start refactor

Author: anthony-nhs

.devcontainer/devcontainer.json

@@ -32,7 +32,9 @@
         "github.vscode-pull-request-github",
         "streetsidesoftware.code-spell-checker",
         "timonwong.shellcheck",
-        "github.vscode-github-actions"
+        "github.vscode-github-actions",
+        "dbaeumer.vscode-eslint",
+        "vitest.explorer"
       ],
       "settings": {
         "cSpell.words": [

.vscode/eps-cdk-utils.code-workspace

@@ -79,7 +79,10 @@
 			".vscode"
 		],
 		"eslint.useFlatConfig": true,
-		"eslint.format.enable": true
+		"eslint.format.enable": true,
+		"[typescript]": {
+			"editor.defaultFormatter": "dbaeumer.vscode-eslint"
+		}
 	},
 	"extensions": {
 		"recommendations": [

packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts

@@ -18,6 +18,8 @@ import {
 import {join} from "node:path"
 import {createSharedLambdaResources} from "./lambdaSharedResources"
 import {addSuppressions} from "../utils/helpers"
+import {Key} from "aws-cdk-lib/aws-kms"
+import {CfnDeliveryStream} from "aws-cdk-lib/aws-kinesisfirehose"
 
 export interface PythonLambdaFunctionProps {
   /**
@@ -42,7 +44,7 @@ export interface PythonLambdaFunctionProps {
   /**
    * A map of environment variables to set for the lambda function.
    */
-  readonly environmentVariables?: {[key: string]: string}
+  readonly environmentVariables?: { [key: string]: string }
   /**
    * Optional additional IAM policies to attach to role the lambda executes as.
    */
@@ -80,16 +82,45 @@ export interface PythonLambdaFunctionProps {
    * @default Architecture.X86_64
    */
   readonly architecture?: Architecture
-   /**
-   * Any files to exclude from the Lambda asset bundle.
-   * Defaults to these files
-   * "tests",
-   * "pytest.ini",
-   * ".vscode",
-   * "__pycache__",
-   * "*.pyc"
-   */
+  /**
+  * Any files to exclude from the Lambda asset bundle.
+  * Defaults to these files
+  * "tests",
+  * "pytest.ini",
+  * ".vscode",
+  * "__pycache__",
+  * "*.pyc"
+  */
   readonly excludeFromAsset?: Array<string>
+  /**
+   * Optional KMS key for encrypting CloudWatch Logs.
+   * If not provided, the value is imported from account resources export.
+   */
+  readonly cloudWatchLogsKmsKey?: Key
+  /**
+   * Optional IAM policy for allowing CloudWatch to use the KMS key for encrypting logs.
+   * If not provided, the value is imported from account resources export.
+   */
+  readonly cloudwatchEncryptionKMSPolicy?: ManagedPolicy
+  /**
+   * Optional Kinesis stream for forwarding logs to Splunk.
+   * If not provided, the value is imported from account resources export.
+   */
+  readonly splunkDeliveryStream?: CfnDeliveryStream
+  /**
+   * Optional IAM role for the subscription filter that forwards logs to Splunk.
+   * If not provided, the value is imported from account resources export.
+   */
+  readonly splunkSubscriptionFilterRole?: Role
+  /**
+   * Optional IAM policy for allowing lambdas to use Lambda Insights log groups and streams.
+   * If not provided, the value is imported from account resources export.
+   */
+  readonly lambdaInsightsLogGroupPolicy?: ManagedPolicy
+  /**
+   * Whether to create a subscription filter on the Lambda log group to forward logs to Splunk. Defaults to true.
+   */
+  readonly addSplunkSubscriptionFilter?: boolean
 
 }
 
@@ -185,14 +216,26 @@ export class PythonLambdaFunction extends Construct {
         ".vscode",
         "__pycache__",
         "*.pyc"
-      ]
+      ],
+      cloudWatchLogsKmsKey,
+      cloudwatchEncryptionKMSPolicy,
+      splunkDeliveryStream,
+      splunkSubscriptionFilterRole,
+      lambdaInsightsLogGroupPolicy,
+      addSplunkSubscriptionFilter
     } = props
 
     const {logGroup, role, insightsLayer} = createSharedLambdaResources(this, {
       functionName,
       logRetentionInDays,
       additionalPolicies,
-      architecture
+      architecture,
+      cloudWatchLogsKmsKey,
+      cloudwatchEncryptionKMSPolicy,
+      splunkDeliveryStream,
+      splunkSubscriptionFilterRole,
+      lambdaInsightsLogGroupPolicy,
+      addSplunkSubscriptionFilter
     })
 
     const layersToAdd = [insightsLayer]

packages/cdkConstructs/src/constructs/TypescriptLambdaFunction.ts

@@ -16,6 +16,8 @@ import {Construct} from "constructs"
 import {join} from "node:path"
 import {createSharedLambdaResources} from "./lambdaSharedResources"
 import {addSuppressions} from "../utils/helpers"
+import {Key} from "aws-cdk-lib/aws-kms"
+import {CfnDeliveryStream} from "aws-cdk-lib/aws-kinesisfirehose"
 
 export interface TypescriptLambdaFunctionProps {
   /**
@@ -84,6 +86,35 @@ export interface TypescriptLambdaFunctionProps {
    * @default Architecture.X86_64
    */
   readonly architecture?: Architecture
+  /**
+   * Optional KMS key for encrypting CloudWatch Logs.
+   * If not provided, the value is imported from account resources export.
+   */
+  readonly cloudWatchLogsKmsKey?: Key
+  /**
+   * Optional IAM policy for allowing CloudWatch to use the KMS key for encrypting logs.
+   * If not provided, the value is imported from account resources export.
+   */
+  readonly cloudwatchEncryptionKMSPolicy?: ManagedPolicy
+  /**
+   * Optional Kinesis stream for forwarding logs to Splunk.
+   * If not provided, the value is imported from account resources export.
+   */
+  readonly splunkDeliveryStream?: CfnDeliveryStream
+  /**
+   * Optional IAM role for the subscription filter that forwards logs to Splunk.
+   * If not provided, the value is imported from account resources export.
+   */
+  readonly splunkSubscriptionFilterRole?: Role
+  /**
+   * Optional IAM policy for allowing lambdas to use Lambda Insights log groups and streams.
+   * If not provided, the value is imported from account resources export.
+   */
+  readonly lambdaInsightsLogGroupPolicy?: ManagedPolicy
+  /**
+   * Whether to create a subscription filter on the Lambda log group to forward logs to Splunk. Defaults to true.
+   */
+  readonly addSplunkSubscriptionFilter?: boolean
 }
 
 const getDefaultLambdaOptions = (
@@ -202,14 +233,26 @@ export class TypescriptLambdaFunction extends Construct {
       projectBaseDir,
       timeoutInSeconds = 50,
       runtime = Runtime.NODEJS_24_X,
-      architecture = Architecture.X86_64
+      architecture = Architecture.X86_64,
+      cloudWatchLogsKmsKey,
+      cloudwatchEncryptionKMSPolicy,
+      splunkDeliveryStream,
+      splunkSubscriptionFilterRole,
+      lambdaInsightsLogGroupPolicy,
+      addSplunkSubscriptionFilter
     } = props
 
     const {logGroup, role, insightsLayer} = createSharedLambdaResources(this, {
       functionName,
       logRetentionInDays,
       additionalPolicies,
-      architecture
+      architecture,
+      cloudWatchLogsKmsKey,
+      cloudwatchEncryptionKMSPolicy,
+      splunkDeliveryStream,
+      splunkSubscriptionFilterRole,
+      lambdaInsightsLogGroupPolicy,
+      addSplunkSubscriptionFilter
     })
 
     const lambdaFunction = new NodejsFunction(this, functionName, {

packages/cdkConstructs/src/constructs/lambdaSharedResources.ts

@@ -2,7 +2,6 @@ import {Construct} from "constructs"
 import {Fn, RemovalPolicy} from "aws-cdk-lib"
 import {Architecture, ILayerVersion, LayerVersion} from "aws-cdk-lib/aws-lambda"
 import {Key} from "aws-cdk-lib/aws-kms"
-import {Stream} from "aws-cdk-lib/aws-kinesis"
 import {CfnLogGroup, CfnSubscriptionFilter, LogGroup} from "aws-cdk-lib/aws-logs"
 import {
   IManagedPolicy,
@@ -14,12 +13,19 @@ import {
 import {NagSuppressions} from "cdk-nag"
 import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config"
 import {addSuppressions} from "../utils/helpers"
+import {CfnDeliveryStream} from "aws-cdk-lib/aws-kinesisfirehose"
 
 export interface SharedLambdaResourceProps {
   readonly functionName: string
   readonly logRetentionInDays: number
   readonly additionalPolicies: Array<IManagedPolicy>
   readonly architecture: Architecture
+  readonly cloudWatchLogsKmsKey?: Key
+  readonly cloudwatchEncryptionKMSPolicy?: ManagedPolicy
+  readonly splunkDeliveryStream?: CfnDeliveryStream
+  readonly splunkSubscriptionFilterRole?: Role
+  readonly lambdaInsightsLogGroupPolicy?: ManagedPolicy
+  readonly addSplunkSubscriptionFilter?: boolean
 }
 
 export interface SharedLambdaResources {
@@ -30,28 +36,25 @@ export interface SharedLambdaResources {
 
 export const createSharedLambdaResources = (
   scope: Construct,
-  {
+  props: SharedLambdaResourceProps
+): SharedLambdaResources => {
+  const {
     functionName,
     logRetentionInDays,
     additionalPolicies,
-    architecture
-  }: SharedLambdaResourceProps
-): SharedLambdaResources => {
-  const cloudWatchLogsKmsKey = Key.fromKeyArn(
-    scope, "cloudWatchLogsKmsKey", Fn.importValue("account-resources:CloudwatchLogsKmsKeyArn"))
-
-  const cloudwatchEncryptionKMSPolicy = ManagedPolicy.fromManagedPolicyArn(
-    scope, "cloudwatchEncryptionKMSPolicyArn", Fn.importValue("account-resources:CloudwatchEncryptionKMSPolicyArn"))
-
-  const splunkDeliveryStream = Stream.fromStreamArn(
-    scope, "SplunkDeliveryStream", Fn.importValue("lambda-resources:SplunkDeliveryStream"))
-
-  const splunkSubscriptionFilterRole = Role.fromRoleArn(
-    scope, "splunkSubscriptionFilterRole", Fn.importValue("lambda-resources:SplunkSubscriptionFilterRole"))
-
-  const lambdaInsightsLogGroupPolicy = ManagedPolicy.fromManagedPolicyArn(
-    scope, "lambdaInsightsLogGroupPolicy", Fn.importValue("lambda-resources:LambdaInsightsLogGroupPolicy"))
-
+    architecture,
+    cloudWatchLogsKmsKey = Key.fromKeyArn(
+      scope, "cloudWatchLogsKmsKey", Fn.importValue("account-resources:CloudwatchLogsKmsKeyArn")),
+    cloudwatchEncryptionKMSPolicy = ManagedPolicy.fromManagedPolicyArn(
+      scope, "cloudwatchEncryptionKMSPolicyArn", Fn.importValue("account-resources:CloudwatchEncryptionKMSPolicyArn")),
+    splunkDeliveryStream = CfnDeliveryStream.fromDeliveryStreamArn(
+      scope, "SplunkDeliveryStream", Fn.importValue("lambda-resources:SplunkDeliveryStream")),
+    splunkSubscriptionFilterRole = Role.fromRoleArn(
+      scope, "splunkSubscriptionFilterRole", Fn.importValue("lambda-resources:SplunkSubscriptionFilterRole")),
+    lambdaInsightsLogGroupPolicy = ManagedPolicy.fromManagedPolicyArn(
+      scope, "lambdaInsightsLogGroupPolicy", Fn.importValue("lambda-resources:LambdaInsightsLogGroupPolicy")),
+    addSplunkSubscriptionFilter = true
+  } = props
   const insightsLambdaLayerArn = architecture === Architecture.ARM_64
     ? LAMBDA_INSIGHTS_LAYER_ARNS.arm64
     : LAMBDA_INSIGHTS_LAYER_ARNS.x64
@@ -68,12 +71,14 @@ export const createSharedLambdaResources = (
   const cfnlogGroup = logGroup.node.defaultChild as CfnLogGroup
   addSuppressions([cfnlogGroup], ["CW_LOGGROUP_RETENTION_PERIOD_CHECK"])
 
-  new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
-    destinationArn: splunkDeliveryStream.streamArn,
-    filterPattern: "",
-    logGroupName: logGroup.logGroupName,
-    roleArn: splunkSubscriptionFilterRole.roleArn
-  })
+  if (addSplunkSubscriptionFilter) {
+    new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
+      destinationArn: splunkDeliveryStream.deliveryStreamRef.deliveryStreamArn,
+      filterPattern: "",
+      logGroupName: logGroup.logGroupName,
+      roleArn: splunkSubscriptionFilterRole.roleArn
+    })
+  }
 
   const putLogsManagedPolicy = new ManagedPolicy(scope, "LambdaPutLogsManagedPolicy", {
     description: `write to ${functionName} logs`,

packages/cdkConstructs/tests/constructs/pythonLambdaFunctionConstruct.test.ts

@@ -374,3 +374,29 @@ describe("pythonFunctionConstruct works correctly with different architecture",
     })
   })
 })
+
+describe("pythonFunctionConstruct works correctly with addSplunkSubscriptionFilter set to false", () => {
+  let stack: Stack
+  let app: App
+  let template: assertions.Template
+
+  beforeAll(() => {
+    app = new App()
+    stack = new Stack(app, "pythonLambdaConstructStack")
+    new PythonLambdaFunction(stack, "dummyPythonFunction", {
+      functionName: "testPythonLambda",
+      projectBaseDir: resolve(__dirname, "../../../.."),
+      packageBasePath: "packages/cdkConstructs",
+      handler: "index.handler",
+      environmentVariables: {foo: "bar"},
+      logRetentionInDays: 30,
+      logLevel: "DEBUG",
+      addSplunkSubscriptionFilter: false
+    })
+    template = Template.fromStack(stack)
+  })
+
+  test("it does not have a subscription filter", () => {
+    template.resourceCountIs("AWS::Logs::SubscriptionFilter", 0)
+  })
+})