I have a manual action configured for codepipeline using CDK.
    const manualApprovalAction = new codepipeline_actions.ManualApprovalAction({
      actionName: 'Approval',
      notificationTopic: topic,
      additionalInformation: 'some value',
      externalEntityLink: 'abc'
    })
Is there a way to access the property externalEntityLink as variable? In other words, do manual approval actions expose action properties? I couldn't find any supporting document related to that.
For example (just for reference):
    const externalEntityLinkvar = manualApprovalAction.something.externalEntityLink
Related
Based on what's described here and on other pages, I created via CDK a Cognito User Pool and an Identity Pool, and, after manually mapping the custom attributes, access is granted based on the custom attributes in the User Pool.
Now I'm trying to do everything in CDK, but I can't figure out how to do the mapping of the custom attributes. The only thing I found that knows about attribute mapping is UserPoolIdentityProvider / CfnUserPoolIdentityProvider, but that is of the wrong type, and I cannot use it with a CfnIdentityPool in cognitoIdentityProviders.
I saw some unanswered posts about the same issue (this, or this), but hope dies last, so I thought maybe there will be an answer this time.
I was under the impression that everything is doable via CloudFormation, but this seems mistaken, as this post and others suggest.
So can the attribute mapping be done with CDK, or do I need to use custom resources and Lambdas (or perhaps something else) if I want to automate this?
Credits to original creator. Found this useful and solves the problem with Custom Resources.
https://github.com/aws-samples/amazon-cognito-abac-authorization-with-react-example/blob/main/lib/cognito_identity_pool_sample-stack.ts
    new cognito.CfnIdentityPoolRoleAttachment(this, "defaultRoles", {
      identityPoolId: identityPool.ref,
      roles: {
        'authenticated': authRole.attrArn
      }
    })

    const createParameters = {
      "IdentityPoolId": identityPool.ref,
      "IdentityProviderName": userPool.userPoolProviderName,
      "PrincipalTags": {
        "department": "department"
      },
      "UseDefaults": false
    }

    const setPrincipalTagAction = {
      action: "setPrincipalTagAttributeMap",
      service: "CognitoIdentity",
      parameters: createParameters,
      physicalResourceId: customResources.PhysicalResourceId.of(identityPool.ref)
    }

    const { region, account } = Stack.of(this)
    const identityPoolArn = `arn:aws:cognito-identity:${region}:${account}:identitypool/${identityPool.ref}`

    // Creates a Custom resource (https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.custom_resources-readme.html)
    // This is necessary to attach Principal Tag mappings to the Identity Pool after it has been created.
    // This uses the SDK, rather than CDK code, as attaching Principal Tags through CDK is currently not supported yet
    new customResources.AwsCustomResource(this, 'CustomResourcePrincipalTags', {
      onCreate: setPrincipalTagAction,
      onUpdate: setPrincipalTagAction,
      policy: customResources.AwsCustomResourcePolicy.fromSdkCalls({
        resources: [identityPoolArn],
      }),
    })
Currently working on implementing web and mobile analytics via AWS Amplify and Pinpoint.
I've noticed that analytics section of the Amplify docs for JS differs from the related section for iOS and Android, specifically in the extra parameters/keys/values that an event object can include.
JS docs specify an attributes property, while the iOS and Android versions both specify something referred to as properties. See snippets below:
JavaScript
    Analytics.record({
      name: 'albumVisit',
      // Attribute values must be strings
      attributes: { genre: '', artist: '' }
    });
iOS
    func recordEvents() {
        let properties: AnalyticsProperties = [
            "eventPropertyStringKey": "eventPropertyStringValue",
            "eventPropertyIntKey": 123,
            "eventPropertyDoubleKey": 12.34,
            "eventPropertyBoolKey": true
        ]
        let event = BasicAnalyticsEvent(name: "eventName", properties: properties)
        Amplify.Analytics.record(event: event)
    }
Android
    val event = AnalyticsEvent.builder()
        .name("PasswordReset")
        .addProperty("Channel", "SMS")
        .addProperty("Successful", true)
        .addProperty("ProcessDuration", 792)
        .addProperty("UserAge", 120.3)
        .build()
    Amplify.Analytics.recordEvent(event)
Are attributes and properties interchangeable? I'm going to be using Amazon QuickSight to build out analytics dashboards, ultimately the collected event data will end up on S3, and queried using Athena. I'll need to define a schema for the table in Athena and I'm uncertain, based on the above, what format I can expect the data attributes/properties to be in. It seems like Amazon intended for attributes and properties to contain the same type of event-related information. But I'm confused as to why the naming convention differs between platforms.
On iOS & Android, Amplify Analytics' String & Boolean properties are mapped to Pinpoint attributes. Double & Integer properties are mapped to Pinpoint metrics.
Or, expressed as a table:

| Amplify property type (in) | Pinpoint type (out) |
|----------------------------|---------------------|
| String                     | Attribute           |
| Boolean                    | Attribute           |
| Integer                    | Metric              |
| Double                     | Metric              |

(Refer to Amplify's Android code, iOS code.)
On the off chance someone else notices the lack of explanation around this in their docs... any property added via the mobile SDKs will appear within the attributes object in the record event payload.
I want to verify an email address from my CDK itself so that when my stack is deployed to some other regions this verification is automatically triggered, rather than going to AWS console and doing it manually.
You can either do that using AwsCustomResource from @aws-cdk/custom-resources and it looks similar to the example that you can find here for validating a domain: Custom Resource Examples.
Verify email using TypeScript
I'm adjusting the example here for your use case:
    const verifyDomainIdentity = new AwsCustomResource(this, 'VerifyDomainIdentity', {
      onCreate: {
        service: 'SES',
        action: 'verifyEmailIdentity',
        parameters: {
          EmailAddress: 'your@example.com'
        },
        physicalResourceId: PhysicalResourceId.of('verify-email-address')
      },
      policy: AwsCustomResourcePolicy.fromSdkCalls({resources: AwsCustomResourcePolicy.ANY_RESOURCE}) // This does not work somehow with SES or maybe I did something wrong :-(
    });
Unfortunately this does not work out of the box because somehow the generated policy includes an email: prefix instead of ses: and you need to provide your own policy. But there's an alternative below.
Using an existing CDK Construct with TypeScript
The other alternative is to use a CDK Construct which is already doing that for you. I recently ran into the same problem as you and I've published a CDK Construct for that: ses-verify-identities. You can then do it like this:
    new VerifySesEmailAddress(this, 'SesEmailVerification', {
      emailAddress: 'hello@example.org'
    });
You can find the source code of the CDK construct here in case you are interested. The same is possible for verifying domains.
Context
I have created an AWS Logs SubscriptionFilter using CDK. I am now trying to create a metric/alarm for some of the metrics for this resource.
Problem
All the metrics I am interested in (see ForwardedLogEvents, DeliveryErrors, DeliveryThrottling in the Monitoring AWS Logs with CloudWatch Metrics docs) require these dimensions to be specified:
LogGroupName
DestinationType
FilterName
The first two are easy to specify since the LogGroupName is also required while creating the construct and DestinationType in my case is just Lambda. However, I see no way to get FilterName using CDK.
Using CloudWatch, I see that the FilterName is like MyStackName-MyLogicalID29669D87-GCMA0Q4KKALH. So I can't directly specify it using a Fn.ref (since I don't know the logical id). Using CloudFormation, I could have directly done Ref: LogicalId.
I also don't see any properties on the SubscriptionFilter object that will return this (unlike most other CDK constructs this one seems pretty bare and returns absolutely no information about the resource).
There are also no metric* methods on SubscriptionFilter object (unlike other standard constructs like Lambda functions, S3 buckets etc.), so I have to manually specify the Metric object. See for example: CDK metric objects docs.
The CDK construct (and the underlying CloudFormation resource: AWS::Logs::SubscriptionFilter) does not let me specify the FilterName - so I can't use a variable to specify it also and the name is dynamically generated.
Example code that is very close to what I need:
    const metric = new Metric({
      namespace: 'AWS/Logs',
      metricName: 'ForwardedLogEvents',
      dimensions: {
        DestinationType: 'Lambda',
        // I know this value since I specified it while creating the SubscriptionFilter
        LogGroupName: 'MyLogGroupName',
        FilterName: Fn.ref('logical-id-wont-work-since-it-is-dynamic-in-CDK')
      }
    })
Question
How can I figure out how to acquire the FilterName property to construct the Metric object?
Or otherwise, is there another way to go about this?
I was able to work around this by using Stack#getLogicalId method.
Example code
In Kotlin, as an extension function for any Construct:
    fun Construct.getLogicalId() = Stack.of(this).getLogicalId(this.node.defaultChild as CfnElement)
... and then use it with any Construct:
    val metric = Metric.Builder.create()
        .namespace("AWS/Logs")
        .metricName("ForwardedLogEvents")
        .dimensions(mapOf(
            "DestinationType" to "Lambda",
            "LogGroupName" to myLogGroup.logGroupName,
            "FilterName" to mySubscriptionFilter.getLogicalId()
        ))
        .statistic("sum")
        .build()
I am using CDK to set up code pipelines in AWS. The pipeline stage needs to download the source code from github so uses an oauth token to authenticate the request. I would like to be able to access the token from AWS Parameter Store and NOT from AWS Secret Manager when setting the value in the stage of the pipeline.
There are plenty of examples using Secret Manager to do this. However there are no examples using the Parameter Store or hardcoding the token in plain text within the CDK project.
We are using typescript with CDK 1.3.0.
I have tried storing the token in the Parameter Store. When storing as a secure String you need to additionally specify the version when retrieving the value. However I cannot then cast to a SecretValue that is required to set oauthToken property in the pipeline stage.
Get the value from the Parameter Store ..
    // get the secureString
    const secureString = ssm.StringParameter.fromSecureStringParameterAttributes(construct, 'MySecretParameter', {
      parameterName: 'my-secure-parameter-name',
      version: 1,
    });
I need to cast the secretString to a CDK.SecretValue to then use it to set the oauthToken. I cannot see how to do this.
    const sourceAction = new codepipelineactions.GitHubSourceAction({
      actionName: 'Source',
      owner: owner,
      repo: repository,
      oauthToken: githubOAuthAccessToken,
      output: sourceOutput,
      branch: branch,
      trigger: codepipelineactions.GitHubTrigger.WEBHOOK,
    });
The CDK documentation says that it is advisable to store tokens in Secret Manager.
"It is recommended to use a Secret Manager SecretString to obtain the token"
It does not say that tokens cannot be retrieved from other sources and used. I would be grateful if the situation could be clarified and if anyone stores tokens outside Secrets Manager and is still able to use them to set the Token in the source stage of a pipeline.
You can use cdk.SecretValue.ssmSecure or cdk.SecretValue.plainText:
    oauthToken: cdk.SecretValue.ssmSecure('param-name', 'version');
    // OR
    oauthToken: cdk.SecretValue.plainText('oauth-token-here');
From the doc for plainText:
Do not use this method for any secrets that you care about. The only reasonable use case for using this method is when you are testing.
The previous answer by @jogold does partially work. However, at the time of this writing SecretValue.ssmSecure is not supported by CloudFormation and you will get an error such as: FAILED, SSM Secure reference is not supported in: .
There is an open issue on the CDK roadmap: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/227. The plaintext option is not truly viable as the secret will be exposed in CFN template.
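
The answers above differ in what ends up in the synthesized CloudFormation template: a literal token with plainText, or a `{{resolve:...}}` dynamic reference with ssmSecure or Secrets Manager. As an added example (not code from any of the posts), this TypeScript check reports how every GitHub source action in a template supplies its OAuthToken; the function names, sample template, parameter names and token placeholder are constructed for illustration.

```typescript
// Added example: classify the OAuthToken of each GitHub source action in a template.
type TokenSource = 'secretsmanager' | 'ssm-secure' | 'ssm' | 'intrinsic' | 'plaintext';
interface Finding { pipeline: string; action: string; source: TokenSource; }

// CloudFormation dynamic reference: {{resolve:<service>:<reference-key>}}
const DYNAMIC_REF = /^\{\{resolve:(secretsmanager|ssm-secure|ssm):[^}]+\}\}$/;

function classifyToken(value: unknown): TokenSource {
  if (typeof value !== 'string') return 'intrinsic'; // Ref, Fn::Join, missing: review by hand
  const m = DYNAMIC_REF.exec(value);
  return m ? (m[1] as TokenSource) : 'plaintext';    // any other string is a literal token
}

function auditGitHubTokens(template: any): Finding[] {
  const findings: Finding[] = [];
  const resources = template.Resources ?? {};
  for (const id of Object.keys(resources)) {
    const res = resources[id];
    if (res.Type !== 'AWS::CodePipeline::Pipeline') continue;
    for (const stage of res.Properties?.Stages ?? []) {
      for (const action of stage.Actions ?? []) {
        if (action.ActionTypeId?.Provider !== 'GitHub') continue;
        const source = classifyToken(action.Configuration?.OAuthToken);
        findings.push({ pipeline: id, action: action.Name, source });
      }
    }
  }
  return findings;
}

// Tokens readable by anyone who can read the template.
function exposedTokens(template: any): Finding[] {
  return auditGitHubTokens(template).filter(f => f.source === 'plaintext');
}

// Constructed sample: one pipeline per way of supplying the token.
function pipeline(token: unknown) {
  return { Type: 'AWS::CodePipeline::Pipeline', Properties: { Stages: [{ Name: 'Source', Actions: [{
    Name: 'Source',
    ActionTypeId: { Category: 'Source', Owner: 'ThirdParty', Provider: 'GitHub', Version: '1' },
    Configuration: { Owner: 'example-owner', Repo: 'example-repo', Branch: 'main', OAuthToken: token },
  }] }] } };
}
const SAMPLE_TEMPLATE = { Resources: {
  FromSecretsManager: pipeline('{{resolve:secretsmanager:github-token:SecretString:::}}'),
  FromSsmSecure: pipeline('{{resolve:ssm-secure:my-secure-parameter-name:1}}'),
  FromPlainText: pipeline('CONSTRUCTED-PLACEHOLDER-TOKEN'),
  Bucket: { Type: 'AWS::S3::Bucket' },
} };
```

Only `plaintext` findings put the token itself in the template; per the answer above, `ssm-secure` references were rejected by CloudFormation for this property at the time it was written, so they are reported separately rather than treated as safe to deploy.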