createDefaultRoute?  |   `boolean`   |  Whether to create a default route. At least one of createDefaultRoute or customRouteName must be provided. If set to true, then it will use the value supplied with `defaultRouteRequestTemplate`.  | 
|  defaultRouteRequestTemplate?  |   `{ [contentType: string]: string }`   |  Optional user provided API Gateway Request Template for the default route and/or customRoute (if customRouteName is provided). This property will only be used if createDefaultRoute is `true`. If createDefaultRoute is `true` and this property is not provided, the construct will create the default route with the following VTL mapping `"Action=SendMessage&MessageGroupId=$input.path('$.MessageGroupId')&MessageDeduplicationId=$context.requestId&MessageAttribute.1.Name=connectionId&MessageAttribute.1.Value.StringValue=$context.connectionId&MessageAttribute.1.Value.DataType=String&MessageAttribute.2.Name=requestId&MessageAttribute.2.Value.StringValue=$context.requestId&MessageAttribute.2.Value.DataType=String&MessageBody=$util.urlEncode($input.json($util.escapeJavaScript('$').replaceAll(\"\\\\'\",\"'\")))"`.  | 
|  defaultIamAuthorization?  |   `boolean`   |  Add IAM authorization to the `$connect` path by default. Only set this to false if: 1) you plan to provide an authorizer with the `$connect` route; or 2) the API should be open (no authorization) (AWS recommends against deploying unprotected APIs). If an authorizer is specified in connectRouteOptions, this parameter is ignored and no default IAM authorizer will be created.  | 
|  customRouteName?  |   `string`   |  The name of the route that will be sent through WebSocketApiProps.routeSelectionExpression when invoking the WebSocket endpoint. At least one of createDefaultRoute or customRouteName must be provided. Default - None  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  webSocketApi  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2.WebSocketApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2.WebSocketApi.html)   |  Returns an instance of the API Gateway WebSocket API created by the pattern.  | 
|  apiGatewayRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for API Gateway.  | 
|  webSocketStage  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2.WebSocketStage.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2.WebSocketStage.html)   |  Returns an instance of the WebSocketStage created by the construct.  | 
|  apiGatewayLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.  | 
|  sqsQueue  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the SQS queue created by the pattern.  | 
|  deadLetterQueue?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.DeadLetterQueue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.DeadLetterQueue.html)   |  Returns an instance of the DeadLetterQueue created by the pattern.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon API Gateway

+ Deploy a WebSocket endpoint
+ Enable CloudWatch logging for API Gateway
+ Configure least privilege access IAM role for API Gateway
+ Enable X-Ray Tracing

### Amazon SQS Queue

+ Deploy SQS dead-letter queue for the source SQS Queue
+ Enable server-side encryption for source SQS Queue using AWS Managed KMS Key
+ Enforce encryption of data in transit

## Architecture


![\[Diagram showing AWS services interaction: Client, API Gateway, CloudWatch, and SQS.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-apigatewayv2websocket-sqs.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-apigatewayv2websocket-sqs) for this pattern to view the code, read/create issues and pull requests and more.



# aws-cloudfront-apigateway-lambda


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_cloudfront_apigateway_lambda`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-cloudfront-apigateway-lambda`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.cloudfrontapigatewaylambda`   | 

## Overview


This AWS Solutions Construct implements an Amazon CloudFront distribution in front of a Lambda-backed Amazon API Gateway REST API.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { CloudFrontToApiGatewayToLambda } from '@aws-solutions-constructs/aws-cloudfront-apigateway-lambda';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import * as api from 'aws-cdk-lib/aws-apigateway';

new CloudFrontToApiGatewayToLambda(this, 'test-cloudfront-apigateway-lambda', {
  lambdaFunctionProps: {
    code: lambda.Code.fromAsset(`lambda`),
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler'
  },
  apiGatewayProps: {
    defaultMethodOptions: {
      authorizationType: api.AuthorizationType.NONE
    }
  },
});
```

```
from aws_solutions_constructs.aws_cloudfront_apigateway_lambda import CloudFrontToApiGatewayToLambda
from aws_cdk import (
  aws_lambda as _lambda,
  aws_apigateway as apigw,
  Stack
)
from constructs import Construct

CloudFrontToApiGatewayToLambda(
    self, 'CloudFrontApiGatewayToLambda',
    lambda_function_props=_lambda.FunctionProps(
        runtime=_lambda.Runtime.PYTHON_3_14,
        code=_lambda.Code.from_asset('lambda'),
        handler='hello.handler',
    ),
    # NOTE - we use RestApiProps here because the actual type, LambdaRestApiProps requires
    # the handler function which does not yet exist. As RestApiProps is a subset of LambdaRestApiProps
    # (although does not *extend* that interface) this works fine when the props object reaches the
    # underlying TypeScript code that implements Constructs
    api_gateway_props=apigw.RestApiProps(
        default_method_options=apigw.MethodOptions(
            authorization_type=apigw.AuthorizationType.NONE
        )
    )
)
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.apigateway.*;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.cloudfrontapigatewaylambda.*;
import software.amazon.awsconstructs.services.cloudfrontapigatewaylambda.CloudFrontToApiGatewayToLambdaProps;

new CloudFrontToApiGatewayToLambda(this, "ApiGatewayToLambdaPattern", new CloudFrontToApiGatewayToLambdaProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X) // execution environment
                .code(Code.fromAsset("lambda")) // code loaded from the `lambda` directory (under root, next to `src`)
                .handler("hello.handler") // file is `hello`, function is `handler`
                .build())
        // NOTE - we use RestApiProps here because the actual type, LambdaRestApiProps requires
        // the handler function which does not yet exist. As RestApiProps is a subset of LambdaRestApiProps
        // (although does not *extend* that interface) this works fine when the props object reaches the
        // underlying TypeScript code that implements Constructs
        .apiGatewayProps(new RestApiProps.Builder()
                .defaultMethodOptions(new MethodOptions.Builder()
                        .authorizationType(AuthorizationType.NONE)
                        .build())
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Existing instance of Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional user provided props to override the default props for the Lambda function.  | 
|  apiGatewayProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.LambdaRestApiProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.LambdaRestApiProps.html)   |  User provided props to override the default props for the API Gateway. As of release 2.48.0, clients must include this property with `defaultMethodOptions: { authorizationType: string }` specified. See Issue 1043 in the GitHub repo: https://github.com/awslabs/aws-solutions-constructs/issues/1043  | 
|  cloudFrontDistributionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.DistributionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.DistributionProps.html)   |  Optional user provided props to override the default props for CloudFront Distribution  | 
|  insertHttpSecurityHeaders?  |   `boolean`   |  Optional user provided props to turn on/off the automatic injection of best practice HTTP security headers in all responses from CloudFront  | 
|  responseHeadersPolicyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.ResponseHeadersPolicyProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.ResponseHeadersPolicyProps.html)   |  Optional user provided configuration that CloudFront applies to all HTTP responses.  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  Optional user provided props to override the default props for the CloudWatchLogs LogGroup.  | 
|  cloudFrontLoggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the CloudFront Logging Bucket.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  cloudFrontWebDistribution  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Distribution.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Distribution.html)   |  Returns an instance of cloudfront.Distribution created by the construct  | 
|  cloudFrontFunction?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Function.html)   |  Returns an instance of the Cloudfront function created by the pattern.  | 
|  cloudFrontLoggingBucket  |   [https://docs.aws.amazon.com/cdk/api/latest/docs/aws-s3-readme.html](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-s3-readme.html)   |  Returns an instance of the logging bucket for CloudFront Distribution.  | 
|  apiGateway  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html)   |  Returns an instance of the API Gateway REST API created by the pattern.  | 
|  apiGatewayCloudWatchRole?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.  | 
|  apiGatewayLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.  | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon CloudFront

+ Configure Access logging for CloudFront Distribution
+ Enable automatic injection of best practice HTTP security headers in all responses from CloudFront Distribution

### Amazon API Gateway

+ Deploy a regional API endpoint
+ Enable CloudWatch logging for API Gateway
+ Configure least privilege access IAM role for API Gateway
+ Set the default authorizationType for all API methods to NONE
+ Enable X-Ray Tracing
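
Both the `authorizationType` NONE default listed here and the `$connect` authorization that `defaultIamAuthorization` controls in aws-apigatewayv2websocket-sqs end up as `AuthorizationType` values in the synthesized CloudFormation template, where they can be checked before deployment. The following is an added example, not code from the Solutions Constructs project; the function names, logical IDs and sample template are constructed, and it assumes the template has already been parsed from `cdk synth` output.

```typescript
// Added example: report unauthenticated API entry points in a synthesized template.
// Type names, logical IDs and the sample template are constructed for illustration.
type CfnProps = { [key: string]: any };
type CfnResource = { Type: string; Properties?: CfnProps };
type CfnTemplate = { Resources: { [logicalId: string]: CfnResource } };

interface OpenEntryPoint {
  logicalId: string;
  entryPoint: string;
}

// Conservative choice made by this check: a missing AuthorizationType counts as NONE.
function authorizationType(props: CfnProps): string {
  return typeof props.AuthorizationType === 'string' ? props.AuthorizationType : 'NONE';
}

// Returns every REST method and WebSocket $connect route that accepts
// unauthenticated callers, except logical IDs listed in `accepted`.
function findOpenEntryPoints(template: CfnTemplate, accepted: string[] = []): OpenEntryPoint[] {
  const findings: OpenEntryPoint[] = [];
  Object.keys(template.Resources).sort().forEach((logicalId) => {
    const res = template.Resources[logicalId];
    if (!res || accepted.indexOf(logicalId) !== -1) return;
    const props: CfnProps = res.Properties || {};
    if (authorizationType(props) !== 'NONE') return;

    if (res.Type === 'AWS::ApiGateway::Method') {
      // CORS preflight (OPTIONS) requests carry no credentials, so they are not reported.
      if (props.HttpMethod !== 'OPTIONS') {
        findings.push({ logicalId, entryPoint: 'REST method ' + String(props.HttpMethod) });
      }
    } else if (res.Type === 'AWS::ApiGatewayV2::Route' && props.RouteKey === '$connect') {
      // WebSocket APIs authorize on $connect only, so other routes are expected to be NONE.
      findings.push({ logicalId, entryPoint: 'WebSocket route $connect' });
    }
  });
  return findings;
}

// Constructed sample: a proxy method left at NONE, a root method using IAM,
// a CORS preflight method, and a WebSocket API with an open $connect route.
const sampleTemplate: CfnTemplate = {
  Resources: {
    ApiProxyAny: {
      Type: 'AWS::ApiGateway::Method',
      Properties: { HttpMethod: 'ANY', AuthorizationType: 'NONE' },
    },
    ApiRootAny: {
      Type: 'AWS::ApiGateway::Method',
      Properties: { HttpMethod: 'ANY', AuthorizationType: 'AWS_IAM' },
    },
    ApiProxyOptions: {
      Type: 'AWS::ApiGateway::Method',
      Properties: { HttpMethod: 'OPTIONS', AuthorizationType: 'NONE' },
    },
    WsConnectRoute: {
      Type: 'AWS::ApiGatewayV2::Route',
      Properties: { RouteKey: '$connect', AuthorizationType: 'NONE' },
    },
    WsDefaultRoute: {
      Type: 'AWS::ApiGatewayV2::Route',
      Properties: { RouteKey: '$default', AuthorizationType: 'NONE' },
    },
  },
};
```

Entries in `accepted` record methods that are public on purpose, such as the `AuthorizationType.NONE` used in the minimal example above, so that any new open entry point still fails the check.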

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

## Architecture


![\[Diagram showing data flow between AWS services including CloudFront, Api Gateway and Lambda\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-cloudfront-apigateway-lambda.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-cloudfront-apigateway-lambda) for this pattern to view the code, read/create issues and pull requests and more.



# aws-cloudfront-apigateway


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_cloudfront_apigateway`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-cloudfront-apigateway`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.cloudfrontapigateway`   | 

## Overview


This AWS Solutions Construct implements an Amazon CloudFront distribution in front of an Amazon API Gateway REST API.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { CloudFrontToApiGateway } from '@aws-solutions-constructs/aws-cloudfront-apigateway';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import * as api from 'aws-cdk-lib/aws-apigateway';

const lambdaProps: lambda.FunctionProps = {
  code: lambda.Code.fromAsset(`lambda`),
  runtime: lambda.Runtime.NODEJS_22_X,
  handler: 'index.handler'
};

const lambdafunction = new lambda.Function(this, 'LambdaFunction', lambdaProps);

const apiGatewayProps: api.LambdaRestApiProps = {
  handler: lambdafunction,
  endpointConfiguration: {
    types: [api.EndpointType.REGIONAL]
  },
  defaultMethodOptions: {
    authorizationType: api.AuthorizationType.NONE
  }
};

const apiGateway = new api.LambdaRestApi(this, 'LambdaRestApi', apiGatewayProps);

new CloudFrontToApiGateway(this, 'test-cloudfront-apigateway', {
  existingApiGatewayObj: apiGateway
});
```

```
from aws_solutions_constructs.aws_cloudfront_apigateway import CloudFrontToApiGateway
from aws_cdk import (
    aws_lambda as _lambda,
    aws_apigateway as api,
    Stack
)
from constructs import Construct

lambda_function = _lambda.Function(self, 'LambdaFunction',
                                    code=_lambda.Code.from_asset(
                                        'lambda'),
                                    runtime=_lambda.Runtime.PYTHON_3_14,
                                    handler='index.handler')

api_gateway = api.LambdaRestApi(self, 'LambdaRestApi',
                                handler=lambda_function,
                                endpoint_configuration=api.EndpointConfiguration(
                                    types=[api.EndpointType.REGIONAL]
                                ),
                                default_method_options=api.MethodOptions(
                                    authorization_type=api.AuthorizationType.NONE
                                ))

CloudFrontToApiGateway(self, 'test-cloudfront-apigateway',
                        existing_api_gateway_obj=api_gateway
                        )
```

```
import software.constructs.Construct;
import java.util.List;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awscdk.services.apigateway.*;
import software.amazon.awsconstructs.services.cloudfrontapigateway.*;

final Function lambdaFunction = Function.Builder.create(this, "IndexHandler")
        .runtime(Runtime.NODEJS_22_X)
        .code(Code.fromAsset("lambda"))
        .handler("index.handler")
        .build();

final LambdaRestApi apiGateway = LambdaRestApi.Builder.create(this, "myapi")
        .handler(lambdaFunction)
        .endpointConfiguration(new EndpointConfiguration.Builder()
                .types(List.of(EndpointType.REGIONAL))
                .build())
        .build();

new CloudFrontToApiGateway(this, "test-cloudfront-apigateway", new CloudFrontToApiGatewayProps.Builder()
        .existingApiGatewayObj(apiGateway)
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingApiGatewayObj  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html)   |  The regional API Gateway that will be fronted with the CloudFront  | 
|  cloudFrontDistributionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.DistributionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.DistributionProps.html) \| any  |  Optional user provided props to override the default props for CloudFront Distribution  | 
|  insertHttpSecurityHeaders?  |   `boolean`   |  Optional user provided props to turn on/off the automatic injection of best practice HTTP security headers in all responses from CloudFront  | 
|  responseHeadersPolicyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.ResponseHeadersPolicyProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.ResponseHeadersPolicyProps.html)   |  Optional user provided configuration that CloudFront applies to all HTTP responses.  | 
|  cloudFrontLoggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the CloudFront Logging Bucket.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  cloudFrontWebDistribution  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Distribution.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Distribution.html)   |  Returns an instance of cloudfront.Distribution created by the construct  | 
|  apiGateway  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html)   |  Returns an instance of the API Gateway REST API created by the pattern.  | 
|  cloudFrontFunction?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Function.html)   |  Returns an instance of the Cloudfront function created by the pattern.  | 
|  cloudFrontLoggingBucket  |   [https://docs.aws.amazon.com/cdk/api/latest/docs/aws-s3-readme.html](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-s3-readme.html)   |  Returns an instance of the logging bucket for CloudFront Distribution.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon CloudFront

+ Configure Access logging for CloudFront Distribution
+ Enable automatic injection of best practice HTTP security headers in all responses from CloudFront Distribution

### Amazon API Gateway

+ User provided API Gateway object is used as-is
+ Enable X-Ray Tracing

## Architecture


![\[Diagram showing data flow between network, code, storage, and cloud search components.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-cloudfront-apigateway.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-cloudfront-apigateway) for this pattern to view the code, read/create issues and pull requests and more.



# aws-cloudfront-oai-s3


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_cloudfront_oai_s3`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-cloudfront-oai-s3`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.cloudfrontoais3`   | 

## Overview


This AWS Solutions Construct provisions an Amazon CloudFront Distribution that serves objects from an AWS S3 Bucket via an Origin Access Identity (OAI).

**Important**  
The recommended architecture for this pattern is to use an Origin Access Control, which is available in aws-cloudfront-s3. This construct is provided to support China regions where Origin Access Controls are not available.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { CloudFrontToOaiToS3 } from '@aws-solutions-constructs/aws-cloudfront-oai-s3';

new CloudFrontToOaiToS3(this, 'test-cloudfront-oai-s3', {});
```

```
from aws_solutions_constructs.aws_cloudfront_oai_s3 import CloudFrontToOaiToS3
from aws_cdk import Stack
from constructs import Construct

CloudFrontToOaiToS3(self, 'test-cloudfront-oai-s3')
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.cloudfrontoais3.*;

new CloudFrontToOaiToS3(this, "test-cloudfront-oai-s3", new CloudFrontToOaiToS3Props.Builder()
  .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  cloudFrontDistributionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.DistributionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.DistributionProps.html)   |  Optional user provided props to override the default props for CloudFront Distribution  | 
|  insertHttpSecurityHeaders?  |   `boolean`   |  Optional user provided props to turn on/off the automatic injection of best practice HTTP security headers in all responses from CloudFront  | 
|  responseHeadersPolicyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.ResponseHeadersPolicyProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.ResponseHeadersPolicyProps.html)   |  Optional user provided configuration that CloudFront applies to all HTTP responses.  | 
|  originPath?  |   `string`   |  Optional user provided props to provide an [originPath](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront_origins.S3OriginProps.html#originpath) that CloudFront appends to the origin domain name when CloudFront requests content from the origin. The string should start with a `/`, for example: `/production`. Default value is `'/'`   | 
|  existingBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Optional - existing instance of S3 Bucket. If this is provided, then also providing bucketProps will cause an error.  | 
|  bucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Content Bucket, providing both this and `existingBucketObj` will cause an error. Note - to log S3 access for this bucket to an existing S3 bucket, put the existing log bucket in bucketProps: `serverAccessLogsBucket`   | 
|  logS3AccessLogs?  |  boolean  |  Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true  | 
|  loggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Logging Bucket.  | 
|  cloudFrontLoggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the CloudFront Logging Bucket. Note: to use an existing bucket to hold CloudFront logs, pass the existing log bucket in  | 
|  logCloudFrontAccessLog  |   `boolean`   |  Optional - Whether to maintain access logs for the CloudFront Logging bucket. Specifying false for this while providing info about the log bucket will cause an error. Default = true  | 
|  cloudFrontLoggingBucketAccessLogBucketProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the CloudFront Log Bucket Access Log bucket. Providing both this and `existingcloudFrontLoggingBucketAccessLogBucket` will cause an error. To provide an existing bucket to accept these logs, pass the existing bucket in `cloudFrontLoggingBucketProps::serverAccessLogBucket`   | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  cloudFrontWebDistribution  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Distribution.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Distribution.html)   |  Returns an instance of cloudfront.Distribution created by the construct.  | 
|  cloudFrontFunction?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Function.html)   |  Returns an instance of the Cloudfront function created by the construct.  | 
|  s3BucketInterface  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an instance of s3.IBucket created by the construct.  | 
|  s3Bucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct. IMPORTANT: If `existingBucketObj` was provided in Pattern Construct Props, this property will be `undefined`   | 
|  s3LoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket.  | 
|  cloudFrontLoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  The S3 bucket created by the construct to hold CloudFront logs. Only populated if the construct creates the bucket (not if an existing bucket is passed in via DistributionProps)  | 
|  cloudFrontLoggingBucketAccessLogBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  The S3 bucket containing the S3 access logs for the CloudFront log bucket. Only populated if the construct creates the bucket (not if the bucket is passed in via `cloudFrontLoggingBucketProps::serverAccessLogBucket`)   | 
|  originaAccessIdentity?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.OriginAccessIdentity.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.OriginAccessIdentity.html)   |  The Origin Access Identity created to connect the CloudFront distribution to the S3 bucket (only suitable for use in regions without OAC, such as China)  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon CloudFront

+ Configure Access logging for CloudFront Distribution
+ Enable automatic injection of best practice HTTP security headers in all responses from CloudFront Distribution
+ CloudFront originPath set to `'/'` 
+ Create an Origin Access Identity to access S3 bucket

### Amazon S3 Bucket

+ Configure Access logging for S3 Bucket
+ Enable server-side encryption for S3 Bucket using AWS managed KMS Key
+ Enforce encryption of data in transit
+ Turn on the versioning for S3 Bucket
+ Block public access for S3 Bucket
+ Retain the S3 Bucket when deleting the CloudFormation stack
+ Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days
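
Because `bucketProps` and `existingBucketObj` let a stack replace these defaults, the content bucket in the synthesized template is worth checking against the list above. The following is an added example, not code from the Solutions Constructs project; the function names, logical IDs and both sample templates are constructed, and it checks only the presence of server-side encryption, not which key type is used.

```typescript
// Added example: check a synthesized template for the content-bucket defaults listed above.
// Type names, logical IDs and both sample templates are constructed for illustration.
type CfnProps = { [key: string]: any };
type CfnResource = { Type: string; DeletionPolicy?: string; Properties?: CfnProps };
type CfnTemplate = { Resources: { [logicalId: string]: CfnResource } };

// True when a bucket policy attached to bucketId denies requests made without TLS.
function deniesInsecureTransport(template: CfnTemplate, bucketId: string): boolean {
  return Object.keys(template.Resources).some((id) => {
    const res = template.Resources[id];
    if (!res || res.Type !== 'AWS::S3::BucketPolicy' || !res.Properties) return false;
    const target = res.Properties.Bucket;
    if (!target || target.Ref !== bucketId) return false;
    const doc: CfnProps = res.Properties.PolicyDocument || {};
    // Statement may be a single object or an array; concat normalises both.
    const statements: CfnProps[] = ([] as CfnProps[]).concat(doc.Statement || []);
    return statements.some((s) => {
      const bool: CfnProps = (s.Condition && s.Condition.Bool) || {};
      return s.Effect === 'Deny' && String(bool['aws:SecureTransport']) === 'false';
    });
  });
}

// Returns the names of the documented defaults that the bucket no longer has.
function auditContentBucket(template: CfnTemplate, bucketId: string): string[] {
  const res = template.Resources[bucketId];
  if (!res || res.Type !== 'AWS::S3::Bucket') return ['not an AWS::S3::Bucket: ' + bucketId];
  const p: CfnProps = res.Properties || {};
  const missing: string[] = [];

  const pab: CfnProps = p.PublicAccessBlockConfiguration || {};
  const pabKeys = ['BlockPublicAcls', 'BlockPublicPolicy', 'IgnorePublicAcls', 'RestrictPublicBuckets'];
  if (!pabKeys.every((k) => pab[k] === true)) missing.push('block-public-access');

  const rules: CfnProps[] = (p.BucketEncryption || {}).ServerSideEncryptionConfiguration || [];
  if (rules.length === 0) missing.push('server-side-encryption');

  if ((p.VersioningConfiguration || {}).Status !== 'Enabled') missing.push('versioning');
  if (!deniesInsecureTransport(template, bucketId)) missing.push('tls-only-policy');
  if (res.DeletionPolicy !== 'Retain') missing.push('retain-on-delete');
  return missing;
}

const allBlocked = {
  BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true,
};
const encrypted = {
  ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: 'aws:kms' } }],
};

// Constructed template in which every checked default is present.
const defaultsTemplate: CfnTemplate = {
  Resources: {
    ContentBucket: {
      Type: 'AWS::S3::Bucket',
      DeletionPolicy: 'Retain',
      Properties: {
        PublicAccessBlockConfiguration: allBlocked,
        BucketEncryption: encrypted,
        VersioningConfiguration: { Status: 'Enabled' },
      },
    },
    ContentBucketPolicy: {
      Type: 'AWS::S3::BucketPolicy',
      Properties: {
        Bucket: { Ref: 'ContentBucket' },
        PolicyDocument: {
          Statement: [{
            Effect: 'Deny', Action: 's3:*', Principal: { AWS: '*' },
            Condition: { Bool: { 'aws:SecureTransport': 'false' } },
          }],
        },
      },
    },
  },
};

// Constructed template in which versioning, the TLS-only policy and retention are absent.
const weakenedTemplate: CfnTemplate = {
  Resources: {
    ContentBucket: {
      Type: 'AWS::S3::Bucket',
      DeletionPolicy: 'Delete',
      Properties: { PublicAccessBlockConfiguration: allBlocked, BucketEncryption: encrypted },
    },
  },
};
```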

## Architecture


![\[Diagram showing data flow between AWS services including CloudFront, S3, and an Origin Access Identity\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-cloudfront-oai-s3.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-cloudfront-oai-s3) for this pattern to view the code, read/create issues and pull requests and more.



# aws-cloudfront-s3


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_cloudfront_s3`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-cloudfront-s3`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.cloudfronts3`   | 

## Overview


This AWS Solutions Construct provisions an Amazon CloudFront Distribution that serves objects from an AWS S3 Bucket via an Origin Access Control (OAC).

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { CloudFrontToS3 } from '@aws-solutions-constructs/aws-cloudfront-s3';

new CloudFrontToS3(this, 'test-cloudfront-s3', {});
```

```
from aws_solutions_constructs.aws_cloudfront_s3 import CloudFrontToS3
from aws_cdk import Stack
from constructs import Construct

CloudFrontToS3(self, 'test-cloudfront-s3')
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.cloudfronts3.*;

new CloudFrontToS3(this, "test-cloudfront-s3", new CloudFrontToS3Props.Builder()
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  cloudFrontDistributionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.DistributionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.DistributionProps.html)   |  Optional user provided props to override the default props for CloudFront Distribution  | 
|  insertHttpSecurityHeaders?  |   `boolean`   |  Optional user provided props to turn on/off the automatic injection of best practice HTTP security headers in all responses from CloudFront  | 
|  responseHeadersPolicyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.ResponseHeadersPolicyProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.ResponseHeadersPolicyProps.html)   |  Optional user provided configuration that CloudFront applies to all HTTP responses.  | 
|  originPath?  |   `string`   |  Optional user provided props to provide an [originPath](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront_origins.S3OriginProps.html#originpath) that CloudFront appends to the origin domain name when CloudFront requests content from the origin. The string should start with a `/`, for example: `/production`. Default value is `'/'`   | 
|  existingBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Optional - existing instance of S3 Bucket. If this is provided, then also providing bucketProps will cause an error.  | 
|  bucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Content Bucket, providing both this and `existingBucketObj` will cause an error. Note - to log S3 access for this bucket to an existing S3 bucket, put the existing log bucket in bucketProps: `serverAccessLogsBucket`   | 
|  logS3AccessLogs?  |  boolean  |  Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true  | 
|  loggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Logging Bucket.  | 
|  cloudFrontLoggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the CloudFront Logging Bucket. Note: to use an existing bucket to hold CloudFront logs, pass the existing log bucket in  | 
|  logCloudFrontAccessLog  |   `boolean`   |  Optional - Whether to maintain access logs for the CloudFront Logging bucket. Specifying false for this while providing info about the log bucket will cause an error. Default = true  | 
|  cloudFrontLoggingBucketAccessLogBucketProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the CloudFront Log Bucket Access Log bucket. Providing both this and `existingcloudFrontLoggingBucketAccessLogBucket` will cause an error. To provide an existing bucket to accept these logs, pass the existing bucket in `cloudFrontLoggingBucketProps::serverAccessLogBucket`   | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  cloudFrontWebDistribution  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Distribution.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Distribution.html)   |  Returns an instance of cloudfront.Distribution created by the construct.  | 
|  cloudFrontFunction?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Function.html)   |  Returns an instance of the Cloudfront function created by the construct.  | 
|  originAccessControl?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.cloudfront.CfnOriginAccessControl.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.cloudfront.CfnOriginAccessControl.html)   |  Returns an instance of cloudfront.CfnOriginAccessControl created by the construct.  | 
|  s3BucketInterface  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an instance of s3.IBucket created by the construct.  | 
|  s3Bucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct. IMPORTANT: If `existingBucketObj` was provided in Pattern Construct Props, this property will be `undefined`   | 
|  s3LoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket.  | 
|  cloudFrontLoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  The S3 bucket created by the construct to hold CloudFront logs. Only populated if the construct creates the bucket (not if an existing bucket is passed in via DistributionProps)  | 
|  cloudFrontLoggingBucketAccessLogBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  The S3 bucket containing the S3 access logs for the CloudFront log bucket. Only populated if the construct creates the bucket (not if the bucket is passed in via `cloudFrontLoggingBucketProps::serverAccessLogBucket`)   | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon CloudFront

+ Configure Access logging for CloudFront Distribution
+ Enable automatic injection of best practice HTTP security headers in all responses from CloudFront Distribution
+ CloudFront originPath set to `'/'` 
+ Create an Origin Access Control to access S3 bucket
+ The construct will assign the origin created by the construct to any `DistributionProps.additionalBehaviors` provided that do not have an origin specified.

### Amazon S3 Bucket

+ Configure Access logging for S3 Bucket
+ Enable server-side encryption for S3 Bucket using AWS managed KMS Key
+ Enforce encryption of data in transit
+ Turn on the versioning for S3 Bucket
+ Don’t allow public access for S3 Bucket
+ Retain the S3 Bucket when deleting the CloudFormation stack
+ Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days

## Architecture


![\[Diagram showing data flow between AWS services including CloudFront, S3, and an Origin Access Control\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-cloudfront-s3.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-cloudfront-s3) for this pattern to view the code, read/create issues and pull requests and more.



# aws-cognito-apigateway-lambda


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_cognito_apigateway_lambda`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-cognito-apigateway-lambda`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.cognitoapigatewaylambda`   | 

## Overview


This AWS Solutions Construct implements a pattern in which Amazon Cognito secures an Amazon API Gateway REST API backed by AWS Lambda.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { CognitoToApiGatewayToLambda } from '@aws-solutions-constructs/aws-cognito-apigateway-lambda';
import * as lambda from 'aws-cdk-lib/aws-lambda';

new CognitoToApiGatewayToLambda(this, 'test-cognito-apigateway-lambda', {
  lambdaFunctionProps: {
    code: lambda.Code.fromAsset(`lambda`),
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler'
  }
});
```

```
from aws_solutions_constructs.aws_cognito_apigateway_lambda import CognitoToApiGatewayToLambda
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

CognitoToApiGatewayToLambda(self, 'test-cognito-apigateway-lambda',
                            lambda_function_props=_lambda.FunctionProps(
                                code=_lambda.Code.from_asset('lambda'),
                                runtime=_lambda.Runtime.PYTHON_3_14,
                                handler='index.handler'
                            )
                            )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.cognitoapigatewaylambda.*;

new CognitoToApiGatewayToLambda(this, "test-cognito-apigateway-lambda",
        new CognitoToApiGatewayToLambdaProps.Builder()
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_22_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .build())
                .build());
```

If you are defining resources and methods on your API (e.g. proxy = false), then you must call addAuthorizers() after the API is fully defined to ensure every method is protected. Here is an example:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { CognitoToApiGatewayToLambda } from '@aws-solutions-constructs/aws-cognito-apigateway-lambda';
import * as lambda from 'aws-cdk-lib/aws-lambda';

const construct = new CognitoToApiGatewayToLambda(this, 'test-cognito-apigateway-lambda', {
    lambdaFunctionProps: {
        code: lambda.Code.fromAsset(`lambda`),
        runtime: lambda.Runtime.NODEJS_22_X,
        handler: 'index.handler'
    },
    apiGatewayProps: {
        proxy: false
    }
});

const resource = construct.apiGateway.root.addResource('foobar');
resource.addMethod('POST');

// Mandatory to call this method to Apply the Cognito Authorizers on all API methods
construct.addAuthorizers();
```

```
from aws_solutions_constructs.aws_cognito_apigateway_lambda import CognitoToApiGatewayToLambda
from aws_cdk import (
    aws_lambda as _lambda,
    aws_apigateway as api,
    Stack
)
from constructs import Construct
from typing import Any

# Overriding LambdaRestApiProps with type Any
gateway_props = dict[Any, Any]

construct = CognitoToApiGatewayToLambda(self, 'test-cognito-apigateway-lambda',
                                        lambda_function_props=_lambda.FunctionProps(
                                            code=_lambda.Code.from_asset(
                                                'lambda'),
                                            runtime=_lambda.Runtime.PYTHON_3_14,
                                            handler='index.handler'
                                        ),
                                        api_gateway_props=gateway_props(
                                            proxy=False
                                        )
                                        )

resource = construct.api_gateway.root.add_resource('foobar')
resource.add_method('POST')

# Mandatory to call this method to Apply the Cognito Authorizers on all API methods
construct.add_authorizers()
```

```
import software.constructs.Construct;

import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

import software.amazon.awscdk.*;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awscdk.services.apigateway.IResource;
import software.amazon.awsconstructs.services.cognitoapigatewaylambda.*;

// Overriding LambdaRestApiProps with type Any
Map<String, Optional<?>> gatewayProps = new HashMap<String, Optional<?>>();
gatewayProps.put("proxy", Optional.of(false));

final CognitoToApiGatewayToLambda construct = new CognitoToApiGatewayToLambda(this,
        "test-cognito-apigateway-lambda",
        new CognitoToApiGatewayToLambdaProps.Builder()
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_22_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .build())
                .apiGatewayProps(gatewayProps)
                .build());

final IResource resource = construct.getApiGateway().getRoot().addResource("foobar");
resource.addMethod("POST");

// Mandatory to call this method to Apply the Cognito Authorizers on all API methods
construct.addAuthorizers();
```
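
To confirm that no method was left without the authorizer (for example, one added after `addAuthorizers()` was called), you can audit the synthesized CloudFormation template. This is an added example, not code from AWS Solutions Constructs: `findUnprotectedMethods`, `refsCognitoAuthorizer` and the sample template are hypothetical, and exempting OPTIONS (CORS preflight) methods is an assumption you can switch off.

```typescript
// Added example (not part of AWS Solutions Constructs): audit a synthesized
// CloudFormation template for API Gateway methods that lack a Cognito authorizer.

interface CfnResource {
  Type: string;
  Properties?: { [key: string]: unknown };
}

interface CfnTemplate {
  Resources: { [logicalId: string]: CfnResource };
}

interface Finding {
  logicalId: string;
  httpMethod: string;
  reason: string;
}

// True when `value` is { Ref: <id> } and <id> is a COGNITO_USER_POOLS
// authorizer defined in the same template. Literal authorizer IDs (imported
// authorizers) cannot be verified offline and are reported as findings.
function refsCognitoAuthorizer(template: CfnTemplate, value: unknown): boolean {
  if (typeof value !== 'object' || value === null) {
    return false;
  }
  const ref = (value as { Ref?: unknown }).Ref;
  if (typeof ref !== 'string') {
    return false;
  }
  const target = template.Resources[ref];
  if (target === undefined || target.Type !== 'AWS::ApiGateway::Authorizer') {
    return false;
  }
  const props = target.Properties || {};
  return props['Type'] === 'COGNITO_USER_POOLS';
}

// Assumption: OPTIONS methods may stay unauthenticated because browsers send
// CORS preflight requests without credentials. Pass false to flag them too.
function findUnprotectedMethods(template: CfnTemplate, allowOpenOptions: boolean = true): Finding[] {
  const findings: Finding[] = [];
  const logicalIds = Object.keys(template.Resources).sort();
  for (const logicalId of logicalIds) {
    const resource = template.Resources[logicalId];
    if (resource.Type !== 'AWS::ApiGateway::Method') {
      continue;
    }
    const props = resource.Properties || {};
    const httpMethod = String(props['HttpMethod']);
    const authType = String(props['AuthorizationType']);
    if (httpMethod === 'OPTIONS' && allowOpenOptions) {
      continue;
    }
    if (authType !== 'COGNITO_USER_POOLS') {
      findings.push({ logicalId, httpMethod, reason: 'AuthorizationType is ' + authType });
    } else if (!refsCognitoAuthorizer(template, props['AuthorizerId'])) {
      findings.push({ logicalId, httpMethod, reason: 'AuthorizerId does not reference a Cognito authorizer' });
    }
  }
  return findings;
}

// Constructed sample: the shape of `cdk synth` output, reduced to the
// resources this check reads. Logical IDs are made up for the example.
const sampleTemplate: CfnTemplate = {
  Resources: {
    CognitoAuthorizer: {
      Type: 'AWS::ApiGateway::Authorizer',
      Properties: { Type: 'COGNITO_USER_POOLS', IdentitySource: 'method.request.header.Authorization' },
    },
    FoobarPOST: {
      Type: 'AWS::ApiGateway::Method',
      Properties: {
        HttpMethod: 'POST',
        AuthorizationType: 'COGNITO_USER_POOLS',
        AuthorizerId: { Ref: 'CognitoAuthorizer' },
      },
    },
    FoobarOPTIONS: {
      Type: 'AWS::ApiGateway::Method',
      Properties: { HttpMethod: 'OPTIONS', AuthorizationType: 'NONE' },
    },
    // A method that never received the authorizer.
    LateGET: {
      Type: 'AWS::ApiGateway::Method',
      Properties: { HttpMethod: 'GET', AuthorizationType: 'NONE' },
    },
    // Correct type, but no authorizer attached.
    DanglingPUT: {
      Type: 'AWS::ApiGateway::Method',
      Properties: { HttpMethod: 'PUT', AuthorizationType: 'COGNITO_USER_POOLS' },
    },
  },
};

for (const finding of findUnprotectedMethods(sampleTemplate)) {
  console.log(finding.logicalId + ' ' + finding.httpMethod + ': ' + finding.reason);
}
```

Run it in CI against the JSON produced by `cdk synth` and fail the build when the returned list is not empty.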

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  apiGatewayProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.LambdaRestApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.LambdaRestApi.html)   |  Optional - user-provided props to override the default props for the API Gateway API.  | 
|  cognitoUserPoolProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPoolProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPoolProps.html)   |  Optional user provided props to override the default props for Cognito User Pool  | 
|  cognitoUserPoolClientProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPoolClientProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPoolClientProps.html)   |  Optional user provided props to override the default props for Cognito User Pool Client  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  User provided props to override the default props for the CloudWatch Logs LogGroup.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  userPool  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPool.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPool.html)   |  Returns an instance of cognito.UserPool created by the construct  | 
|  userPoolClient  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPoolClient.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPoolClient.html)   |  Returns an instance of cognito.UserPoolClient created by the construct  | 
|  apiGateway  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html)   |  Returns an instance of api.RestApi created by the construct  | 
|  apiGatewayCloudWatchRole?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.  | 
|  apiGatewayLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.  | 
|  apiGatewayAuthorizer  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.CfnAuthorizer.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.CfnAuthorizer.html)   |  Returns an instance of the api.CfnAuthorizer created by the construct for API Gateway methods authorization.  | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of lambda.Function created by the construct  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon Cognito

+ Set password policy for User Pools
+ Enforce the advanced security mode for User Pools

### Amazon API Gateway

+ Deploy an edge-optimized API endpoint
+ Enable CloudWatch logging for API Gateway
+ Configure least privilege access IAM role for API Gateway
+ Set the default authorizationType for all API methods to Cognito User Pool
+ Enable X-Ray Tracing

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

## Architecture


![\[Diagram showing data flow between AWS services including Cognito, API Gateway, Lambda, CloudWatch and IAM Roles\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-cognito-apigateway-lambda.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-cognito-apigateway-lambda) for this pattern to view the code, read/create issues and pull requests and more.



# aws-constructs-factories


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_constructs_factories`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-constructs-factories`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.constructsfactories`   | 

## Overview


This AWS Solutions Construct exposes the same code used to create our underlying resources as factories, so clients can create individual resources that are well-architected. There are factories to create:

 [Launch an S3 Bucket](#s3-buckets-docs) - Create a well architected S3 bucket (e.g. - includes an access logging bucket)

 [Launch a Step Functions State Machine](#step-functions-state-machines-docs) - Create a well architected Step Functions state machine and log group (e.g. log group has /aws/vendedlogs/ name prefix to avoid resource policy issues)

 [Launch an SQS Queue](#sqs-queues-docs) - Create a well architected SQS queue (with configured Dead Letter Queue)

 [Launch a VPC](#vpc-docs) - Create a well architected VPC

## S3 Buckets


Create fully well-architected S3 buckets with as little as one function call. Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { ConstructsFactories } from '@aws-solutions-constructs/aws-constructs-factories';

const factories = new ConstructsFactories(this, 'MyFactories');

factories.s3BucketFactory('GoodBucket', {});
```

```
from aws_cdk import (
    Stack,
)
from constructs import Construct

from aws_solutions_constructs import (
    aws_constructs_factories as cf
)

factories = cf.ConstructsFactories(self, 'MyFactories')
factories.s3_bucket_factory('GoodBucket')
```

```
import software.constructs.Construct;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;

import software.amazon.awsconstructs.services.constructsfactories.ConstructsFactories;
import software.amazon.awsconstructs.services.constructsfactories.S3BucketFactoryProps;

final ConstructsFactories factories = new ConstructsFactories(this, "MyFactories");
factories.s3BucketFactory("GoodBucket",
  new S3BucketFactoryProps.Builder().build());
```

## S3BucketFactory Function Signature


```
s3BucketFactory(id: string, props: S3BucketFactoryProps): S3BucketFactoryResponse
```

## S3BucketFactoryProps



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  bucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Bucket.  | 
|  logS3AccessLogs?  |   `boolean`   |  Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true  | 
|  loggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Logging Bucket.  | 

## S3BucketFactoryResponse



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  s3Bucket  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  The s3.Bucket created by the factory.  | 
|  s3LoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  The s3.Bucket created by the construct as the logging bucket for the primary bucket. If the logS3AccessLogs property is false, this value will be undefined.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:
+ An S3 Content Bucket
  + AWS managed Server Side Encryption (AES256)
  + Lifecycle rule to transition objects to Glacier storage class in 90 days
  + Access Logging enabled
  + All Public access blocked
  + Versioning enabled
  + UpdateReplacePolicy is delete
  + Deletion policy is delete
  + Bucket policy requiring SecureTransport
+ An S3 Bucket for Access Logs
  + AWS managed Server Side Encryption (AES256)
  + All public access blocked
  + Versioning enabled
  + UpdateReplacePolicy is delete
  + Deletion policy is delete
  + Bucket policy requiring SecureTransport
  + Bucket policy granting PutObject privileges to the S3 logging service, from the content bucket in the content bucket account.
  + cfn_nag suppression of access logging finding (not logging access to the access log bucket)

## Architecture


![\[Diagram showing the S3 bucket and Access Log bucket created by the factory.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-constructs-factories-s3.png)


## Step Functions State Machines


Create a fully well-architected Step Functions state machine with a log group. The log group name includes the vendedlogs prefix but is unique to the stack, avoiding naming collisions between instances. Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import * as sftasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
import { ConstructsFactories } from '@aws-solutions-constructs/aws-constructs-factories';

const placeholderTask = new sftasks.EvaluateExpression(this, 'placeholder', {
  expression: '$.argOne + $.argTwo'
});

const factories = new ConstructsFactories(this, 'minimalImplementation');

factories.stateMachineFactory('testsm', {
  stateMachineProps: {
    definitionBody: sfn.DefinitionBody.fromChainable(placeholderTask)
  }
});
```

```
# Pending
```

```
// Pending
```

## stateMachineFactory Function Signature


```
stateMachineFactory(id: string, props: StateMachineFactoryProps): StateMachineFactoryResponse
```

## StateMachineFactoryProps



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  stateMachineProps  |   [sfn.StateMachineProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachineProps.html)   |  The CDK properties that define the state machine. This property is required and must include a definitionBody or definition (definition is deprecated)  | 
|  logGroupProps  |   [logs.LogGroupProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  An existing LogGroup to which the new state machine will write log entries. Default: LogGroup will use default AWS settings  | 
|  logGroup?  |   [logs.LogGroup](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  An existing LogGroup to which the new state machine will write log entries. Default: none, the construct will create a new log group.  | 
|  createCloudWatchAlarms?  |  boolean  |  Whether to create recommended CloudWatch alarms for the State Machine. Default: the alarms are created  | 
|  cloudWatchAlarmsPrefix?  |  string  |  Creating multiple State Machines with one Factories construct will result in name collisions as the cloudwatch alarms originally had fixed resource ids. This value was added to avoid collisions while not making changes that would be destructive for existing stacks. Unless you are creating multiple State Machines using factories you can ignore it  | 

## StateMachineFactoryResponse



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  stateMachine  |   [sfn.StateMachine](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachine.html)   |  The state machine created by the factory (the state machine role is available as a property on this resource)  | 
|  logGroup?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  The log group that will receive log messages from the state machine.  | 
|  cloudwatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  The alarms created by the factory (ExecutionFailed, ExecutionThrottled, ExecutionAborted)  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:
+ An AWS Step Functions State Machine
  + Configured to log to the new log group at LogLevel.ERROR
+ Amazon CloudWatch Logs Log Group
  + Log name is prefaced with /aws/vendedlogs/ to avoid resource policy [issues](https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html#cloudwatch-iam-policy). The Log Group name is still created to be unique to the stack to avoid name collisions.
+ CloudWatch alarms for:
  + 1 or more failed executions
  + 1 or more executions being throttled
  + 1 or more executions being aborted

## Architecture


![\[Diagram showing the State Machine, CloudWatch Logs and Alarms, and IAM Role launched by the factory.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-constructs-factories-sf.png)


## SQS Queues


Create SQS queues complete with DLQs and KMS CMKs with one function call. Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { ConstructsFactories } from '@aws-solutions-constructs/aws-constructs-factories';

const factories = new ConstructsFactories(this, 'MyFactories');

factories.sqsQueueFactory('GoodQueue', {});
```

```
Pending
```

```
Pending
```

## SqsQueueFactory Function Signature


```
sqsQueueFactory(id: string, props: SqsQueueFactoryProps): SqsQueueFactoryResponse
```

## SqsQueueFactoryProps



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  queueProps?  |   [sqs.QueueProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional user provided props to override the default props for the primary queue.  | 
|  enableEncryptionWithCustomerManagedKey?  |  boolean  |  If no key is provided, this flag determines whether the queue is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: queueProps.encryptionMasterKey, encryptionKey or encryptionKeyProps. default - False if queueProps.encryptionMasterKey, encryptionKey, and encryptionKeyProps are all undefined.  | 
|  encryptionKey?  |   [kms.Key](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SQS Queue with. Default - none  | 
|  encryptionKeyProps?  |   [kms.KeyProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.KeyProps.html)   |  Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SQS Queue with. @default - None  | 
|  deployDeadLetterQueue?  |  boolean  |  Whether to deploy a secondary queue to be used as a dead letter queue.  | 
|  deadLetterQueueProps?  |   [sqs.QueueProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional user provided properties for the dead letter queue  | 
|  maxReceiveCount?  |  number  |  The number of times a message can be unsuccessfully dequeued before being moved to the dead letter queue. default - [code](https://github.com/awslabs/aws-solutions-constructs/blob/8b30791902e09db2f7c49410a03d5d95ccc2ef51/source/patterns/%40aws-solutions-constructs/core/lib/sqs-defaults.ts#L32)   | 

## SqsQueueFactoryResponse



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  queue  |   [sqs.Queue](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  The queue created by the factory.  | 
|  key  |   [kms.IKey](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.IKey.html)   |  The key used to encrypt the queue, if the queue was configured to use a CMK  | 
|  deadLetterQueue?  |   [sqs.DeadLetterQueue](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.DeadLetterQueue.html)   |  The dead letter queue associated with the queue created by the factory  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:
+ An SQS queue
  + Encrypted by default with KMS managed key, can be KMS CMK if flag is set
  + Only queue owner can perform operations by default (your IAM policies can override)
  + Enforced encryption for data in transit
  + DLQ configured
+ An SQS dead letter queue
  + Receives messages not processable in maxReceiveCount attempts
  + Encrypted with KMS managed key
  + Enforced encryption for data in transit

## Architecture


![\[Diagram showing the KMS keys, SQS Queue and Dead Letter Queue launched by the factory.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-constructs-factories-sqs.png)


## Virtual Private Cloud (VPC)


Creates a VPC with a flow log enabled and any requested VPC Endpoints configured.

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { ConstructsFactories } from '@aws-solutions-constructs/aws-constructs-factories';

const factories = new ConstructsFactories(this, 'MyFactories');

// This will create a VPC with subnets that cannot interact with the Internet,
// i.e. there is no Internet Gateway, nor NAT Gateway(s)
factories.vpcFactory('new-vpc', {
  subnetTypes: [
    ec2.SubnetType.PRIVATE_ISOLATED
  ]
});
```

```
Pending
```

```
Pending
```

## VpcFactory Function Signature


```
VpcFactory(id: string, props: VpcFactoryProps): VpcFactoryResponse
```

## VpcFactoryProps


This construct can create subnets either wholly based on the subnetTypes and subnetIPAddresses attributes of the VpcFactoryProps object defined below, or wholly based on the values passed in the subnetConfiguration property of the vpcProps property of VpcFactoryProps. It cannot combine those two sources, so clients must provide subnet configuration information in one, and only one, of vpcProps.subnetConfiguration or the direct VpcFactoryProps attributes (subnetTypes, subnetIPAddresses). Other vpcProps attributes can be combined with a subnetConfiguration generated from the direct VpcFactoryProps attributes.


|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  vpcProps?  |   [ec2.VpcProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html) \| any  |  Optional user provided props to override the default props for the vpc. If this property defines subnetConfiguration, then subnetTypes and subnetIPAddresses must be undefined.  | 
|  subnetTypes?  |   [ec2.SubnetType[]](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SubnetType.html)   |  Optional - Determines the various groups of subnets that will be created in the VPC. Multiple types of subnets can be specified. If this value is populated, then vpcProps.subnetConfiguration must be undefined.  | 
|  subnetIPAddresses?  |  number  |  Optional - the number of available IP addresses required in each subnet. This value is used to calculate the cidrMask. If omitted, the cidrMask uses the CDK default of 17 (up to 32763 addresses). If this value is populated, then vpcProps.subnetConfiguration must be undefined.  | 
|  endPoints?  |  ServiceEndpointTypes[]  |  Optional - A list of all VPC service endpoints to launch in the VPC. They are specified using ServiceEndpointTypes, an enum defined in the Factories construct. @default - None  | 

## VpcFactoryResponse



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  vpc  |   [ec2.Vpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html)   |  The vpc created by the factory.  | 

## Default settings


The minimal implementation of the VPC requires the client to specify what types of subnets to launch. Any values not specified default to the default values implemented by the CDK L2 VPC construct:
+ A Virtual Private Cloud
  + All requested subnet layers. By default each subnet type is deployed to 2 Availability Zones. To use more AZs, create an environment for your stack (account and region) and set maxAZs on vpcProps. PUBLIC subnets will cause the construct to deploy an Internet Gateway. PRIVATE_WITH_EGRESS subnets will cause the construct to deploy a NAT Gateway in each AZ, as well as an Internet Gateway.
  + A configured VPC Flow log in CloudWatch Logs
  + All VPC Endpoints that are specified in endPoints. Interface endpoints are deployed with recommended Security Groups.

## Architecture


While the architecture deployed will vary depending on the subnet configuration, the diagram below represents what is deployed if the client requests PUBLIC and PRIVATE_WITH_EGRESS subnets.

![\[Diagram showing the VPC, Subnets, Route Tables, Internet Gateway, NAT Gateways, Interface Endpoint and Flow Log.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-constructs-factories-vpc.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-constructs-factories) for this pattern to view the code, read/create issues and pull requests and more.



# aws-dynamodbstreams-lambda-elasticsearch-kibana


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_dynamodbstreams_lambda_elasticsearch_kibana`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-dynamodbstreams-lambda-elasticsearch-kibana`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.dynamodbstreamslambdaelasticsearchkibana`   | 

## Overview


This AWS Solutions Construct implements an Amazon DynamoDB table with stream, an AWS Lambda function and Amazon Elasticsearch Service with the least privileged permissions.

**Some cluster configurations (e.g. VPC access) require the existence of the `AWSServiceRoleForAmazonElasticsearchService` Service-Linked Role in your account.** 

 **You will need to create the service-linked role using the AWS CLI once in any account using this construct (it may have already been run to support other stacks):** 

```
aws iam create-service-linked-role --aws-service-name es.amazonaws.com
```

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps, Aws } from 'aws-cdk-lib';
import { DynamoDBStreamsToLambdaToElasticSearchAndKibana, DynamoDBStreamsToLambdaToElasticSearchAndKibanaProps } from '@aws-solutions-constructs/aws-dynamodbstreams-lambda-elasticsearch-kibana';
import * as lambda from 'aws-cdk-lib/aws-lambda';

const constructProps: DynamoDBStreamsToLambdaToElasticSearchAndKibanaProps = {
  lambdaFunctionProps: {
    code: lambda.Code.fromAsset(`lambda`),
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler'
  },
  domainName: 'test-domain',
  // NOTE: Ensure the Cognito domain name is globally unique
  cognitoDomainName: 'globallyuniquedomain' + Aws.ACCOUNT_ID
};

new DynamoDBStreamsToLambdaToElasticSearchAndKibana(this, 'test-dynamodbstreams-lambda-elasticsearch-kibana', constructProps);
```

```
from aws_solutions_constructs.aws_dynamodbstreams_lambda_elasticsearch_kibana import DynamoDBStreamsToLambdaToElasticSearchAndKibana, DynamoDBStreamsToLambdaToElasticSearchAndKibanaProps
from aws_cdk import (
    Stack,
    aws_lambda as _lambda,
    Aws,
)
from constructs import Construct

DynamoDBStreamsToLambdaToElasticSearchAndKibana(
    self, 'test-dynamodbstreams-lambda-elasticsearch-kibana',
    lambda_function_props=_lambda.FunctionProps(
        code=_lambda.Code.from_asset('lambda'),
        runtime=_lambda.Runtime.PYTHON_3_14,
        handler='index.handler'
    ),
    domain_name='test-domain',
    # NOTE: Ensure the Cognito domain name is globally unique
    cognito_domain_name='globallyuniquedomain' + Aws.ACCOUNT_ID)
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Aws;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.dynamodbstreamslambdaelasticsearchkibana.*;

new DynamoDBStreamsToLambdaToElasticSearchAndKibana(this, "test-dynamodb-stream-lambda-elasticsearch-kibana",
        new DynamoDBStreamsToLambdaToElasticSearchAndKibanaProps.Builder()
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_22_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .build())
                .domainName("test-domain")
                .cognitoDomainName("globallyuniquedomain" + Aws.ACCOUNT_ID)
                .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [lambda.Function](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [lambda.FunctionProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  dynamoTableProps?  |   [dynamodb.TableProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.TableProps.html)   |  Optional user provided props to override the default props for the DynamoDB Table. Providing both this and `existingTableInterface` causes an error.  | 
|  existingTableInterface?  |   [dynamodb.ITable](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.ITable.html)   |  Optional - existing DynamoDB table, providing both this and `dynamoTableProps` will cause an error.  | 
|  dynamoEventSourceProps?  |   [lambda_event_sources.DynamoEventSourceProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_event_sources.DynamoEventSourceProps.html)   |  Optional user provided props to override the default props for DynamoDB Event Source  | 
|  esDomainProps?  |   [elasticsearch.CfnDomainProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticsearch.CfnDomainProps.html)   |  Optional user provided props to override the default props for the Elasticsearch Service  | 
|  domainName  |   `string`   |  Domain name for the Cognito and the Elasticsearch Service  | 
|  cognitoDomainName?  |   `string`   |  Optional Cognito Domain Name, if provided it will be used for Cognito Domain, and domainName will be used for the Elasticsearch Domain.  | 
|  deploySqsDlqQueue?  |   `boolean`   |  Whether to deploy an SQS dead letter queue. When a data record reaches the Maximum Retry Attempts or Maximum Record Age, its metadata, such as shard ID and stream ARN, will be sent to an SQS queue.  | 
|  sqsDlqQueueProps?  |   [sqs.QueueProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional user provided properties for the SQS dead letter queue  | 
|  createCloudWatchAlarms?  |   `boolean`   |  Whether to create recommended CloudWatch alarms  | 
|  existingVpc?  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the construct. Providing both this and `vpcProps` causes an error.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 
|  vpcProps?  |   [ec2.VpcProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user-provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the Construct, so any values for those properties supplied here will be overridden. If `deployVpc?` is not `true` then this property will be ignored.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  dynamoTableInterface  |   [dynamodb.ITable](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.ITable.html)   |  Returns an instance of dynamodb.ITable created by the construct  | 
|  dynamoTable?  |   [dynamodb.Table](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html)   |  Returns an instance of dynamodb.Table created by the construct. IMPORTANT: If existingTableInterface was provided in Pattern Construct Props, this property will be `undefined`   | 
|  lambdaFunction  |   [lambda.Function](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of lambda.Function created by the construct  | 
|  userPool  |   [cognito.UserPool](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPool.html)   |  Returns an instance of cognito.UserPool created by the construct  | 
|  userPoolClient  |   [cognito.UserPoolClient](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPoolClient.html)   |  Returns an instance of cognito.UserPoolClient created by the construct  | 
|  identityPool  |   [cognito.CfnIdentityPool](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.CfnIdentityPool.html)   |  Returns an instance of cognito.CfnIdentityPool created by the construct  | 
|  elasticsearchDomain  |   [elasticsearch.CfnDomain](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticsearch.CfnDomain.html)   |  Returns an instance of elasticsearch.CfnDomain created by the construct  | 
|  elasticsearchRole  |   [iam.Role](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of iam.Role created by the construct for elasticsearch.CfnDomain  | 
|  cloudwatchAlarms?  |   [cloudwatch.Alarm[]](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns a list of cloudwatch.Alarm created by the construct  | 
|  vpc?  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an instance of the VPC created by the pattern, if `deployVpc?` is `true`, or `existingVpc?` is provided.  | 

## Lambda Function


This pattern requires a Lambda function that can post data into Elasticsearch from the DynamoDB stream. A sample function is provided [here](https://github.com/awslabs/aws-solutions-constructs/blob/master/source/patterns/%40aws-solutions-constructs/aws-dynamodbstreams-lambda-elasticsearch-kibana/test/lambda/index.js).

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon DynamoDB Table

+ Set the billing mode for DynamoDB Table to On-Demand (Pay per request)
+ Enable server-side encryption for DynamoDB Table using AWS managed KMS Key
+ Creates a partition key called "id" for DynamoDB Table
+ Retain the Table when deleting the CloudFormation stack
+ Enable continuous backups and point-in-time recovery

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Enable failure-handling features: bisect on function error, defaults for Maximum Record Age (24 hours) and Maximum Retry Attempts (500), and an SQS dead-letter queue as the destination on failure
+ Set Environment Variables
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

### Amazon Cognito

+ Set password policy for User Pools
+ Enforce the advanced security mode for User Pools

### Amazon Elasticsearch Service

+ Deploy best practices CloudWatch Alarms for the Elasticsearch Domain
+ Secure the Kibana dashboard access with Cognito User Pools
+ Enable server-side encryption for Elasticsearch Domain using AWS managed KMS Key
+ Enable node-to-node encryption for Elasticsearch Domain
+ Configure the cluster for the Amazon ES domain

## Architecture


![\[Diagram showing data flow between AWS services including Elasticsearch, Cognito, DynamoDB, Lambda, CloudWatch and an IAM Role\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-dynamodbstreams-lambda-elasticsearch-kibana.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-dynamodbstreams-lambda-elasticsearch-kibana) for this pattern to view the code, read/create issues and pull requests and more.



# aws-dynamodbstreams-lambda


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_dynamodbstreams_lambda`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-dynamodbstreams-lambda`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.dynamodbstreamslambda`   | 

## Overview


This AWS Solutions Construct implements an Amazon DynamoDB table with stream that invokes an AWS Lambda function with the least privileged permissions.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { DynamoDBStreamsToLambdaProps,  DynamoDBStreamsToLambda} from '@aws-solutions-constructs/aws-dynamodbstreams-lambda';
import * as lambda from 'aws-cdk-lib/aws-lambda';

new DynamoDBStreamsToLambda(this, 'test-dynamodbstreams-lambda', {
  lambdaFunctionProps: {
      code: lambda.Code.fromAsset(`lambda`),
      runtime: lambda.Runtime.NODEJS_22_X,
      handler: 'index.handler'
  },
});
```

```
from aws_solutions_constructs.aws_dynamodbstreams_lambda import DynamoDBStreamsToLambda
from aws_cdk import (
  aws_lambda as _lambda,
  Stack
)
from constructs import Construct

DynamoDBStreamsToLambda(self, 'test-dynamodbstreams-lambda',
                        lambda_function_props=_lambda.FunctionProps(
                            code=_lambda.Code.from_asset('lambda'),
                            runtime=_lambda.Runtime.PYTHON_3_14,
                            handler='index.handler'
                        )
                        )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.dynamodbstreamslambda.*;

new DynamoDBStreamsToLambda(this, "test-dynamodbstreams-lambda",
        new DynamoDBStreamsToLambdaProps.Builder()
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_22_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .build())
                .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [lambda.Function](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [lambda.FunctionProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  dynamoTableProps?  |   [dynamodb.TableProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.TableProps.html)   |  Optional user provided props to override the default props for the DynamoDB Table. Providing both this and `existingTableInterface` causes an error.  | 
|  existingTableInterface?  |   [dynamodb.ITable](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.ITable.html)   |  Optional - existing DynamoDB table, providing both this and `dynamoTableProps` will cause an error.  | 
|  dynamoEventSourceProps?  |   [lambda_event_sources.DynamoEventSourceProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_event_sources.DynamoEventSourceProps.html)   |  Optional user provided props to override the default props for DynamoDB Event Source  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  dynamoTableInterface  |   [dynamodb.ITable](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.ITable.html)   |  Returns an instance of dynamodb.ITable created by the construct  | 
|  dynamoTable?  |   [dynamodb.Table](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html)   |  Returns an instance of dynamodb.Table created by the construct. IMPORTANT: If existingTableInterface was provided in Pattern Construct Props, this property will be `undefined`   | 
|  lambdaFunction  |   [lambda.Function](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of lambda.Function created by the construct  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon DynamoDB Table

+ Set the billing mode for DynamoDB Table to On-Demand (Pay per request)
+ Enable server-side encryption for DynamoDB Table using AWS managed KMS Key
+ Creates a partition key called "id" for DynamoDB Table
+ Retain the Table when deleting the CloudFormation stack
+ Enable continuous backups and point-in-time recovery

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Enable failure-handling features: bisect on function error, defaults for Maximum Record Age (24 hours) and Maximum Retry Attempts (500), and an SQS dead-letter queue as the destination on failure
+ Set Environment Variables
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)
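
The defaults listed above, and the matching DynamoDB and Lambda defaults of aws-dynamodbstreams-lambda-elasticsearch-kibana, can be replaced through `dynamoTableProps`, `lambdaFunctionProps` and `dynamoEventSourceProps`, so it is worth checking the synthesized template. The following TypeScript is an added example, not code from the Solutions Constructs library: the template is constructed sample data, and the mapping from each documented default to a CloudFormation property path is an assumption of the example.

```typescript
// Added example: audit a synthesized CloudFormation template (the JSON that
// `cdk synth` writes to cdk.out) for the defaults this page lists.
// Property paths are standard CloudFormation names; pairing each documented
// default with a path is this example's assumption.
type CfnResource = { Type: string; DeletionPolicy?: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };
type Check = { name: string; passes: (r: CfnResource) => boolean };
type Finding = { logicalId: string; check: string };

// Walk a dotted path through nested template JSON; undefined if any hop is missing.
function get(obj: unknown, path: string): unknown {
  let cur: unknown = obj;
  for (const key of path.split('.')) {
    if (typeof cur !== 'object' || cur === null) return undefined;
    cur = (cur as Record<string, unknown>)[key];
  }
  return cur;
}

// -1 (or an absent value) means "infinite" for stream retries and record age.
function bounded(value: unknown): boolean {
  return typeof value === 'number' && value >= 0;
}

const CHECKS: { [type: string]: Check[] | undefined } = {
  'AWS::DynamoDB::Table': [
    { name: 'on-demand billing', passes: r => get(r, 'Properties.BillingMode') === 'PAY_PER_REQUEST' },
    { name: 'server-side encryption', passes: r => get(r, 'Properties.SSESpecification.SSEEnabled') === true },
    { name: 'point-in-time recovery', passes: r =>
        get(r, 'Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled') === true },
    { name: 'retained on stack deletion', passes: r => r.DeletionPolicy === 'Retain' },
  ],
  'AWS::Lambda::Function': [
    { name: 'X-Ray tracing', passes: r => get(r, 'Properties.TracingConfig.Mode') === 'Active' },
    { name: 'connection reuse (Node.js only)', passes: r => {
        const runtime = get(r, 'Properties.Runtime');
        const isNode = typeof runtime === 'string' && runtime.indexOf('nodejs') === 0;
        return !isNode ||
          get(r, 'Properties.Environment.Variables.AWS_NODEJS_CONNECTION_REUSE_ENABLED') !== undefined;
      } },
  ],
  'AWS::Lambda::EventSourceMapping': [
    { name: 'bisect batch on function error', passes: r =>
        get(r, 'Properties.BisectBatchOnFunctionError') === true },
    { name: 'maximum record age is bounded', passes: r =>
        bounded(get(r, 'Properties.MaximumRecordAgeInSeconds')) },
    { name: 'maximum retry attempts is bounded', passes: r =>
        bounded(get(r, 'Properties.MaximumRetryAttempts')) },
    { name: 'on-failure destination (DLQ)', passes: r =>
        get(r, 'Properties.DestinationConfig.OnFailure.Destination') !== undefined },
  ],
};

// Return one finding per resource/default pair that the template no longer satisfies.
function auditTemplate(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const resource = template.Resources[logicalId];
    if (!resource) continue;
    for (const check of CHECKS[resource.Type] || []) {
      if (!check.passes(resource)) findings.push({ logicalId, check: check.name });
    }
  }
  return findings;
}

// Constructed sample: a template where overrides removed three of the defaults.
const sampleTemplate: CfnTemplate = {
  Resources: {
    Table: {
      Type: 'AWS::DynamoDB::Table',
      DeletionPolicy: 'Delete', // override: the default is Retain
      Properties: {
        BillingMode: 'PAY_PER_REQUEST',
        SSESpecification: { SSEEnabled: true },
        StreamSpecification: { StreamViewType: 'NEW_AND_OLD_IMAGES' },
        // PointInTimeRecoverySpecification dropped by the override
      },
    },
    Fn: {
      Type: 'AWS::Lambda::Function',
      Properties: {
        Runtime: 'nodejs22.x',
        TracingConfig: { Mode: 'Active' },
        Environment: { Variables: { AWS_NODEJS_CONNECTION_REUSE_ENABLED: '1' } },
      },
    },
    Mapping: {
      Type: 'AWS::Lambda::EventSourceMapping',
      Properties: {
        BisectBatchOnFunctionError: true,
        MaximumRecordAgeInSeconds: 86400,
        MaximumRetryAttempts: -1, // override: retry forever
        DestinationConfig: { OnFailure: { Destination: { 'Fn::GetAtt': ['Dlq', 'Arn'] } } },
      },
    },
  },
};

for (const f of auditTemplate(sampleTemplate)) {
  console.log(`${f.logicalId}: default not in effect: ${f.check}`);
}
```

Run as a CI step against the real template, a non-empty result shows which override removed a default before the stack is deployed.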

## Architecture


![\[Diagram showing data flow between AWS services including DynamoDB, Lambda, CloudWatch and an IAM Role\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-dynamodbstreams-lambda.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-dynamodbstreams-lambda) for this pattern to view the code, read/create issues and pull requests and more.



# aws-dynamodbstreams-pipes-stepfunctions


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_dynamodbstreams_pipes_stepfunctions`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-dynamodbstreams-pipes-stepfunctions`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.dynamodbstreamspipesstepfunctions`   | 

## Overview


This AWS Solutions Construct implements an Amazon DynamoDB table with stream that executes an AWS Step Functions state machine via an Amazon EventBridge pipe.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import { DynamoDBStreamsToPipesToStepfunctions, DynamoDBStreamsToPipesToStepfunctionsProps } from "@aws-solutions-constructs/aws-dynamodbstreams-pipes-stepfunctions";

    const startState = new sfn.Pass(this, 'StartState');

    new DynamoDBStreamsToPipesToStepfunctions(this, 'DynamoDBStreamsToPipesToStepfunctionsPattern', {
      stateMachineProps: {
        definitionBody: sfn.DefinitionBody.fromChainable(sfn.Chain.start(new sfn.Pass(this, 'Pass'))),
      }
    });
```

```
from constructs import Construct
from aws_cdk import (
    aws_stepfunctions as _sfn,
    Stack
)
from aws_solutions_constructs import (
    aws_dynamodbstreams_pipes_stepfunctions as dynamodbstreams_pipes_stepfunctions
)

dynamodbstreams_pipes_stepfunctions.DynamoDBStreamsToPipesToStepfunctions(
    self, 'DynamoDBStreamsToPipesToStepfunctions',
    state_machine_props=_sfn.StateMachineProps(
        definition_body=_sfn.DefinitionBody.from_chainable(_sfn.Chain.start(_sfn.Pass(self, "pass")))
    )
)
```

```
package com.myorg;

import software.constructs.Construct;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;

import software.amazon.awscdk.services.stepfunctions.*;
import software.amazon.awsconstructs.services.dynamodbstreamspipesstepfunctions.DynamoDBStreamsToPipesToStepfunctions;
import software.amazon.awsconstructs.services.dynamodbstreamspipesstepfunctions.DynamoDBStreamsToPipesToStepfunctionsProps;

new DynamoDBStreamsToPipesToStepfunctions(this, "DynamoDBStreamsToPipesToStepfunctionsPattern",
    DynamoDBStreamsToPipesToStepfunctionsProps.builder()
        .stateMachineProps(StateMachineProps.builder()
            .definitionBody(DefinitionBody.fromChainable(Chain.start(new Pass(this, "Pass"))))
            .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  dynamoTableProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.TableProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.TableProps.html)   |  Optional user provided props to override the default props for the DynamoDB Table. Providing both this and `existingTableInterface` causes an error.  | 
|  existingTableInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.ITable.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.ITable.html)   |  Optional - existing DynamoDB table, providing both this and `dynamoTableProps` will cause an error.  | 
|  dynamoEventSourceProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_event_sources.DynamoEventSourceProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_event_sources.DynamoEventSourceProps.html)   |  Optional user provided props to override the default props for DynamoDB Event Source  | 
|  deploySqsDlqQueue  |  boolean  |  Whether to deploy a SQS dead letter queue when a data record reaches the Maximum Retry Attempts or Maximum Record Age, its metadata like shard ID and stream ARN will be sent to an SQS queue. The construct will create and configure the DLQ with a default maximumRetryAttempts of 2. To customize this, you should set maximumRecordAgeInSeconds and/or maximumRetryAttempts attempts in pipeProps.sourceParameters.dynamoDbStreamParameters. Default - deploy queue, MaximumRetryAttempts is set to 3, and maximumRecordAge is left to default (-1, or infinite)  | 
|  sqsDlqQueueProps  |   [sqs.QueueProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional user provided properties for the SQS dead letter queue  | 
|  stateMachineProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachineProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachineProps.html)   |  User provided props for the sfn.StateMachine.  | 
|  existingStateMachineObj  |   [sfn.StateMachine](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachine.html)   |  Optional existing state machine to incorporate into the construct  | 
|  createCloudWatchAlarms?  |   `boolean`   |  Whether to create recommended CloudWatch alarms  | 
|  logGroupProps?  |   [logs.LogGroupProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  Optional user provided props to override the default props for the CloudWatchLogs LogGroup for the state machine.  | 
|  pipeProps?  |   [pipes.CfnPipeProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_pipes.CfnPipeProps.html)   |  Optional customer provided settings for the EventBridge pipe. source, target and roleArn are set by the construct and cannot be overridden. The construct will generate default sourceParameters, targetParameters and logConfiguration that can be overridden by populating those values in these props. If the client wants to implement enrichment or a filter, this is where that information can be provided. Any other props can be freely overridden. To control aspects of the Streams feed (e.g. batchSize, startingPosition), do that here under sourceParameters.dynamoDbStreamParameters.  | 
|  enrichmentFunction?  |   [lambda.Function](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - Lambda function that the construct will configure to be called to enrich the message between source and target. The construct will configure the pipe IAM role to allow invoking the function (but will not affect the IAM role assigned to the function). Specifying both this and enrichmentStateMachine causes an error. Default - undefined  | 
|  enrichmentStateMachine?  |   [sfn.StateMachine](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachine.html)   |  Optional - Step Functions state machine that the construct will configure to be called to enrich the message between source and target. The construct will configure the pipe IAM role to allow executing the state machine (but will not affect the IAM role assigned to the state machine). Specifying both this and enrichmentFunction causes an error. Default - undefined  | 
|  logLevel?  |  PipesLogLevel  |  Threshold for what messages the new pipe sends to the log: PipesLogLevel.OFF, PipesLogLevel.ERROR, PipesLogLevel.INFO, PipesLogLevel.TRACE. The default is INFO. Setting the level to OFF will prevent any log group from being created. Providing pipeProps.logConfiguration controls all aspects of logging, and any construct provided log configuration is disabled. If pipeProps.logConfiguration is provided then specifying this or pipeLogProps causes an error.  | 
|  pipeLogProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  Default behavior is for this construct to create a new CloudWatch Logs log group for the pipe. These props are used to override defaults set by AWS or this construct. If there are concerns about the cost of log storage, this is where a client can specify a shorter retention duration (in days)  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  dynamoTableInterface  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.ITable.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.ITable.html)   |  Returns an instance of dynamodb.ITable created by the construct  | 
|  dynamoTable?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html)   |  Returns an instance of dynamodb.Table created by the construct. IMPORTANT: If existingTableInterface was provided in Pattern Construct  | 
|  stateMachineLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.ILogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.ILogGroup.html)   |  Returns an instance of the ILogGroup created by the construct for StateMachine  | 
|  cloudwatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns a list of alarms created by the construct.  | 
|  pipe  |   [pipes.CfnPipe](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_pipes.CfnPipe.html)   |  The L1 pipe construct created by this Solutions Construct.  | 
|  pipeRole  |   [iam.Role](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  The role created that allows the pipe to access both the source and the target.  | 

## Default settings


Out-of-the-box implementation of the construct without any overrides will set the following defaults:

### Amazon DynamoDB Table

+ Set the billing mode for DynamoDB Table to On-Demand (Pay per request)
+ Enable server-side encryption for DynamoDB Table using AWS managed KMS Key
+ Create a partition key called "id" for DynamoDB Table
+ Retain the Table when deleting the CloudFormation stack
+ Enable continuous backups and point-in-time recovery
+ Create a DynamoDB stream based on the table

### AWS Step Functions State Machine

+ Deploy Step Functions standard state machine
+ Create CloudWatch log group with /vendedlogs/ prefix in name
+ Deploy best practices CloudWatch Alarms for the Step Functions

### AWS EventBridge Pipe

+ Pipe configured with a DynamoDB stream source and state machine target
+ A least privilege IAM role assigned to the pipe to access the queue and state machine
+ CloudWatch logs set up at the "INFO" level
+ Encrypted with an AWS managed KMS key

## Architecture


![\[Diagram showing data flow between AWS services including DynamoDB, EventBridge Pipe, CloudWatch log groups, State Machine and an IAM role.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-dynamodbstreams-pipes-stepfunctions.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-dynamodbstreams-pipes-stepfunctions) for this pattern to view the code, read/create issues and pull requests and more.



# aws-eventbridge-kinesisfirehose-s3


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_eventbridge_kinesisfirehose_s3`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-eventbridge-kinesisfirehose-s3`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.eventbridgekinesisfirehoses3`   | 

## Overview


This AWS Solutions Construct implements an Amazon EventBridge Rule to send data to an Amazon Kinesis Data Firehose delivery stream connected to an Amazon S3 bucket.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps, Duration } from 'aws-cdk-lib';
import { EventbridgeToKinesisFirehoseToS3, EventbridgeToKinesisFirehoseToS3Props } from '@aws-solutions-constructs/aws-eventbridge-kinesisfirehose-s3';
import * as events from 'aws-cdk-lib/aws-events';

const constructProps: EventbridgeToKinesisFirehoseToS3Props = {
  eventRuleProps: {
    // Trigger the rule every five minutes
    schedule: events.Schedule.rate(Duration.minutes(5))
  }
};

new EventbridgeToKinesisFirehoseToS3(this, 'test-eventbridge-firehose-s3', constructProps);
```

```
from aws_solutions_constructs.aws_eventbridge_kinesis_firehose_s3 import EventbridgeToKinesisFirehoseToS3, EventbridgeToKinesisFirehoseToS3Props
from aws_cdk import (
    aws_events as events,
    Duration,
    Stack
)
from constructs import Construct

EventbridgeToKinesisFirehoseToS3(self, 'test-eventbridge-firehose-s3',
                                event_rule_props=events.RuleProps(
                                    schedule=events.Schedule.rate(
                                        Duration.minutes(5))
                                ))
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.Duration;
import software.amazon.awscdk.services.events.*;
import software.amazon.awsconstructs.services.eventbridgekinesisfirehoses3.*;

new EventbridgeToKinesisFirehoseToS3(this, "test-eventbridge-firehose-s3",
        new EventbridgeToKinesisFirehoseToS3Props.Builder()
                .eventRuleProps(new RuleProps.Builder()
                        .schedule(Schedule.rate(Duration.minutes(5)))
                        .build())
                .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingEventBusInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Optional - user provided custom EventBus for this construct to use. Providing both this and `eventBusProps` causes an error.  | 
|  eventBusProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusProps.html)   |  Optional - user provided properties to override the default properties when creating a custom EventBus. Setting this value to `{}` will create a custom EventBus using all default properties. If neither this nor `existingEventBusInterface` is provided the construct will use the default EventBus. Providing both this and `existingEventBusInterface` causes an error.  | 
|  eventRuleProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.RuleProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.RuleProps.html)   |  User provided eventRuleProps to override the defaults.  | 
|  kinesisFirehoseProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStreamProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStreamProps.html)   |  Optional user provided props to override the default props for Kinesis Firehose Delivery Stream  | 
|  existingBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Optional - existing instance of S3 Bucket. If this is provided, then also providing bucketProps causes an error.  | 
|  bucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Bucket, providing both this and `existingBucketObj` will cause an error.  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  User provided props to override the default props for the CloudWatchLogs LogGroup.  | 
|  loggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Logging Bucket.  | 
|  logS3AccessLogs?  |  boolean  |  Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true  | 

**Note**  
 `existingLoggingBucketObj` has been deprecated - to specify an existing Log Bucket, use `bucketProps.serverAccessLogsBucket`.

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  eventBus?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Returns the instance of events.IEventBus used by the construct  | 
|  eventsRule  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.Rule.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.Rule.html)   |  Returns an instance of events.Rule created by the construct.  | 
|  kinesisFirehose  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream.html)   |  Returns an instance of kinesisfirehose.CfnDeliveryStream created by the construct  | 
|  s3Bucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct  | 
|  s3LoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket.  | 
|  eventsRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for Events Rule  | 
|  kinesisFirehoseRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for Kinesis Data Firehose delivery stream  | 
|  kinesisFirehoseLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  Returns an instance of the LogGroup created by the construct for Kinesis Data Firehose delivery stream  | 
|  s3BucketInterface  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an instance of s3.IBucket created by the construct  | 

## Default settings


Out-of-the-box implementation of the construct without any overrides will set the following defaults:

### Amazon EventBridge Rule

+ Configure least privilege access IAM role for Amazon EventBridge Rule to publish to the Kinesis Firehose Delivery Stream.

### Amazon Kinesis Firehose

+ Enable CloudWatch logging for Kinesis Firehose
+ Configure least privilege access IAM role for Amazon Kinesis Firehose

### Amazon S3 Bucket

+ Configure Access logging for S3 Bucket
+ Enable server-side encryption for S3 Bucket using AWS managed KMS Key
+ Turn on the versioning for S3 Bucket
+ Don’t allow public access for S3 Bucket
+ Retain the S3 Bucket when deleting the CloudFormation stack
+ Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days
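
Because `bucketProps` can override any of these defaults, a reviewer can audit the synthesized template (`cdk synth` output) before deployment. The following is an added example, not code from AWS Solutions Constructs: the property names are CloudFormation's `AWS::S3::Bucket` schema, while the logical IDs, check names and both sample templates are constructed for illustration. It assumes that a bucket which only receives another bucket's access logs is out of scope, since the list above describes the primary bucket.

```typescript
// Added example: audit a synthesized CloudFormation template for the S3 defaults listed above.
type Json = { [key: string]: any };

// The four PublicAccessBlockConfiguration flags behind "Don't allow public access".
const PUBLIC_ACCESS_FLAGS = ["BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets"];

// One check per listed default; ok() returns true while the default is still in place.
const S3_DEFAULT_CHECKS: { name: string; ok: (bucket: Json) => boolean }[] = [
  { name: "access-logging", ok: (b) => Boolean(b.Properties?.LoggingConfiguration) },
  {
    name: "server-side-encryption",
    ok: (b) => {
      const rules: Json[] = b.Properties?.BucketEncryption?.ServerSideEncryptionConfiguration || [];
      return rules.length > 0 && rules.every((r) => typeof r.ServerSideEncryptionByDefault?.SSEAlgorithm === "string");
    },
  },
  { name: "versioning", ok: (b) => b.Properties?.VersioningConfiguration?.Status === "Enabled" },
  {
    name: "public-access-block",
    ok: (b) => {
      const cfg: Json = b.Properties?.PublicAccessBlockConfiguration || {};
      return PUBLIC_ACCESS_FLAGS.every((flag) => cfg[flag] === true);
    },
  },
  { name: "retain-on-delete", ok: (b) => b.DeletionPolicy === "Retain" },
  {
    name: "noncurrent-to-glacier-90d",
    ok: (b) => {
      const rules: Json[] = b.Properties?.LifecycleConfiguration?.Rules || [];
      return rules.some((r) => r.Status === "Enabled" &&
        (r.NoncurrentVersionTransitions || []).some((t: Json) => t.StorageClass === "GLACIER" && t.TransitionInDays === 90));
    },
  },
];

// Logical IDs of every AWS::S3::Bucket in the template.
function bucketIds(template: Json): string[] {
  const resources: Json = template.Resources || {};
  return Object.keys(resources).filter((id) => resources[id].Type === "AWS::S3::Bucket");
}

// Buckets that receive another bucket's access logs (referenced through { Ref: <logicalId> }).
function logDestinationIds(template: Json): string[] {
  return bucketIds(template)
    .map((id) => template.Resources[id].Properties?.LoggingConfiguration?.DestinationBucketName?.Ref)
    .filter((ref) => typeof ref === "string");
}

// Returns "<bucketLogicalId>: <check>" for every listed default that is missing.
function auditS3Defaults(template: Json): string[] {
  const logOnly = logDestinationIds(template);
  const findings: string[] = [];
  for (const id of bucketIds(template)) {
    if (logOnly.indexOf(id) !== -1) continue; // assumption: log-destination buckets are out of scope
    for (const check of S3_DEFAULT_CHECKS) {
      if (!check.ok(template.Resources[id])) findings.push(id + ": " + check.name);
    }
  }
  return findings;
}

// Constructed sample: shape of a synthesized template with every listed default in place.
function sampleTemplate(): Json {
  return {
    Resources: {
      LoggingBucket: { Type: "AWS::S3::Bucket", Properties: {} },
      DataBucket: {
        Type: "AWS::S3::Bucket",
        DeletionPolicy: "Retain",
        UpdateReplacePolicy: "Retain",
        Properties: {
          BucketEncryption: {
            ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: "aws:kms" } }],
          },
          VersioningConfiguration: { Status: "Enabled" },
          PublicAccessBlockConfiguration: {
            BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true,
          },
          LoggingConfiguration: { DestinationBucketName: { Ref: "LoggingBucket" } },
          LifecycleConfiguration: {
            Rules: [{ Status: "Enabled", NoncurrentVersionTransitions: [{ StorageClass: "GLACIER", TransitionInDays: 90 }] }],
          },
        },
      },
    },
  };
}

// Constructed sample: the same stack after an override dropped versioning and
// switched off one public-access flag.
function weakenedTemplate(): Json {
  const template = sampleTemplate();
  const props = template.Resources.DataBucket.Properties;
  delete props.VersioningConfiguration;
  props.PublicAccessBlockConfiguration.BlockPublicPolicy = false;
  return template;
}
```

An empty result from `auditS3Defaults` means every listed default survived the overrides; any entry names the bucket and the default that was lost.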

## Architecture


![\[Diagram showing the EventBridge rule, IAM roles, Kinesis data firehose, S3 buckets, CloudWatch log group and IAM roles created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-eventbridge-kinesisfirehose-s3.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-eventbridge-kinesisfirehose-s3) for this pattern to view the code, read/create issues and pull requests and more.



# aws-eventbridge-kinesisstreams


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_eventbridge_kinesisstreams`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-eventbridge-kinesisstreams`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.eventbridgekinesisstreams`   | 

## Overview


This AWS Solutions Construct implements an Amazon EventBridge rule to send data to an Amazon Kinesis Data Stream.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps, Duration } from 'aws-cdk-lib';
import { EventbridgeToKinesisStreams, EventbridgeToKinesisStreamsProps } from "@aws-solutions-constructs/aws-eventbridge-kinesisstreams";
import * as events from 'aws-cdk-lib/aws-events';

const constructProps: EventbridgeToKinesisStreamsProps = {
  eventRuleProps: {
    schedule: events.Schedule.rate(Duration.minutes(5)),
  }
};

new EventbridgeToKinesisStreams(this, 'test-eventbridge-kinesis-streams', constructProps);
```

```
from aws_solutions_constructs.aws_eventbridge_kinesis_streams import EventbridgeToKinesisStreams, EventbridgeToKinesisStreamsProps
from aws_cdk import (
    aws_events as events,
    Duration,
    Stack
)
from constructs import Construct

EventbridgeToKinesisStreams(self, 'test-eventbridge-kinesis-streams',
    event_rule_props=events.RuleProps(
        schedule=events.Schedule.rate(Duration.minutes(5)),
    ))
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.Duration;
import software.amazon.awscdk.services.events.*;
import software.amazon.awsconstructs.services.eventbridgekinesisstreams.*;

new EventbridgeToKinesisStreams(this, "test-eventbridge-kinesis-streams",
        new EventbridgeToKinesisStreamsProps.Builder()
                .eventRuleProps(new RuleProps.Builder()
                        .schedule(Schedule.rate(Duration.minutes(5)))
                        .build())
                .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingEventBusInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Optional - user provided custom EventBus for this construct to use. Providing both this and `eventBusProps` causes an error.  | 
|  eventBusProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusProps.html)   |  Optional - user provided properties to override the default properties when creating a custom EventBus. Setting this value to `{}` will create a custom EventBus using all default properties. If neither this nor `existingEventBusInterface` is provided the construct will use the default EventBus. Providing both this and `existingEventBusInterface` causes an error.  | 
|  eventRuleProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.RuleProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.RuleProps.html)   |  User provided eventRuleProps to override the defaults.  | 
|  existingStreamObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  Existing instance of Kinesis Stream, providing both this and `kinesisStreamProps` will cause an error.  | 
|  kinesisStreamProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html)   |  Optional user-provided props to override the default props for the Kinesis stream.  | 
|  createCloudWatchAlarms  |   `boolean`   |  Whether to create recommended CloudWatch alarms.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  eventBus?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Returns the instance of events.IEventBus used by the construct  | 
|  eventsRule  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.Rule.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.Rule.html)   |  Returns an instance of events.Rule created by the construct.  | 
|  kinesisStream  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  Returns an instance of the Kinesis stream created by the pattern.  | 
|  eventsRole?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for events rule.  | 
|  cloudwatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns an instance of the cloudwatch.Alarm[] created by the construct.  | 

## Default settings


Out-of-the-box implementation of the construct without any overrides will set the following defaults:

### Amazon EventBridge Rule

+ Configure least privilege access IAM role for EventBridge Rule to publish to the Kinesis Data Stream.

### Amazon Kinesis Stream

+ Enable server-side encryption for Kinesis Data Stream using AWS Managed KMS Key.

## Architecture


![\[Diagram showing the EventBridge rule, Kinesis data stream and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-eventbridge-kinesisstreams.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-eventbridge-kinesisstreams) for this pattern to view the code, read/create issues and pull requests and more.



# aws-eventbridge-lambda


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_eventbridge_lambda`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-eventbridge-lambda`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.eventbridgelambda`   | 

## Overview


This AWS Solutions Construct implements an AWS EventBridge rule and an AWS Lambda function.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps, Duration } from 'aws-cdk-lib';
import { EventbridgeToLambdaProps, EventbridgeToLambda } from '@aws-solutions-constructs/aws-eventbridge-lambda';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import * as events from 'aws-cdk-lib/aws-events';

const constructProps: EventbridgeToLambdaProps = {
  lambdaFunctionProps: {
    code: lambda.Code.fromAsset(`lambda`),
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler'
  },
  eventRuleProps: {
    schedule: events.Schedule.rate(Duration.minutes(5))
  }
};

new EventbridgeToLambda(this, 'test-eventbridge-lambda', constructProps);
```

```
from aws_solutions_constructs.aws_eventbridge_lambda import EventbridgeToLambda, EventbridgeToLambdaProps
from aws_cdk import (
    aws_lambda as _lambda,
    aws_events as events,
    Duration,
    Stack
)
from constructs import Construct

EventbridgeToLambda(self, 'test-eventbridge-lambda',
                    lambda_function_props=_lambda.FunctionProps(
                        code=_lambda.Code.from_asset('lambda'),
                        runtime=_lambda.Runtime.PYTHON_3_14,
                        handler='index.handler'
                    ),
                    event_rule_props=events.RuleProps(
                        schedule=events.Schedule.rate(
                            Duration.minutes(5))
                    ))
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.Duration;
import software.amazon.awscdk.services.events.*;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.eventbridgelambda.*;

new EventbridgeToLambda(this, "test-eventbridge-lambda",
        new EventbridgeToLambdaProps.Builder()
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_22_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .build())
                .eventRuleProps(new RuleProps.Builder()
                        .schedule(Schedule.rate(Duration.minutes(5)))
                        .build())
                .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Existing instance of Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  existingEventBusInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Optional - user provided custom EventBus for this construct to use. Providing both this and `eventBusProps` causes an error.  | 
|  eventBusProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusProps.html)   |  Optional - user provided properties to override the default properties when creating a custom EventBus. Setting this value to `{}` will create a custom EventBus using all default properties. If neither this nor `existingEventBusInterface` is provided the construct will use the default EventBus. Providing both this and `existingEventBusInterface` causes an error.  | 
|  eventRuleProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.RuleProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.RuleProps.html)   |  User provided eventRuleProps to override the defaults  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  eventBus?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Returns the instance of events.IEventBus used by the construct  | 
|  eventsRule  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.Rule.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.Rule.html)   |  Returns an instance of events.Rule created by the construct  | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of lambda.Function created by the construct  | 

## Default settings


Out-of-the-box implementation of the construct without any overrides will set the following defaults:

### Amazon EventBridge Rule

+ Grant least privilege permissions to EventBridge rule to trigger the Lambda Function

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

## Architecture


![\[Diagram showing the EventBridge rule, Lambda function, CloudWatch log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-eventbridge-lambda.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-eventbridge-lambda) for this pattern to view the code, read/create issues and pull requests and more.



# aws-eventbridge-sns


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_eventbridge_sns`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-eventbridge-sns`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.eventbridgesns`   | 

## Overview


This AWS Solutions Construct implements an AWS Events rule and an AWS SNS Topic.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps, Duration } from 'aws-cdk-lib';
import * as events from 'aws-cdk-lib/aws-events';
import * as iam from 'aws-cdk-lib/aws-iam';
import { EventbridgeToSnsProps, EventbridgeToSns } from "@aws-solutions-constructs/aws-eventbridge-sns";

const constructProps: EventbridgeToSnsProps = {
  eventRuleProps: {
    schedule: events.Schedule.rate(Duration.minutes(5))
  }
};

const constructStack = new EventbridgeToSns(this, 'test-construct', constructProps);

// Grant yourself permissions to use the Customer Managed KMS Key
const policyStatement = new iam.PolicyStatement({
  actions: ["kms:Encrypt", "kms:Decrypt"],
  effect: iam.Effect.ALLOW,
  principals: [new iam.AccountRootPrincipal()],
  resources: ["*"]
});

constructStack.encryptionKey?.addToResourcePolicy(policyStatement);
```

```
from aws_solutions_constructs.aws_eventbridge_sns import EventbridgeToSns, EventbridgeToSnsProps
from aws_cdk import (
    aws_events as events,
    aws_iam as iam,
    Duration,
    Stack
)
from constructs import Construct

construct_stack = EventbridgeToSns(self, 'test-construct',
                                    event_rule_props=events.RuleProps(
                                        schedule=events.Schedule.rate(
                                            Duration.minutes(5))
                                    ))

# Grant yourself permissions to use the Customer Managed KMS Key
policy_statement = iam.PolicyStatement(
    actions=["kms:Encrypt", "kms:Decrypt"],
    effect=iam.Effect.ALLOW,
    principals=[iam.AccountRootPrincipal()],
    resources=["*"]
)

construct_stack.encryption_key.add_to_resource_policy(policy_statement)
```

```
import software.constructs.Construct;
import java.util.List;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.Duration;
import software.amazon.awscdk.services.events.*;
import software.amazon.awscdk.services.iam.*;
import software.amazon.awsconstructs.services.eventbridgesns.*;

final EventbridgeToSns constructStack = new EventbridgeToSns(this, "test-construct",
        new EventbridgeToSnsProps.Builder()
                .eventRuleProps(new RuleProps.Builder()
                        .schedule(Schedule.rate(Duration.minutes(5)))
                        .build())
                .build());

// Grant yourself permissions to use the Customer Managed KMS Key
final PolicyStatement policyStatement = PolicyStatement.Builder.create()
        .actions(List.of("kms:Encrypt", "kms:Decrypt"))
        .effect(Effect.ALLOW)
        .principals(List.of(new AccountRootPrincipal()))
        .resources(List.of("*"))
        .build();

constructStack.getEncryptionKey().addToResourcePolicy(policyStatement);
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  eventRuleProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.RuleProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.RuleProps.html)   |  User provided eventRuleProps to override the defaults.  | 
|  existingTopicObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)   |  Existing instance of SNS Topic object. Providing both this and `topicProps` will cause an error.  | 
|  topicProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html)   |  User provided props to override the default props for the SNS Topic.  | 
|  existingEventBusInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Optional - user provided custom EventBus for this construct to use. Providing both this and `eventBusProps` causes an error.  | 
|  eventBusProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusProps.html)   |  Optional - user provided properties to override the default properties when creating a custom EventBus. Setting this value to `{}` will create a custom EventBus using all default properties. If neither this nor `existingEventBusInterface` is provided the construct will use the default EventBus. Providing both this and `existingEventBusInterface` causes an error.  | 
|  enableEncryptionWithCustomerManagedKey?  |   `boolean`   |  If no key is provided, this flag determines whether the SNS Topic is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: topicProps.masterKey, encryptionKey or encryptionKeyProps.  | 
|  encryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SNS Topic with.  | 
|  encryptionKeyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SNS Topic with.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  eventBus?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Returns the instance of events.IEventBus used by the construct  | 
|  eventsRule  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.Rule.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.Rule.html)   |  Returns an instance of events.Rule created by the construct  | 
|  snsTopic  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)   |  Returns an instance of sns.Topic created by the construct  | 
|  encryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  Returns an instance of kms Key used for the SNS Topic.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon EventBridge Rule

+ Grant least privilege permissions to EventBridge Rule to publish to the SNS Topic.

### Amazon SNS Topic

+ Configure least privilege access permissions for SNS Topic.
+ Enable server-side encryption for SNS Topic using Customer managed KMS Key.
+ Enforce encryption of data in transit.

## Architecture


![\[Diagram showing the EventBridge rule, SNS topic, and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-eventbridge-sns.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-eventbridge-sns) for this pattern to view the code, read/create issues and pull requests and more.



# aws-eventbridge-sqs


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_eventbridge_sqs`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-eventbridge-sqs`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.eventbridgesqs`   | 

## Overview


This AWS Solutions Construct implements an Amazon EventBridge rule and an AWS SQS Queue.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps, Duration } from 'aws-cdk-lib';
import * as events from 'aws-cdk-lib/aws-events';
import * as iam from 'aws-cdk-lib/aws-iam';
import { EventbridgeToSqsProps, EventbridgeToSqs } from "@aws-solutions-constructs/aws-eventbridge-sqs";

const constructProps: EventbridgeToSqsProps = {
  eventRuleProps: {
    schedule: events.Schedule.rate(Duration.minutes(5))
  }
};

const constructStack = new EventbridgeToSqs(this, 'test-construct', constructProps);

// Grant yourself permissions to use the Customer Managed KMS Key
const policyStatement = new iam.PolicyStatement({
  actions: ["kms:Encrypt", "kms:Decrypt"],
  effect: iam.Effect.ALLOW,
  principals: [new iam.AccountRootPrincipal()],
  resources: ["*"]
});

constructStack.encryptionKey?.addToResourcePolicy(policyStatement);
```

```
from aws_solutions_constructs.aws_eventbridge_sqs import EventbridgeToSqsProps, EventbridgeToSqs
from aws_cdk import (
    aws_events as events,
    aws_iam as iam,
    Duration,
    Stack
)
from constructs import Construct

construct_stack = EventbridgeToSqs(self, 'test-construct',
                                    event_rule_props=events.RuleProps(
                                        schedule=events.Schedule.rate(
                                            Duration.minutes(5))
                                    ))

# Grant yourself permissions to use the Customer Managed KMS Key
policy_statement = iam.PolicyStatement(
    actions=["kms:Encrypt", "kms:Decrypt"],
    effect=iam.Effect.ALLOW,
    principals=[iam.AccountRootPrincipal()],
    resources=["*"]
)

construct_stack.encryption_key.add_to_resource_policy(policy_statement)
```

```
import software.constructs.Construct;
import java.util.List;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.Duration;
import software.amazon.awscdk.services.events.*;
import software.amazon.awscdk.services.iam.*;
import software.amazon.awsconstructs.services.eventbridgesqs.*;

final EventbridgeToSqs constructStack = new EventbridgeToSqs(this, "test-construct",
        new EventbridgeToSqsProps.Builder()
                .eventRuleProps(new RuleProps.Builder()
                        .schedule(Schedule.rate(Duration.minutes(5)))
                        .build())
                .build());

// Grant yourself permissions to use the Customer Managed KMS Key
final PolicyStatement policyStatement = PolicyStatement.Builder.create()
        .actions(List.of("kms:Encrypt", "kms:Decrypt"))
        .effect(Effect.ALLOW)
        .principals(List.of(new AccountRootPrincipal()))
        .resources(List.of("*"))
        .build();

constructStack.getEncryptionKey().addToResourcePolicy(policyStatement);
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingEventBusInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Optional - user provided custom EventBus for this construct to use. Providing both this and `eventBusProps` causes an error.  | 
|  eventBusProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusProps.html)   |  Optional - user provided properties to override the default properties when creating a custom EventBus. Setting this value to `{}` will create a custom EventBus using all default properties. If neither this nor `existingEventBusInterface` is provided the construct will use the default EventBus. Providing both this and `existingEventBusInterface` causes an error.  | 
|  eventRuleProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.RuleProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.RuleProps.html)   |  User provided eventRuleProps to override the defaults.  | 
|  targetProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events_targets.SqsQueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events_targets.SqsQueueProps.html)   |  Optional user provided properties to define the SQS target on the Event Rule. If you specify a deadLetterQueue for the rule here, you are responsible for adding a resource policy to the queue allowing events.amazonaws.com permission to SendMessage, GetQueueUrl and GetQueueAttributes. You cannot send a DLQ in this property and set deployEventRuleDlq to true. Default is undefined and all system defaults are used.  | 
|  eventRuleDlqKeyProps  |   [kms.KeyProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.KeyProps.html)   |  Optional properties to define the key created to protect the ruleDlq. Only valid if `deployEventRuleDlq` is set to true. Defaults to CloudFormation defaults.  | 
|  deployEventRuleDlq?  |  boolean  |  Whether to deploy a DLQ for the Event Rule. If set to `true`, this DLQ will receive any messages that can’t be delivered to the target SQS queue. Defaults to `false`.  | 
|  existingQueueObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  An optional, existing SQS queue to be used instead of the default queue. Providing both this and `queueProps` will cause an error.  | 
|  queueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional - user provided properties to override the default properties for the SQS queue. Providing both this and `existingQueueObj` will cause an error.  | 
|  enableQueuePurging?  |   `boolean`   |  Whether to grant additional permissions to the Lambda function enabling it to purge the SQS queue. Defaults to `false`.  | 
|  deployDeadLetterQueue?  |   `boolean`   |  Whether to create a secondary queue to be used as a dead letter queue. Defaults to `true`.  | 
|  deadLetterQueueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional user-provided props to override the default props for the dead letter queue. Only used if the `deployDeadLetterQueue` property is set to true.  | 
|  maxReceiveCount?  |   `number`   |  The number of times a message can be unsuccessfully dequeued before being moved to the dead letter queue. Defaults to `15`.  | 
|  enableEncryptionWithCustomerManagedKey?  |   `boolean`   |  If no key is provided, this flag determines whether the queue is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: queueProps.encryptionMasterKey, encryptionKey or encryptionKeyProps.  | 
|  encryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SQS Queue with.  | 
|  encryptionKeyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SQS queue with.  | 
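
The `targetProps` row above leaves the resource policy on a self-supplied rule dead-letter queue to you. As an added example (not code from the Solutions Constructs library), this TypeScript check reads a synthesized CloudFormation template and reports which of the three required SQS actions are not granted to `events.amazonaws.com`; it also reports whether the grant is pinned to an `aws:SourceArn` condition, a scoping check this page does not mention. The template fragment, logical IDs and function names are constructed for illustration.

```typescript
// Added example, not part of the Solutions Constructs library. The template
// fragment, logical IDs and function names are constructed for illustration.

interface QueuePolicyStatement {
  Effect: string;
  Principal?: string | { [kind: string]: string | string[] };
  Action: string | string[];
  Condition?: { [operator: string]: { [key: string]: unknown } };
}
interface SynthResource { Type: string; Properties?: { [key: string]: any } }
interface SynthTemplate { Resources: { [logicalId: string]: SynthResource } }
interface RuleDlqFinding {
  missingActions: string[];   // required actions that no statement grants
  scopedToSourceArn: boolean; // every granting statement pins aws:SourceArn
}

// The three permissions the targetProps description says EventBridge needs.
const REQUIRED_DLQ_ACTIONS = ["sqs:SendMessage", "sqs:GetQueueUrl", "sqs:GetQueueAttributes"];
const EVENTBRIDGE_PRINCIPAL = "events.amazonaws.com";

function toList(value: string | string[] | undefined): string[] {
  if (value === undefined) return [];
  return Array.isArray(value) ? value : [value];
}

// IAM action patterns are case-insensitive and may contain * and ? wildcards.
function actionPatternCovers(pattern: string, action: string): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i").test(action);
}

// Only an Allow naming the EventBridge service principal counts as the grant.
function allowsEventBridge(stmt: QueuePolicyStatement): boolean {
  const principal = stmt.Principal;
  if (stmt.Effect !== "Allow" || principal === undefined || typeof principal === "string") {
    return false; // a bare "*" principal is deliberately not accepted
  }
  return toList(principal.Service).indexOf(EVENTBRIDGE_PRINCIPAL) !== -1;
}

// Condition keys are case-insensitive; any operator on aws:SourceArn counts.
function pinsSourceArn(stmt: QueuePolicyStatement): boolean {
  const condition = stmt.Condition ?? {};
  return Object.keys(condition).some((operator) =>
    Object.keys(condition[operator]).some((key) => key.toLowerCase() === "aws:sourcearn"));
}

// Collect statements from every QueuePolicy attached to the queue by Ref.
function auditRuleDlqPolicy(template: SynthTemplate, queueLogicalId: string): RuleDlqFinding {
  let granting: QueuePolicyStatement[] = [];
  for (const id of Object.keys(template.Resources)) {
    const resource = template.Resources[id];
    if (resource.Type !== "AWS::SQS::QueuePolicy" || !resource.Properties) continue;
    const queues: any[] = resource.Properties.Queues ?? [];
    if (!queues.some((q) => q && q.Ref === queueLogicalId)) continue;
    const raw = resource.Properties.PolicyDocument?.Statement;
    const statements: QueuePolicyStatement[] = Array.isArray(raw) ? raw : raw ? [raw] : [];
    granting = granting.concat(statements.filter(allowsEventBridge));
  }
  const missingActions = REQUIRED_DLQ_ACTIONS.filter((required) =>
    !granting.some((stmt) =>
      toList(stmt.Action).some((pattern) => actionPatternCovers(pattern, required))));
  return {
    missingActions,
    scopedToSourceArn: granting.length > 0 && granting.every(pinsSourceArn),
  };
}

// Constructed sample: one DLQ with the full grant, one with a partial grant.
const SAMPLE_DLQ_TEMPLATE: SynthTemplate = {
  Resources: {
    RuleDlqComplete: { Type: "AWS::SQS::Queue" },
    RuleDlqCompletePolicy: {
      Type: "AWS::SQS::QueuePolicy",
      Properties: {
        Queues: [{ Ref: "RuleDlqComplete" }],
        PolicyDocument: { Statement: [{
          Effect: "Allow",
          Principal: { Service: "events.amazonaws.com" },
          Action: ["sqs:SendMessage", "sqs:GetQueueUrl", "sqs:GetQueueAttributes"],
          Condition: { ArnEquals: { "aws:SourceArn": { "Fn::GetAtt": ["EventsRule", "Arn"] } } },
        }] },
      },
    },
    RuleDlqPartial: { Type: "AWS::SQS::Queue" },
    RuleDlqPartialPolicy: {
      Type: "AWS::SQS::QueuePolicy",
      Properties: {
        Queues: [{ Ref: "RuleDlqPartial" }],
        PolicyDocument: { Statement: {
          Effect: "Allow",
          Principal: { Service: ["events.amazonaws.com"] },
          Action: "sqs:SendMessage",
        } },
      },
    },
  },
};
```

Run `auditRuleDlqPolicy` over the JSON that `cdk synth` writes for your stack, passing the logical ID of the queue you supplied as the rule's dead-letter queue.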

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  eventBus?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Returns the instance of events.IEventBus used by the construct  | 
|  eventsRule  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.Rule.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.Rule.html)   |  Returns an instance of events.Rule created by the construct  | 
|  eventRuleDlq?  |   [sqs.Queue](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  If the client sets deployEventRuleDlq to "true", then this value will contain the DLQ set up for the rule.  | 
|  eventRuleDlqKey  |   [kms.IKey](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.IKey.html)   |  The key created to encrypt the eventRuleDlq.  | 
|  sqsQueue  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of sqs.Queue created by the construct  | 
|  encryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  Returns an instance of kms Key used for the SQS queue.  | 
|  deadLetterQueue?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the dead-letter SQS queue created by the pattern.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon EventBridge Rule

+ Grant least privilege permissions to EventBridge rule to publish to the SQS Queue.

### Amazon SQS Queue

+ Deploy SQS dead-letter queue for the source SQS Queue.
+ Enable server-side encryption for source SQS Queue using Customer managed KMS Key.
+ Enforce encryption of data in transit.
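
The SNS and SQS default-settings lists above both promise KMS encryption at rest and enforced encryption in transit. As an added example (not code from the Solutions Constructs library), this TypeScript check classifies the `KmsMasterKeyId` of each topic and queue in a synthesized CloudFormation template and looks for an attached policy that denies requests when `aws:SecureTransport` is false. The template fragment is constructed and is not the construct's actual output; logical IDs and function names are assumptions.

```typescript
// Added example, not part of the Solutions Constructs library. The template
// fragment, logical IDs and function names are constructed for illustration.

interface CfnResourceDoc { Type: string; Properties?: { [key: string]: any } }
interface CfnTemplateDoc { Resources: { [logicalId: string]: CfnResourceDoc } }
interface EncryptionFinding {
  logicalId: string;
  // "external" = a key reference that does not resolve to a key in this template
  kmsKey: "customer-managed" | "aws-managed" | "external" | "absent";
  tlsEnforced: boolean;
}

// Policy resource type and the property listing the resources it attaches to.
const POLICY_FOR: { [type: string]: { policyType: string; attachProp: string } } = {
  "AWS::SNS::Topic": { policyType: "AWS::SNS::TopicPolicy", attachProp: "Topics" },
  "AWS::SQS::Queue": { policyType: "AWS::SQS::QueuePolicy", attachProp: "Queues" },
};

// Logical ID that a Ref or Fn::GetAtt points at, undefined for anything else.
function referencedId(value: any): string | undefined {
  if (value && typeof value === "object") {
    if (typeof value.Ref === "string") return value.Ref;
    const getAtt = value["Fn::GetAtt"];
    if (Array.isArray(getAtt) && typeof getAtt[0] === "string") return getAtt[0];
  }
  return undefined;
}

function classifyKmsKey(template: CfnTemplateDoc, keyId: any): EncryptionFinding["kmsKey"] {
  if (keyId === undefined || keyId === null) return "absent";
  if (typeof keyId === "string" && keyId.indexOf("alias/aws/") === 0) return "aws-managed";
  const target = referencedId(keyId);
  if (target !== undefined && template.Resources[target]?.Type === "AWS::KMS::Key") {
    return "customer-managed";
  }
  return "external";
}

// True for a Deny statement conditioned on aws:SecureTransport being false.
// Principal and Action coverage of the Deny are not inspected here.
function deniesPlaintext(stmt: any): boolean {
  if (!stmt || stmt.Effect !== "Deny") return false;
  const boolBlock: { [key: string]: unknown } = stmt.Condition?.Bool ?? {};
  return Object.keys(boolBlock).some((key) => {
    const value = boolBlock[key];
    const values: unknown[] = Array.isArray(value) ? value : [value];
    return key.toLowerCase() === "aws:securetransport" &&
      values.some((v) => String(v).toLowerCase() === "false");
  });
}

function auditEncryptionDefaults(template: CfnTemplateDoc): EncryptionFinding[] {
  const findings: EncryptionFinding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const resource = template.Resources[logicalId];
    const policyInfo = POLICY_FOR[resource.Type];
    if (policyInfo === undefined) continue; // not a topic or queue
    const tlsEnforced = Object.keys(template.Resources).some((otherId) => {
      const candidate = template.Resources[otherId];
      if (candidate.Type !== policyInfo.policyType) return false;
      const attached: any[] = candidate.Properties?.[policyInfo.attachProp] ?? [];
      if (!attached.some((ref) => referencedId(ref) === logicalId)) return false;
      const raw = candidate.Properties?.PolicyDocument?.Statement ?? [];
      return (Array.isArray(raw) ? raw : [raw]).some(deniesPlaintext);
    });
    findings.push({
      logicalId,
      kmsKey: classifyKmsKey(template, resource.Properties?.KmsMasterKeyId),
      tlsEnforced,
    });
  }
  return findings;
}

// Constructed sample: a topic with both protections, a queue with neither
// a customer managed key nor a transport policy.
const SAMPLE_SYNTH_TEMPLATE: CfnTemplateDoc = {
  Resources: {
    TopicKey: { Type: "AWS::KMS::Key", Properties: { EnableKeyRotation: true } },
    AlertsTopic: {
      Type: "AWS::SNS::Topic",
      Properties: { KmsMasterKeyId: { "Fn::GetAtt": ["TopicKey", "Arn"] } },
    },
    AlertsTopicPolicy: {
      Type: "AWS::SNS::TopicPolicy",
      Properties: {
        Topics: [{ Ref: "AlertsTopic" }],
        PolicyDocument: { Statement: [{
          Effect: "Deny", Principal: "*", Action: "sns:Publish",
          Resource: { Ref: "AlertsTopic" },
          Condition: { Bool: { "aws:SecureTransport": "false" } },
        }] },
      },
    },
    LegacyQueue: { Type: "AWS::SQS::Queue", Properties: { KmsMasterKeyId: "alias/aws/sqs" } },
  },
};
```

A finding other than `customer-managed` with `tlsEnforced: true` means an override (for example `topicProps`, `queueProps` or an existing resource) has moved the stack away from the defaults listed above.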

## Architecture


![\[Diagram showing the EventBridge rule, SQS queue and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-eventbridge-sqs.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-eventbridge-sqs) for this pattern to view the code, read/create issues and pull requests and more.



# aws-eventbridge-stepfunctions


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_eventbridge_stepfunctions`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-eventbridge-stepfunctions`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.eventbridgestepfunctions`   | 

## Overview


This AWS Solutions Construct implements an AWS Events rule and an AWS Step Functions State Machine.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps, Duration } from 'aws-cdk-lib';
import { EventbridgeToStepfunctions, EventbridgeToStepfunctionsProps } from '@aws-solutions-constructs/aws-eventbridge-stepfunctions';
import * as stepfunctions from 'aws-cdk-lib/aws-stepfunctions';
import * as events from 'aws-cdk-lib/aws-events';

const startState = new stepfunctions.Pass(this, 'StartState');

const constructProps: EventbridgeToStepfunctionsProps = {
  stateMachineProps: {
    definition: startState
  },
  eventRuleProps: {
    schedule: events.Schedule.rate(Duration.minutes(5))
  }
};

new EventbridgeToStepfunctions(this, 'test-eventbridge-stepfunctions-stack', constructProps);
```

```
from aws_solutions_constructs.aws_eventbridge_stepfunctions import EventbridgeToStepfunctions, EventbridgeToStepfunctionsProps
from aws_cdk import (
    aws_stepfunctions as stepfunctions,
    aws_events as events,
    Duration,
    Stack
)
from constructs import Construct

startState = stepfunctions.Pass(self, 'StartState')

EventbridgeToStepfunctions(self, 'test-eventbridge-stepfunctions-stack',
                            state_machine_props=stepfunctions.StateMachineProps(
                                definition=startState
                            ),
                            event_rule_props=events.RuleProps(
                                schedule=events.Schedule.rate(
                                    Duration.minutes(5))
                            ))
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.Duration;
import software.amazon.awscdk.services.events.*;
import software.amazon.awscdk.services.stepfunctions.*;
import software.amazon.awsconstructs.services.eventbridgestepfunctions.*;

final Pass startState = new Pass(this, "StartState");

new EventbridgeToStepfunctions(this,
        "test-eventbridge-stepfunctions-stack",
        new EventbridgeToStepfunctionsProps.Builder()
                .stateMachineProps(new StateMachineProps.Builder()
                        .definition(startState)
                        .build())
                .eventRuleProps(new RuleProps.Builder()
                        .schedule(Schedule.rate(Duration.minutes(5)))
                        .build())
                .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  stateMachineProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachineProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachineProps.html)   |  User provided props for the sfn.StateMachine. This or existingStateMachine is required. If you provide a value for logs.destination, it must be an ILogGroup even though the prop type is ILogGroupRef. The CDK change to ILogGroupRef in v2.235.0 is incompatible with our interface without introducing breaking changes, so we still require an ILogGroup (as this implements ILogGroupRef, you can just assign it to logs.destination)  | 
|  existingEventBusInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Optional - user provided custom EventBus for this construct to use. Providing both this and `eventBusProps` causes an error.  | 
|  eventBusProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusProps.html)   |  Optional - user provided properties to override the default properties when creating a custom EventBus. Setting this value to `{}` will create a custom EventBus using all default properties. If neither this nor `existingEventBusInterface` is provided the construct will use the default EventBus. Providing both this and `existingEventBusInterface` causes an error.  | 
|  eventRuleProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.RuleProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.RuleProps.html)   |  User provided eventRuleProps to override the defaults  | 
|  createCloudWatchAlarms  |   `boolean`   |  Whether to create recommended CloudWatch alarms  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  User provided props to override the default props for the CloudWatchLogs LogGroup.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  eventBus?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Returns the instance of events.IEventBus used by the construct  | 
|  eventsRule  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.Rule.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.Rule.html)   |  Returns an instance of events.Rule created by the construct  | 
|  stateMachine  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachine.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachine.html)   |  Returns an instance of sfn.StateMachine created by the construct  | 
|  stateMachineLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.ILogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.ILogGroup.html)   |  Returns an instance of the ILogGroup created by the construct for StateMachine  | 
|  cloudwatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns a list of cloudwatch.Alarm created by the construct  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon CloudWatch Events Rule

+ Grant least privilege permissions to CloudWatch Events to trigger the Lambda Function

### AWS Step Function

+ Enable CloudWatch logging for API Gateway
+ Deploy best practices CloudWatch Alarms for the Step Function

## Architecture


![\[Diagram showing the CloudWatch event rule, State Machine, log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-eventbridge-stepfunctions.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-eventbridge-stepfunctions) for this pattern to view the code, read/create issues and pull requests and more.



# aws-fargate-dynamodb


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_fargate_dynamodb`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-fargate-dynamodb`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.fargatedynamodb`   | 

## Overview


This AWS Solutions Construct implements an AWS Fargate service that can write/read to an Amazon DynamoDB table.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { FargateToDynamoDB, FargateToDynamoDBProps } from '@aws-solutions-constructs/aws-fargate-dynamodb';

const constructProps: FargateToDynamoDBProps = {
  publicApi: true,
  ecrRepositoryArn: "arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo",
};

new FargateToDynamoDB(this, 'test-construct', constructProps);
```

```
from aws_solutions_constructs.aws_fargate_dynamodb import FargateToDynamoDB, FargateToDynamoDBProps
from aws_cdk import (
    Stack
)
from constructs import Construct

FargateToDynamoDB(self, 'test_construct',
            public_api=True,
            ecr_repository_arn="arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.fargatedynamodb.*;

new FargateToDynamoDB(this, "test-construct", new FargateToDynamoDBProps.Builder()
        .publicApi(true)
        .ecrRepositoryArn("arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  publicApi  |   `boolean`   |  Whether the construct is deploying a private or public API. This has implications for the VPC.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional custom properties for a VPC the construct will create. This VPC will be used by any Private Hosted Zone the construct creates (that’s why loadBalancerProps and privateHostedZoneProps can’t include a VPC). Providing both this and existingVpc causes an error.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the construct. Providing both this and vpcProps causes an error. If the client provides an existing load balancer and/or existing Private Hosted Zone, those constructs must exist in this VPC.  | 
|  clusterProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html)   |  Optional properties to create a new ECS cluster. To provide an existing cluster, use the cluster attribute of fargateServiceProps.  | 
|  ecrRepositoryArn?  |   `string`   |  The arn of an ECR Repository containing the image to use to generate the containers. Either this or the image property of containerDefinitionProps must be provided. format: arn:aws:ecr:*region*:*account number*:repository/*Repository Name*   | 
|  ecrImageVersion?  |   `string`   |  The version of the image to use from the repository. Defaults to "Latest"   | 
|  containerDefinitionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html) \| any  |  Optional props to define the container created for the Fargate Service (defaults found in fargate-defaults.ts)  | 
|  fargateTaskDefinitionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html) \| any  |  Optional props to define the Fargate Task Definition for this construct (defaults found in fargate-defaults.ts)  | 
|  fargateServiceProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html) \| any  |  Optional values to override default Fargate Task definition properties (fargate-defaults.ts). The construct will default to launching the service in the most isolated subnets available (precedence: Isolated, Private and Public). Override those and other defaults here.  | 
|  existingFargateServiceObject?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  A Fargate Service already instantiated (probably by another Solutions Construct). If this is specified, then no props defining a new service can be provided, including: ecrImageVersion, containerDefinitionProps, fargateTaskDefinitionProps, ecrRepositoryArn, fargateServiceProps, clusterProps  | 
|  existingContainerDefinitionObject?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  A container definition already instantiated as part of a Fargate service. This must be the container in the existingFargateServiceObject  | 
|  dynamoTableProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.TableProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.TableProps.html)   |  Optional user provided props to override the default props for the DynamoDB Table. Providing both this and `existingTableInterface` causes an error.  | 
|  existingTableInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.ITable.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.ITable.html)   |  Optional - existing DynamoDB table, providing both this and `dynamoTableProps` will cause an error.  | 
|  tablePermissions?  |   `string`   |  Optional table permissions to grant to the Fargate service. One of the following may be specified: `All`, `Read`, `ReadWrite`, `Write`.  | 
|  tableArnEnvironmentVariableName?  |   `string`   |  Optional Name for the container environment variable set to the ARN for the DynamoDB table. Default: DYNAMODB_TABLE_ARN  | 
|  tableEnvironmentVariableName?  |   `string`   |  Optional Name for the container environment variable set to the DynamoDB table name. Default: DYNAMODB_TABLE_NAME  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  vpc  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  The VPC used by the construct (whether created by the construct or provided by the client)  | 
|  service  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  The AWS Fargate service used by this construct (whether created by this construct or passed to this construct at initialization)  | 
|  container  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  The container associated with the AWS Fargate service in the service property.  | 
|  dynamoTableInterface  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.ITable.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.ITable.html)   |  Returns an instance of `dynamodb.ITable` created by the construct or the interface provided in existingTableInterface.  | 
|  dynamoTable?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html)   |  Returns an instance of `dynamodb.Table` created by the construct. IMPORTANT: If existingTableInterface was provided in Pattern Construct Props, this property will be `undefined`.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### AWS Fargate Service

+ Sets up an AWS Fargate service
  + Uses the existing service if provided
  + Creates a new service if none provided.
    + Service will run in isolated subnets if available, then private subnets if available and finally public subnets
  + Adds environment variables to the container with the ARN and Name of the DynamoDB table
  + Adds permissions to the container IAM role allowing it to publish to the DynamoDB table

### Amazon DynamoDB Table

+ Sets up an Amazon DynamoDB table
  + Uses an existing table if one is provided, otherwise creates a new one
+ Adds an Interface Endpoint to the VPC for DynamoDB (the service by default runs in Isolated or Private subnets)

## Architecture


![\[Diagram showing the Fargate service, DynamoDB table, and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-fargate-dynamodb.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-fargate-dynamodb) for this pattern to view the code, read/create issues and pull requests and more.



# aws-fargate-eventbridge


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_fargate_eventbridge`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-fargate-eventbridge`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.fargateeventbridge`   | 

This AWS Solutions Construct implements an AWS Fargate service connected to an Amazon EventBridge event bus.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { FargateToEventbridge, FargateToEventbridgeProps } from '@aws-solutions-constructs/aws-fargate-eventbridge';

const constructProps: FargateToEventbridgeProps = {
  publicApi: true,
  ecrRepositoryArn: "arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo",
};

new FargateToEventbridge(this, 'test-construct', constructProps);
```

```
from aws_solutions_constructs.aws_fargate_eventbridge import FargateToEventbridge, FargateToEventbridgeProps
from aws_cdk import (
    Stack
)
from constructs import Construct

FargateToEventbridge(self, 'test_construct',
            public_api=True,
            ecr_repository_arn="arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.fargateeventbridge.*;

new FargateToEventbridge(this, "test_construct", new FargateToEventbridgeProps.Builder()
        .publicApi(true)
        .ecrRepositoryArn("arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  publicApi  |  boolean  |  Whether the construct is deploying a private or public API. This has implications for the VPC.  | 
|  vpcProps?  |   [ec2.VpcProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional custom properties for a VPC the construct will create. This VPC will be used by any Private Hosted Zone the construct creates (that’s why loadBalancerProps and privateHostedZoneProps can’t include a VPC). Providing both this and existingVpc causes an error.  | 
|  existingVpc?  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the construct. Providing both this and vpcProps causes an error. If the client provides an existing load balancer and/or existing Private Hosted Zone, those constructs must exist in this VPC.  | 
|  clusterProps?  |   [ecs.ClusterProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html)   |  Optional properties to create a new ECS cluster. To provide an existing cluster, use the cluster attribute of fargateServiceProps.  | 
|  ecrRepositoryArn?  |   `string`   |  The arn of an ECR Repository containing the image to use to generate the containers. Either this or the image property of containerDefinitionProps must be provided. format: arn:aws:ecr:*region*:*account number*:repository/*Repository Name*   | 
|  ecrImageVersion?  |   `string`   |  The version of the image to use from the repository. Defaults to "Latest"   | 
|  containerDefinitionProps?  |   [ecs.ContainerDefinitionProps \| any](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html)   |  Optional props to define the container created for the Fargate Service (defaults found in fargate-defaults.ts)  | 
|  fargateTaskDefinitionProps?  |   [ecs.FargateTaskDefinitionProps \| any](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html)   |  Optional props to define the Fargate Task Definition for this construct (defaults found in fargate-defaults.ts)  | 
|  fargateServiceProps?  |   [ecs.FargateServiceProps \| any](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html)   |  Optional values to override default Fargate Task definition properties (fargate-defaults.ts). The construct will default to launching the service in the most isolated subnets available (precedence: Isolated, Private and Public). Override those and other defaults here.  | 
|  existingFargateServiceObject?  |   [ecs.FargateService](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  A Fargate Service already instantiated (probably by another Solutions Construct). If this is specified, then no props defining a new service can be provided, including: ecrImageVersion, containerDefinitionProps, fargateTaskDefinitionProps, ecrRepositoryArn, fargateServiceProps, clusterProps  | 
|  existingContainerDefinitionObject?  |   [ecs.ContainerDefinition](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  A container definition already instantiated as part of a Fargate service. This must be the container in the existingFargateServiceObject  | 
|  existingEventBusInterface?  |   [events.IEventBus](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Optional - user provided custom EventBus for this construct to use. Providing both this and `eventBusProps` causes an error.  | 
|  eventBusProps?  |   [events.EventBusProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusProps.html)   |  Optional - user provided properties to override the default properties when creating a custom EventBus. Setting this value to `{}` will create a custom EventBus using all default properties. If neither this nor `existingEventBusInterface` is provided the construct will use the default EventBus. Providing both this and `existingEventBusInterface` causes an error.  | 
|  eventBusEnvironmentVariableName?  |   `string`   |  Optional Name for the container environment variable set to the name of the event bus. Default: EVENTBUS_NAME  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  vpc  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  The VPC used by the construct (whether created by the construct or provided by the client)  | 
|  service  |   [ecs.FargateService](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  The AWS Fargate service used by this construct (whether created by this construct or passed to this construct at initialization)  | 
|  container  |   [ecs.ContainerDefinition](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  The container associated with the AWS Fargate service in the service property.  | 
|  eventBus?  |   [events.IEventBus](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Returns the instance of `events.IEventBus` used by the construct  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### AWS Fargate Service

+ Sets up an AWS Fargate service
  + Uses the existing service if provided
  + Creates a new service if none provided.
    + Service will run in isolated subnets if available, then private subnets if available and finally public subnets
+ Adds environment variables to the container with the Name of the event bus
  + Default: EVENTBUS_NAME
+ Adds permissions to the container IAM role allowing it to put events in the EventBridge event bus

### Amazon EventBridge Event Bus

+ Sets up an Amazon EventBridge event bus
  + Uses an existing event bus if one is provided, otherwise creates a new one if `eventBusProps` is provided
  + If neither `eventBusProps` nor `existingEventBusInterface` is provided, the construct will use the `default` event bus.
+ Adds an Interface Endpoint to the VPC for EventBridge (the service by default runs in Isolated or Private subnets)

## Architecture


![\[Diagram showing the Fargate service, EventBridge bus and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-fargate-eventbridge.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-fargate-eventbridge) for this pattern to view the code, read/create issues and pull requests and more.



# aws-fargate-kinesisfirehose


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_fargate_kinesisfirehose`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-fargate-kinesisfirehose`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.fargatekinesisfirehose`   | 

## Overview


This AWS Solutions Construct deploys an AWS Fargate Service that can put records on an Amazon Firehose Delivery Stream.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { FargateToKinesisFirehose } from '@aws-solutions-constructs/aws-fargate-kinesisfirehose';

// The construct requires an existing Firehose Delivery Stream; this can be created in raw CDK or extracted
// from a previously instantiated construct that created a Firehose Delivery Stream
const existingFirehoseDeliveryStream = previouslyCreatedKinesisFirehoseToS3Construct.kinesisFirehose;

new FargateToKinesisFirehose(this, 'FargateToKinesisFirehose', {
  publicApi: true,
  ecrRepositoryArn: "arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo",
  existingKinesisFirehose: existingFirehoseDeliveryStream
});
```

```
from aws_solutions_constructs.aws_fargate_kinesisfirehose import FargateToKinesisFirehose
from aws_cdk import (
    Stack
)
from constructs import Construct

# The construct requires an existing Firehose Delivery Stream; this can be created in raw CDK or extracted
# from a previously instantiated construct that created a Firehose Delivery Stream
existing_firehose_delivery_stream = previouslyCreatedKinesisFirehoseToS3Construct.kinesis_firehose

FargateToKinesisFirehose(self, 'FargateToKinesisFirehose',
                          public_api=True,
                          ecr_repository_arn="arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo",
                          existing_kinesis_firehose=existing_firehose_delivery_stream
                       )
```

```
import software.constructs.Construct;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.kinesisfirehose.CfnDeliveryStream;
import software.amazon.awsconstructs.services.fargatekinesisfirehose.*;

// The construct requires an existing Firehose Delivery Stream; this can be created in raw CDK or extracted
// from a previously instantiated construct that created a Firehose Delivery Stream
CfnDeliveryStream existingFirehoseDeliveryStream = previouslyCreatedKinesisFirehoseToS3Construct.getKinesisFirehose();

new FargateToKinesisFirehose(this, "FargateToKinesisFirehose", new FargateToKinesisFirehoseProps.Builder()
        .publicApi(true)
        .ecrRepositoryArn("arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
        .existingKinesisFirehose(existingFirehoseDeliveryStream)
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  publicApi  |   `boolean`   |  True if the VPC provisioned by this construct should contain Public/Private Subnets, otherwise False for the VPC to contain Isolated Subnets only. Note this property is ignored if an existing VPC is specified in the existingVpc property. If you are getting a container from a public repo, this must be true so the repo can be accessed from the network.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional custom properties for a new VPC the construct will create. Providing both this and `existingVpc` causes an error. An Amazon Kinesis Firehose Interface Endpoint will be added to this VPC.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the Fargate Service. Providing both this and `vpcProps` causes an error. If the client provides an existing Fargate Service in the `existingFargateServiceObject` property, this value must be the VPC where the service is running. An Amazon Kinesis Firehose Interface Endpoint will be added to this VPC.  | 
|  clusterProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html)   |  Optional properties to create a new ECS cluster. To provide an existing cluster, use the cluster attribute of fargateServiceProps.  | 
|  ecrRepositoryArn?  |   `string`   |  The arn of an ECR Repository containing the image to use to generate the containers. Either this or the image property of containerDefinitionProps must be provided. format: arn:aws:ecr:*region*:*account number*:repository/*Repository Name*   | 
|  ecrImageVersion?  |   `string`   |  The version of the image to use from the repository. Defaults to "Latest"   | 
|  containerDefinitionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html) \| any  |  Optional props to define the container created for the Fargate Service. (defaults found in fargate-defaults.ts)  | 
|  fargateTaskDefinitionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html) \| any  |  Optional props to define the Fargate Task Definition for this construct. (defaults found in fargate-defaults.ts)  | 
|  fargateServiceProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html) \| any  |  Optional values to override default Fargate Task definition properties (fargate-defaults.ts). The construct will default to launching the service in the most isolated subnets available (precedence: Isolated, Private and Public). Override those and other defaults here.  | 
|  existingFargateServiceObject?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  A Fargate Service already instantiated (probably by another Solutions Construct). If this is specified, then no props defining a new service can be provided, including: ecrImageVersion, containerDefinitionProps, fargateTaskDefinitionProps, ecrRepositoryArn, fargateServiceProps, clusterProps  | 
|  existingContainerDefinitionObject?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  A container definition already instantiated as part of a Fargate service. This must be the container in the `existingFargateServiceObject`.  | 
|  existingKinesisFirehose  |   [kinesisfirehose.CfnDeliveryStream](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream.html)   |  An existing Kinesis Firehose Delivery Stream to which the Fargate container can put data. Note - the delivery stream construct must have already been created and have the deliveryStreamName set. This construct will *not* create a new Delivery Stream.  | 
|  firehoseEnvironmentVariableName?  |   `string`   |  Optional Name for the Fargate container environment variable set to the name of the delivery stream. Default: FIREHOSE_DELIVERYSTREAM_NAME  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  vpc  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  The new or existing VPC used by the construct.  | 
|  fargateService  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  The new or existing AWS Fargate service used by this construct.  | 
|  container  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  The container associated with the AWS Fargate service in the service property.  | 
|  kinesisFirehose  |   [kinesisfirehose.CfnDeliveryStream](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream.html)   |  The Kinesis Firehose Delivery Stream used by the construct.  | 

## Default settings


Out of the box implementation of the Construct without any overrides will set the following defaults:

### AWS Fargate Service

+ An AWS Fargate Service running in the isolated subnets of a new VPC
+ Minimally-permissive IAM role for the Fargate Service to put records on the Firehose Delivery Stream
+ Sets an Environment Variable named FIREHOSE_DELIVERYSTREAM_NAME that holds the Firehose Delivery Stream Name, which is a required property of the Kinesis Firehose SDK when making calls to it

### Amazon Firehose Delivery Stream

+ This construct must be provided a configured Firehose Delivery Stream construct; it does not change this stream.

## Architecture


![\[Diagram showing the Fargate service, Kinesis firehose and IAM role created by the construct. A VPC is shown that can be created by the construct or provided by the client.\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-fargate-kinesisfirehose.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-fargate-kinesisfirehose) for this pattern to view the code, read/create issues and pull requests and more.



# aws-fargate-kinesisstreams


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_fargate_kinesisstreams`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-fargate-kinesisstreams`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.fargatekinesisstreams`   | 

## Overview


This AWS Solutions Construct deploys an AWS Fargate Service that can put records on an Amazon Kinesis Data Stream.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { FargateToKinesisStreams } from '@aws-solutions-constructs/aws-fargate-kinesisstreams';

new FargateToKinesisStreams(this, 'FargateToKinesisStreams', {
  publicApi: true,
  ecrRepositoryArn: "arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo",
});
```

```
from aws_solutions_constructs.aws_fargate_kinesisstreams import FargateToKinesisStreams
from aws_cdk import (
    Stack
)
from constructs import Construct

FargateToKinesisStreams(self, 'FargateToKinesisStreams',
                          public_api=True,
                          ecr_repository_arn="arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo"
                       )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.fargatekinesisstreams.*;

new FargateToKinesisStreams(this, "FargateToKinesisStreams", new FargateToKinesisStreamsProps.Builder()
        .publicApi(true)
        .ecrRepositoryArn("arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  publicApi  |   `boolean`   |  True if the VPC provisioned by this construct should contain Public/Private Subnets, otherwise False for the VPC to contain Isolated Subnets only. Note this property is ignored if an existing VPC is specified in the `existingVpc` property.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional custom properties for a new VPC the construct will create. Providing both this and `existingVpc` causes an error. An Amazon Kinesis Streams Interface Endpoint will be added to this VPC.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the Fargate Service. Providing both this and `vpcProps` causes an error. If the client provides an existing Fargate Service in the `existingFargateServiceObject` property, this value must be the VPC where the service is running. An Amazon Kinesis Streams Interface Endpoint will be added to this VPC.  | 
|  clusterProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html)   |  Optional properties to create a new ECS cluster. To provide an existing cluster, use the cluster attribute of fargateServiceProps.  | 
|  ecrRepositoryArn?  |   `string`   |  The arn of an ECR Repository containing the image to use to generate the containers. Either this or the image property of containerDefinitionProps must be provided. format: arn:aws:ecr:*region*:*account number*:repository/*Repository Name*   | 
|  ecrImageVersion?  |   `string`   |  The version of the image to use from the repository. Defaults to "Latest"   | 
|  containerDefinitionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html) \| any  |  Optional props to define the container created for the Fargate Service. (defaults found in fargate-defaults.ts)  | 
|  fargateTaskDefinitionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html) \| any  |  Optional props to define the Fargate Task Definition for this construct. (defaults found in fargate-defaults.ts)  | 
|  fargateServiceProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html) \| any  |  Optional values to override default Fargate Task definition properties (fargate-defaults.ts). The construct will default to launching the service in the most isolated subnets available (precedence: Isolated, Private and Public). Override those and other defaults here.  | 
|  existingFargateServiceObject?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  A Fargate Service already instantiated (probably by another Solutions Construct). If this is specified, then no props defining a new service can be provided, including: ecrImageVersion, containerDefinitionProps, fargateTaskDefinitionProps, ecrRepositoryArn, fargateServiceProps, clusterProps  | 
|  existingContainerDefinitionObject?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  A container definition already instantiated as part of a Fargate service. This must be the container in the `existingFargateServiceObject`.  | 
|  existingStreamObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  Existing instance of a Kinesis Data Stream. Providing both this and `kinesisStreamProps` will cause an error.  | 
|  kinesisStreamProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html)   |  Optional user-provided props to override the default props for the Kinesis Data Stream. Providing both this and `existingStreamObj` will cause an error.  | 
|  createCloudWatchAlarms  |   `boolean`   |  Whether to create recommended CloudWatch Alarms for the Kinesis Stream (defaults to true).  | 
|  streamEnvironmentVariableName?  |   `string`   |  Optional Name to override the Fargate Service default environment variable name that holds the Kinesis Data Stream name value. Default: KINESIS_DATASTREAM_NAME  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  vpc  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  The new or existing VPC used by the construct.  | 
|  service  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  The new or existing AWS Fargate service used by this construct.  | 
|  container  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  The container associated with the AWS Fargate service in the service property.  | 
|  kinesisStream  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  The new or existing Kinesis Data Stream used by this construct.  | 
|  cloudwatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns the CloudWatch Alarms created to monitor the Kinesis Data Stream.  | 

## Default settings


The out-of-the-box implementation of the Construct, without any overrides, sets the following defaults:

### AWS Fargate Service

+ An AWS Fargate Service running in the isolated subnets of a new VPC
+ Minimally-permissive IAM role for the Fargate Service to put records on the Kinesis Data Stream
+ Sets an Environment Variable named `KINESIS_DATASTREAM_NAME` that holds the Kinesis Data Stream Name, which is a required property of the Kinesis Data Streams SDK when making calls to it

### Amazon Kinesis Stream

+ Enable server-side encryption for the Kinesis Data Stream using an AWS Managed CMK
+ Deploy best practices CloudWatch Alarms for the Kinesis Data Stream
+ An Interface Endpoint on the VPC for private communication between the Fargate Service and the Kinesis Data Stream

## Architecture


![\[Diagram showing the Fargate service, Kinesis data stream and CloudWatch alarms created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-fargate-kinesisstreams.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-fargate-kinesisstreams) for this pattern to view the code, read/create issues and pull requests and more.



# aws-fargate-opensearch


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_fargate_opensearch`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-fargate-opensearch`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.fargateopensearch`   | 

## Overview


This AWS Solutions Construct implements an AWS Fargate service that can write/read to an Amazon OpenSearch Service domain.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Aws, Stack, StackProps } from 'aws-cdk-lib';
import { FargateToOpenSearch, FargateToOpenSearchProps } from '@aws-solutions-constructs/aws-fargate-opensearch';

const constructProps: FargateToOpenSearchProps = {
  publicApi: true,
  ecrRepositoryArn: "arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo",
  openSearchDomainName: 'testdomain',
  // NOTE: Ensure the Cognito domain name is globally unique
  cognitoDomainName: 'globallyuniquedomain' + Aws.ACCOUNT_ID
};

new FargateToOpenSearch(this, 'test-construct', constructProps);
```

```
from aws_solutions_constructs.aws_fargate_opensearch import FargateToOpenSearch, FargateToOpenSearchProps
from aws_cdk import (
    Aws,
    Stack
)
from constructs import Construct

FargateToOpenSearch(self, 'test_construct',
            public_api=True,
            ecr_repository_arn="arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo",
            open_search_domain_name='testdomain',
            # NOTE: Ensure the Cognito domain name is globally unique
            cognito_domain_name='globallyuniquedomain' + Aws.ACCOUNT_ID)
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Aws;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.fargateopensearch.*;

new FargateToOpenSearch(this, "test_construct", new FargateToOpenSearchProps.Builder()
        .publicApi(true)
        .ecrRepositoryArn("arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
        .openSearchDomainName("testdomain")
        // NOTE: Ensure the Cognito domain name is globally unique
        .cognitoDomainName("globallyuniquedomain" + Aws.ACCOUNT_ID)
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  publicApi  |   `boolean`   |  Whether the construct is deploying a private or public API. This has implications for the VPC.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional custom properties for a VPC the construct will create. This VPC will be used by any Private Hosted Zone the construct creates (that’s why loadBalancerProps and privateHostedZoneProps can’t include a VPC). Providing both this and existingVpc causes an error.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the construct. Providing both this and vpcProps causes an error. If the client provides an existing load balancer and/or existing Private Hosted Zone, those constructs must exist in this VPC.  | 
|  clusterProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html)   |  Optional properties to create a new ECS cluster. To provide an existing cluster, use the cluster attribute of fargateServiceProps.  | 
|  ecrRepositoryArn?  |   `string`   |  The arn of an ECR Repository containing the image to use to generate the containers. Either this or the image property of containerDefinitionProps must be provided. format: arn:aws:ecr:*region*:*account number*:repository/*Repository Name*   | 
|  ecrImageVersion?  |   `string`   |  The version of the image to use from the repository. Defaults to "Latest".  | 
|  containerDefinitionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html) \| any  |  Optional props to define the container created for the Fargate Service (defaults found in fargate-defaults.ts).  | 
|  fargateTaskDefinitionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html) \| any  |  Optional props to define the Fargate Task Definition for this construct (defaults found in fargate-defaults.ts).  | 
|  fargateServiceProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html) \| any  |  Optional values to override default Fargate Task definition properties (fargate-defaults.ts). The construct will default to launching the service in the most isolated subnets available (precedence: Isolated, Private and Public). Override those and other defaults here.  | 
|  existingFargateServiceObject?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  A Fargate Service already instantiated (probably by another Solutions Construct). If this is specified, then no props defining a new service can be provided, including: ecrImageVersion, containerDefinitionProps, fargateTaskDefinitionProps, ecrRepositoryArn, fargateServiceProps, clusterProps.  | 
|  existingContainerDefinitionObject?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  A container definition already instantiated as part of a Fargate service. This must be the container in the existingFargateServiceObject.  | 
|  openSearchDomainProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.CfnDomainProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.CfnDomainProps.html)   |  Optional user provided props to override the default props for the OpenSearch Service.  | 
|  openSearchDomainName  |   `string`   |  Domain name for the OpenSearch Service.  | 
|  cognitoDomainName?  |   `string`   |  Optional Amazon Cognito domain name. If omitted the Amazon Cognito domain will default to the OpenSearch Service domain name.  | 
|  createCloudWatchAlarms?  |   `boolean`   |  Whether to create the recommended CloudWatch alarms.  | 
|  domainEndpointEnvironmentVariableName?  |   `string`   |  Optional name for the OpenSearch Service domain endpoint environment variable set for the Lambda function. Default is `DOMAIN_ENDPOINT`.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  vpc  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  The VPC used by the construct (whether created by the construct or provided by the client).  | 
|  service  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  The AWS Fargate service used by this construct (whether created by this construct or passed to this construct at initialization).  | 
|  container  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  The container associated with the AWS Fargate service in the service property.  | 
|  userPool  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPool.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPool.html)   |  Returns an instance of `cognito.UserPool` created by the construct.  | 
|  userPoolClient  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPoolClient.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPoolClient.html)   |  Returns an instance of `cognito.UserPoolClient` created by the construct.  | 
|  identityPool  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.CfnIdentityPool.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.CfnIdentityPool.html)   |  Returns an instance of `cognito.CfnIdentityPool` created by the construct.  | 
|  openSearchDomain  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.CfnDomain.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.CfnDomain.html)   |  Returns an instance of `opensearch.CfnDomain` created by the construct.  | 
|  openSearchRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of `iam.Role` created by the construct for `opensearch.CfnDomain`.  | 
|  cloudWatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns a list of `cloudwatch.Alarm` created by the construct.  | 

## Default settings


The out-of-the-box implementation of the Construct, without any overrides, sets the following defaults:

### AWS Fargate Service

+ Sets up an AWS Fargate service
  + Uses the existing service if provided
  + Creates a new service if none provided
    + Service will run in isolated subnets if available, then private subnets if available and finally public subnets
  + Adds environment variables to the container with the OpenSearch Service domain endpoint
  + Add permissions to the container IAM role allowing it to write/read to the OpenSearch Service domain endpoint

### Amazon Cognito

+ Set password policy for User Pools
+ Enforce the advanced security mode for User Pools

### Amazon OpenSearch Service

+ Deploy best practices CloudWatch Alarms for the OpenSearch Service domain
+ Secure the OpenSearch Service dashboard access with Cognito User Pools
+ Enable server-side encryption for OpenSearch Service domain using AWS managed KMS Key
+ Enable node-to-node encryption for the OpenSearch Service domain
+ Configure the cluster for the OpenSearch Service domain

## Architecture


![\[Diagram showing the Fargate service, OpenSearch domain, Cognito domain and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-fargate-opensearch.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-fargate-opensearch) for this pattern to view the code, read/create issues and pull requests and more.



# aws-fargate-s3


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_fargate_s3`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-fargate-s3`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.fargates3`   | 

## Overview


This AWS Solutions Construct implements an AWS Fargate service that can write/read to an Amazon S3 Bucket.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { FargateToS3, FargateToS3Props } from '@aws-solutions-constructs/aws-fargate-s3';

const constructProps: FargateToS3Props = {
  publicApi: true,
  ecrRepositoryArn: "arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo",
};

new FargateToS3(this, 'test-construct', constructProps);
```

```
from aws_solutions_constructs.aws_fargate_s3 import FargateToS3, FargateToS3Props
from aws_cdk import (
    Stack
)
from constructs import Construct

FargateToS3(self, 'test_construct',
            public_api=True,
            ecr_repository_arn="arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.fargates3.*;

new FargateToS3(this, "test_construct", new FargateToS3Props.Builder()
        .publicApi(true)
        .ecrRepositoryArn("arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  publicApi  |  boolean  |  Whether the construct is deploying a private or public API. This has implications for the VPC.  | 
|  vpcProps?  |   [ec2.VpcProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional custom properties for a VPC the construct will create. This VPC will be used by any Private Hosted Zone the construct creates (that’s why loadBalancerProps and privateHostedZoneProps can’t include a VPC). Providing both this and existingVpc causes an error.  | 
|  existingVpc?  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the construct. Providing both this and vpcProps causes an error. If the client provides an existing load balancer and/or existing Private Hosted Zone, those constructs must exist in this VPC.  | 
|  clusterProps?  |   [ecs.ClusterProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html)   |  Optional properties to create a new ECS cluster. To provide an existing cluster, use the cluster attribute of fargateServiceProps.  | 
|  ecrRepositoryArn?  |  string  |  The arn of an ECR Repository containing the image to use to generate the containers. Either this or the image property of containerDefinitionProps must be provided. format: arn:aws:ecr:*region*:*account number*:repository/*Repository Name*   | 
|  ecrImageVersion?  |  string  |  The version of the image to use from the repository. Defaults to "Latest"   | 
|  containerDefinitionProps?  |   [ecs.ContainerDefinitionProps \| any](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html)   |  Optional props to define the container created for the Fargate Service (defaults found in fargate-defaults.ts)  | 
|  fargateTaskDefinitionProps?  |   [ecs.FargateTaskDefinitionProps \| any](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html)   |  Optional props to define the Fargate Task Definition for this construct (defaults found in fargate-defaults.ts)  | 
|  fargateServiceProps?  |   [ecs.FargateServiceProps \| any](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html)   |  Optional values to override default Fargate Task definition properties (fargate-defaults.ts). The construct will default to launching the service in the most isolated subnets available (precedence: Isolated, Private and Public). Override those and other defaults here.  | 
|  existingFargateServiceObject?  |   [ecs.FargateService](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  A Fargate Service already instantiated (probably by another Solutions Construct). If this is specified, then no props defining a new service can be provided, including: ecrImageVersion, containerDefinitionProps, fargateTaskDefinitionProps, ecrRepositoryArn, fargateServiceProps, clusterProps  | 
|  existingContainerDefinitionObject?  |   [ecs.ContainerDefinition](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  A container definition already instantiated as part of a Fargate service. This must be the container in the existingFargateServiceObject  | 
|  existingBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Optional - existing instance of S3 Bucket. If this is provided, then also providing bucketProps results in an error.  | 
|  bucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Bucket. Providing both this and `existingBucketObj` will cause an error.  | 
|  loggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Logging Bucket.  | 
|  logS3AccessLogs?  |  boolean  |  Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true  | 
|  bucketPermissions?  |   `string[]`   |  Optional bucket permissions to grant to the Fargate service. One or more of the following may be specified: `Delete`, `Read`, and `Write`. Default is ["Read", "Write"] which includes `[s3:GetObject*, s3:GetBucket*, s3:List*, s3:DeleteObject*, s3:PutObject*, s3:Abort*]`.  | 
|  bucketArnEnvironmentVariableName?  |  string  |  Optional Name for the container environment variable set to the bucket ARN. Default: `S3_BUCKET_ARN`  | 
|  bucketEnvironmentVariableName?  |  string  |  Optional Name for the container environment variable set to the bucket name. Default: `S3_BUCKET_NAME`  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  vpc  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  The VPC used by the construct (whether created by the construct or provided by the client)  | 
|  service  |   [ecs.FargateService](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  The AWS Fargate service used by this construct (whether created by this construct or passed to this construct at initialization)  | 
|  container  |   [ecs.ContainerDefinition](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  The container associated with the AWS Fargate service in the service property.  | 
|  s3Bucket?  |   [s3.IBucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an instance of s3.Bucket created by the construct  | 
|  s3BucketInterface  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an instance of s3.IBucket created by the construct  | 
|  s3LoggingBucket?  |   [s3.Bucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct  | 

## Default settings


The out-of-the-box implementation of the Construct, without any overrides, sets the following defaults:

### AWS Fargate Service

+ Sets up an AWS Fargate service
  + Uses the existing service if provided
  + Creates a new service if none provided.
    + Service will run in isolated subnets if available, then private subnets if available and finally public subnets
  + Adds environment variables to the container with the ARN and Name of the S3 Bucket
  + Add permissions to the container IAM role allowing it to publish to the S3 Bucket

### Amazon S3 Bucket

+ Sets up an Amazon S3 Bucket
  + Uses an existing bucket if one is provided, otherwise creates a new one
+ Adds an Interface Endpoint to the VPC for S3 (the service by default runs in Isolated or Private subnets)

## Architecture


![\[Diagram showing the Fargate service, S3 bucket and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-fargate-s3.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-fargate-s3) for this pattern to view the code, read/create issues and pull requests and more.



# aws-fargate-secretsmanager


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_fargate_secretsmanager`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-fargate-secretsmanager`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.fargatesecretsmanager`   | 

## Overview


This AWS Solutions Construct implements an AWS Fargate service that can write/read to an AWS Secrets Manager secret.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { FargateToSecretsmanager, FargateToSecretsmanagerProps } from '@aws-solutions-constructs/aws-fargate-secretsmanager';

const constructProps: FargateToSecretsmanagerProps = {
  publicApi: true,
  ecrRepositoryArn: "arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo",
};

new FargateToSecretsmanager(stack, 'test-construct', constructProps);
```

```
from aws_solutions_constructs.aws_fargate_secretsmanager import FargateToSecretsmanager, FargateToSecretsmanagerProps
from aws_cdk import (
    Stack
)
from constructs import Construct

FargateToSecretsmanager(self, 'test_construct',
            public_api=True,
            ecr_repository_arn="arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.fargatesecretsmanager.*;

new FargateToSecretsmanager(this, "test-construct", new FargateToSecretsmanagerProps.Builder()
        .publicApi(true)
        .ecrRepositoryArn("arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  publicApi  |   `boolean`   |  Whether the construct is deploying a private or public API. This has implications for the VPC.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional custom properties for a VPC the construct will create. This VPC will be used by any Private Hosted Zone the construct creates (that’s why loadBalancerProps and privateHostedZoneProps can’t include a VPC). Providing both this and existingVpc causes an error.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the construct. Providing both this and vpcProps causes an error. If the client provides an existing load balancer and/or existing Private Hosted Zone, those constructs must exist in this VPC.  | 
|  clusterProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html)   |  Optional properties to create a new ECS cluster. To provide an existing cluster, use the cluster attribute of fargateServiceProps.  | 
|  ecrRepositoryArn?  |   `string`   |  The arn of an ECR Repository containing the image to use to generate the containers. Either this or the image property of containerDefinitionProps must be provided. format: arn:aws:ecr:*region*:*account number*:repository/*Repository Name*   | 
|  ecrImageVersion?  |   `string`   |  The version of the image to use from the repository. Defaults to "Latest"   | 
|  containerDefinitionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html) \| any  |  Optional props to define the container created for the Fargate Service (defaults found in fargate-defaults.ts)  | 
|  fargateTaskDefinitionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html) \| any  |  Optional props to define the Fargate Task Definition for this construct (defaults found in fargate-defaults.ts)  | 
|  fargateServiceProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html) \| any  |  Optional values to override default Fargate Task definition properties (fargate-defaults.ts). The construct will default to launching the service in the most isolated subnets available (precedence: Isolated, Private and Public). Override those and other defaults here.  | 
|  existingFargateServiceObject?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  A Fargate Service already instantiated (probably by another Solutions Construct). If this is specified, then no props defining a new service can be provided, including: ecrImageVersion, containerDefinitionProps, fargateTaskDefinitionProps, ecrRepositoryArn, fargateServiceProps, clusterProps  | 
|  existingContainerDefinitionObject?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  A container definition already instantiated as part of a Fargate service. This must be the container in the existingFargateServiceObject  | 
|  secretProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.SecretProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.SecretProps.html)   |  Optional user provided props to override the default props for Secrets Manager  | 
|  existingSecretObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.Secret.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.Secret.html)   |  Existing instance of Secrets Manager Secret object. If this is set then the secretProps is ignored  | 
|  grantWriteAccess?  |   `boolean`   |  Optional write access to the Secret for the Fargate service (Read-Only by default)  | 
|  secretEnvironmentVariableName?  |   `string`   |  Optional Name for the container environment variable set to the ARN of the secret. Default: `SECRET_ARN`  | 
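
The mutual-exclusion rules and defaults in the aws-fargate-s3 and aws-fargate-secretsmanager props tables can be checked before synthesis. The following is an added example, not code from the AWS Solutions Constructs project: `reviewProps`, `PropsUnderReview`, `Finding` and the `1.4.2` tag are hypothetical, and the `warn` findings are review prompts chosen for this example rather than behavior of the library.

```typescript
// Added example (not AWS Solutions Constructs code): a pre-synth review of
// construct props using only rules and defaults stated in the tables above.
// PropsUnderReview, Finding and reviewProps are hypothetical names.
type Severity = 'error' | 'warn';
type Pattern = 'aws-fargate-s3' | 'aws-fargate-secretsmanager';
interface Finding { severity: Severity; prop: string; message: string; }

// Subset of the documented props, typed loosely so no CDK import is needed.
interface PropsUnderReview {
  publicApi: boolean;
  vpcProps?: object;
  existingVpc?: object;
  clusterProps?: object;
  ecrRepositoryArn?: string;
  ecrImageVersion?: string;
  containerDefinitionProps?: { image?: unknown };
  fargateTaskDefinitionProps?: object;
  fargateServiceProps?: object;
  existingFargateServiceObject?: object;
  existingBucketObj?: object;        // aws-fargate-s3 only
  bucketProps?: object;
  logS3AccessLogs?: boolean;
  bucketPermissions?: string[];
  secretProps?: object;              // aws-fargate-secretsmanager only
  existingSecretObj?: object;
  grantWriteAccess?: boolean;
}

// Props the tables forbid alongside existingFargateServiceObject.
const NEW_SERVICE_PROPS = [
  'ecrImageVersion', 'containerDefinitionProps', 'fargateTaskDefinitionProps',
  'ecrRepositoryArn', 'fargateServiceProps', 'clusterProps',
] as const;
const BUCKET_PERMISSIONS = ['Delete', 'Read', 'Write'];

function reviewProps(pattern: Pattern, p: PropsUnderReview): Finding[] {
  const out: Finding[] = [];
  const add = (severity: Severity, prop: string, message: string) =>
    out.push({ severity, prop, message });

  // Rules shared by the Fargate patterns on this page.
  if (p.vpcProps !== undefined && p.existingVpc !== undefined) {
    add('error', 'vpcProps', 'vpcProps and existingVpc cannot both be set');
  }
  if (p.existingFargateServiceObject !== undefined) {
    for (const key of NEW_SERVICE_PROPS) {
      if (p[key] !== undefined) {
        add('error', key, key + ' cannot be combined with existingFargateServiceObject');
      }
    }
  } else {
    const image = p.containerDefinitionProps ? p.containerDefinitionProps.image : undefined;
    if (p.ecrRepositoryArn === undefined && image === undefined) {
      add('error', 'ecrRepositoryArn', 'set ecrRepositoryArn or containerDefinitionProps.image');
    }
    if (p.ecrRepositoryArn !== undefined && p.ecrImageVersion === undefined) {
      add('warn', 'ecrImageVersion', 'unset, so the default "Latest" is used; pin a version');
    }
  }

  if (pattern === 'aws-fargate-s3') {
    if (p.existingBucketObj !== undefined && p.bucketProps !== undefined) {
      add('error', 'bucketProps', 'bucketProps and existingBucketObj cannot both be set');
    }
    if (p.logS3AccessLogs === false) {
      add('warn', 'logS3AccessLogs', 'access logging is off; the default is true');
    }
    if (p.bucketPermissions === undefined) {
      add('warn', 'bucketPermissions', 'unset, so Read and Write are granted; list them explicitly');
    }
    for (const perm of p.bucketPermissions || []) {
      if (BUCKET_PERMISSIONS.indexOf(perm) === -1) {
        add('error', 'bucketPermissions', 'unknown permission: ' + perm);
      } else if (perm === 'Delete') {
        add('warn', 'bucketPermissions', 'Delete is granted; confirm the service needs it');
      }
    }
  }

  if (pattern === 'aws-fargate-secretsmanager') {
    if (p.existingSecretObj !== undefined && p.secretProps !== undefined) {
      add('warn', 'secretProps', 'ignored because existingSecretObj is set');
    }
    if (p.grantWriteAccess === true) {
      add('warn', 'grantWriteAccess', 'service can write the secret; the default is read-only');
    }
  }
  return out;
}

// Constructed inputs: the page's minimal S3 props, then a tightened variant.
const ECR_ARN = 'arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo';
const minimalS3: PropsUnderReview = { publicApi: true, ecrRepositoryArn: ECR_ARN };
const tightenedS3: PropsUnderReview = {
  publicApi: false, ecrRepositoryArn: ECR_ARN,
  ecrImageVersion: '1.4.2', bucketPermissions: ['Read'],  // constructed tag
};
for (const f of reviewProps('aws-fargate-s3', minimalS3)) {
  console.log(f.severity + ' ' + f.prop + ': ' + f.message);
}
```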

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  vpc  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  The VPC used by the construct (whether created by the construct or provided by the client)  | 
|  service  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  The AWS Fargate service used by this construct (whether created by this construct or passed to this construct at initialization)  | 
|  container  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  The container associated with the AWS Fargate service in the service property.  | 
|  secret  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.Secret.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.Secret.html)   |  Returns an instance of `secretsmanager.Secret` created by the construct  | 

## Default settings


Out of the box, without any overrides, the construct sets the following defaults:

### AWS Fargate Service

+ Sets up an AWS Fargate service
  + Uses the existing service if provided
  + Creates a new service if none provided.
    + Service will run in isolated subnets if available, then private subnets if available and finally public subnets
  + Adds environment variables to the container with the ARN and Name of the Secrets Manager secret
  + Adds permissions to the container IAM role allowing it to access the Secrets Manager secret (read-only by default; see grantWriteAccess)

### Amazon Secrets Manager Secret

+ Sets up an Amazon Secrets Manager secret
  + Uses an existing secret if one is provided, otherwise creates a new one
    + (default) random name
    + (default) random value
+ Adds an Interface Endpoint to the VPC for Secrets Manager (the service by default runs in Isolated or Private subnets)
+ Retains the secret when the CloudFormation stack is deleted

## Architecture


![\[Diagram showing the Fargate service, Secrets Manager secret and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-fargate-secretsmanager.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-fargate-secretsmanager) for this pattern to view the code, read/create issues and pull requests and more.



# aws-fargate-sns


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_fargate_sns`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-fargate-sns`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.fargatesns`   | 

## Overview


This AWS Solutions Construct implements an AWS Fargate service that can write to an Amazon SNS topic.

Here is a minimal deployable pattern definition:

**Example**  

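```typescript
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { FargateToSns, FargateToSnsProps } from '@aws-solutions-constructs/aws-fargate-sns';

// The stack class name is illustrative; the construct must be created inside a Stack.
export class FargateToSnsStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const constructProps: FargateToSnsProps = {
        publicApi: true,
        ecrRepositoryArn: "arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo"
    };

    new FargateToSns(this, 'test-construct', constructProps);
  }
}
```

```python
from aws_solutions_constructs.aws_fargate_sns import FargateToSns, FargateToSnsProps
from aws_cdk import (
    Stack
)
from constructs import Construct


# The stack class name is illustrative; the construct must be created inside a Stack.
class FargateToSnsStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        FargateToSns(self, 'test_construct',
                     public_api=True,
                     ecr_repository_arn="arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
```

```java
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.fargatesns.*;

// The stack class name is illustrative; the construct must be created inside a Stack.
public class FargateToSnsStack extends Stack {
    public FargateToSnsStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        new FargateToSns(this, "test_construct", new FargateToSnsProps.Builder()
                .publicApi(true)
                .ecrRepositoryArn("arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
                .build());
    }
}
```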

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  publicApi  |  boolean  |  Whether the construct is deploying a private or public API. This has implications for the VPC.  | 
|  vpcProps?  |   [ec2.VpcProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional custom properties for a VPC the construct will create. This VPC will be used by any Private Hosted Zone the construct creates (that’s why loadBalancerProps and privateHostedZoneProps can’t include a VPC). Providing both this and existingVpc causes an error.  | 
|  existingVpc?  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the construct. Providing both this and vpcProps causes an error. If the client provides an existing load balancer and/or existing Private Hosted Zone, those constructs must exist in this VPC.  | 
|  clusterProps?  |   [ecs.ClusterProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html)   |  Optional properties to create a new ECS cluster. To provide an existing cluster, use the cluster attribute of fargateServiceProps.  | 
|  ecrRepositoryArn?  |  string  |  The ARN of an ECR Repository containing the image to use to generate the containers. Either this or the image property of containerDefinitionProps must be provided. Format: arn:aws:ecr:*region*:*account number*:repository/*Repository Name*   | 
|  ecrImageVersion?  |  string  |  The version of the image to use from the repository. Defaults to "Latest"   | 
|  containerDefinitionProps?  |   [ecs.ContainerDefinitionProps \| any](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html)   |  Optional props to define the container created for the Fargate Service (defaults found in fargate-defaults.ts)  | 
|  fargateTaskDefinitionProps?  |   [ecs.FargateTaskDefinitionProps \| any](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html)   |  Optional props to define the Fargate Task Definition for this construct (defaults found in fargate-defaults.ts)  | 
|  fargateServiceProps?  |   [ecs.FargateServiceProps \| any](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html)   |  Optional values to override default Fargate Task definition properties (fargate-defaults.ts). The construct will default to launching the service in the most isolated subnets available (precedence: Isolated, Private and Public). Override those and other defaults here.  | 
|  existingFargateServiceObject?  |   [ecs.FargateService](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  A Fargate Service already instantiated (probably by another Solutions Construct). If this is specified, then no props defining a new service can be provided, including: ecrImageVersion, containerDefinitionProps, fargateTaskDefinitionProps, ecrRepositoryArn, fargateServiceProps, clusterProps  | 
|  existingContainerDefinitionObject?  |   [ecs.ContainerDefinition](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  A container definition already instantiated as part of a Fargate service. This must be the container in the existingFargateServiceObject  | 
|  existingTopicObj?  |   [sns.Topic](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)   |  Existing instance of an SNS Topic object. Providing both this and `topicProps` will cause an error.  | 
|  topicProps?  |   [sns.TopicProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html)   |  Optional - user provided properties to override the default properties for the SNS topic. Providing both this and `existingTopicObj` causes an error.  | 
|  topicArnEnvironmentVariableName?  |  string  |  Optional name for the container environment variable set to the ARN of the topic. Default: `SNS_TOPIC_ARN`  | 
|  topicNameEnvironmentVariableName?  |  string  |  Optional name for the container environment variable set to the name of the topic. Default: `SNS_TOPIC_NAME`  | 
|  enableEncryptionWithCustomerManagedKey?  |   `boolean`   |  If no key is provided, this flag determines whether the SNS Topic is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: topicProps.masterKey, encryptionKey or encryptionKeyProps.  | 
|  encryptionKey?  |   [kms.Key](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SNS Topic with.  | 
|  encryptionKeyProps?  |   [kms.KeyProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  Optional user-provided properties to override the default properties for the KMS encryption key used to encrypt the SNS Topic.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  vpc  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  The VPC used by the construct (whether created by the construct or provided by the client)  | 
|  service  |   [ecs.FargateService](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  The AWS Fargate service used by this construct (whether created by this construct or passed to this construct at initialization)  | 
|  container  |   [ecs.ContainerDefinition](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  The container associated with the AWS Fargate service in the service property.  | 
|  snsTopic  |   [sns.Topic](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)   |  Returns an instance of the SNS topic created by the pattern.  | 

## Default settings


Out of the box, without any overrides, the construct sets the following defaults:

### AWS Fargate Service

+ Sets up an AWS Fargate service
  + Uses the existing service if provided
  + Creates a new service if none provided.
    + Service will run in isolated subnets if available, then private subnets if available and finally public subnets
  + Adds environment variables to the container with the ARN and Name of the SNS topic
  + Adds permissions to the container IAM role allowing it to publish to the SNS topic

### Amazon SNS Topic

+ Sets up an Amazon SNS topic
  + Uses an existing topic if one is provided, otherwise creates a new one
+ Adds an Interface Endpoint to the VPC for SNS (the service by default runs in Isolated or Private subnets)

## Architecture


![\[Diagram showing the Fargate service, SNS topic and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-fargate-sns.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-fargate-sns) for this pattern to view the code, read/create issues and pull requests and more.



# aws-fargate-sqs


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_fargate_sqs`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-fargate-sqs`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.fargatesqs`   | 

## Overview


This AWS Solutions Construct implements an AWS Fargate service that can write to an Amazon SQS queue.

Here is a minimal deployable pattern definition:

**Example**  

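```typescript
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { FargateToSqs, FargateToSqsProps } from '@aws-solutions-constructs/aws-fargate-sqs';

// The stack class name is illustrative; the construct must be created inside a Stack.
export class FargateToSqsStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const constructProps: FargateToSqsProps = {
        publicApi: true,
        ecrRepositoryArn: "arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo"
    };

    new FargateToSqs(this, 'test-construct', constructProps);
  }
}
```

```python
from aws_solutions_constructs.aws_fargate_sqs import FargateToSqs, FargateToSqsProps
from aws_cdk import (
    Stack
)
from constructs import Construct


# The stack class name is illustrative; the construct must be created inside a Stack.
class FargateToSqsStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        FargateToSqs(self, 'test_construct',
                     public_api=True,
                     ecr_repository_arn="arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
```

```java
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.fargatesqs.*;

// The stack class name is illustrative; the construct must be created inside a Stack.
public class FargateToSqsStack extends Stack {
    public FargateToSqsStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        new FargateToSqs(this, "test_construct", new FargateToSqsProps.Builder()
                .publicApi(true)
                .ecrRepositoryArn("arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
                .build());
    }
}
```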

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  publicApi  |  boolean  |  Whether the construct is deploying a private or public API. This has implications for the VPC.  | 
|  vpcProps?  |   [ec2.VpcProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional custom properties for a VPC the construct will create. This VPC will be used by any Private Hosted Zone the construct creates (that’s why loadBalancerProps and privateHostedZoneProps can’t include a VPC). Providing both this and existingVpc causes an error.  | 
|  existingVpc?  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the construct. Providing both this and vpcProps causes an error. If the client provides an existing load balancer and/or existing Private Hosted Zone, those constructs must exist in this VPC.  | 
|  clusterProps?  |   [ecs.ClusterProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html)   |  Optional properties to create a new ECS cluster. To provide an existing cluster, use the cluster attribute of fargateServiceProps.  | 
|  ecrRepositoryArn?  |  string  |  The ARN of an ECR Repository containing the image to use to generate the containers. Either this or the image property of containerDefinitionProps must be provided. Format: arn:aws:ecr:*region*:*account number*:repository/*Repository Name*   | 
|  ecrImageVersion?  |  string  |  The version of the image to use from the repository. Defaults to "Latest"   | 
|  containerDefinitionProps?  |   [ecs.ContainerDefinitionProps \| any](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html)   |  Optional props to define the container created for the Fargate Service (defaults found in fargate-defaults.ts)  | 
|  fargateTaskDefinitionProps?  |   [ecs.FargateTaskDefinitionProps \| any](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html)   |  Optional props to define the Fargate Task Definition for this construct (defaults found in fargate-defaults.ts)  | 
|  fargateServiceProps?  |   [ecs.FargateServiceProps \| any](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html)   |  Optional values to override default Fargate Task definition properties (fargate-defaults.ts). The construct will default to launching the service in the most isolated subnets available (precedence: Isolated, Private and Public). Override those and other defaults here.  | 
|  existingFargateServiceObject?  |   [ecs.FargateService](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  A Fargate Service already instantiated (probably by another Solutions Construct). If this is specified, then no props defining a new service can be provided, including: ecrImageVersion, containerDefinitionProps, fargateTaskDefinitionProps, ecrRepositoryArn, fargateServiceProps, clusterProps  | 
|  existingContainerDefinitionObject?  |   [ecs.ContainerDefinition](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  A container definition already instantiated as part of a Fargate service. This must be the container in the existingFargateServiceObject  | 
|  existingQueueObj?  |   [sqs.Queue](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  An optional, existing SQS queue to be used instead of the default queue. Providing both this and queueProps will cause an error.  | 
|  queueProps?  |   [sqs.QueueProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional - user provided properties to override the default properties for the SQS queue. Providing both this and `existingQueueObj` will cause an error.  | 
|  deployDeadLetterQueue?  |  boolean  |  Whether to create a secondary queue to be used as a dead letter queue. Defaults to `true`.  | 
|  deadLetterQueueProps?  |   [sqs.QueueProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional user-provided props to override the default props for the dead letter queue. Only used if the `deployDeadLetterQueue` property is set to true.  | 
|  maxReceiveCount?  |  integer  |  The number of times a message can be unsuccessfully dequeued before being moved to the dead letter queue. Defaults to `15`.  | 
|  queueUrlEnvironmentVariableName?  |  string  |  Optional name for the container environment variable set to the URL of the queue. Default: `SQS_QUEUE_URL`  | 
|  queueArnEnvironmentVariableName?  |  string  |  Optional name for the container environment variable set to the ARN of the queue. Default: `SQS_QUEUE_ARN`  | 
|  queuePermissions?  |   `string[]`   |  Optional queue permissions to grant to the Fargate service. One or more of the following may be specified: `Read`,`Write`. Default is `Write`   | 
|  enableEncryptionWithCustomerManagedKey?  |   `boolean`   |  If no key is provided, this flag determines whether the queue is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: queueProps.encryptionMasterKey, encryptionKey or encryptionKeyProps.  | 
|  encryptionKey?  |   [kms.Key](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SQS Queue with.  | 
|  encryptionKeyProps?  |   [kms.KeyProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  Optional user-provided properties to override the default properties for the KMS encryption key used to encrypt the SQS queue.  | 
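
The combination rules in the table above (and the matching encryption rule in the aws-fargate-sns table, where the nested prop is `topicProps.masterKey`) can be checked before synthesis. This is an added example, not code from AWS Solutions Constructs: `reviewFargateToSqsProps`, `PropsLike` and the result labels are hypothetical names, prop values are treated as opaque objects, and exact-case matching of `Read`/`Write` is an assumption.

```typescript
// Plain-object model of the FargateToSqs props table; only presence of a prop matters.
type PropsLike = { [key: string]: unknown };
type Encryption = 'cmk-from-props' | 'cmk-new' | 'aws-managed';

interface PropsReview {
  errors: string[];          // combinations the table says are not allowed
  notes: string[];           // props the table says are ignored or unused
  encryption: Encryption;    // which key ends up protecting the queue
  permissions: string[];     // what the Fargate service is granted on the queue
  deadLetterQueue: boolean;  // whether a dead letter queue is deployed
}

// Props that define a new service and so conflict with existingFargateServiceObject.
const NEW_SERVICE_PROPS: string[] = [
  'ecrImageVersion', 'containerDefinitionProps', 'fargateTaskDefinitionProps',
  'ecrRepositoryArn', 'fargateServiceProps', 'clusterProps',
];
const ALLOWED_PERMISSIONS: string[] = ['Read', 'Write'];

function isSet(p: PropsLike, key: string): boolean {
  return p[key] !== undefined && p[key] !== null;
}

function nestedIsSet(p: PropsLike, outer: string, inner: string): boolean {
  const o = p[outer];
  return typeof o === 'object' && o !== null && isSet(o as PropsLike, inner);
}

function reviewFargateToSqsProps(p: PropsLike): PropsReview {
  const errors: string[] = [];
  const notes: string[] = [];

  if (typeof p['publicApi'] !== 'boolean') errors.push('publicApi is required (boolean)');
  if (isSet(p, 'vpcProps') && isSet(p, 'existingVpc')) {
    errors.push('vpcProps and existingVpc cannot both be provided');
  }
  if (isSet(p, 'queueProps') && isSet(p, 'existingQueueObj')) {
    errors.push('queueProps and existingQueueObj cannot both be provided');
  }

  if (isSet(p, 'existingFargateServiceObject')) {
    for (const key of NEW_SERVICE_PROPS) {
      if (isSet(p, key)) errors.push(key + ' cannot be combined with existingFargateServiceObject');
    }
  } else if (!isSet(p, 'ecrRepositoryArn') && !nestedIsSet(p, 'containerDefinitionProps', 'image')) {
    errors.push('ecrRepositoryArn or containerDefinitionProps.image must be provided');
  }

  // deployDeadLetterQueue defaults to true; its props are only used when it is deployed.
  const deadLetterQueue = p['deployDeadLetterQueue'] !== false;
  if (!deadLetterQueue && isSet(p, 'deadLetterQueueProps')) {
    notes.push('deadLetterQueueProps is unused: deployDeadLetterQueue is false');
  }

  // queuePermissions defaults to Write; Read must be requested explicitly.
  const raw = p['queuePermissions'];
  let permissions: string[] = ['Write'];
  if (Array.isArray(raw)) {
    permissions = raw.map((v) => String(v));
  } else if (raw !== undefined) {
    errors.push('queuePermissions must be a string[]');
  }
  for (const perm of permissions) {
    if (ALLOWED_PERMISSIONS.indexOf(perm) === -1) errors.push('unknown queue permission: ' + perm);
  }

  // The flag only matters when no key is defined anywhere in the props.
  const keyInProps = isSet(p, 'encryptionKey') || isSet(p, 'encryptionKeyProps')
    || nestedIsSet(p, 'queueProps', 'encryptionMasterKey');
  let encryption: Encryption = 'aws-managed';
  if (keyInProps) {
    encryption = 'cmk-from-props';
    if (isSet(p, 'enableEncryptionWithCustomerManagedKey')) {
      notes.push('enableEncryptionWithCustomerManagedKey is ignored: a key is defined in props');
    }
  } else if (p['enableEncryptionWithCustomerManagedKey'] === true) {
    encryption = 'cmk-new';
  }

  return { errors, notes, encryption, permissions, deadLetterQueue };
}

// Constructed sample inputs: the page's minimal props, and a set that breaks several rules.
const minimalFromPage: PropsLike = {
  publicApi: true,
  ecrRepositoryArn: 'arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo',
};
const conflicting: PropsLike = {
  publicApi: false,
  existingFargateServiceObject: {},
  ecrRepositoryArn: 'arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo',
  queueProps: { encryptionMasterKey: {} },
  existingQueueObj: {},
  enableEncryptionWithCustomerManagedKey: true,
  queuePermissions: ['Read', 'Delete'],
  deployDeadLetterQueue: false,
  deadLetterQueueProps: {},
};
```

With the page's minimal props the review reports no errors, an AWS managed key, `Write` permission and a deployed dead letter queue, so a customer managed key and `Read` access are both opt-in.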

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  vpc  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  The VPC used by the construct (whether created by the construct or provided by the client)  | 
|  service  |   [ecs.FargateService](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  The AWS Fargate service used by this construct (whether created by this construct or passed to this construct at initialization)  | 
|  container  |   [ecs.ContainerDefinition](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  The container associated with the AWS Fargate service in the service property.  | 
|  sqsQueue  |   [sqs.Queue](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the SQS queue created by the pattern.  | 
|  deadLetterQueue?  |   [sqs.Queue](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the dead letter queue created by the pattern, if one is deployed.  | 

## Default settings


Out of the box, without any overrides, the construct sets the following defaults:

### AWS Fargate Service

+ Sets up an AWS Fargate service
  + Uses the existing service if provided
  + Creates a new service if none provided.
    + Service will run in isolated subnets if available, then private subnets if available and finally public subnets
  + Adds environment variables to the container with the name of the SQS queue
  + Adds permissions to the container IAM role allowing it to publish to the SQS queue

### Amazon SQS Queue

+ Sets up an Amazon SQS queue
  + Uses an existing queue if one is provided, otherwise creates a new one
+ Adds an Interface Endpoint to the VPC for SQS (the service by default runs in Isolated or Private subnets)

## Architecture


![\[Diagram showing the Fargate service, SQS queue and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-fargate-sqs.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-fargate-sqs) for this pattern to view the code, read/create issues and pull requests and more.



# aws-fargate-ssmstringparameter


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_fargate_ssmstringparameter`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-fargate-ssmstringparameter`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.fargatessmstringparameter`   | 

## Overview


This AWS Solutions Construct implements an AWS Fargate service that can read/write to an AWS Systems Manager String Parameter.

Here is a minimal deployable pattern definition:

**Example**  

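```typescript
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { FargateToSsmstringparameter, FargateToSsmstringparameterProps } from '@aws-solutions-constructs/aws-fargate-ssmstringparameter';

// The stack class name is illustrative; the construct must be created inside a Stack.
export class FargateToSsmstringparameterStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const constructProps: FargateToSsmstringparameterProps = {
      publicApi: true,
      ecrRepositoryArn: "arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo",
      stringParameterProps: { stringValue: "test-string-value" }
    };

    new FargateToSsmstringparameter(this, 'test-construct', constructProps);
  }
}
```

```python
from aws_solutions_constructs.aws_fargate_ssmstringparameter import FargateToSsmstringparameter, FargateToSsmstringparameterProps
from aws_cdk import (
    Stack,
    aws_ssm as ssm
)
from constructs import Construct


# The stack class name is illustrative; the construct must be created inside a Stack.
class FargateToSsmstringparameterStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        FargateToSsmstringparameter(self, 'test_construct',
                                    public_api=True,
                                    ecr_repository_arn="arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo",
                                    string_parameter_props=ssm.StringParameterProps(
                                        string_value="test-string-value"))
```

```java
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.ssm.*;
import software.amazon.awsconstructs.services.fargatessmstringparameter.*;

// The stack class name is illustrative; the construct must be created inside a Stack.
public class FargateToSsmstringparameterStack extends Stack {
    public FargateToSsmstringparameterStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        new FargateToSsmstringparameter(this, "test-construct", new FargateToSsmstringparameterProps.Builder()
                .publicApi(true)
                .ecrRepositoryArn("arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
                .stringParameterProps(new StringParameterProps.Builder()
                                .stringValue("test-string-value")
                                .build())
                .build());
    }
}
```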

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  publicApi  |   `boolean`   |  Whether the construct is deploying a private or public API. This has implications for the VPC.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional custom properties for a VPC the construct will create. This VPC will be used by any Private Hosted Zone the construct creates (that’s why loadBalancerProps and privateHostedZoneProps can’t include a VPC). Providing both this and existingVpc causes an error.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the construct. Providing both this and vpcProps causes an error. If the client provides an existing load balancer and/or existing Private Hosted Zone, those constructs must exist in this VPC.  | 
|  clusterProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html)   |  Optional properties to create a new ECS cluster. To provide an existing cluster, use the cluster attribute of fargateServiceProps.  | 
|  ecrRepositoryArn?  |   `string`   |  The ARN of an ECR Repository containing the image to use to generate the containers. Either this or the image property of containerDefinitionProps must be provided. Format: arn:aws:ecr:*region*:*account number*:repository/*Repository Name*   | 
|  ecrImageVersion?  |   `string`   |  The version of the image to use from the repository. Defaults to "Latest"   | 
|  containerDefinitionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html) \| any  |  Optional props to define the container created for the Fargate Service (defaults found in fargate-defaults.ts)  | 
|  fargateTaskDefinitionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html) \| any  |  Optional props to define the Fargate Task Definition for this construct (defaults found in fargate-defaults.ts)  | 
|  fargateServiceProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html) \| any  |  Optional values to override default Fargate Task definition properties (fargate-defaults.ts). The construct will default to launching the service in the most isolated subnets available (precedence: Isolated, Private and Public). Override those and other defaults here.  | 
|  existingFargateServiceObject?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  A Fargate Service already instantiated (probably by another Solutions Construct). If this is specified, then no props defining a new service can be provided, including: ecrImageVersion, containerDefinitionProps, fargateTaskDefinitionProps, ecrRepositoryArn, fargateServiceProps, clusterProps  | 
|  existingContainerDefinitionObject?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  A container definition already instantiated as part of a Fargate service. This must be the container in the existingFargateServiceObject  | 
|  existingStringParameterObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameter.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameter.html)   |  Existing instance of an SSM String parameter object. Providing both this and `stringParameterProps` will cause an error.  | 
|  stringParameterProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameterProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameterProps.html)   |  Optional user-provided props to override the default props for the SSM String parameter. If existingStringParameterObj is not set, stringParameterProps is required. The only supported [ssm.StringParameterProps.type](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameterProps.html#type) is [STRING](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.ParameterType.html#string); if a different value is provided, it will be overridden.  | 
|  stringParameterPermissions?  |   `string`   |  Optional SSM String parameter permissions to grant to the Fargate service. One of the following may be specified: "Read", "ReadWrite".  | 
|  stringParameterEnvironmentVariableName?  |   `string`   |  Optional name for the container environment variable set to the SSM parameter name. Default: `SSM_STRING_PARAMETER_NAME`  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  vpc  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  The VPC used by the construct (whether created by the construct or provided by the client)  | 
|  service  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  The AWS Fargate service used by this construct (whether created by this construct or passed to this construct at initialization)  | 
|  container  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  The container associated with the AWS Fargate service in the service property.  | 
|  stringParameter  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameter.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameter.html)   |  Returns an instance of `ssm.StringParameter` created by the construct  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### AWS Fargate Service

+ Sets up an AWS Fargate service
  + Uses the existing service if provided
  + Creates a new service if none provided.
    + Service will run in isolated subnets if available, then private subnets if available and finally public subnets
  + Adds environment variables to the container with the ARN and Name of the SSM parameter
  + Add permissions to the container IAM role allowing it to read/write to the SSM parameter

### AWS SSM String Parameter

+ Sets up an AWS SSM String Parameter
  + Uses an existing parameter if one is provided, otherwise creates a new one
+ Adds an Interface Endpoint to the VPC for SSM parameter (the service by default runs in Isolated or Private subnets)

## Architecture


![\[Diagram showing the Fargate service, SSM string parameter and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-fargate-ssmstringparameter.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-fargate-ssmstringparameter) for this pattern to view the code, read/create issues and pull requests and more.



# aws-fargate-stepfunctions


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_fargate_stepfunctions`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-fargate-stepfunctions`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.fargatestepfunctions`   | 

## Overview


This AWS Solutions Construct implements an AWS Fargate service that can execute an AWS Step Functions state machine.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { FargateToStepfunctions, FargateToStepfunctionsProps } from '@aws-solutions-constructs/aws-fargate-stepfunctions';
import * as stepfunctions from 'aws-cdk-lib/aws-stepfunctions';

const startState = new stepfunctions.Pass(this, 'StartState');

const constructProps: FargateToStepfunctionsProps = {
  publicApi: true,
  ecrRepositoryArn: "arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo",
  stateMachineProps: {
      definition: startState
    }
};

new FargateToStepfunctions(this, 'test-construct', constructProps);
```

```
from aws_solutions_constructs.aws_fargate_stepfunctions import FargateToStepfunctions, FargateToStepfunctionsProps
from aws_cdk import (
    aws_stepfunctions as stepfunctions,
    Stack
)
from constructs import Construct

start_state = stepfunctions.Pass(self, 'start_state')

FargateToStepfunctions(self, 'test_construct',
            public_api=True,
            ecr_repository_arn="arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo",
            state_machine_props=stepfunctions.StateMachineProps(
              definition=start_state))
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.fargatestepfunctions.*;
import software.amazon.awscdk.services.stepfunctions.*;

// Single Pass state used as the state machine definition
final Pass startState = new Pass(this, "StartState");

new FargateToStepfunctions(this, "test-construct", new FargateToStepfunctionsProps.Builder()
        .publicApi(true)
        .ecrRepositoryArn("arn:aws:ecr:us-east-1:123456789012:repository/your-ecr-repo")
        .stateMachineProps(new StateMachineProps.Builder()
                        .definition(startState)
                        .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  publicApi  |   `boolean`   |  Whether the construct is deploying a private or public API. This has implications for the VPC.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional custom properties for a VPC the construct will create. This VPC will be used by any Private Hosted Zone the construct creates (that’s why loadBalancerProps and privateHostedZoneProps can’t include a VPC). Providing both this and existingVpc causes an error.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the construct. Providing both this and vpcProps causes an error. If the client provides an existing load balancer and/or existing Private Hosted Zone, those constructs must exist in this VPC.  | 
|  clusterProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ClusterProps.html)   |  Optional properties to create a new ECS cluster. To provide an existing cluster, use the cluster attribute of fargateServiceProps.  | 
|  ecrRepositoryArn?  |   `string`   |  The arn of an ECR Repository containing the image to use to generate the containers. Either this or the image property of containerDefinitionProps must be provided. format: arn:aws:ecr:*region*:*account number*:repository/*Repository Name*   | 
|  ecrImageVersion?  |   `string`   |  The version of the image to use from the repository. Defaults to "Latest"   | 
|  containerDefinitionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinitionProps.html) \| any  |  Optional props to define the container created for the Fargate Service (defaults found in fargate-defaults.ts)  | 
|  fargateTaskDefinitionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateTaskDefinitionProps.html) \| any  |  Optional props to define the Fargate Task Definition for this construct (defaults found in fargate-defaults.ts)  | 
|  fargateServiceProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateServiceProps.html) \| any  |  Optional values to override default Fargate Task definition properties (fargate-defaults.ts). The construct will default to launching the service in the most isolated subnets available (precedence: Isolated, Private and Public). Override those and other defaults here.  | 
|  existingFargateServiceObject?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  A Fargate Service already instantiated (probably by another Solutions Construct). If this is specified, then no props defining a new service can be provided, including: ecrImageVersion, containerDefinitionProps, fargateTaskDefinitionProps, ecrRepositoryArn, fargateServiceProps, clusterProps  | 
|  existingContainerDefinitionObject?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  A container definition already instantiated as part of a Fargate service. This must be the container in the existingFargateServiceObject  | 
|  stateMachineProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachineProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachineProps.html)   |  User provided props for the sfn.StateMachine. This or existingStateMachine is required. If you provide a value for logs.destination, it must be an ILogGroup even though the prop type is ILogGroupRef. The CDK change to ILogGroupRef in v2.235.0 is incompatible with our interface without introducing breaking changes, so we still require an ILogGroup (as this implements ILogGroupRef, you can just assign it to logs.destination)  | 
|  createCloudWatchAlarms?  |   `boolean`   |  Whether to create recommended CloudWatch alarms. Default is true.  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  Optional user provided props to override the default props for the CloudWatchLogs LogGroup.  | 
|  stateMachineEnvironmentVariableName?  |   `string`   |  Optional Name for the container environment variable set to the ARN of the state machine. Default: `STATE_MACHINE_ARN`  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  vpc  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  The VPC used by the construct (whether created by the construct or provided by the client)  | 
|  service  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.FargateService.html)   |  The AWS Fargate service used by this construct (whether created by this construct or passed to this construct at initialization)  | 
|  container  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.ContainerDefinition.html)   |  The container associated with the AWS Fargate service in the service property.  | 
|  stateMachine  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachine.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachine.html)   |  Returns an instance of `sfn.StateMachine` created by the construct.  | 
|  stateMachineLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.ILogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.ILogGroup.html)   |  Returns an instance of the `logs.ILogGroup` created by the construct for StateMachine.  | 
|  cloudwatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns a list of `cloudwatch.Alarm` created by the construct.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### AWS Fargate Service

+ Sets up an AWS Fargate service
  + Uses the existing service if provided
  + Creates a new service if none provided.
    + Service will run in isolated subnets if available, then private subnets if available and finally public subnets
+ Adds an environment variable to the container containing the ARN of the state machine
  + Default name is `STATE_MACHINE_ARN` 
+ Add permissions to the container IAM role allowing it to start the execution of a state machine
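
The start-execution grant described above can be checked before deployment by auditing the synthesized template. The following is an added example, not code from the construct or its repository; it assumes the grant is synthesized as an `AWS::IAM::Policy` resource, and the function names, logical IDs and sample templates are constructed for illustration.

```typescript
// Added example: audits the JSON template written by `cdk synth`.
// Function names, logical IDs and both sample templates are constructed.
type Json = { [key: string]: any };

interface Finding {
  policy: string;  // logical ID of the AWS::IAM::Policy resource
  reason: string;
}

function asArray(value: any): any[] {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// True when a policy Resource element points at one state machine defined in
// the same template (Ref or Fn::GetAtt), or is a literal ARN without wildcards.
function isScopedToStateMachine(resource: any, resources: Json): boolean {
  if (typeof resource === 'string') return resource.indexOf('*') === -1;
  const target = resource && (resource.Ref || asArray(resource['Fn::GetAtt'])[0]);
  return typeof target === 'string'
    && resources[target] !== undefined
    && resources[target].Type === 'AWS::StepFunctions::StateMachine';
}

function auditStepFunctionsGrants(
  template: Json,
  allowedActions: string[] = ['states:StartExecution'],
): Finding[] {
  const allowed = allowedActions.map((a) => a.toLowerCase());
  const findings: Finding[] = [];
  const resources: Json = template.Resources || {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (res.Type !== 'AWS::IAM::Policy') continue;
    const doc = (res.Properties || {}).PolicyDocument || {};
    for (const stmt of asArray(doc.Statement)) {
      if (stmt.Effect !== 'Allow') continue;
      // Keep only the actions that can reach Step Functions.
      const actions: string[] = asArray(stmt.Action).filter((a: any) =>
        typeof a === 'string' && (a === '*' || a.toLowerCase().indexOf('states:') === 0));
      if (actions.length === 0) continue;
      for (const action of actions) {
        if (allowed.indexOf(action.toLowerCase()) === -1) {
          findings.push({ policy: logicalId, reason: `action "${action}" is outside the allow-list` });
        }
      }
      for (const r of asArray(stmt.Resource)) {
        if (!isScopedToStateMachine(r, resources)) {
          findings.push({ policy: logicalId, reason: `resource ${JSON.stringify(r)} is not a single state machine` });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: the grant scoped to one state machine.
const scopedTemplate: Json = {
  Resources: {
    ExampleStateMachine: { Type: 'AWS::StepFunctions::StateMachine', Properties: {} },
    ExampleTaskRolePolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: { PolicyDocument: { Statement: [
        { Effect: 'Allow', Action: 'states:StartExecution', Resource: { Ref: 'ExampleStateMachine' } },
      ] } },
    },
  },
};

// Constructed sample: the same policy after someone widened it by hand.
const widenedTemplate: Json = {
  Resources: {
    ExampleStateMachine: { Type: 'AWS::StepFunctions::StateMachine', Properties: {} },
    ExampleTaskRolePolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: { PolicyDocument: { Statement: [
        { Effect: 'Allow', Action: ['states:StartExecution', 'states:DeleteStateMachine'], Resource: '*' },
        { Effect: 'Allow', Action: 'logs:PutLogEvents', Resource: '*' },
      ] } },
    },
  },
};

console.log(auditStepFunctionsGrants(widenedTemplate));
```

Passing a different `allowedActions` list adapts the same check to other grants a task role is expected to hold.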

### AWS Step Functions

+ Sets up an AWS Step Functions state machine
  + Uses an existing state machine if one is provided, otherwise creates a new one
+ Adds an Interface Endpoint to the VPC for Step Functions (the service by default runs in Isolated or Private subnets)
+ Enables CloudWatch logging

## Architecture


![\[Diagram showing the Fargate service, State Machine, log group and IAM roles created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-fargate-stepfunctions.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-fargate-stepfunctions) for this pattern to view the code, read/create issues and pull requests and more.



# aws-iot-kinesisfirehose-s3


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_iot_kinesisfirehose_s3`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-iot-kinesisfirehose-s3`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.iotkinesisfirehoses3`   | 

## Overview


This AWS Solutions Construct implements an AWS IoT MQTT topic rule to send data to an Amazon Kinesis Data Firehose delivery stream connected to an Amazon S3 bucket.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { IotToKinesisFirehoseToS3Props, IotToKinesisFirehoseToS3 } from '@aws-solutions-constructs/aws-iot-kinesisfirehose-s3';

const constructProps: IotToKinesisFirehoseToS3Props = {
    iotTopicRuleProps: {
        topicRulePayload: {
            ruleDisabled: false,
            description: "Persistent storage of connected vehicle telematics data",
            sql: "SELECT * FROM 'connectedcar/telemetry/#'",
            actions: []
        }
    }
};

new IotToKinesisFirehoseToS3(this, 'test-iot-firehose-s3', constructProps);
```

```
from aws_solutions_constructs.aws_iot_kinesisfirehose_s3 import IotToKinesisFirehoseToS3Props, IotToKinesisFirehoseToS3
from aws_cdk import (
    aws_iot as iot,
    Stack
)
from constructs import Construct

IotToKinesisFirehoseToS3(self, 'test_iot_firehose_s3',
                        iot_topic_rule_props=iot.CfnTopicRuleProps(
                            topic_rule_payload=iot.CfnTopicRule.TopicRulePayloadProperty(
                                rule_disabled=False,
                                description="Persistent storage of connected vehicle telematics data",
                                sql="SELECT * FROM 'connectedcar/telemetry/#'",
                                actions=[]
                            )
                        ))
```

```
import software.constructs.Construct;
import java.util.List;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.iot.*;
import software.amazon.awscdk.services.iot.CfnTopicRule.TopicRulePayloadProperty;
import software.amazon.awsconstructs.services.iotkinesisfirehoses3.*;

new IotToKinesisFirehoseToS3(this, "test-iot-firehose-s3", new IotToKinesisFirehoseToS3Props.Builder()
        .iotTopicRuleProps(new CfnTopicRuleProps.Builder()
                .topicRulePayload(new TopicRulePayloadProperty.Builder()
                        .ruleDisabled(false)
                        .description("Persistent storage of connected vehicle telematics data")
                        .sql("SELECT * FROM 'connectedcar/telemetry/#'")
                        .actions(List.of())
                        .build())
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  iotTopicRuleProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRuleProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRuleProps.html)   |  User provided CfnTopicRuleProps to override the defaults  | 
|  kinesisFirehoseProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStreamProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStreamProps.html)   |  Optional user provided props to override the default props for Kinesis Firehose Delivery Stream  | 
|  existingBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Optional - existing instance of S3 Bucket. If this is provided, then also providing `bucketProps` causes an error.  | 
|  bucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Bucket, providing both this and `existingBucketObj` will cause an error.  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  User provided props to override the default props for the CloudWatchLogs LogGroup.  | 
|  loggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Logging Bucket.  | 
|  logS3AccessLogs?  |   `boolean`   |  Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. Default: true  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  kinesisFirehose  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream.html)   |  Returns an instance of kinesisfirehose.CfnDeliveryStream created by the construct  | 
|  s3Bucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct  | 
|  s3LoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket.  | 
|  iotTopicRule  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRule.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRule.html)   |  Returns an instance of iot.CfnTopicRule created by the construct  | 
|  iotActionsRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for IoT Rule  | 
|  kinesisFirehoseRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for Kinesis Data Firehose delivery stream  | 
|  kinesisFirehoseLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  Returns an instance of the LogGroup created by the construct for Kinesis Data Firehose delivery stream  | 
|  s3BucketInterface  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an instance of s3.IBucket created by the construct  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon IoT Rule

+ Configure least privilege access IAM role for Amazon IoT

### Amazon Kinesis Firehose

+ Enable CloudWatch logging for Kinesis Firehose
+ Configure least privilege access IAM role for Amazon Kinesis Firehose

### Amazon S3 Bucket

+ Configure Access logging for S3 Bucket
+ Enable server-side encryption for S3 Bucket using AWS managed KMS Key
+ Enforce encryption of data in transit
+ Turn on the versioning for S3 Bucket
+ Don’t allow public access for S3 Bucket
+ Retain the S3 Bucket when deleting the CloudFormation stack
+ Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days
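
Because `bucketProps` can override these defaults, a check on the synthesized template confirms they are still in effect before deployment. This is an added example, not part of the construct's own code; the function names, logical IDs and sample template are constructed, and buckets that serve only as access-log destinations are skipped.

```typescript
// Added example: audits the JSON template written by `cdk synth`.
// Function names, logical IDs and the sample template are constructed.
type Template = { [key: string]: any };

interface BucketReport {
  bucket: string;     // logical ID of the AWS::S3::Bucket
  missing: string[];  // listed defaults that are not in effect
}

function asList(value: any): any[] {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

function refTarget(value: any): string | undefined {
  return value && typeof value.Ref === 'string' ? value.Ref : undefined;
}

// True when a bucket policy attached to bucketId denies requests made without TLS.
function deniesPlainHttp(resources: Template, bucketId: string): boolean {
  return Object.keys(resources).some((id) => {
    const res = resources[id];
    const props = res.Properties || {};
    if (res.Type !== 'AWS::S3::BucketPolicy' || refTarget(props.Bucket) !== bucketId) return false;
    return asList((props.PolicyDocument || {}).Statement).some((s) =>
      s.Effect === 'Deny' &&
      String(((s.Condition || {}).Bool || {})['aws:SecureTransport']) === 'false');
  });
}

function auditBucketDefaults(template: Template): BucketReport[] {
  const resources: Template = template.Resources || {};
  const bucketIds = Object.keys(resources).filter((id) => resources[id].Type === 'AWS::S3::Bucket');
  // Buckets that only receive access logs are outside the list above, so skip them.
  const logTargets = bucketIds.map((id) =>
    refTarget(((resources[id].Properties || {}).LoggingConfiguration || {}).DestinationBucketName));

  return bucketIds.filter((id) => logTargets.indexOf(id) === -1).map((id) => {
    const res = resources[id];
    const p = res.Properties || {};
    const pab = p.PublicAccessBlockConfiguration || {};
    const sse = asList((p.BucketEncryption || {}).ServerSideEncryptionConfiguration);
    const rules = asList((p.LifecycleConfiguration || {}).Rules);
    const checks: [string, boolean][] = [
      ['access logging', p.LoggingConfiguration !== undefined],
      ['server-side encryption', sse.length > 0],
      ['TLS-only bucket policy', deniesPlainHttp(resources, id)],
      ['versioning', (p.VersioningConfiguration || {}).Status === 'Enabled'],
      ['public access block',
        ['BlockPublicAcls', 'BlockPublicPolicy', 'IgnorePublicAcls', 'RestrictPublicBuckets']
          .every((k) => pab[k] === true)],
      ['retain on stack deletion', res.DeletionPolicy === 'Retain'],
      ['noncurrent versions to Glacier after 90 days',
        rules.some((r) => r.Status === 'Enabled' && asList(r.NoncurrentVersionTransitions)
          .some((t) => t.StorageClass === 'GLACIER' && t.TransitionInDays === 90))],
    ];
    return { bucket: id, missing: checks.filter((c) => !c[1]).map((c) => c[0]) };
  });
}

// Constructed sample shaped like the listed defaults.
const hardenedTemplate: Template = {
  Resources: {
    ExampleLogBucket: { Type: 'AWS::S3::Bucket', DeletionPolicy: 'Retain', Properties: {} },
    ExampleDataBucket: {
      Type: 'AWS::S3::Bucket',
      DeletionPolicy: 'Retain',
      Properties: {
        BucketEncryption: { ServerSideEncryptionConfiguration: [
          { ServerSideEncryptionByDefault: { SSEAlgorithm: 'aws:kms' } }] },
        VersioningConfiguration: { Status: 'Enabled' },
        PublicAccessBlockConfiguration: {
          BlockPublicAcls: true, BlockPublicPolicy: true,
          IgnorePublicAcls: true, RestrictPublicBuckets: true },
        LoggingConfiguration: { DestinationBucketName: { Ref: 'ExampleLogBucket' } },
        LifecycleConfiguration: { Rules: [{ Status: 'Enabled',
          NoncurrentVersionTransitions: [{ StorageClass: 'GLACIER', TransitionInDays: 90 }] }] },
      },
    },
    ExampleDataBucketPolicy: {
      Type: 'AWS::S3::BucketPolicy',
      Properties: {
        Bucket: { Ref: 'ExampleDataBucket' },
        PolicyDocument: { Statement: [{
          Effect: 'Deny', Principal: { AWS: '*' }, Action: 's3:*',
          Resource: { 'Fn::GetAtt': ['ExampleDataBucket', 'Arn'] },
          Condition: { Bool: { 'aws:SecureTransport': 'false' } } }] },
      },
    },
  },
};

// The same template after a bucketProps override disabled versioning and
// removed the public access block.
function weakenedTemplate(): Template {
  const copy: Template = JSON.parse(JSON.stringify(hardenedTemplate));
  delete copy.Resources.ExampleDataBucket.Properties.VersioningConfiguration;
  delete copy.Resources.ExampleDataBucket.Properties.PublicAccessBlockConfiguration;
  return copy;
}

console.log(auditBucketDefaults(weakenedTemplate()));
```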

## Architecture


![\[Diagram showing the IOT rule, Kinesis data firehose, S3 buckets, log group and IAM roles created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-iot-kinesisfirehose-s3.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-iot-kinesisfirehose-s3) for this pattern to view the code, read/create issues and pull requests and more.



# aws-iot-kinesisstreams


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_iot_kinesisstreams`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-iot-kinesisstreams`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.iotkinesisstreams`   | 

## Overview


This AWS Solutions Construct implements an AWS IoT MQTT topic rule to send data to an Amazon Kinesis Data Stream.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { IotToKinesisStreamsProps, IotToKinesisStreams } from '@aws-solutions-constructs/aws-iot-kinesisstreams';

const constructProps: IotToKinesisStreamsProps = {
  iotTopicRuleProps: {
    topicRulePayload: {
      ruleDisabled: false,
      description: "Sends data to kinesis data stream",
      sql: "SELECT * FROM 'solutions/construct'",
      actions: []
    }
  }
};

new IotToKinesisStreams(this, 'test-iot-kinesisstreams', constructProps);
```

```
from aws_solutions_constructs.aws_iot_kinesisstreams import IotToKinesisStreamsProps, IotToKinesisStreams
from aws_cdk import (
    aws_iot as iot,
    Stack
)
from constructs import Construct

IotToKinesisStreams(self, 'test-iot-kinesisstreams',
                    iot_topic_rule_props=iot.CfnTopicRuleProps(
                        topic_rule_payload=iot.CfnTopicRule.TopicRulePayloadProperty(
                            rule_disabled=False,
                            description="Sends data to kinesis data stream",
                            sql="SELECT * FROM 'solutions/construct'",
                            actions=[]
                        )
                    ))
```

```
import software.constructs.Construct;
import java.util.List;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.iot.*;
import software.amazon.awscdk.services.iot.CfnTopicRule.TopicRulePayloadProperty;
import software.amazon.awsconstructs.services.iotkinesisstreams.*;

new IotToKinesisStreams(this, "test-iot-kinesisstreams", new IotToKinesisStreamsProps.Builder()
        .iotTopicRuleProps(new CfnTopicRuleProps.Builder()
                .topicRulePayload(new TopicRulePayloadProperty.Builder()
                        .ruleDisabled(false)
                        .description("Sends data to kinesis data stream")
                        .sql("SELECT * FROM 'solutions/construct'")
                        .actions(List.of())
                        .build())
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  iotTopicRuleProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRuleProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRuleProps.html)   |  User provided CfnTopicRuleProps to override the defaults  | 
|  existingStreamObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  Existing instance of Kinesis Stream, providing both this and `kinesisStreamProps` will cause an error.  | 
|  kinesisStreamProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html)   |  Optional user-provided props to override the default props for the Kinesis data stream, providing both this and `existingStreamObj` will cause an error  | 
|  createCloudWatchAlarms  |   `boolean`   |  Whether to create recommended CloudWatch alarms for Kinesis Data Stream. Default value is set to `true`   | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  iotTopicRule  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRule.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRule.html)   |  Returns an instance of iot.CfnTopicRule created by the construct  | 
|  iotActionsRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for IoT Rule  | 
|  kinesisStream  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  Returns an instance of the Kinesis stream created by the construct.  | 
|  cloudwatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns an array of recommended CloudWatch Alarms created by the construct for Kinesis Data stream  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon IoT Rule

+ Configure least privilege access IAM role for Amazon IoT Rule

### Amazon Kinesis Data Stream

+ Configure recommended CloudWatch Alarms for Amazon Kinesis Data Stream
+ Configure least privilege access IAM role for Amazon Kinesis Data Stream

## Architecture


![\[Diagram showing the IoT rule, Kinesis data stream, CloudWatch alarm and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-iot-kinesisstreams.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-iot-kinesisstreams) for this pattern to view the code, read/create issues and pull requests and more.



# aws-iot-lambda-dynamodb


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_iot_lambda_dynamodb`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-iot-lambda-dynamodb`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.iotlambdadynamodb`   | 

## Overview


This AWS Solutions Construct implements an AWS IoT topic rule, an AWS Lambda function and Amazon DynamoDB table with the least privileged permissions.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { IotToLambdaToDynamoDBProps, IotToLambdaToDynamoDB } from '@aws-solutions-constructs/aws-iot-lambda-dynamodb';
import * as lambda from 'aws-cdk-lib/aws-lambda';

const constructProps: IotToLambdaToDynamoDBProps = {
  lambdaFunctionProps: {
      code: lambda.Code.fromAsset(`lambda`),
      runtime: lambda.Runtime.NODEJS_22_X,
      handler: 'index.handler'
  },
  iotTopicRuleProps: {
      topicRulePayload: {
          ruleDisabled: false,
          description: "Processing of DTC messages from the AWS Connected Vehicle Solution.",
          sql: "SELECT * FROM 'connectedcar/dtc/#'",
          actions: []
      }
  }
};

new IotToLambdaToDynamoDB(this, 'test-iot-lambda-dynamodb-stack', constructProps);
```

```
from aws_solutions_constructs.aws_iot_lambda_dynamodb import IotToLambdaToDynamoDB
from aws_cdk import (
    aws_iot as iot,
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

IotToLambdaToDynamoDB(self, 'test-iot-lambda-dynamodb-stack',
            lambda_function_props=_lambda.FunctionProps(
                code=_lambda.Code.from_asset('lambda'),
                runtime=_lambda.Runtime.PYTHON_3_14,
                handler='index.handler'
            ),
            iot_topic_rule_props=iot.CfnTopicRuleProps(
                topic_rule_payload=iot.CfnTopicRule.TopicRulePayloadProperty(
                    rule_disabled=False,
                    description="Processing of DTC messages from the AWS Connected Vehicle Solution.",
                    sql="SELECT * FROM 'connectedcar/dtc/#'",
                    actions=[]
                )
            ))
```

```
import software.constructs.Construct;
import java.util.List;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awscdk.services.iot.*;
import software.amazon.awscdk.services.iot.CfnTopicRule.TopicRulePayloadProperty;
import software.amazon.awsconstructs.services.iotlambdadynamodb.*;

new IotToLambdaToDynamoDB(this, "test-iot-lambda-dynamodb-stack", new IotToLambdaToDynamoDBProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .iotTopicRuleProps(new CfnTopicRuleProps.Builder()
                .topicRulePayload(new TopicRulePayloadProperty.Builder()
                        .ruleDisabled(false)
                        .description("Processing of DTC messages from the AWS Connected Vehicle Solution.")
                        .sql("SELECT * FROM 'connectedcar/dtc/#'")
                        .actions(List.of())
                        .build())
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  iotTopicRuleProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRuleProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRuleProps.html)   |  User provided props to override the default props  | 
|  dynamoTableProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.TableProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.TableProps.html)   |  Optional user provided props to override the default props for the DynamoDB Table. Providing both this and `existingTableInterface` causes an error.  | 
|  tablePermissions?  |   `string`   |  Optional table permissions to grant to the Lambda function. One of the following may be specified: `All`, `Read`, `ReadWrite`, `Write`.  | 
|  existingTableObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html)   |  Existing instance of DynamoDB table object, providing both this and `dynamoTableProps` will cause an error.  | 
|  tableEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the name of the DynamoDB table. Default: DDB_TABLE_NAME  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and a Gateway Endpoint will be created in the VPC for Amazon DynamoDB. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user-provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |  |  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  iotTopicRule  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRule.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRule.html)   |  Returns an instance of iot.CfnTopicRule created by the construct  | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of lambda.Function created by the construct  | 
|  dynamoTable  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html)   |  Returns an instance of dynamodb.Table created by the construct  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

## Default settings


Without any overrides, the out-of-the-box implementation of the Construct sets the following defaults:

### Amazon IoT Rule

+ Configure least privilege access IAM role for Amazon IoT

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

### Amazon DynamoDB Table

+ Set the billing mode for DynamoDB Table to On-Demand (Pay per request)
+ Enable server-side encryption for DynamoDB Table using AWS managed KMS Key
+ Creates a partition key called "id" for DynamoDB Table
+ Retain the Table when deleting the CloudFormation stack
+ Enable continuous backups and point-in-time recovery

## Architecture


![\[Diagram showing the IoT rule, Lambda function, DynamoDB table, log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-iot-lambda-dynamodb.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-iot-lambda-dynamodb) for this pattern to view the code, read/create issues and pull requests and more.



# aws-iot-lambda


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_iot_lambda`   | 
|   ![\[TypeScript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) TypeScript  |   `@aws-solutions-constructs/aws-iot-lambda`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.iotlambda`   | 

## Overview


This AWS Solutions Construct implements an AWS IoT MQTT topic rule and an AWS Lambda function pattern.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { IotToLambdaProps, IotToLambda } from '@aws-solutions-constructs/aws-iot-lambda';
import * as lambda from 'aws-cdk-lib/aws-lambda';

const constructProps: IotToLambdaProps = {
  lambdaFunctionProps: {
    code: lambda.Code.fromAsset(`lambda`),
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler'
  },
  iotTopicRuleProps: {
    topicRulePayload: {
      ruleDisabled: false,
      description: "Processing of DTC messages from the AWS Connected Vehicle Solution.",
      sql: "SELECT * FROM 'connectedcar/dtc/#'",
      actions: []
    }
  }
};

new IotToLambda(this, 'test-iot-lambda-integration', constructProps);
```

```
from aws_solutions_constructs.aws_iot_lambda import IotToLambdaProps, IotToLambda
from aws_cdk import (
    aws_iot as iot,
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

IotToLambda(self, 'test_iot_lambda',
            lambda_function_props=_lambda.FunctionProps(
                code=_lambda.Code.from_asset('lambda'),
                runtime=_lambda.Runtime.PYTHON_3_14,
                handler='index.handler'
            ),
            iot_topic_rule_props=iot.CfnTopicRuleProps(
                topic_rule_payload=iot.CfnTopicRule.TopicRulePayloadProperty(
                    rule_disabled=False,
                    description="Sends data to kinesis data stream",
                    sql="SELECT * FROM 'solutions/construct'",
                    actions=[]
                )
            ))
```

```
import software.constructs.Construct;
import java.util.List;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awscdk.services.iot.*;
import software.amazon.awscdk.services.iot.CfnTopicRule.TopicRulePayloadProperty;
import software.amazon.awsconstructs.services.iotlambda.*;

new IotToLambda(this, "test-iot-lambda-integration", new IotToLambdaProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .iotTopicRuleProps(new CfnTopicRuleProps.Builder()
                .topicRulePayload(new TopicRulePayloadProperty.Builder()
                        .ruleDisabled(false)
                        .description("Processing of DTC messages from the AWS Connected Vehicle Solution.")
                        .sql("SELECT * FROM 'connectedcar/dtc/#'")
                        .actions(List.of())
                        .build())
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  iotTopicRuleProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRuleProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRuleProps.html)   |  User provided CfnTopicRuleProps to override the defaults  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  iotTopicRule  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRule.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRule.html)   |  Returns an instance of iot.CfnTopicRule created by the construct  | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of lambda.Function created by the construct  | 

## Default settings


Without any overrides, the out-of-the-box implementation of the Construct sets the following defaults:

### Amazon IoT Rule

+ Configure least privilege access IAM role for Amazon IoT

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

## Architecture


![\[Diagram showing the IoT rule, Lambda function, log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-iot-lambda.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-iot-lambda) for this pattern to view the code, read/create issues and pull requests and more.



# aws-iot-s3


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_iot_s3`   | 
|   ![\[TypeScript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) TypeScript  |   `@aws-solutions-constructs/aws-iot-s3`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.iots3`   | 

## Overview


This AWS Solutions Construct implements an AWS IoT MQTT topic rule and an Amazon S3 Bucket pattern.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { IotToS3Props, IotToS3 } from '@aws-solutions-constructs/aws-iot-s3';

const constructProps: IotToS3Props = {
  iotTopicRuleProps: {
    topicRulePayload: {
      ruleDisabled: false,
      description: "Testing the IotToS3 Pattern",
      sql: "SELECT * FROM 'solutions/constructs'",
      actions: []
    }
  }
};

new IotToS3(this, 'test-iot-s3-integration', constructProps);
```

```
from aws_solutions_constructs.aws_iot_s3 import IotToS3Props, IotToS3
from aws_cdk import (
    aws_iot as iot,
    Stack
)
from constructs import Construct


IotToS3(self, 'test_iot_s3',
        iot_topic_rule_props=iot.CfnTopicRuleProps(
            topic_rule_payload=iot.CfnTopicRule.TopicRulePayloadProperty(
                rule_disabled=False,
                description="Testing the IotToS3 Pattern",
                sql="SELECT * FROM 'solutions/constructs'",
                actions=[]
            )
        ))
```

```
import software.constructs.Construct;
import java.util.List;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.iot.*;
import software.amazon.awscdk.services.iot.CfnTopicRule.TopicRulePayloadProperty;
import software.amazon.awsconstructs.services.iots3.*;

new IotToS3(this, "test_iot_s3", new IotToS3Props.Builder()
        .iotTopicRuleProps(new CfnTopicRuleProps.Builder()
                .topicRulePayload(new TopicRulePayloadProperty.Builder()
                        .ruleDisabled(false)
                        .description("Testing the IotToS3 Pattern")
                        .sql("SELECT * FROM 'solutions/constructs'")
                        .actions(List.of())
                        .build())
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingBucketInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Existing S3 Bucket interface. Providing this property and `bucketProps` results in an error.  | 
|  bucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Bucket. Providing this and `existingBucketObj` results in an error.  | 
|  loggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Logging Bucket.  | 
|  iotTopicRuleProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRuleProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRuleProps.html)   |  User provided CfnTopicRuleProps to override the defaults.  | 
|  s3Key  |   `string`   |  User provided s3Key to override the default (`${topic()}/${timestamp()}`) object key. Used to store messages matched by the IoT Rule.  | 
|  logS3AccessLogs?  |   `boolean`   |  Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  s3Bucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of the S3 bucket created by the pattern. If an existingBucketInterface is provided in IotToS3Props, then this value will be undefined  | 
|  s3BucketInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns S3 Bucket interface created or used by the pattern. If an existingBucketInterface is provided in IotToS3Props, then only this value will be set and s3Bucket will be undefined. If the construct creates the bucket, then both properties will be set.  | 
|  s3LoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of `s3.Bucket` created by the construct as the logging bucket for the primary bucket.  | 
|  iotActionsRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of `iam.Role` created by the construct, which allows IoT to publish messages to the S3 bucket.  | 
|  iotTopicRule  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRule.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRule.html)   |  Returns an instance of `iot.CfnTopicRule` created by the construct  | 

## Default settings


Without any overrides, the out-of-the-box implementation of the Construct sets the following defaults:

### Amazon IoT Rule

+ Configure an IoT Rule to send messages to the S3 Bucket

### Amazon IAM Role

+ Configure least privilege access IAM role for Amazon IoT to be able to publish messages to the S3 Bucket

### Amazon S3 Bucket

+ Configure Access logging for S3 Bucket
+ Enable server-side encryption for S3 Bucket using AWS managed KMS Key
+ Enforce encryption of data in transit
+ Turn on the versioning for S3 Bucket
+ Don’t allow public access for S3 Bucket
+ Retain the S3 Bucket when deleting the CloudFormation stack
+ Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days

## Architecture


![\[Diagram showing the IoT rule, S3 buckets and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-iot-s3.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-iot-s3) for this pattern to view the code, read/create issues and pull requests and more.



# aws-iot-sqs


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_iot_sqs`   | 
|   ![\[TypeScript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) TypeScript  |   `@aws-solutions-constructs/aws-iot-sqs`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.iotsqs`   | 

## Overview


This AWS Solutions Construct implements an AWS IoT MQTT topic rule and an AWS SQS Queue pattern.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { IotToSqsProps, IotToSqs } from '@aws-solutions-constructs/aws-iot-sqs';

const constructProps: IotToSqsProps = {
  iotTopicRuleProps: {
    topicRulePayload: {
      ruleDisabled: false,
      description: "Testing the IotToSqs Pattern",
      sql: "SELECT * FROM 'iot/sqs/#'",
      actions: []
    }
  }
};

new IotToSqs(this, 'test-iot-sqs-integration', constructProps);
```

```
from aws_solutions_constructs.aws_iot_sqs import IotToSqs
from aws_cdk import (
    aws_iot as iot,
    Stack
)
from constructs import Construct

IotToSqs(self, 'test_iot_sqs',
    iot_topic_rule_props=iot.CfnTopicRuleProps(
        topic_rule_payload=iot.CfnTopicRule.TopicRulePayloadProperty(
            rule_disabled=False,
            description="Testing the IotToSqs Pattern",
            sql="SELECT * FROM 'iot/sqs/#'",
            actions=[]
        )
    ))
```

```
import software.constructs.Construct;
import java.util.List;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.iot.*;
import software.amazon.awscdk.services.iot.CfnTopicRule.TopicRulePayloadProperty;
import software.amazon.awsconstructs.services.iotsqs.*;

new IotToSqs(this, "test_iot_sqs", new IotToSqsProps.Builder()
        .iotTopicRuleProps(new CfnTopicRuleProps.Builder()
                .topicRulePayload(new TopicRulePayloadProperty.Builder()
                        .ruleDisabled(false)
                        .description("Testing the IotToSqs Pattern")
                        .sql("SELECT * FROM 'iot/sqs/#'")
                        .actions(List.of())
                        .build())
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  iotTopicRuleProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRuleProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRuleProps.html)   |  User provided CfnTopicRuleProps to override the defaults  | 
|  existingQueueObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Existing instance of SQS queue object, providing both this and `queueProps` will cause an error.  | 
|  queueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional - user provided properties to override the default properties for the SQS queue. Providing both this and `existingQueueObj` will cause an error.  | 
|  deadLetterQueueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional user provided properties for the dead letter queue.  | 
|  deployDeadLetterQueue?  |   `boolean`   |  Whether to deploy a secondary queue to be used as a dead letter queue. Default `true`.  | 
|  maxReceiveCount?  |   `number`   |  The number of times a message can be unsuccessfully dequeued before being moved to the dead-letter queue. Required field if `deployDeadLetterQueue`=`true`.  | 
|  enableEncryptionWithCustomerManagedKey?  |   `boolean`   |  If no key is provided, this flag determines whether the queue is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: queueProps.encryptionMasterKey, encryptionKey or encryptionKeyProps.  | 
|  encryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SQS Queue with.  | 
|  encryptionKeyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SQS queue with.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  encryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  Returns an instance of `kms.Key` used for the SQS queue.  | 
|  iotActionsRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of `iam.Role` created by the construct, which allows IoT to publish messages to the SQS Queue  | 
|  sqsQueue  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of `sqs.Queue` created by the construct  | 
|  deadLetterQueue?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the dead-letter SQS queue created by the pattern.  | 
|  iotTopicRule  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRule.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnTopicRule.html)   |  Returns an instance of `iot.CfnTopicRule` created by the construct  | 

## Default settings


Without any overrides, the out-of-the-box implementation of the Construct sets the following defaults:

### Amazon IoT Rule

+ Configure an IoT Rule to send messages to the SQS Queue

### Amazon IAM Role

+ Configure least privilege access IAM role for Amazon IoT to be able to publish messages to the SQS Queue

### Amazon SQS Queue

+ Deploy a dead-letter queue for the source queue.
+ Enable server-side encryption for the source queue using a customer-managed AWS KMS key.
+ Enforce encryption of data in transit.
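
The default lists for the Amazon S3 Bucket (aws-iot-s3) and the Amazon SQS Queue (aws-iot-sqs) can be checked against a synthesized CloudFormation template before deployment, which catches props overrides that drop a default. The audit below is an added example, not code from AWS Solutions Constructs; the template is constructed for illustration, and exempting log-destination buckets and dead-letter queues from some checks is an assumption of this example.

```python
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")

def _get(node, *path):
    """Walk nested dicts, returning None as soon as a key is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def _denies_plaintext(resources, policy_type, target_prop, logical_id):
    """True if a policy attached to logical_id denies requests made without TLS."""
    for res in resources.values():
        props = res.get("Properties", {})
        targets = props.get(target_prop)  # "Bucket" is one Ref, "Queues" a list of Refs
        targets = targets if isinstance(targets, list) else [targets]
        if res.get("Type") != policy_type or {"Ref": logical_id} not in targets:
            continue
        statements = _get(props, "PolicyDocument", "Statement") or []
        statements = [statements] if isinstance(statements, dict) else statements
        for stmt in statements:
            flag = _get(stmt, "Condition", "Bool", "aws:SecureTransport")
            if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
                return True
    return False

def audit(template):
    """Return {logical_id: [missing defaults]} for every S3 bucket and SQS queue."""
    resources = template["Resources"]
    # Assumption: pure log buckets and pure DLQs need no log bucket, lifecycle rule or DLQ.
    log_targets = {_get(r, "Properties", "LoggingConfiguration", "DestinationBucketName", "Ref")
                   for r in resources.values()}
    dlq_targets = {(_get(r, "Properties", "RedrivePolicy", "deadLetterTargetArn", "Fn::GetAtt")
                    or [None])[0] for r in resources.values()}  # list form, as in JSON templates
    findings = {}
    for lid, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket":
            sse = _get(props, "BucketEncryption", "ServerSideEncryptionConfiguration") or []
            pab = props.get("PublicAccessBlockConfiguration", {})
            checks = {
                "access logging": lid in log_targets or "LoggingConfiguration" in props,
                "server-side encryption": any(
                    _get(r, "ServerSideEncryptionByDefault", "SSEAlgorithm") for r in sse),
                "TLS-only bucket policy": _denies_plaintext(
                    resources, "AWS::S3::BucketPolicy", "Bucket", lid),
                "versioning": _get(props, "VersioningConfiguration", "Status") == "Enabled",
                "public access block": all(str(pab.get(k)).lower() == "true" for k in PAB_KEYS),
                "retain on stack delete": res.get("DeletionPolicy") == "Retain",
                "Glacier transition after 90 days": lid in log_targets or any(
                    t.get("StorageClass") == "GLACIER" and t.get("TransitionInDays") == 90
                    for rule in _get(props, "LifecycleConfiguration", "Rules") or []
                    for t in rule.get("NoncurrentVersionTransitions", [])),
            }
        elif res.get("Type") == "AWS::SQS::Queue":
            checks = {
                "dead-letter queue": lid in dlq_targets or "RedrivePolicy" in props,
                "KMS key set": bool(props.get("KmsMasterKeyId")),
                "TLS-only queue policy": _denies_plaintext(
                    resources, "AWS::SQS::QueuePolicy", "Queues", lid),
            }
        else:
            continue
        findings[lid] = [name for name, ok in checks.items() if not ok]
    return findings

def _tls_deny(action):
    return {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": action, "Resource": "*",
                           "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# Constructed, abbreviated template for illustration; not real `cdk synth` output.
_HARDENED = {
    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "VersioningConfiguration": {"Status": "Enabled"},
    "PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True),
}
SAMPLE_TEMPLATE = {"Resources": {
    "LogBucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": _HARDENED},
    "LogBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "LogBucket"}, "PolicyDocument": _tls_deny("s3:*")}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": {
        **_HARDENED, "LoggingConfiguration": {"DestinationBucketName": {"Ref": "LogBucket"}},
        "LifecycleConfiguration": {"Rules": [{"Status": "Enabled", "NoncurrentVersionTransitions": [
            {"StorageClass": "GLACIER", "TransitionInDays": 90}]}]}}},
    "DataBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "DataBucket"}, "PolicyDocument": _tls_deny("s3:*")}},
    # Drift: a bucketProps override that kept encryption but dropped the other defaults.
    "OverriddenBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": _HARDENED["BucketEncryption"],
        "PublicAccessBlockConfiguration": {**dict.fromkeys(PAB_KEYS, True), "BlockPublicPolicy": False}}},
    "Dlq": {"Type": "AWS::SQS::Queue", "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
    "Queue": {"Type": "AWS::SQS::Queue", "Properties": {
        "KmsMasterKeyId": {"Fn::GetAtt": ["Key", "Arn"]},
        "RedrivePolicy": {"deadLetterTargetArn": {"Fn::GetAtt": ["Dlq", "Arn"]}, "maxReceiveCount": 15}}},
    "QueuePolicy": {"Type": "AWS::SQS::QueuePolicy", "Properties": {
        "Queues": [{"Ref": "Queue"}], "PolicyDocument": _tls_deny("sqs:*")}},
}}
if __name__ == "__main__":
    print(audit(SAMPLE_TEMPLATE))
```

In the constructed template the queue policy lists only the source queue, so `Dlq` is reported for a missing TLS-only policy, and `OverriddenBucket` is reported for every default except encryption.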

## Architecture


![\[Diagram showing the IoT rule, SQS queue and DLQ, and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-iot-sqs.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-iot-sqs) for this pattern to view the code, read/create issues and pull requests and more.



# aws-kinesisfirehose-s3


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_kinesis_firehose_s3`   | 
|   ![\[TypeScript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) TypeScript  |   `@aws-solutions-constructs/aws-kinesisfirehose-s3`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.kinesisfirehoses3`   | 

## Overview


This AWS Solutions Construct implements an Amazon Kinesis Data Firehose delivery stream connected to an Amazon S3 bucket.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { KinesisFirehoseToS3 } from '@aws-solutions-constructs/aws-kinesisfirehose-s3';

new KinesisFirehoseToS3(this, 'test-firehose-s3', {});
```

```
from aws_solutions_constructs.aws_kinesis_firehose_s3 import KinesisFirehoseToS3
from aws_cdk import Stack
from constructs import Construct

KinesisFirehoseToS3(self, 'test_firehose_s3')
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.kinesisfirehoses3.*;

new KinesisFirehoseToS3(this, "test_firehose_s3", new KinesisFirehoseToS3Props.Builder()
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  bucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Bucket, providing both this and `existingBucketObj` will cause an error.  | 
|  existingBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Optional - existing instance of S3 Bucket. If this is provided, then also providing bucketProps causes an error.  | 
|  existingLoggingBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Optional existing instance of logging S3 Bucket for the S3 Bucket created by the pattern.  | 
|  kinesisFirehoseProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStreamProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStreamProps.html) \| `any`  |  Optional user provided props to override the default props for Kinesis Firehose Delivery Stream.  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  Optional user provided props to override the default props for the CloudWatchLogs LogGroup.  | 
|  loggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Logging Bucket.  | 
|  logS3AccessLogs?  |  boolean  |  Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  kinesisFirehose  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream.html)   |  Returns an instance of kinesisfirehose.CfnDeliveryStream created by the construct  | 
|  kinesisFirehoseLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  Returns an instance of the logs.LogGroup created by the construct for Kinesis Data Firehose delivery stream  | 
|  kinesisFirehoseRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for Kinesis Data Firehose delivery stream  | 
|  s3Bucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct  | 
|  s3LoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket  | 
|  s3BucketInterface  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an instance of s3.IBucket created by the construct  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon Kinesis Firehose

+ Enable CloudWatch logging for Kinesis Firehose
+ Configure least privilege access IAM role for Amazon Kinesis Firehose

### Amazon S3 Bucket

+ Configure Access logging for S3 Bucket
+ Enable server-side encryption for S3 Bucket using AWS managed KMS Key
+ Enforce encryption of data in transit
+ Turn on the versioning for S3 Bucket
+ Don’t allow public access for S3 Bucket
+ Retain the S3 Bucket when deleting the CloudFormation stack
+ Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days

## Architecture


![\[Diagram showing the Kinesis data firehose, S3 buckets, CloudWatch log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-kinesisfirehose-s3.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-kinesisfirehose-s3) for this pattern to view the code, read/create issues and pull requests and more.



# aws-kinesisstreams-gluejob


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)





|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_kinesis_streams_gluejob`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-kinesisstreams-gluejob`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.kinesisstreamsgluejob`   | 

## Overview


This AWS Solutions Construct deploys a Kinesis Stream and configures an AWS Glue Job to perform custom ETL transformation with the appropriate resources/properties for interaction and security. It also creates an S3 bucket where the Python script for the AWS Glue Job can be uploaded.

Here is a minimal deployable pattern definition:

**Example**  

```
import * as glue from "aws-cdk-lib/aws-glue";
import * as s3assets from "aws-cdk-lib/aws-s3-assets";
import { KinesisstreamsToGluejob } from "@aws-solutions-constructs/aws-kinesisstreams-gluejob";

const fieldSchema: glue.CfnTable.ColumnProperty[] = [
  {
    name: "id",
    type: "int",
    comment: "Identifier for the record",
  },
  {
    name: "name",
    type: "string",
    comment: "Name for the record",
  },
  {
    name: "address",
    type: "string",
    comment: "Address for the record",
  },
  {
    name: "value",
    type: "int",
    comment: "Value for the record",
  },
];

const customEtlJob = new KinesisstreamsToGluejob(this, "CustomETL", {
  glueJobProps: {
    command: {
      name: "gluestreaming",
      pythonVersion: "3",
    },
  },
  fieldSchema: fieldSchema,
  etlCodeAsset: new s3assets.Asset(this, "ScriptLocation", {
    path: `${__dirname}/../etl/transform.py`,
  }),
});
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingStreamObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  Existing instance of Kinesis Stream, providing both this and `kinesisStreamProps` will cause an error.  | 
|  kinesisStreamProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html)   |  Optional user-provided props to override the default props for the Kinesis stream.  | 
|  glueJobProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnJobProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnJobProps.html)   |  User provided props to override the default props for the AWS Glue Job.  | 
|  existingGlueJob?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnJob.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnJob.html)   |  Existing instance of AWS Glue Job, providing both this and `glueJobProps` will cause an error.  | 
|  fieldSchema?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnTable.ColumnProperty.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnTable.ColumnProperty.html)   |  User provided schema structure to create an AWS Glue Table.  | 
|  existingTable?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnTable.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnTable.html)   |  Existing instance of AWS Glue Table. If this is set, tableProps and fieldSchema are ignored.  | 
|  tableProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.TableProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.TableProps.html)   |  User provided AWS Glue Table props to override default props used to create a Glue Table.  | 
|  existingDatabase?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnDatabase.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnDatabase.html)   |  Existing instance of AWS Glue Database. If this is set, then databaseProps is ignored.  | 
|  databaseProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnDatabaseProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnDatabaseProps.html)   |  User provided Glue Database Props to override the default props used to create the Glue Database.  | 
|  outputDataStore?  |   [#sinkdatastoreprops](#sinkdatastoreprops)   |  User provided properties for the S3 bucket that stores Glue Job output. The only datastore type currently supported is S3.  | 
|  createCloudWatchAlarms?  |   `boolean`   |  Whether to create recommended CloudWatch alarms for Kinesis Data Stream. Default value is set to `true`.  | 
|  etlCodeAsset?  |   [s3assets.Asset](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3_assets.Asset.html)   |  User provided instance of the Asset class that represents the ETL code on the local filesystem  | 

### SinkDataStoreProps



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingS3OutputBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Existing instance of S3 bucket where the data should be written. Providing both this and `outputBucketProps` will cause an error.  | 
|  outputBucketProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  User provided bucket properties to create the S3 bucket to store the output from the AWS Glue Job.  | 
|  datastoreType  |   [#sinkstoretype](#sinkstoretype)   |  Sink data store type.  | 

### SinkStoreType


Enumeration of data store types that could include S3, DynamoDB, DocumentDB, RDS or Redshift. The current construct implementation only supports S3, but other output types may be added in the future.


|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  S3  |   `string`   |  S3 storage type  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  kinesisStream  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  Returns an instance of the Kinesis stream created or used by the pattern.  | 
|  glueJob  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnJob.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnJob.html)   |  Returns an instance of AWS Glue Job created by the construct.  | 
|  glueJobRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the IAM Role created by the construct for the Glue Job.  | 
|  database  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnDatabase.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnDatabase.html)   |  Returns an instance of AWS Glue Database created by the construct.  | 
|  table  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnTable.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_glue.CfnTable.html)   |  Returns an instance of the AWS Glue Table created by the construct  | 
|  outputBucket?  |   [https://docs.aws.amazon.com/cdk/api/latest/docs/aws-s3-readme.html](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-s3-readme.html)   |  Returns an instance of the output bucket created by the construct for the AWS Glue Job.  | 
|  cloudwatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns an array of recommended CloudWatch Alarms created by the construct for Kinesis Data stream.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon Kinesis Stream

+ Configure least privilege access IAM role for Kinesis Stream
+ Enable server-side encryption for Kinesis Stream using AWS Managed KMS Key
+ Deploy best practices CloudWatch Alarms for the Kinesis Stream

### Glue Job

+ Create a Glue Security Config that configures encryption for CloudWatch, Job Bookmarks, and S3. CloudWatch and Job Bookmarks are encrypted using AWS Managed KMS Key created for AWS Glue Service. The S3 bucket is configured with SSE-S3 encryption mode
+ Configure service role policies that allow AWS Glue to read from Kinesis Data Streams

### Glue Database

+ Create an AWS Glue database. An AWS Glue Table will be added to the database. This table defines the schema for the records buffered in the Amazon Kinesis Data Streams

### Glue Table

+ Create an AWS Glue table. The table schema definition is based on the JSON structure of the records buffered in the Amazon Kinesis Data Streams

### IAM Role

+ A job execution role that has privileges to 1) read the ETL script from the S3 bucket location, 2) read records from the Kinesis Stream, and 3) execute the Glue Job

### Output S3 Bucket

+ An S3 bucket to store the output of the ETL transformation. This bucket will be passed as an argument to the created glue job so that it can be used in the ETL script to write data into it

### Cloudwatch Alarms

+ A CloudWatch Alarm to report when consumer application is reading data slower than expected
+ A CloudWatch Alarm to report when consumer record processing is falling behind (to avoid risk of data loss due to record expiration)

## Architecture


![\[Diagram showing the Kinesis data stream, Glue job, S3 bucket, storage destinations and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-kinesisstreams-gluejob.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-kinesisstreams-gluejob) for this pattern to view the code, read/create issues and pull requests and more.

## Reference Implementation


A sample use case which uses this pattern is available under [https://github.com/awslabs/aws-solutions-constructs/tree/master/source/use_cases/aws-custom-glue-etl](https://github.com/awslabs/aws-solutions-constructs/tree/master/source/use_cases/aws-custom-glue-etl).

# aws-kinesisstreams-kinesisfirehose-s3


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_kinesis_streams_kinesis_firehose_s3`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-kinesisstreams-kinesisfirehose-s3`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.kinesisstreamskinesisfirehoses3`   | 

## Overview


This AWS Solutions Construct implements an Amazon Kinesis Data Stream (KDS) connected to Amazon Kinesis Data Firehose (KDF) delivery stream connected to an Amazon S3 bucket.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { KinesisStreamsToKinesisFirehoseToS3 } from '@aws-solutions-constructs/aws-kinesisstreams-kinesisfirehose-s3';

new KinesisStreamsToKinesisFirehoseToS3(this, 'test-stream-firehose-s3', {});
```

```
from aws_solutions_constructs.aws_kinesis_streams_kinesis_firehose_s3 import KinesisStreamsToKinesisFirehoseToS3
from aws_cdk import Stack
from constructs import Construct

KinesisStreamsToKinesisFirehoseToS3(self, 'test_stream_firehose_s3')
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.kinesisstreamskinesisfirehoses3.*;

new KinesisStreamsToKinesisFirehoseToS3(this, "test_stream_firehose_s3", new KinesisStreamsToKinesisFirehoseToS3Props.Builder()
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  bucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Bucket.  | 
|  createCloudWatchAlarms?  |   `boolean`   |  Optional - whether to create recommended CloudWatch alarms.  | 
|  existingBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Optional - existing instance of S3 Bucket. If this is provided, then also providing bucketProps causes an error.  | 
|  existingLoggingBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Optional existing instance of logging S3 Bucket object for the S3 Bucket created by the pattern.  | 
|  existingStreamObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  Optional existing instance of Kinesis Stream, providing both this and `kinesisStreamProps` will cause an error.  | 
|  kinesisFirehoseProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStreamProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStreamProps.html) \| `any`  |  Optional user provided props to override the default props for Kinesis Firehose Delivery Stream.  | 
|  kinesisStreamProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html)   |  Optional user-provided props to override the default props for the Kinesis stream.  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  Optional user provided props to override the default props for the CloudWatchLogs LogGroup.  | 
|  loggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Logging Bucket.  | 
|  logS3AccessLogs?  |  boolean  |  Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  cloudwatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns a list of cloudwatch.Alarm created by the construct  | 
|  kinesisFirehose  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream.html)   |  Returns an instance of kinesisfirehose.CfnDeliveryStream created by the construct  | 
|  kinesisFirehoseLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  Returns an instance of the logs.LogGroup created by the construct for Kinesis Data Firehose delivery stream  | 
|  kinesisFirehoseRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for Kinesis Data Firehose delivery stream  | 
|  kinesisStream  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  Returns an instance of the Kinesis stream created by the pattern  | 
|  kinesisStreamRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for Kinesis stream  | 
|  s3Bucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct  | 
|  s3LoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket  | 
|  s3BucketInterface  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an instance of s3.IBucket created by the construct  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon Kinesis Stream

+ Configure least privilege access IAM role for Kinesis Stream
+ Enable server-side encryption for Kinesis Stream using AWS Managed KMS Key
+ Deploy best practices CloudWatch Alarms for the Kinesis Stream

### Amazon Kinesis Firehose

+ Enable CloudWatch logging for Kinesis Firehose
+ Configure least privilege access IAM role for Amazon Kinesis Firehose

### Amazon S3 Bucket

+ Configure Access logging for S3 Bucket
+ Enable server-side encryption for S3 Bucket using AWS managed KMS Key
+ Enforce encryption of data in transit
+ Turn on the versioning for S3 Bucket
+ Don’t allow public access for S3 Bucket
+ Retain the S3 Bucket when deleting the CloudFormation stack
+ Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days
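
Because every default above can be replaced through `bucketProps`, `kinesisStreamProps` or `kinesisFirehoseProps`, it is worth checking the synthesized template before deployment; the same checks apply to the aws-kinesisfirehose-s3 defaults listed earlier. The following is an added example, not code from AWS Solutions Constructs: it audits a `cdk synth`-style CloudFormation template for the encryption, public-access, versioning, TLS, retention and logging defaults. The function names, logical IDs and sample template are constructed for illustration.

```typescript
// Added example: audit a synthesized CloudFormation template (plain JSON)
// against the security defaults listed above. Not AWS Solutions Constructs code.

type Resource = { Type: string; DeletionPolicy?: string; Properties?: any };
type Template = { Resources: Record<string, Resource> };

const asList = (v: any): any[] => (Array.isArray(v) ? v : v == null ? [] : [v]);

// True when a bucket policy statement denies requests made without TLS.
function deniesInsecureTransport(stmt: any): boolean {
  return stmt?.Effect === "Deny" &&
    String(stmt?.Condition?.Bool?.["aws:SecureTransport"]) === "false";
}

function auditTemplate(template: Template): string[] {
  const findings: string[] = [];
  const entries = Object.keys(template.Resources)
    .map((id) => [id, template.Resources[id] as Resource] as const);
  const logTargets: Record<string, boolean> = {};  // buckets that receive access logs
  const tlsEnforced: Record<string, boolean> = {}; // buckets with a deny-non-TLS policy

  // First pass: collect cross-resource facts (log destinations, TLS policies).
  for (const [, r] of entries) {
    const p = r.Properties ?? {};
    const logRef = p.LoggingConfiguration?.DestinationBucketName?.Ref;
    if (r.Type === "AWS::S3::Bucket" && typeof logRef === "string") logTargets[logRef] = true;
    if (r.Type === "AWS::S3::BucketPolicy" && typeof p.Bucket?.Ref === "string" &&
        asList(p.PolicyDocument?.Statement).some(deniesInsecureTransport)) {
      tlsEnforced[p.Bucket.Ref] = true;
    }
  }

  // Second pass: compare each resource with the documented defaults.
  for (const [id, r] of entries) {
    const p = r.Properties ?? {};
    if (r.Type === "AWS::S3::Bucket") {
      // Any default SSE algorithm is accepted here (SSE-S3 or KMS).
      const sse = asList(p.BucketEncryption?.ServerSideEncryptionConfiguration)
        .some((c) => Boolean(c?.ServerSideEncryptionByDefault?.SSEAlgorithm));
      if (!sse) findings.push(`${id}: no default server-side encryption`);
      const pab = p.PublicAccessBlockConfiguration ?? {};
      const blocked = ["BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls",
        "RestrictPublicBuckets"].every((k) => pab[k] === true);
      if (!blocked) findings.push(`${id}: public access not fully blocked`);
      if (p.VersioningConfiguration?.Status !== "Enabled") findings.push(`${id}: versioning off`);
      if (!tlsEnforced[id]) findings.push(`${id}: no policy denying non-TLS requests`);
      if (r.DeletionPolicy !== "Retain") findings.push(`${id}: not retained on stack deletion`);
      // The logging bucket itself is not expected to log to yet another bucket.
      if (!logTargets[id] && !p.LoggingConfiguration) findings.push(`${id}: access logging off`);
    }
    if (r.Type === "AWS::Kinesis::Stream" && p.StreamEncryption?.EncryptionType !== "KMS") {
      findings.push(`${id}: stream not encrypted`);
    }
    if (r.Type === "AWS::KinesisFirehose::DeliveryStream" &&
        p.ExtendedS3DestinationConfiguration?.CloudWatchLoggingOptions?.Enabled !== true) {
      findings.push(`${id}: Firehose CloudWatch logging off`);
    }
  }
  return findings;
}

// Constructed sample input shaped like `cdk synth` output for this pattern.
// Logical IDs are made up. weaken=true simulates overrides that drop stream
// encryption, suspend versioning and remove the data bucket's TLS policy.
function sampleTemplate(weaken = false): Template {
  const bucket = (versioning: string, logTo?: string): Resource => ({
    Type: "AWS::S3::Bucket",
    DeletionPolicy: "Retain",
    Properties: {
      BucketEncryption: { ServerSideEncryptionConfiguration: [
        { ServerSideEncryptionByDefault: { SSEAlgorithm: "aws:kms" } }] },
      PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true,
        IgnorePublicAcls: true, RestrictPublicBuckets: true },
      VersioningConfiguration: { Status: versioning },
      ...(logTo ? { LoggingConfiguration: { DestinationBucketName: { Ref: logTo } } } : {}),
    },
  });
  const tlsPolicy = (target: string): Resource => ({
    Type: "AWS::S3::BucketPolicy",
    Properties: { Bucket: { Ref: target }, PolicyDocument: { Statement: [{
      Effect: "Deny", Principal: { AWS: "*" }, Action: "s3:*",
      Condition: { Bool: { "aws:SecureTransport": "false" } } }] } },
  });
  return { Resources: {
    DataBucket: bucket(weaken ? "Suspended" : "Enabled", "LogBucket"),
    ...(weaken ? {} : { DataBucketPolicy: tlsPolicy("DataBucket") }),
    LogBucket: bucket("Enabled"),
    LogBucketPolicy: tlsPolicy("LogBucket"),
    Stream: { Type: "AWS::Kinesis::Stream", Properties: weaken ? {} :
      { StreamEncryption: { EncryptionType: "KMS", KeyId: "alias/aws/kinesis" } } },
    Firehose: { Type: "AWS::KinesisFirehose::DeliveryStream", Properties: {
      ExtendedS3DestinationConfiguration: { CloudWatchLoggingOptions: { Enabled: true } } } },
  } };
}

console.log(auditTemplate(sampleTemplate()));     // hardened template
console.log(auditTemplate(sampleTemplate(true))); // weakened template
```

To audit a real stack, pass the parsed JSON that `cdk synth` writes under `cdk.out/` to `auditTemplate` in place of the constructed sample.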

## Architecture


![\[Diagram showing the Kinesis data stream, Kinesis data firehose, CloudWatch log group, S3 buckets and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-kinesisstreams-kinesisfirehose-s3.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-kinesisstreams-kinesisfirehose-s3) for this pattern to view the code, read/create issues and pull requests and more.



# aws-kinesisstreams-lambda


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_kinesis_streams_lambda`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-kinesisstreams-lambda`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.kinesisstreamslambda`   | 

## Overview


This AWS Solutions Construct deploys a Kinesis Stream and Lambda function with the appropriate resources/properties for interaction and security.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { KinesisStreamsToLambda } from '@aws-solutions-constructs/aws-kinesisstreams-lambda';
import * as lambda from 'aws-cdk-lib/aws-lambda';

new KinesisStreamsToLambda(this, 'KinesisToLambdaPattern', {
  kinesisEventSourceProps: {
    startingPosition: lambda.StartingPosition.TRIM_HORIZON,
    batchSize: 1
  },
  lambdaFunctionProps: {
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler',
    code: lambda.Code.fromAsset(`lambda`)
  }
});
```

```
from aws_solutions_constructs.aws_kinesis_streams_lambda import KinesisStreamsToLambda
from aws_cdk import (
    aws_lambda as _lambda,
    aws_lambda_event_sources as sources,
    aws_kinesis as kinesis,
    Stack
)
from constructs import Construct

KinesisStreamsToLambda(self, 'KinesisToLambdaPattern',
                        kinesis_event_source_props=sources.KinesisEventSourceProps(
                            starting_position=_lambda.StartingPosition.TRIM_HORIZON,
                            batch_size=1
                        ),
                        lambda_function_props=_lambda.FunctionProps(
                            runtime=_lambda.Runtime.PYTHON_3_14,
                            handler='index.handler',
                            code=_lambda.Code.from_asset(
                                'lambda')
                        )
                        )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.eventsources.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.kinesisstreamslambda.*;

new KinesisStreamsToLambda(this, "KinesisToLambdaPattern", new KinesisStreamsToLambdaProps.Builder()
        .kinesisEventSourceProps(new KinesisEventSourceProps.Builder()
                .startingPosition(StartingPosition.TRIM_HORIZON)
                .batchSize(1)
                .build())
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  kinesisStreamProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html)   |  Optional user-provided props to override the default props for the Kinesis stream.  | 
|  existingStreamObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  Existing instance of Kinesis Stream, providing both this and `kinesisStreamProps` will cause an error.  | 
|  kinesisEventSourceProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_event_sources.KinesisEventSourceProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_event_sources.KinesisEventSourceProps.html)   |  Optional user-provided props to override the default props for the Lambda event source mapping.  | 
|  createCloudWatchAlarms  |   `boolean`   |  Whether to create recommended CloudWatch alarms  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  kinesisStream  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  Returns an instance of the Kinesis stream created by the pattern.  | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  kinesisStreamRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for Kinesis stream.  | 
|  cloudwatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns a list of cloudwatch.Alarm created by the construct  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon Kinesis Stream

+ Configure least privilege access IAM role for Kinesis Stream
+ Enable server-side encryption for Kinesis Stream using AWS Managed KMS Key
+ Deploy best practices CloudWatch Alarms for the Kinesis Stream

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Enable failure-handling features: bisect on function error, defaults for Maximum Record Age (24 hours) and Maximum Retry Attempts (500), and an SQS dead-letter queue as the destination on failure
+ Set Environment Variables
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

## Architecture


![\[Diagram showing the Kinesis data stream, CloudWatch log group, Lambda function and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-kinesisstreams-lambda.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-kinesisstreams-lambda) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-bedrockinferenceprofile


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_bedrockinferenceprofile`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-bedrockinferenceprofile`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdabedrockinferenceprofile`   | 

## Overview


This AWS Solutions Construct implements a Lambda function granted access to a new Bedrock Inference Profile. [Inference profiles](https://aws.amazon.com/blogs/machine-learning/getting-started-with-cross-region-inference-in-amazon-bedrock/) allow:
+ Greater scalability of applications by distributing Bedrock Invoke calls across multiple regions
+ Cost management by adding Cost Allocation Tags to an inference to track costs for specific applications.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToBedrockinferenceprofile } from "@aws-solutions-constructs/aws-lambda-bedrockinferenceprofile";
import * as lambda from 'aws-cdk-lib/aws-lambda';

new LambdaToBedrockinferenceprofile(this, 'LambdaToBedrockPattern', {
    lambdaFunctionProps: {
        runtime: lambda.Runtime.NODEJS_22_X,
        handler: 'index.handler',
        code: lambda.Code.fromAsset(`lambda`)
    },
    bedrockModelId: "amazon.nova-lite-v1:0"
});
```

```
from constructs import Construct
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)

from aws_solutions_constructs import (
    aws_lambda_bedrockinferenceprofile as lambda_bedrock
)

lambda_bedrock.LambdaToBedrockinferenceprofile(
    self, 'bedrock-construct',
    bedrock_model_id="amazon.nova-lite-v1:0",
    lambda_function_props=_lambda.FunctionProps(
        runtime=_lambda.Runtime.NODEJS_22_X,
        code=_lambda.Code.from_asset('lambda'),
        handler='index.handler',
    )
)
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdabedrockinferenceprofile.*;

  new LambdaToBedrockinferenceprofile(this, "ApiGatewayToLambdaPattern", new LambdaToBedrockinferenceprofileProps.Builder()
          .lambdaFunctionProps(new FunctionProps.Builder()
                  .runtime(Runtime.NODEJS_22_X)
                  .code(Code.fromAsset("lambda"))
                  .handler("index.handler")
                  .build())
          .bedrockModelId("amazon.nova-lite-v1:0")
          .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and an Interface Endpoint will be created in the VPC for Amazon Bedrock and Bedrock-Runtime. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 
|  bedrockModelId  |   `string`   |  The foundation model to use with the inference profile. Depending on whether the deployment is cross region or single region, the construct will create the correct inference profile name and assign IAM permissions to the Lambda function allowing access to the foundation model in all appropriate regions. For all of this to occur, the model must be specified here and *not* in `inferenceProfileProps`. Be certain that the account is granted access to the foundation model in [all the regions covered by the cross-region inference profile](https://docs.aws.amazon.com/bedrock/latest/userguide/inference-profiles-support.html).  | 
|  inferenceProfileProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_bedrock.CfnApplicationInferenceProfileProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_bedrock.CfnApplicationInferenceProfileProps.html)   |  This is where you set tags required for tracking inference calls. Do not populate the copyFrom attribute - the construct will populate this based upon the model sent in bedrockModelId (this allows the construct to correctly create all the other dependencies like the required IAM policies). If the copyFrom attribute is supplied here the construct will throw an error. The construct will also set a unique, stack specific inferenceProfileName - you may override that name here, but it is not recommended.  | 
|  deployCrossRegionProfile  |  boolean  |  Whether to deploy a cross-region inference profile that will automatically distribute Invoke calls across multiple regions. Note that at the time of this writing, cross-region profiles are only available in [US, EMEA and APAC](https://docs.aws.amazon.com/bedrock/latest/userguide/inference-profiles-support.html). Single region profiles are available in every region supporting Bedrock models. Defaults to `true`.  | 
|  foundationModelEnvironmentVariableName?  |  string  |  Optional Name for the Lambda function environment variable set to the Model name. Defaults to BEDROCK_MODEL  | 
|  inferenceProfileEnvironmentVariableName?  |  string  |  Optional Name for the Lambda function environment variable set to the inference profile arn. Defaults to BEDROCK_PROFILE  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  inferenceProfile  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_bedrock.CfnApplicationInferenceProfile.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_bedrock.CfnApplicationInferenceProfile.html)   |  The inference profile created by the construct.  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function, granting Invoke privileges for:
  + The new inference profile
  + The appropriate foundation model in all regions in the geographic area. For single region inference profiles, access is only granted to the model in the current region.
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + (default) BEDROCK_PROFILE
  + (default) BEDROCK_MODEL

### Amazon Bedrock Inference Profile

+ Cross-region inference profile for provided model by default
+ Geographic area prefix in the ARN defaults to the value appropriate for the deployment region (e.g. would use "us" for a us-east-1 deployment)
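
One way to confirm, after `cdk synth`, that overrides or later edits have not widened the scoped Bedrock grants listed above. This is an added example, not code from the Solutions Constructs project; the sample template, its logical IDs and the `auditBedrockGrants` helper are constructed for illustration.

```typescript
// Added example (not project code): flag Bedrock grants in a synthesized
// CloudFormation template whose resource id is a wildcard.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
type JsonObject = { [key: string]: Json };
interface Finding { policy: string; action: string; resource: string }

function isObject(v: Json | undefined): v is JsonObject {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// IAM allows Action and Resource to be a single value or a list.
function asList(v: Json | undefined): Json[] {
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : [v];
}

// Render a Resource entry as text. CDK emits ARNs as Fn::Join over literals and
// tokens; any unresolved token (Ref, Fn::GetAtt) becomes the placeholder "${token}".
function renderArn(value: Json): string {
  if (typeof value === "string") return value;
  if (isObject(value)) {
    const join = value["Fn::Join"];
    if (Array.isArray(join)) {
      const sep = join[0];
      const parts = join[1];
      if (typeof sep === "string" && Array.isArray(parts)) return parts.map((p) => renderArn(p)).join(sep);
    }
  }
  return "${token}";
}

// True for "*" and for ARNs whose final segment is "*", e.g. ".../foundation-model/*".
function resourceIdIsWildcard(arn: string): boolean {
  const slash = arn.lastIndexOf("/");
  const tail = slash >= 0 ? arn.slice(slash + 1) : arn.slice(arn.lastIndexOf(":") + 1);
  return tail === "*";
}

// Policy documents live on AWS::IAM::Policy resources and inline on AWS::IAM::Role.
function policyDocuments(resource: JsonObject): JsonObject[] {
  const props = resource["Properties"];
  if (!isObject(props)) return [];
  const candidates: (Json | undefined)[] = [];
  if (resource["Type"] === "AWS::IAM::Policy") candidates.push(props["PolicyDocument"]);
  if (resource["Type"] === "AWS::IAM::Role") {
    for (const p of asList(props["Policies"])) {
      if (isObject(p)) candidates.push(p["PolicyDocument"]);
    }
  }
  return candidates.filter(isObject);
}

function auditBedrockGrants(template: JsonObject): Finding[] {
  const findings: Finding[] = [];
  const resources = template["Resources"];
  if (!isObject(resources)) return findings;
  for (const logicalId of Object.keys(resources)) {
    const resource = resources[logicalId];
    if (!isObject(resource)) continue;
    for (const doc of policyDocuments(resource)) {
      for (const stmt of asList(doc["Statement"])) {
        if (!isObject(stmt) || stmt["Effect"] !== "Allow") continue;
        const actions = asList(stmt["Action"]).filter(
          (a): a is string => typeof a === "string" && (a === "*" || a.toLowerCase().indexOf("bedrock:") === 0)
        );
        const wildcards = asList(stmt["Resource"]).map((r) => renderArn(r)).filter(resourceIdIsWildcard);
        for (const arn of wildcards) {
          for (const action of actions) findings.push({ policy: logicalId, action, resource: arn });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: one scoped policy, one where the model ARN was widened to "*".
const modelArn = (suffix: string): Json => ({
  "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" }, ":bedrock:us-east-1::foundation-model/" + suffix]],
});
const policy = (action: Json, resource: Json): Json => ({
  Type: "AWS::IAM::Policy",
  Properties: { PolicyDocument: { Statement: [{ Effect: "Allow", Action: action, Resource: resource }] } },
});
const SAMPLE_TEMPLATE: JsonObject = {
  Resources: {
    ScopedPolicy: policy("bedrock:Invoke*", [
      { "Fn::GetAtt": ["SampleProfile", "InferenceProfileArn"] },
      modelArn("amazon.nova-lite-v1:0"),
    ]),
    WidenedPolicy: policy(["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"], modelArn("*")),
  },
};

const sampleFindings = auditBedrockGrants(SAMPLE_TEMPLATE);
console.log(JSON.stringify(sampleFindings, null, 2));
```

Region wildcards are deliberately not flagged here, because only the resource-id segment is inspected.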

## Architecture


![\[Diagram showing the Lambda function and Bedrock inference profile created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-bedrockinferenceprofile.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-bedrockinferenceprofile) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-dynamodb


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_dynamodb`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-dynamodb`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdadynamodb`   | 

## Overview


This AWS Solutions Construct implements the AWS Lambda function and Amazon DynamoDB table with the least privileged permissions.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToDynamoDBProps, LambdaToDynamoDB } from '@aws-solutions-constructs/aws-lambda-dynamodb';
import * as lambda from 'aws-cdk-lib/aws-lambda';

const constructProps: LambdaToDynamoDBProps = {
  lambdaFunctionProps: {
    code: lambda.Code.fromAsset(`lambda`),
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler'
  },
};

new LambdaToDynamoDB(this, 'test-lambda-dynamodb-stack', constructProps);
```

```
from aws_solutions_constructs.aws_lambda_dynamodb import LambdaToDynamoDBProps, LambdaToDynamoDB
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

LambdaToDynamoDB(self, 'test_lambda_dynamodb_stack',
                    lambda_function_props=_lambda.FunctionProps(
                        code=_lambda.Code.from_asset(
                            'lambda'),
                        runtime=_lambda.Runtime.PYTHON_3_14,
                        handler='index.handler'
                    ))
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdadynamodb.*;

new LambdaToDynamoDB(this, "test_lambda_dynamodb_stack", new LambdaToDynamoDBProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  dynamoTableProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.TableProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.TableProps.html)   |  Optional user provided props to override the default props for the DynamoDB Table. Providing both this and `existingTableInterface` causes an error.  | 
|  existingTableObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html)   |  Existing instance of DynamoDB table object, providing both this and `dynamoTableProps` will cause an error.  | 
|  tablePermissions?  |   `string`   |  Optional table permissions to grant to the Lambda function. One of the following may be specified: `All`, `Read`, `ReadWrite`, `Write`.  | 
|  tableEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the name of the DynamoDB table. Default: DDB_TABLE_NAME  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and a Gateway Endpoint will be created in the VPC for Amazon DynamoDB. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user-provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of lambda.Function created by the construct  | 
|  dynamoTable  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb.Table.html)   |  Returns an instance of dynamodb.Table created by the construct  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + (default) DDB_TABLE_NAME
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

### Amazon DynamoDB Table

+ Set the billing mode for DynamoDB Table to On-Demand (Pay per request)
+ Enable server-side encryption for DynamoDB Table using AWS managed KMS Key
+ Creates a partition key called "id" for DynamoDB Table
+ Retain the Table when deleting the CloudFormation stack
+ Enable continuous backups and point-in-time recovery
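
A check that a synthesized template still carries the defaults listed above after `dynamoTableProps` or `lambdaFunctionProps` overrides have been applied. This is an added example, not code from the Solutions Constructs project; the mapping from each listed default to a CloudFormation field, the `auditDefaults` helper and the sample template are this example's own assumptions.

```typescript
// Added example (not project code): report where a synthesized template departs
// from the aws-lambda-dynamodb defaults listed on this page.
type Dict = { [key: string]: unknown };

interface Rule { type: string; setting: string; path: string[]; expected: string | boolean }
interface Drift { resource: string; setting: string; expected: string; actual: string }

// Each listed default mapped to the CloudFormation field that expresses it
// (the mapping is an assumption of this example).
const DEFAULT_RULES: Rule[] = [
  { type: "AWS::DynamoDB::Table", setting: "On-demand billing",
    path: ["Properties", "BillingMode"], expected: "PAY_PER_REQUEST" },
  { type: "AWS::DynamoDB::Table", setting: "Server-side encryption",
    path: ["Properties", "SSESpecification", "SSEEnabled"], expected: true },
  { type: "AWS::DynamoDB::Table", setting: "Point-in-time recovery",
    path: ["Properties", "PointInTimeRecoverySpecification", "PointInTimeRecoveryEnabled"], expected: true },
  { type: "AWS::DynamoDB::Table", setting: "Retain on stack delete",
    path: ["DeletionPolicy"], expected: "Retain" },
  { type: "AWS::Lambda::Function", setting: "X-Ray tracing",
    path: ["Properties", "TracingConfig", "Mode"], expected: "Active" },
];

function dict(v: unknown): Dict {
  return typeof v === "object" && v !== null && !Array.isArray(v) ? (v as Dict) : {};
}

// Walk a path; a missing key yields undefined, so an unset property is reported
// as drift instead of silently passing.
function valueAt(root: unknown, path: string[]): unknown {
  let node: unknown = root;
  for (const key of path) node = dict(node)[key];
  return node;
}

// CDK emits JSON booleans, but hand-edited templates may carry "true"/"false" strings.
function normalise(v: unknown): unknown {
  return v === "true" ? true : v === "false" ? false : v;
}

function auditDefaults(template: unknown, rules: Rule[] = DEFAULT_RULES): Drift[] {
  const drifts: Drift[] = [];
  const resources = dict(dict(template)["Resources"]);
  for (const logicalId of Object.keys(resources)) {
    const resource = dict(resources[logicalId]);
    for (const rule of rules) {
      if (resource["Type"] !== rule.type) continue;
      const actual = normalise(valueAt(resource, rule.path));
      if (actual === rule.expected) continue;
      drifts.push({
        resource: logicalId,
        setting: rule.setting,
        expected: String(rule.expected),
        actual: actual === undefined ? "(unset)" : JSON.stringify(actual),
      });
    }
  }
  return drifts;
}

// Constructed sample: a table whose overrides dropped three of the defaults.
const SAMPLE_TEMPLATE = {
  Resources: {
    OrdersTable: {
      Type: "AWS::DynamoDB::Table",
      DeletionPolicy: "Delete",
      Properties: {
        BillingMode: "PROVISIONED",
        SSESpecification: { SSEEnabled: true },
        // PointInTimeRecoverySpecification intentionally absent
      },
    },
    Handler: {
      Type: "AWS::Lambda::Function",
      Properties: { TracingConfig: { Mode: "Active" } },
    },
  },
};

const sampleDrift = auditDefaults(SAMPLE_TEMPLATE);
console.log(JSON.stringify(sampleDrift, null, 2));
```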

## Architecture


![\[Diagram showing the Lambda function, CloudWatch log group, DynamoDB table and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-dynamodb.png)


## Example Lambda Function Implementation


While Solutions Constructs does not publish code for the Lambda function to call DynamoDB, here is a DynamoDB example for CreateTableCommand, PutCommand, GetCommand, DeleteCommand, UpdateCommand, and more: ['example'](https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javascriptv3/example_code/dynamodb/scenarios/basic.js). This example is in JavaScript, but examples in other languages can also be found at this site.

## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-dynamodb) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-elasticachememcached


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_elasticachememcached`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-elasticachememcached`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdaelasticachememcached`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function connected to an Amazon Elasticache Memcached cluster.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToElasticachememcached } from '@aws-solutions-constructs/aws-lambda-elasticachememcached';
import * as lambda from 'aws-cdk-lib/aws-lambda';

new LambdaToElasticachememcached(this, 'LambdaToElasticachememcachedPattern', {
    lambdaFunctionProps: {
        runtime: lambda.Runtime.NODEJS_22_X,
        handler: 'index.handler',
        code: lambda.Code.fromAsset(`lambda`)
    }
});
```

```
from aws_solutions_constructs.aws_lambda_elasticachememcached import LambdaToElasticachememcached
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

LambdaToElasticachememcached(self, 'LambdaToCachePattern',
        lambda_function_props=_lambda.FunctionProps(
            code=_lambda.Code.from_asset('lambda'),
            runtime=_lambda.Runtime.PYTHON_3_14,
            handler='index.handler'
        )
        )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdaelasticachememcached.*;

new LambdaToElasticachememcached(this, "LambdaToCachePattern", new LambdaToElasticachememcachedProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and an Interface Endpoint will be created in the VPC for Amazon Elasticache. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user provided properties to override the default properties for the new VPC. `subnetConfiguration` is set by the pattern, so any values for those properties supplied here will be overridden.  | 
|  cacheEndpointEnvironmentVariableName?  |  string  |  Optional Name for the Lambda function environment variable set to the cache endpoint. Default: CACHE_ENDPOINT  | 
|  cacheProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticache.CfnCacheClusterProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticache.CfnCacheClusterProps.html)   |  Optional user provided props to override the default props for the Elasticache Cluster. Providing both this and `existingCache` will cause an error.  | 
|  existingCache?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticache.CfnCacheCluster.html#attrconfigurationendpointport](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticache.CfnCacheCluster.html#attrconfigurationendpointport)   |  Existing instance of Elasticache Cluster object, providing both this and `cacheProps` will cause an error. If you provide this, you must provide the associated VPC in existingVpc.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function used by the pattern.  | 
|  vpc  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern. This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 
|  cache  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticache.CfnCacheCluster.html#attrconfigurationendpointport](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticache.CfnCacheCluster.html#attrconfigurationendpointport)   |  The Elasticache Memcached cluster used by the construct.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Attached to self referencing security group to grant access to cache
+ Set Environment Variables
  + (default) CACHE_ENDPOINT
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

### Amazon Elasticache Memcached Cluster

+ Creates multi node, cross-az cluster by default
  + 2 cache nodes, type: cache.t3.medium
+ Self referencing security group attached to cluster endpoint

## Architecture


![\[Diagram showing the Lambda function, Elasticache memcached cache and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-elasticachememcached.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-elasticachememcached) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-elasticsearch-kibana


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_elasticsearch_kibana`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-elasticsearch-kibana`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdaelasticsearchkibana`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function and Amazon Elasticsearch Service with the least privileged permissions.

 **Some cluster configurations (e.g. VPC access) require the existence of the `AWSServiceRoleForAmazonElasticsearchService` Service-Linked Role in your account.** 

 **You will need to create the service-linked role using the AWS CLI once in any account using this construct (it may have already been run to support other stacks):** 

```
aws iam create-service-linked-role --aws-service-name es.amazonaws.com
```

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps, Aws } from 'aws-cdk-lib';
import { LambdaToElasticSearchAndKibana } from '@aws-solutions-constructs/aws-lambda-elasticsearch-kibana';
import * as lambda from "aws-cdk-lib/aws-lambda";

const lambdaProps: lambda.FunctionProps = {
  code: lambda.Code.fromAsset(`lambda`),
  runtime: lambda.Runtime.NODEJS_22_X,
  handler: 'index.handler'
};

new LambdaToElasticSearchAndKibana(this, 'sample', {
  lambdaFunctionProps: lambdaProps,
  domainName: 'testdomain',
  // NOTE: Ensure the Cognito domain name is globally unique
  cognitoDomainName: 'globallyuniquedomain' + Aws.ACCOUNT_ID
});
```

```
from aws_solutions_constructs.aws_lambda_elasticsearch_kibana import LambdaToElasticSearchAndKibana
from aws_cdk import (
    aws_lambda as _lambda,
    Aws,
    Stack
)
from constructs import Construct

lambda_props = _lambda.FunctionProps(
    code=_lambda.Code.from_asset('lambda'),
    runtime=_lambda.Runtime.PYTHON_3_14,
    handler='index.handler'
)

LambdaToElasticSearchAndKibana(self, 'sample',
                            lambda_function_props=lambda_props,
                            domain_name='testdomain',
                            # NOTE: Ensure the Cognito domain name is globally unique
                            cognito_domain_name='globallyuniquedomain' + Aws.ACCOUNT_ID
                            )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.Aws;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdaelasticsearchkibana.*;

new LambdaToElasticSearchAndKibana(this, "sample",
        new LambdaToElasticSearchAndKibanaProps.Builder()
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_22_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .build())
                .domainName("testdomain")
                // NOTE: Ensure the Cognito domain name is globally unique
                .cognitoDomainName("globallyuniquedomain" + Aws.ACCOUNT_ID)
                .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  esDomainProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticsearch.CfnDomainProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticsearch.CfnDomainProps.html)   |  Optional user provided props to override the default props for the Elasticsearch Service  | 
|  domainName  |   `string`   |  Domain name for the Cognito and the Elasticsearch Service  | 
|  cognitoDomainName?  |   `string`   |  Optional Cognito Domain Name, if provided it will be used for Cognito Domain, and domainName will be used for the Elasticsearch Domain  | 
|  createCloudWatchAlarms?  |   `boolean`   |  Whether to create recommended CloudWatch alarms  | 
|  domainEndpointEnvironmentVariableName?  |   `string`   |  Optional Name for the ElasticSearch domain endpoint environment variable set for the Lambda function.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of `lambda.Function` created by the construct  | 
|  userPool  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPool.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPool.html)   |  Returns an instance of `cognito.UserPool` created by the construct  | 
|  userPoolClient  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPoolClient.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPoolClient.html)   |  Returns an instance of `cognito.UserPoolClient` created by the construct  | 
|  identityPool  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.CfnIdentityPool.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.CfnIdentityPool.html)   |  Returns an instance of `cognito.CfnIdentityPool` created by the construct  | 
|  elasticsearchDomain  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticsearch.CfnDomain.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticsearch.CfnDomain.html)   |  Returns an instance of `elasticsearch.CfnDomain` created by the construct  | 
|  elasticsearchRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of `iam.Role` created by the construct for `elasticsearch.CfnDomain`   | 
|  cloudwatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns a list of `cloudwatch.Alarm` created by the construct  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

## Lambda Function


This pattern requires a Lambda function that can post data into Elasticsearch. A sample function is provided [here](https://github.com/awslabs/aws-solutions-constructs/blob/master/source/patterns/%40aws-solutions-constructs/aws-lambda-elasticsearch-kibana/test/lambda/index.js).

## Default settings


Out of the box implementation of the Construct without any overrides will set the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for Node.js Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + (default) DOMAIN_ENDPOINT
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED

### Amazon Cognito

+ Set password policy for User Pools
+ Enforce the advanced security mode for User Pools

### Amazon Elasticsearch Service

+ Deploy best practices CloudWatch Alarms for the Elasticsearch Service domain
+ Secure the Kibana dashboard access with Cognito User Pools
+ Enable server-side encryption for the Elasticsearch Service domain using AWS managed KMS Key
+ Enable node-to-node encryption for the Elasticsearch Service domain
+ Configure the cluster for the Elasticsearch Service domain
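
Because `esDomainProps` and `lambdaFunctionProps` override these defaults, a synthesized template can be checked against the list above before deployment. The following is an added example, not code from the Solutions Constructs project: it audits a CloudFormation template (the JSON that `cdk synth` produces) for the defaults in this section. The function name `audit_template` and both sample templates are constructed for illustration.

```python
import copy

# Constructed sample: a trimmed template in the shape `cdk synth` emits.
# Logical IDs and property values are made up for illustration.
GOOD_TEMPLATE = {
    "Resources": {
        "sampleLambdaFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "TracingConfig": {"Mode": "Active"},
                "Environment": {"Variables": {
                    "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1",
                    "DOMAIN_ENDPOINT": {"Fn::GetAtt": ["sampleDomain", "DomainEndpoint"]},
                }},
            },
        },
        "sampleUserPool": {
            "Type": "AWS::Cognito::UserPool",
            "Properties": {
                "Policies": {"PasswordPolicy": {"MinimumLength": 8}},
                "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"},
            },
        },
        "sampleDomain": {
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {
                "CognitoOptions": {"Enabled": True},
                "EncryptionAtRestOptions": {"Enabled": True},
                "NodeToNodeEncryptionOptions": {"Enabled": True},
            },
        },
    }
}

# Constructed "after overrides" variant: encryption at rest and tracing weakened.
WEAK_TEMPLATE = copy.deepcopy(GOOD_TEMPLATE)
WEAK_TEMPLATE["Resources"]["sampleDomain"]["Properties"]["EncryptionAtRestOptions"] = {"Enabled": "false"}
WEAK_TEMPLATE["Resources"]["sampleLambdaFunction"]["Properties"]["TracingConfig"] = {"Mode": "PassThrough"}


def dig(obj, *path):
    """Follow nested dict keys, returning None when any level is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def enabled(value):
    """CloudFormation booleans may be real booleans or the strings 'true'/'false'."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


# (resource type, documented default, predicate over the resource's Properties)
CHECKS = [
    ("AWS::Cognito::UserPool", "a password policy",
     lambda p: isinstance(dig(p, "Policies", "PasswordPolicy"), dict)),
    ("AWS::Cognito::UserPool", "advanced security mode ENFORCED",
     lambda p: dig(p, "UserPoolAddOns", "AdvancedSecurityMode") == "ENFORCED"),
    ("AWS::Elasticsearch::Domain", "Cognito authentication for Kibana enabled",
     lambda p: enabled(dig(p, "CognitoOptions", "Enabled"))),
    ("AWS::Elasticsearch::Domain", "encryption at rest enabled",
     lambda p: enabled(dig(p, "EncryptionAtRestOptions", "Enabled"))),
    ("AWS::Elasticsearch::Domain", "node-to-node encryption enabled",
     lambda p: enabled(dig(p, "NodeToNodeEncryptionOptions", "Enabled"))),
    ("AWS::Lambda::Function", "X-Ray tracing Active",
     lambda p: dig(p, "TracingConfig", "Mode") == "Active"),
]


def audit_template(template, endpoint_var="DOMAIN_ENDPOINT"):
    """Return a sorted list of findings; an empty list means every default holds."""
    findings = []
    seen_types = set()
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties") or {}
        if rtype == "AWS::Lambda::Function":
            # Helper functions (for example custom resources) are skipped: only the
            # pattern's function carries the domain endpoint environment variable.
            if endpoint_var not in (dig(props, "Environment", "Variables") or {}):
                continue
        seen_types.add(rtype)
        for check_type, description, predicate in CHECKS:
            if check_type == rtype and not predicate(props):
                findings.append(f"{logical_id}: expected {description}")
    for required in sorted({check[0] for check in CHECKS} - seen_types):
        findings.append(f"template: no {required} resource found for this pattern")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_template(WEAK_TEMPLATE):
        print(finding)
```

Pass the value of `domainEndpointEnvironmentVariableName` as `endpoint_var` when the stack overrides the default variable name.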

## Architecture


![\[Diagram showing the Lambda function, Elasticsearch domain, Cognito domain, CloudWatch log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-elasticsearch-kibana.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-elasticsearch-kibana) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-eventbridge


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_eventbridge`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-eventbridge`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdaeventbridge`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function connected to an Amazon EventBridge.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps, Aws } from 'aws-cdk-lib';
import { LambdaToEventbridge, LambdaToEventbridgeProps } from "@aws-solutions-constructs/aws-lambda-eventbridge";
import * as lambda from 'aws-cdk-lib/aws-lambda';

new LambdaToEventbridge(this, 'LambdaToEventbridgePattern', {
  lambdaFunctionProps: {
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler',
    code: lambda.Code.fromAsset(`lambda`)
  }
});
```

```
from aws_solutions_constructs.aws_lambda_eventbridge import LambdaToEventbridge
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

LambdaToEventbridge(self, 'LambdaToEventbridgePattern',
                    lambda_function_props=_lambda.FunctionProps(
                        code=_lambda.Code.from_asset('lambda'),
                        runtime=_lambda.Runtime.PYTHON_3_14,
                        handler='index.handler'
                    )
                    )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdaeventbridge.*;

new LambdaToEventbridge(this, "LambdaToEventbridgePattern", new LambdaToEventbridgeProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  existingEventBusInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Optional - user provided custom EventBus for this construct to use. Providing both this and `eventBusProps` causes an error.  | 
|  eventBusProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.EventBusProps.html)   |  Optional - user provided properties to override the default properties when creating a custom EventBus. Setting this value to `{}` will create a custom EventBus using all default properties. If neither this nor `existingEventBusInterface` is provided the construct will use the default EventBus. Providing both this and `existingEventBusInterface` causes an error.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and an Interface Endpoint will be created in the VPC for Amazon EventBridge. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user-provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 
|  eventBusEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the name of the Event bus. Default: EVENTBUS_NAME  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  eventBus?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.IEventBus.html)   |  Returns the instance of events.IEventBus used by the construct  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function.
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function.
+ Allow the function to put events to EventBus (custom EventBus can be used by specifying `existingEventBusInterface` or `eventBusProps` property).
+ Enable X-Ray Tracing
+ Set Environment Variables
  + EVENTBUS_NAME
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

## Architecture


![\[Diagram showing the Lambda function, CloudWatch log group, EventBridge bus and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-eventbridge.png)


## Example Lambda Function Implementation


While Solutions Constructs does not publish code for the Lambda function to call EventBridge, here is an EventBridge example for PutEventsCommand: ['example'](https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javascriptv3/example_code/eventbridge/actions/put-events.js). (This example is in JavaScript, but examples in other languages can also be found at this site.)

## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-eventbridge) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-kendra




![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.




|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_kendra`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-kendra`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdakendra`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function and Amazon Kendra index with the least privileged permissions.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps, Aws } from 'aws-cdk-lib';
import { LambdaToKendra } from '@aws-solutions-constructs/aws-lambda-kendra';
import * as lambda from "aws-cdk-lib/aws-lambda";
import * as s3 from "aws-cdk-lib/aws-s3";

const lambdaProps: lambda.FunctionProps = {
  code: lambda.Code.fromAsset(`lambda`),
  runtime: lambda.Runtime.NODEJS_22_X,
  handler: 'index.handler'
};

new LambdaToKendra(this, 'sample', {
  lambdaFunctionProps: lambdaProps,
  kendraIndexProps: {},
  // At least one data source must be specified
  kendraDataSourcesProps: [{
    type: 'S3',
    dataSourceConfiguration: {
      s3Configuration: {
        bucketName: 'your-bucket-name',
      }
    }
  }],
});
```

```
TBD
```

```
TBD
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  kendraIndexProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kendra.CfnIndex.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kendra.CfnIndex.html)   |  Optional user provided props to override the default props for the Kendra index. Providing both these and existingKendraIndexObj is an error.  | 
|  kendraDataSourcesProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kendra.CfnDataSource.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kendra.CfnDataSource.html)   |  A list of data sources that will provide data to the Kendra index. *At least 1 must be specified*. We will do the majority of the processing for some data sources (S3 crawler initially), but for others the props must be complete (e.g. proper roleArn, etc.)  | 
|  indexPermissions?  |   `string[]`   |  Optional - index permissions to grant to the Lambda function. One or more of the following may be specified: `Read`, `SubmitFeedback` and `Write`. Default is `["Read", "SubmitFeedback"]`. Read is all the operations IAM defines as Read and List. SubmitFeedback is only the SubmitFeedback action. Write is all the operations IAM defines as Write and Tag. This functionality may be overridden by providing a specific role arn in lambdaFunctionProps  | 
|  existingKendraIndexObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kendra.CfnIndex.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kendra.CfnIndex.html)   |  An existing Kendra index to which the Lambda function will be granted access. Supplying this along with `kendraIndexProps` or `kendraDataSourcesProps` will throw an error.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to `true` will deploy the minimal, most private VPC to run the pattern, consisting of (1) one isolated subnet in each Availability Zone used by the CDK program; and (2) `enableDnsHostnames` and `enableDnsSupport` both being set to `true`. If this property is `true` then `existingVpc` cannot be specified. Defaults to `false`.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of `lambda.Function` managed by the construct  | 
|  kendraIndex  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kendra.CfnIndex.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kendra.CfnIndex.html)   |  Returns an instance of `kendra.cfnIndex` managed by the construct  | 
|  kendraDataSources  |  DataSourceProperties[] (this interface is defined by Solutions Constructs and described below)  |  A list of data sources created for this construct/index, each in an object that includes the role for that data source.  | 
|  lambdaRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  The role assumed by the Lambda function  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

interface DataSourceProperties { role?: [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html), source: [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kendra.CfnDataSource.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kendra.CfnDataSource.html) }

## Lambda Function

This pattern requires a lambda function that can access a Kendra index.
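
The `indexPermissions` prop described in the Pattern Construct Props table decides which Kendra actions the function's role receives, and a role ARN supplied through `lambdaFunctionProps` bypasses it. The following added example (not code from the Solutions Constructs project) scans the IAM resources of a synthesized template for Kendra actions beyond the chosen permission groups. The classification of actions by name prefix is an approximation of IAM's access levels, and the template, logical IDs and function names are constructed assumptions.

```python
ALL_GROUPS = {"Read", "SubmitFeedback", "Write"}
DEFAULT_INDEX_PERMISSIONS = ("Read", "SubmitFeedback")  # default stated in the props table

# Assumption: IAM "Read" and "List" level Kendra actions begin with one of these prefixes.
READ_PREFIXES = ("batchget", "describe", "get", "list", "query", "retrieve")

# Constructed sample in the shape `cdk synth` emits; not output of the real construct.
SAMPLE_TEMPLATE = {
    "Resources": {
        "sampleLambdaRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"Policies": [{
                "PolicyName": "LambdaFunctionServiceRolePolicy",
                "PolicyDocument": {"Statement": [
                    {"Effect": "Allow",
                     "Action": ["kendra:Query", "kendra:Describe*", "kendra:Get*",
                                "kendra:BatchGet*", "kendra:List*", "kendra:Retrieve",
                                "kendra:SubmitFeedback"],
                     "Resource": {"Fn::GetAtt": ["sampleIndex", "Arn"]}},
                    {"Effect": "Allow", "Action": "xray:PutTraceSegments", "Resource": "*"},
                ]},
            }]},
        },
        # A policy added later in the same stack that widens the function's access.
        "sampleDriftPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {"PolicyDocument": {"Statement": {
                "Effect": "Allow",
                "Action": ["kendra:BatchPutDocument", "kendra:DeleteIndex"],
                "Resource": {"Fn::GetAtt": ["sampleIndex", "Arn"]},
            }}},
        },
    }
}


def groups_granted(action):
    """Map one IAM action string to the indexPermissions groups it can grant."""
    if not isinstance(action, str):
        return set()          # intrinsic functions are not resolved here
    if action == "*":
        return set(ALL_GROUPS)
    service, _, name = action.partition(":")
    if service.lower() != "kendra":
        return set()
    name = name.lower()       # IAM action names are case-insensitive
    if name == "*":
        return set(ALL_GROUPS)
    if name == "submitfeedback":
        return {"SubmitFeedback"}
    if name.startswith(READ_PREFIXES):
        return {"Read"}
    # Everything else, including wildcards too broad to classify (kendra:Batch*),
    # is treated conservatively as Write (the page groups Write and Tag together).
    return {"Write"}


def allow_statements(resource):
    """Yield Allow statements from a standalone policy or a role's inline policies."""
    props = resource.get("Properties") or {}
    documents = []
    if resource.get("Type") == "AWS::IAM::Policy":
        documents.append(props.get("PolicyDocument") or {})
    elif resource.get("Type") == "AWS::IAM::Role":
        documents.extend(p.get("PolicyDocument") or {} for p in props.get("Policies") or [])
    for document in documents:
        statements = document.get("Statement") or []
        for statement in ([statements] if isinstance(statements, dict) else statements):
            if statement.get("Effect") == "Allow":
                yield statement


def excess_kendra_grants(template, index_permissions=DEFAULT_INDEX_PERMISSIONS):
    """Return (logical id, action, excess groups) for grants beyond index_permissions."""
    allowed = set(index_permissions)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        for statement in allow_statements(resource):
            actions = statement.get("Action") or []
            for action in ([actions] if isinstance(actions, str) else actions):
                excess = groups_granted(action) - allowed
                if excess:
                    findings.append((logical_id, action, sorted(excess)))
    return findings


if __name__ == "__main__":
    for finding in excess_kendra_grants(SAMPLE_TEMPLATE):
        print(finding)
```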

## Default settings


Out of the box implementation of the Construct without any overrides will set the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for Node.js Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + (default) KENDRA_INDEX_ID
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED

### Amazon Kendra Index

+ Creates Amazon Kendra endpoint in VPC if appropriate
+ Defaults to DEVELOPER_EDITION

### Amazon Kendra DataSources

+ Sets up correct IAM roles to access data for:
  + S3 data sources
  + Which others should we support in MLP? https://docs.aws.amazon.com/kendra/latest/dg/iam-roles.html
+ Adds each data source to Kendra index

## Architecture


![\[Diagram showing the Lambda function, Kendra index, CloudWatch log group and IAM roles created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-kendra.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-kendra) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-kinesisfirehose


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_kinesisfirehose`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-kinesisfirehose`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdakinesisfirehose`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function connected to an existing Amazon Kinesis Firehose Delivery Stream.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToKinesisFirehose } from '@aws-solutions-constructs/aws-lambda-kinesisfirehose';
import * as lambda from 'aws-cdk-lib/aws-lambda';

// The construct requires an existing Firehose Delivery Stream; this can be created in raw CDK or extracted
// from a previously instantiated construct that created a Firehose Delivery Stream
const existingFirehoseDeliveryStream = previouslyCreatedKinesisFirehoseToS3Construct.kinesisFirehose;

new LambdaToKinesisFirehose(this, 'LambdaToFirehosePattern', {
  lambdaFunctionProps: {
      runtime: lambda.Runtime.NODEJS_22_X,
      handler: 'index.handler',
      code: lambda.Code.fromAsset(`lambda`)
  },
  existingKinesisFirehose: existingFirehoseDeliveryStream
});
```

```
from aws_solutions_constructs.aws_lambda_kinesisfirehose import LambdaToKinesisFirehose
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

# The construct requires an existing Firehose Delivery Stream; this can be created in raw CDK or extracted
# from a previously instantiated construct that created a Firehose Delivery Stream
existing_firehose_delivery_stream = previously_created_kinesis_firehose_to_s3_construct.kinesis_firehose

LambdaToKinesisFirehose(self, 'LambdaToFirehosePattern',
        existing_kinesis_firehose=existing_firehose_delivery_stream,
        lambda_function_props=_lambda.FunctionProps(
            code=_lambda.Code.from_asset('lambda'),
            runtime=_lambda.Runtime.PYTHON_3_14,
            handler='index.handler'
        )
        )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awscdk.services.kinesisfirehose.CfnDeliveryStream;
import software.amazon.awsconstructs.services.lambdakinesisfirehose.*;

// The construct requires an existing Firehose Delivery Stream; this can be created in raw CDK or extracted
// from a previously instantiated construct that created a Firehose Delivery Stream
final CfnDeliveryStream existingFirehoseDeliveryStream = previouslyCreatedKinesisFirehoseToS3Construct.getKinesisFirehose();

new LambdaToKinesisFirehose(this, "LambdaToFirehosePattern", new LambdaToKinesisFirehoseProps.Builder()
        .existingKinesisFirehose(existingFirehoseDeliveryStream)
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  existingKinesisFirehose  |   [kinesisfirehose.CfnDeliveryStream](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream.html)   |  An existing Kinesis Firehose Delivery Stream to which the Lambda function can put data. Note - the delivery stream construct must have already been created and have the deliveryStreamName set. This construct will *not* create a new Delivery Stream.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and an Interface Endpoint will be created in the VPC for Amazon Kinesis Data Firehose. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 
|  firehoseEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the name of the delivery stream. Default: FIREHOSE_DELIVERYSTREAM_NAME  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  kinesisFirehose  |   [kinesisfirehose.CfnDeliveryStream](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesisfirehose.CfnDeliveryStream.html)   |  The Kinesis Firehose Delivery Stream used by the construct.  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + (default) FIREHOSE_DELIVERYSTREAM_NAME
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED

### Amazon Kinesis Firehose Delivery Stream

+ This construct must be provided a configured Stream construct, it does not change this Stream.

## Architecture


![\[Diagram showing the Lambda function, Kinesis firehose and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-kinesisfirehose.png)


## Example Lambda Function Implementation


While Solutions Constructs does not publish code for the Lambda function to call Firehose, here is an example of calling Firehose: ['example'](https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/python/example_code/firehose/scenarios/firehose-put-actions/firehose.py). (this example is in Python, but examples in other languages can also be found at this site)

## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-kinesisfirehose) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-kinesisstreams


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_kinesis_stream`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-kinesisstreams`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdakinesisstreams`   | 

## Overview


This AWS Solutions Construct deploys an AWS Lambda Function that can put records on an Amazon Kinesis Data Stream.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToKinesisStreams } from '@aws-solutions-constructs/aws-lambda-kinesisstreams';
import * as lambda from 'aws-cdk-lib/aws-lambda';

new LambdaToKinesisStreams(this, 'LambdaToKinesisStreams', {
  lambdaFunctionProps: {
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler',
    code: lambda.Code.fromAsset(`lambda`)
  }
});
```

```
from aws_solutions_constructs.aws_lambda_kinesis_stream import LambdaToKinesisStreams
from aws_cdk import (
    aws_lambda as _lambda,
    aws_kinesis as kinesis,
    Stack
)
from constructs import Construct

LambdaToKinesisStreams(self, 'LambdaToKinesisStreams',
                        lambda_function_props=_lambda.FunctionProps(
                          runtime=_lambda.Runtime.PYTHON_3_14,
                          handler='index.handler',
                          code=_lambda.Code.from_asset('lambda')
                        )
                      )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.eventsources.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdakinesisstreams.*;

new LambdaToKinesisStreams(this, "LambdaToKinesisStreams", new LambdaToKinesisStreamsProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  existingStreamObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  Existing instance of a Kinesis Data Stream, providing both this and `kinesisStreamProps` will cause an error.  | 
|  kinesisStreamProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.StreamProps.html)   |  Optional user-provided props to override the default props for the Kinesis Data Stream.  | 
|  createCloudWatchAlarms  |   `boolean`   |  Whether to create recommended CloudWatch Alarms (defaults to true).  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and an Interface Endpoint will be created in the VPC for Amazon Kinesis Streams. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user-provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 
|  streamEnvironmentVariableName?  |   `string`   |  Optional Name to override the Lambda Function default environment variable name that holds the Kinesis Data Stream name value. Default: `KINESIS_DATASTREAM_NAME`  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda Function.  | 
|  kinesisStream  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html)   |  Returns an instance of the Kinesis Data Stream.  | 
|  cloudwatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns the CloudWatch Alarms created to monitor the Kinesis Data Stream.  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface to the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

## Default settings


Out of the box implementation of the Construct without any overrides will set the following defaults:

### AWS Lambda Function

+ Minimally-permissive IAM role for the Lambda Function to put records on the Kinesis Data Stream
+ Enable X-Ray Tracing
+ Sets an Environment Variable named `KINESIS_DATASTREAM_NAME` that holds the Kinesis Data Stream name, which is a required property for the Kinesis Data Streams SDK when making calls to it

### Amazon Kinesis Stream

+ Enable server-side encryption for the Kinesis Data Stream using AWS Managed CMK
+ Deploy best practices CloudWatch Alarms for the Kinesis Data Stream

## Architecture


![\[Diagram showing the Lambda function, Kinesis data stream and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-kinesisstreams.png)


## Example Lambda Function Implementation


While Solutions Constructs does not publish code for the Lambda function to call Kinesis, here is an example of calling Kinesis PutRecords: ['example'](https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javascriptv3/example_code/transcribe/src/transcribe_create_job.js). (this example is in JavaScript, but examples in other languages can also be found at this site)

## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-kinesisstreams) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-opensearch


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_opensearch`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-opensearch`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdaopensearch`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function and Amazon OpenSearch Service with the least privileged permissions.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps, Aws } from 'aws-cdk-lib';
import { LambdaToOpenSearch } from '@aws-solutions-constructs/aws-lambda-opensearch';
import * as lambda from "aws-cdk-lib/aws-lambda";

const lambdaProps: lambda.FunctionProps = {
  code: lambda.Code.fromAsset(`lambda`),
  runtime: lambda.Runtime.NODEJS_22_X,
  handler: 'index.handler'
};

new LambdaToOpenSearch(this, 'sample', {
  lambdaFunctionProps: lambdaProps,
  openSearchDomainName: 'testdomain',
  // NOTE: Ensure the Cognito domain name is globally unique
  cognitoDomainName: 'globallyuniquedomain' + Aws.ACCOUNT_ID
});
```

```
from aws_solutions_constructs.aws_lambda_opensearch import LambdaToOpenSearch
from aws_cdk import (
    aws_lambda as _lambda,
    Aws,
    Stack
)
from constructs import Construct

lambda_props = _lambda.FunctionProps(
    code=_lambda.Code.from_asset('lambda'),
    runtime=_lambda.Runtime.PYTHON_3_14,
    handler='index.handler'
)

LambdaToOpenSearch(self, 'sample',
                            lambda_function_props=lambda_props,
                            open_search_domain_name='testdomain',
                            # NOTE: Ensure the Cognito domain name is globally unique
                            cognito_domain_name='globallyuniquedomain' + Aws.ACCOUNT_ID
                            )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.Aws;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdaopensearch.*;

new LambdaToOpenSearch(this, "sample",
        new LambdaToOpenSearchProps.Builder()
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_22_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .build())
                .openSearchDomainName("testdomain")
                // NOTE: Ensure the Cognito domain name is globally unique
                .cognitoDomainName("globallyuniquedomain" + Aws.ACCOUNT_ID)
                .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  openSearchDomainProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.CfnDomainProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.CfnDomainProps.html)   |  Optional user provided props to override the default props for the OpenSearch Service.  | 
|  openSearchDomainName  |   `string`   |  Domain name for the OpenSearch Service.  | 
|  cognitoDomainName?  |   `string`   |  Optional Amazon Cognito domain name. If omitted the Amazon Cognito domain will default to the OpenSearch Service domain name.  | 
|  createCloudWatchAlarms?  |   `boolean`   |  Whether to create the recommended CloudWatch alarms.  | 
|  domainEndpointEnvironmentVariableName?  |   `string`   |  Optional name for the OpenSearch domain endpoint environment variable set for the Lambda function. Default is `DOMAIN_ENDPOINT`.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of `lambda.Function` created by the construct  | 
|  userPool  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPool.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPool.html)   |  Returns an instance of `cognito.UserPool` created by the construct  | 
|  userPoolClient  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPoolClient.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPoolClient.html)   |  Returns an instance of `cognito.UserPoolClient` created by the construct  | 
|  identityPool  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.CfnIdentityPool.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.CfnIdentityPool.html)   |  Returns an instance of `cognito.CfnIdentityPool` created by the construct  | 
|  openSearchDomain  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.CfnDomain.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_opensearchservice.CfnDomain.html)   |  Returns an instance of `opensearch.CfnDomain` created by the construct  | 
|  openSearchRole  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of `iam.Role` created by the construct for `opensearch.CfnDomain`   | 
|  cloudWatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns a list of `cloudwatch.Alarm` created by the construct  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

## Lambda Function


This pattern requires a Lambda function that can post data into OpenSearch. A sample function is provided [here](https://github.com/awslabs/aws-solutions-constructs/blob/master/source/patterns/%40aws-solutions-constructs/aws-lambda-opensearch/test/lambda/index.js).

## Default settings


Out of the box implementation of the Construct without any overrides will set the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for Node.js Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + (default) `DOMAIN_ENDPOINT`
  + `AWS_NODEJS_CONNECTION_REUSE_ENABLED`

### Amazon Cognito

+ Set password policy for User Pools
+ Enforce the advanced security mode for User Pools

### Amazon OpenSearch Service

+ Deploy best practices CloudWatch Alarms for the OpenSearch Service domain
+ Secure the OpenSearch Service dashboard access with Cognito User Pools
+ Enable server-side encryption for OpenSearch Service domain using AWS managed KMS Key
+ Enable node-to-node encryption for the OpenSearch Service domain
+ Configure the cluster for the OpenSearch Service domain
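
Because `lambdaFunctionProps`, `kinesisStreamProps` and `openSearchDomainProps` override the pattern defaults, it is worth checking the synthesized CloudFormation template for the tracing and encryption defaults listed here and in the aws-lambda-kinesisstreams section. The following is an added example, not code from Solutions Constructs: the rule set, the function names and both sample templates are constructed for illustration, while the property names are CloudFormation's own.

```python
# Added example: audit a synthesized CloudFormation template (cdk synth output)
# for the security defaults listed under "Default settings".
# The rule set and the sample templates below are constructed for illustration.

_MISSING = object()

# (resource type, path under Properties, expected value, what the rule protects)
RULES = [
    ("AWS::Lambda::Function", ("TracingConfig", "Mode"), "Active",
     "X-Ray tracing"),
    ("AWS::Kinesis::Stream", ("StreamEncryption", "EncryptionType"), "KMS",
     "server-side encryption of the stream"),
    ("AWS::OpenSearchService::Domain", ("EncryptionAtRestOptions", "Enabled"), True,
     "server-side encryption of the domain"),
    ("AWS::OpenSearchService::Domain", ("NodeToNodeEncryptionOptions", "Enabled"), True,
     "node-to-node encryption"),
    ("AWS::OpenSearchService::Domain", ("CognitoOptions", "Enabled"), True,
     "Cognito-protected dashboard access"),
]


def _lookup(props, path):
    """Walk a nested dict; return _MISSING if any key along the path is absent."""
    cur = props
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return _MISSING
        cur = cur[key]
    return cur


def _normalize(value):
    """CloudFormation accepts "true"/"false" strings where booleans are expected."""
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


def audit_template(template):
    """Return sorted (logical_id, property_path, problem) findings; empty means clean."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        for rtype, path, expected, what in RULES:
            if resource.get("Type") != rtype:
                continue
            actual = _normalize(_lookup(props, path))
            dotted = ".".join(path)
            if actual is _MISSING:
                findings.append((logical_id, dotted, f"not set ({what})"))
            elif isinstance(actual, dict):
                # An intrinsic such as {"Ref": ...} cannot be judged statically.
                findings.append((logical_id, dotted, f"unresolved value ({what})"))
            elif actual != expected:
                findings.append(
                    (logical_id, dotted, f"is {actual!r}, expected {expected!r} ({what})"))
    return sorted(findings)


# Constructed sample: resources shaped like the two patterns with defaults kept.
DEFAULTS_KEPT = {"Resources": {
    "Fn": {"Type": "AWS::Lambda::Function",
           "Properties": {"TracingConfig": {"Mode": "Active"}}},
    "Stream": {"Type": "AWS::Kinesis::Stream",
               "Properties": {"StreamEncryption": {"EncryptionType": "KMS",
                                                   "KeyId": "alias/aws/kinesis"}}},
    "Domain": {"Type": "AWS::OpenSearchService::Domain",
               "Properties": {"EncryptionAtRestOptions": {"Enabled": True},
                              "NodeToNodeEncryptionOptions": {"Enabled": "true"},
                              "CognitoOptions": {"Enabled": True}}},
}}

# Constructed sample: the same resources after overrides dropped three defaults.
DEFAULTS_LOST = {"Resources": {
    "Fn": {"Type": "AWS::Lambda::Function",
           "Properties": {"TracingConfig": {"Mode": "PassThrough"}}},
    "Stream": {"Type": "AWS::Kinesis::Stream",
               "Properties": {"ShardCount": 1}},
    "Domain": {"Type": "AWS::OpenSearchService::Domain",
               "Properties": {"EncryptionAtRestOptions": {"Enabled": True},
                              "NodeToNodeEncryptionOptions": {"Enabled": False},
                              "CognitoOptions": {"Enabled": True}}},
}}

if __name__ == "__main__":
    for finding in audit_template(DEFAULTS_LOST):
        print(*finding, sep=": ")
```

To run it against a real stack, load the JSON template that `cdk synth` writes to `cdk.out` and pass the resulting dict to `audit_template`.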

## Architecture


![\[Diagram showing the Lambda function, OpenSearch domain, Cognito domain, CloudWatch log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-opensearch.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-opensearch) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-polly


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_polly`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-polly`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdapolly`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function connected to Amazon Polly text-to-speech service. For asynchronous speech synthesis tasks, the construct can optionally create an S3 bucket for audio output and an SNS topic for completion notifications, with appropriate IAM permissions for the Lambda function to interact with Amazon Polly service.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToPolly } from '@aws-solutions-constructs/aws-lambda-polly';
import * as lambda from 'aws-cdk-lib/aws-lambda';

new LambdaToPolly(this, 'LambdaToPollyPattern', {
    lambdaFunctionProps: {
        runtime: lambda.Runtime.NODEJS_22_X,
        handler: 'index.handler',
        code: lambda.Code.fromAsset(`lambda`)
    }
});
```

```
from aws_solutions_constructs.aws_lambda_polly import LambdaToPolly
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

LambdaToPolly(self, 'LambdaToPollyPattern',
        lambda_function_props=_lambda.FunctionProps(
            code=_lambda.Code.from_asset('lambda'),
            runtime=_lambda.Runtime.PYTHON_3_14,
            handler='index.handler'
        )
        )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdapolly.*;

new LambdaToPolly(this, "LambdaToPollyPattern", new LambdaToPollyProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error. Function will have these Polly permissions: ['polly:SynthesizeSpeech']. When asyncJobs is true, function will also have ['polly:StartSpeechSynthesisTask', 'polly:GetSpeechSynthesisTask', 'polly:ListSpeechSynthesisTasks'].  | 
|  asyncJobs?  |   `boolean`   |  Whether to enable asynchronous speech synthesis tasks. When true, an S3 bucket for audio output and an SNS topic for completion notifications will be created, and the Lambda function will be granted permissions to start and monitor asynchronous synthesis tasks. Default: false  | 
|  existingBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Existing instance of S3 Bucket object for audio output, providing both this and `bucketProps` will cause an error. Only valid when asyncJobs is true.  | 
|  bucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Bucket. Only valid when asyncJobs is true.  | 
|  bucketEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the name of the output bucket. Only valid when asyncJobs is true. Default: `OUTPUT_BUCKET_NAME`  | 
|  logS3AccessLogs?  |   `boolean`   |  Whether to turn on Access Logs for the S3 bucket with the associated storage costs. Enabling Access Logging is a best practice. Only valid when asyncJobs is true. Default: true  | 
|  loggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Logging Bucket. Only valid when asyncJobs is true.  | 
|  existingTopicObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)   |  Optional - existing instance of SNS topic object, providing both this and `topicProps` will cause an error. Only valid when asyncJobs is true.  | 
|  topicProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html)   |  Optional - user provided properties to override the default properties for the SNS topic. Providing both this and `existingTopicObj` causes an error. Only valid when asyncJobs is true.  | 
|  topicEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the ARN of the SNS topic used for asynchronous task completion notifications. Only valid when asyncJobs is true. Default: `SNS_TOPIC_ARN`  | 
|  existingTopicEncryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  If an existing topic is provided in the `existingTopicObj` property, and that topic is encrypted with a customer managed KMS key, this property must specify that key. Only valid when asyncJobs is true.  | 
|  topicEncryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SNS Topic with. Only valid when asyncJobs is true.  | 
|  topicEncryptionKeyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SNS Topic with. Only valid when asyncJobs is true.  | 
|  enableTopicEncryptionWithCustomerManagedKey?  |   `boolean`   |  If no key is provided, this flag determines whether the SNS Topic is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: topicProps.masterKey, topicEncryptionKey or topicEncryptionKeyProps. Only valid when asyncJobs is true.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC for the construct to use (construct will NOT create a new VPC in this case)  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Properties to override default properties if deployVpc is true  | 
|  deployVpc?  |   `boolean`   |  Whether to deploy a new VPC. Default: false  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  destinationBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of the S3 bucket if it is created by the pattern.  | 
|  loggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the destination bucket.  | 
|  destinationBucketInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an interface of s3.IBucket used by the construct for the destination bucket whether created by the pattern or supplied from the client.  | 
|  snsNotificationTopic?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)   |  Returns an instance of the SNS topic created for asynchronous task completion notifications when asyncJobs is true.  | 
|  notificationTopicEncryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.IKey.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.IKey.html)   |  Returns an instance of kms.IKey used for the SNS Topic.  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

## Default settings


Out of the box implementation of the Construct without any overrides will set the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for Node.js Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + (default) `OUTPUT_BUCKET_NAME` (when asyncJobs is true)
  + (default) `SNS_TOPIC_ARN` (when asyncJobs is true)
  + `AWS_NODEJS_CONNECTION_REUSE_ENABLED` (for Node 10.x and higher functions)
+ Grant permissions to use Amazon Polly service (['polly:SynthesizeSpeech'] by default)
+ When asyncJobs is true, grant permissions to start and monitor asynchronous synthesis tasks (['polly:StartSpeechSynthesisTask', 'polly:GetSpeechSynthesisTask', 'polly:ListSpeechSynthesisTasks']), and read/write to the S3 bucket

### Amazon S3 Bucket (when asyncJobs is true)

+ Configure Access logging for S3 Bucket
+ Enable server-side encryption for S3 Bucket using AWS managed KMS Key
+ Enforce encryption of data in transit
+ Turn on the versioning for S3 Bucket
+ Don’t allow public access for S3 Bucket
+ Retain the S3 Bucket when deleting the CloudFormation stack
+ Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days

### Amazon SNS Topic (when asyncJobs is true)

+ Configure server-side encryption using AWS managed KMS Key
+ Create topic for asynchronous task completion notifications

### Amazon Polly Service

+ Lambda function will have permissions to call ['polly:SynthesizeSpeech'] operation

 **When asyncJobs is true** 
+ Lambda function is also granted permission to call ['polly:StartSpeechSynthesisTask', 'polly:GetSpeechSynthesisTask', 'polly:ListSpeechSynthesisTasks']
+ An SNS topic will be created and the Lambda function is granted permission to call ['sns:Publish']
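
One way to check the permission defaults listed above against a synthesized CloudFormation template, as an added example (not code from the Solutions Constructs project): it walks the `AWS::IAM::Policy` resources and reports any Polly or SNS action outside the set this page lists for the chosen `asyncJobs` mode, plus wildcard grants. The sample templates, logical IDs and function names are constructed for illustration.

```python
"""Audit IAM policies in a synthesized CloudFormation template against the
Polly and SNS actions this page lists for the construct's Lambda role."""

# Action the page lists for the default (synchronous) mode.
SYNC_ACTIONS = {"polly:SynthesizeSpeech"}
# Actions the page adds when asyncJobs is true.
ASYNC_ACTIONS = SYNC_ACTIONS | {
    "polly:StartSpeechSynthesisTask",
    "polly:GetSpeechSynthesisTask",
    "polly:ListSpeechSynthesisTasks",
    "sns:Publish",
}
AUDITED_PREFIXES = ("polly:", "sns:")


def _as_list(value):
    """IAM accepts a single item or a list for Statement and Action."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_polly_permissions(template, async_jobs=False):
    """Return (logical_id, action, reason) for each grant beyond the listed set."""
    # IAM action names are case-insensitive, so compare in lower case.
    allowed = {a.lower() for a in (ASYNC_ACTIONS if async_jobs else SYNC_ACTIONS)}
    findings = []
    for logical_id, resource in sorted(template.get("Resources", {}).items()):
        if resource.get("Type") != "AWS::IAM::Policy":
            continue
        document = resource.get("Properties", {}).get("PolicyDocument", {})
        for statement in _as_list(document.get("Statement")):
            if statement.get("Effect") != "Allow":
                continue
            if "NotAction" in statement:
                # Allow + NotAction grants every action that is not named.
                findings.append((logical_id, "NotAction", "allow-by-exclusion"))
                continue
            for action in _as_list(statement.get("Action")):
                if not isinstance(action, str):
                    continue  # intrinsic function; cannot be resolved offline
                name = action.lower()
                in_scope = name.startswith(AUDITED_PREFIXES)
                if name == "*" or (in_scope and "*" in name):
                    findings.append((logical_id, action, "wildcard"))
                elif in_scope and name not in allowed:
                    findings.append((logical_id, action, "not listed for this mode"))
    return findings


# Constructed sample: the role policy as the defaults above describe it.
DEFAULT_TEMPLATE = {"Resources": {
    "LambdaFunctionServiceRoleDefaultPolicy": {
        "Type": "AWS::IAM::Policy",
        "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["xray:PutTraceSegments", "xray:PutTelemetryRecords"]},
            {"Effect": "Allow", "Resource": "*", "Action": "polly:SynthesizeSpeech"},
        ]}},
    },
}}

# Constructed sample: a hand-added policy that widens the role.
OVERRIDDEN_TEMPLATE = {"Resources": {
    "ExtraPolicy": {
        "Type": "AWS::IAM::Policy",
        "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": {
            "Effect": "Allow", "Resource": "*",
            "Action": ["polly:SynthesizeSpeech", "polly:StartSpeechSynthesisTask",
                       "polly:*", "sns:Publish"],
        }}},
    },
}}

if __name__ == "__main__":
    for label, template, mode in (("default", DEFAULT_TEMPLATE, False),
                                  ("override, asyncJobs=false", OVERRIDDEN_TEMPLATE, False),
                                  ("override, asyncJobs=true", OVERRIDDEN_TEMPLATE, True)):
        print(label, audit_polly_permissions(template, async_jobs=mode))
```

The S3 read/write grant that `asyncJobs` adds is outside the audited prefixes and is not checked here.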

### Amazon VPC

+ If deployVpc is true, a minimal VPC will be created with:
  + Interface Endpoints for Amazon Polly
  + Gateway Endpoints for Amazon S3 (when asyncJobs is true)
  + Private subnets for Lambda function
  + Appropriate security groups and routing

## Architecture


 **Default Implementation** 

![\[Diagram showing the Lambda function, Amazon Polly service, and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-polly.png)


 **Default Implementation when asyncJobs = true** 

![\[Diagram showing the Lambda function, destination S3 bucket (when asyncJobs is true), SNS topic, Amazon Polly service, and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-polly-async.png)


## Example Lambda Function Implementation


While Solutions Constructs does not publish code for the Lambda function to call Polly, here are examples of calling Polly: [examples](https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javascriptv3/example_code/polly/general-examples/src/polly_synthesize_to_s3.js). These examples are in JavaScript, but examples in other languages can also be found at this site.

## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-polly) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-s3


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_s3`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-s3`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdas3`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function connected to an Amazon S3 bucket.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToS3 } from '@aws-solutions-constructs/aws-lambda-s3';
import * as lambda from 'aws-cdk-lib/aws-lambda';

new LambdaToS3(this, 'LambdaToS3Pattern', {
    lambdaFunctionProps: {
        runtime: lambda.Runtime.NODEJS_22_X,
        handler: 'index.handler',
        code: lambda.Code.fromAsset(`lambda`)
    }
});
```

```
from aws_solutions_constructs.aws_lambda_s3 import LambdaToS3
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

LambdaToS3(self, 'LambdaToS3Pattern',
        lambda_function_props=_lambda.FunctionProps(
            code=_lambda.Code.from_asset('lambda'),
            runtime=_lambda.Runtime.PYTHON_3_14,
            handler='index.handler'
        )
        )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdas3.*;

new LambdaToS3(this, "LambdaToS3Pattern", new LambdaToS3Props.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object. Providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  existingBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Optional - existing instance of S3 Bucket. If this is provided, then also providing bucketProps causes an error.  | 
|  bucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user-provided props to override the default props for the S3 Bucket. Providing both this and `existingBucketObj` will cause an error.  | 
|  bucketPermissions?  |   `string[]`   |  Optional bucket permissions to grant to the Lambda function. One or more of the following may be specified: `Delete`, `Put`, `Read`, `ReadWrite`, `Write`.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and an Interface Endpoint will be created in the VPC for Amazon S3. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 
|  bucketEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the name of the bucket. Default: S3_BUCKET_NAME  | 
|  loggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Logging Bucket.  | 
|  logS3AccessLogs?  |   `boolean`   |  Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. Default: true  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  s3Bucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of the S3 bucket created by the pattern.  | 
|  s3LoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket.  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 
|  s3BucketInterface  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an instance of s3.IBucket created by the construct.  | 

## Default settings


Without any overrides, the out-of-the-box implementation of the Construct sets the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + (default) S3_BUCKET_NAME
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

### Amazon S3 Bucket

+ Configure Access logging for S3 Bucket
+ Enable server-side encryption for S3 Bucket using AWS managed KMS Key
+ Enforce encryption of data in transit
+ Turn on the versioning for S3 Bucket
+ Don’t allow public access for S3 Bucket
+ Retain the S3 Bucket when deleting the CloudFormation stack
+ Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days
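
A check of the bucket defaults listed above against a synthesized CloudFormation template, as an added example (not code from the Solutions Constructs project): it reports which of the listed defaults a bucket has lost, for instance after a `bucketProps` override. The logical IDs, function names and sample template are constructed; the accepted `SSEAlgorithm` values are an assumption, since the page does not name the algorithm.

```python
"""Check one bucket in a synthesized CloudFormation template against the
S3 bucket defaults this page lists for the construct."""
import copy

SSE_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}  # assumed acceptable values
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                       "IgnorePublicAcls", "RestrictPublicBuckets")


def _denies_plaintext(template, bucket_id):
    """True if a bucket policy on bucket_id denies requests made without TLS."""
    for resource in template.get("Resources", {}).values():
        props = resource.get("Properties", {})
        if (resource.get("Type") != "AWS::S3::BucketPolicy"
                or props.get("Bucket") != {"Ref": bucket_id}):
            continue
        statements = props.get("PolicyDocument", {}).get("Statement", [])
        for statement in [statements] if isinstance(statements, dict) else statements:
            flag = statement.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
            if statement.get("Effect") == "Deny" and str(flag).lower() == "false":
                return True
    return False


def _moves_noncurrent_to_glacier(props, days=90):
    """True if an enabled lifecycle rule sends noncurrent versions to Glacier."""
    rules = props.get("LifecycleConfiguration", {}).get("Rules", [])
    return any(
        t.get("StorageClass") == "GLACIER" and t.get("TransitionInDays") == days
        for rule in rules if rule.get("Status") == "Enabled"
        for t in rule.get("NoncurrentVersionTransitions", []))


def audit_bucket_defaults(template, bucket_id):
    """Return the names of the listed defaults that bucket_id does not have."""
    bucket = template["Resources"][bucket_id]
    props = bucket.get("Properties", {})
    sse_rules = props.get("BucketEncryption", {}).get(
        "ServerSideEncryptionConfiguration", [])
    algorithms = {rule.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for rule in sse_rules}
    pab = props.get("PublicAccessBlockConfiguration", {})
    checks = {
        "access-logging": bool(
            props.get("LoggingConfiguration", {}).get("DestinationBucketName")),
        "server-side-encryption": bool(algorithms & SSE_ALGORITHMS),
        "tls-only-policy": _denies_plaintext(template, bucket_id),
        "versioning": props.get("VersioningConfiguration", {}).get("Status") == "Enabled",
        "public-access-block": all(pab.get(flag) is True for flag in PUBLIC_ACCESS_FLAGS),
        "retain-on-delete": bucket.get("DeletionPolicy") == "Retain",
        "noncurrent-to-glacier-90d": _moves_noncurrent_to_glacier(props),
    }
    return [name for name, ok in checks.items() if not ok]


# Constructed sample of the resources the defaults above describe.
DEFAULT_TEMPLATE = {"Resources": {
    "S3Bucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "LoggingConfiguration": {"DestinationBucketName": {"Ref": "S3LoggingBucket"}},
        "VersioningConfiguration": {"Status": "Enabled"},
        "PublicAccessBlockConfiguration": dict.fromkeys(PUBLIC_ACCESS_FLAGS, True),
        "LifecycleConfiguration": {"Rules": [{
            "Status": "Enabled",
            "NoncurrentVersionTransitions": [
                {"StorageClass": "GLACIER", "TransitionInDays": 90}]}]},
    }},
    "S3BucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "S3Bucket"},
        "PolicyDocument": {"Statement": [{
            "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:*",
            "Resource": {"Fn::GetAtt": ["S3Bucket", "Arn"]},
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
    }},
}}


def weakened_copy(template):
    """Constructed override scenario: versioning off, one public-access flag
    cleared, and the TLS-only bucket policy dropped."""
    weak = copy.deepcopy(template)
    props = weak["Resources"]["S3Bucket"]["Properties"]
    del props["VersioningConfiguration"]
    props["PublicAccessBlockConfiguration"]["BlockPublicPolicy"] = False
    del weak["Resources"]["S3BucketPolicy"]
    return weak


if __name__ == "__main__":
    print("default :", audit_bucket_defaults(DEFAULT_TEMPLATE, "S3Bucket"))
    print("weakened:", audit_bucket_defaults(weakened_copy(DEFAULT_TEMPLATE), "S3Bucket"))
```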

## Architecture


![\[Diagram showing the Lambda function, S3 bucket and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-s3.png)


## Example Lambda Function Implementation


While Solutions Constructs does not publish code for the Lambda function to call S3, here are examples of many different S3 operations: [examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/s3/actions). These examples are in JavaScript, but examples in other languages can also be found at this site.

## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-s3) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-sagemakerendpoint


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.




|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_sagemakerendpoint`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-sagemakerendpoint`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdasagemakerendpoint`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function connected to an Amazon SageMaker Endpoint.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps, Duration } from 'aws-cdk-lib';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import { LambdaToSagemakerEndpoint, LambdaToSagemakerEndpointProps } from '@aws-solutions-constructs/aws-lambda-sagemakerendpoint';

const constructProps: LambdaToSagemakerEndpointProps = {
  modelProps: {
    primaryContainer: {
      image: '<AccountId>.dkr.ecr.<region>.amazonaws.com/linear-learner:latest',
      modelDataUrl: "s3://<bucket-name>/<prefix>/model.tar.gz",
    },
  },
  lambdaFunctionProps: {
    runtime: lambda.Runtime.PYTHON_3_14,
    code: lambda.Code.fromAsset(`lambda`),
    handler: 'index.handler',
    timeout: Duration.minutes(5),
    memorySize: 128,
  },
};

new LambdaToSagemakerEndpoint(this, 'LambdaToSagemakerEndpointPattern', constructProps);
```

```
from aws_solutions_constructs.aws_lambda_sagemakerendpoint import LambdaToSagemakerEndpoint, LambdaToSagemakerEndpointProps
from aws_cdk import (
    aws_lambda as _lambda,
    aws_sagemaker as sagemaker,
    Duration,
    Stack
)
from constructs import Construct

LambdaToSagemakerEndpoint(
    self, 'LambdaToSagemakerEndpointPattern',
    model_props=sagemaker.CfnModelProps(
        primary_container=sagemaker.CfnModel.ContainerDefinitionProperty(
            image='<AccountId>.dkr.ecr.<region>.amazonaws.com/linear-learner:latest',
            model_data_url='s3://<bucket-name>/<prefix>/model.tar.gz',
        ),
        execution_role_arn="executionRoleArn"
    ),
    lambda_function_props=_lambda.FunctionProps(
        code=_lambda.Code.from_asset('lambda'),
        runtime=_lambda.Runtime.PYTHON_3_14,
        handler='index.handler',
        timeout=Duration.minutes(5),
        memory_size=128
    ))
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.Duration;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awscdk.services.sagemaker.*;
import software.amazon.awsconstructs.services.lambdasagemakerendpoint.*;

new LambdaToSagemakerEndpoint(this, "LambdaToSagemakerEndpointPattern",
        new LambdaToSagemakerEndpointProps.Builder()
                .modelProps(new CfnModelProps.Builder()
                        .primaryContainer(new CfnModel.ContainerDefinitionProperty.Builder()
                                .image("<AccountId>.dkr.ecr.<region>.amazonaws.com/linear_learner:latest")
                                .modelDataUrl("s3://<bucket_name>/<prefix>/model.tar.gz")
                                .build())
                        .executionRoleArn("executionRoleArn")
                        .build())
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_22_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .timeout(Duration.minutes(5))
                        .build())
                .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object. Providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  existingSagemakerEndpointObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnEndpoint.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnEndpoint.html)   |  An optional, existing SageMaker Endpoint to be used. Providing both this and `endpointProps?` will cause an error.  | 
|  modelProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnModelProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnModelProps.html) \| `any`   |  User-provided properties to override the default properties for the SageMaker Model. At least `modelProps?.primaryContainer` must be provided to create a model. By default, the pattern will create a role with the minimum required permissions, but the client can provide a custom role with additional capabilities using `modelProps?.executionRoleArn`.  | 
|  endpointConfigProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnEndpointConfigProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnEndpointConfigProps.html)   |  Optional user-provided properties to override the default properties for the SageMaker Endpoint Config.  | 
|  endpointProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnEndpointProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnEndpointProps.html)   |  Optional user-provided properties to override the default properties for the SageMaker Endpoint.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this construct should be deployed. When deployed in a VPC, the Lambda function and SageMaker Endpoint will use ENIs in the VPC to access network resources. An Interface Endpoint for Amazon SageMaker Runtime and a VPC Endpoint for Amazon S3 will be created in the VPC. If an existing VPC is provided, the `deployVpc?` property cannot be `true`.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user-provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the Construct, so any values for those properties supplied here will be overridden. If `deployVpc?` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 
|  sagemakerEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the name of the SageMaker endpoint. Default: SAGEMAKER_ENDPOINT_NAME  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  sagemakerEndpoint  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnEndpoint.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnEndpoint.html)   |  Returns an instance of the SageMaker Endpoint created by the pattern.  | 
|  sagemakerEndpointConfig?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnEndpointConfig.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnEndpointConfig.html)   |  Returns an instance of the SageMaker EndpointConfig created by the pattern, if `existingSagemakerEndpointObj?` is not provided.  | 
|  sagemakerModel?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnModel.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sagemaker.CfnModel.html)   |  Returns an instance of the SageMaker Model created by the pattern, if `existingSagemakerEndpointObj?` is not provided.  | 
|  vpc?  |   `ec2.IVpc`   |  Returns an instance of the VPC created by the pattern, if `deployVpc?` is `true`, or `existingVpc?` is provided.  | 

## Default settings


Without any overrides, the out-of-the-box implementation of the Construct sets the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Allow the function to invoke the SageMaker endpoint for Inferences
+ Configure the function to access resources in the VPC, where the SageMaker endpoint is deployed
+ Enable X-Ray Tracing
+ Set environment variables:
  + (default) SAGEMAKER_ENDPOINT_NAME
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions).

### Amazon SageMaker Endpoint

+ Configure limited privilege to create SageMaker resources
+ Deploy SageMaker model, endpointConfig, and endpoint
+ Configure the SageMaker endpoint to be deployed in a VPC
+ Deploy S3 VPC Endpoint and SageMaker Runtime VPC Interface Endpoint

## Architecture


![\[Diagram showing the Lambda function, SageMaker endpoint, CloudWatch log group and IAM roles created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-sagemakerendpoint.png)


## Example Lambda Function Implementation


While Solutions Constructs does not publish code for the Lambda function to interact with SageMaker, this repo has several SageMaker examples: [examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/sagemaker). These examples are in JavaScript, but examples in other languages can also be found at this site.

## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-sagemakerendpoint) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-secretsmanager


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_secretsmanager`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-secretsmanager`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdasecretsmanager`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function and an AWS Secrets Manager secret with least-privilege permissions.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToSecretsmanagerProps, LambdaToSecretsmanager } from '@aws-solutions-constructs/aws-lambda-secretsmanager';
import * as lambda from 'aws-cdk-lib/aws-lambda';

const constructProps: LambdaToSecretsmanagerProps = {
  lambdaFunctionProps: {
    runtime: lambda.Runtime.NODEJS_22_X,
    code: lambda.Code.fromAsset(`lambda`),
    handler: 'index.handler'
  },
};

new LambdaToSecretsmanager(this, 'test-lambda-secretsmanager-stack', constructProps);
```

```
from aws_solutions_constructs.aws_lambda_secretsmanager import LambdaToSecretsmanagerProps, LambdaToSecretsmanager
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct


LambdaToSecretsmanager(
    self, 'test-lambda-secretsmanager-stack',
    lambda_function_props=_lambda.FunctionProps(
        code=_lambda.Code.from_asset('lambda'),
        runtime=_lambda.Runtime.PYTHON_3_14,
        handler='index.handler'
    )
)
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdasecretsmanager.*;

new LambdaToSecretsmanager(this, "test-lambda-secretsmanager-stack", new LambdaToSecretsmanagerProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object. Providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  secretProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.SecretProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.SecretProps.html)   |  Optional user provided props to override the default props for Secrets Manager  | 
|  existingSecretObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.Secret.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.Secret.html)   |  Existing instance of a Secrets Manager Secret object. If this is set, then `secretProps` is ignored.  | 
|  grantWriteAccess?  |   `string`   |  Optional access granted to the Lambda function for the secret: "Read" or "ReadWrite". Default is "Read".  | 
|  secretEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the ARN of the secret. Default: SECRET_ARN.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and an Interface Endpoint will be created in the VPC for AWS Secrets Manager. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user-provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of lambda.Function created by the construct  | 
|  secret  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.Secret.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.Secret.html)   |  Returns an instance of secretsmanager.Secret created by the construct  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

## Default settings


Without any overrides, the out-of-the-box implementation of the Construct sets the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + (default) SECRET_ARN containing the ARN of the secret as returned by the CDK [secretArn property](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_secretsmanager.Secret.html#secretarn).
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

### Amazon SecretsManager Secret

+ Enable read-only access for the associated AWS Lambda Function
+ Creates a new Secret
  + (default) random name
  + (default) random value
+ Retain the Secret when deleting the CloudFormation stack

## Architecture


![\[Diagram showing the Lambda function, Secrets Manager secret, CloudWatch log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-secretsmanager.png)


## Example Lambda Function Implementation


While Solutions Constructs does not publish code for the Lambda function to get a Secret from Secrets Manager, there is example code available here: [example](https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javascriptv3/example_code/secrets-manager/actions/get-secret-value.js). This example is in JavaScript, but examples in other languages can also be found at this site.

## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-secretsmanager) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-sns


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_sns`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-sns`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdasns`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function connected to an Amazon SNS topic.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToSns, LambdaToSnsProps } from "@aws-solutions-constructs/aws-lambda-sns";
import * as lambda from 'aws-cdk-lib/aws-lambda';

new LambdaToSns(this, 'test-lambda-sns', {
  lambdaFunctionProps: {
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler',
    code: lambda.Code.fromAsset(`lambda`)
  }
});
```

```
from aws_solutions_constructs.aws_lambda_sns import LambdaToSns
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

LambdaToSns(
    self, 'test-lambda-sns-stack',
    lambda_function_props=_lambda.FunctionProps(
        code=_lambda.Code.from_asset('lambda'),
        runtime=_lambda.Runtime.PYTHON_3_14,
        handler='index.handler'
    )
)
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdasns.*;

new LambdaToSns(this, "test-lambda-sns-stack", new LambdaToSnsProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  existingTopicObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - existing instance of SNS topic object, providing both this and `topicProps` will cause an error.  | 
|  topicProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html)   |  Optional - user provided properties to override the default properties for the SNS topic. Providing both this and `existingTopicObj` causes an error.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and an Interface Endpoint will be created in the VPC for Amazon SNS. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user-provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 
|  topicArnEnvironmentVariableName?  |   `string`   |  Optional name for the Lambda function environment variable set to the ARN of the topic. Default: SNS_TOPIC_ARN  | 
|  topicNameEnvironmentVariableName?  |   `string`   |  Optional name for the Lambda function environment variable set to the name of the topic. Default: SNS_TOPIC_NAME  | 
|  enableEncryptionWithCustomerManagedKey?  |   `boolean`   |  If no key is provided, this flag determines whether the SNS Topic is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: topicProps.masterKey, encryptionKey or encryptionKeyProps.  | 
|  encryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SNS Topic with.  | 
|  encryptionKeyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SNS Topic with.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  snsTopic  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)   |  Returns an instance of the SNS topic created by the pattern.  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function to access the Firehose Delivery Stream
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + (default) SNS_TOPIC_NAME
  + (default) SNS_TOPIC_ARN
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

### Amazon SNS Topic

+ Configure least privilege access permissions for SNS Topic
+ Enable server-side encryption for SNS Topic using AWS managed KMS Key
+ Enforce encryption of data in transit

## Architecture


![\[Diagram showing the Lambda function, SNS topic and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-sns.png)


## Example Lambda Function Implementation


While Solutions Constructs does not publish code for the Lambda function to call SNS, here are many examples: ['example'](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/sns/actions). (these examples are in JavaScript, but examples in other languages can also be found at this site)

## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-sns) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-sqs-lambda


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_sqs_lambda`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-sqs-lambda`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdasqslambda`   | 

## Overview


This AWS Solutions Construct implements (1) an AWS Lambda function that is configured to send messages to a queue; (2) an Amazon SQS queue; and (3) an AWS Lambda function configured to consume messages from the queue.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToSqsToLambda, LambdaToSqsToLambdaProps } from "@aws-solutions-constructs/aws-lambda-sqs-lambda";
import * as lambda from 'aws-cdk-lib/aws-lambda';

new LambdaToSqsToLambda(this, 'LambdaToSqsToLambdaPattern', {
  producerLambdaFunctionProps: {
      runtime: lambda.Runtime.NODEJS_22_X,
      handler: 'index.handler',
      code: lambda.Code.fromAsset(`producer-lambda`)
  },
  consumerLambdaFunctionProps: {
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler',
    code: lambda.Code.fromAsset(`consumer-lambda`)
  }
});
```

```
from aws_solutions_constructs.aws_lambda_sqs_lambda import LambdaToSqsToLambda
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

LambdaToSqsToLambda(
    self, 'LambdaToSqsToLambdaPattern',
    producer_lambda_function_props=_lambda.FunctionProps(
        code=_lambda.Code.from_asset('producer_lambda'),
        runtime=_lambda.Runtime.PYTHON_3_14,
        handler='index.handler'
    ),
    consumer_lambda_function_props=_lambda.FunctionProps(
        code=_lambda.Code.from_asset('consumer_lambda'),
        runtime=_lambda.Runtime.PYTHON_3_14,
        handler='index.handler'
    )
)
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdasqslambda.*;

new LambdaToSqsToLambda(this, "LambdaToSqsToLambdaPattern", new LambdaToSqsToLambdaProps.Builder()
        .producerLambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("producer-lambda"))
                .handler("index.handler")
                .build())
        .consumerLambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("consumer-lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingProducerLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  An optional, existing Lambda function to be used instead of the default function for sending messages to the queue. Providing both this and `producerLambdaFunctionProps` will cause an error.  | 
|  producerLambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional user-provided properties to override the default properties for the producer Lambda function.  | 
|  existingQueueObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  An optional, existing SQS queue to be used instead of the default queue. Providing both this and `queueProps` will cause an error.  | 
|  queueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional - user provided properties to override the default properties for the SQS queue. Providing both this and `existingQueueObj` will cause an error.  | 
|  deployDeadLetterQueue?  |   `boolean`   |  Whether to create a secondary queue to be used as a dead letter queue. Defaults to `true`.  | 
|  deadLetterQueueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional user-provided props to override the default props for the dead letter queue. Only used if the `deployDeadLetterQueue` property is set to `true`.  | 
|  maxReceiveCount?  |   `number`   |  The number of times a message can be unsuccessfully dequeued before being moved to the dead letter queue. Defaults to `15`.  | 
|  existingConsumerLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  An optional, existing Lambda function to be used instead of the default function for receiving/consuming messages from the queue. Providing both this and `consumerLambdaFunctionProps` will cause an error.  | 
|  consumerLambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional user-provided properties to override the default properties for the consumer Lambda function.  | 
|  queueEnvironmentVariableName?  |   `string`   |  Optional name for the Lambda function environment variable set to the URL of the queue. Default: SQS_QUEUE_URL  | 
|  sqsEventSourceProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_event_sources.SqsEventSourceProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_event_sources.SqsEventSourceProps.html)   |  Optional user provided properties for the queue event source.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and an Interface Endpoint will be created in the VPC for Amazon SQS. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user-provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  producerLambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the producer Lambda function created by the pattern.  | 
|  sqsQueue  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the SQS queue created by the pattern.  | 
|  deadLetterQueue?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the dead letter queue created by the pattern, if one is deployed.  | 
|  consumerLambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the consumer Lambda function created by the pattern.  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

## Default Settings


Out-of-the-box implementation of this Construct (without any overridden properties) will adhere to the following defaults:

### AWS Lambda Functions

+ Configure limited privilege access IAM role for Lambda functions.
+ Enable reusing connections with Keep-Alive for NodeJs Lambda functions.
+ Enable X-Ray Tracing
+ Set Environment Variables
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

### Amazon SQS Queue

+ Deploy a dead letter queue for the primary queue.
+ Enable server-side encryption for the primary queue using an AWS Managed KMS Key.
+ Enforce encryption of data in transit

## Architecture


![\[Diagram showing the Lambda functions, SQS queue and dlq, CloudWatch log groups and IAM roles created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-sqs-lambda.png)


## Example Lambda Function Implementation


While Solutions Constructs does not publish code for the Lambda function to interact with SQS, here are many examples: [examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/sqs/actions). (These examples are in JavaScript, but examples in other languages can also be found at this site.)

## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-sqs-lambda) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-sqs


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_sqs`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-sqs`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdasqs`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function connected to an Amazon SQS queue.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToSqs, LambdaToSqsProps } from "@aws-solutions-constructs/aws-lambda-sqs";
import * as lambda from 'aws-cdk-lib/aws-lambda';

new LambdaToSqs(this, 'LambdaToSqsPattern', {
  lambdaFunctionProps: {
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler',
    code: lambda.Code.fromAsset(`lambda`)
  }
});
```

```
from aws_solutions_constructs.aws_lambda_sqs import LambdaToSqs
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

LambdaToSqs(
    self, 'test-lambda-sqs-stack',
    lambda_function_props=_lambda.FunctionProps(
        code=_lambda.Code.from_asset('lambda'),
        runtime=_lambda.Runtime.PYTHON_3_14,
        handler='index.handler'
    )
)
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdasqs.*;

new LambdaToSqs(this, "test-lambda-sqs-stack", new LambdaToSqsProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  existingQueueObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  An optional, existing SQS queue to be used instead of the default queue. Providing both this and `queueProps` will cause an error.  | 
|  queueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional - user provided properties to override the default properties for the SQS queue. Providing both this and `existingQueueObj` will cause an error.  | 
|  enableQueuePurging?  |   `boolean`   |  Whether to grant additional permissions to the Lambda function enabling it to purge the SQS queue. Defaults to `false`.  | 
|  deployDeadLetterQueue?  |   `boolean`   |  Whether to create a secondary queue to be used as a dead letter queue. Defaults to `true`.  | 
|  deadLetterQueueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional user-provided props to override the default props for the dead letter queue. Only used if the `deployDeadLetterQueue` property is set to true.  | 
|  maxReceiveCount?  |   `number`   |  The number of times a message can be unsuccessfully dequeued before being moved to the dead letter queue. Defaults to `15`.  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and an Interface Endpoint will be created in the VPC for Amazon SQS. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user-provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 
|  queueEnvironmentVariableName?  |   `string`   |  Optional name for the Lambda function environment variable set to the URL of the queue. Default: SQS_QUEUE_URL  | 
|  enableEncryptionWithCustomerManagedKey?  |   `boolean`   |  If no key is provided, this flag determines whether the queue is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: queueProps.encryptionMasterKey, encryptionKey or encryptionKeyProps.  | 
|  encryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SQS Queue with.  | 
|  encryptionKeyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SQS queue with.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  sqsQueue  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the SQS queue created by the pattern.  | 
|  deadLetterQueue?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the dead letter queue created by the pattern, if one is deployed.  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function.
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function.
+ Allow the function to send messages only to the queue (purging can be enabled using the `enableQueuePurging` property).
+ Enable X-Ray Tracing
+ Set Environment Variables
  + SQS_QUEUE_URL
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

### Amazon SQS Queue

+ Deploy SQS dead-letter queue for the source SQS Queue.
+ Enable server-side encryption for source SQS Queue using AWS Managed KMS Key.
+ Enforce encryption of data in transit
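
The encryption-at-rest, encryption-in-transit and dead letter queue defaults listed for the SNS topic and SQS queues in the aws-lambda-sns, aws-lambda-sqs-lambda and aws-lambda-sqs patterns can be confirmed against the synthesized CloudFormation template once props have been overridden. The script below is an added example, not Solutions Constructs code; the sample template and its logical IDs are constructed, and the transit check only looks for a `Deny` statement on `aws:SecureTransport`, not its principal, action or resource scope.

```python
# Added example: audits a synthesized CloudFormation template (constructed
# sample below) for the SQS/SNS defaults this page lists.
NO_KMS = "no KMS key (KmsMasterKeyId) set"
NO_TLS = "no resource policy denying aws:SecureTransport=false"
NO_DLQ = "no dead letter queue (RedrivePolicy)"

# Policy resource type -> property listing the queues/topics it applies to.
POLICY_TYPES = {"AWS::SQS::QueuePolicy": "Queues", "AWS::SNS::TopicPolicy": "Topics"}
TARGET_TYPES = {"AWS::SQS::Queue", "AWS::SNS::Topic"}


def as_list(value):
    """IAM and CloudFormation allow a scalar where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def logical_id(ref):
    """Resolve {'Ref': id} or {'Fn::GetAtt': [id, attr]} to a logical id."""
    if not isinstance(ref, dict):
        return None
    if "Ref" in ref:
        return ref["Ref"]
    att = ref.get("Fn::GetAtt")
    if isinstance(att, str):
        return att.split(".")[0]
    return att[0] if isinstance(att, list) and att else None


def denies_plaintext(statement):
    """True for a Deny statement conditioned on aws:SecureTransport being false."""
    if statement.get("Effect") != "Deny":
        return False
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() != "bool":
            continue
        for key, value in keys.items():
            if key.lower() == "aws:securetransport" and any(
                str(v).lower() == "false" for v in as_list(value)
            ):
                return True
    return False


def audit(template):
    """Return (logical_id, finding) pairs for queues and topics, sorted by id."""
    resources = template.get("Resources", {})
    tls_enforced, dlq_targets = set(), set()
    # Pass 1: record which resources a TLS-enforcing policy covers, and which
    # queues are referenced as dead letter targets.
    for res in resources.values():
        props = res.get("Properties", {})
        attach_key = POLICY_TYPES.get(res.get("Type"))
        if attach_key:
            statements = as_list(props.get("PolicyDocument", {}).get("Statement"))
            if any(denies_plaintext(s) for s in statements):
                for ref in as_list(props.get(attach_key)):
                    tls_enforced.add(logical_id(ref))
        redrive = props.get("RedrivePolicy")
        if res.get("Type") == "AWS::SQS::Queue" and isinstance(redrive, dict):
            dlq_targets.add(logical_id(redrive.get("deadLetterTargetArn")))

    # Pass 2: compare every queue and topic with the documented defaults.
    findings = []
    for name, res in sorted(resources.items()):
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype not in TARGET_TYPES:
            continue
        if not props.get("KmsMasterKeyId"):
            findings.append((name, NO_KMS))
        if name not in tls_enforced:
            findings.append((name, NO_TLS))
        is_dlq = name in dlq_targets  # a DLQ itself needs no RedrivePolicy
        if rtype == "AWS::SQS::Queue" and not is_dlq and "RedrivePolicy" not in props:
            findings.append((name, NO_DLQ))
    return findings


# Constructed sample: one queue matching the defaults, two resources that do not.
DENY_PLAINTEXT = {
    "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "SQS:*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}
SAMPLE_TEMPLATE = {"Resources": {
    "GoodQueue": {"Type": "AWS::SQS::Queue", "Properties": {
        "KmsMasterKeyId": "alias/aws/sqs",
        "RedrivePolicy": {"deadLetterTargetArn": {"Fn::GetAtt": ["GoodDlq", "Arn"]},
                          "maxReceiveCount": 15}}},
    "GoodDlq": {"Type": "AWS::SQS::Queue",
                "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
    "GoodQueuePolicy": {"Type": "AWS::SQS::QueuePolicy", "Properties": {
        "Queues": [{"Ref": "GoodQueue"}, {"Ref": "GoodDlq"}],
        "PolicyDocument": {"Statement": [DENY_PLAINTEXT]}}},
    "LegacyQueue": {"Type": "AWS::SQS::Queue",
                    "Properties": {"KmsMasterKeyId": "alias/aws/sqs"}},
    "LegacyQueuePolicy": {"Type": "AWS::SQS::QueuePolicy", "Properties": {
        "Queues": [{"Ref": "LegacyQueue"}],
        "PolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "sqs:SendMessage",
            "Principal": {"Service": "sns.amazonaws.com"}}]}}},
    "OverriddenTopic": {"Type": "AWS::SNS::Topic"},
}}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_TEMPLATE):
        print(f"{name}: {finding}")
```

To audit a real stack, load the JSON template that `cdk synth` writes under `cdk.out/` and pass the parsed dictionary to `audit()`.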

## Architecture


![\[Diagram showing the Lambda function, SQS queue and dlq, CloudWatch log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-sqs.png)


## Example Lambda Function Implementation


While Solutions Constructs does not publish code for the Lambda function to interact with SQS, here are many examples: [examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/sqs/actions). (These examples are in JavaScript, but examples in other languages can also be found at this site.)

## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-sqs) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-ssmstringparameter


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_ssm_string_parameter`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-ssmstringparameter`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdassmstringparameter`   | 

## Overview


This AWS Solutions Construct implements the AWS Lambda function and AWS Systems Manager Parameter Store String parameter with the least privileged permissions.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToSsmstringparameterProps,  LambdaToSsmstringparameter } from '@aws-solutions-constructs/aws-lambda-ssmstringparameter';
import * as lambda from 'aws-cdk-lib/aws-lambda';

const constructProps: LambdaToSsmstringparameterProps = {
  lambdaFunctionProps: {
    runtime: lambda.Runtime.NODEJS_22_X,
    code: lambda.Code.fromAsset(`lambda`),
    handler: 'index.handler'
  },
  stringParameterProps: { stringValue: "test-string-value" }
};

new LambdaToSsmstringparameter(this, 'test-lambda-ssmstringparameter-stack', constructProps);
```

```
from aws_solutions_constructs.aws_lambda_ssmstringparameter import LambdaToSsmstringparameter
from aws_cdk import (
    aws_lambda as _lambda,
    aws_ssm as ssm,
    Stack
)
from constructs import Construct

LambdaToSsmstringparameter(
    self, 'test-lambda-ssmstringparameter-stack',
    lambda_function_props=_lambda.FunctionProps(
        code=_lambda.Code.from_asset('lambda'),
        runtime=_lambda.Runtime.PYTHON_3_14,
        handler='index.handler'
    ),
    string_parameter_props=ssm.StringParameterProps(
        string_value="test-string-value")
)
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awscdk.services.ssm.*;
import software.amazon.awsconstructs.services.lambdassmstringparameter.*;

new LambdaToSsmstringparameter(this, "test-lambda-ssmstringparameter-stack",
        new LambdaToSsmstringparameterProps.Builder()
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_22_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .build())
                .stringParameterProps(new StringParameterProps.Builder()
                        .stringValue("test-string-value")
                        .build())
                .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  existingStringParameterObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameter.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameter.html)   |  Existing instance of SSM String parameter object, providing both this and `stringParameterProps` will cause an error  | 
|  stringParameterProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameterProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameterProps.html)   |  Optional user provided props to override the default props for SSM String parameter. If existingStringParameterObj is not set stringParameterProps is required. The only supported [`type`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameterProps.html#type) is [`ParameterType.STRING`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.ParameterType.html#string); if a different value is provided it will be overridden.  | 
|  stringParameterEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the name of the parameter. Default: SSM_STRING_PARAMETER_NAME  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and an Interface Endpoint will be created in the VPC for AWS Systems Manager Parameter. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user-provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 
|  stringParameterPermissions  |   `string`   |  Optional SSM String parameter permissions to grant to the Lambda function. One of the following may be specified: "Read", "ReadWrite".  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of lambda.Function created by the construct  | 
|  stringParameter  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameter.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameter.html)   |  Returns an instance of ssm.StringParameter created by the construct  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + (default) SSM_STRING_PARAMETER_NAME
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

### AWS Systems Manager Parameter Store String

+ Enable read-only access for the associated AWS Lambda Function
+ Creates a new SSM String parameter with the values provided
+ Retain the SSM String parameter when deleting the CloudFormation stack
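The read-only default and the `stringParameterPermissions` setting can be checked against the synthesized CloudFormation template before deployment. The following is an added example, not code from the Solutions Constructs project: the template is constructed for illustration, the logical IDs (`Param`, `FnRoleDefaultPolicy`) are hypothetical, and the action lists assume what CDK's `StringParameter.grantRead()` and `grantWrite()` emit.

```python
# Actions assumed to be emitted by CDK's StringParameter.grantRead()/grantWrite().
READ_ACTIONS = ["ssm:DescribeParameters", "ssm:GetParameters",
                "ssm:GetParameter", "ssm:GetParameterHistory"]
WRITE_ACTIONS = ["ssm:PutParameter"]
READ = {a.lower() for a in READ_ACTIONS}  # IAM action names are case-insensitive
ALLOWED = {"Read": READ, "ReadWrite": READ | {a.lower() for a in WRITE_ACTIONS}}


def as_list(value):
    return value if isinstance(value, list) else [value]


def iam_statements(template):
    """Yield (location, statement) from AWS::IAM::Policy and inline role policies."""
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Policy":
            docs = [props.get("PolicyDocument", {})]
        elif res.get("Type") == "AWS::IAM::Role":
            docs = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
        else:
            continue
        for doc in docs:
            for index, stmt in enumerate(as_list(doc.get("Statement", []))):
                yield f"{logical_id}[{index}]", stmt


def referenced_ids(node):
    """Logical IDs reached through Ref or Fn::GetAtt inside a Resource value."""
    if isinstance(node, list):
        return set().union(*(referenced_ids(n) for n in node))
    if not isinstance(node, dict):
        return set()
    found = set()
    for key, value in node.items():
        if key == "Ref" and isinstance(value, str):
            found.add(value)
        elif key == "Fn::GetAtt":
            found.add(value[0] if isinstance(value, list) else value.split(".")[0])
        else:
            found |= referenced_ids(value)
    return found


def has_wildcard(node):
    """True when any literal string inside a Resource value contains '*'."""
    if isinstance(node, str):
        return "*" in node
    if isinstance(node, dict):
        return any(has_wildcard(v) for v in node.values())
    if isinstance(node, list):
        return any(has_wildcard(v) for v in node)
    return False


def audit_ssm_grants(template, permissions="Read"):
    """Return findings for SSM grants broader than the requested permission level."""
    allowed = ALLOWED[permissions]
    params = {lid for lid, res in template.get("Resources", {}).items()
              if res.get("Type") == "AWS::SSM::Parameter"}
    findings = []
    for where, stmt in iam_statements(template):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in as_list(stmt.get("Action", []))
                   if a == "*" or a.lower().startswith("ssm:")]
        if not actions:
            continue  # e.g. the X-Ray statement, which is out of scope here
        for action in actions:
            if "*" in action:
                findings.append(f"{where}: wildcard action {action}")
            elif action.lower() not in allowed:
                findings.append(f"{where}: {action} exceeds {permissions}")
        for resource in as_list(stmt.get("Resource", [])):
            if has_wildcard(resource):
                findings.append(f"{where}: wildcard resource")
            elif not referenced_ids(resource) & params:
                findings.append(f"{where}: resource is not a parameter in this template")
    return findings


# Constructed template fragment shaped like `cdk synth` output for this pattern.
PARAM_ARN = {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":ssm:",
                               {"Ref": "AWS::Region"}, ":", {"Ref": "AWS::AccountId"},
                               ":parameter/", {"Ref": "Param"}]]}


def sample_template(actions, resource):
    return {"Resources": {
        "Param": {"Type": "AWS::SSM::Parameter",
                  "Properties": {"Type": "String", "Value": "test-string-value"}},
        "FnRoleDefaultPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
            "PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Resource": "*",
                 "Action": ["xray:PutTraceSegments", "xray:PutTelemetryRecords"]},
                {"Effect": "Allow", "Action": actions, "Resource": resource},
            ]}}},
    }}


if __name__ == "__main__":
    drifted = sample_template(READ_ACTIONS + WRITE_ACTIONS, PARAM_ARN)
    print(audit_ssm_grants(drifted, "Read"))
```

To run it against a real stack, load the JSON template that `cdk synth` writes under `cdk.out` and pass the parsed dictionary to `audit_ssm_grants`.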

## Architecture


![\[Diagram showing the Lambda function, SSM string parameter, CloudWatch log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-ssmstringparameter.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-ssmstringparameter) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-stepfunctions


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_stepfunctions`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-stepfunctions`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdastepfunctions`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function connected to an AWS Step Functions state machine.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToStepfunctions } from '@aws-solutions-constructs/aws-lambda-stepfunctions';
import * as stepfunctions from 'aws-cdk-lib/aws-stepfunctions';
import * as lambda from 'aws-cdk-lib/aws-lambda';

const startState = new stepfunctions.Pass(this, 'StartState');

new LambdaToStepfunctions(this, 'LambdaToStepfunctionsPattern', {
  lambdaFunctionProps: {
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler',
    code: lambda.Code.fromAsset(`lambda`)
  },
  stateMachineProps: {
    definition: startState
  }
});
```

```
from aws_solutions_constructs.aws_lambda_stepfunctions import LambdaToStepfunctions
from aws_cdk import (
    aws_lambda as _lambda,
    aws_stepfunctions as stepfunctions,
    Stack
)
from constructs import Construct

start_state = stepfunctions.Pass(self, 'start_state')

LambdaToStepfunctions(
    self, 'test-lambda-stepfunctions-stack',
    lambda_function_props=_lambda.FunctionProps(
        code=_lambda.Code.from_asset('lambda'),
        runtime=_lambda.Runtime.PYTHON_3_14,
        handler='index.handler'
    ),
    state_machine_props=stepfunctions.StateMachineProps(
        definition=start_state)
)
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awscdk.services.stepfunctions.*;
import software.amazon.awsconstructs.services.lambdastepfunctions.*;

final Pass startState = new Pass(this, "StartState");

new LambdaToStepfunctions(this, "test-lambda-stepfunctions-stack",
        new LambdaToStepfunctionsProps.Builder()
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_22_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .build())
                .stateMachineProps(new StateMachineProps.Builder()
                        .definition(startState)
                        .build())
                .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  stateMachineProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachineProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachineProps.html)   |  User provided props for the sfn.StateMachine. This or existingStateMachine is required. If you provide a value for logs.destination, it must be an ILogGroup even though the prop type is ILogGroupRef. The CDK change to ILogGroupRef in v2.235.0 is incompatible with our interface without introducing breaking changes, so we still require an ILogGroup (as this implements ILogGroupRef, you can just assign it to logs.destination)  | 
|  createCloudWatchAlarms  |   `boolean`   |  Whether to create recommended CloudWatch alarms  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  User provided props to override the default props for the CloudWatchLogs LogGroup.  | 
|  stateMachineEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the ARN of the state machine. Default: STATE_MACHINE_ARN  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and an Interface Endpoint will be created in the VPC for Amazon Step Functions. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user-provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  stateMachine  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachine.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachine.html)   |  Returns an instance of StateMachine created by the construct.  | 
|  stateMachineLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.ILogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.ILogGroup.html)   |  Returns an instance of the ILogGroup created by the construct for StateMachine  | 
|  cloudwatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns a list of alarms created by the construct.  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + (default) STATE_MACHINE_ARN
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

### AWS Step Functions

+ Enable CloudWatch logging for API Gateway
+ Deploy best practices CloudWatch Alarms for the Step Functions

## Architecture


![\[Diagram showing the Lambda function, Step Functions state machine and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-stepfunctions.png)


## Example Lambda Function Implementation


While Solutions Constructs does not publish code for the Lambda function to work with Step Functions, here are several examples: [examples](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/stepfunctions). These examples are in Python, but examples in other languages can also be found at this site.
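A handler sketch for this pattern, added here as an example and not published by the Solutions Constructs project: it takes the state machine ARN only from the `STATE_MACHINE_ARN` environment variable set by the construct, never from the caller, and validates the event before starting an execution. The `orderId`/`amount` input contract and the sample ARN are hypothetical, and the function's role is assumed to be allowed to start executions of that state machine.

```python
import hashlib
import json
import os
import re

ARN_RE = re.compile(
    r"arn:aws[a-z-]*:states:[a-z0-9-]+:\d{12}:stateMachine:[^\s:/]{1,80}")
ORDER_ID_RE = re.compile(r"[A-Za-z0-9-]{1,64}")
ALLOWED_KEYS = {"orderId", "amount"}  # hypothetical input contract

# Constructed sample values (not taken from any real account).
SAMPLE_ENV = {"STATE_MACHINE_ARN":
              "arn:aws:states:us-east-1:111122223333:stateMachine:ExampleStateMachine"}
SAMPLE_EVENT = {"orderId": "A-1001", "amount": 25}


def build_start_request(event, env=None):
    """Validate the event and build the arguments for StartExecution."""
    env = os.environ if env is None else env
    # The target comes from deployment-time configuration only; fail closed if
    # the variable is absent (for example after renaming it with
    # stateMachineEnvironmentVariableName) or does not look like a state machine ARN.
    arn = env.get("STATE_MACHINE_ARN", "")
    if not ARN_RE.fullmatch(arn):
        raise RuntimeError("STATE_MACHINE_ARN is missing or malformed")
    # Reject unknown keys so a caller cannot smuggle fields such as an ARN
    # or extra state into the execution input.
    if not isinstance(event, dict) or set(event) != ALLOWED_KEYS:
        raise ValueError("event must contain exactly: " + ", ".join(sorted(ALLOWED_KEYS)))
    order_id, amount = event["orderId"], event["amount"]
    if not isinstance(order_id, str) or not ORDER_ID_RE.fullmatch(order_id):
        raise ValueError("orderId has an unexpected format")
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 < amount <= 1_000_000:
        raise ValueError("amount must be an integer between 1 and 1000000")
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    # Deterministic name: a retried invocation with the same payload maps to
    # the same execution name instead of starting a second workflow.
    name = "order-" + hashlib.sha256(body.encode("utf-8")).hexdigest()[:32]
    return {"stateMachineArn": arn, "name": name, "input": body}


def handler(event, context, sfn=None):
    """Lambda entry point; `sfn` can be injected for tests."""
    request = build_start_request(event)
    if sfn is None:
        import boto3  # available in the Lambda Python runtime
        sfn = boto3.client("stepfunctions")
    try:
        result = sfn.start_execution(**request)
    except sfn.exceptions.ExecutionAlreadyExists:
        # The execution name was already used for this state machine.
        return {"status": "duplicate", "name": request["name"]}
    return {"status": "started", "executionArn": result["executionArn"]}


if __name__ == "__main__":
    print(build_start_request(SAMPLE_EVENT, SAMPLE_ENV))
```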

## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-stepfunctions) for this pattern to view the code, read/create issues and pull requests and more.



# aws-lambda-textract


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_textract`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-lambda-textract`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdatextract`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function connected to Amazon Textract service. For asynchronous document analysis jobs, the construct can optionally create source and destination S3 buckets with appropriate IAM permissions for the Lambda function to interact with both buckets and Amazon Textract service.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToTextract } from '@aws-solutions-constructs/aws-lambda-textract';
import * as lambda from 'aws-cdk-lib/aws-lambda';

new LambdaToTextract(this, 'LambdaToTextractPattern', {
    lambdaFunctionProps: {
        runtime: lambda.Runtime.NODEJS_22_X,
        handler: 'index.handler',
        code: lambda.Code.fromAsset(`lambda`)
    }
});
```

```
from aws_solutions_constructs.aws_lambda_textract import LambdaToTextract
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

LambdaToTextract(self, 'LambdaToTextractPattern',
        lambda_function_props=_lambda.FunctionProps(
            code=_lambda.Code.from_asset('lambda'),
            runtime=_lambda.Runtime.PYTHON_3_14,
            handler='index.handler'
        )
        )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdatextract.*;

new LambdaToTextract(this, "LambdaToTextractPattern", new LambdaToTextractProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Existing instance of Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error. Function will have these Textract permissions: ['textract:DetectDocumentText', 'textract:AnalyzeDocument', 'textract:AnalyzeExpense', 'textract:AnalyzeID']. When asyncJobs is true, ['textract:Start/GetDocumentTextDetection', 'textract:Start/GetDocumentAnalysis', 'textract:Start/GetDocumentAnalysis', 'textract:Start/GetLendingAnalysis' ]  | 
|  asyncJobs?  |   `boolean`   |  Whether to enable asynchronous document analysis jobs. When true, source and destination S3 buckets will be created and the Lambda function will be granted permissions to start and get status of document analysis jobs. Default: false  | 
|  existingSourceBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Existing instance of S3 Bucket object for source documents. If this is provided, then also providing sourceBucketProps causes an error. Only valid when asyncJobs is true.  | 
|  sourceBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the source S3 Bucket. Only valid when asyncJobs is true.  | 
|  existingDestinationBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Existing instance of S3 Bucket object for analysis results. If this is provided, then also providing destinationBucketProps causes an error. Only valid when asyncJobs is true.  | 
|  destinationBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the destination S3 Bucket. Only valid when asyncJobs is true.  | 
|  useSameBucket?  |   `boolean`   |  Whether to use the same S3 bucket for both source and destination files. When true, only the source bucket will be created and used for both purposes. Only valid when asyncJobs is true. Default: false  | 
|  createCustomerManagedOutputBucket?  |   `boolean`   |  Whether to create a bucket to receive the output of Textract batch jobs. If this is true, the construct will set up an S3 bucket for output; if this is false, Textract jobs will send their output to an AWS managed S3 bucket. Default: true  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and Interface Endpoints will be created in the VPC for Amazon Textract. If asyncJobs is true, Interface Endpoints for Amazon S3 will also be created. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern.  | 
|  sourceBucketEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the name of the source bucket. Only valid when asyncJobs is true. Default: SOURCE_BUCKET_NAME  | 
|  destinationBucketEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the name of the destination bucket. Only valid when asyncJobs is true. Default: DESTINATION_BUCKET_NAME  | 
|  dataAccessRoleArnEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the ARN of the IAM role used for asynchronous document analysis jobs. Only valid when asyncJobs is true. Default: SNS_ROLE_ARN  | 
|  snsNotificationTopicArnEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the ARN of the SNS topic used for asynchronous job completion notifications. Only valid when asyncJobs is true. Default: SNS_TOPIC_ARN  | 
|  existingNotificationTopicObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - existing instance of SNS topic object, providing both this and `notificationTopicProps` will cause an error. Only valid when asyncJobs is true.  | 
|  existingNotificationTopicEncryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  If an existing topic is provided in the `existingNotificationTopicObj` property, and that topic is encrypted with a customer managed KMS key, this property must specify that key. Only valid when asyncJobs is true.  | 
|  notificationTopicProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html)   |  Optional - user provided properties to override the default properties for the SNS topic. Providing both this and `existingNotificationTopicObj` causes an error. Only valid when asyncJobs is true.  | 
|  enableNotificationTopicEncryptionWithCustomerManagedKey?  |   `boolean`   |  If no key is provided, this flag determines whether the SNS Topic is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: notificationTopicProps.masterKey, notificationTopicEncryptionKey or notificationTopicEncryptionKeyProps. Only valid when asyncJobs is true.  | 
|  notificationTopicEncryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SNS Topic with. Only valid when asyncJobs is true.  | 
|  notificationTopicEncryptionKeyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SNS Topic with. Only valid when asyncJobs is true.  | 
|  sourceLoggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the source S3 Logging Bucket. Only valid when asyncJobs is true.  | 
|  destinationLoggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the destination S3 Logging Bucket. Only valid when asyncJobs is true.  | 
|  logSourceS3AccessLogs?  |   `boolean`   |  Whether to turn on Access Logging for the source S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. Only valid when asyncJobs is true. Default: true  | 
|  logDestinationS3AccessLogs?  |   `boolean`   |  Whether to turn on Access Logging for the destination S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. Only valid when asyncJobs is true. Default: true  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  sourceBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of the source S3 bucket if it is created by the pattern.  | 
|  destinationBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of the destination S3 bucket if it is created by the pattern.  | 
|  sourceLoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the source bucket.  | 
|  destinationLoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the destination bucket.  | 
|  snsNotificationTopic?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)   |  Returns an instance of the SNS topic created for asynchronous job completion notifications when asyncJobs is true.  | 
|  notificationTopicEncryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.IKey.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.IKey.html)   |  Returns an instance of kms.IKey used for the SNS Topic.  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 
|  sourceBucketInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an interface of s3.IBucket used by the construct for the source bucket whether created by the pattern or supplied from the client.  | 
|  destinationBucketInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an interface of s3.IBucket used by the construct for the destination bucket whether created by the pattern or supplied from the client.  | 

## Default settings


The out-of-the-box implementation of the construct, without any overrides, sets the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + (default) SOURCE_BUCKET_NAME (when asyncJobs is true)
  + (default) DESTINATION_BUCKET_NAME (when asyncJobs is true)
  + (default) SNS_ROLE_ARN (when asyncJobs is true)
  + (default) SNS_TOPIC_ARN (when asyncJobs is true)
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)
+ Grant permissions to use Amazon Textract service (['textract:DetectDocumentText', 'textract:AnalyzeDocument', 'textract:AnalyzeExpense', 'textract:AnalyzeID'] by default)
+ When asyncJobs is true, grant permissions to start and get status of document analysis jobs (textract:StartDocumentAnalysis, textract:StartDocumentTextDetection, textract:StartExpenseAnalysis, textract:GetDocumentAnalysis, textract:GetDocumentTextDetection, textract:GetExpenseAnalysis), read from source bucket, and read and write to destination bucket

### Amazon S3 Buckets (when asyncJobs is true)

+ Configure Access logging for both S3 Buckets
+ Enable server-side encryption for both S3 Buckets using AWS managed KMS Key
+ Enforce encryption of data in transit
+ Turn on the versioning for both S3 Buckets
+ Don’t allow public access for both S3 Buckets
+ Retain the S3 Buckets when deleting the CloudFormation stack
+ Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days

### Amazon SNS Topic (when asyncJobs is true)

+ Configure server-side encryption using AWS managed KMS Key
+ Create topic for asynchronous job completion notifications

### Amazon Textract Service

+ Lambda function will have permissions to call ['textract:DetectDocumentText', 'textract:AnalyzeDocument', 'textract:AnalyzeExpense', 'textract:AnalyzeID'] operations

 **When asyncJobs is true** 
+ Lambda function will add permissions to call [ 'textract:StartDocumentTextDetection', 'textract:GetDocumentTextDetection', 'textract:StartDocumentAnalysis', 'textract:GetDocumentAnalysis', 'textract:StartExpenseAnalysis', 'textract:GetExpenseAnalysis', 'textract:StartLendingAnalysis', 'textract:GetLendingAnalysis' ]
+ When asyncJobs is true, an SNS topic will be created and the Lambda function is granted permission to call ['sns:Publish']

### Amazon VPC

+ If deployVpc is true, a minimal VPC will be created with:
  + Interface Endpoints for Amazon Textract
  + Interface Endpoints for Amazon S3 (when asyncJobs is true)
  + Interface Endpoints for Amazon SNS (when asyncJobs is true)
  + Private subnets for Lambda function
  + Appropriate security groups and routing

## Architecture


 **Default Implementation** 

![\[Diagram showing the Lambda function, Amazon Textract service, and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-textract.png)


 **Default Implementation when asyncJobs = true** 

![\[Diagram showing the Lambda function, source and destination S3 buckets (when asyncJobs is true), SNS topic, Amazon Textract service, and IAM roles created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-textract-async.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-textract) for this pattern to view the code, read/create issues and pull requests and more.



© Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

# aws-lambda-transcribe


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_transcribe`   | 
|   ![\[TypeScript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) TypeScript  |   `@aws-solutions-constructs/aws-lambda-transcribe`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdatranscribe`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function connected to Amazon S3 buckets for use with Amazon Transcribe. The construct creates a source bucket for audio files and a destination bucket for transcription results, with appropriate IAM permissions for the Lambda function to interact with both buckets and Amazon Transcribe service.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToTranscribe } from '@aws-solutions-constructs/aws-lambda-transcribe';
import * as lambda from 'aws-cdk-lib/aws-lambda';

new LambdaToTranscribe(this, 'LambdaToTranscribePattern', {
    lambdaFunctionProps: {
        runtime: lambda.Runtime.NODEJS_22_X,
        handler: 'index.handler',
        code: lambda.Code.fromAsset(`lambda`)
    }
});
```

```
from aws_solutions_constructs.aws_lambda_transcribe import LambdaToTranscribe
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

LambdaToTranscribe(self, 'LambdaToTranscribePattern',
        lambda_function_props=_lambda.FunctionProps(
            code=_lambda.Code.from_asset('lambda'),
            runtime=_lambda.Runtime.PYTHON_3_14,
            handler='index.handler'
        )
        )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdatranscribe.*;

new LambdaToTranscribe(this, "LambdaToTranscribePattern", new LambdaToTranscribeProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional user provided props to override the default props for the Lambda function.  | 
|  existingSourceBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Existing instance of S3 Bucket object for source audio files. If this is provided, then also providing sourceBucketProps causes an error.  | 
|  sourceBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the source S3 Bucket.  | 
|  existingDestinationBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Existing instance of S3 Bucket object for transcription results. If this is provided, then also providing destinationBucketProps causes an error.  | 
|  destinationBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the destination S3 Bucket.  | 
|  useSameBucket?  |   `boolean`   |  Whether to use the same S3 bucket for both source and destination files. When true, only the source bucket will be created and used for both purposes. Default: false  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and Interface Endpoints will be created in the VPC for Amazon S3 and Amazon Transcribe. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern.  | 
|  sourceBucketEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the name of the source bucket. Default: SOURCE_BUCKET_NAME  | 
|  destinationBucketEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the name of the destination bucket. Default: DESTINATION_BUCKET_NAME  | 
|  sourceLoggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the source S3 Logging Bucket.  | 
|  destinationLoggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the destination S3 Logging Bucket.  | 
|  logSourceS3AccessLogs?  |  boolean  |  Whether to turn on Access Logging for the source S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true  | 
|  logDestinationS3AccessLogs?  |  boolean  |  Whether to turn on Access Logging for the destination S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  sourceBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of the source S3 bucket if it is created by the pattern.  | 
|  destinationBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of the destination S3 bucket if it is created by the pattern.  | 
|  sourceLoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the source bucket.  | 
|  destinationLoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the destination bucket.  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 
|  sourceBucketInterface  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an interface of s3.IBucket used by the construct for the source bucket whether created by the pattern or supplied from the client.  | 
|  destinationBucketInterface  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an interface of s3.IBucket used by the construct for the destination bucket whether created by the pattern or supplied from the client.  | 

## Default settings


The out-of-the-box implementation of the construct, without any overrides, sets the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + (default) SOURCE_BUCKET_NAME
  + (default) DESTINATION_BUCKET_NAME
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)
+ Grant permissions to use Amazon Transcribe service, write permissions to the source bucket, and read permissions to the destination bucket

### Amazon S3 Buckets

+ Configure Access logging for both S3 Buckets
+ Enable server-side encryption for both S3 Buckets using AWS managed KMS Key
+ Enforce encryption of data in transit
+ Turn on the versioning for both S3 Buckets
+ Don’t allow public access for both S3 Buckets
+ Retain the S3 Buckets when deleting the CloudFormation stack
+ Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days

### Amazon Transcribe Service

+ The Transcribe service will have read access to the source bucket and write permissions to the destination bucket
+ Lambda function will have permissions to start transcription jobs, get job status, and list transcription jobs

### Amazon VPC

+ If deployVpc is true, a minimal VPC will be created with:
  + Interface Endpoints for Amazon S3 and Amazon Transcribe
  + Private subnets for Lambda function
  + Appropriate security groups and routing

## Architecture


![\[Diagram showing the Lambda function, source and destination S3 buckets, Amazon Transcribe service, and IAM roles created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-transcribe.png)


## Example Lambda Function Implementation


While Solutions Constructs does not publish code for the Lambda function to call Transcribe, here is an [example](https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javascriptv3/example_code/transcribe/src/transcribe_create_job.js) of calling Transcribe. This example is in JavaScript, but examples in other languages can also be found at this site.

## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-transcribe) for this pattern to view the code, read/create issues and pull requests and more.




# aws-lambda-translate


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_lambda_translate`   | 
|   ![\[TypeScript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) TypeScript  |   `@aws-solutions-constructs/aws-lambda-translate`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.lambdatranslate`   | 

## Overview


This AWS Solutions Construct implements an AWS Lambda function connected to Amazon Translate service. For asynchronous translation jobs, the construct can optionally create source and destination S3 buckets with appropriate IAM permissions for the Lambda function to interact with both buckets and Amazon Translate service.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToTranslate } from '@aws-solutions-constructs/aws-lambda-translate';
import * as lambda from 'aws-cdk-lib/aws-lambda';

new LambdaToTranslate(this, 'LambdaToTranslatePattern', {
    lambdaFunctionProps: {
        runtime: lambda.Runtime.NODEJS_22_X,
        handler: 'index.handler',
        code: lambda.Code.fromAsset(`lambda`)
    }
});
```

```
from aws_solutions_constructs.aws_lambda_translate import LambdaToTranslate
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

LambdaToTranslate(self, 'LambdaToTranslatePattern',
        lambda_function_props=_lambda.FunctionProps(
            code=_lambda.Code.from_asset('lambda'),
            runtime=_lambda.Runtime.PYTHON_3_14,
            handler='index.handler'
        )
        )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdatranslate.*;

new LambdaToTranslate(this, "LambdaToTranslatePattern", new LambdaToTranslateProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  asyncJobs?  |   `boolean`   |  Whether to enable asynchronous translation jobs. When true, source and destination S3 buckets will be created and the Lambda function will be granted permissions to start and stop translation jobs. Default: false  | 
|  existingSourceBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Existing instance of S3 Bucket object for source files. If this is provided, then also providing sourceBucketProps causes an error. Only valid when asyncJobs is true.  | 
|  sourceBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the source S3 Bucket. Only valid when asyncJobs is true.  | 
|  existingDestinationBucketObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Existing instance of S3 Bucket object for translation results. If this is provided, then also providing destinationBucketProps causes an error. Only valid when asyncJobs is true.  | 
|  destinationBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the destination S3 Bucket. Only valid when asyncJobs is true.  | 
|  useSameBucket?  |   `boolean`   |  Whether to use the same S3 bucket for both source and destination files. When true, only the source bucket will be created and used for both purposes. Only valid when asyncJobs is true. Default: false  | 
|  additionalPermissions?  |   `string[]`   |  Optional array of additional IAM permissions to grant to the Lambda function for Amazon Translate. This is intended for use with Translate actions and will assign a resource of `'*'`; permissions for other services with specific resources should be added using Function.addToRolePolicy(). Always added: ['translate:TranslateText', 'translate:TranslateDocument']  | 
|  existingVpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and Interface Endpoints will be created in the VPC for Amazon Translate. If asyncJobs is true, Interface Endpoints for Amazon S3 will also be created. If an existing VPC is provided, the `deployVpc` property cannot be `true`. This uses `ec2.IVpc` to allow clients to supply VPCs that exist outside the stack using the [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html#static-fromwbrlookupscope-id-options) method.  | 
|  vpcProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional user provided properties to override the default properties for the new VPC. `enableDnsHostnames`, `enableDnsSupport`, `natGateways` and `subnetConfiguration` are set by the pattern, so any values for those properties supplied here will be overridden. If `deployVpc` is not `true` then this property will be ignored.  | 
|  deployVpc?  |   `boolean`   |  Whether to create a new VPC based on `vpcProps` into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern.  | 
|  sourceBucketEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the name of the source bucket. Only valid when asyncJobs is true. Default: SOURCE_BUCKET_NAME  | 
|  destinationBucketEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the name of the destination bucket. Only valid when asyncJobs is true. Default: DESTINATION_BUCKET_NAME  | 
|  dataAccessRoleArnEnvironmentVariableName?  |   `string`   |  Optional Name for the Lambda function environment variable set to the ARN of the IAM role used for asynchronous translation jobs. Only valid when asyncJobs is true. Default: DATA_ACCESS_ROLE_ARN  | 
|  sourceLoggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the source S3 Logging Bucket. Only valid when asyncJobs is true.  | 
|  destinationLoggingBucketProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the destination S3 Logging Bucket. Only valid when asyncJobs is true.  | 
|  logSourceS3AccessLogs?  |  boolean  |  Whether to turn on Access Logging for the source S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. Only valid when asyncJobs is true. default - true  | 
|  logDestinationS3AccessLogs?  |  boolean  |  Whether to turn on Access Logging for the destination S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. Only valid when asyncJobs is true. default - true  | 
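
Because `additionalPermissions` attaches every listed action to a resource of `*`, a non-Translate action placed there applies to every resource of that service. The check below is an added example (not Solutions Constructs code) that scans a synthesized template for such grants; the template fragment, its logical ID and the `EXPECTED_WILDCARD_SERVICES` allow-list are assumptions to adjust for your stack.

```python
"""Flag IAM grants on Resource '*' that fall outside the services this pattern expects."""

# Assumption: only Translate (the pattern's own grants) and X-Ray (tracing is
# enabled by default) are expected on Resource '*'. Extend this for your stack,
# for example when the function is deployed into a VPC.
EXPECTED_WILDCARD_SERVICES = frozenset({"translate", "xray"})


def _as_list(value):
    """IAM policy fields may hold a single item or a list of items."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _policy_documents(resources):
    """Yield (logical_id, policy_document) for standalone and inline role policies."""
    for logical_id, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Policy":
            yield logical_id, props.get("PolicyDocument", {})
        elif res.get("Type") == "AWS::IAM::Role":
            for inline in props.get("Policies", []):
                yield logical_id, inline.get("PolicyDocument", {})


def wildcard_findings(template, allowed_services=EXPECTED_WILDCARD_SERVICES):
    """Return (policy_id, action, reason) for each questionable Allow on Resource '*'."""
    findings = []
    for policy_id, doc in _policy_documents(template.get("Resources", {})):
        for stmt in _as_list(doc.get("Statement")):
            # Only Allow statements whose Resource is (or includes) the bare wildcard.
            if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
                continue
            if "NotAction" in stmt:
                findings.append((policy_id, "NotAction", "allows all but the listed actions"))
                continue
            for action in _as_list(stmt.get("Action")):
                service = str(action).partition(":")[0]
                if "*" in action or "?" in action:
                    findings.append((policy_id, action, "wildcard action"))
                elif service.lower() not in allowed_services:  # IAM names are case-insensitive
                    findings.append((policy_id, action, "service not expected on Resource '*'"))
    return findings


# --- Constructed sample: trimmed shape of `cdk synth` output; the logical ID is made up ---
SAMPLE_TEMPLATE = {"Resources": {
    "LambdaFunctionServiceRoleDefaultPolicy": {
        "Type": "AWS::IAM::Policy",
        "Properties": {"PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["xray:PutTraceSegments", "xray:PutTelemetryRecords"]},
            {"Effect": "Allow", "Resource": "*",
             "Action": ["translate:TranslateText", "translate:TranslateDocument"]},
            # As if these had been passed through additionalPermissions:
            {"Effect": "Allow", "Resource": "*",
             "Action": ["translate:ListTerminologies", "s3:GetObject", "translate:*"]},
            # Scoped grant (the addToRolePolicy route): not reported.
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": {"Fn::Join": ["", [{"Fn::GetAtt": ["Glossary", "Arn"]}, "/*"]]}},
        ]}},
    },
}}

if __name__ == "__main__":
    for finding in wildcard_findings(SAMPLE_TEMPLATE):
        print(finding)
```
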

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  sourceBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of the source S3 bucket if it is created by the pattern.  | 
|  destinationBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of the destination S3 bucket if it is created by the pattern.  | 
|  sourceLoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the source bucket.  | 
|  destinationLoggingBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the destination bucket.  | 
|  vpc?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.  | 
|  sourceBucketInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an interface of s3.IBucket used by the construct for the source bucket whether created by the pattern or supplied from the client.  | 
|  destinationBucketInterface?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an interface of s3.IBucket used by the construct for the destination bucket whether created by the pattern or supplied from the client.  | 

## Default settings


The out-of-the-box implementation of the construct, without any overrides, sets the following defaults:

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + (default) SOURCE_BUCKET_NAME (when asyncJobs is true)
  + (default) DESTINATION_BUCKET_NAME (when asyncJobs is true)
  + (default) DATA_ACCESS_ROLE_ARN (when asyncJobs is true)
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)
+ Grant permissions to use Amazon Translate service (['translate:TranslateText', 'translate:TranslateDocument'] by default)
+ When asyncJobs is true, grant permissions to start and stop batch translation jobs (translate:StartTextTranslationJob and translate:StopTextTranslationJob), read from source bucket, and read and write to destination bucket

### Amazon S3 Buckets (when asyncJobs is true)

+ Configure Access logging for both S3 Buckets
+ Enable server-side encryption for both S3 Buckets using AWS managed KMS Key
+ Enforce encryption of data in transit
+ Turn on the versioning for both S3 Buckets
+ Don’t allow public access for both S3 Buckets
+ Retain the S3 Buckets when deleting the CloudFormation stack
+ Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days
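
The bucket defaults listed above (the same list appears for aws-lambda-textract and aws-lambda-transcribe) can be checked against the synthesized template before deployment, which catches overrides passed through the bucket props. The following is an added example, not Solutions Constructs code; the template fragment and its logical IDs are constructed, and applying the versioning, logging, retention and lifecycle checks only to data buckets (not to log-destination buckets) is an assumption.

```python
"""Audit S3 buckets in a synthesized template against the bucket defaults listed on this page."""

PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")

def _ref(value):
    """Return the logical ID inside {"Ref": id}, or None for anything else."""
    return value.get("Ref") if isinstance(value, dict) else None

def _as_list(value):
    """Policy fields may hold a single item or a list of items."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _tls_enforced(bucket_id, resources):
    """True if a bucket policy on bucket_id denies requests made without TLS."""
    for res in resources.values():
        props = res.get("Properties", {})
        if res.get("Type") != "AWS::S3::BucketPolicy" or _ref(props.get("Bucket")) != bucket_id:
            continue
        for stmt in _as_list(props.get("PolicyDocument", {}).get("Statement")):
            secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
            if stmt.get("Effect") == "Deny" and str(secure).lower() == "false":
                return True
    return False

def _glacier_after_90(props):
    """True if a lifecycle rule moves noncurrent versions to GLACIER after 90 days."""
    for rule in props.get("LifecycleConfiguration", {}).get("Rules", []):
        for move in rule.get("NoncurrentVersionTransitions", []):
            if move.get("StorageClass") == "GLACIER" and move.get("TransitionInDays") == 90:
                return True
    return False

def audit_buckets(template):
    """Map each bucket's logical ID to the list of defaults it does not meet."""
    resources = template.get("Resources", {})
    buckets = {k: v for k, v in resources.items() if v.get("Type") == "AWS::S3::Bucket"}
    # Buckets that receive another bucket's access logs (assumption: the data-bucket
    # checks for versioning, logging, retention and lifecycle do not apply to them).
    log_targets = {_ref(b.get("Properties", {}).get("LoggingConfiguration", {})
                        .get("DestinationBucketName")) for b in buckets.values()}
    findings = {}
    for bucket_id, res in buckets.items():
        props, issues = res.get("Properties", {}), []
        sse = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
        if not any(r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in sse):
            issues.append("no default server-side encryption")
        pab = props.get("PublicAccessBlockConfiguration", {})
        if not all(pab.get(key) is True for key in PAB_KEYS):
            issues.append("public access not fully blocked")
        if not _tls_enforced(bucket_id, resources):
            issues.append("no bucket policy denying non-TLS requests")
        if bucket_id not in log_targets:
            if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
                issues.append("versioning not enabled")
            if "LoggingConfiguration" not in props:
                issues.append("access logging not configured")
            if res.get("DeletionPolicy") != "Retain":
                issues.append("DeletionPolicy is not Retain")
            if not _glacier_after_90(props):
                issues.append("no 90-day noncurrent-version transition to GLACIER")
        findings[bucket_id] = issues
    return findings

# --- Constructed sample: trimmed shape of `cdk synth` output; logical IDs are made up ---
_SSE = {"ServerSideEncryptionConfiguration": [
    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}
_PAB = {key: True for key in PAB_KEYS}

def _deny_insecure(bucket_id):
    """Constructed bucket policy that denies any request not sent over TLS."""
    return {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": bucket_id},
        "PolicyDocument": {"Statement": [{
            "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:*",
            "Resource": {"Fn::GetAtt": [bucket_id, "Arn"]},
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}}}

SAMPLE_TEMPLATE = {"Resources": {
    "SourceLogBucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": {
        "BucketEncryption": _SSE, "PublicAccessBlockConfiguration": _PAB}},
    "SourceLogBucketPolicy": _deny_insecure("SourceLogBucket"),
    "SourceBucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain", "Properties": {
        "BucketEncryption": _SSE, "PublicAccessBlockConfiguration": _PAB,
        "VersioningConfiguration": {"Status": "Enabled"},
        "LoggingConfiguration": {"DestinationBucketName": {"Ref": "SourceLogBucket"}},
        "LifecycleConfiguration": {"Rules": [{"Status": "Enabled", "NoncurrentVersionTransitions": [
            {"StorageClass": "GLACIER", "TransitionInDays": 90}]}]}}},
    "SourceBucketPolicy": _deny_insecure("SourceBucket"),
    # Overridden bucket: one public-access flag off, no TLS policy, no logging, not retained.
    "DestBucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Delete", "Properties": {
        "BucketEncryption": _SSE,
        "PublicAccessBlockConfiguration": {**_PAB, "RestrictPublicBuckets": False},
        "VersioningConfiguration": {"Status": "Enabled"}}},
}}

if __name__ == "__main__":
    for bucket_id, issues in audit_buckets(SAMPLE_TEMPLATE).items():
        print(bucket_id, "OK" if not issues else issues)
```
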

### Amazon Translate Service

+ Lambda function will have permissions to ['translate:TranslateText', 'translate:TranslateDocument'] operations by default
+ When asyncJobs is true, Lambda function will have permissions to start and stop batch translation jobs
+ A role granting access to the source and destination buckets will be created to pass to Translate for StartTextTranslationJob calls

### Amazon VPC

+ If deployVpc is true, a minimal VPC will be created with:
  + Interface Endpoints for Amazon Translate
  + Interface Endpoints for Amazon S3 (when asyncJobs is true)
  + Private subnets for Lambda function
  + Appropriate security groups and routing

## Architecture


 **Default Implementation** 

![\[Diagram showing the Lambda function, Amazon Translate service, and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-translate.png)


 **Default Implementation when asyncJobs = true** 

![\[Diagram showing the Lambda function, source and destination S3 buckets (when asyncJobs is true), Amazon Translate service, and IAM roles created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-lambda-translate-async.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-lambda-translate) for this pattern to view the code, read/create issues and pull requests and more.




# aws-openapigateway-lambda


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_openapigateway_lambda`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-openapigateway-lambda`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.openapigatewaylambda`   | 

## Overview


This AWS Solutions Construct implements an Amazon API Gateway REST API defined by an OpenAPI specification file connected to an AWS Lambda function.

Here is a minimal deployable pattern definition.

 **NOTE** The `openapi/apiDefinition.yaml` OpenAPI definition file and the `messages-lambda` Lambda package directory referenced by the three code samples below can both be found under this construct's `test` folder (`<repository_root>/source/patterns/@aws-solutions-constructs/aws-openapigateway-lambda/test`).

**Example**  

```
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { OpenApiGatewayToLambda } from '@aws-solutions-constructs/aws-openapigateway-lambda';
import { Asset } from 'aws-cdk-lib/aws-s3-assets';
import * as path from 'path';
import * as lambda from 'aws-cdk-lib/aws-lambda';

const apiDefinitionAsset = new Asset(this, 'ApiDefinitionAsset', {
  path: path.join(__dirname, 'openapi/apiDefinition.yaml')
});

new OpenApiGatewayToLambda(this, 'OpenApiGatewayToLambda', {
  apiDefinitionAsset,
  apiIntegrations: [
    {
      id: 'MessagesHandler',
      lambdaFunctionProps: {
        runtime: lambda.Runtime.NODEJS_22_X,
        handler: 'index.handler',
        code: lambda.Code.fromAsset(`${__dirname}/messages-lambda`),
      }
    }
  ]
});
```

```
from aws_cdk import (
    Stack,
    aws_s3_assets as s3_assets,
    aws_lambda as lambda_,
)
from constructs import Construct
from aws_solutions_constructs.aws_openapigateway_lambda import OpenApiGatewayToLambda, ApiIntegration

class TestStack(Stack):

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        api_definition_asset = s3_assets.Asset(self, "ApiDefinitionAsset", path="./openapi/apiDefinition.yaml")

        api_integration = ApiIntegration(id="MessagesHandler", lambda_function_props={
            "runtime": lambda_.Runtime.NODEJS_22_X,
            "handler": "index.handler",
            "code": lambda_.Code.from_asset("./messages-lambda")
        })

        openapigateway_to_lambda = OpenApiGatewayToLambda(self,
            id="OpenApiGatewayToLambda",
            api_integrations=[api_integration],
            api_definition_asset=api_definition_asset
        )
```

```
import software.amazon.awscdk.services.lambda.Code;
import software.amazon.awscdk.services.lambda.FunctionProps;
import software.amazon.awscdk.services.s3.assets.Asset;
import software.amazon.awscdk.services.s3.assets.AssetProps;
import software.amazon.awsconstructs.services.openapigatewaylambda.ApiIntegration;
import software.amazon.awsconstructs.services.openapigatewaylambda.OpenApiGatewayToLambda;
import software.amazon.awsconstructs.services.openapigatewaylambda.OpenApiGatewayToLambdaProps;
import software.constructs.Construct;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;

import java.util.Collections;

import static software.amazon.awscdk.services.lambda.Runtime.NODEJS_22_X;

final Asset apiDefinitionAsset = new Asset(this, "ApiDefinition", AssetProps.builder().path("openapi/apiDefinition.yaml").build());

final ApiIntegration apiIntegration = ApiIntegration.builder()
    .id("MessagesHandler")
    .lambdaFunctionProps(new FunctionProps.Builder()
        .runtime(NODEJS_22_X)
        .code(Code.fromAsset("messages-lambda"))
        .handler("index.handler")
        .build())
    .build();

new OpenApiGatewayToLambda(this, "OpenApiGatewayToLambda", OpenApiGatewayToLambdaProps.builder()
    .apiDefinitionAsset(apiDefinitionAsset)
    .apiIntegrations(Collections.singletonList(apiIntegration))
    .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  apiGatewayProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApiBaseProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApiBaseProps.html)   |  Optional user-provided props to override the default props for the API.  | 
|  apiDefinitionBucket?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  S3 Bucket where the OpenAPI spec file is located. When specifying this property, `apiDefinitionKey` must also be specified.  | 
|  apiDefinitionKey?  |   `string`   |  S3 Object name of the OpenAPI spec file. When specifying this property, `apiDefinitionBucket` must also be specified.  | 
|  apiDefinitionAsset?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3_assets.Asset.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3_assets.Asset.html)   |  Local file asset of the OpenAPI spec file.  | 
|  apiDefinitionJson?  |  any  |  OpenAPI specification represented in a JSON object to be embedded in the CloudFormation template. IMPORTANT - Including the spec in the template introduces a risk of the template growing too big, but there are some use cases that require an embedded spec. Unless your use case explicitly requires an embedded spec you should pass your spec as an S3 asset.  | 
|  apiIntegrations  |   `ApiIntegration[]`   |  One or more key-value pairs that contain an id for the api integration and either an existing lambda function or an instance of the LambdaProps. Please see the `Overview of how the OpenAPI file transformation works` section below for more usage details.  | 
|  logGroupProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  User provided props to override the default props for the CloudWatchLogs LogGroup.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  apiLambdaFunctions  |   `ApiLambdaFunction[]`   |  Returns an array of ApiLambdaFunction objects, where each has an `id` of the `apiIntegration` and the corresponding `lambda.Function` that it maps to.  | 
|  apiGateway  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.SpecRestApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.SpecRestApi.html)   |  Returns an instance of the API Gateway REST API created by the pattern.  | 
|  apiGatewayCloudWatchRole?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  Returns an instance of the iam.Role created by the construct for API Gateway for CloudWatch access.  | 
|  apiGatewayLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroup.html)   |  Returns an instance of the LogGroup created by the construct for API Gateway access logging to CloudWatch.  | 

## Interfaces defined by this construct


 `ApiIntegration` Maps a Lambda function to the id string used as a placeholder in the OpenAPI spec. The type has a required property, `id`, and two optional properties, `existingLambdaObj` and `lambdaFunctionProps`. The `id` property maps the Lambda function being defined to the placeholder string in the OpenAPI template file; it is not a CDK construct ID. Exactly one of `existingLambdaObj` or `lambdaFunctionProps` must be specified or the construct will throw an error. The `existingLambdaObj` property accepts a lambda.Function object OR a lambda.Alias object. The `apiIntegrations` property is an array of this interface and is required when launching this construct.

 `ApiLambdaFunction` This interface returns the Lambda objects used when launching the construct. The `id` property will always be set. If an existing function was provided in the props or this construct created a new Lambda function, then that function will be in the `lambdaFunction` property. If a Lambda Alias was provided in the props, then that value will be specified in the `functionAlias` property. At no time will `lambdaFunction` and `functionAlias` be set on the same ApiLambdaFunction object. The construct exposes an array of these objects as a property.

## Overview of how the OpenAPI file transformation works


This construct automatically transforms an incoming OpenAPI Definition (residing locally or in S3) by auto-populating the `uri` fields of the `x-amazon-apigateway-integration` integrations with the resolved value of the backing lambda functions. It does so by letting the user specify the `apiIntegrations` property and then correlating each entry with the API definition.

Looking at an example - a user creates an instantiation of `apiIntegrations` that specifies one integration named `MessagesHandler` that passes in a set of `lambda.FunctionProps` and a second integration named `PhotosHandler` that passes in an existing `lambda.Function`:

```
const apiIntegrations: ApiIntegration[] = [
  {
    id: 'MessagesHandler',
    lambdaFunctionProps: {
      runtime: lambda.Runtime.NODEJS_22_X,
      handler: 'index.handler',
      code: lambda.Code.fromAsset(`${__dirname}/messages-lambda`),
    }
  },
  {
    id: 'PhotosHandler',
    existingLambdaObj: new lambda.Function(this, 'PhotosLambda', {
      runtime: lambda.Runtime.NODEJS_22_X,
      handler: 'index.handler',
      code: lambda.Code.fromAsset(`${__dirname}/photos-lambda`),
    })
  }
]
```

And a corresponding api definition with `GET` and `POST` methods on a `/messages` resource and a `GET` method on a `/photos` resource.

```
openapi: "3.0.1"
info:
  title: "api"
  version: "2023-02-20T20:46:08Z"
paths:
  /messages:
    get:
      x-amazon-apigateway-integration:
        httpMethod: "POST"
        uri: MessagesHandler
        passthroughBehavior: "when_no_match"
        type: "aws_proxy"
    post:
      x-amazon-apigateway-integration:
        httpMethod: "POST"
        uri: MessagesHandler
        passthroughBehavior: "when_no_match"
        type: "aws_proxy"
  /photos:
    get:
      x-amazon-apigateway-integration:
        httpMethod: "POST"
        uri: PhotosHandler
        passthroughBehavior: "when_no_match"
        type: "aws_proxy"
```

When the construct is created or updated, it will overwrite the `MessagesHandler` string with the fully resolved lambda proxy uri of the `MessagesHandlerLambdaFunction`, e.g., `arn:${Aws.PARTITION}:apigateway:${Aws.REGION}:lambda:path/2015-03-31/functions/${messagesLambda.functionArn}/invocations`, and similarly for the `PhotosHandler` string and `PhotosHandlerLambdaFunction`, resulting in a valid OpenAPI spec file that is then passed to the `SpecRestApi` construct.

For more information on specifying an API with OpenAPI, please see the [OpenAPI Specification](https://spec.openapis.org/oas/latest.html) 
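The substitution described above, modelled on a plain parsed definition as an added example (it is not the construct's own code and does not use `aws-cdk-lib`). The `unresolved` and `unusedIntegrations` reports are additions of this example for catching a mistyped placeholder before deployment, not documented construct behaviour; the function names, the `IntegrationTarget` type and the sample ARNs are assumptions made for illustration.

```typescript
type Json = { [key: string]: any };

// Hypothetical type: an integration id paired with an already-known function ARN.
interface IntegrationTarget { id: string; functionArn: string; }

interface TransformResult {
  spec: Json;                   // copy of the definition with resolved uri values
  resolved: string[];           // operations whose placeholder was replaced
  unresolved: string[];         // operations whose uri matches no integration id
  unusedIntegrations: string[]; // integration ids that no operation references
}

const INTEGRATION_KEY = 'x-amazon-apigateway-integration';
const METHOD_KEYS: string[] = [
  'get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace',
  'x-amazon-apigateway-any-method',
];

// Same shape as the Lambda proxy uri shown in the text above.
function lambdaProxyUri(partition: string, region: string, functionArn: string): string {
  return `arn:${partition}:apigateway:${region}:lambda:path/2015-03-31/functions/${functionArn}/invocations`;
}

function resolveIntegrationUris(
  definition: Json, targets: IntegrationTarget[], partition: string, region: string
): TransformResult {
  const arnById: { [id: string]: string } = {};
  for (const target of targets) {
    if (Object.prototype.hasOwnProperty.call(arnById, target.id)) {
      throw new Error(`duplicate integration id: ${target.id}`);
    }
    arnById[target.id] = target.functionArn;
  }

  const spec: Json = JSON.parse(JSON.stringify(definition)); // leave the input untouched
  const resolved: string[] = [];
  const unresolved: string[] = [];
  const used: { [id: string]: boolean } = {};
  const paths: Json = spec.paths || {};

  for (const path of Object.keys(paths)) {
    const item: Json = paths[path] || {};
    for (const method of METHOD_KEYS) {
      const integration = item[method] && item[method][INTEGRATION_KEY];
      if (!integration || typeof integration.uri !== 'string') { continue; }
      const placeholder: string = integration.uri;
      const label = `${method.toUpperCase()} ${path} -> ${placeholder}`;
      if (Object.prototype.hasOwnProperty.call(arnById, placeholder)) {
        integration.uri = lambdaProxyUri(partition, region, arnById[placeholder]);
        used[placeholder] = true;
        resolved.push(label);
      } else if (placeholder.indexOf('arn:') !== 0) {
        // Not an integration id and not already an ARN: most likely a typo.
        unresolved.push(label);
      }
    }
  }
  const unusedIntegrations = targets.map((t) => t.id).filter((id) => !used[id]);
  return { spec, resolved, unresolved, unusedIntegrations };
}

// Constructed sample: the page's API definition as a parsed object.
function proxyIntegration(uri: string): Json {
  return { [INTEGRATION_KEY]: {
    httpMethod: 'POST', uri, passthroughBehavior: 'when_no_match', type: 'aws_proxy',
  } };
}
const sampleDefinition: Json = {
  openapi: '3.0.1',
  info: { title: 'api', version: '2023-02-20T20:46:08Z' },
  paths: {
    '/messages': { get: proxyIntegration('MessagesHandler'), post: proxyIntegration('MessagesHandler') },
    '/photos': { get: proxyIntegration('PhotosHandler') },
  },
};
// Constructed sample ARNs (placeholder account id and function names).
const sampleTargets: IntegrationTarget[] = [
  { id: 'MessagesHandler', functionArn: 'arn:aws:lambda:us-east-1:123456789012:function:messages' },
  { id: 'PhotosHandler', functionArn: 'arn:aws:lambda:us-east-1:123456789012:function:photos' },
];

const sampleResult = resolveIntegrationUris(sampleDefinition, sampleTargets, 'aws', 'us-east-1');
console.log(JSON.stringify(sampleResult.resolved), JSON.stringify(sampleResult.unresolved));
```
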

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon API Gateway

+ Deploy an edge-optimized API endpoint
+ Enable CloudWatch logging for API Gateway
+ Configure least privilege access IAM role for API Gateway
+ Enable X-Ray Tracing

### AWS Lambda Function

+ Configure limited privilege access IAM roles for Lambda functions
+ Enable reusing connections with Keep-Alive for NodeJs Lambda functions
+ Enable X-Ray Tracing
+ Set Environment Variables
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

## Architecture


![\[Diagram showing the OpenAPI definition, API Gateway api and Lambda functions created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-openapigateway-lambda.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-openapigateway-lambda) for this pattern to view the code, read/create issues and pull requests and more.



# aws-route53-alb


![\[Stability:Experimental\]](https://img.shields.io/badge/stability-Experimental-important.svg?style=for-the-badge)


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the [Semantic Versioning](https://semver.org/) model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_route53_alb`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-route53-alb`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.route53alb`   | 

## Overview


This AWS Solutions Construct implements an Amazon Route53 Hosted Zone routing to an Application Load Balancer.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Route53ToAlb } from '@aws-solutions-constructs/aws-route53-alb';

// Note - all alb constructs turn on ELB logging by default, so require that an environment including account
// and region be provided when creating the stack
//
// new MyStack(app, 'id', {env: {account: '123456789012', region: 'us-east-1' }});
new Route53ToAlb(this, 'Route53ToAlbPattern', {
  privateHostedZoneProps: {
    zoneName: 'www.example.com',
  },
  publicApi: false,
});
```

```
from aws_solutions_constructs.aws_route53_alb import Route53ToAlb
from aws_cdk import (
    aws_route53 as route53,
    Stack
)
from constructs import Construct

# Note - all alb constructs turn on ELB logging by default, so require that an environment including account
# and region be provided when creating the stack
#
# MyStack(app, 'id', env=cdk.Environment(account='123456789012', region='us-east-1'))
Route53ToAlb(self, 'Route53ToAlbPattern',
                public_api=False,
                private_hosted_zone_props=route53.HostedZoneProps(
                    zone_name='www.example.com',
                )
                )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.route53.*;
import software.amazon.awsconstructs.services.route53alb.*;

// Note - all alb constructs turn on ELB logging by default, so require that an environment including account
// and region be provided when creating the stack
//
// new MyStack(app, "id", StackProps.builder()
//         .env(Environment.builder()
//                 .account("123456789012")
//                 .region("us-east-1")
//                 .build())
//         .build());
new Route53ToAlb(this, "Route53ToAlbPattern",
        new Route53ToAlbProps.Builder()
                .privateHostedZoneProps(new HostedZoneProps.Builder()
                        .zoneName("www.example.com")
                        .build())
                .publicApi(false)
                .build());
```

## Pattern Construct Props


This construct cannot create a new Public Hosted Zone. If you are creating a public API, you must supply an existing Public Hosted Zone that will be reconfigured with a new Alias record. Public Hosted Zones are configured with public domain names and are not well suited to be launched and torn down dynamically, so this construct will only reconfigure existing Public Hosted Zones.

This construct can create Private Hosted Zones. If you want a Private Hosted Zone, then you can either provide an existing Private Hosted Zone or a privateHostedZoneProps value with at least the Domain Name defined.


|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  privateHostedZoneProps?  |   [route53.PrivateHostedZoneProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_route53.PrivateHostedZoneProps.html)   |  Optional custom properties for a new Private Hosted Zone. Cannot be specified for a public API. Cannot specify a VPC; it will use the VPC in existingVpc or the VPC created by the construct. Providing both this and existingHostedZoneInterface causes an error.  | 
|  existingHostedZoneInterface?  |   [route53.IHostedZone](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_route53.IHostedZone.html)   |  Existing Public or Private Hosted Zone (type must match publicApi setting). Specifying both this and privateHostedZoneProps causes an error. If this is a Private Hosted Zone, the associated VPC must be provided as the existingVpc property.  | 
|  loadBalancerProps?  |   [elasticloadbalancingv2.ApplicationLoadBalancerProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancerProps.html)   |  Optional custom properties for a new loadBalancer. Providing both this and existingLoadBalancerObj causes an error. This cannot specify a VPC; it will use the VPC in existingVpc or the VPC created by the construct.  | 
|  existingLoadBalancerObj?  |   [elasticloadbalancingv2.ApplicationLoadBalancer](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html)   |  Existing Application Load Balancer to incorporate into the construct architecture. Providing both this and loadBalancerProps causes an error. The VPC containing this loadBalancer must match the VPC provided in existingVpc.  | 
|  vpcProps?  |   [ec2.VpcProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.VpcProps.html)   |  Optional custom properties for a VPC the construct will create. This VPC will be used by the new ALB and any Private Hosted Zone the construct creates (that’s why loadBalancerProps and privateHostedZoneProps can’t include a VPC). Providing both this and existingVpc causes an error.  | 
|  existingVpc?  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the construct. Providing both this and vpcProps causes an error. If the client provides an existing load balancer and/or existing Private Hosted Zone, those constructs must exist in this VPC.  | 
|  logAlbAccessLogs?  |  boolean  |  Whether to turn on Access Logs for the Application Load Balancer. Uses an S3 bucket with associated storage costs. Enabling Access Logging is a best practice. default - true  | 
|  albLoggingBucketProps?  |   [s3.BucketProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional properties to customize the bucket used to store the ALB Access Logs. Supplying this and setting logAlbAccessLogs to false is an error. @default - none  | 
|  publicApi  |  boolean  |  Whether the construct is deploying a private or public API. This has implications for the Hosted Zone, VPC and ALB.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  hostedZone  |   [route53.IHostedZone](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_route53.IHostedZone.html)   |  The hosted zone used by the construct (whether created by the construct or provided by the client)  | 
|  vpc  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  The VPC used by the construct (whether created by the construct or provided by the client)  | 
|  loadBalancer  |   [elasticloadbalancingv2.ApplicationLoadBalancer](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html)   |  The Load Balancer used by the construct (whether created by the construct or provided by the client)  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon Route53

+ Adds an ALIAS record to the new or provided Hosted Zone that routes to the construct’s ALB

### Application Load Balancer

+ Creates an Application Load Balancer with no Listener or target. The construct can incorporate an existing, fully configured ALB if provided.

## Architecture


![\[Diagram showing the Route53 ALIAS record in an existing hosted zone and Application Load Balancer created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-route53-alb.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-route53-alb) for this pattern to view the code, read/create issues and pull requests and more.



# aws-route53-apigateway


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_route53_apigateway`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-route53-apigateway`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.route53apigateway`   | 

## Overview


This AWS Solutions Construct implements an Amazon Route 53 connected to a configured Amazon API Gateway REST API.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import * as route53 from "aws-cdk-lib/aws-route53";
import * as acm from "aws-cdk-lib/aws-certificatemanager";
import { Route53ToApiGateway } from '@aws-solutions-constructs/aws-route53-apigateway';

// The construct requires an existing REST API, this can be created in raw CDK or extracted
// from a previously instantiated construct that created an API Gateway REST API
const existingRestApi = previouslyCreatedApigatewayToLambdaConstruct.apiGateway;

// domainName must match existing hosted zone in your account and the existing certificate
const ourHostedZone = route53.HostedZone.fromLookup(this, 'HostedZone', {
    domainName: "example.com",
});

const certificate = acm.Certificate.fromCertificateArn(
    this,
    "fake-cert",
    "arn:aws:acm:us-east-1:123456789012:certificate/11112222-3333-1234-1234-123456789012"
);

// This construct can only be attached to a configured API Gateway.
new Route53ToApiGateway(this, 'Route53ToApiGatewayPattern', {
    existingApiGatewayInterface: existingRestApi,
    existingHostedZoneInterface: ourHostedZone,
    publicApi: true,
    existingCertificateInterface: certificate
});
```

```
from aws_solutions_constructs.aws_route53_apigateway import Route53ToApiGateway
from aws_cdk import (
    aws_route53 as route53,
    aws_certificatemanager as acm,
    Stack
)
from constructs import Construct

# The construct requires an existing REST API, this can be created in raw CDK or extracted
# from a previously instantiated construct that created an API Gateway REST API
existingRestApi = previouslyCreatedApigatewayToLambdaConstruct.api_gateway

# domain_name must match existing hosted zone in your account and the existing certificate
ourHostedZone = route53.HostedZone.from_lookup(self, 'HostedZone',
                                                domain_name="example.com",
                                                )

# Obtain a pre-existing certificate from your account
certificate = acm.Certificate.from_certificate_arn(
    self,
    'existing-cert',
    "arn:aws:acm:us-east-1:123456789012:certificate/11112222-3333-1234-1234-123456789012"
)

# This construct can only be attached to a configured API Gateway.
Route53ToApiGateway(self, 'Route53ToApigatewayPattern',
                    existing_api_gateway_interface=existingRestApi,
                    existing_hosted_zone_interface=ourHostedZone,
                    public_api=True,
                    existing_certificate_interface=certificate
                    )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.route53.*;
import software.amazon.awscdk.services.apigateway.*;
import software.amazon.awscdk.services.certificatemanager.*;
import software.amazon.awsconstructs.services.route53apigateway.*;

// The construct requires an existing REST API, this can be created in raw CDK
// or extracted from a previously instantiated construct that created an API
// Gateway REST API
final IRestApi existingRestApi = previouslyCreatedApigatewayToLambdaConstruct.getApiGateway();

// domainName must match existing hosted zone in your account and the existing certificate
final IHostedZone ourHostedZone = HostedZone.fromLookup(this, "HostedZone",
        new HostedZoneProviderProps.Builder()
                .domainName("example.com")
                .build());

// Obtain a pre-existing certificate from your account
final ICertificate certificate = Certificate.fromCertificateArn(
        this,
        "existing-cert",
        "arn:aws:acm:us-east-1:123456789012:certificate/11112222-3333-1234-1234-123456789012");

// This construct can only be attached to a configured API Gateway.
new Route53ToApiGateway(this, "Route53ToApiGatewayPattern",
        new Route53ToApiGatewayProps.Builder()
                .existingApiGatewayInterface(existingRestApi)
                .existingHostedZoneInterface(ourHostedZone)
                .publicApi(true)
                .existingCertificateInterface(certificate)
                .build());
```

## Pattern Construct Props


This construct cannot create a new Public Hosted Zone. If you are creating a public API, you must supply an existing Public Hosted Zone that will be reconfigured with a new Alias record. Public Hosted Zones are configured with public domain names and are not well suited to be launched and torn down dynamically, so this construct will only reconfigure existing Public Hosted Zones.

This construct can create Private Hosted Zones. If you want a Private Hosted Zone, then you can either provide an existing Private Hosted Zone or a privateHostedZoneProps value with at least the Domain Name defined. If you are using privateHostedZoneProps, an existing wildcard certificate (`*.example.com`) must be issued from a previous domain to be used in the newly created Private Hosted Zone. New certificate creation and validation do not take place in this construct. A private Rest API already exists in a VPC, so that VPC must be provided in the existingVpc prop. There is no scenario where this construct can create a new VPC (since it can’t create a new API), so the vpcProps property is not supported on this construct.


|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  publicApi  |  boolean  |  Whether the construct is deploying a private or public API. This has implications for the Hosted Zone and VPC.  | 
|  privateHostedZoneProps?  |   [route53.PrivateHostedZoneProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_route53.PrivateHostedZoneProps.html)   |  Optional custom properties for a new Private Hosted Zone. Cannot be specified for a public API. Cannot specify a VPC, it will use the VPC in existingVpc or the VPC created by the construct. Providing both this and existingHostedZoneInterface causes an error.  | 
|  existingHostedZoneInterface?  |   [route53.IHostedZone](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_route53.IHostedZone.html)   |  Existing Public or Private Hosted Zone (type must match publicApi setting). Specifying both this and privateHostedZoneProps causes an error. If this is a Private Hosted Zone, the associated VPC must be provided as the existingVpc property.  | 
|  existingVpc?  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  An existing VPC in which to deploy the construct.  | 
|  existingApiGatewayInterface  |   [api.IRestApi](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IRestApi.html)   |  The existing API Gateway instance that will be connected to the Route 53 hosted zone. *Note that Route 53 can only be connected to a configured API Gateway, so this construct only accepts an existing IRestApi and does not accept apiGatewayProps.*   | 
|  existingCertificateInterface  |   [certificatemanager.ICertificate](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_certificatemanager.ICertificate.html)   |  An existing AWS Certificate Manager certificate for your custom domain name.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  hostedZone  |   [route53.IHostedZone](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_route53.IHostedZone.html)   |  The hosted zone used by the construct (whether created by the construct or provided by the client)  | 
|  vpc?  |   [ec2.IVpc](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVpc.html)   |  The VPC used by the construct.  | 
|  apiGateway  |   [api.RestApi](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.RestApi.html)   |  Returns an instance of the API Gateway REST API created by the pattern.  | 
|  certificate  |   [certificatemanager.ICertificate](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_certificatemanager.ICertificate.html)   |  The certificate used by the construct (whether created by the construct or provided by the client)  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon Route53

+ Adds an ALIAS record to the new or provided Hosted Zone that routes to the construct’s API Gateway

### Amazon API Gateway

+ User provided API Gateway object is used as-is
+ Sets up custom domain name mapping to API

## Architecture


![\[Diagram showing the Route53 ALIAS record in an existing hosted zone and API Gateway api created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-route53-apigateway.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-route53-apigateway) for this pattern to view the code, read/create issues and pull requests and more.



# aws-s3-lambda


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_s3_lambda`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-s3-lambda`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.s3lambda`   | 

## Overview


This AWS Solutions Construct implements an Amazon S3 bucket connected to an AWS Lambda function.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import * as lambda from "aws-cdk-lib/aws-lambda";
import { S3ToLambdaProps, S3ToLambda } from '@aws-solutions-constructs/aws-s3-lambda';

new S3ToLambda(this, 'test-s3-lambda', {
  lambdaFunctionProps: {
    code: lambda.Code.fromAsset(`lambda`),
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler'
  },
});
```

```
from aws_solutions_constructs.aws_s3_lambda import S3ToLambda
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

S3ToLambda(self, 'test_s3_lambda',
           lambda_function_props=_lambda.FunctionProps(
               code=_lambda.Code.from_asset('lambda'),
               runtime=_lambda.Runtime.PYTHON_3_14,
               handler='index.handler'
           )
           )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.s3lambda.*;

new S3ToLambda(this, "test-s3-lambda", new S3ToLambdaProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [lambda.Function](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Existing instance of Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [lambda.FunctionProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional user provided props to override the default props for the Lambda function.  | 
|  existingBucketObj?  |   [s3.IBucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Optional - existing instance of S3 Bucket. If this is provided, then also providing bucketProps causes an error.  | 
|  bucketProps?  |   [s3.BucketProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Bucket.  | 
|  s3EventSourceProps?  |   [S3EventSourceProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_event_sources.S3EventSourceProps.html)   |  Optional user provided props to override the default props for S3EventSourceProps  | 
|  loggingBucketProps?  |   [s3.BucketProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Logging Bucket.  | 
|  logS3AccessLogs?  |   `boolean`   |  Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [lambda.Function](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the lambda.Function created by the construct  | 
|  s3Bucket?  |   [s3.Bucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of the s3.Bucket created by the construct  | 
|  s3LoggingBucket?  |   [s3.Bucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket.  | 
|  s3BucketInterface  |   [s3.IBucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an instance of s3.IBucket created by the construct  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon S3 Bucket

+ Configure Access logging for S3 Bucket
+ Enable server-side encryption for S3 Bucket using AWS managed KMS Key
+ Enforce encryption of data in transit
+ Turn on the versioning for S3 Bucket
+ Don’t allow public access for S3 Bucket
+ Retain the S3 Bucket when deleting the CloudFormation stack
+ Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

## Architecture


![\[Diagram showing the S3 bucket, Lambda function, CloudWatch log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-s3-lambda.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-s3-lambda) for this pattern to view the code, read/create issues and pull requests and more.



# aws-s3-sns


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_s3_sns`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-s3-sns`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.s3sns`   | 

## Overview


This AWS Solutions Construct implements an Amazon S3 Bucket that is configured to send S3 event messages to an Amazon SNS topic.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { S3ToSns } from "@aws-solutions-constructs/aws-s3-sns";

new S3ToSns(this, 'S3ToSNSPattern', {});
```

```
from aws_solutions_constructs.aws_s3_sns import S3ToSns
from aws_cdk import Stack
from constructs import Construct

S3ToSns(self, 'S3ToSNSPattern')
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.s3sns.*;

new S3ToSns(this, "S3ToSNSPattern", new S3ToSnsProps.Builder()
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingBucketObj?  |   [s3.IBucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Optional - existing instance of S3 Bucket. If this is provided, then also providing bucketProps causes an error.  | 
|  bucketProps?  |   [s3.BucketProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Bucket.  | 
|  s3EventTypes?  |   [s3.EventType](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.EventType.html)   |  The S3 event types that will trigger the notification. Defaults to s3.EventType.OBJECT_CREATED.  | 
|  s3EventFilters?  |   [s3.NotificationKeyFilter](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.NotificationKeyFilter.html)   |  S3 object key filter rules to determine which objects trigger this event. If not specified no filter rules will be applied.  | 
|  loggingBucketProps?  |   [s3.BucketProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Logging Bucket.  | 
|  logS3AccessLogs?  |   `boolean`   |  Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true  | 
|  existingTopicObj?  |   [sns.Topic](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)   |  Optional - existing instance of SNS topic object, providing both this and `topicProps` will cause an error. If the SNS Topic is encrypted with a Customer-Managed KMS Key, the key must be specified in the `existingTopicEncryptionKey` property.  | 
|  existingTopicEncryptionKey?  |   [kms.Key](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  If an existing topic is provided in the `existingTopicObj` property, and that topic is encrypted with a Customer-Managed KMS key, this property also needs to be set with same key.  | 
|  topicProps?  |   [sns.TopicProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html)   |  Optional - user provided properties to override the default properties for the SNS topic. Providing both this and `existingTopicObj` causes an error.  | 
|  enableEncryptionWithCustomerManagedKey?  |   `boolean`   |  If no key is provided, this flag determines whether the topic is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: topicProps.encryptionMasterKey, encryptionKey or encryptionKeyProps.  | 
|  encryptionKey?  |   [kms.Key](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SNS Topic with.  | 
|  encryptionKeyProps?  |   [kms.KeyProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SNS Topic with.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  snsTopic  |   [sns.Topic](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)   |  Returns an instance of the SNS Topic created by the pattern.  | 
|  encryptionKey?  |   [kms.Key](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  Returns an instance of the kms.Key associated with the SNS Topic  | 
|  s3Bucket?  |   [s3.Bucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of the s3.Bucket created by the construct  | 
|  s3LoggingBucket?  |   [s3.Bucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket.  | 
|  s3BucketInterface  |   [s3.IBucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an instance of s3.IBucket created by the construct.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon S3 Bucket

+ Configure Access logging for the S3 Bucket
+ Enable server-side encryption for S3 Bucket using an AWS managed KMS Key
+ Enforce encryption of data in transit
+ Turn on the versioning for the S3 Bucket
+ Don’t allow public access for the S3 Bucket
+ Retain the S3 Bucket when deleting the CloudFormation stack
+ Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days

### Amazon SNS Topic

+ Configure least privilege SNS Topic access policy to allow the S3 Bucket to publish messages to it
+ Enable server-side encryption for the SNS Topic using an AWS managed KMS Key
+ Enforce encryption of data in transit

## Architecture


![\[Diagram showing the S3 bucket and SNS topic created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-s3-sns.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-s3-sns) for this pattern to view the code, read/create issues and pull requests and more.



# aws-s3-sqs


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_s3_sqs`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-s3-sqs`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.s3sqs`   | 

## Overview


This AWS Solutions Construct implements an Amazon S3 Bucket that is configured to send notifications to an Amazon SQS queue.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { S3ToSqs } from "@aws-solutions-constructs/aws-s3-sqs";

new S3ToSqs(this, 'S3ToSQSPattern', {});
```

```
from aws_solutions_constructs.aws_s3_sqs import S3ToSqs
from aws_cdk import Stack
from constructs import Construct

S3ToSqs(self, 'S3ToSQSPattern')
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.s3sqs.*;

new S3ToSqs(this, "S3ToSQSPattern", new S3ToSqsProps.Builder()
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingBucketObj?  |   [s3.IBucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Optional - existing instance of S3 Bucket. If this is provided, then also providing bucketProps causes an error.  | 
|  bucketProps?  |   [s3.BucketProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Bucket, providing both this and `existingBucketObj` will cause an error.  | 
|  s3EventTypes?  |   [s3.EventType](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.EventType.html)   |  The S3 event types that will trigger the notification. Defaults to s3.EventType.OBJECT_CREATED.  | 
|  s3EventFilters?  |   [s3.NotificationKeyFilter](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.NotificationKeyFilter.html)   |  S3 object key filter rules to determine which objects trigger this event. If not specified no filter rules will be applied.  | 
|  existingQueueObj?  |   [sqs.Queue](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Existing SQS queue to be used instead of the default queue. Providing both this and `queueProps` will cause an error. If the SQS queue is encrypted, the KMS key utilized for encryption must be a customer managed CMK.  | 
|  queueProps?  |   [sqs.QueueProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional - user provided properties to override the default properties for the SQS queue. Providing both this and `existingQueueObj` will cause an error.  | 
|  deadLetterQueueProps?  |   [sqs.QueueProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional user provided props to override the default props for the dead letter SQS queue.  | 
|  deployDeadLetterQueue?  |   `boolean`   |  Whether to create a secondary queue to be used as a dead letter queue. Defaults to true.  | 
|  maxReceiveCount?  |   `number`   |  The number of times a message can be unsuccessfully dequeued before being moved to the dead letter queue. Defaults to 15.  | 
|  enableEncryptionWithCustomerManagedKey?  |   `boolean`   |  If no key is provided, this flag determines whether the queue is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: queueProps.encryptionMasterKey, encryptionKey or encryptionKeyProps.  | 
|  encryptionKey?  |   [kms.Key](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SQS Queue with.  | 
|  encryptionKeyProps?  |   [kms.KeyProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SQS queue with.  | 
|  loggingBucketProps?  |   [s3.BucketProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Logging Bucket.  | 
|  logS3AccessLogs?  |   `boolean`   |  Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  sqsQueue  |   [sqs.Queue](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the SQS queue created by the pattern.  | 
|  deadLetterQueue?  |   [sqs.Queue](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the dead-letter SQS queue created by the pattern.  | 
|  encryptionKey  |   [kms.IKey](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.IKey.html)   |  Returns an instance of kms.Key used for the SQS queue.  | 
|  s3Bucket?  |   [s3.Bucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of the s3.Bucket created by the construct  | 
|  s3LoggingBucket?  |   [s3.Bucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket.  | 
|  s3BucketInterface  |   [s3.IBucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an instance of s3.IBucket created by the construct.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon S3 Bucket

+ Configure Access logging for S3 Bucket
+ Enable server-side encryption for S3 Bucket using AWS managed KMS Key
+ Enforce encryption of data in transit
+ Turn on the versioning for S3 Bucket
+ Don’t allow public access for S3 Bucket
+ Retain the S3 Bucket when deleting the CloudFormation stack
+ Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days

### Amazon SQS Queue

+ Configure least privilege access permissions for SQS Queue
+ Deploy SQS dead-letter queue for the source SQS Queue
+ Enable server-side encryption for SQS Queue using Customer managed KMS Key
+ Enforce encryption of data in transit
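
The SNS topic and SQS queue defaults listed for aws-s3-sns and aws-s3-sqs (least-privilege resource policy, encryption at rest, TLS-only access, dead-letter queue) can be asserted against the synthesized CloudFormation template before deployment, which matters most when `existingTopicObj`, `existingQueueObj`, `topicProps` or `queueProps` replace what the construct would have created. The following is an added example, not code from the Solutions Constructs project; the sample template, its logical IDs and the check names are constructed for illustration, and it assumes policies are attached through `AWS::SQS::QueuePolicy` / `AWS::SNS::TopicPolicy` resources.

```typescript
type Json = any; // synthesized CloudFormation templates are untyped JSON
interface Finding { logicalId: string; check: string }

const S3_SERVICE = "s3.amazonaws.com";
const asArray = (v: Json): Json[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Statements of every QueuePolicy/TopicPolicy attached to the given queue or topic.
function statementsFor(resources: Json, id: string): Json[] {
  let out: Json[] = [];
  for (const key of Object.keys(resources)) {
    const res = resources[key];
    if (res.Type !== "AWS::SQS::QueuePolicy" && res.Type !== "AWS::SNS::TopicPolicy") continue;
    const targets = asArray(res.Properties?.Queues ?? res.Properties?.Topics);
    if (targets.some(t => t?.Ref === id)) {
      out = out.concat(asArray(res.Properties?.PolicyDocument?.Statement));
    }
  }
  return out;
}

const allowsS3 = (s: Json): boolean =>
  s.Effect === "Allow" && asArray(s.Principal?.Service).indexOf(S3_SERVICE) !== -1;

// In-transit enforcement: a Deny that fires when aws:SecureTransport is false.
const deniesPlaintext = (s: Json): boolean =>
  s.Effect === "Deny" && String(s.Condition?.Bool?.["aws:SecureTransport"]) === "false";

// An S3 service-principal Allow with no aws:SourceArn condition accepts events from any bucket.
function unscopedS3Allow(s: Json): boolean {
  const cond: Json = s.Condition ?? {};
  return allowsS3(s) && !Object.keys(cond).some(op => cond[op]?.["aws:SourceArn"] !== undefined);
}

// A condition-free Allow for every principal is the opposite of least privilege.
const openAllow = (s: Json): boolean =>
  s.Effect === "Allow" && s.Condition === undefined &&
  (s.Principal === "*" || asArray(s.Principal?.AWS).indexOf("*") !== -1);

function auditMessaging(template: Json): Finding[] {
  const resources: Json = template.Resources ?? {};
  const ids = Object.keys(resources);
  // Queues named as a redrive target are dead-letter queues and need no DLQ of their own.
  const dlqIds = ids.map(
    id => resources[id].Properties?.RedrivePolicy?.deadLetterTargetArn?.["Fn::GetAtt"]?.[0]);
  const findings: Finding[] = [];
  const flag = (logicalId: string, check: string, bad: boolean): void => {
    if (bad) findings.push({ logicalId, check });
  };

  for (const id of ids) {
    const res = resources[id];
    const isQueue = res.Type === "AWS::SQS::Queue";
    if (!isQueue && res.Type !== "AWS::SNS::Topic") continue;
    const key = res.Properties?.KmsMasterKeyId;
    const stmts = statementsFor(resources, id);
    const isS3Target = stmts.some(allowsS3);
    flag(id, "sse-enabled", key === undefined);
    // The props table above requires a customer managed key for an encrypted queue
    // that receives S3 notifications; alias/aws/sqs is the AWS managed key.
    flag(id, "s3-queue-needs-cmk", isQueue && isS3Target && key === "alias/aws/sqs");
    flag(id, "dead-letter-queue",
      isQueue && dlqIds.indexOf(id) === -1 && res.Properties?.RedrivePolicy === undefined);
    flag(id, "tls-only", !stmts.some(deniesPlaintext));
    flag(id, "s3-principal-scoped", stmts.some(unscopedS3Allow));
    flag(id, "no-open-allow", stmts.some(openAllow));
  }
  return findings;
}

// Constructed sample standing in for `cdk synth` output (logical IDs are made up).
const tlsDeny = (action: string): Json => ({ Effect: "Deny", Principal: "*", Action: action,
  Condition: { Bool: { "aws:SecureTransport": "false" } } });
const s3Allow = (action: string, bucketId?: string): Json => ({ Effect: "Allow",
  Principal: { Service: S3_SERVICE }, Action: action,
  ...(bucketId
    ? { Condition: { ArnLike: { "aws:SourceArn": { "Fn::GetAtt": [bucketId, "Arn"] } } } }
    : {}) });
const queuePolicy = (queueId: string, statements: Json[]): Json => ({
  Type: "AWS::SQS::QueuePolicy",
  Properties: { Queues: [{ Ref: queueId }], PolicyDocument: { Statement: statements } } });

const SAMPLE_TEMPLATE: Json = { Resources: {
  UploadQueue: { Type: "AWS::SQS::Queue", Properties: {
    KmsMasterKeyId: { "Fn::GetAtt": ["QueueKey", "Arn"] },
    RedrivePolicy: { deadLetterTargetArn: { "Fn::GetAtt": ["UploadDlq", "Arn"] },
      maxReceiveCount: 15 } } },
  UploadQueuePolicy: queuePolicy("UploadQueue",
    [tlsDeny("sqs:*"), s3Allow("sqs:SendMessage", "Bucket")]),
  UploadDlq: { Type: "AWS::SQS::Queue", Properties: { KmsMasterKeyId: "alias/aws/sqs" } },
  UploadDlqPolicy: queuePolicy("UploadDlq", [tlsDeny("sqs:*")]),
  // An existing queue handed to the pattern: AWS managed key and no redrive policy.
  LegacyQueue: { Type: "AWS::SQS::Queue", Properties: { KmsMasterKeyId: "alias/aws/sqs" } },
  LegacyQueuePolicy: queuePolicy("LegacyQueue",
    [tlsDeny("sqs:*"), s3Allow("sqs:SendMessage", "Bucket")]),
  // An existing topic: unencrypted, no TLS deny, S3 allowed without a source bucket.
  LegacyTopic: { Type: "AWS::SNS::Topic", Properties: {} },
  LegacyTopicPolicy: { Type: "AWS::SNS::TopicPolicy", Properties: {
    Topics: [{ Ref: "LegacyTopic" }],
    PolicyDocument: { Statement: [s3Allow("sns:Publish")] } } },
} };

for (const f of auditMessaging(SAMPLE_TEMPLATE)) console.log(`${f.logicalId}: ${f.check}`);
```
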

## Architecture


![\[Diagram showing the S3 bucket and SQS queue and dlq created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-s3-sqs.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-s3-sqs) for this pattern to view the code, read/create issues and pull requests and more.



# aws-s3-stepfunctions


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_s3_stepfunctions`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-s3-stepfunctions`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.s3stepfunctions`   | 

## Overview


This AWS Solutions Construct implements an Amazon S3 bucket connected to an AWS Step Functions state machine.

 *Note - This construct sends S3 Event Notifications to EventBridge, then triggers AWS Step Functions State Machine executions from EventBridge.* 

 *An alternative architecture can be built that triggers a Lambda function from S3 Event notifications using aws-s3-lambda and aws-lambda-stepfunctions. Channelling the S3 events through Lambda is less flexible than EventBridge, but is more cost effective and has lower latency.* 

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { S3ToStepfunctions, S3ToStepfunctionsProps } from '@aws-solutions-constructs/aws-s3-stepfunctions';
import * as stepfunctions from 'aws-cdk-lib/aws-stepfunctions';

const startState = new stepfunctions.Pass(this, 'StartState');

new S3ToStepfunctions(this, 'test-s3-stepfunctions-stack', {
    stateMachineProps: {
      definition: startState
    }
});
```

```
from aws_solutions_constructs.aws_s3_stepfunctions import S3ToStepfunctions
from aws_cdk import (
    aws_stepfunctions as stepfunctions,
    Stack
)
from constructs import Construct

start_state = stepfunctions.Pass(self, 'start_state')

S3ToStepfunctions(
    self, 'test_s3_stepfunctions_stack',
    state_machine_props=stepfunctions.StateMachineProps(
        definition=start_state)
)
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.stepfunctions.*;
import software.amazon.awsconstructs.services.s3stepfunctions.*;

final Pass startState = new Pass(this, "StartState");

new S3ToStepfunctions(this, "test_s3_stepfunctions_stack",
        new S3ToStepfunctionsProps.Builder()
                .stateMachineProps(new StateMachineProps.Builder()
                        .definition(startState)
                        .build())
                .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingBucketObj?  |   [s3.IBucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Optional - existing instance of S3 Bucket. If this is provided, then also providing bucketProps causes an error. **The existing bucket must have [EventBridge enabled](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications-eventbridge.html) for this to work.**   | 
|  bucketProps?  |   [s3.BucketProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Bucket, providing both this and `existingBucketObj` will cause an error.  | 
|  stateMachineProps  |   [sfn.StateMachineProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachineProps.html)   |  User provided props for the sfn.StateMachine. This or existingStateMachine is required. If you provide a value for logs.destination, it must be an ILogGroup even though the prop type is ILogGroupRef. The CDK change to ILogGroupRef in v2.235.0 is incompatible with our interface without introducing breaking changes, so we still require an ILogGroup (as this implements ILogGroupRef, you can just assign it to logs.destination).  | 
|  eventRuleProps?  |   [events.RuleProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events.RuleProps.html)   |  Optional user provided eventRuleProps to override the defaults.  | 
|  deployCloudTrail?  |   `boolean`   |  Whether to deploy a Trail in AWS CloudTrail to log API events in Amazon S3. Defaults to `true`. **This is now deprecated and ignored because the construct no longer needs CloudTrail since it uses S3 Event Notifications**.  | 
|  createCloudWatchAlarms  |   `boolean`   |  Whether to create recommended CloudWatch alarms.  | 
|  logGroupProps?  |   [logs.LogGroupProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  Optional user provided props to override the default props for the CloudWatchLogs LogGroup.  | 
|  loggingBucketProps?  |   [s3.BucketProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketProps.html)   |  Optional user provided props to override the default props for the S3 Logging Bucket.  | 
|  logS3AccessLogs?  |   `boolean`   |  Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  stateMachine  |   [sfn.StateMachine](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachine.html)   |  Returns an instance of sfn.StateMachine created by the construct.  | 
|  stateMachineLogGroup  |   [logs.ILogGroup](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.ILogGroup.html)   |  Returns an instance of the ILogGroup created by the construct for StateMachine.  | 
|  cloudwatchAlarms?  |   [cloudwatch.Alarm](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns a list of cloudwatch.Alarm created by the construct.  | 
|  s3Bucket?  |   [s3.Bucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of the s3.Bucket created by the construct.  | 
|  s3LoggingBucket?  |   [s3.Bucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)   |  Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket.  | 
|  s3BucketInterface  |   [s3.IBucket](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.IBucket.html)   |  Returns an instance of s3.IBucket created by the construct.  | 

 *Note - with the release of Enable EventBridge for Amazon S3, AWS CloudTrail is no longer required to implement this construct. Because of this, the following properties have been removed:* 

+ cloudtrail
+ cloudtrailBucket
+ cloudtrailLoggingBucket

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon S3 Bucket

+ Enable EventBridge to send events from the S3 Bucket
+ Configure Access logging for S3 Bucket
+ Enable server-side encryption for S3 Bucket using AWS managed KMS Key
+ Enforce encryption of data in transit
+ Turn on the versioning for S3 Bucket
+ Don’t allow public access for S3 Bucket
+ Retain the S3 Bucket when deleting the CloudFormation stack
+ Applies Lifecycle Rule to move noncurrent object versions to Glacier storage after 90 days
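
Values passed in `bucketProps` override these S3 bucket defaults (the same list appears for aws-s3-lambda, aws-s3-sns and aws-s3-sqs), so it is worth asserting them against the synthesized CloudFormation template. The following is an added example, not code from the Solutions Constructs project: the sample template, its logical IDs, the check names and the rule that a bucket receiving another bucket's access logs counts as a logging bucket are assumptions of the example. Enforcement of encryption in transit lives in the bucket policy and is not checked here.

```typescript
type Json = any; // synthesized CloudFormation templates are untyped JSON

interface Finding { logicalId: string; check: string }
// primaryOnly checks are skipped for buckets that only receive access logs.
interface Check { name: string; primaryOnly: boolean; ok: (res: Json) => boolean }

const PAB_FLAGS = ["BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets"];

// One predicate per documented default. Each receives the whole resource,
// because DeletionPolicy sits beside Properties rather than inside it.
const CHECKS: Check[] = [
  { name: "access-logging", primaryOnly: true,
    ok: res => res.Properties?.LoggingConfiguration?.DestinationBucketName !== undefined },
  { name: "sse-default", primaryOnly: false,
    ok: res => (res.Properties?.BucketEncryption?.ServerSideEncryptionConfiguration ?? [])
      .some((rule: Json) => typeof rule.ServerSideEncryptionByDefault?.SSEAlgorithm === "string") },
  { name: "versioning", primaryOnly: false,
    ok: res => res.Properties?.VersioningConfiguration?.Status === "Enabled" },
  { name: "public-access-block", primaryOnly: false,
    ok: res => PAB_FLAGS.every(f => res.Properties?.PublicAccessBlockConfiguration?.[f] === true) },
  { name: "retain-on-delete", primaryOnly: false,
    ok: res => res.DeletionPolicy === "Retain" },
  { name: "noncurrent-to-glacier-90d", primaryOnly: true,
    ok: res => (res.Properties?.LifecycleConfiguration?.Rules ?? []).some((rule: Json) =>
      rule.Status === "Enabled" && (rule.NoncurrentVersionTransitions ?? []).some(
        (t: Json) => t.StorageClass === "GLACIER" && t.TransitionInDays === 90)) },
];

const refOf = (value: Json): string | undefined =>
  typeof value?.Ref === "string" ? value.Ref : undefined;

function auditBuckets(template: Json): Finding[] {
  const resources: Json = template.Resources ?? {};
  const bucketIds = Object.keys(resources).filter(id => resources[id].Type === "AWS::S3::Bucket");
  // A bucket that another bucket logs to is treated as a logging bucket.
  const logTargets = bucketIds
    .map(id => refOf(resources[id].Properties?.LoggingConfiguration?.DestinationBucketName))
    .filter(ref => ref !== undefined);
  const findings: Finding[] = [];
  for (const id of bucketIds) {
    const isLogBucket = logTargets.indexOf(id) !== -1;
    for (const check of CHECKS) {
      if (isLogBucket && check.primaryOnly) continue;
      if (!check.ok(resources[id])) findings.push({ logicalId: id, check: check.name });
    }
  }
  return findings;
}

// Constructed sample standing in for `cdk synth` output (logical IDs are made up).
const base = {
  BucketEncryption: { ServerSideEncryptionConfiguration: [
    { ServerSideEncryptionByDefault: { SSEAlgorithm: "aws:kms" } }] },
  VersioningConfiguration: { Status: "Enabled" },
  PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true,
    IgnorePublicAcls: true, RestrictPublicBuckets: true },
};
const logsTo = { DestinationBucketName: { Ref: "DataBucketLogs" } };
const glacierAfter = (days: number): Json => ({ Rules: [{ Status: "Enabled",
  NoncurrentVersionTransitions: [{ StorageClass: "GLACIER", TransitionInDays: days }] }] });

const SAMPLE_TEMPLATE: Json = { Resources: {
  DataBucketLogs: { Type: "AWS::S3::Bucket", DeletionPolicy: "Retain", Properties: { ...base } },
  DataBucket: { Type: "AWS::S3::Bucket", DeletionPolicy: "Retain", Properties: {
    ...base, LoggingConfiguration: logsTo, LifecycleConfiguration: glacierAfter(90) } },
  // What a bucket can look like after bucketProps overrides weaken the defaults.
  ReportsBucket: { Type: "AWS::S3::Bucket", DeletionPolicy: "Delete", Properties: {
    ...base,
    VersioningConfiguration: { Status: "Suspended" },
    PublicAccessBlockConfiguration: { ...base.PublicAccessBlockConfiguration,
      RestrictPublicBuckets: false },
    LoggingConfiguration: logsTo, LifecycleConfiguration: glacierAfter(365) } },
  Handler: { Type: "AWS::Lambda::Function", Properties: {} },
} };

for (const f of auditBuckets(SAMPLE_TEMPLATE)) console.log(`${f.logicalId}: ${f.check}`);
```
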

### AWS S3 Event Notification

+ Enable S3 to send events to EventBridge when an object is created.

### Amazon CloudWatch Events Rule

+ Grant least privilege permissions to CloudWatch Events to trigger the Lambda Function

### AWS Step Functions

+ Enable CloudWatch logging for API Gateway
+ Deploy best practices CloudWatch Alarms for the Step Functions

## Architecture


![\[Diagram showing the S3 bucket, EventBridge rule, Step Functions state machine, CloudWatch log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-s3-stepfunctions.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-s3-stepfunctions) for this pattern to view the code, read/create issues and pull requests and more.



# aws-sns-lambda


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_sns_lambda`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-sns-lambda`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.snslambda`   | 

## Overview


This AWS Solutions Construct implements an Amazon SNS topic connected to an AWS Lambda function.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { SnsToLambda, SnsToLambdaProps } from "@aws-solutions-constructs/aws-sns-lambda";
import * as lambda from 'aws-cdk-lib/aws-lambda';

new SnsToLambda(this, 'test-sns-lambda', {
  lambdaFunctionProps: {
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler',
    code: lambda.Code.fromAsset(`lambda`)
  }
});
```

```
from aws_solutions_constructs.aws_sns_lambda import SnsToLambda
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

SnsToLambda(self, 'test_sns_lambda',
            lambda_function_props=_lambda.FunctionProps(
                code=_lambda.Code.from_asset('lambda'),
                runtime=_lambda.Runtime.PYTHON_3_14,
                handler='index.handler'
            )
            )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.snslambda.*;

new SnsToLambda(this, "test-lambda-sqs-stack", new SnsToLambdaProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and `lambdaFunctionProps` will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  existingTopicObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)   |  Optional - existing instance of SNS topic object, providing both this and `topicProps` will cause an error.  | 
|  topicProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html)   |  Optional - user provided properties to override the default properties for the SNS topic. Providing both this and `existingTopicObj` causes an error.  | 
|  enableEncryptionWithCustomerManagedKey?  |   `boolean`   |  If no key is provided, this flag determines whether the SNS Topic is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: topicProps.masterKey, encryptionKey or encryptionKeyProps.  | 
|  encryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SNS Topic with.  | 
|  encryptionKeyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SNS Topic with.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  snsTopic  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)   |  Returns an instance of the SNS topic created by the pattern.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon SNS Topic

+ Configure least privilege access permissions for SNS Topic
+ Enable server-side encryption for SNS Topic using AWS managed KMS Key
+ Enforce encryption of data in transit

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

## Architecture


![\[Diagram showing the SNS topic, Lambda Function, CloudWatch log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-sns-lambda.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-sns-lambda) for this pattern to view the code, read/create issues and pull requests and more.



# aws-sns-sqs


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_sns_sqs`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-sns-sqs`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.snssqs`   | 

## Overview


This AWS Solutions Construct implements an Amazon SNS topic connected to an Amazon SQS queue.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { SnsToSqs, SnsToSqsProps } from "@aws-solutions-constructs/aws-sns-sqs";
import * as iam from 'aws-cdk-lib/aws-iam';

const snsToSqsStack = new SnsToSqs(this, 'SnsToSqsPattern', {});

// Grant yourself permissions to use the Customer Managed KMS Key
const policyStatement = new iam.PolicyStatement({
    actions: ["kms:Encrypt", "kms:Decrypt"],
    effect: iam.Effect.ALLOW,
    principals: [ new iam.AccountRootPrincipal() ],
    resources: [ "*" ]
});

snsToSqsStack.queueEncryptionKey?.addToResourcePolicy(policyStatement);
snsToSqsStack.topicEncryptionKey?.addToResourcePolicy(policyStatement);
```

```
from aws_solutions_constructs.aws_sns_sqs import SnsToSqs
from aws_cdk import (
    aws_iam as iam,
    Stack
)
from constructs import Construct

construct_stack = SnsToSqs(self, 'SnsToSqsPattern')

policy_statement = iam.PolicyStatement(
    actions=["kms:Encrypt", "kms:Decrypt"],
    effect=iam.Effect.ALLOW,
    principals=[iam.AccountRootPrincipal()],
    resources=["*"]
)

construct_stack.queue_encryption_key.add_to_resource_policy(policy_statement)
construct_stack.topic_encryption_key.add_to_resource_policy(policy_statement)
```

```
import software.constructs.Construct;
import java.util.List;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.iam.*;
import software.amazon.awsconstructs.services.snssqs.*;

final SnsToSqs constructStack = new SnsToSqs(this, "SnsToSqsPattern",
        new SnsToSqsProps.Builder()
                .build());

// Grant yourself permissions to use the Customer Managed KMS Key
final PolicyStatement policyStatement = PolicyStatement.Builder.create()
        .actions(List.of("kms:Encrypt", "kms:Decrypt"))
        .effect(Effect.ALLOW)
        .principals(List.of(new AccountRootPrincipal()))
        .resources(List.of("*"))
        .build();

constructStack.getQueueEncryptionKey().addToResourcePolicy(policyStatement);
constructStack.getTopicEncryptionKey().addToResourcePolicy(policyStatement);
```

## New Interface as of v2.58.0


As of Solutions Constructs v2.58.0, we have updated the interface of SnsToSqs. The original implementation shared a KMS customer managed key between the topic and queue. There was a single set of construct props to define this key and a single property to access the single key. The new interface does not share a key, but uses a separate key for each resource and allows clients to control and access these keys independently.

In CDK v2.32.0, the CDK introduced an improvement in SNS Subscriptions that narrowed the permissions to access the SQS encryption key to the specific SNS topic (it was formerly the entire SNS service). This feature created a circular reference in SnsToSqs constructs due to the shared KMS keys, but since the improvement was gated behind the feature flag `@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption`, it had no impact on existing applications. Newly generated CDK apps had the feature flag turned on by default, so would have to adjust settings to avoid the circular reference (the minimal deployment code would not work).

In addition, attempting to share the key between resources led to odd implementation choices in the construct - the implementation was highly biased towards the topic. For instance, if an existingTopic was provided but a CMK was still created to encrypt the queue, that CMK was not available in the `encryptionKey` property.

Code using the original, single key props should continue to work - while that portion of the construct interface is deprecated it is not going away any time soon. Any code using any of those props, or with the new feature flag not enabled, will continue to use the old implementation. We wrote many unit tests confirming the old implementation will continue to work the same, warts and all. We do recommend that you migrate to use the new key features to take advantage of the finer grained IAM policy for the key and more control over key behavior within the construct.

Any code that references one of the new key properties (or that enables the new feature flag) will use the new functionality.

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingTopicObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)   |  Optional - existing instance of SNS topic object, providing both this and `topicProps` will cause an error.  | 
|  topicProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.TopicProps.html)   |  Optional - user provided properties to override the default properties for the SNS topic. Providing both this and `existingTopicObj` causes an error.  | 
|  encryptTopicWithCmk  |   `boolean`   |  Whether to encrypt the Topic with a customer managed KMS key (CMK). This is the default behavior, and this property defaults to true - if it is explicitly set to false then the Topic is encrypted using SQS_MANAGED encryption. NOTE - other constructs with SQS queues default to AWS managed KMS key encryption, but an SNS subscription does not work with that configuration. For a completely unencrypted Topic (not recommended), create the Topic separately from the construct and pass it in using the existingTopicObject.  | 
|  topicEncryptionKeyProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  An optional subset of key properties to override the default properties used by constructs (`enableKeyRotation: true`). These properties will be used in constructing the CMK used to encrypt the SNS topic.  | 
|  existingTopicEncryptionKey  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional CMK that will be used by the construct to encrypt the new SNS Topic.  | 
|  existingQueueObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  An optional, existing SQS queue to be used instead of the default queue. Providing both this and `queueProps` will cause an error.  | 
|  queueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional - user provided properties to override the default properties for the SQS queue. Providing both this and `existingQueueObj` will cause an error.  | 
|  encryptQueueWithCmk  |   `boolean`   |  Whether to encrypt the Queue with a customer managed KMS key (CMK). This is the default behavior, and this property defaults to true - if it is explicitly set to false then the Queue is encrypted with an Amazon managed KMS key. For a completely unencrypted Queue (not recommended), create the Queue separately from the construct and pass it in using the existingQueueObject. Since SNS subscriptions do not currently support SQS queues with AWS managed encryption keys, setting this to false will always result in an error from the underlying CDK - we have still included this property for consistency with topics and to be ready if the services one day support this functionality.  | 
|  queueEncryptionKeyProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  An optional subset of key properties to override the default properties used by constructs (`enableKeyRotation: true`). These properties will be used in constructing the CMK used to encrypt the SQS queue.  | 
|  existingQueueEncryptionKey  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional CMK that will be used by the construct to encrypt the new SQS queue.  | 
|  deployDeadLetterQueue?  |   `boolean`   |  Whether to create a secondary queue to be used as a dead letter queue. Defaults to true.  | 
|  deadLetterQueueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional user-provided props to override the default props for the dead letter SQS queue.  | 
|  maxReceiveCount?  |   `number`   |  The number of times a message can be unsuccessfully dequeued before being moved to the dead letter queue. Defaults to 15.  | 
|  sqsSubscriptionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns_subscriptions.SqsSubscriptionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns_subscriptions.SqsSubscriptionProps.html)   |  Optional user-provided props to override the default props for sqsSubscriptionProps.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  snsTopic  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html)   |  Returns an instance of the SNS topic created by the pattern.  | 
|  topicEncryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  Returns the KMS key used to encrypt the topic within the construct. Note - this is only set if the construct assigns the key, if the key is passed in topicProps it will not appear here.  | 
|  sqsQueue  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the SQS queue created by the pattern.  | 
|  queueEncryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  Returns the KMS key used to encrypt the queue within the construct. Note - this is only set if the construct assigns the key, if the key is passed in topicProps it will not appear here.  | 
|  deadLetterQueue?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the dead-letter SQS queue created by the pattern.  | 

## Deprecated Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  enableEncryptionWithCustomerManagedKey?  |   `boolean`   |  If no key is provided, this flag determines whether the queue is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: topicProps.masterKey, queueProps.encryptionMasterKey, encryptionKey or encryptionKeyProps. We recommend you migrate your code to use encryptQueueWithCmk and encryptTopicWithCmk in place of this prop value.  | 
|  encryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SQS Queue and SNS Topic with. We recommend you migrate your code to use queueEncryptionKey and topicEncryptionKey in place of this prop value.  | 
|  encryptionKeyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SQS topic and queue with. We recommend you migrate your code to use queueEncryptionKeyProps and topicEncryptionKeyProps in place of this prop value.  | 

## Deprecated Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  encryptionKey  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  Returns an instance of kms.Key used for the SQS queue, and SNS Topic.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon SNS Topic

+ Configure least privilege access permissions for SNS Topic
+ Enable server-side encryption for SNS Topic using Customer managed KMS Key
+ Enforce encryption of data in transit

### Amazon SQS Queue

+ Configure least privilege access permissions for SQS Queue
+ Deploy SQS dead-letter queue for the source SQS Queue
+ Enable server-side encryption for SQS Queue using Customer managed KMS Key
+ Enforce encryption of data in transit
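
The checks below, an added example rather than code from the Solutions Constructs project, audit a synthesized CloudFormation template for the separate-key design described under "New Interface as of v2.58.0" and for the SNS and SQS defaults listed above. The sample template and its logical IDs are constructed and trimmed to the properties the audit reads, and the audit assumes both KMS keys are created in the same stack.

```typescript
// Added example: audit a synthesized CloudFormation template for the SnsToSqs defaults.
type Props = { [k: string]: any };
interface Template { Resources: { [id: string]: { Type: string; Properties?: Props } } }

// Resolve {"Ref": id} or {"Fn::GetAtt": [id, attr]} to a logical ID.
function logicalId(v: any): string | undefined {
  if (!v || typeof v !== 'object') return undefined;
  if (typeof v.Ref === 'string') return v.Ref;
  const g = v['Fn::GetAtt'];
  return Array.isArray(g) && typeof g[0] === 'string' ? g[0] : undefined;
}

function props(t: Template, id: string): Props { return t.Resources[id].Properties || {}; }

function idsOfType(t: Template, type: string): string[] {
  return Object.keys(t.Resources).filter(id => t.Resources[id].Type === type);
}

// Logical ID of the KMS key, defined in this template, that encrypts a topic or queue.
function cmkOf(t: Template, id: string): string | undefined {
  const key = logicalId(props(t, id).KmsMasterKeyId);
  const res = key === undefined ? undefined : t.Resources[key];
  return res && res.Type === 'AWS::KMS::Key' ? key : undefined;
}

// True when a policy of policyType is attached to target and denies non-TLS requests.
function enforcesTls(t: Template, policyType: string, listProp: string, target: string): boolean {
  return idsOfType(t, policyType).some(pid => {
    const p = props(t, pid);
    const attached: any[] = Array.isArray(p[listProp]) ? p[listProp] : [];
    const doc = p.PolicyDocument;
    const stmts: any[] = doc && Array.isArray(doc.Statement) ? doc.Statement : [];
    return attached.some(x => logicalId(x) === target) && stmts.some(s =>
      s.Effect === 'Deny' && !!s.Condition && !!s.Condition.Bool &&
      String(s.Condition.Bool['aws:SecureTransport']) === 'false');
  });
}

// One finding per violated default, for every SNS-to-SQS subscription in the template.
function auditSnsToSqs(t: Template): string[] {
  const findings: string[] = [];
  for (const sid of idsOfType(t, 'AWS::SNS::Subscription')) {
    const sub = props(t, sid);
    if (sub.Protocol !== 'sqs') continue;
    const topic = logicalId(sub.TopicArn);
    const queue = logicalId(sub.Endpoint);
    if (!topic || !queue || !t.Resources[topic] || !t.Resources[queue]) {
      findings.push(sid + ': topic or queue is defined outside this template');
      continue;
    }
    const topicKey = cmkOf(t, topic);
    const queueKey = cmkOf(t, queue);
    if (!topicKey) findings.push(topic + ': not encrypted with a KMS key from this template');
    if (!queueKey) findings.push(queue + ': not encrypted with a KMS key from this template');
    if (topicKey && topicKey === queueKey) findings.push(topic + ' and ' + queue + ' share key ' + topicKey);
    for (const k of topicKey === queueKey ? [topicKey] : [topicKey, queueKey]) {
      if (k && props(t, k).EnableKeyRotation !== true) findings.push(k + ': key rotation is not enabled');
    }
    const redrive = props(t, queue).RedrivePolicy;
    if (!redrive || !logicalId(redrive.deadLetterTargetArn) || typeof redrive.maxReceiveCount !== 'number') {
      findings.push(queue + ': no dead-letter queue redrive policy');
    }
    if (!enforcesTls(t, 'AWS::SNS::TopicPolicy', 'Topics', topic)) findings.push(topic + ': no policy denying non-TLS requests');
    if (!enforcesTls(t, 'AWS::SQS::QueuePolicy', 'Queues', queue)) findings.push(queue + ': no policy denying non-TLS requests');
  }
  return findings;
}

// Constructed sample: standard CloudFormation resource shapes, made-up logical IDs.
function sampleTemplate(): Template {
  const denyNoTls = (action: string) => ({ Effect: 'Deny', Principal: { AWS: '*' }, Action: action,
    Resource: '*', Condition: { Bool: { 'aws:SecureTransport': 'false' } } });
  return { Resources: {
    TopicKey: { Type: 'AWS::KMS::Key', Properties: { EnableKeyRotation: true } },
    QueueKey: { Type: 'AWS::KMS::Key', Properties: { EnableKeyRotation: true } },
    Topic: { Type: 'AWS::SNS::Topic', Properties: { KmsMasterKeyId: { 'Fn::GetAtt': ['TopicKey', 'Arn'] } } },
    Dlq: { Type: 'AWS::SQS::Queue', Properties: {} },
    Queue: { Type: 'AWS::SQS::Queue', Properties: {
      KmsMasterKeyId: { 'Fn::GetAtt': ['QueueKey', 'Arn'] },
      RedrivePolicy: { deadLetterTargetArn: { 'Fn::GetAtt': ['Dlq', 'Arn'] }, maxReceiveCount: 15 } } },
    TopicPolicy: { Type: 'AWS::SNS::TopicPolicy', Properties: {
      Topics: [{ Ref: 'Topic' }], PolicyDocument: { Statement: [denyNoTls('sns:Publish')] } } },
    QueuePolicy: { Type: 'AWS::SQS::QueuePolicy', Properties: {
      Queues: [{ Ref: 'Queue' }], PolicyDocument: { Statement: [denyNoTls('sqs:*')] } } },
    Subscription: { Type: 'AWS::SNS::Subscription', Properties: {
      Protocol: 'sqs', TopicArn: { Ref: 'Topic' }, Endpoint: { 'Fn::GetAtt': ['Queue', 'Arn'] } } },
  } };
}

// The same sample with three regressions: shared key, rotation off, queue policy removed.
function weakenedTemplate(): Template {
  const t: Template = JSON.parse(JSON.stringify(sampleTemplate()));
  props(t, 'Queue').KmsMasterKeyId = { 'Fn::GetAtt': ['TopicKey', 'Arn'] };
  props(t, 'TopicKey').EnableKeyRotation = false;
  delete t.Resources['QueuePolicy'];
  return t;
}
```

To audit a real stack, pass `auditSnsToSqs` the parsed template JSON that `cdk synth` writes under `cdk.out/`. A key imported from another stack is reported as not coming from the template, so review those findings by hand.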

## Architecture


![\[Diagram showing the SNS topic, and SQS queue and dlq created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-sns-sqs.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-sns-sqs) for this pattern to view the code, read/create issues and pull requests and more.



# aws-sqs-lambda


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_sqs_lambda`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-sqs-lambda`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.sqslambda`   | 

## Overview


This AWS Solutions Construct implements an Amazon SQS queue connected to an AWS Lambda function.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { SqsToLambda, SqsToLambdaProps } from "@aws-solutions-constructs/aws-sqs-lambda";
import * as lambda from 'aws-cdk-lib/aws-lambda';

new SqsToLambda(this, 'SqsToLambdaPattern', {
  lambdaFunctionProps: {
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler',
    code: lambda.Code.fromAsset(`lambda`)
  }
});
```

```
from aws_solutions_constructs.aws_sqs_lambda import SqsToLambda
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct


SqsToLambda(self, 'SqsToLambdaPattern',
            lambda_function_props=_lambda.FunctionProps(
                code=_lambda.Code.from_asset('lambda'),
                runtime=_lambda.Runtime.PYTHON_3_14,
                handler='index.handler'
            )
            )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.sqslambda.*;

new SqsToLambda(this, "SnsToSqsPattern", new SqsToLambdaProps.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_22_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLambdaObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - instance of an existing Lambda Function object, providing both this and lambdaFunctionProps will cause an error.  | 
|  lambdaFunctionProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.FunctionProps.html)   |  Optional - user provided props to override the default props for the Lambda function. Providing both this and `existingLambdaObj` causes an error.  | 
|  existingQueueObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  An optional, existing SQS queue to be used instead of the default queue. Providing both this and `queueProps` will cause an error.  | 
|  queueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional - user provided properties to override the default properties for the SQS queue. Providing both this and `existingQueueObj` will cause an error.  | 
|  deadLetterQueueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional user-provided props to override the default props for the dead letter SQS queue.  | 
|  deployDeadLetterQueue?  |   `boolean`   |  Whether to create a secondary queue to be used as a dead letter queue. Defaults to true.  | 
|  maxReceiveCount?  |   `number`   |  The number of times a message can be unsuccessfully dequeued before being moved to the dead letter queue. Defaults to 15.  | 
|  sqsEventSourceProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_event_sources.SqsEventSourceProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda_event_sources.SqsEventSourceProps.html)   |  Optional user provided properties for the queue event source.  | 
|  enableEncryptionWithCustomerManagedKey?  |   `boolean`   |  If no key is provided, this flag determines whether the queue is encrypted with a new CMK or an AWS managed key. This flag is ignored if any of the following are defined: queueProps.encryptionMasterKey, encryptionKey or encryptionKeyProps.  | 
|  encryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional, imported encryption key to encrypt the SQS Queue with.  | 
|  encryptionKeyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  Optional user provided properties to override the default properties for the KMS encryption key used to encrypt the SQS queue with.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  lambdaFunction  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Returns an instance of the Lambda function created by the pattern.  | 
|  sqsQueue  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the SQS queue created by the pattern.  | 
|  deadLetterQueue?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the dead-letter SQS queue created by the pattern.  | 

## Default settings


Out of the box implementation of the Construct without any override will set the following defaults:

### Amazon SQS Queue

+ Deploy SQS dead-letter queue for the source SQS Queue
+ Enable server-side encryption for source SQS Queue using AWS Managed KMS Key
+ Enforce encryption of data in transit

### AWS Lambda Function

+ Configure limited privilege access IAM role for Lambda function
+ Enable reusing connections with Keep-Alive for NodeJs Lambda function
+ Enable X-Ray Tracing
+ Set Environment Variables
  + AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

## Architecture


![\[Diagram showing the SQS queue, Lambda Function, CloudWatch log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-sqs-lambda.png)


## Github


Go to the [Github repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-sqs-lambda) for this pattern to view the code, read/create issues and pull requests and more.



# aws-sqs-pipes-stepfunctions


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_sqs_pipes_stepfunctions`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-sqs-pipes-stepfunctions`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.sqspipesstepfunctions`   | 

## Overview


This AWS Solutions Construct implements an Amazon SQS queue whose messages are passed to an AWS Step Functions state machine by an Amazon EventBridge pipe.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import { SqsToPipesToStepfunctions, SqsToPipesToStepfunctionsProps } from "@aws-solutions-constructs/aws-sqs-pipes-stepfunctions";

new SqsToPipesToStepfunctions(this, 'SqsToPipesToStepfunctionsPattern', {
  stateMachineProps: {
    definitionBody: sfn.DefinitionBody.fromChainable(sfn.Chain.start(new sfn.Pass(this, 'Pass'))),
  }
});
```

```
from constructs import Construct
from aws_cdk import (
    aws_stepfunctions as _sfn,
    Stack
)
from aws_solutions_constructs import (
    aws_sqs_pipes_stepfunctions as sqs_pipes_stepfunctions
)

sqs_pipes_stepfunctions.SqsToPipesToStepfunctions(
    self, 'SqsToPipesToStepfunctions',
    state_machine_props=_sfn.StateMachineProps(
        definition_body=_sfn.DefinitionBody.from_chainable(_sfn.Chain.start(_sfn.Pass(self, "pass")))
    )
)
```

```
package com.myorg;

import software.constructs.Construct;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;

import software.amazon.awscdk.services.stepfunctions.*;
import software.amazon.awsconstructs.services.sqspipesstepfunctions.SqsToPipesToStepfunctions;
import software.amazon.awsconstructs.services.sqspipesstepfunctions.SqsToPipesToStepfunctionsProps;

// The state machine definition is a single Pass state created in this stack.
new SqsToPipesToStepfunctions(this, "SqsToPipesToStepfunctionsPattern",
    SqsToPipesToStepfunctionsProps.builder()
        .stateMachineProps(StateMachineProps.builder()
            .definitionBody(DefinitionBody.fromChainable(Chain.start(new Pass(this, "Pass"))))
            .build())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingQueueObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  An optional, existing SQS queue to be used instead of the default queue. Providing both this and `queueProps` will cause an error.  | 
|  queueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional - user provided properties to override the default properties for the SQS queue. Providing both this and `existingQueueObj` will cause an error.  | 
|  encryptQueueWithCmk  |   `boolean`   |  Whether to encrypt the Queue with a customer managed KMS key (CMK). This is the default behavior, and this property defaults to true - if it is explicitly set to false then the Queue is encrypted with an Amazon managed KMS key. For a completely unencrypted Queue (not recommended), create the Queue separately from the construct and pass it in using `existingQueueObj`. Since SNS subscriptions do not currently support SQS queues with AWS managed encryption keys, setting this to false will always result in an error from the underlying CDK - we have still included this property for consistency with topics and to be ready if the services one day support this functionality.  | 
|  queueEncryptionKeyProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html#construct-props)   |  An optional subset of key properties to override the default properties used by constructs (`enableKeyRotation: true`). These properties will be used in constructing the CMK used to encrypt the SQS queue.  | 
|  existingQueueEncryptionKey?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.Key.html)   |  An optional CMK that will be used by the construct to encrypt the new SQS queue.  | 
|  deployDeadLetterQueue?  |   `boolean`   |  Whether to create a secondary queue to be used as a dead letter queue. Defaults to true.  | 
|  deadLetterQueueProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.QueueProps.html)   |  Optional user-provided props to override the default props for the dead letter SQS queue.  | 
|  maxReceiveCount?  |   `number`   |  The number of times a message can be unsuccessfully dequeued before being moved to the dead letter queue. Defaults to 15.  | 
|  stateMachineProps  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachineProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachineProps.html)   |  User provided props for the sfn.StateMachine. This or existingStateMachine is required. If you provide a value for logs.destination, it must be an ILogGroup even though the prop type is ILogGroupRef. The CDK change to ILogGroupRef in v2.235.0 is incompatible with our interface without introducing breaking changes, so we still require an ILogGroup (as this implements ILogGroupRef, you can just assign it to logs.destination)  | 
|  createCloudWatchAlarms?  |   `boolean`   |  Whether to create recommended CloudWatch alarms  | 
|  logGroupProps?  |   [logs.LogGroupProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  Optional user-provided props to override the default props for the CloudWatch Logs log group for the state machine.  | 
|  pipeProps?  |   [pipes.CfnPipeProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_pipes.CfnPipeProps.html)   |  Optional customer provided settings for the EventBridge pipe. source, target, roleArn and enrichment settings are set by the construct and cannot be overridden here. The construct will generate default sourceParameters, targetParameters and logConfiguration (found [here](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-pipes-pipe.html#cfn-pipes-pipe-logconfiguration)) that can be overridden by populating those values in these props. If the client wants to implement enrichment or a filter, this is where that information can be provided. Any other props can be freely overridden. If a client wants to set values such as batchSize, that can be done here in the sourceParameters property.  | 
|  enrichmentFunction?  |   [lambda.Function](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda.Function.html)   |  Optional - Lambda function that the construct will configure to be called to enrich the message between source and target. The construct will configure the pipe IAM role to allow invoking the function (but will not affect the IAM role assigned to the function). Specifying both this and enrichmentStateMachine causes an error. Default - undefined  | 
|  enrichmentStateMachine?  |   [sfn.StateMachine](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachine.html)   |  Optional - Step Functions state machine that the construct will configure to be called to enrich the message between source and target. The construct will configure the pipe IAM role to allow executing the state machine (but will not affect the IAM role assigned to the state machine). Specifying both this and enrichmentFunction causes an error. Default - undefined  | 
|  logLevel?  |  PipesLogLevel  |  Threshold for which messages the new pipe sends to the log: PipesLogLevel.OFF, PipesLogLevel.ERROR, PipesLogLevel.INFO, PipesLogLevel.TRACE. The default is INFO. Setting the level to OFF will prevent any log group from being created. Providing pipeProps.logConfiguration controls all aspects of logging, and any construct-provided log configuration is disabled. If pipeProps.logConfiguration is provided then specifying this or pipeLogProps causes an error.  | 
|  pipeLogProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.LogGroupProps.html)   |  Default behavior is for this construct to create a new CloudWatch Logs log group for the pipe. These props are used to override defaults set by AWS or this construct. If there are concerns about the cost of log storage, this is where a client can specify a shorter retention duration (in days).  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  stateMachine  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachine.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachine.html)   |  Returns an instance of StateMachine created by the construct.  | 
|  stateMachineLogGroup  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.ILogGroup.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.ILogGroup.html)   |  Returns an instance of the ILogGroup created by the construct for StateMachine  | 
|  cloudwatchAlarms?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudwatch.Alarm.html)   |  Returns a list of alarms created by the construct.  | 
|  sqsQueue  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the SQS queue created by the pattern.  | 
|  deadLetterQueue?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sqs.Queue.html)   |  Returns an instance of the dead letter queue created by the pattern, if one is deployed.  | 
|  encryptionKey?  |   [kms.IKey](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kms.IKey.html)   |  Returns an instance of kms.Key used for the SQS queue if key is customer managed.  | 
|  pipe  |   [pipes.CfnPipe](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_pipes.CfnPipe.html)   |  The L1 pipe construct created by this Solutions Construct.  | 
|  pipeRole  |   [iam.Role](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.Role.html)   |  The role created that allows the pipe to access both the source and the target.  | 

## Default settings


Without any overrides, the out-of-the-box implementation of the construct sets the following defaults:

### Amazon SQS Queue

+ Deploy SQS dead-letter queue for the source SQS Queue.
+ Enable server-side encryption for source SQS Queue using AWS Managed KMS Key.
+ Enforce encryption of data in transit

### AWS Step Functions State Machine

+ Deploy Step Functions standard state machine
+ Create CloudWatch log group with /vendedlogs/ prefix in name
+ Deploy best practices CloudWatch Alarms for the Step Functions

### AWS EventBridge Pipe

+ Pipe configured with an SQS queue source and state machine target
+ A least privilege IAM role assigned to the pipe to access the queue and state machine
+ CloudWatch logs set up at the "INFO" level
+ Encrypted with an AWS managed KMS key

## Architecture


![\[Diagram showing the SQS queue, CloudWatch log groups, EventBridge pipe, Step Functions state machine and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-sqs-pipes-stepfunctions.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-sqs-pipes-stepfunctions) for this pattern to view the code, read/create issues and pull requests and more.



# aws-wafwebacl-alb


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_wafwebacl_alb`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-wafwebacl-alb`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.wafwebaclalb`   | 

## Overview


This AWS Solutions Construct implements an AWS WAF web ACL connected to an Application Load Balancer.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { WafwebaclToAlbProps, WafwebaclToAlb } from "@aws-solutions-constructs/aws-wafwebacl-alb";

// Use an existing ALB, such as one created by Route53toAlb or AlbToLambda
const existingLoadBalancer = previouslyCreatedLoadBalancer


// Note - all alb constructs turn on ELB logging by default, so require that an environment including account
// and region be provided when creating the stack
//
// new MyStack(app, 'id', {env: {account: '123456789012', region: 'us-east-1' }});
//
// This construct can only be attached to a configured Application Load Balancer.
new WafwebaclToAlb(this, 'test-wafwebacl-alb', {
    existingLoadBalancerObj: existingLoadBalancer
});
```

```
from aws_solutions_constructs.aws_route53_alb import Route53ToAlb
from aws_solutions_constructs.aws_wafwebacl_alb import WafwebaclToAlbProps, WafwebaclToAlb
from aws_cdk import (
    aws_route53 as route53,
    Stack
)
from constructs import Construct

# Use an existing ALB, such as one created by Route53toAlb or AlbToLambda
existingLoadBalancer = previouslyCreatedLoadBalancer

# Note - all alb constructs turn on ELB logging by default, so require that an environment including account
# and region be provided when creating the stack
#
# MyStack(app, 'id', env=cdk.Environment(account='123456789012', region='us-east-1'))
#
# This construct can only be attached to a configured Application Load Balancer.
WafwebaclToAlb(self, 'test_wafwebacl_alb',
                existing_load_balancer_obj=existingLoadBalancer
                )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.elasticloadbalancingv2.*;
import software.amazon.awsconstructs.services.wafwebaclalb.*;

// Use an existing ALB, such as one created by Route53toAlb or AlbToLambda
final ApplicationLoadBalancer existingLoadBalancer = previouslyCreatedLoadBalancer;

// Note - all alb constructs turn on ELB logging by default, so require that an environment including account
// and region be provided when creating the stack
//
// new MyStack(app, "id", StackProps.builder()
//         .env(Environment.builder()
//                 .account("123456789012")
//                 .region("us-east-1")
//                 .build())
//         .build());
//
// This construct can only be attached to a configured Application Load Balancer.
new WafwebaclToAlb(this, "test-wafwebacl-alb", new WafwebaclToAlbProps.Builder()
        .existingLoadBalancerObj(existingLoadBalancer)
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingLoadBalancerObj  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html)   |  The existing Application Load Balancer Object that will be protected with the WAF web ACL. *Note that a WAF web ACL can only be added to a configured Application Load Balancer, so this construct only accepts an existing ApplicationLoadBalancer and does not accept applicationLoadBalancerProps.*   | 
|  existingWebaclObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACL.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACL.html)   |  Optional - existing instance of a WAF web ACL, providing both this and `webaclProps` causes an error.  | 
|  webaclProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACLProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACLProps.html)   |  Optional user-provided props to override the default props for the AWS WAF web ACL. To use a different collection of managed rule sets, specify a new rules property. Use our [wrapManagedRuleSet(managedGroupName: string, vendorName: string, priority: number)](../core/lib/waf-defaults.ts) function from core to create an array entry from each desired managed rule set.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  webacl  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACL.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACL.html)   |  Returns an instance of the waf.CfnWebACL created by the construct.  | 
|  loadBalancer  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html)   |  Returns an instance of the Application Load Balancer Object created by the pattern.  | 

## Default settings


Without any overrides, the out-of-the-box implementation of the construct sets the following defaults:

### AWS WAF

+ Deploy a WAF web ACL with 7 [AWS managed rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html).
  + AWSManagedRulesBotControlRuleSet
  + AWSManagedRulesKnownBadInputsRuleSet
  + AWSManagedRulesCommonRuleSet
  + AWSManagedRulesAnonymousIpList
  + AWSManagedRulesAmazonIpReputationList
  + AWSManagedRulesAdminProtectionRuleSet
  + AWSManagedRulesSQLiRuleSet

     *Note that the default rules can be replaced by specifying the rules property of CfnWebACLProps* 
+ Send metrics to Amazon CloudWatch

### Application Load Balancer

+ User provided Application Load Balancer object is used as-is

## Architecture


![\[Diagram showing the WAF ACL, Application Load Balancer, CloudWatch log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-wafwebacl-alb.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-wafwebacl-alb) for this pattern to view the code, read/create issues and pull requests and more.



# aws-wafwebacl-apigateway


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_wafwebacl_apigateway`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-wafwebacl-apigateway`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.wafwebaclapigateway`   | 

## Overview


This AWS Solutions Construct implements an AWS WAF web ACL connected to Amazon API Gateway REST API.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import * as lambda from "aws-cdk-lib/aws-lambda";
import { ApiGatewayToLambda } from '@aws-solutions-constructs/aws-apigateway-lambda';
import { WafwebaclToApiGatewayProps, WafwebaclToApiGateway } from "@aws-solutions-constructs/aws-wafwebacl-apigateway";

const apiGatewayToLambda = new ApiGatewayToLambda(this, 'ApiGatewayToLambdaPattern', {
  lambdaFunctionProps: {
    runtime: lambda.Runtime.NODEJS_22_X,
    handler: 'index.handler',
    code: lambda.Code.fromAsset(`lambda`)
  }
});

// This construct can only be attached to a configured API Gateway.
new WafwebaclToApiGateway(this, 'test-wafwebacl-apigateway', {
  existingApiGatewayInterface: apiGatewayToLambda.apiGateway
});
```

```
from aws_solutions_constructs.aws_apigateway_lambda import ApiGatewayToLambda
from aws_solutions_constructs.aws_wafwebacl_apigateway import WafwebaclToApiGatewayProps, WafwebaclToApiGateway
from aws_cdk import (
    aws_apigateway as api,
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

api_gateway_to_lambda = ApiGatewayToLambda(self, 'ApiGatewayToLambdaPattern',
                                    lambda_function_props=_lambda.FunctionProps(
                                        code=_lambda.Code.from_asset(
                                            'lambda'),
                                        runtime=_lambda.Runtime.PYTHON_3_14,
                                        handler='index.handler'
                                    )
                                    )

# This construct can only be attached to a configured API Gateway.
WafwebaclToApiGateway(self, 'test_wafwebacl_apigateway',
                    existing_api_gateway_interface=api_gateway_to_lambda.api_gateway
                    )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.apigateway.*;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.apigatewaylambda.*;
import software.amazon.awsconstructs.services.wafwebaclapigateway.*;

final ApiGatewayToLambda apiGatewayToLambda = new ApiGatewayToLambda(this, "ApiGatewayToLambdaPattern",
        new ApiGatewayToLambdaProps.Builder()
                .lambdaFunctionProps(new FunctionProps.Builder()
                        .runtime(Runtime.NODEJS_22_X)
                        .code(Code.fromAsset("lambda"))
                        .handler("index.handler")
                        .build())
                .build());

// This construct can only be attached to a configured API Gateway.
new WafwebaclToApiGateway(this, "test-wafwebacl-apigateway", new WafwebaclToApiGatewayProps.Builder()
        .existingApiGatewayInterface(apiGatewayToLambda.getApiGateway())
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingApiGatewayInterface  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IRestApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IRestApi.html)   |  The existing API Gateway instance that will be protected with the WAF web ACL. *Note that a WAF web ACL can only be added to a configured API Gateway, so this construct only accepts an existing IRestApi and does not accept apiGatewayProps.*   | 
|  existingWebaclObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACL.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACL.html)   |  Optional - existing instance of a WAF web ACL, providing both this and `webaclProps` causes an error.  | 
|  webaclProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACLProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACLProps.html)   |  Optional user-provided props to override the default props for the AWS WAF web ACL. Providing both this and existingWebaclObj causes an error. To use a different collection of managed rule sets, specify a new rules property. Use our [wrapManagedRuleSet(managedGroupName: string, vendorName: string, priority: number)](../core/lib/waf-defaults.ts) function from core to create an array entry from each desired managed rule set.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  webacl  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACL.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACL.html)   |  Returns an instance of the waf.CfnWebACL created by the construct.  | 
|  apiGateway  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IRestApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IRestApi.html)   |  Returns an instance of the API Gateway REST API created by the pattern.  | 

## Default settings


Without any overrides, the out-of-the-box implementation of the construct sets the following defaults:

### AWS WAF

+ Deploy a WAF web ACL with 7 [AWS managed rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html).
  + AWSManagedRulesBotControlRuleSet
  + AWSManagedRulesKnownBadInputsRuleSet
  + AWSManagedRulesCommonRuleSet
  + AWSManagedRulesAnonymousIpList
  + AWSManagedRulesAmazonIpReputationList
  + AWSManagedRulesAdminProtectionRuleSet
  + AWSManagedRulesSQLiRuleSet

     *Note that the default rules can be replaced by specifying the rules property of CfnWebACLProps* 
+ Send metrics to Amazon CloudWatch

### Amazon API Gateway

+ User provided API Gateway object is used as-is

## Architecture


![\[Diagram showing the WAF ACL, API Gateway api, CloudWatch log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-wafwebacl-apigateway.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-wafwebacl-apigateway) for this pattern to view the code, read/create issues and pull requests and more.



# aws-wafwebacl-appsync


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)





|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_wafwebacl_appsync`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-wafwebacl-appsync`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.wafwebaclappsync`   | 

## Overview


This AWS Solutions Construct implements an AWS WAF web ACL connected to an AWS AppSync API.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from "constructs";
import { Stack, StackProps } from "aws-cdk-lib";
import {
  WafwebaclToAppsyncProps,
  WafwebaclToAppsync,
} from "@aws-solutions-constructs/aws-wafwebacl-appsync";

// Use an existing AppSync GraphQL API
const existingGraphQLApi = previouslyCreatedApi;

// This construct can only be attached to a configured AWS AppSync API.
new WafwebaclToAppsync(this, "test-wafwebacl-appsync", {
  existingAppsyncApi: existingGraphQLApi,
});
```

```
from aws_solutions_constructs.aws_wafwebacl_appsync import WafwebaclToAppsyncProps, WafwebaclToAppsync
from aws_cdk import Stack
from constructs import Construct

# Use an existing AppSync API
existingGraphQLApi = previouslyCreatedApi


# This construct can only be attached to a configured AWS AppSync API.
WafwebaclToAppsync(self, 'test_wafwebacl_appsync',
                existing_appsync_api=existingGraphQLApi
                )
```

```
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.appsync.*;
import software.amazon.awsconstructs.services.wafwebaclappsync.*;

// Use an existing AppSync API
final CfnGraphQLApi existingGraphQLApi = previouslyCreatedApi;


// This construct can only be attached to a configured AWS AppSync API.
new WafwebaclToAppsync(this, "test-wafwebacl-appsync", new WafwebaclToAppsyncProps.Builder()
        .existingAppsyncApi(existingGraphQLApi)
        .build());
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingAppsyncApi  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_appsync.CfnGraphQLApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_appsync.CfnGraphQLApi.html)   |  The existing Appsync CfnGraphQLApi object that will be protected with the WAF web ACL. *Note that a WAF web ACL can only be added to a configured AppSync API, so this construct only accepts an existing CfnGraphQLApi and does not accept CfnGraphQLApiProps.*   | 
|  existingWebaclObj?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACL.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACL.html)   |  Optional - existing instance of a WAF web ACL, providing both this and `webaclProps` causes an error.  | 
|  webaclProps?  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACLProps.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACLProps.html)   |  Optional user-provided props to override the default props for the AWS WAF web ACL. Providing both this and existingWebaclObj causes an error. To use a different collection of managed rule sets, specify a new rules property. Use our [wrapManagedRuleSet(managedGroupName: string, vendorName: string, priority: number)](../core/lib/waf-defaults.ts) function from core to create an array entry from each desired managed rule set.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  webacl  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACL.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_waf.CfnWebACL.html)   |  Returns an instance of the waf.CfnWebACL created by the construct.  | 
|  appsyncApi  |   [https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_appsync.CfnGraphQLApi.html](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_appsync.CfnGraphQLApi.html)   |  Returns an instance of the CfnGraphQLApi used by the pattern.  | 

## Default settings


Without any overrides, the out-of-the-box implementation of the construct sets the following defaults:

### AWS WAF

+ Deploy a WAF web ACL with 7 [AWS managed rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html).
  + AWSManagedRulesBotControlRuleSet
  + AWSManagedRulesKnownBadInputsRuleSet
  + AWSManagedRulesCommonRuleSet
  + AWSManagedRulesAnonymousIpList
  + AWSManagedRulesAmazonIpReputationList
  + AWSManagedRulesAdminProtectionRuleSet
  + AWSManagedRulesSQLiRuleSet

     *Note that the default rules can be replaced by specifying the rules property of CfnWebACLProps* 
+ Send metrics to Amazon CloudWatch
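
The `webaclProps` rows and the default rule group lists of the WAF patterns above (aws-wafwebacl-alb, aws-wafwebacl-apigateway, aws-wafwebacl-appsync) state that supplying `rules` replaces the defaults. The following added example (not code from the Solutions Constructs project) builds such a replacement as plain objects and reports which default groups it drops. `managedRule` is a hypothetical stand-in for `wrapManagedRuleSet`; its `mode` parameter, the other helper names and the selection of groups are assumptions made for illustration.

```typescript
// Added example: plain objects in the shape of the AWS::WAFv2::WebACL
// CloudFormation resource, so the file runs without aws-cdk-lib installed.

type Mode = 'enforce' | 'count';

interface VisibilityConfig {
  cloudWatchMetricsEnabled: boolean;
  metricName: string;
  sampledRequestsEnabled: boolean;
}

interface ManagedRule {
  name: string;
  priority: number;
  overrideAction: { none?: object; count?: object };
  statement: { managedRuleGroupStatement: { name: string; vendorName: string } };
  visibilityConfig: VisibilityConfig;
}

// The seven managed rule groups this page lists as the construct defaults.
const DEFAULT_GROUPS: readonly string[] = [
  'AWSManagedRulesBotControlRuleSet',
  'AWSManagedRulesKnownBadInputsRuleSet',
  'AWSManagedRulesCommonRuleSet',
  'AWSManagedRulesAnonymousIpList',
  'AWSManagedRulesAmazonIpReputationList',
  'AWSManagedRulesAdminProtectionRuleSet',
  'AWSManagedRulesSQLiRuleSet',
];

// Hypothetical stand-in taking the same first three parameters as the
// documented wrapManagedRuleSet(managedGroupName, vendorName, priority).
// `mode` is an addition for this example: 'count' records matches in the
// metrics without blocking, which suits a newly introduced rule group.
function managedRule(managedGroupName: string, vendorName: string,
                     priority: number, mode: Mode = 'enforce'): ManagedRule {
  return {
    name: `${vendorName}-${managedGroupName}`,
    priority,
    overrideAction: mode === 'count' ? { count: {} } : { none: {} },
    statement: { managedRuleGroupStatement: { name: managedGroupName, vendorName } },
    visibilityConfig: {
      cloudWatchMetricsEnabled: true,
      metricName: managedGroupName,
      sampledRequestsEnabled: true,
    },
  };
}

// Build the complete `rules` array. Priorities come from list position, so
// they are unique by construction; a repeated group name is rejected.
function buildRules(groups: ReadonlyArray<{ name: string; mode?: Mode }>): ManagedRule[] {
  const seen = new Set<string>();
  return groups.map((group, index) => {
    if (seen.has(group.name)) {
      throw new Error(`duplicate managed rule group: ${group.name}`);
    }
    seen.add(group.name);
    return managedRule(group.name, 'AWS', index, group.mode ?? 'enforce');
  });
}

// Review check: which default groups does a custom rules array leave out?
// Because `rules` replaces the defaults, every omission is a removed control.
function droppedDefaults(rules: ReadonlyArray<ManagedRule>): string[] {
  const present = new Set(rules.map(r => r.statement.managedRuleGroupStatement.name));
  return DEFAULT_GROUPS.filter(groupName => !present.has(groupName));
}

// Full props object. Scope is REGIONAL for an ALB, API Gateway or AppSync
// API and CLOUDFRONT for a CloudFront distribution.
function buildWebAclProps(scope: 'REGIONAL' | 'CLOUDFRONT', rules: ManagedRule[]) {
  return {
    defaultAction: { allow: {} },
    scope,
    visibilityConfig: {
      cloudWatchMetricsEnabled: true,
      metricName: 'webACL',
      sampledRequestsEnabled: true,
    },
    rules,
  };
}

// Constructed selection: keep six of the defaults, leave out Bot Control, and
// add the Linux rule group in count mode.
const customRules = buildRules([
  ...DEFAULT_GROUPS
    .filter(groupName => groupName !== 'AWSManagedRulesBotControlRuleSet')
    .map(groupName => ({ name: groupName })),
  { name: 'AWSManagedRulesLinuxRuleSet', mode: 'count' },
]);

const webAclProps = buildWebAclProps('REGIONAL', customRules);
console.log('default groups no longer applied:', droppedDefaults(webAclProps.rules));
```

In a CDK app the same structure is what `webaclProps` carries, with the page's `wrapManagedRuleSet` producing the array entries in place of the stand-in helper.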

### AppSync API

+ User provided AppSync graphql API object is used as-is

## Architecture


![\[Diagram showing the WAF ACL, AppSync api, CloudWatch log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-wafwebacl-appsync.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-wafwebacl-appsync) for this pattern to view the code, read/create issues and pull requests and more.



# aws-wafwebacl-cloudfront


![\[Stability:Stable\]](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)



|  |  | 
| --- |--- |
|  Reference Documentation: | https://docs.aws.amazon.com/solutions/latest/constructs/ | 


|  **Language**  |  **Package**  | 
| --- | --- | 
|   ![\[Python Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/python32.png) Python  |   `aws_solutions_constructs.aws_wafwebacl_cloudfront`   | 
|   ![\[Typescript Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/typescript32.png) Typescript  |   `@aws-solutions-constructs/aws-wafwebacl-cloudfront`   | 
|   ![\[Java Logo\]](https://docs.aws.amazon.com/images/solutions/latest/constructs/images/java32.png) Java  |   `software.amazon.awsconstructs.services.wafwebaclcloudfront`   | 

## Overview


This AWS Solutions Construct implements an AWS WAF web ACL connected to Amazon CloudFront.

Here is a minimal deployable pattern definition:

**Example**  

```
import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { CloudFrontToS3 } from '@aws-solutions-constructs/aws-cloudfront-s3';
import { WafwebaclToCloudFront } from "@aws-solutions-constructs/aws-wafwebacl-cloudfront";

const cloudfrontToS3 = new CloudFrontToS3(this, 'test-cloudfront-s3', {});

// This construct can only be attached to a configured CloudFront.
new WafwebaclToCloudFront(this, 'test-wafwebacl-cloudfront', {
    existingCloudFrontWebDistribution: cloudfrontToS3.cloudFrontWebDistribution
});
```

```python
from aws_solutions_constructs.aws_cloudfront_s3 import CloudFrontToS3
from aws_solutions_constructs.aws_wafwebacl_cloudfront import WafwebaclToCloudFront
from aws_cdk import Stack
from constructs import Construct


# ExampleStack is a placeholder name for the stack that hosts the pattern.
class ExampleStack(Stack):
    def __init__(self, scope: Construct, id: str, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)

        cloudfront_to_s3 = CloudFrontToS3(self, 'test_cloudfront_s3')

        # This construct can only be attached to a configured CloudFront.
        WafwebaclToCloudFront(self, 'test_wafwebacl_cloudfront',
                              existing_cloud_front_web_distribution=cloudfront_to_s3.cloud_front_web_distribution
                              )
```

```java
import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awsconstructs.services.cloudfronts3.*;
import software.amazon.awsconstructs.services.wafwebaclcloudfront.*;

// ExampleStack is a placeholder name for the stack that hosts the pattern.
public class ExampleStack extends Stack {
    public ExampleStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        final CloudFrontToS3 cloudfrontToS3 = new CloudFrontToS3(this, "test-cloudfront-s3",
                new CloudFrontToS3Props.Builder()
                        .build());

        // This construct can only be attached to a configured CloudFront.
        new WafwebaclToCloudFront(this, "test-wafwebacl-cloudfront", new WafwebaclToCloudFrontProps.Builder()
                .existingCloudFrontWebDistribution(cloudfrontToS3.getCloudFrontWebDistribution())
                .build());
    }
}
```

## Pattern Construct Props



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  existingCloudFrontWebDistribution  |   [cloudfront.Distribution](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Distribution.html)   |  The existing CloudFront instance that will be protected with the WAF web ACL. *Note that a WAF web ACL can only be added to a configured CloudFront, so this construct only accepts an existing Distribution and does not accept cloudfrontProps.*   | 
|  existingWebaclObj?  |   [waf.CfnWebACL](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_wafv2.CfnWebACL.html)   |  Optional - existing instance of a WAF web ACL, providing both this and `webaclProps` causes an error.  | 
|  webaclProps?  |   [waf.CfnWebACLProps](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_wafv2.CfnWebACLProps.html)   |  Optional user-provided props to override the default props for the AWS WAF web ACL. Providing both this and existingWebaclObj causes an error. To use a different collection of managed rule sets, specify a new rules property. Use our [wrapManagedRuleSet(managedGroupName: string, vendorName: string, priority: number)](../core/lib/waf-defaults.ts) function from core to create an array entry from each desired managed rule set.  | 

## Pattern Properties



|  **Name**  |  **Type**  |  **Description**  | 
| --- | --- | --- | 
|  webacl  |   [waf.CfnWebACL](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_wafv2.CfnWebACL.html)   |  Returns an instance of the waf.CfnWebACL created by the construct.  | 
|  cloudFrontWebDistribution  |   [cloudfront.Distribution](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront.Distribution.html)   |  Returns an instance of cloudfront.Distribution created by the construct.  | 

## Default settings


Without any overrides, the out-of-the-box implementation of the construct sets the following defaults:

### AWS WAF

+ Deploy a WAF web ACL with 7 [AWS managed rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html).
  + AWSManagedRulesBotControlRuleSet
  + AWSManagedRulesKnownBadInputsRuleSet
  + AWSManagedRulesCommonRuleSet
  + AWSManagedRulesAnonymousIpList
  + AWSManagedRulesAmazonIpReputationList
  + AWSManagedRulesAdminProtectionRuleSet
  + AWSManagedRulesSQLiRuleSet

     *Note that the default rules can be replaced by specifying the rules property of CfnWebACLProps* 
+ Send metrics to Amazon CloudWatch
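
The note above and the `webaclProps` description both say that supplying a `rules` property replaces the default rule groups. The following added example (not code from the construct library) builds such a `rules` array and reports which of the seven defaults it drops. `buildManagedRules` and `droppedDefaults` are hypothetical helpers, and the entries are plain objects in the shape of a web ACL rule, built without importing the CDK so the block runs stand-alone.

```typescript
// Added example, not library code. Plain objects shaped like web ACL rule entries.
// The seven managed rule groups this page lists as the construct's defaults.
const DEFAULT_GROUPS: readonly string[] = [
  'AWSManagedRulesBotControlRuleSet',
  'AWSManagedRulesKnownBadInputsRuleSet',
  'AWSManagedRulesCommonRuleSet',
  'AWSManagedRulesAnonymousIpList',
  'AWSManagedRulesAmazonIpReputationList',
  'AWSManagedRulesAdminProtectionRuleSet',
  'AWSManagedRulesSQLiRuleSet',
];

interface ManagedRuleEntry {
  name: string;
  priority: number;
  overrideAction: { none: object };
  statement: { managedRuleGroupStatement: { name: string; vendorName: string } };
  visibilityConfig: { cloudWatchMetricsEnabled: boolean; metricName: string; sampledRequestsEnabled: boolean };
}

// Hypothetical helper: one rule entry per managed group, priority taken from list order.
// Rejects duplicates, since rule names and priorities must be unique within a web ACL.
function buildManagedRules(groups: string[], vendorName = 'AWS'): ManagedRuleEntry[] {
  const seen = new Set<string>();
  return groups.map((name, priority) => {
    if (seen.has(name)) throw new Error(`duplicate rule group: ${name}`);
    seen.add(name);
    return {
      name,
      priority,
      overrideAction: { none: {} },
      statement: { managedRuleGroupStatement: { name, vendorName } },
      visibilityConfig: { cloudWatchMetricsEnabled: true, metricName: name, sampledRequestsEnabled: true },
    };
  });
}

// Hypothetical helper: a custom rules array replaces the defaults, so list what was lost.
function droppedDefaults(rules: ManagedRuleEntry[]): string[] {
  const kept = new Set(rules.map((r) => r.statement.managedRuleGroupStatement.name));
  return DEFAULT_GROUPS.filter((g) => !kept.has(g));
}

// Constructed sample: keep three of the defaults and add the Linux rule group.
const customRules = buildManagedRules([
  'AWSManagedRulesCommonRuleSet', 'AWSManagedRulesKnownBadInputsRuleSet',
  'AWSManagedRulesSQLiRuleSet', 'AWSManagedRulesLinuxRuleSet',
]);
console.log(droppedDefaults(customRules));
```

Reviewing the output of `droppedDefaults` before deployment makes it explicit which default protections a custom `rules` array removes.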

### Amazon CloudFront

+ User provided CloudFront object is used as-is

## Architecture


![\[Diagram showing the WAF ACL, CloudFront distribution, CloudWatch log group and IAM role created by the construct\]](http://docs.aws.amazon.com/solutions/latest/constructs/images/aws-wafwebacl-cloudfront.png)


## GitHub


Go to the [GitHub repo](https://github.com/awslabs/aws-solutions-constructs/tree/main/source/patterns/%40aws-solutions-constructs/aws-wafwebacl-cloudfront) for this pattern to view the code, read or create issues and pull requests, and more.

