# CDK Enterprise IaC Utilities for using CDK within enterprise constraints. ## Install Typescript ```zsh npm install @cdklabs/cdk-enterprise-iac ``` Python ```zsh pip install cdklabs.cdk-enterprise-iac ``` ## Who this project is for Within large enterprises, builders can come up against enterprise imposed constraints when deploying on AWS. This could be simple things such as "All IAM roles must have a specific Permissions Boundary attached". This could also be more restrictive such as strict separation of duties, only allowing certain teams the ability to deploy specific AWS resources (e.g. Networking team can deploy VPCs, Subnets, and route tables. Security team can deploy IAM resources. Developers can deploy Compute. DBAs can deploy Databases, etc.) Enterprises with very restrictive environments like these would benefit from taking a closer look at their policies to see how they can allow builders to safely deploy resources with less friction. However in many enterprises this is easier said than done, and builders are still expected to deliver. This project is meant to reduce friction for builders working within these enterprise constraints while the enterprise determines what policies make the most sense for their organization, and is in no way prescriptive. ## Usage There are many tools available, all detailed in [`API.md`](./API.md). A few examples of these tools below: ### Adding permissions boundaries to all generated IAM roles Example for `AddPermissionBoundary` in Typescript project. ```ts import * as cdk from 'aws-cdk-lib'; import { MyStack } from '../lib/my-project-stack'; import { Aspects } from 'aws-cdk-lib'; import { AddPermissionBoundary } from '@cdklabs/cdk-enterprise-iac'; const app = new cdk.App(); new MyStack(app, 'MyStack'); Aspects.of(app).add( new AddPermissionBoundary({ permissionsBoundaryPolicyName: 'MyPermissionBoundaryName', instanceProfilePrefix: 'MY_PREFIX_', // optional, Defaults to '' policyPrefix: 'MY_POLICY_PREFIX_', // optional, Defaults to '' rolePrefix: 'MY_ROLE_PREFIX_', // optional, Defaults to '' }) ); ``` Example for `AddPermissionBoundary` in Python project. ```python import aws_cdk as cdk from cdklabs.cdk_enterprise_iac import AddPermissionBoundary from test_py.test_py_stack import TestPyStack app = cdk.App() TestPyStack(app, "TestPyStack") cdk.Aspects.of(app).add(AddPermissionBoundary( permissions_boundary_policy_name="MyPermissionBoundaryName", instance_profile_prefix="MY_PREFIX_", # optional, Defaults to "" policy_prefix="MY_POLICY_PREFIX_", # optional, Defaults to "" role_prefix="MY_ROLE_PREFIX_" # optional, Defaults to "" )) app.synth() ``` ### Resource extraction :warning: Resource extraction is in an experimental phase. Test and validate before using in production. Please open any issues found [here](https://github.com/cdklabs/cdk-enterprise-iac/). In many enterprises, there are separate teams with different IAM permissions than developers deploying CDK applications. For example there might be a networking team with permissions to deploy `AWS::EC2::SecurityGroup` and `AWS::EC2::EIP`, or a security team with permissions to deploy `AWS::IAM::Role` and `AWS::IAM::Policy`, but the developers deploying the CDK don't have those permissions. When a developer doesn't have permissions to deploy necessary resources in their CDK application, writing good code becomes difficult to manage when a cdk deploy will quickly error due to not being able to deploy something like an `AWS::IAM::Role` which is foundational to any project deployed into AWS. An enterprise should _allow_ builders to deploy these resources via CDK for [many reasons](https://github.com/aws/aws-cdk/wiki/Security-And-Safety-Dev-Guide#allowing-creation-of-iam-roles-without-privilege-escalation), and can use [Permissions Boundaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) to prevent privilege escalation. For enterprises that haven't yet utilized Permissions Boundaries, the `ResourceExtractor` can make it easier for builders to write good CDK while complying with enterprise policies. Using the `ResourceExtractor` Aspect, developers can write their CDK code as though they had sufficient IAM permissions, but extract those resources into a separate stack for an external team to deploy on their behalf. Take the following example stack: ```ts import { App, Aspects, RemovalPolicy, Stack } from 'aws-cdk-lib'; import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda'; import { Bucket } from 'aws-cdk-lib/aws-s3'; const app = new App(); const appStack = new Stack(app, 'MyAppStack'); const func = new Function(appStack, 'TestLambda', { code: Code.fromAsset(path.join(__dirname, 'lambda-handler')), handler: 'index.handler', runtime: Runtime.PYTHON_3_9, }); const bucket = new Bucket(appStack, 'TestBucket', { autoDeleteObjects: true, removalPolicy: RemovalPolicy.DESTROY, }); bucket.grantReadWrite(func); app.synth() ``` The synthesized Cloudformation would include _all_ AWS resources required, including resources a developer might not have permissions to deploy The above example would include the following snippet in the synthesized Cloudformation ```yaml TestLambdaServiceRoleC28C2D9C: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Statement: - Action: 'sts:AssumeRole' Effect: Allow Principal: Service: lambda.amazonaws.com Version: 2012-10-17 # excluding remaining properties TestLambda2F70C45E: Type: 'AWS::Lambda::Function' Properties: Role: !GetAtt - TestLambdaServiceRoleC28C2D9C - Arn # excluding remaining properties ``` While including `bucket.grantReadWrite(func)` in the CDK application ensures an IAM role with least privilege IAM policies for the application, the creation of IAM resources such as Roles and Policies may be restricted to a security team, resulting in the synthesized Cloudformation template not being deployable by a developer. Using the `ResourceExtractor`, we can pull out an arbitrary list of Cloudformation resources that a developer _doesn't_ have permissions to provision, and create a separate stack that can be sent to a security team. ```ts import { App, Aspects, RemovalPolicy, Stack } from 'aws-cdk-lib'; import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda'; import { Bucket } from 'aws-cdk-lib/aws-s3'; // Import ResourceExtractor import { ResourceExtractor } from '@cdklabs/cdk-enterprise-iac'; const app = new App(); const appStack = new Stack(app, 'MyAppStack'); // Set up a destination stack to extract resources to const extractedStack = new Stack(app, 'ExtractedStack'); const func = new Function(appStack, 'TestLambda', { code: Code.fromAsset(path.join(__dirname, 'lambda-handler')), handler: 'index.handler', runtime: Runtime.PYTHON_3_9, }); const bucket = new Bucket(appStack, 'TestBucket', { autoDeleteObjects: true, removalPolicy: RemovalPolicy.DESTROY, }); bucket.grantReadWrite(func); // Capture the output of app.synth() const synthedApp = app.synth(); // Apply the ResourceExtractor Aspect Aspects.of(app).add( new ResourceExtractor({ // synthesized stacks to examine stackArtifacts: synthedApp.stacks, // Array of Cloudformation resources to extract resourceTypesToExtract: [ 'AWS::IAM::Role', 'AWS::IAM::Policy', 'AWS::IAM::ManagedPolicy', 'AWS::IAM::InstanceProfile', ], // Destination stack for extracted resources extractDestinationStack: extractedStack, }) ); // Resynthing since ResourceExtractor has modified the app app.synth({ force: true }); ``` In the example above, _all_ resources are created in the `appStack`, and an empty `extractedStack` is also created. We apply the `ResourceExtractor` Aspect, specifying the Cloudformation resource types the developer is unable to deploy due to insufficient IAM permissions. Now when we list stacks in the CDK project, we can see an added stack ```zsh $ cdk ls MyAppStack ExtractedStack ``` Taking a look at these synthesized stacks, in the `ExtractedStack` we'll find: ```yaml Resources: TestLambdaServiceRoleC28C2D9C: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Statement: - Action: 'sts:AssumeRole' Effect: Allow Principal: Service: lambda.amazonaws.com Version: 2012-10-17 # excluding remaining properties Outputs: ExportAppStackTestLambdaServiceRoleC28C2D9C: Value: 'Fn::GetAtt': - TestLambdaServiceRoleC28C2D9C - Arn Export: Name: 'AppStack:TestLambdaServiceRoleC28C2D9C' # Exported name ``` And inside the synthesized `MyAppStack` template: ```yaml Resources: TestLambda2F70C45E: Type: 'AWS::Lambda::Function' Properties: Role: !ImportValue 'AppStack:TestLambdaServiceRoleC28C2D9C' # Using ImportValue instrinsic function to use pre-created IAM role # excluding remaining properties ``` In this scenario, a developer is able to provide an external security team with sufficient IAM privileges to deploy the `ExtractedStack`. Once deployed, a developer can run `cdk deploy MyAppStack` without errors due to insufficient IAM privileges #### Value Sharing methods When resources are extracted from a stack, there must be a method to reference the resources that have been extracted. There are three methods (see `ResourceExtractorShareMethod` enum) - `CFN_OUTPUT` - `SSM_PARAMETER` - `API_LOOKUP` ##### `CFN_OUTPUT` The default sharing method is `CFN_OUTPUT`, which uses Cloudformation Export/Import to Export values in the extracted stack (see [Outputs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html)), and use the [Fn::ImportValue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html) intrinsic function to reference those values. This works fine, but some teams may prefer a looser coupling between the extracted stack deployed by an external team and the rest of the CDK infrastructure. ##### `SSM_PARAMETER` In this method, the extracted stack generates Parameters in AWS Systems Manager Parameter Store, and modifies the CDK application to look up the generated parameter using [`aws_ssm.StringParameter.valueFromLookup()`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameter.html#static-valuewbrfromwbrlookupscope-parametername) at synthesis time. Example on using this method: ```ts import { ResourceExtractor, ResourceExtractorShareMethod } from '@cdklabs/cdk-enterprise-iac'; Aspects.of(app).add( new ResourceExtractor({ stackArtifacts: synthedApp.stacks, resourceTypesToExtract: [ 'AWS::IAM::Role', 'AWS::IAM::Policy', 'AWS::IAM::ManagedPolicy', 'AWS::IAM::InstanceProfile', ], extractDestinationStack: extractedStack, valueShareMethod: ResourceExtractorShareMethod.SSM_PARAMETER, // Specify SSM_PARAMETER Method }); ); ``` ##### `API_LOOKUP` The `API_LOOKUP` sharing method is a work in progress, and not yet supported #### Resource Partials Some resources that get extracted might reference resources that aren't yet created. In our example CDK application we include the line ```ts bucket.grantReadWrite(func); ``` This creates an `AWS::IAM::Policy` that includes the necessary Actions scoped down to the S3 bucket. When the `AWS::IAM::Policy` is extracted, it's unable to use `Ref` or `Fn::GetAtt` to reference the S3 bucket since the S3 bucket wasn't extracted. In this case we substitute the reference with a "partial ARN" that makes a best effort to scope the resources in the IAM policy statement to the ARN of the yet-to-be created S3 bucket. There are multiple resource types supported out of the box (found in [`createDefaultTransforms`](src/patches/resource-extractor/resourceTransformer.ts)). In the event you have a resource not yet supported, you'll receive a `MissingTransformError`. In this case you can either open an [issue](https://github.com/cdklabs/cdk-enterprise-iac/issues) with the resource in question, or you can include the `additionalTransforms` property. Consider the following: ```ts const vpc = new Vpc(stack, 'TestVpc'); const db = new DatabaseInstance(stack, 'TestDb', { vpc, engine: DatabaseInstanceEngine.POSTGRES, }) const func = new Function(stack, 'TestLambda', { code: Code.fromAsset(path.join(__dirname, 'lambda-handler')), handler: 'index.handler', runtime: Runtime.PYTHON_3_9, }); db.secret?.grantRead(func) const synthedApp = app.synth(); Aspects.of(app).add( new ResourceExtractor({ extractDestinationStack: extractedStack, stackArtifacts: synthedApp.stacks, valueShareMethod: ResourceExtractorShareMethod.CFN_OUTPUT, resourceTypesToExtract: ['AWS::IAM::Role', 'AWS::IAM::Policy'], additionalTransforms: { 'AWS::SecretsManager::SecretTargetAttachment': `arn:${Aws.PARTITION}:secretsmanager:${Aws.REGION}:${Aws.ACCOUNT_ID}:secret:some-expected-value*`, }, }); ); app.synth({ force: true }); ``` In this case, there is a `AWS::SecretsManager::SecretTargetAttachment` generated to complete the final link between a Secrets Manager secret and the associated database by adding the database connection information to the secret JSON, which returns the ARN of the generated secret. In the context of extracting the IAM policy, we want to tell the `ResourceExtractor` how to handle the resource section of the IAM policy statement so that it is scoped down sufficiently. In this case rather than using a `Ref: LogicalIdForTheSecretTargetAttachment` we construct the ARN we want to use. Details in [API.md](API.md) ## Generated API.md --- Generated API.md below:

Expand to view API docs

# CDK Enterprise IaC Utilities for using CDK within enterprise constraints. ## Install Typescript ```zsh npm install @cdklabs/cdk-enterprise-iac ``` Python ```zsh pip install cdklabs.cdk-enterprise-iac ``` ## Who this project is for Within large enterprises, builders can come up against enterprise imposed constraints when deploying on AWS. This could be simple things such as "All IAM roles must have a specific Permissions Boundary attached". This could also be more restrictive such as strict separation of duties, only allowing certain teams the ability to deploy specific AWS resources (e.g. Networking team can deploy VPCs, Subnets, and route tables. Security team can deploy IAM resources. Developers can deploy Compute. DBAs can deploy Databases, etc.) Enterprises with very restrictive environments like these would benefit from taking a closer look at their policies to see how they can allow builders to safely deploy resources with less friction. However in many enterprises this is easier said than done, and builders are still expected to deliver. This project is meant to reduce friction for builders working within these enterprise constraints while the enterprise determines what policies make the most sense for their organization, and is in no way prescriptive. ## Usage There are many tools available, all detailed in [`API.md`](./API.md). A few examples of these tools below: ### Adding permissions boundaries to all generated IAM roles Example for `AddPermissionBoundary` in Typescript project. ```ts import * as cdk from 'aws-cdk-lib'; import { MyStack } from '../lib/my-project-stack'; import { Aspects } from 'aws-cdk-lib'; import { AddPermissionBoundary } from '@cdklabs/cdk-enterprise-iac'; const app = new cdk.App(); new MyStack(app, 'MyStack'); Aspects.of(app).add( new AddPermissionBoundary({ permissionsBoundaryPolicyName: 'MyPermissionBoundaryName', instanceProfilePrefix: 'MY_PREFIX_', // optional, Defaults to '' policyPrefix: 'MY_POLICY_PREFIX_', // optional, Defaults to '' rolePrefix: 'MY_ROLE_PREFIX_', // optional, Defaults to '' }) ); ``` Example for `AddPermissionBoundary` in Python project. ```python import aws_cdk as cdk from cdklabs.cdk_enterprise_iac import AddPermissionBoundary from test_py.test_py_stack import TestPyStack app = cdk.App() TestPyStack(app, "TestPyStack") cdk.Aspects.of(app).add(AddPermissionBoundary( permissions_boundary_policy_name="MyPermissionBoundaryName", instance_profile_prefix="MY_PREFIX_", # optional, Defaults to "" policy_prefix="MY_POLICY_PREFIX_", # optional, Defaults to "" role_prefix="MY_ROLE_PREFIX_" # optional, Defaults to "" )) app.synth() ``` ### Resource extraction :warning: Resource extraction is in an experimental phase. Test and validate before using in production. Please open any issues found [here](https://github.com/cdklabs/cdk-enterprise-iac/). In many enterprises, there are separate teams with different IAM permissions than developers deploying CDK applications. For example there might be a networking team with permissions to deploy `AWS::EC2::SecurityGroup` and `AWS::EC2::EIP`, or a security team with permissions to deploy `AWS::IAM::Role` and `AWS::IAM::Policy`, but the developers deploying the CDK don't have those permissions. When a developer doesn't have permissions to deploy necessary resources in their CDK application, writing good code becomes difficult to manage when a cdk deploy will quickly error due to not being able to deploy something like an `AWS::IAM::Role` which is foundational to any project deployed into AWS. An enterprise should _allow_ builders to deploy these resources via CDK for [many reasons](https://github.com/aws/aws-cdk/wiki/Security-And-Safety-Dev-Guide#allowing-creation-of-iam-roles-without-privilege-escalation), and can use [Permissions Boundaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) to prevent privilege escalation. For enterprises that haven't yet utilized Permissions Boundaries, the `ResourceExtractor` can make it easier for builders to write good CDK while complying with enterprise policies. Using the `ResourceExtractor` Aspect, developers can write their CDK code as though they had sufficient IAM permissions, but extract those resources into a separate stack for an external team to deploy on their behalf. Take the following example stack: ```ts import { App, Aspects, RemovalPolicy, Stack } from 'aws-cdk-lib'; import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda'; import { Bucket } from 'aws-cdk-lib/aws-s3'; const app = new App(); const appStack = new Stack(app, 'MyAppStack'); const func = new Function(appStack, 'TestLambda', { code: Code.fromAsset(path.join(__dirname, 'lambda-handler')), handler: 'index.handler', runtime: Runtime.PYTHON_3_9, }); const bucket = new Bucket(appStack, 'TestBucket', { autoDeleteObjects: true, removalPolicy: RemovalPolicy.DESTROY, }); bucket.grantReadWrite(func); app.synth() ``` The synthesized Cloudformation would include _all_ AWS resources required, including resources a developer might not have permissions to deploy The above example would include the following snippet in the synthesized Cloudformation ```yaml TestLambdaServiceRoleC28C2D9C: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Statement: - Action: 'sts:AssumeRole' Effect: Allow Principal: Service: lambda.amazonaws.com Version: 2012-10-17 # excluding remaining properties TestLambda2F70C45E: Type: 'AWS::Lambda::Function' Properties: Role: !GetAtt - TestLambdaServiceRoleC28C2D9C - Arn # excluding remaining properties ``` While including `bucket.grantReadWrite(func)` in the CDK application ensures an IAM role with least privilege IAM policies for the application, the creation of IAM resources such as Roles and Policies may be restricted to a security team, resulting in the synthesized Cloudformation template not being deployable by a developer. Using the `ResourceExtractor`, we can pull out an arbitrary list of Cloudformation resources that a developer _doesn't_ have permissions to provision, and create a separate stack that can be sent to a security team. ```ts import { App, Aspects, RemovalPolicy, Stack } from 'aws-cdk-lib'; import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda'; import { Bucket } from 'aws-cdk-lib/aws-s3'; // Import ResourceExtractor import { ResourceExtractor } from '@cdklabs/cdk-enterprise-iac'; const app = new App(); const appStack = new Stack(app, 'MyAppStack'); // Set up a destination stack to extract resources to const extractedStack = new Stack(app, 'ExtractedStack'); const func = new Function(appStack, 'TestLambda', { code: Code.fromAsset(path.join(__dirname, 'lambda-handler')), handler: 'index.handler', runtime: Runtime.PYTHON_3_9, }); const bucket = new Bucket(appStack, 'TestBucket', { autoDeleteObjects: true, removalPolicy: RemovalPolicy.DESTROY, }); bucket.grantReadWrite(func); // Capture the output of app.synth() const synthedApp = app.synth(); // Apply the ResourceExtractor Aspect Aspects.of(app).add( new ResourceExtractor({ // synthesized stacks to examine stackArtifacts: synthedApp.stacks, // Array of Cloudformation resources to extract resourceTypesToExtract: [ 'AWS::IAM::Role', 'AWS::IAM::Policy', 'AWS::IAM::ManagedPolicy', 'AWS::IAM::InstanceProfile', ], // Destination stack for extracted resources extractDestinationStack: extractedStack, }) ); // Resynthing since ResourceExtractor has modified the app app.synth({ force: true }); ``` In the example above, _all_ resources are created in the `appStack`, and an empty `extractedStack` is also created. We apply the `ResourceExtractor` Aspect, specifying the Cloudformation resource types the developer is unable to deploy due to insufficient IAM permissions. Now when we list stacks in the CDK project, we can see an added stack ```zsh $ cdk ls MyAppStack ExtractedStack ``` Taking a look at these synthesized stacks, in the `ExtractedStack` we'll find: ```yaml Resources: TestLambdaServiceRoleC28C2D9C: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Statement: - Action: 'sts:AssumeRole' Effect: Allow Principal: Service: lambda.amazonaws.com Version: 2012-10-17 # excluding remaining properties Outputs: ExportAppStackTestLambdaServiceRoleC28C2D9C: Value: 'Fn::GetAtt': - TestLambdaServiceRoleC28C2D9C - Arn Export: Name: 'AppStack:TestLambdaServiceRoleC28C2D9C' # Exported name ``` And inside the synthesized `MyAppStack` template: ```yaml Resources: TestLambda2F70C45E: Type: 'AWS::Lambda::Function' Properties: Role: !ImportValue 'AppStack:TestLambdaServiceRoleC28C2D9C' # Using ImportValue instrinsic function to use pre-created IAM role # excluding remaining properties ``` In this scenario, a developer is able to provide an external security team with sufficient IAM privileges to deploy the `ExtractedStack`. Once deployed, a developer can run `cdk deploy MyAppStack` without errors due to insufficient IAM privileges #### Value Sharing methods When resources are extracted from a stack, there must be a method to reference the resources that have been extracted. There are three methods (see `ResourceExtractorShareMethod` enum) - `CFN_OUTPUT` - `SSM_PARAMETER` - `API_LOOKUP` ##### `CFN_OUTPUT` The default sharing method is `CFN_OUTPUT`, which uses Cloudformation Export/Import to Export values in the extracted stack (see [Outputs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html)), and use the [Fn::ImportValue](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html) intrinsic function to reference those values. This works fine, but some teams may prefer a looser coupling between the extracted stack deployed by an external team and the rest of the CDK infrastructure. ##### `SSM_PARAMETER` In this method, the extracted stack generates Parameters in AWS Systems Manager Parameter Store, and modifies the CDK application to look up the generated parameter using [`aws_ssm.StringParameter.valueFromLookup()`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm.StringParameter.html#static-valuewbrfromwbrlookupscope-parametername) at synthesis time. Example on using this method: ```ts import { ResourceExtractor, ResourceExtractorShareMethod } from '@cdklabs/cdk-enterprise-iac'; Aspects.of(app).add( new ResourceExtractor({ stackArtifacts: synthedApp.stacks, resourceTypesToExtract: [ 'AWS::IAM::Role', 'AWS::IAM::Policy', 'AWS::IAM::ManagedPolicy', 'AWS::IAM::InstanceProfile', ], extractDestinationStack: extractedStack, valueShareMethod: ResourceExtractorShareMethod.SSM_PARAMETER, // Specify SSM_PARAMETER Method }); ); ``` ##### `API_LOOKUP` The `API_LOOKUP` sharing method is a work in progress, and not yet supported #### Resource Partials Some resources that get extracted might reference resources that aren't yet created. In our example CDK application we include the line ```ts bucket.grantReadWrite(func); ``` This creates an `AWS::IAM::Policy` that includes the necessary Actions scoped down to the S3 bucket. When the `AWS::IAM::Policy` is extracted, it's unable to use `Ref` or `Fn::GetAtt` to reference the S3 bucket since the S3 bucket wasn't extracted. In this case we substitute the reference with a "partial ARN" that makes a best effort to scope the resources in the IAM policy statement to the ARN of the yet-to-be created S3 bucket. There are multiple resource types supported out of the box (found in [`createDefaultTransforms`](src/patches/resource-extractor/resourceTransformer.ts)). In the event you have a resource not yet supported, you'll receive a `MissingTransformError`. In this case you can either open an [issue](https://github.com/cdklabs/cdk-enterprise-iac/issues) with the resource in question, or you can include the `additionalTransforms` property. Consider the following: ```ts const vpc = new Vpc(stack, 'TestVpc'); const db = new DatabaseInstance(stack, 'TestDb', { vpc, engine: DatabaseInstanceEngine.POSTGRES, }) const func = new Function(stack, 'TestLambda', { code: Code.fromAsset(path.join(__dirname, 'lambda-handler')), handler: 'index.handler', runtime: Runtime.PYTHON_3_9, }); db.secret?.grantRead(func) const synthedApp = app.synth(); Aspects.of(app).add( new ResourceExtractor({ extractDestinationStack: extractedStack, stackArtifacts: synthedApp.stacks, valueShareMethod: ResourceExtractorShareMethod.CFN_OUTPUT, resourceTypesToExtract: ['AWS::IAM::Role', 'AWS::IAM::Policy'], additionalTransforms: { 'AWS::SecretsManager::SecretTargetAttachment': `arn:${Aws.PARTITION}:secretsmanager:${Aws.REGION}:${Aws.ACCOUNT_ID}:secret:some-expected-value*`, }, }); ); app.synth({ force: true }); ``` In this case, there is a `AWS::SecretsManager::SecretTargetAttachment` generated to complete the final link between a Secrets Manager secret and the associated database by adding the database connection information to the secret JSON, which returns the ARN of the generated secret. In the context of extracting the IAM policy, we want to tell the `ResourceExtractor` how to handle the resource section of the IAM policy statement so that it is scoped down sufficiently. In this case rather than using a `Ref: LogicalIdForTheSecretTargetAttachment` we construct the ARN we want to use. Details in [API.md](API.md) ## Generated API.md --- Generated API.md below:

Expand to view API docs

# API Reference ## Constructs ### EcsIsoServiceAutoscaler Creates a EcsIsoServiceAutoscaler construct. This construct allows you to scale an ECS service in an ISO region where classic ECS Autoscaling may not be available. #### Initializers ```typescript import { EcsIsoServiceAutoscaler } from '@cdklabs/cdk-enterprise-iac' new EcsIsoServiceAutoscaler(scope: Construct, id: string, props: EcsIsoServiceAutoscalerProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | scope | constructs.Construct | *No description.* | | id | string | *No description.* | | props | EcsIsoServiceAutoscalerProps | *No description.* | --- ##### `scope`^Required - *Type:* constructs.Construct --- ##### `id`^Required - *Type:* string --- ##### `props`^Required - *Type:* EcsIsoServiceAutoscalerProps --- #### Methods | **Name** | **Description** | | --- | --- | | toString | Returns a string representation of this construct. | --- ##### `toString` ```typescript public toString(): string ``` Returns a string representation of this construct. #### Static Functions | **Name** | **Description** | | --- | --- | | isConstruct | Checks if `x` is a construct. | --- ##### ~~`isConstruct`~~ ```typescript import { EcsIsoServiceAutoscaler } from '@cdklabs/cdk-enterprise-iac' EcsIsoServiceAutoscaler.isConstruct(x: any) ``` Checks if `x` is a construct. ###### `x`^Required - *Type:* any Any object. --- #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | node | constructs.Node | The tree node. | | ecsScalingManagerFunction | aws-cdk-lib.aws_lambda.Function | *No description.* | --- ##### `node`^Required ```typescript public readonly node: Node; ``` - *Type:* constructs.Node The tree node. --- ##### `ecsScalingManagerFunction`^Required ```typescript public readonly ecsScalingManagerFunction: Function; ``` - *Type:* aws-cdk-lib.aws_lambda.Function --- ### PopulateWithConfig Populate a provided VPC with subnets based on a provided configuration. *Example* ```typescript const mySubnetConfig: SubnetConfig[] = [ { groupName: 'app', cidrRange: '172.31.0.0/27', availabilityZone: 'a', subnetType: subnetType.PUBLIC, }, { groupName: 'app', cidrRange: '172.31.0.32/27', availabilityZone: 'b', subnetType: subnetType.PUBLIC, }, { groupName: 'db', cidrRange: '172.31.0.64/27', availabilityZone: 'a', subnetType: subnetType.PRIVATE_WITH_EGRESS, }, { groupName: 'db', cidrRange: '172.31.0.96/27', availabilityZone: 'b', subnetType: subnetType.PRIVATE_WITH_EGRESS, }, { groupName: 'iso', cidrRange: '172.31.0.128/26', availabilityZone: 'a', subnetType: subnetType.PRIVATE_ISOLATED, }, { groupName: 'iso', cidrRange: '172.31.0.196/26', availabilityZone: 'b', subnetType: subnetType.PRIVATE_ISOLATED, }, ]; new PopulateWithConfig(this, "vpcPopulater", { vpcId: 'vpc-abcdefg1234567', privateRouteTableId: 'rt-abcdefg123456', localRouteTableId: 'rt-123456abcdefg', subnetConfig: mySubnetConfig, }) ``` #### Initializers ```typescript import { PopulateWithConfig } from '@cdklabs/cdk-enterprise-iac' new PopulateWithConfig(scope: Construct, id: string, props: PopulateWithConfigProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | scope | constructs.Construct | *No description.* | | id | string | *No description.* | | props | PopulateWithConfigProps | *No description.* | --- ##### `scope`^Required - *Type:* constructs.Construct --- ##### `id`^Required - *Type:* string --- ##### `props`^Required - *Type:* PopulateWithConfigProps --- #### Methods | **Name** | **Description** | | --- | --- | | toString | Returns a string representation of this construct. | --- ##### `toString` ```typescript public toString(): string ``` Returns a string representation of this construct. #### Static Functions | **Name** | **Description** | | --- | --- | | isConstruct | Checks if `x` is a construct. | --- ##### ~~`isConstruct`~~ ```typescript import { PopulateWithConfig } from '@cdklabs/cdk-enterprise-iac' PopulateWithConfig.isConstruct(x: any) ``` Checks if `x` is a construct. ###### `x`^Required - *Type:* any Any object. --- #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | node | constructs.Node | The tree node. | --- ##### `node`^Required ```typescript public readonly node: Node; ``` - *Type:* constructs.Node The tree node. --- ### SplitVpcEvenly Splits a VPC evenly between a provided number of AZs (3 if not defined), and attaches a provided route table to each, and labels. *Example* ```typescript // with more specific properties new SplitVpcEvenly(this, 'evenSplitVpc', { vpcId: 'vpc-abcdefg123456', vpcCidr: '172.16.0.0/16', routeTableId: 'rt-abcdefgh123456', cidrBits: '10', numberOfAzs: 4, subnetType: subnetType.PRIVATE_ISOLATED, }); ``` #### Initializers ```typescript import { SplitVpcEvenly } from '@cdklabs/cdk-enterprise-iac' new SplitVpcEvenly(scope: Construct, id: string, props: SplitVpcEvenlyProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | scope | constructs.Construct | *No description.* | | id | string | *No description.* | | props | SplitVpcEvenlyProps | *No description.* | --- ##### `scope`^Required - *Type:* constructs.Construct --- ##### `id`^Required - *Type:* string --- ##### `props`^Required - *Type:* SplitVpcEvenlyProps --- #### Methods | **Name** | **Description** | | --- | --- | | toString | Returns a string representation of this construct. | --- ##### `toString` ```typescript public toString(): string ``` Returns a string representation of this construct. #### Static Functions | **Name** | **Description** | | --- | --- | | isConstruct | Checks if `x` is a construct. | --- ##### ~~`isConstruct`~~ ```typescript import { SplitVpcEvenly } from '@cdklabs/cdk-enterprise-iac' SplitVpcEvenly.isConstruct(x: any) ``` Checks if `x` is a construct. ###### `x`^Required - *Type:* any Any object. --- #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | node | constructs.Node | The tree node. | --- ##### `node`^Required ```typescript public readonly node: Node; ``` - *Type:* constructs.Node The tree node. --- ## Structs ### AddCfnInitProxyProps Properties for the proxy server to use with cfn helper commands. #### Initializer ```typescript import { AddCfnInitProxyProps } from '@cdklabs/cdk-enterprise-iac' const addCfnInitProxyProps: AddCfnInitProxyProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | proxyHost | string | host of your proxy. | | proxyPort | number | proxy port. | | proxyCredentials | aws-cdk-lib.aws_secretsmanager.ISecret | JSON secret containing `user` and `password` properties to use if your proxy requires credentials `http://user:password@host:port` could contain sensitive data, so using a Secret. | | proxyType | ProxyType | Proxy Type. | --- ##### `proxyHost`^Required ```typescript public readonly proxyHost: string; ``` - *Type:* string host of your proxy. --- *Example* ```typescript example.com ``` ##### `proxyPort`^Required ```typescript public readonly proxyPort: number; ``` - *Type:* number proxy port. --- *Example* ```typescript 8080 ``` ##### `proxyCredentials`^Optional ```typescript public readonly proxyCredentials: ISecret; ``` - *Type:* aws-cdk-lib.aws_secretsmanager.ISecret JSON secret containing `user` and `password` properties to use if your proxy requires credentials `http://user:password@host:port` could contain sensitive data, so using a Secret. Note that while the `user` and `password` won't be visible in the cloudformation template they **will** be in plain text inside your `UserData` --- *Example* ```typescript const secret = new Secret(stack, 'TestSecret', { secretObjectValue: { user: SecretValue, password: SecretValue, }, }); ``` ##### `proxyType`^Optional ```typescript public readonly proxyType: ProxyType; ``` - *Type:* ProxyType - *Default:* ProxyType.HTTP Proxy Type. --- *Example* ```typescript ProxyType.HTTPS ``` ### AddPermissionBoundaryProps Properties to pass to the AddPermissionBoundary. #### Initializer ```typescript import { AddPermissionBoundaryProps } from '@cdklabs/cdk-enterprise-iac' const addPermissionBoundaryProps: AddPermissionBoundaryProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | permissionsBoundaryPolicyName | string | Name of Permissions Boundary Policy to add to all IAM roles. | | instanceProfilePrefix | string | A prefix to prepend to the name of the IAM InstanceProfiles (Default: ''). | | policyPrefix | string | A prefix to prepend to the name of the IAM Policies and ManagedPolicies (Default: ''). | | rolePrefix | string | A prefix to prepend to the name of IAM Roles (Default: ''). | --- ##### `permissionsBoundaryPolicyName`^Required ```typescript public readonly permissionsBoundaryPolicyName: string; ``` - *Type:* string Name of Permissions Boundary Policy to add to all IAM roles. --- ##### `instanceProfilePrefix`^Optional ```typescript public readonly instanceProfilePrefix: string; ``` - *Type:* string A prefix to prepend to the name of the IAM InstanceProfiles (Default: ''). --- ##### `policyPrefix`^Optional ```typescript public readonly policyPrefix: string; ``` - *Type:* string A prefix to prepend to the name of the IAM Policies and ManagedPolicies (Default: ''). --- ##### `rolePrefix`^Optional ```typescript public readonly rolePrefix: string; ``` - *Type:* string A prefix to prepend to the name of IAM Roles (Default: ''). --- ### EcsIsoServiceAutoscalerProps #### Initializer ```typescript import { EcsIsoServiceAutoscalerProps } from '@cdklabs/cdk-enterprise-iac' const ecsIsoServiceAutoscalerProps: EcsIsoServiceAutoscalerProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | ecsCluster | aws-cdk-lib.aws_ecs.Cluster | The cluster the service you wish to scale resides in. | | ecsService | aws-cdk-lib.aws_ecs.IService | The ECS service you wish to scale. | | scaleAlarm | aws-cdk-lib.aws_cloudwatch.AlarmBase | The Cloudwatch Alarm that will cause scaling actions to be invoked, whether it's in or not in alarm will determine scale up and down actions. | | maximumTaskCount | number | The maximum number of tasks that the service will scale out to. | | minimumTaskCount | number | The minimum number of tasks the service will have. | | role | aws-cdk-lib.aws_iam.IRole | Optional IAM role to attach to the created lambda to adjust the desired count on the ECS Service. | | scaleInCooldown | aws-cdk-lib.Duration | How long will the application wait before performing another scale in action. | | scaleInIncrement | number | The number of tasks that will scale in on scale in alarm status. | | scaleOutCooldown | aws-cdk-lib.Duration | How long will a the application wait before performing another scale out action. | | scaleOutIncrement | number | The number of tasks that will scale out on scale out alarm status. | --- ##### `ecsCluster`^Required ```typescript public readonly ecsCluster: Cluster; ``` - *Type:* aws-cdk-lib.aws_ecs.Cluster The cluster the service you wish to scale resides in. --- ##### `ecsService`^Required ```typescript public readonly ecsService: IService; ``` - *Type:* aws-cdk-lib.aws_ecs.IService The ECS service you wish to scale. --- ##### `scaleAlarm`^Required ```typescript public readonly scaleAlarm: AlarmBase; ``` - *Type:* aws-cdk-lib.aws_cloudwatch.AlarmBase The Cloudwatch Alarm that will cause scaling actions to be invoked, whether it's in or not in alarm will determine scale up and down actions. Note: composite alarms can not be generated with CFN in all regions, while this allows you to pass in a composite alarm alarm creation is outside the scope of this construct --- ##### `maximumTaskCount`^Optional ```typescript public readonly maximumTaskCount: number; ``` - *Type:* number - *Default:* 10 The maximum number of tasks that the service will scale out to. Note: This does not provide any protection from scaling out above the maximum allowed in your account, set this variable and manage account quotas appropriately. --- ##### `minimumTaskCount`^Optional ```typescript public readonly minimumTaskCount: number; ``` - *Type:* number - *Default:* 1 The minimum number of tasks the service will have. --- ##### `role`^Optional ```typescript public readonly role: IRole; ``` - *Type:* aws-cdk-lib.aws_iam.IRole - *Default:* A role is created for you with least privilege IAM policy Optional IAM role to attach to the created lambda to adjust the desired count on the ECS Service. Ensure this role has appropriate privileges. Example IAM policy statements: ```json { "PolicyDocument": { "Statement": [ { "Action": "cloudwatch:DescribeAlarms", "Effect": "Allow", "Resource": "*" }, { "Action": [ "ecs:DescribeServices", "ecs:UpdateService" ], "Condition": { "StringEquals": { "ecs:cluster": "arn:${Partition}:ecs:${Region}:${Account}:cluster/${ClusterName}" } }, "Effect": "Allow", "Resource": "arn:${Partition}:ecs:${Region}:${Account}:service/${ClusterName}/${ServiceName}" } ], "Version": "2012-10-17" } } ``` --- ##### `scaleInCooldown`^Optional ```typescript public readonly scaleInCooldown: Duration; ``` - *Type:* aws-cdk-lib.Duration - *Default:* 60 seconds How long will the application wait before performing another scale in action. --- ##### `scaleInIncrement`^Optional ```typescript public readonly scaleInIncrement: number; ``` - *Type:* number - *Default:* 1 The number of tasks that will scale in on scale in alarm status. --- ##### `scaleOutCooldown`^Optional ```typescript public readonly scaleOutCooldown: Duration; ``` - *Type:* aws-cdk-lib.Duration - *Default:* 60 seconds How long will a the application wait before performing another scale out action. --- ##### `scaleOutIncrement`^Optional ```typescript public readonly scaleOutIncrement: number; ``` - *Type:* number - *Default:* 1 The number of tasks that will scale out on scale out alarm status. --- ### PopulateWithConfigProps #### Initializer ```typescript import { PopulateWithConfigProps } from '@cdklabs/cdk-enterprise-iac' const populateWithConfigProps: PopulateWithConfigProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | localRouteTableId | string | Local route table ID, with routes only to local VPC. | | privateRouteTableId | string | Route table ID for a provided route table with routes to enterprise network. | | subnetConfig | SubnetConfig[] | List of Subnet configs to provision to provision. | | vpcId | string | ID of the VPC provided that needs to be populated. | --- ##### `localRouteTableId`^Required ```typescript public readonly localRouteTableId: string; ``` - *Type:* string Local route table ID, with routes only to local VPC. --- ##### `privateRouteTableId`^Required ```typescript public readonly privateRouteTableId: string; ``` - *Type:* string Route table ID for a provided route table with routes to enterprise network. Both subnetType.PUBLIC and subnetType.PRIVATE_WITH_EGRESS will use this property --- ##### `subnetConfig`^Required ```typescript public readonly subnetConfig: SubnetConfig[]; ``` - *Type:* SubnetConfig[] List of Subnet configs to provision to provision. --- ##### `vpcId`^Required ```typescript public readonly vpcId: string; ``` - *Type:* string ID of the VPC provided that needs to be populated. --- ### RemoveTagsProps #### Initializer ```typescript import { RemoveTagsProps } from '@cdklabs/cdk-enterprise-iac' const removeTagsProps: RemoveTagsProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | cloudformationResource | string | Name of Cloudformation resource Type (e.g. 'AWS::Lambda::Function'). | | tagPropertyName | string | Name of the tag property to remove from the resource. | --- ##### `cloudformationResource`^Required ```typescript public readonly cloudformationResource: string; ``` - *Type:* string Name of Cloudformation resource Type (e.g. 'AWS::Lambda::Function'). --- ##### `tagPropertyName`^Optional ```typescript public readonly tagPropertyName: string; ``` - *Type:* string - *Default:* Tags Name of the tag property to remove from the resource. --- ### ResourceExtractorProps #### Initializer ```typescript import { ResourceExtractorProps } from '@cdklabs/cdk-enterprise-iac' const resourceExtractorProps: ResourceExtractorProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | extractDestinationStack | aws-cdk-lib.Stack | Stack to move found extracted resources into. | | resourceTypesToExtract | string[] | List of resource types to extract, ex: `AWS::IAM::Role`. | | stackArtifacts | aws-cdk-lib.cx_api.CloudFormationStackArtifact[] | Synthed stack artifacts from your CDK app. | | additionalTransforms | {[ key: string ]: string} | Additional resource transformations. | | valueShareMethod | ResourceExtractorShareMethod | The sharing method to use when passing exported resources from the "Extracted Stack" into the original stack(s). | --- ##### `extractDestinationStack`^Required ```typescript public readonly extractDestinationStack: Stack; ``` - *Type:* aws-cdk-lib.Stack Stack to move found extracted resources into. --- ##### `resourceTypesToExtract`^Required ```typescript public readonly resourceTypesToExtract: string[]; ``` - *Type:* string[] List of resource types to extract, ex: `AWS::IAM::Role`. --- ##### `stackArtifacts`^Required ```typescript public readonly stackArtifacts: CloudFormationStackArtifact[]; ``` - *Type:* aws-cdk-lib.cx_api.CloudFormationStackArtifact[] Synthed stack artifacts from your CDK app. --- ##### `additionalTransforms`^Optional ```typescript public readonly additionalTransforms: {[ key: string ]: string}; ``` - *Type:* {[ key: string ]: string} Additional resource transformations. --- ##### `valueShareMethod`^Optional ```typescript public readonly valueShareMethod: ResourceExtractorShareMethod; ``` - *Type:* ResourceExtractorShareMethod The sharing method to use when passing exported resources from the "Extracted Stack" into the original stack(s). --- ### SetApiGatewayEndpointConfigurationProps #### Initializer ```typescript import { SetApiGatewayEndpointConfigurationProps } from '@cdklabs/cdk-enterprise-iac' const setApiGatewayEndpointConfigurationProps: SetApiGatewayEndpointConfigurationProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | endpointType | aws-cdk-lib.aws_apigateway.EndpointType | API Gateway endpoint type to override to. | --- ##### `endpointType`^Optional ```typescript public readonly endpointType: EndpointType; ``` - *Type:* aws-cdk-lib.aws_apigateway.EndpointType - *Default:* EndpointType.REGIONAL API Gateway endpoint type to override to. Defaults to EndpointType.REGIONAL --- ### SplitVpcEvenlyProps #### Initializer ```typescript import { SplitVpcEvenlyProps } from '@cdklabs/cdk-enterprise-iac' const splitVpcEvenlyProps: SplitVpcEvenlyProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | routeTableId | string | Route Table ID that will be attached to each subnet created. | | vpcCidr | string | CIDR range of the VPC you're populating. | | vpcId | string | ID of the existing VPC you're trying to populate. | | cidrBits | string | `cidrBits` argument for the [`Fn::Cidr`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-cidr.html) Cloudformation intrinsic function. | | numberOfAzs | number | Number of AZs to evenly split into. | | subnetType | aws-cdk-lib.aws_ec2.SubnetType | *No description.* | --- ##### `routeTableId`^Required ```typescript public readonly routeTableId: string; ``` - *Type:* string Route Table ID that will be attached to each subnet created. --- ##### `vpcCidr`^Required ```typescript public readonly vpcCidr: string; ``` - *Type:* string CIDR range of the VPC you're populating. --- ##### `vpcId`^Required ```typescript public readonly vpcId: string; ``` - *Type:* string ID of the existing VPC you're trying to populate. --- ##### `cidrBits`^Optional ```typescript public readonly cidrBits: string; ``` - *Type:* string - *Default:* '6' `cidrBits` argument for the [`Fn::Cidr`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-cidr.html) Cloudformation intrinsic function. --- ##### `numberOfAzs`^Optional ```typescript public readonly numberOfAzs: number; ``` - *Type:* number - *Default:* 3 Number of AZs to evenly split into. --- ##### `subnetType`^Optional ```typescript public readonly subnetType: SubnetType; ``` - *Type:* aws-cdk-lib.aws_ec2.SubnetType - *Default:* subnetType.PRIVATE --- ### SubnetConfig #### Initializer ```typescript import { SubnetConfig } from '@cdklabs/cdk-enterprise-iac' const subnetConfig: SubnetConfig = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | availabilityZone | string | Which availability zone the subnet should be in. | | cidrRange | string | Cidr range of the subnet to create. | | groupName | string | Logical group name of a subnet. | | subnetType | aws-cdk-lib.aws_ec2.SubnetType | What [SubnetType](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SubnetType.html) to use. | --- ##### `availabilityZone`^Required ```typescript public readonly availabilityZone: string; ``` - *Type:* string Which availability zone the subnet should be in. --- ##### `cidrRange`^Required ```typescript public readonly cidrRange: string; ``` - *Type:* string Cidr range of the subnet to create. --- ##### `groupName`^Required ```typescript public readonly groupName: string; ``` - *Type:* string Logical group name of a subnet. --- *Example* ```typescript db ``` ##### `subnetType`^Required ```typescript public readonly subnetType: SubnetType; ``` - *Type:* aws-cdk-lib.aws_ec2.SubnetType What [SubnetType](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SubnetType.html) to use. This will govern the `aws-cdk:subnet-type` tag on the subnet SubnetType | `aws-cdk:subnet-type` tag value --- | --- `PRIVATE_ISOLATED` | 'Isolated' `PRIVATE_WITH_EGRESS` | 'Private' `PUBLIC` | 'Public' --- ## Classes ### AddCfnInitProxy - *Implements:* aws-cdk-lib.IAspect Add proxy configuration to Cloudformation helper functions. #### Initializers ```typescript import { AddCfnInitProxy } from '@cdklabs/cdk-enterprise-iac' new AddCfnInitProxy(props: AddCfnInitProxyProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | props | AddCfnInitProxyProps | *No description.* | --- ##### `props`^Required - *Type:* AddCfnInitProxyProps --- #### Methods | **Name** | **Description** | | --- | --- | | visit | All aspects can visit an IConstruct. | --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` All aspects can visit an IConstruct. ###### `node`^Required - *Type:* constructs.IConstruct --- ### AddLambdaEnvironmentVariables - *Implements:* aws-cdk-lib.IAspect Add one or more environment variables to _all_ lambda functions within a scope. #### Initializers ```typescript import { AddLambdaEnvironmentVariables } from '@cdklabs/cdk-enterprise-iac' new AddLambdaEnvironmentVariables(props: {[ key: string ]: string}) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | props | {[ key: string ]: string} | : string} props - Key Value pair(s) for environment variables to add to all lambda functions. | --- ##### `props`^Required - *Type:* {[ key: string ]: string} : string} props - Key Value pair(s) for environment variables to add to all lambda functions. --- #### Methods | **Name** | **Description** | | --- | --- | | visit | All aspects can visit an IConstruct. | --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` All aspects can visit an IConstruct. ###### `node`^Required - *Type:* constructs.IConstruct --- ### AddPermissionBoundary - *Implements:* aws-cdk-lib.IAspect A patch for Adding Permissions Boundaries to all IAM roles. Additional options for adding prefixes to IAM role, policy and instance profile names Can account for non commercial partitions (e.g. aws-gov, aws-cn) #### Initializers ```typescript import { AddPermissionBoundary } from '@cdklabs/cdk-enterprise-iac' new AddPermissionBoundary(props: AddPermissionBoundaryProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | props | AddPermissionBoundaryProps | *No description.* | --- ##### `props`^Required - *Type:* AddPermissionBoundaryProps --- #### Methods | **Name** | **Description** | | --- | --- | | checkAndOverride | *No description.* | | visit | All aspects can visit an IConstruct. | --- ##### `checkAndOverride` ```typescript public checkAndOverride(node: CfnResource, prefix: string, length: number, cfnProp: string, cdkProp?: string): void ``` ###### `node`^Required - *Type:* aws-cdk-lib.CfnResource --- ###### `prefix`^Required - *Type:* string --- ###### `length`^Required - *Type:* number --- ###### `cfnProp`^Required - *Type:* string --- ###### `cdkProp`^Optional - *Type:* string --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` All aspects can visit an IConstruct. ###### `node`^Required - *Type:* constructs.IConstruct --- ### ConvertInlinePoliciesToManaged - *Implements:* aws-cdk-lib.IAspect Patch for turning all Policies into ConvertInlinePoliciesToManaged. Some users have policies in place that make it impossible to create inline policies. Instead, they must use managed policies. Note that order matters with this aspect. Specifically, it should generally be added first. This is because other aspects may add overrides that would be lost if applied before this aspect since the original aspect is removed and replaced. *Example* ```typescript // Replace all AWS::IAM::Policy resources with equivalent AWS::IAM::ManagedPolicy Aspects.of(stack).add(new ConvertInlinePoliciesToManaged()) ``` #### Initializers ```typescript import { ConvertInlinePoliciesToManaged } from '@cdklabs/cdk-enterprise-iac' new ConvertInlinePoliciesToManaged() ``` | **Name** | **Type** | **Description** | | --- | --- | --- | --- #### Methods | **Name** | **Description** | | --- | --- | | visit | All aspects can visit an IConstruct. | --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` All aspects can visit an IConstruct. ###### `node`^Required - *Type:* constructs.IConstruct --- ### RemovePublicAccessBlockConfiguration - *Implements:* aws-cdk-lib.IAspect Looks for S3 Buckets, and removes the `PublicAccessBlockConfiguration` property. For use in regions where Cloudformation doesn't support this property #### Initializers ```typescript import { RemovePublicAccessBlockConfiguration } from '@cdklabs/cdk-enterprise-iac' new RemovePublicAccessBlockConfiguration() ``` | **Name** | **Type** | **Description** | | --- | --- | --- | --- #### Methods | **Name** | **Description** | | --- | --- | | visit | All aspects can visit an IConstruct. | --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` All aspects can visit an IConstruct. ###### `node`^Required - *Type:* constructs.IConstruct --- ### RemoveTags - *Implements:* aws-cdk-lib.IAspect Patch for removing tags from a specific Cloudformation Resource. In some regions, the 'Tags' property isn't supported in Cloudformation. This patch makes it easy to remove *Example* ```typescript // Remove tags on a resource Aspects.of(stack).add(new RemoveTags({ cloudformationResource: 'AWS::ECS::Cluster', })); // Remove tags without the standard 'Tags' name Aspects.of(stack).add(new RemoveTags({ cloudformationResource: 'AWS::Backup::BackupPlan', tagPropertyName: 'BackupPlanTags', })); ``` #### Initializers ```typescript import { RemoveTags } from '@cdklabs/cdk-enterprise-iac' new RemoveTags(props: RemoveTagsProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | props | RemoveTagsProps | *No description.* | --- ##### `props`^Required - *Type:* RemoveTagsProps --- #### Methods | **Name** | **Description** | | --- | --- | | visit | All aspects can visit an IConstruct. | --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` All aspects can visit an IConstruct. ###### `node`^Required - *Type:* constructs.IConstruct --- ### ResourceExtractor - *Implements:* aws-cdk-lib.IAspect This Aspect takes a CDK application, all synthesized CloudFormationStackArtifact, a value share method, and a list of Cloudformation resources that should be pulled out of the main CDK application, which should be synthesized to a cloudformation template that an external team (e.g. security team) to deploy, and adjusting the CDK application to reference pre-created resources already pulled out. *Example* ```typescript const app = App() const stack = new Stack(app, 'MyStack'); extractedStack = new Stack(app, 'ExtractedStack'); const synthedApp = app.synth(); Aspects.of(app).add(new ResourceExtractor({ extractDestinationStack: extractedStack, stackArtifacts: synthedApp.stacks, valueShareMethod: ResourceExtractorShareMethod.CFN_OUTPUT, resourceTypesToExtract: [ 'AWS::IAM::Role', 'AWS::IAM::Policy', 'AWS::IAM::ManagedPolicy', 'AWS::IAM::InstanceProfile', ], }); app.synth({ force: true }); ``` #### Initializers ```typescript import { ResourceExtractor } from '@cdklabs/cdk-enterprise-iac' new ResourceExtractor(props: ResourceExtractorProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | props | ResourceExtractorProps | *No description.* | --- ##### `props`^Required - *Type:* ResourceExtractorProps --- #### Methods | **Name** | **Description** | | --- | --- | | visit | Entrypoint. | --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` Entrypoint. ###### `node`^Required - *Type:* constructs.IConstruct --- ### SetApiGatewayEndpointConfiguration - *Implements:* aws-cdk-lib.IAspect Override RestApis to use a set endpoint configuration. Some regions don't support EDGE endpoints, and some enterprises require specific endpoint types for RestApis #### Initializers ```typescript import { SetApiGatewayEndpointConfiguration } from '@cdklabs/cdk-enterprise-iac' new SetApiGatewayEndpointConfiguration(props?: SetApiGatewayEndpointConfigurationProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | props | SetApiGatewayEndpointConfigurationProps | *No description.* | --- ##### `props`^Optional - *Type:* SetApiGatewayEndpointConfigurationProps --- #### Methods | **Name** | **Description** | | --- | --- | | visit | All aspects can visit an IConstruct. | --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` All aspects can visit an IConstruct. ###### `node`^Required - *Type:* constructs.IConstruct --- ## Enums ### ProxyType Whether an http-proxy or https-proxy. #### Members | **Name** | **Description** | | --- | --- | | HTTP | --http-proxy. | | HTTPS | --https-proxy. | --- ##### `HTTP` -http-proxy. --- ##### `HTTPS` -https-proxy. --- ### ResourceExtractorShareMethod The available value sharing methods to pass values from the extracted stack onto the original stack(s). #### Members | **Name** | **Description** | | --- | --- | | CFN_OUTPUT | *No description.* | | SSM_PARAMETER | *No description.* | | API_LOOKUP | *No description.* | --- ##### `CFN_OUTPUT` --- ##### `SSM_PARAMETER` --- ##### `API_LOOKUP` --- ### ResourceTransform #### Members | **Name** | **Description** | | --- | --- | | STACK_NAME | *No description.* | | LOGICAL_ID | *No description.* | --- ##### `STACK_NAME` --- ##### `LOGICAL_ID` ---

# API Reference ## Constructs ### EcsIsoServiceAutoscaler Creates a EcsIsoServiceAutoscaler construct. This construct allows you to scale an ECS service in an ISO region where classic ECS Autoscaling may not be available. #### Initializers ```typescript import { EcsIsoServiceAutoscaler } from '@cdklabs/cdk-enterprise-iac' new EcsIsoServiceAutoscaler(scope: Construct, id: string, props: EcsIsoServiceAutoscalerProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | scope | constructs.Construct | *No description.* | | id | string | *No description.* | | props | EcsIsoServiceAutoscalerProps | *No description.* | --- ##### `scope`^Required - *Type:* constructs.Construct --- ##### `id`^Required - *Type:* string --- ##### `props`^Required - *Type:* EcsIsoServiceAutoscalerProps --- #### Methods | **Name** | **Description** | | --- | --- | | toString | Returns a string representation of this construct. | --- ##### `toString` ```typescript public toString(): string ``` Returns a string representation of this construct. #### Static Functions | **Name** | **Description** | | --- | --- | | isConstruct | Checks if `x` is a construct. | --- ##### ~~`isConstruct`~~ ```typescript import { EcsIsoServiceAutoscaler } from '@cdklabs/cdk-enterprise-iac' EcsIsoServiceAutoscaler.isConstruct(x: any) ``` Checks if `x` is a construct. ###### `x`^Required - *Type:* any Any object. --- #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | node | constructs.Node | The tree node. | | ecsScalingManagerFunction | aws-cdk-lib.aws_lambda.Function | *No description.* | --- ##### `node`^Required ```typescript public readonly node: Node; ``` - *Type:* constructs.Node The tree node. --- ##### `ecsScalingManagerFunction`^Required ```typescript public readonly ecsScalingManagerFunction: Function; ``` - *Type:* aws-cdk-lib.aws_lambda.Function --- ### PopulateWithConfig Populate a provided VPC with subnets based on a provided configuration. *Example* ```typescript const mySubnetConfig: SubnetConfig[] = [ { groupName: 'app', cidrRange: '172.31.0.0/27', availabilityZone: 'a', subnetType: subnetType.PUBLIC, }, { groupName: 'app', cidrRange: '172.31.0.32/27', availabilityZone: 'b', subnetType: subnetType.PUBLIC, }, { groupName: 'db', cidrRange: '172.31.0.64/27', availabilityZone: 'a', subnetType: subnetType.PRIVATE_WITH_EGRESS, }, { groupName: 'db', cidrRange: '172.31.0.96/27', availabilityZone: 'b', subnetType: subnetType.PRIVATE_WITH_EGRESS, }, { groupName: 'iso', cidrRange: '172.31.0.128/26', availabilityZone: 'a', subnetType: subnetType.PRIVATE_ISOLATED, }, { groupName: 'iso', cidrRange: '172.31.0.196/26', availabilityZone: 'b', subnetType: subnetType.PRIVATE_ISOLATED, }, ]; new PopulateWithConfig(this, "vpcPopulater", { vpcId: 'vpc-abcdefg1234567', privateRouteTableId: 'rt-abcdefg123456', localRouteTableId: 'rt-123456abcdefg', subnetConfig: mySubnetConfig, }) ``` #### Initializers ```typescript import { PopulateWithConfig } from '@cdklabs/cdk-enterprise-iac' new PopulateWithConfig(scope: Construct, id: string, props: PopulateWithConfigProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | scope | constructs.Construct | *No description.* | | id | string | *No description.* | | props | PopulateWithConfigProps | *No description.* | --- ##### `scope`^Required - *Type:* constructs.Construct --- ##### `id`^Required - *Type:* string --- ##### `props`^Required - *Type:* PopulateWithConfigProps --- #### Methods | **Name** | **Description** | | --- | --- | | toString | Returns a string representation of this construct. | --- ##### `toString` ```typescript public toString(): string ``` Returns a string representation of this construct. #### Static Functions | **Name** | **Description** | | --- | --- | | isConstruct | Checks if `x` is a construct. | --- ##### ~~`isConstruct`~~ ```typescript import { PopulateWithConfig } from '@cdklabs/cdk-enterprise-iac' PopulateWithConfig.isConstruct(x: any) ``` Checks if `x` is a construct. ###### `x`^Required - *Type:* any Any object. --- #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | node | constructs.Node | The tree node. | --- ##### `node`^Required ```typescript public readonly node: Node; ``` - *Type:* constructs.Node The tree node. --- ### SplitVpcEvenly Splits a VPC evenly between a provided number of AZs (3 if not defined), and attaches a provided route table to each, and labels. *Example* ```typescript // with more specific properties new SplitVpcEvenly(this, 'evenSplitVpc', { vpcId: 'vpc-abcdefg123456', vpcCidr: '172.16.0.0/16', routeTableId: 'rt-abcdefgh123456', cidrBits: '10', numberOfAzs: 4, subnetType: subnetType.PRIVATE_ISOLATED, }); ``` #### Initializers ```typescript import { SplitVpcEvenly } from '@cdklabs/cdk-enterprise-iac' new SplitVpcEvenly(scope: Construct, id: string, props: SplitVpcEvenlyProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | scope | constructs.Construct | *No description.* | | id | string | *No description.* | | props | SplitVpcEvenlyProps | *No description.* | --- ##### `scope`^Required - *Type:* constructs.Construct --- ##### `id`^Required - *Type:* string --- ##### `props`^Required - *Type:* SplitVpcEvenlyProps --- #### Methods | **Name** | **Description** | | --- | --- | | toString | Returns a string representation of this construct. | --- ##### `toString` ```typescript public toString(): string ``` Returns a string representation of this construct. #### Static Functions | **Name** | **Description** | | --- | --- | | isConstruct | Checks if `x` is a construct. | --- ##### ~~`isConstruct`~~ ```typescript import { SplitVpcEvenly } from '@cdklabs/cdk-enterprise-iac' SplitVpcEvenly.isConstruct(x: any) ``` Checks if `x` is a construct. ###### `x`^Required - *Type:* any Any object. --- #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | node | constructs.Node | The tree node. | --- ##### `node`^Required ```typescript public readonly node: Node; ``` - *Type:* constructs.Node The tree node. --- ## Structs ### AddCfnInitProxyProps Properties for the proxy server to use with cfn helper commands. #### Initializer ```typescript import { AddCfnInitProxyProps } from '@cdklabs/cdk-enterprise-iac' const addCfnInitProxyProps: AddCfnInitProxyProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | proxyHost | string | host of your proxy. | | proxyPort | number | proxy port. | | proxyCredentials | aws-cdk-lib.aws_secretsmanager.ISecret | JSON secret containing `user` and `password` properties to use if your proxy requires credentials `http://user:password@host:port` could contain sensitive data, so using a Secret. | | proxyType | ProxyType | Proxy Type. | --- ##### `proxyHost`^Required ```typescript public readonly proxyHost: string; ``` - *Type:* string host of your proxy. --- *Example* ```typescript example.com ``` ##### `proxyPort`^Required ```typescript public readonly proxyPort: number; ``` - *Type:* number proxy port. --- *Example* ```typescript 8080 ``` ##### `proxyCredentials`^Optional ```typescript public readonly proxyCredentials: ISecret; ``` - *Type:* aws-cdk-lib.aws_secretsmanager.ISecret JSON secret containing `user` and `password` properties to use if your proxy requires credentials `http://user:password@host:port` could contain sensitive data, so using a Secret. Note that while the `user` and `password` won't be visible in the cloudformation template they **will** be in plain text inside your `UserData` --- *Example* ```typescript const secret = new Secret(stack, 'TestSecret', { secretObjectValue: { user: SecretValue, password: SecretValue, }, }); ``` ##### `proxyType`^Optional ```typescript public readonly proxyType: ProxyType; ``` - *Type:* ProxyType - *Default:* ProxyType.HTTP Proxy Type. --- *Example* ```typescript ProxyType.HTTPS ``` ### AddPermissionBoundaryProps Properties to pass to the AddPermissionBoundary. #### Initializer ```typescript import { AddPermissionBoundaryProps } from '@cdklabs/cdk-enterprise-iac' const addPermissionBoundaryProps: AddPermissionBoundaryProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | permissionsBoundaryPolicyName | string | Name of Permissions Boundary Policy to add to all IAM roles. | | instanceProfilePrefix | string | A prefix to prepend to the name of the IAM InstanceProfiles (Default: ''). | | policyPrefix | string | A prefix to prepend to the name of the IAM Policies and ManagedPolicies (Default: ''). | | rolePrefix | string | A prefix to prepend to the name of IAM Roles (Default: ''). | --- ##### `permissionsBoundaryPolicyName`^Required ```typescript public readonly permissionsBoundaryPolicyName: string; ``` - *Type:* string Name of Permissions Boundary Policy to add to all IAM roles. --- ##### `instanceProfilePrefix`^Optional ```typescript public readonly instanceProfilePrefix: string; ``` - *Type:* string A prefix to prepend to the name of the IAM InstanceProfiles (Default: ''). --- ##### `policyPrefix`^Optional ```typescript public readonly policyPrefix: string; ``` - *Type:* string A prefix to prepend to the name of the IAM Policies and ManagedPolicies (Default: ''). --- ##### `rolePrefix`^Optional ```typescript public readonly rolePrefix: string; ``` - *Type:* string A prefix to prepend to the name of IAM Roles (Default: ''). --- ### EcsIsoServiceAutoscalerProps #### Initializer ```typescript import { EcsIsoServiceAutoscalerProps } from '@cdklabs/cdk-enterprise-iac' const ecsIsoServiceAutoscalerProps: EcsIsoServiceAutoscalerProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | ecsCluster | aws-cdk-lib.aws_ecs.Cluster | The cluster the service you wish to scale resides in. | | ecsService | aws-cdk-lib.aws_ecs.IService | The ECS service you wish to scale. | | scaleAlarm | aws-cdk-lib.aws_cloudwatch.AlarmBase | The Cloudwatch Alarm that will cause scaling actions to be invoked, whether it's in or not in alarm will determine scale up and down actions. | | maximumTaskCount | number | The maximum number of tasks that the service will scale out to. | | minimumTaskCount | number | The minimum number of tasks the service will have. | | role | aws-cdk-lib.aws_iam.IRole | Optional IAM role to attach to the created lambda to adjust the desired count on the ECS Service. | | scaleInCooldown | aws-cdk-lib.Duration | How long will the application wait before performing another scale in action. | | scaleInIncrement | number | The number of tasks that will scale in on scale in alarm status. | | scaleOutCooldown | aws-cdk-lib.Duration | How long will a the application wait before performing another scale out action. | | scaleOutIncrement | number | The number of tasks that will scale out on scale out alarm status. | --- ##### `ecsCluster`^Required ```typescript public readonly ecsCluster: Cluster; ``` - *Type:* aws-cdk-lib.aws_ecs.Cluster The cluster the service you wish to scale resides in. --- ##### `ecsService`^Required ```typescript public readonly ecsService: IService; ``` - *Type:* aws-cdk-lib.aws_ecs.IService The ECS service you wish to scale. --- ##### `scaleAlarm`^Required ```typescript public readonly scaleAlarm: AlarmBase; ``` - *Type:* aws-cdk-lib.aws_cloudwatch.AlarmBase The Cloudwatch Alarm that will cause scaling actions to be invoked, whether it's in or not in alarm will determine scale up and down actions. Note: composite alarms can not be generated with CFN in all regions, while this allows you to pass in a composite alarm alarm creation is outside the scope of this construct --- ##### `maximumTaskCount`^Optional ```typescript public readonly maximumTaskCount: number; ``` - *Type:* number - *Default:* 10 The maximum number of tasks that the service will scale out to. Note: This does not provide any protection from scaling out above the maximum allowed in your account, set this variable and manage account quotas appropriately. --- ##### `minimumTaskCount`^Optional ```typescript public readonly minimumTaskCount: number; ``` - *Type:* number - *Default:* 1 The minimum number of tasks the service will have. --- ##### `role`^Optional ```typescript public readonly role: IRole; ``` - *Type:* aws-cdk-lib.aws_iam.IRole - *Default:* A role is created for you with least privilege IAM policy Optional IAM role to attach to the created lambda to adjust the desired count on the ECS Service. Ensure this role has appropriate privileges. Example IAM policy statements: ```json { "PolicyDocument": { "Statement": [ { "Action": "cloudwatch:DescribeAlarms", "Effect": "Allow", "Resource": "*" }, { "Action": [ "ecs:DescribeServices", "ecs:UpdateService" ], "Condition": { "StringEquals": { "ecs:cluster": "arn:${Partition}:ecs:${Region}:${Account}:cluster/${ClusterName}" } }, "Effect": "Allow", "Resource": "arn:${Partition}:ecs:${Region}:${Account}:service/${ClusterName}/${ServiceName}" } ], "Version": "2012-10-17" } } ``` --- ##### `scaleInCooldown`^Optional ```typescript public readonly scaleInCooldown: Duration; ``` - *Type:* aws-cdk-lib.Duration - *Default:* 60 seconds How long will the application wait before performing another scale in action. --- ##### `scaleInIncrement`^Optional ```typescript public readonly scaleInIncrement: number; ``` - *Type:* number - *Default:* 1 The number of tasks that will scale in on scale in alarm status. --- ##### `scaleOutCooldown`^Optional ```typescript public readonly scaleOutCooldown: Duration; ``` - *Type:* aws-cdk-lib.Duration - *Default:* 60 seconds How long will a the application wait before performing another scale out action. --- ##### `scaleOutIncrement`^Optional ```typescript public readonly scaleOutIncrement: number; ``` - *Type:* number - *Default:* 1 The number of tasks that will scale out on scale out alarm status. --- ### PopulateWithConfigProps #### Initializer ```typescript import { PopulateWithConfigProps } from '@cdklabs/cdk-enterprise-iac' const populateWithConfigProps: PopulateWithConfigProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | localRouteTableId | string | Local route table ID, with routes only to local VPC. | | privateRouteTableId | string | Route table ID for a provided route table with routes to enterprise network. | | subnetConfig | SubnetConfig[] | List of Subnet configs to provision to provision. | | vpcId | string | ID of the VPC provided that needs to be populated. | --- ##### `localRouteTableId`^Required ```typescript public readonly localRouteTableId: string; ``` - *Type:* string Local route table ID, with routes only to local VPC. --- ##### `privateRouteTableId`^Required ```typescript public readonly privateRouteTableId: string; ``` - *Type:* string Route table ID for a provided route table with routes to enterprise network. Both subnetType.PUBLIC and subnetType.PRIVATE_WITH_EGRESS will use this property --- ##### `subnetConfig`^Required ```typescript public readonly subnetConfig: SubnetConfig[]; ``` - *Type:* SubnetConfig[] List of Subnet configs to provision to provision. --- ##### `vpcId`^Required ```typescript public readonly vpcId: string; ``` - *Type:* string ID of the VPC provided that needs to be populated. --- ### RemoveTagsProps #### Initializer ```typescript import { RemoveTagsProps } from '@cdklabs/cdk-enterprise-iac' const removeTagsProps: RemoveTagsProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | cloudformationResource | string | Name of Cloudformation resource Type (e.g. 'AWS::Lambda::Function'). | | tagPropertyName | string | Name of the tag property to remove from the resource. | --- ##### `cloudformationResource`^Required ```typescript public readonly cloudformationResource: string; ``` - *Type:* string Name of Cloudformation resource Type (e.g. 'AWS::Lambda::Function'). --- ##### `tagPropertyName`^Optional ```typescript public readonly tagPropertyName: string; ``` - *Type:* string - *Default:* Tags Name of the tag property to remove from the resource. --- ### ResourceExtractorProps #### Initializer ```typescript import { ResourceExtractorProps } from '@cdklabs/cdk-enterprise-iac' const resourceExtractorProps: ResourceExtractorProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | extractDestinationStack | aws-cdk-lib.Stack | Stack to move found extracted resources into. | | resourceTypesToExtract | string[] | List of resource types to extract, ex: `AWS::IAM::Role`. | | stackArtifacts | aws-cdk-lib.cx_api.CloudFormationStackArtifact[] | Synthed stack artifacts from your CDK app. | | additionalTransforms | {[ key: string ]: string} | Additional resource transformations. | | valueShareMethod | ResourceExtractorShareMethod | The sharing method to use when passing exported resources from the "Extracted Stack" into the original stack(s). | --- ##### `extractDestinationStack`^Required ```typescript public readonly extractDestinationStack: Stack; ``` - *Type:* aws-cdk-lib.Stack Stack to move found extracted resources into. --- ##### `resourceTypesToExtract`^Required ```typescript public readonly resourceTypesToExtract: string[]; ``` - *Type:* string[] List of resource types to extract, ex: `AWS::IAM::Role`. --- ##### `stackArtifacts`^Required ```typescript public readonly stackArtifacts: CloudFormationStackArtifact[]; ``` - *Type:* aws-cdk-lib.cx_api.CloudFormationStackArtifact[] Synthed stack artifacts from your CDK app. --- ##### `additionalTransforms`^Optional ```typescript public readonly additionalTransforms: {[ key: string ]: string}; ``` - *Type:* {[ key: string ]: string} Additional resource transformations. --- ##### `valueShareMethod`^Optional ```typescript public readonly valueShareMethod: ResourceExtractorShareMethod; ``` - *Type:* ResourceExtractorShareMethod The sharing method to use when passing exported resources from the "Extracted Stack" into the original stack(s). --- ### SetApiGatewayEndpointConfigurationProps #### Initializer ```typescript import { SetApiGatewayEndpointConfigurationProps } from '@cdklabs/cdk-enterprise-iac' const setApiGatewayEndpointConfigurationProps: SetApiGatewayEndpointConfigurationProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | endpointType | aws-cdk-lib.aws_apigateway.EndpointType | API Gateway endpoint type to override to. | --- ##### `endpointType`^Optional ```typescript public readonly endpointType: EndpointType; ``` - *Type:* aws-cdk-lib.aws_apigateway.EndpointType - *Default:* EndpointType.REGIONAL API Gateway endpoint type to override to. Defaults to EndpointType.REGIONAL --- ### SplitVpcEvenlyProps #### Initializer ```typescript import { SplitVpcEvenlyProps } from '@cdklabs/cdk-enterprise-iac' const splitVpcEvenlyProps: SplitVpcEvenlyProps = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | routeTableId | string | Route Table ID that will be attached to each subnet created. | | vpcCidr | string | CIDR range of the VPC you're populating. | | vpcId | string | ID of the existing VPC you're trying to populate. | | cidrBits | string | `cidrBits` argument for the [`Fn::Cidr`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-cidr.html) Cloudformation intrinsic function. | | numberOfAzs | number | Number of AZs to evenly split into. | | subnetType | aws-cdk-lib.aws_ec2.SubnetType | *No description.* | --- ##### `routeTableId`^Required ```typescript public readonly routeTableId: string; ``` - *Type:* string Route Table ID that will be attached to each subnet created. --- ##### `vpcCidr`^Required ```typescript public readonly vpcCidr: string; ``` - *Type:* string CIDR range of the VPC you're populating. --- ##### `vpcId`^Required ```typescript public readonly vpcId: string; ``` - *Type:* string ID of the existing VPC you're trying to populate. --- ##### `cidrBits`^Optional ```typescript public readonly cidrBits: string; ``` - *Type:* string - *Default:* '6' `cidrBits` argument for the [`Fn::Cidr`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-cidr.html) Cloudformation intrinsic function. --- ##### `numberOfAzs`^Optional ```typescript public readonly numberOfAzs: number; ``` - *Type:* number - *Default:* 3 Number of AZs to evenly split into. --- ##### `subnetType`^Optional ```typescript public readonly subnetType: SubnetType; ``` - *Type:* aws-cdk-lib.aws_ec2.SubnetType - *Default:* subnetType.PRIVATE --- ### SubnetConfig #### Initializer ```typescript import { SubnetConfig } from '@cdklabs/cdk-enterprise-iac' const subnetConfig: SubnetConfig = { ... } ``` #### Properties | **Name** | **Type** | **Description** | | --- | --- | --- | | availabilityZone | string | Which availability zone the subnet should be in. | | cidrRange | string | Cidr range of the subnet to create. | | groupName | string | Logical group name of a subnet. | | subnetType | aws-cdk-lib.aws_ec2.SubnetType | What [SubnetType](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SubnetType.html) to use. | --- ##### `availabilityZone`^Required ```typescript public readonly availabilityZone: string; ``` - *Type:* string Which availability zone the subnet should be in. --- ##### `cidrRange`^Required ```typescript public readonly cidrRange: string; ``` - *Type:* string Cidr range of the subnet to create. --- ##### `groupName`^Required ```typescript public readonly groupName: string; ``` - *Type:* string Logical group name of a subnet. --- *Example* ```typescript db ``` ##### `subnetType`^Required ```typescript public readonly subnetType: SubnetType; ``` - *Type:* aws-cdk-lib.aws_ec2.SubnetType What [SubnetType](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SubnetType.html) to use. This will govern the `aws-cdk:subnet-type` tag on the subnet SubnetType | `aws-cdk:subnet-type` tag value --- | --- `PRIVATE_ISOLATED` | 'Isolated' `PRIVATE_WITH_EGRESS` | 'Private' `PUBLIC` | 'Public' --- ## Classes ### AddCfnInitProxy - *Implements:* aws-cdk-lib.IAspect Add proxy configuration to Cloudformation helper functions. #### Initializers ```typescript import { AddCfnInitProxy } from '@cdklabs/cdk-enterprise-iac' new AddCfnInitProxy(props: AddCfnInitProxyProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | props | AddCfnInitProxyProps | *No description.* | --- ##### `props`^Required - *Type:* AddCfnInitProxyProps --- #### Methods | **Name** | **Description** | | --- | --- | | visit | All aspects can visit an IConstruct. | --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` All aspects can visit an IConstruct. ###### `node`^Required - *Type:* constructs.IConstruct --- ### AddLambdaEnvironmentVariables - *Implements:* aws-cdk-lib.IAspect Add one or more environment variables to _all_ lambda functions within a scope. #### Initializers ```typescript import { AddLambdaEnvironmentVariables } from '@cdklabs/cdk-enterprise-iac' new AddLambdaEnvironmentVariables(props: {[ key: string ]: string}) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | props | {[ key: string ]: string} | : string} props - Key Value pair(s) for environment variables to add to all lambda functions. | --- ##### `props`^Required - *Type:* {[ key: string ]: string} : string} props - Key Value pair(s) for environment variables to add to all lambda functions. --- #### Methods | **Name** | **Description** | | --- | --- | | visit | All aspects can visit an IConstruct. | --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` All aspects can visit an IConstruct. ###### `node`^Required - *Type:* constructs.IConstruct --- ### AddPermissionBoundary - *Implements:* aws-cdk-lib.IAspect A patch for Adding Permissions Boundaries to all IAM roles. Additional options for adding prefixes to IAM role, policy and instance profile names Can account for non commercial partitions (e.g. aws-gov, aws-cn) #### Initializers ```typescript import { AddPermissionBoundary } from '@cdklabs/cdk-enterprise-iac' new AddPermissionBoundary(props: AddPermissionBoundaryProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | props | AddPermissionBoundaryProps | *No description.* | --- ##### `props`^Required - *Type:* AddPermissionBoundaryProps --- #### Methods | **Name** | **Description** | | --- | --- | | checkAndOverride | *No description.* | | visit | All aspects can visit an IConstruct. | --- ##### `checkAndOverride` ```typescript public checkAndOverride(node: CfnResource, prefix: string, length: number, cfnProp: string, cdkProp?: string): void ``` ###### `node`^Required - *Type:* aws-cdk-lib.CfnResource --- ###### `prefix`^Required - *Type:* string --- ###### `length`^Required - *Type:* number --- ###### `cfnProp`^Required - *Type:* string --- ###### `cdkProp`^Optional - *Type:* string --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` All aspects can visit an IConstruct. ###### `node`^Required - *Type:* constructs.IConstruct --- ### ConvertInlinePoliciesToManaged - *Implements:* aws-cdk-lib.IAspect Patch for turning all Policies into ConvertInlinePoliciesToManaged. Some users have policies in place that make it impossible to create inline policies. Instead, they must use managed policies. Note that order matters with this aspect. Specifically, it should generally be added first. This is because other aspects may add overrides that would be lost if applied before this aspect since the original aspect is removed and replaced. *Example* ```typescript // Replace all AWS::IAM::Policy resources with equivalent AWS::IAM::ManagedPolicy Aspects.of(stack).add(new ConvertInlinePoliciesToManaged()) ``` #### Initializers ```typescript import { ConvertInlinePoliciesToManaged } from '@cdklabs/cdk-enterprise-iac' new ConvertInlinePoliciesToManaged() ``` | **Name** | **Type** | **Description** | | --- | --- | --- | --- #### Methods | **Name** | **Description** | | --- | --- | | visit | All aspects can visit an IConstruct. | --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` All aspects can visit an IConstruct. ###### `node`^Required - *Type:* constructs.IConstruct --- ### RemovePublicAccessBlockConfiguration - *Implements:* aws-cdk-lib.IAspect Looks for S3 Buckets, and removes the `PublicAccessBlockConfiguration` property. For use in regions where Cloudformation doesn't support this property #### Initializers ```typescript import { RemovePublicAccessBlockConfiguration } from '@cdklabs/cdk-enterprise-iac' new RemovePublicAccessBlockConfiguration() ``` | **Name** | **Type** | **Description** | | --- | --- | --- | --- #### Methods | **Name** | **Description** | | --- | --- | | visit | All aspects can visit an IConstruct. | --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` All aspects can visit an IConstruct. ###### `node`^Required - *Type:* constructs.IConstruct --- ### RemoveTags - *Implements:* aws-cdk-lib.IAspect Patch for removing tags from a specific Cloudformation Resource. In some regions, the 'Tags' property isn't supported in Cloudformation. This patch makes it easy to remove *Example* ```typescript // Remove tags on a resource Aspects.of(stack).add(new RemoveTags({ cloudformationResource: 'AWS::ECS::Cluster', })); // Remove tags without the standard 'Tags' name Aspects.of(stack).add(new RemoveTags({ cloudformationResource: 'AWS::Backup::BackupPlan', tagPropertyName: 'BackupPlanTags', })); ``` #### Initializers ```typescript import { RemoveTags } from '@cdklabs/cdk-enterprise-iac' new RemoveTags(props: RemoveTagsProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | props | RemoveTagsProps | *No description.* | --- ##### `props`^Required - *Type:* RemoveTagsProps --- #### Methods | **Name** | **Description** | | --- | --- | | visit | All aspects can visit an IConstruct. | --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` All aspects can visit an IConstruct. ###### `node`^Required - *Type:* constructs.IConstruct --- ### ResourceExtractor - *Implements:* aws-cdk-lib.IAspect This Aspect takes a CDK application, all synthesized CloudFormationStackArtifact, a value share method, and a list of Cloudformation resources that should be pulled out of the main CDK application, which should be synthesized to a cloudformation template that an external team (e.g. security team) to deploy, and adjusting the CDK application to reference pre-created resources already pulled out. *Example* ```typescript const app = App() const stack = new Stack(app, 'MyStack'); extractedStack = new Stack(app, 'ExtractedStack'); const synthedApp = app.synth(); Aspects.of(app).add(new ResourceExtractor({ extractDestinationStack: extractedStack, stackArtifacts: synthedApp.stacks, valueShareMethod: ResourceExtractorShareMethod.CFN_OUTPUT, resourceTypesToExtract: [ 'AWS::IAM::Role', 'AWS::IAM::Policy', 'AWS::IAM::ManagedPolicy', 'AWS::IAM::InstanceProfile', ], }); app.synth({ force: true }); ``` #### Initializers ```typescript import { ResourceExtractor } from '@cdklabs/cdk-enterprise-iac' new ResourceExtractor(props: ResourceExtractorProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | props | ResourceExtractorProps | *No description.* | --- ##### `props`^Required - *Type:* ResourceExtractorProps --- #### Methods | **Name** | **Description** | | --- | --- | | visit | Entrypoint. | --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` Entrypoint. ###### `node`^Required - *Type:* constructs.IConstruct --- ### SetApiGatewayEndpointConfiguration - *Implements:* aws-cdk-lib.IAspect Override RestApis to use a set endpoint configuration. Some regions don't support EDGE endpoints, and some enterprises require specific endpoint types for RestApis #### Initializers ```typescript import { SetApiGatewayEndpointConfiguration } from '@cdklabs/cdk-enterprise-iac' new SetApiGatewayEndpointConfiguration(props?: SetApiGatewayEndpointConfigurationProps) ``` | **Name** | **Type** | **Description** | | --- | --- | --- | | props | SetApiGatewayEndpointConfigurationProps | *No description.* | --- ##### `props`^Optional - *Type:* SetApiGatewayEndpointConfigurationProps --- #### Methods | **Name** | **Description** | | --- | --- | | visit | All aspects can visit an IConstruct. | --- ##### `visit` ```typescript public visit(node: IConstruct): void ``` All aspects can visit an IConstruct. ###### `node`^Required - *Type:* constructs.IConstruct --- ## Enums ### ProxyType Whether an http-proxy or https-proxy. #### Members | **Name** | **Description** | | --- | --- | | HTTP | --http-proxy. | | HTTPS | --https-proxy. | --- ##### `HTTP` -http-proxy. --- ##### `HTTPS` -https-proxy. --- ### ResourceExtractorShareMethod The available value sharing methods to pass values from the extracted stack onto the original stack(s). #### Members | **Name** | **Description** | | --- | --- | | CFN_OUTPUT | *No description.* | | SSM_PARAMETER | *No description.* | | API_LOOKUP | *No description.* | --- ##### `CFN_OUTPUT` --- ##### `SSM_PARAMETER` --- ##### `API_LOOKUP` --- ### ResourceTransform #### Members | **Name** | **Description** | | --- | --- | | STACK_NAME | *No description.* | | LOGICAL_ID | *No description.* | --- ##### `STACK_NAME` --- ##### `LOGICAL_ID` ---