eps-cdk-utils/packages/cdkConstructs/src/constructs/lambdaSharedResources.ts at 50be43a64b3044578074a7b752b910cb15b96c6d · NHSDigital/eps-cdk-utils · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
import {Construct} from "constructs"
import {RemovalPolicy} from "aws-cdk-lib"
import {Architecture, ILayerVersion, LayerVersion} from "aws-cdk-lib/aws-lambda"
import {IKey, Key} from "aws-cdk-lib/aws-kms"
import {CfnLogGroup, CfnSubscriptionFilter, LogGroup} from "aws-cdk-lib/aws-logs"
import {
  IManagedPolicy,
  IRole,
  ManagedPolicy,
  PolicyStatement,
  Role,
  ServicePrincipal
} from "aws-cdk-lib/aws-iam"
import {NagSuppressions} from "cdk-nag"
import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config"
import {ACCOUNT_RESOURCES, CFN_GUARD_RULES, LAMBDA_RESOURCES} from "../constants"
import {addSuppressions} from "../utils/helpers"
import {CfnDeliveryStream} from "aws-cdk-lib/aws-kinesisfirehose"
import {Stream} from "aws-cdk-lib/aws-kinesis"

export interface SharedLambdaResourceProps {
  readonly functionName: string
  readonly logRetentionInDays: number
  readonly additionalPolicies: Array<IManagedPolicy>
  readonly architecture: Architecture
  readonly cloudWatchLogsKmsKey?: IKey
  readonly cloudwatchEncryptionKMSPolicy?: IManagedPolicy
  readonly splunkDeliveryStream?: CfnDeliveryStream
  readonly splunkSubscriptionFilterRole?: IRole
  readonly lambdaInsightsLogGroupPolicy?: IManagedPolicy
  readonly addSplunkSubscriptionFilter?: boolean
}

export interface SharedLambdaResources {
  readonly logGroup: LogGroup
  readonly role: Role
  readonly insightsLayer: ILayerVersion
}

export const createSharedLambdaResources = (
  scope: Construct,
  props: SharedLambdaResourceProps
): SharedLambdaResources => {
  const {
    functionName,
    logRetentionInDays,
    additionalPolicies,
    architecture,
    cloudWatchLogsKmsKey = Key.fromKeyArn(
      scope, "cloudWatchLogsKmsKey", ACCOUNT_RESOURCES.CloudwatchLogsKmsKeyArn),
    cloudwatchEncryptionKMSPolicy = ManagedPolicy.fromManagedPolicyArn(
      scope,
      "cloudwatchEncryptionKMSPolicyArn",
      ACCOUNT_RESOURCES.CloudwatchEncryptionKMSPolicyArn
    ),
    splunkDeliveryStream,
    splunkSubscriptionFilterRole = Role.fromRoleArn(
      scope, "splunkSubscriptionFilterRole", LAMBDA_RESOURCES.SplunkSubscriptionFilterRole),
    lambdaInsightsLogGroupPolicy = ManagedPolicy.fromManagedPolicyArn(
      scope, "lambdaInsightsLogGroupPolicy", LAMBDA_RESOURCES.LambdaInsightsLogGroupPolicy),
    addSplunkSubscriptionFilter = true
  } = props
  const insightsLambdaLayerArn = architecture === Architecture.ARM_64
    ? LAMBDA_INSIGHTS_LAYER_ARNS.arm64
    : LAMBDA_INSIGHTS_LAYER_ARNS.x64
  const insightsLambdaLayer = LayerVersion.fromLayerVersionArn(
    scope, "LayerFromArn", insightsLambdaLayerArn)

  const logGroup = new LogGroup(scope, "LambdaLogGroup", {
    encryptionKey: cloudWatchLogsKmsKey,
    logGroupName: `/aws/lambda/${functionName}`,
    retention: logRetentionInDays,
    removalPolicy: RemovalPolicy.DESTROY
  })

  const cfnlogGroup = logGroup.node.defaultChild as CfnLogGroup
  addSuppressions([cfnlogGroup], [CFN_GUARD_RULES.LogGroupRetentionPeriodCheck])

  if (addSplunkSubscriptionFilter) {
    // This is in an if statement to ensure correct value is used
    // importing and coercing to cfnDeliveryStream causes issues
    if (splunkDeliveryStream) {
      new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
        destinationArn: splunkDeliveryStream.attrArn,
        filterPattern: "",
        logGroupName: logGroup.logGroupName,
        roleArn: splunkSubscriptionFilterRole.roleArn
      })
    } else {
      const splunkDeliveryStreamImport = Stream.fromStreamArn(
        scope, "SplunkDeliveryStream", LAMBDA_RESOURCES.SplunkDeliveryStream)
      new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
        destinationArn: splunkDeliveryStreamImport.streamArn,
        filterPattern: "",
        logGroupName: logGroup.logGroupName,
        roleArn: splunkSubscriptionFilterRole.roleArn
      })
    }
  }

  const putLogsManagedPolicy = new ManagedPolicy(scope, "LambdaPutLogsManagedPolicy", {
    description: `write to ${functionName} logs`,
    statements: [
      new PolicyStatement({
        actions: [
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        resources: [
          logGroup.logGroupArn,
          `${logGroup.logGroupArn}:log-stream:*`
        ]
      })
    ]
  })

  NagSuppressions.addResourceSuppressions(putLogsManagedPolicy, [
    {
      id: "AwsSolutions-IAM5",
      // eslint-disable-next-line max-len
      reason: "Suppress error for not having wildcards in permissions. This is a fine as we need to have permissions on all log streams under path"
    }
  ])

  const role = new Role(scope, "LambdaRole", {
    assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
    managedPolicies: [
      putLogsManagedPolicy,
      lambdaInsightsLogGroupPolicy,
      cloudwatchEncryptionKMSPolicy,
      ...additionalPolicies
    ]
  })

  return {
    logGroup,
    role,
    insightsLayer: insightsLambdaLayer
  }
}