remove code duplication

Author: anthony-nhs

packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts

@@ -1,14 +1,11 @@
 import {Construct} from "constructs"
-import {Duration, Fn, RemovalPolicy} from "aws-cdk-lib"
+import {Duration, RemovalPolicy} from "aws-cdk-lib"
 import {
   ManagedPolicy,
   PolicyStatement,
   Role,
-  ServicePrincipal,
   IManagedPolicy
 } from "aws-cdk-lib/aws-iam"
-import {Key} from "aws-cdk-lib/aws-kms"
-import {Stream} from "aws-cdk-lib/aws-kinesis"
 import {
   Architecture,
   CfnFunction,
@@ -18,9 +15,8 @@ import {
   Code,
   ILayerVersion
 } from "aws-cdk-lib/aws-lambda"
-import {CfnLogGroup, CfnSubscriptionFilter, LogGroup} from "aws-cdk-lib/aws-logs"
 import {join} from "path"
-import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config"
+import {createSharedLambdaResources} from "./lambdaSharedResources"
 
 export interface PythonLambdaFunctionProps {
   /**
@@ -173,85 +169,14 @@ export class PythonLambdaFunction extends Construct {
       architecture = Architecture.X86_64
     } = props
 
-    // Import shared cloud resources from cross-stack references
-    const cloudWatchLogsKmsKey = Key.fromKeyArn(
-      this, "cloudWatchLogsKmsKey", Fn.importValue("account-resources:CloudwatchLogsKmsKeyArn"))
-
-    const cloudwatchEncryptionKMSPolicy = ManagedPolicy.fromManagedPolicyArn(
-      this, "cloudwatchEncryptionKMSPolicyArn", Fn.importValue("account-resources:CloudwatchEncryptionKMSPolicyArn"))
-
-    const splunkDeliveryStream = Stream.fromStreamArn(
-      this, "SplunkDeliveryStream", Fn.importValue("lambda-resources:SplunkDeliveryStream"))
-
-    const splunkSubscriptionFilterRole = Role.fromRoleArn(
-      this, "splunkSubscriptionFilterRole", Fn.importValue("lambda-resources:SplunkSubscriptionFilterRole"))
-
-    const lambdaInsightsLogGroupPolicy = ManagedPolicy.fromManagedPolicyArn(
-      this, "lambdaInsightsLogGroupPolicy", Fn.importValue("lambda-resources:LambdaInsightsLogGroupPolicy"))
-
-    const insightsLambdaLayerArn = architecture === Architecture.ARM_64
-      ? LAMBDA_INSIGHTS_LAYER_ARNS.arm64
-      : LAMBDA_INSIGHTS_LAYER_ARNS.x64
-    const insightsLambdaLayer = LayerVersion.fromLayerVersionArn(
-      this, "LayerFromArn", insightsLambdaLayerArn)
-
-    // Log group with encryption and retention
-    const logGroup = new LogGroup(this, "LambdaLogGroup", {
-      encryptionKey: cloudWatchLogsKmsKey,
-      logGroupName: `/aws/lambda/${functionName}`,
-      retention: logRetentionInDays,
-      removalPolicy: RemovalPolicy.DESTROY
-    })
-
-    // Suppress CFN guard rules for log group
-    const cfnlogGroup = logGroup.node.defaultChild as CfnLogGroup
-    cfnlogGroup.cfnOptions.metadata = {
-      guard: {
-        SuppressedRules: [
-          "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
-        ]
-      }
-    }
-
-    // Send logs to Splunk
-    new CfnSubscriptionFilter(this, "LambdaLogsSplunkSubscriptionFilter", {
-      destinationArn: splunkDeliveryStream.streamArn,
-      filterPattern: "",
-      logGroupName: logGroup.logGroupName,
-      roleArn: splunkSubscriptionFilterRole.roleArn
-    })
-
-    // Create managed policy for Lambda CloudWatch logs access
-    const putLogsManagedPolicy = new ManagedPolicy(this, "LambdaPutLogsManagedPolicy", {
-      description: `write to ${functionName} logs`,
-      statements: [
-        new PolicyStatement({
-          actions: [
-            "logs:CreateLogStream",
-            "logs:PutLogEvents"
-          ],
-          resources: [
-            logGroup.logGroupArn,
-            `${logGroup.logGroupArn}:log-stream:*`
-          ]
-        })
-      ]
-    })
-
-    // Aggregate all required policies for Lambda execution
-    const requiredPolicies: Array<IManagedPolicy> = [
-      putLogsManagedPolicy,
-      lambdaInsightsLogGroupPolicy,
-      cloudwatchEncryptionKMSPolicy,
-      ...(additionalPolicies ?? [])
-    ]
-
-    const role = new Role(this, "LambdaRole", {
-      assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
-      managedPolicies: requiredPolicies
+    const {logGroup, role, insightsLayer} = createSharedLambdaResources(this, {
+      functionName,
+      logRetentionInDays,
+      additionalPolicies,
+      architecture
     })
 
-    const layersToAdd = [insightsLambdaLayer]
+    const layersToAdd = [insightsLayer]
     if (dependencyLocation) {
       const dependencyLayer = new LayerVersion(this, "DependencyLayer", {
         removalPolicy: RemovalPolicy.DESTROY,

packages/cdkConstructs/src/constructs/TypescriptLambdaFunction.ts

@@ -1,26 +1,20 @@
-import {Duration, Fn, RemovalPolicy} from "aws-cdk-lib"
+import {Duration} from "aws-cdk-lib"
 import {
   IManagedPolicy,
   ManagedPolicy,
   PolicyStatement,
-  Role,
-  ServicePrincipal
+  Role
 } from "aws-cdk-lib/aws-iam"
-import {Stream} from "aws-cdk-lib/aws-kinesis"
-import {Key} from "aws-cdk-lib/aws-kms"
 import {
   Architecture,
   CfnFunction,
   ILayerVersion,
-  LayerVersion,
   Runtime
 } from "aws-cdk-lib/aws-lambda"
 import {NodejsFunction, NodejsFunctionProps} from "aws-cdk-lib/aws-lambda-nodejs"
-import {CfnLogGroup, CfnSubscriptionFilter, LogGroup} from "aws-cdk-lib/aws-logs"
 import {Construct} from "constructs"
 import {join} from "node:path"
-import {NagSuppressions} from "cdk-nag"
-import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config"
+import {createSharedLambdaResources} from "./lambdaSharedResources"
 
 export interface TypescriptLambdaFunctionProps {
   /**
@@ -210,83 +204,11 @@ export class TypescriptLambdaFunction extends Construct {
       architecture = Architecture.X86_64
     } = props
 
-    // Imports
-    const cloudWatchLogsKmsKey = Key.fromKeyArn(
-      this, "cloudWatchLogsKmsKey", Fn.importValue("account-resources:CloudwatchLogsKmsKeyArn"))
-
-    const splunkDeliveryStream = Stream.fromStreamArn(
-      this, "SplunkDeliveryStream", Fn.importValue("lambda-resources:SplunkDeliveryStream"))
-
-    const splunkSubscriptionFilterRole = Role.fromRoleArn(
-      this, "splunkSubscriptionFilterRole", Fn.importValue("lambda-resources:SplunkSubscriptionFilterRole"))
-
-    const lambdaInsightsLogGroupPolicy = ManagedPolicy.fromManagedPolicyArn(
-      this, "lambdaInsightsLogGroupPolicy", Fn.importValue("lambda-resources:LambdaInsightsLogGroupPolicy"))
-
-    const cloudwatchEncryptionKMSPolicy = ManagedPolicy.fromManagedPolicyArn(
-      this, "cloudwatchEncryptionKMSPolicyArn", Fn.importValue("account-resources:CloudwatchEncryptionKMSPolicyArn"))
-
-    const insightsLambdaLayerArn = architecture === Architecture.ARM_64
-      ? LAMBDA_INSIGHTS_LAYER_ARNS.arm64
-      : LAMBDA_INSIGHTS_LAYER_ARNS.x64
-    const insightsLambdaLayer = LayerVersion.fromLayerVersionArn(
-      this, "LayerFromArn", insightsLambdaLayerArn)
-
-    // Resources
-    const logGroup = new LogGroup(this, "LambdaLogGroup", {
-      encryptionKey: cloudWatchLogsKmsKey,
-      logGroupName: `/aws/lambda/${functionName}`,
-      retention: logRetentionInDays,
-      removalPolicy: RemovalPolicy.DESTROY
-    })
-
-    const cfnlogGroup = logGroup.node.defaultChild as CfnLogGroup
-    cfnlogGroup.cfnOptions.metadata = {
-      guard: {
-        SuppressedRules: [
-          "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
-        ]
-      }
-    }
-
-    new CfnSubscriptionFilter(this, "LambdaLogsSplunkSubscriptionFilter", {
-      destinationArn: splunkDeliveryStream.streamArn,
-      filterPattern: "",
-      logGroupName: logGroup.logGroupName,
-      roleArn: splunkSubscriptionFilterRole.roleArn
-
-    })
-
-    const putLogsManagedPolicy = new ManagedPolicy(this, "LambdaPutLogsManagedPolicy", {
-      description: `write to ${functionName} logs`,
-      statements: [
-        new PolicyStatement({
-          actions: [
-            "logs:CreateLogStream",
-            "logs:PutLogEvents"
-          ],
-          resources: [
-            logGroup.logGroupArn,
-            `${logGroup.logGroupArn}:log-stream:*`
-          ]
-        })]
-    })
-    NagSuppressions.addResourceSuppressions(putLogsManagedPolicy, [
-      {
-        id: "AwsSolutions-IAM5",
-        // eslint-disable-next-line max-len
-        reason: "Suppress error for not having wildcards in permissions. This is a fine as we need to have permissions on all log streams under path"
-      }
-    ])
-
-    const role = new Role(this, "LambdaRole", {
-      assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
-      managedPolicies: [
-        putLogsManagedPolicy,
-        lambdaInsightsLogGroupPolicy,
-        cloudwatchEncryptionKMSPolicy,
-        ...(additionalPolicies)
-      ]
+    const {logGroup, role, insightsLayer} = createSharedLambdaResources(this, {
+      functionName,
+      logRetentionInDays,
+      additionalPolicies,
+      architecture
     })
 
     const lambdaFunction = new NodejsFunction(this, functionName, {
@@ -303,7 +225,7 @@ export class TypescriptLambdaFunction extends Construct {
       },
       logGroup,
       layers: [
-        insightsLambdaLayer,
+        insightsLayer,
         ...layers
       ]
     })

packages/cdkConstructs/src/constructs/lambdaSharedResources.ts

@@ -0,0 +1,122 @@
+import {Construct} from "constructs"
+import {Fn, RemovalPolicy} from "aws-cdk-lib"
+import {Architecture, ILayerVersion, LayerVersion} from "aws-cdk-lib/aws-lambda"
+import {Key} from "aws-cdk-lib/aws-kms"
+import {Stream} from "aws-cdk-lib/aws-kinesis"
+import {CfnLogGroup, CfnSubscriptionFilter, LogGroup} from "aws-cdk-lib/aws-logs"
+import {
+  IManagedPolicy,
+  ManagedPolicy,
+  PolicyStatement,
+  Role,
+  ServicePrincipal
+} from "aws-cdk-lib/aws-iam"
+import {NagSuppressions} from "cdk-nag"
+import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config"
+
+export interface SharedLambdaResourceProps {
+  readonly functionName: string
+  readonly logRetentionInDays: number
+  readonly additionalPolicies: Array<IManagedPolicy>
+  readonly architecture: Architecture
+}
+
+export interface SharedLambdaResources {
+  readonly logGroup: LogGroup
+  readonly role: Role
+  readonly insightsLayer: ILayerVersion
+}
+
+export const createSharedLambdaResources = (
+  scope: Construct,
+  {
+    functionName,
+    logRetentionInDays,
+    additionalPolicies,
+    architecture
+  }: SharedLambdaResourceProps
+): SharedLambdaResources => {
+  const cloudWatchLogsKmsKey = Key.fromKeyArn(
+    scope, "cloudWatchLogsKmsKey", Fn.importValue("account-resources:CloudwatchLogsKmsKeyArn"))
+
+  const cloudwatchEncryptionKMSPolicy = ManagedPolicy.fromManagedPolicyArn(
+    scope, "cloudwatchEncryptionKMSPolicyArn", Fn.importValue("account-resources:CloudwatchEncryptionKMSPolicyArn"))
+
+  const splunkDeliveryStream = Stream.fromStreamArn(
+    scope, "SplunkDeliveryStream", Fn.importValue("lambda-resources:SplunkDeliveryStream"))
+
+  const splunkSubscriptionFilterRole = Role.fromRoleArn(
+    scope, "splunkSubscriptionFilterRole", Fn.importValue("lambda-resources:SplunkSubscriptionFilterRole"))
+
+  const lambdaInsightsLogGroupPolicy = ManagedPolicy.fromManagedPolicyArn(
+    scope, "lambdaInsightsLogGroupPolicy", Fn.importValue("lambda-resources:LambdaInsightsLogGroupPolicy"))
+
+  const insightsLambdaLayerArn = architecture === Architecture.ARM_64
+    ? LAMBDA_INSIGHTS_LAYER_ARNS.arm64
+    : LAMBDA_INSIGHTS_LAYER_ARNS.x64
+  const insightsLambdaLayer = LayerVersion.fromLayerVersionArn(
+    scope, "LayerFromArn", insightsLambdaLayerArn)
+
+  const logGroup = new LogGroup(scope, "LambdaLogGroup", {
+    encryptionKey: cloudWatchLogsKmsKey,
+    logGroupName: `/aws/lambda/${functionName}`,
+    retention: logRetentionInDays,
+    removalPolicy: RemovalPolicy.DESTROY
+  })
+
+  const cfnlogGroup = logGroup.node.defaultChild as CfnLogGroup
+  cfnlogGroup.cfnOptions.metadata = {
+    guard: {
+      SuppressedRules: [
+        "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
+      ]
+    }
+  }
+
+  new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
+    destinationArn: splunkDeliveryStream.streamArn,
+    filterPattern: "",
+    logGroupName: logGroup.logGroupName,
+    roleArn: splunkSubscriptionFilterRole.roleArn
+  })
+
+  const putLogsManagedPolicy = new ManagedPolicy(scope, "LambdaPutLogsManagedPolicy", {
+    description: `write to ${functionName} logs`,
+    statements: [
+      new PolicyStatement({
+        actions: [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ],
+        resources: [
+          logGroup.logGroupArn,
+          `${logGroup.logGroupArn}:log-stream:*`
+        ]
+      })
+    ]
+  })
+
+  NagSuppressions.addResourceSuppressions(putLogsManagedPolicy, [
+    {
+      id: "AwsSolutions-IAM5",
+      // eslint-disable-next-line max-len
+      reason: "Suppress error for not having wildcards in permissions. This is a fine as we need to have permissions on all log streams under path"
+    }
+  ])
+
+  const role = new Role(scope, "LambdaRole", {
+    assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
+    managedPolicies: [
+      putLogsManagedPolicy,
+      lambdaInsightsLogGroupPolicy,
+      cloudwatchEncryptionKMSPolicy,
+      ...additionalPolicies
+    ]
+  })
+
+  return {
+    logGroup,
+    role,
+    insightsLayer: insightsLambdaLayer
+  }
+}