more test

Author: anthony-nhs

packages/cdkConstructs/src/constructs/lambdaSharedResources.ts

@@ -14,6 +14,7 @@ import {NagSuppressions} from "cdk-nag"
 import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config"
 import {addSuppressions} from "../utils/helpers"
 import {CfnDeliveryStream} from "aws-cdk-lib/aws-kinesisfirehose"
+import {Stream} from "aws-cdk-lib/aws-kinesis"
 
 export interface SharedLambdaResourceProps {
   readonly functionName: string
@@ -47,8 +48,7 @@ export const createSharedLambdaResources = (
       scope, "cloudWatchLogsKmsKey", Fn.importValue("account-resources:CloudwatchLogsKmsKeyArn")),
     cloudwatchEncryptionKMSPolicy = ManagedPolicy.fromManagedPolicyArn(
       scope, "cloudwatchEncryptionKMSPolicyArn", Fn.importValue("account-resources:CloudwatchEncryptionKMSPolicyArn")),
-    splunkDeliveryStream = CfnDeliveryStream.fromDeliveryStreamArn(
-      scope, "SplunkDeliveryStream", Fn.importValue("lambda-resources:SplunkDeliveryStream")),
+    splunkDeliveryStream,
     splunkSubscriptionFilterRole = Role.fromRoleArn(
       scope, "splunkSubscriptionFilterRole", Fn.importValue("lambda-resources:SplunkSubscriptionFilterRole")),
     lambdaInsightsLogGroupPolicy = ManagedPolicy.fromManagedPolicyArn(
@@ -72,12 +72,23 @@ export const createSharedLambdaResources = (
   addSuppressions([cfnlogGroup], ["CW_LOGGROUP_RETENTION_PERIOD_CHECK"])
 
   if (addSplunkSubscriptionFilter) {
-    new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
-      destinationArn: splunkDeliveryStream.deliveryStreamRef.deliveryStreamArn,
-      filterPattern: "",
-      logGroupName: logGroup.logGroupName,
-      roleArn: splunkSubscriptionFilterRole.roleArn
-    })
+    if (splunkDeliveryStream) {
+      new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
+        destinationArn: splunkDeliveryStream?.attrArn,
+        filterPattern: "",
+        logGroupName: logGroup.logGroupName,
+        roleArn: splunkSubscriptionFilterRole.roleArn
+      })
+    } else {
+      const splunkDeliveryStreamImport = Stream.fromStreamArn(
+        scope, "SplunkDeliveryStream", Fn.importValue("lambda-resources:SplunkDeliveryStream"))
+      new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
+        destinationArn: splunkDeliveryStreamImport.streamArn,
+        filterPattern: "",
+        logGroupName: logGroup.logGroupName,
+        roleArn: splunkSubscriptionFilterRole.roleArn
+      })
+    }
   }
 
   const putLogsManagedPolicy = new ManagedPolicy(scope, "LambdaPutLogsManagedPolicy", {

packages/cdkConstructs/tests/constructs/pythonLambdaFunctionConstruct.test.ts

@@ -1,6 +1,11 @@
 import {App, assertions, Stack} from "aws-cdk-lib"
 import {Template, Match} from "aws-cdk-lib/assertions"
-import {ManagedPolicy, PolicyStatement, Role} from "aws-cdk-lib/aws-iam"
+import {
+  ManagedPolicy,
+  PolicyStatement,
+  Role,
+  ServicePrincipal
+} from "aws-cdk-lib/aws-iam"
 import {LogGroup} from "aws-cdk-lib/aws-logs"
 import {
   Architecture,
@@ -17,6 +22,8 @@ import {
 } from "vitest"
 
 import {PythonLambdaFunction} from "../../src/constructs/PythonLambdaFunction"
+import {CfnDeliveryStream} from "aws-cdk-lib/aws-kinesisfirehose"
+import {Key} from "aws-cdk-lib/aws-kms"
 
 describe("pythonFunctionConstruct works correctly", () => {
   let stack: Stack
@@ -400,3 +407,124 @@ describe("pythonFunctionConstruct works correctly with addSplunkSubscriptionFilt
     template.resourceCountIs("AWS::Logs::SubscriptionFilter", 0)
   })
 })
+
+describe("pythonFunctionConstruct works correctly when not using imports", () => {
+  let stack: Stack
+  let app: App
+  let template: assertions.Template
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  let lambdaLogGroupResource: any
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  let cloudWatchLogsKmsKeyResource: any
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  let lambdaInsightsLogGroupPolicyResource: any
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  let cloudwatchEncryptionKMSPolicyResource: any
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  let splunkSubscriptionFilterRoleResource: any
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  let splunkDeliveryStreamResource: any
+
+  beforeAll(() => {
+    app = new App()
+    stack = new Stack(app, "pythonLambdaConstructStack")
+    const cloudWatchLogsKmsKey = new Key(stack, "cloudWatchLogsKmsKey")
+    const cloudwatchEncryptionKMSPolicy = new ManagedPolicy(stack, "cloudwatchEncryptionKMSPolicy", {
+      description: "cloudwatch encryption KMS policy",
+      statements: [
+        new PolicyStatement({
+          actions: [
+            "kms:Decrypt",
+            "kms:Encrypt",
+            "kms:GenerateDataKey*",
+            "kms:ReEncrypt*"
+          ],
+          resources: ["*"]
+        })]
+    })
+    const splunkDeliveryStream = new CfnDeliveryStream(stack, "SplunkDeliveryStream", {
+      deliveryStreamName: "SplunkDeliveryStream",
+      s3DestinationConfiguration: {
+        bucketArn: "arn:aws:s3:::my-bucket",
+        roleArn: "arn:aws:iam::123456789012:role/my-role"
+      }
+    })
+    const splunkSubscriptionFilterRole = new Role(stack, "SplunkSubscriptionFilterRole", {
+      assumedBy: new ServicePrincipal("logs.amazonaws.com")
+    })
+    const lambdaInsightsLogGroupPolicy = new ManagedPolicy(stack, "LambdaInsightsLogGroupPolicy", {
+      description: "permissions to create log group and set retention policy for Lambda Insights",
+      statements: [
+        new PolicyStatement({
+          actions: [
+            "logs:CreateLogStream",
+            "logs:PutLogEvents"
+          ],
+          resources: [
+            "*"
+          ]
+        })
+      ]
+    })
+
+    const functionConstruct = new PythonLambdaFunction(stack, "dummyPythonFunction", {
+      functionName: "testPythonLambda",
+      projectBaseDir: resolve(__dirname, "../../../.."),
+      packageBasePath: "packages/cdkConstructs",
+      handler: "index.handler",
+      environmentVariables: {},
+      logRetentionInDays: 30,
+      logLevel: "INFO",
+      cloudWatchLogsKmsKey: cloudWatchLogsKmsKey,
+      cloudwatchEncryptionKMSPolicy: cloudwatchEncryptionKMSPolicy,
+      splunkDeliveryStream: splunkDeliveryStream,
+      splunkSubscriptionFilterRole: splunkSubscriptionFilterRole,
+      lambdaInsightsLogGroupPolicy: lambdaInsightsLogGroupPolicy
+    })
+    template = Template.fromStack(stack)
+    const lambdaLogGroup = functionConstruct.node.tryFindChild("LambdaLogGroup") as LogGroup
+    lambdaLogGroupResource = stack.resolve(lambdaLogGroup.logGroupName)
+    cloudWatchLogsKmsKeyResource = stack.resolve(cloudWatchLogsKmsKey.keyId)
+    lambdaInsightsLogGroupPolicyResource = stack.resolve(lambdaInsightsLogGroupPolicy.managedPolicyArn)
+    cloudwatchEncryptionKMSPolicyResource = stack.resolve(cloudwatchEncryptionKMSPolicy.managedPolicyArn)
+    splunkSubscriptionFilterRoleResource = stack.resolve(splunkSubscriptionFilterRole.roleName)
+    splunkDeliveryStreamResource = stack.resolve(splunkDeliveryStream.ref)
+  })
+
+  test("it has the correct cloudWatchLogsKmsKey", () => {
+    template.hasResourceProperties("AWS::Logs::LogGroup", {
+      LogGroupName: "/aws/lambda/testPythonLambda",
+      KmsKeyId: {"Fn::GetAtt": [cloudWatchLogsKmsKeyResource.Ref, "Arn"]},
+      RetentionInDays: 30
+    })
+  })
+
+  test("it has the correct cloudwatchEncryptionKMSPolicy and lambdaInsightsLogGroupPolicy", () => {
+    template.hasResourceProperties("AWS::IAM::Role", {
+      "AssumeRolePolicyDocument": {
+        "Statement": [
+          {
+            "Action": "sts:AssumeRole",
+            "Effect": "Allow",
+            "Principal": {
+              "Service": "lambda.amazonaws.com"
+            }
+          }
+        ],
+        "Version": "2012-10-17"
+      },
+      "ManagedPolicyArns": Match.arrayWith([
+        {"Ref": lambdaInsightsLogGroupPolicyResource.Ref},
+        {"Ref": cloudwatchEncryptionKMSPolicyResource.Ref}
+      ])
+    })
+  })
+  test("it has the correct subscription filter", () => {
+    template.hasResourceProperties("AWS::Logs::SubscriptionFilter", {
+      LogGroupName: {"Ref": lambdaLogGroupResource.Ref},
+      FilterPattern: "",
+      RoleArn: {"Fn::GetAtt": [splunkSubscriptionFilterRoleResource.Ref, "Arn"]},
+      DestinationArn: {"Fn::GetAtt": [splunkDeliveryStreamResource.Ref, "Arn"]}
+    })
+  })
+})