How to get the AWS IoT custom endpoint in CDK? - amazon-web-services

I want to pass the IoT custom endpoint as an env var to a lambda declared in CDK.
I'm talking about the IoT custom endpoint that lives here:
How do I get it in the context of CDK?

You can ref AWS sample code:
https://github.com/aws-samples/aws-iot-cqrs-example/blob/master/lib/querycommandcontainers.ts
import * as customResource from 'aws-cdk-lib/custom-resources'; // CDK v1: '@aws-cdk/custom-resources'

// Deploy-time SDK call: there is no CloudFormation resource for the IoT data endpoint,
// so an AwsCustomResource calls iot:DescribeEndpoint while the stack is created.
const getIoTEndpoint = new customResource.AwsCustomResource(this, 'IoTEndpoint', {
  onCreate: {
    service: 'Iot',
    action: 'describeEndpoint',
    physicalResourceId: customResource.PhysicalResourceId.fromResponse('endpointAddress'),
    parameters: {
      endpointType: 'iot:Data-ATS', // the ATS data endpoint AWS recommends
    },
  },
  // fromSdkCalls restricts the custom resource's role to the single iot:DescribeEndpoint action.
  policy: customResource.AwsCustomResourcePolicy.fromSdkCalls({
    resources: customResource.AwsCustomResourcePolicy.ANY_RESOURCE,
  }),
});
// A token resolved at deploy time; pass it into the Lambda's `environment` map.
const IOT_ENDPOINT = getIoTEndpoint.getResponseField('endpointAddress');

AFAIK the only way to recover is by using Custom Resources (Lambda), for example (IoTThing): https://aws.amazon.com/blogs/iot/automating-aws-iot-greengrass-setup-with-aws-cloudformation/

Related

Direct traffic to Lambda function with API Gateway in CDK

I am trying to create a REST API to return data to my front-end using a Lambda function all done in CDK.
Basically my api-gateway would route traffic from /uploads to my Lambda function. However, I'm having a bit of difficulty incorporating this.
const s3UploaderUrlLambda = new lambda.Function(
  // defined my Lambda function
);
const api = new apigateway.LambdaRestApi(this, 's3uploader', {
  handler: s3UploaderUrlLambda, // I believe this handler means that it will target this
                                // Lambda for every single route but I only want it for /uploads
  proxy: false
});
const uploads = api.root.addResource('uploads');
uploads.addMethod('GET');
Can anyone help?
Define a default integration for the resource:
const uploads = api.root.addResource('uploads', {
  defaultIntegration: new apigateway.LambdaIntegration(
    s3UploaderUrlLambda
  )
});
or directly for the method:
uploads.addMethod(
  'GET',
  new apigateway.LambdaIntegration(
    s3UploaderUrlLambda
  )
);

How to reuse the API Gateway TokenAuthorizer

I want to reuse the TokenAuthorizer which I have created in another stack. If I do the below it gives an error that it already exists, and if I change the authorizerName it creates a new one.
Is there a way I can reuse this resource?
const authzHandler = lambda.Function.fromFunctionName(this, 'AuthHandlerLookup', 'auth-handler');
const authorizer = new apigateway.TokenAuthorizer(this, 'WebApiTokenAuthorizer', {
  handler: authzHandler,
  resultsCacheTtl: Duration.seconds(600),
  authorizerName: 'test-Authorizer',
  assumeRole: lambdaExecutionRole
});
test.addMethod('GET', new apigateway.LambdaIntegration(TestLambda, { proxy: true }), {
  authorizer
});
I am able to get the authorizer information in the CLI, but not sure how to do the same using CDK:
aws apigateway get-authorizer --rest-api-id wrrt25mzme0m --authorizer-id vffawds

AWS CDK - compile-time programmatic extraction of account ID from ARN string

I have the ARN of a downstream resource of an external AWS account. My infrastructure code is in AWS CDK. In my code, I want to extract the accountId from the ARN. How do I do that?
It can be elegantly done using the core cdk library. Here's the solution:
import { Arn } from 'monocdk';

// Throws if the ARN carries no account id (S3 bucket ARNs, for example, leave that field empty).
function getAccountIdFromArn(arn: string): string {
  const arnComponents = Arn.parse(arn);
  if (!arnComponents.account) {
    throw new Error(`account id not present in the arn ${arn}!`);
  }
  return arnComponents.account;
}
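As an added, dependency-free illustration (not CDK's `Arn.parse` and not part of the original answer), the following TypeScript splits an ARN along the documented `arn:partition:service:region:account:resource` grammar, handles the cases the CDK check above has to cope with (an empty account field, a resource part that itself contains `:` or `/`), and adds the check a practitioner usually wants right next to this: confirming that the account in a downstream ARN is on a short trusted list before granting it anything. The function names, the sample ARNs and the account ids are constructed for this example.

```typescript
// Constructed example: a minimal ARN parser in the spirit of CDK's Arn.parse.
// This is not the CDK implementation; it exists so the logic can run stand-alone.
// ARN grammar: arn:partition:service:region:account:resource
// The resource part may contain further ':' or '/', so we only split the first five fields.
export interface ArnComponents {
  partition: string;
  service: string;
  region: string;   // empty for global services such as IAM
  account: string;  // empty for some resources, e.g. S3 buckets
  resource: string;
}

export function parseArn(arn: string): ArnComponents {
  const parts = arn.split(':');
  if (parts.length < 6 || parts[0] !== 'arn') {
    throw new Error(`not a valid ARN: ${arn}`);
  }
  const [, partition, service, region, account, ...rest] = parts;
  if (!partition || !service) {
    throw new Error(`ARN is missing partition or service: ${arn}`);
  }
  // Re-join whatever followed the account field so 'function:my-fn:1' survives intact.
  return { partition, service, region, account, resource: rest.join(':') };
}

// Same contract as the answer's helper: refuse ARNs without an account id, and
// additionally insist the field looks like a 12-digit AWS account id.
export function getAccountIdFromArn(arn: string): string {
  const { account } = parseArn(arn);
  if (account === '') {
    throw new Error(`account id not present in the arn ${arn}!`);
  }
  if (!/^\d{12}$/.test(account)) {
    throw new Error(`account field is not a 12-digit account id: ${account}`);
  }
  return account;
}

// Defensive check before wiring cross-account access: is the downstream resource
// owned by an account we have decided to trust? Malformed input is treated as untrusted.
export function isTrustedAccountArn(arn: string, trustedAccounts: readonly string[]): boolean {
  try {
    return trustedAccounts.includes(getAccountIdFromArn(arn));
  } catch {
    return false;
  }
}
```

Feeding the account id into an allow-list rather than trusting whatever the ARN says is the point of the last function: in a CDK stack the parsed value typically ends up in an IAM policy or a resource policy, so validating it at synth time catches a mistyped or unexpected account before anything is deployed.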

How can I associate an IAM OIDC Identity Provider with an EKS cluster with CDK?

I can't figure out how to replicate the functionality of the "Associate Identity Provider" button on AWS console screen pictured below with CDK.
You actually don't need to specify it, it is made automatically
Example of Go CDK code:
import (
	"github.com/aws/aws-cdk-go/awscdk/v2"
	"github.com/aws/aws-cdk-go/awscdk/v2/awseks"
	"github.com/aws/constructs-go/constructs/v10"
	"github.com/aws/jsii-runtime-go"
)

func SetKubernetesCluster(stack constructs.Construct) *awseks.Cluster {
	cluster := awseks.NewCluster(stack, jsii.String("nft"), &awseks.ClusterProps{
		ClusterName:         jsii.String("nft"),
		Version:             awseks.KubernetesVersion_V1_21(),
		OutputClusterName:   jsii.Bool(true),
		OutputConfigCommand: jsii.Bool(true),
	})
	// Export the cluster's OIDC issuer so IAM trust policies can reference it.
	awscdk.NewCfnOutput(stack, jsii.String("OIDC-issuer"), &awscdk.CfnOutputProps{
		Value: cluster.ClusterOpenIdConnectIssuer(),
	})
	awscdk.NewCfnOutput(stack, jsii.String("OIDC-endpoint-url"), &awscdk.CfnOutputProps{
		Value: cluster.ClusterOpenIdConnectIssuerUrl(),
	})
	return &cluster
}

AWS CDK: enabling access logging for classical load balancer

We are using Classical load balancer in our Infra deployed via CDK. For deploying Load balancer we are using level 2 Constructs. The code is like this:
const lb = new elb.LoadBalancer(this, 'LB', {
  vpc: vpcRef,
  internetFacing: true,
  healthCheck: {
    port: 80
  },
});
lb.addListener({
  externalPort: 80,
});
We are not able to find any property using which we can enable the access logging. Someone suggested to me to use AccessLoggingPolicyProperty. I checked that and found that this property can be used with Level 1 constructs only. Can someone please guide me on how we can enable the access logs via CDK on a classical load balancer using Level 2 constructs?
As per the documentation you need an S3 bucket with the right permissions configured. With that you can follow the aws-cdk documentation on how to get access to the L1 construct.
It is going to look roughly like the following code
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { AccountPrincipal, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
import { CfnLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancing';
// (on CDK v1 the same classes live in @aws-cdk/aws-s3, @aws-cdk/aws-iam and @aws-cdk/aws-elasticloadbalancing)

const lbLogs = new Bucket(this, 'LB Logs');
// The regional ELB account writes the log objects into the bucket; look its id up for your region.
const elbAccountId = 'TODO: find right account for your region in docs';
lbLogs.grantPut(new AccountPrincipal(elbAccountId));
lbLogs.grantPut(
  new ServicePrincipal('delivery.logs.amazonaws.com', {
    conditions: {
      StringEquals: {
        's3:x-amz-acl': 'bucket-owner-full-control',
      },
    },
  })
);
lbLogs.grantRead(new ServicePrincipal('delivery.logs.amazonaws.com'));
// Escape hatch: the L1 CloudFormation resource behind the L2 construct exposes accessLoggingPolicy.
const cfnLoadBalancer = lb.node.defaultChild as CfnLoadBalancer;
cfnLoadBalancer.accessLoggingPolicy = {
  enabled: true,
  s3BucketName: lbLogs.bucketName,
};