public static PolicyStatement WithActions(this PolicyStatement statement, params string[] actions)
        /// <summary>
        /// Provisions the questions microservice: a DynamoDB table with a NEW_IMAGE stream, a Lambda that
        /// stores submitted questions, a stream-triggered Lambda that is handed an SNS topic ARN, and a
        /// REST API in front of the first Lambda. X-Ray tracing is switched on for both functions and the
        /// API stage.
        /// </summary>
        /// <param name="parent">Scope in which this stack is defined.</param>
        /// <param name="id">Construct identifier of the stack.</param>
        // NOTE(review): braces and a number of statements (the AddActions/AddResources calls on the
        // PolicyStatements, the contents of the InitialPolicy/Statements/Roles arrays) are missing from
        // this listing; the comments below describe only what is visible.
        public XRayStack(Construct parent, string id) : base(parent, id)
            // Table whose NEW_IMAGE stream drives mysfitsProcessQuestionStream below. A fixed TableName
            // means the stack cannot be deployed twice in the same account/region.
            var table = new Table(this, "Table", new TableProps()
                TableName    = "MysfitsQuestionsTable",
                PartitionKey = new Attribute
                    Name = "QuestionId",
                    Type = AttributeType.STRING
                Stream = StreamViewType.NEW_IMAGE

            // DynamoDB permissions for the PostQuestion function. The actions/resources are not shown
            // here; they should be scoped to table.TableArn, not "*".
            var postQuestionLambdaFunctionPolicyStmDDB = new PolicyStatement();


            // X-Ray permissions for both functions (actions/resources not shown in this listing).
            var LambdaFunctionPolicyStmXRay = new PolicyStatement();

                //  Allows the Lambda function to interact with X-Ray

            // Receives a question from the website and writes it to the table.
            // NOTE(review): Runtime.PYTHON_3_6 is an end-of-life runtime that Lambda no longer
            // accepts for new functions; move to a supported Python runtime before deploying.
            var mysfitsPostQuestion = new Function(this, "PostQuestionFunction", new FunctionProps
                Handler     = "mysfitsPostQuestion.postQuestion",
                Runtime     = Runtime.PYTHON_3_6,
                Description =
                    "A microservice Lambda function that receives a new question submitted to the MythicalMysfits website from a user and inserts it into a DynamoDB database table.",
                MemorySize    = 128,
                Code          = Code.FromAsset("../../lambda-questions/PostQuestionsService"),
                Timeout       = Duration.Seconds(30),
                InitialPolicy = new[]
                Tracing = Tracing.ACTIVE

            // Notification topic for new questions.
            var topic = new Topic(this, "Topic", new TopicProps
                DisplayName = "MythicalMysfitsQuestionsTopic",
                TopicName   = "MythicalMysfitsQuestionsTopic"

            // The address below is a placeholder; deploying it as-is subscribes a non-existent mailbox
            // and no one receives the notifications.
            topic.AddSubscription(new EmailSubscription("REPLACE@EMAIL_ADDRESS"));

            // SNS publish permission for the stream processor (actions/resources not shown; should be
            // limited to topic.TopicArn).
            var postQuestionLambdaFunctionPolicyStmSNS = new PolicyStatement();


            // Consumes the table stream one record at a time and is given the topic ARN via its
            // environment. Same deprecated-runtime remark as above applies.
            var mysfitsProcessQuestionStream = new Function(this, "ProcessQuestionStreamFunction", new FunctionProps
                Handler     = "mysfitsProcessStream.processStream",
                Runtime     = Runtime.PYTHON_3_6,
                Description =
                    "An AWS Lambda function that will process all new questions posted to mythical mysfits" +
                    " and notify the site administrator of the question that was asked.",
                MemorySize    = 128,
                Code          = Code.FromAsset("../../lambda-questions/ProcessQuestionsStream"),
                Timeout       = Duration.Seconds(30),
                InitialPolicy = new[]
                Tracing     = Tracing.ACTIVE,
                Environment = new Dictionary <string, string>()
                    { "SNS_TOPIC_ARN", topic.TopicArn }
                Events = new IEventSource[]
                    // TRIM_HORIZON replays whatever is still retained in the stream on first attach.
                    new DynamoEventSource(table, new DynamoEventSourceProps
                        StartingPosition = StartingPosition.TRIM_HORIZON,
                        BatchSize        = 1

            // Role API Gateway assumes to invoke the Lambda (see CredentialsRole below).
            // NOTE(review): the service principal string is empty in this listing, which would
            // produce an unusable trust policy; restore the specific service name from the original
            // source (placeholder: <SERVICE>.amazonaws.com).
            var questionsApiRole = new Role(this, "QuestionsApiRole", new RoleProps
                AssumedBy = new ServicePrincipal("")

            // Invoke permission for the API role (actions/resources not shown; should name
            // mysfitsPostQuestion.FunctionArn).
            var apiPolicy = new PolicyStatement();

            new Policy(this, "QuestionsApiPolicy", new PolicyProps
                PolicyName = "questions_api_policy",
                Statements = new[]
                Roles = new IRole[]

            // Non-proxy integration: the 200 response body is fixed to {"status":"OK"}.
            var questionsIntegration = new LambdaIntegration(mysfitsPostQuestion, new LambdaIntegrationOptions
                CredentialsRole      = questionsApiRole,
                IntegrationResponses = new IntegrationResponse[]
                    new IntegrationResponse()
                        StatusCode        = "200",
                        ResponseTemplates = new Dictionary <string, string>
                            { "application/json", "{\"status\":\"OK\"}" }

            // Proxy = false: only the resources/methods added below exist; stage-level tracing is on.
            var api = new LambdaRestApi(this, "APIEndpoint", new LambdaRestApiProps
                Handler       = mysfitsPostQuestion,
                RestApiName   = "Questions API Service",
                DeployOptions = new StageOptions
                    TracingEnabled = true
                Proxy = false

            var questionsMethod = api.Root.AddResource("questions");

            // POST /questions is unauthenticated (AuthorizationType.NONE): anyone on the internet can
            // insert rows into the table. Consider an authorizer, API key/usage plan or at least stage
            // throttling. The CORS headers declared here are only method responses; the integration
            // response above maps no header values, so they may come back empty — confirm.
            questionsMethod.AddMethod("POST", questionsIntegration, new MethodOptions
                MethodResponses = new MethodResponse[]
                    new MethodResponse
                        StatusCode         = "200",
                        ResponseParameters = new Dictionary <string, bool>()
                            { "method.response.header.Access-Control-Allow-Headers", true },
                            { "method.response.header.Access-Control-Allow-Methods", true },
                            { "method.response.header.Access-Control-Allow-Origin", true },
                AuthorizationType = AuthorizationType.NONE

            // CORS preflight. Allow-Origin '*' together with Allow-Credentials 'false' is a consistent
            // pair; Allow-Methods advertises GET/PUT/DELETE although only POST is defined on this
            // resource.
            questionsMethod.AddMethod("OPTIONS", new MockIntegration(new IntegrationOptions
                IntegrationResponses = new IntegrationResponse[]
                    new IntegrationResponse
                        StatusCode         = "200",
                        ResponseParameters = new Dictionary <string, string>
                            { "method.response.header.Access-Control-Allow-Origin", "'*'" },
                            { "method.response.header.Access-Control-Allow-Credentials", "'false'" },
                            { "method.response.header.Access-Control-Allow-Methods", "'OPTIONS,GET,PUT,POST,DELETE'" }
                PassthroughBehavior = PassthroughBehavior.NEVER,
                RequestTemplates    = new Dictionary <string, string>
                    { "application/json", "{\"statusCode\": 200}" }
                                      new MethodOptions
                MethodResponses = new MethodResponse[]
                    new MethodResponse
                        StatusCode         = "200",
                        ResponseParameters = new Dictionary <string, bool>
                            { "method.response.header.Access-Control-Allow-Headers", true },
                            { "method.response.header.Access-Control-Allow-Methods", true },
                            { "method.response.header.Access-Control-Allow-Credentials", true },
                            { "method.response.header.Access-Control-Allow-Origin", true }
        /// <summary>
        /// Creates an ECS cluster in the supplied VPC and a Fargate service behind a public Network Load
        /// Balancer that runs the image from the supplied ECR repository on port 8080.
        /// </summary>
        /// <param name="parent">Scope in which this stack is defined.</param>
        /// <param name="id">Construct identifier of the stack.</param>
        /// <param name="props">Carries the VPC and the ECR repository to deploy from.</param>
        // NOTE(review): braces and the AddActions/AddResources calls on the two policy statements are
        // missing from this listing; only the intent comments survived.
        public EcsStack(Construct parent, string id, EcsStackProps props) : base(parent, id)
            this.ecsCluster = new Cluster(this, "Cluster", new ClusterProps
                Vpc = props.Vpc,
            // PublicLoadBalancer = true exposes the NLB to the internet. No listener certificate is
            // configured here, so traffic to the service is plain TCP unless the container terminates TLS
            // itself — confirm.
            this.ecsService = new NetworkLoadBalancedFargateService(this, "Service", new NetworkLoadBalancedFargateServiceProps()
                Cluster            = this.ecsCluster,
                DesiredCount       = 1,
                PublicLoadBalancer = true,
                TaskImageOptions   = new NetworkLoadBalancedTaskImageOptions
                    EnableLogging = true,
                    ContainerPort = 8080,
                    Image         = ContainerImage.FromEcrRepository(props.ecrRepository),
            // NLBs do not carry a security group, so the task must admit the load balancer's traffic;
            // this opens 8080 to the whole VPC CIDR rather than just the NLB subnets.
            this.ecsService.Service.Connections.AllowFrom(Peer.Ipv4(props.Vpc.VpcCidrBlock), Port.Tcp(8080));

            // Statement for the ECS service-linked behaviour described below (actions/resources not
            // shown in this listing).
            var taskDefinitionPolicy = new PolicyStatement();

                // Rules which allow ECS to attach network interfaces to instances
                // on your behalf in order for awsvpc networking mode to work right

                // Rules which allow ECS to update load balancers on your behalf
                //  with the information sabout how to send traffic to your containers

                //  Rules which allow ECS to run tasks that have IAM roles assigned to them.

                //  Rules that let ECS create and push logs to CloudWatch.


            // Statement for the task itself (actions/resources not shown). ECR pull actions such as
            // GetAuthorizationToken require "*", but the image actions can be limited to
            // props.ecrRepository.RepositoryArn.
            var taskRolePolicy = new PolicyStatement();

                // Allow the ECS Tasks to download images from ECR
                // Allow the ECS tasks to upload logs to CloudWatch
Exemple #4
        /// <summary>
        /// Hosts a single-page application: an S3 bucket read by CloudFront through an origin access
        /// identity, a CNAME in the supplied hosted zone, and a CodeBuild project that builds the SPA from
        /// GitHub and is given the bucket and distribution ids through environment variables.
        /// </summary>
        /// <param name="scope">Scope in which this stack is defined.</param>
        /// <param name="id">Construct identifier of the stack.</param>
        /// <param name="props">Service name, DNS settings, VPC, GitHub source, buildspec and API URL.</param>
        // NOTE(review): braces, the AddResources/AddPrincipals calls on cloudfrontS3Access, the bucket
        // policy attachment and the Actions arrays of the two CodeBuild policy statements are missing
        // from this listing.
        public SpaStack(Construct scope, string id, SpaStackProps props) : base(scope, id, props)
            //s3 bucket
            // Bucket names are globally unique, so BucketName = props.ServiceName blocks a second
            // deployment with the same name. RemovalPolicy.DESTROY deletes the bucket on stack removal
            // (a non-empty versioned bucket will fail to delete unless its objects are removed first).
            // WebsiteIndexDocument enables the website endpoint, but CloudFront below reads the bucket
            // through the REST origin with an OAI, so the bucket does not need public access — confirm.
            var bucket = new Bucket(this, $"{props.ServiceName}-bucket", new BucketProps
                WebsiteIndexDocument = "index.html",
                Versioned            = true,
                BucketName           = props.ServiceName,
                RemovalPolicy        = RemovalPolicy.DESTROY

            //cloudfront distribution
            var cloudFrontOai = new OriginAccessIdentity(this, $"{props.ServiceName}-oai", new OriginAccessIdentityProps
                Comment = $"OAI for {props.ServiceName}."

            // Custom-domain distribution (ACM certificate, SNI) with the bucket as its only origin.
            var cloudfrontDist = new CloudFrontWebDistribution(this, $"{props.ServiceName}-cfd", new CloudFrontWebDistributionProps
                ViewerCertificate = ViewerCertificate.FromAcmCertificate(
                    new ViewerCertificateOptions
                    Aliases   = new [] { $"{props.SubDomain}.{props.HostedZoneName}" },
                    SslMethod = SSLMethod.SNI
                OriginConfigs = new ISourceConfiguration[]
                    new SourceConfiguration
                        S3OriginSource = new S3OriginConfig
                            S3BucketSource       = bucket,
                            OriginAccessIdentity = cloudFrontOai
                        Behaviors = new IBehavior[]
                            new Behavior
                                IsDefaultBehavior = true,

            // DNS: <SubDomain>.<HostedZoneName> -> CloudFront domain.
            var cnameRecord = new CnameRecord(this, $"{props.ServiceName}CloudFrontCname", new CnameRecordProps
                Zone = HostedZone.FromHostedZoneAttributes(this, "HostedZone", new HostedZoneAttributes
                    ZoneName     = props.HostedZoneName,
                    HostedZoneId = props.HostedZoneId
                RecordName = props.SubDomain,
                DomainName = cloudfrontDist.DistributionDomainName

            // Read-only grant for the OAI. Resources/principal are not shown here; they should be the
            // bucket ARN plus "<bucket ARN>/*" and cloudFrontOai's principal only.
            var cloudfrontS3Access = new PolicyStatement();

            cloudfrontS3Access.AddActions("s3:GetBucket*", "s3:GetObject*", "s3:List*");


            //codebuild project

            // The build reads its targets from plain-text environment variables; none of these values
            // is secret. The GitHub credentials live in props.GitHubSourceProps (not shown).
            var codeBuildProject = new Project(this, $"{props.ServiceName}-codeBuild-project", new ProjectProps
                Vpc         = props.Vpc,
                ProjectName = props.ServiceName,
                Environment = new BuildEnvironment
                    BuildImage = LinuxBuildImage.STANDARD_4_0,
                Source               = Source.GitHub(props.GitHubSourceProps),
                BuildSpec            = BuildSpec.FromSourceFilename(props.BuildSpecFile),
                EnvironmentVariables = new Dictionary <string, IBuildEnvironmentVariable>
                    { "SPA_DIRECTORY", new BuildEnvironmentVariable {
                          Value = props.SpaDirectory
                      } },
                    { "S3_BUCKET", new BuildEnvironmentVariable {
                          Value = bucket.BucketName
                      } },
                    { "CLOUDFRONT_ID", new BuildEnvironmentVariable {
                          Value = cloudfrontDist.DistributionId
                      } },
                    { "API_URL", new BuildEnvironmentVariable {
                          Value = props.ApiUrl
                      } }

            // iam policy to push your build to S3
            // Correctly scoped to this bucket and its objects (actions not shown in this listing).
                new PolicyStatement(new PolicyStatementProps
                Effect    = Effect.ALLOW,
                Resources = new[] { bucket.BucketArn, $"{bucket.BucketArn}/*" },
                Actions   = new[]

            // Wildcard resource. If the (missing) actions support resource-level permissions, scope
            // this to the distribution's ARN instead of "*".
                new PolicyStatement(new PolicyStatementProps
                Effect    = Effect.ALLOW,
                Resources = new [] { "*" },
                Actions   = new []
Exemple #5
        /// <summary>
        /// Click-stream ingestion: a REST API whose PUT /clicks method writes directly into a Kinesis
        /// Firehose delivery stream, a Lambda that transforms each record, and an S3 bucket the stream
        /// delivers into.
        /// </summary>
        /// <param name="parent">Scope in which this stack is defined.</param>
        /// <param name="id">Construct identifier of the stack.</param>
        /// <param name="props">Stack properties forwarded to the base constructor.</param>
        // NOTE(review): braces, the AddActions/AddResources calls on every PolicyStatement, the
        // ExternalIds/InitialPolicy/Statements/EndpointTypes array contents and the Lambda Environment
        // entries are missing from this listing (the base(...) call is also truncated).
        public KinesisFirehoseStack(Construct parent, string id, KinesisFirehoseStackProps props) : base(parent, id,
            // Destination bucket. No encryption or removal policy is declared here; confirm the
            // account-level S3 defaults are acceptable for click data.
            var clicksDestinationBucket = new Bucket(this, "Bucket", new BucketProps
                Versioned = true

            // Role Firehose assumes to write to S3 and invoke the processor. A fixed RoleName makes the
            // stack non-redeployable in the same account (IAM names are account-global).
            // NOTE(review): the service principal string is empty in this listing; restore the specific
            // service from the original source (placeholder: <SERVICE>.amazonaws.com). ExternalIds is a
            // confused-deputy control and should hold the account id.
            var firehoseDeliveryRole = new Role(this, "FirehoseDeliveryRole", new RoleProps
                RoleName    = "FirehoseDeliveryRole",
                AssumedBy   = new ServicePrincipal(""),
                ExternalIds = new string[]

            // S3 write permission for the delivery role (not shown; scope to
            // clicksDestinationBucket.BucketArn and "<BucketArn>/*").
            var firehoseDeliveryPolicyS3Stm = new PolicyStatement();


            // Permissions granted to the processor function (actions/resources not shown).
            var lambdaFunctionPolicy = new PolicyStatement();

            var LambdaFunctionPolicyStmXRay = new PolicyStatement();

                //  Allows the Lambda function to interact with X-Ray
            // Record transformer invoked by Firehose.
            // NOTE(review): Runtime.DOTNET_CORE_2_1 is a deprecated Lambda runtime; target a supported
            // .NET runtime. The asset path points at a Debug build output.
            var mysfitsClicksProcessor = new Function(this, "Function", new FunctionProps
                Handler     = "streaming_lambda::streaming_lambda.function::FunctionHandlerAsync",
                Runtime     = Runtime.DOTNET_CORE_2_1,
                Description = "An Amazon Kinesis Firehose stream processor that enriches click records" +
                              " to not just include a mysfitId, but also other attributes that can be analyzed later.",
                MemorySize    = 128,
                Code          = Code.FromAsset("../lambda/stream/bin/Debug/netcoreapp2.1/Publish"),
                Timeout       = Duration.Seconds(30),
                Tracing       = Tracing.ACTIVE,
                InitialPolicy = new PolicyStatement[]
                Environment = new Dictionary <string, string>()

            // lambda:InvokeFunction for the delivery role (not shown; should name
            // mysfitsClicksProcessor.FunctionArn).
            var firehoseDeliveryPolicyLambdaStm = new PolicyStatement();


            // L1 delivery stream: buffers 60 s / 50 MB, writes uncompressed objects under firehose/ and
            // runs every record through the Lambda processor. No EncryptionConfiguration is declared.
            var mysfitsFireHoseToS3 = new CfnDeliveryStream(this, "DeliveryStream", new CfnDeliveryStreamProps
                ExtendedS3DestinationConfiguration = new CfnDeliveryStream.ExtendedS3DestinationConfigurationProperty()
                    BucketArn      = clicksDestinationBucket.BucketArn,
                    BufferingHints = new CfnDeliveryStream.BufferingHintsProperty
                        IntervalInSeconds = 60,
                        SizeInMBs         = 50
                    CompressionFormat       = "UNCOMPRESSED",
                    Prefix                  = "firehose/",
                    RoleArn                 = firehoseDeliveryRole.RoleArn,
                    ProcessingConfiguration = new CfnDeliveryStream.ProcessingConfigurationProperty
                        Enabled    = true,
                        Processors = new CfnDeliveryStream.ProcessorProperty[]
                            new CfnDeliveryStream.ProcessorProperty()
                                Type       = "Lambda",
                                Parameters = new CfnDeliveryStream.ProcessorParameterProperty
                                    ParameterName  = "LambdaArn",
                                    ParameterValue = mysfitsClicksProcessor.FunctionArn

            // Resource policy letting the service invoke the processor. SourceAccount and SourceArn
            // together pin the grant to this delivery stream (good confused-deputy hygiene).
            // NOTE(review): Principal is empty in this listing; restore the service principal
            // (placeholder: <SERVICE>.amazonaws.com).
            new CfnPermission(this, "Permission", new CfnPermissionProps
                Action        = "lambda:InvokeFunction",
                FunctionName  = mysfitsClicksProcessor.FunctionArn,
                Principal     = "",
                SourceAccount = Amazon.CDK.Aws.ACCOUNT_ID,
                SourceArn     = mysfitsFireHoseToS3.AttrArn

            // Role API Gateway assumes for the Firehose service integration below (service principal
            // string is empty in this listing — see note above).
            var clickProcessingApiRole = new Role(this, "ClickProcessingApiRole", new RoleProps
                AssumedBy = new ServicePrincipal("")

            // firehose:PutRecord for the API role (not shown; scope to mysfitsFireHoseToS3.AttrArn).
            var apiPolicy = new PolicyStatement();

            new Policy(this, "ClickProcessingApiPolicy", new PolicyProps
                PolicyName = "api_gateway_firehose_proxy_role",
                Statements = new PolicyStatement[]
                Roles = new[] { clickProcessingApiRole }

            // CloudWatchRole = false: no account-level role for API Gateway execution logging is created,
            // so request logs/metrics for this API depend on one existing elsewhere.
            var api = new RestApi(this, "APIEndpoint", new RestApiProps
                RestApiName    = "ClickProcessing API Service",
                CloudWatchRole = false,
                EndpointTypes  = new EndpointType[]

            var clicks = api.Root.AddResource("clicks");

            // Direct service integration: API Gateway calls firehose:PutRecord as clickProcessingApiRole
            // with the whole request body base64-encoded as the record. The MethodOptions below set no
            // AuthorizationType, so the method defaults to NONE — any internet client can write
            // arbitrary records into the stream; consider an authorizer or API key plus throttling.
            clicks.AddMethod("PUT", new AwsIntegration(new AwsIntegrationProps
                Service = "firehose",
                IntegrationHttpMethod = "POST",
                Action  = "PutRecord",
                Options = new IntegrationOptions
                    ConnectionType       = ConnectionType.INTERNET,
                    CredentialsRole      = clickProcessingApiRole,
                    IntegrationResponses = new IntegrationResponse[]
                        new IntegrationResponse()
                            StatusCode        = "200",
                            ResponseTemplates =
                                { "application/json", "{\"status\":\"OK\"}" }
                            ResponseParameters =
                                { "method.response.header.Access-Control-Allow-Headers", "'Content-Type'" },
                                { "method.response.header.Access-Control-Allow-Methods", "'OPTIONS,PUT'"  },
                                { "method.response.header.Access-Control-Allow-Origin",  "'*'"            }
                    RequestParameters =
                        { "integration.request.header.Content-Type", "'application/x-amz-json-1.1'" }
                    // mysfitsFireHoseToS3.Ref is a deploy-time token resolving to the stream name;
                    // $input.json('$') is the client payload, so nothing user-controlled is spliced
                    // into the JSON structure unencoded.
                    RequestTemplates =
                            "{\"DeliveryStreamName\":\"" + mysfitsFireHoseToS3.Ref +
                            "\", \"Record\": { \"Data\": \"$util.base64Encode($input.json('$'))\"}"
                             new MethodOptions
                MethodResponses = new MethodResponse[]
                    new MethodResponse
                        StatusCode         = "200",
                        ResponseParameters =
                            { "method.response.header.Access-Control-Allow-Headers", true },
                            { "method.response.header.Access-Control-Allow-Methods", true },
                            { "method.response.header.Access-Control-Allow-Origin",  true }

            // CORS preflight. Allow-Methods advertises GET/POST/DELETE although only PUT exists here,
            // and differs from the 'OPTIONS,PUT' returned by the PUT integration above.
            clicks.AddMethod("OPTIONS", new MockIntegration(new IntegrationOptions
                IntegrationResponses = new IntegrationResponse[]
                    new IntegrationResponse
                        StatusCode         = "200",
                        ResponseParameters = new Dictionary <string, string>
                            { "method.response.header.Access-Control-Allow-Origin", "'*'" },
                            { "method.response.header.Access-Control-Allow-Credentials", "'false'" },
                            { "method.response.header.Access-Control-Allow-Methods", "'OPTIONS,GET,PUT,POST,DELETE'" }
                PassthroughBehavior = PassthroughBehavior.NEVER,
                RequestTemplates    = new Dictionary <string, string>
                    { "application/json", "{\"statusCode\": 200}" }
                             new MethodOptions
                MethodResponses = new MethodResponse[]
                    new MethodResponse
                        StatusCode         = "200",
                        ResponseParameters = new Dictionary <string, bool>
                            { "method.response.header.Access-Control-Allow-Headers", true },
                            { "method.response.header.Access-Control-Allow-Methods", true },
                            { "method.response.header.Access-Control-Allow-Credentials", true },
                            { "method.response.header.Access-Control-Allow-Origin", true }
Exemple #6
        /// <summary>
        /// Three-stage CodePipeline: poll a CodeCommit repository's master branch, build with CodeBuild,
        /// then deploy the build output to the supplied ECS service.
        /// </summary>
        /// <param name="parent">Scope in which this stack is defined.</param>
        /// <param name="id">Construct identifier of the stack.</param>
        /// <param name="props">Source repository ARN and the ECS service to deploy to.</param>
        // NOTE(review): braces, the AddActions/AddResources calls on codeBuildPolicy and the Outputs
        // array contents are missing from this listing.
        public CiCdStack(Construct parent, string id, CiCdStackProps props) : base(parent, id, props)
            var apiRepository =
                Amazon.CDK.AWS.CodeCommit.Repository.FromRepositoryArn(this, "Repository", props.apiRepositoryArn);
            // Account id and region are exposed to the build as plain text; neither is secret.
            var environmentVariables = new Dictionary <string, IBuildEnvironmentVariable>();

            environmentVariables.Add("AWS_ACCOUNT_ID", new BuildEnvironmentVariable()
                Type  = BuildEnvironmentVariableType.PLAINTEXT,
                Value = Aws.ACCOUNT_ID
            environmentVariables.Add("AWS_DEFAULT_REGION", new BuildEnvironmentVariable()
                Type  = BuildEnvironmentVariableType.PLAINTEXT,
                Value = Aws.REGION
            // Privileged = true gives the build container elevated (Docker-capable) access; keep it only
            // because the build produces a container image. The UBUNTU_14_04 image is a long-retired
            // CodeBuild image — switch to a current LinuxBuildImage before deploying.
            var codebuildProject = new PipelineProject(this, "BuildProject", new PipelineProjectProps
                Environment = new BuildEnvironment
                    ComputeType          = ComputeType.SMALL,
                    BuildImage           = LinuxBuildImage.UBUNTU_14_04_PYTHON_3_5_2,
                    Privileged           = true,
                    EnvironmentVariables = environmentVariables
            // Extra permissions for the build role (not shown; presumably ECR push — scope to the
            // repository ARN where the actions allow it).
            var codeBuildPolicy = new PolicyStatement();


            // Source stage: polling rather than an event-driven trigger.
            var sourceOutput = new Artifact_();
            var sourceAction = new Amazon.CDK.AWS.CodePipeline.Actions.CodeCommitSourceAction(
                new Amazon.CDK.AWS.CodePipeline.Actions.CodeCommitSourceActionProps
                ActionName = "CodeCommit-Source",
                Branch     = "master",
                Trigger    = CodeCommitTrigger.POLL,
                Repository = apiRepository,
                Output     = sourceOutput

            var buildOutput = new Artifact_();
            var buildAction = new CodeBuildAction(new CodeBuildActionProps
                ActionName = "Build",
                Input      = sourceOutput,
                Outputs    = new Artifact_[]
                Project = codebuildProject

            // Deploy stage: the build artifact (image definitions) is applied to props.ecsService.
            var deployAction = new EcsDeployAction(new EcsDeployActionProps
                ActionName = "DeployAction",
                Input      = buildOutput,
                Service    = props.ecsService,

            var pipeline = new Pipeline(this, "Pipeline");

            pipeline.AddStage(new StageOptions
                StageName = "Source",
                Actions   = new Action[] { sourceAction }
            pipeline.AddStage(new StageOptions
                StageName = "Build",
                Actions   = new Action[] { buildAction }
            pipeline.AddStage(new StageOptions
                StageName = "Deploy",
                Actions   = new Action[] { deployAction }
        /// <summary>
        /// Pipeline for the TODO-list frontend: GitHub source, CodeBuild build, then a CloudFormation
        /// create/update deploy of the template produced by the build.
        /// </summary>
        /// <param name="parent">Scope in which this stack is defined.</param>
        /// <param name="id">Construct identifier of the stack.</param>
        /// <param name="props">Stack properties forwarded to the base constructor.</param>
        // NOTE(review): braces and the AddActions call on s3PolicyStatement (and where it is attached)
        // are missing from this listing.
        public ServerlessTodoListPipelineCdkStack(Construct parent, string id, IStackProps props) : base(parent, id, props)
            var frontendBuild = new PipelineProject(this, "CodeBuild", new PipelineProjectProps
                BuildSpec   = BuildSpec.FromSourceFilename("./Application/Final/ServerlessTODOList.Frontend/buildspec.yml"),
                Environment = new BuildEnvironment
                    BuildImage = LinuxBuildImage.STANDARD_2_0

            // Access to a hard-coded, externally owned bucket.
            // NOTE(review): "arn:aws:s3:::normj-east1/" (trailing slash) is not the bucket ARN — it
            // matches an object with an empty key. Bucket-level actions need "arn:aws:s3:::normj-east1".
            var s3PolicyStatement = new PolicyStatement();

            s3PolicyStatement.Effect = Effect.ALLOW;
            s3PolicyStatement.AddResources("arn:aws:s3:::normj-east1/", "arn:aws:s3:::normj-east1/*");

            var sourceOutput = new Artifact_();
            var buildOutput  = new Artifact_("BuildOutput");

            var pipeline = new Pipeline(this, "Pipeline", new PipelineProps
                Stages = new StageProps[]
                    new StageProps
                        StageName = "Source",
                        Actions   = new IAction[]
                            // NOTE(review): SecretValue.PlainText writes the personal access token into
                            // the synthesized CloudFormation template (and therefore into cdk.out and the
                            // CloudFormation console) in clear text. Store the token in Secrets Manager
                            // and reference it with SecretValue.SecretsManager instead.
                            new GitHubSourceAction(new GitHubSourceActionProps
                                ActionName = "GitHubSource",
                                Branch     = "master",
                                Repo       = "ServerlessTODOListTutorial",
                                Owner      = "normj",
                                OauthToken = SecretValue.PlainText(FetchGitHubPersonalAuthToken()),
                                Output     = sourceOutput
                    new StageProps
                        StageName = "Build",
                        Actions   = new IAction[]
                            new CodeBuildAction(new CodeBuildActionProps
                                ActionName = "BuildServerlessTODOListFrontend",
                                Project    = frontendBuild,
                                Input      = sourceOutput,
                                Outputs    = new Artifact_[] { buildOutput }
                    new StageProps
                        StageName = "Deploy",
                        Actions   = new IAction[]
                            // AdminPermissions = true grants the deployment role administrator access and
                            // ANONYMOUS_IAM lets the template create IAM resources with generated names;
                            // both are wide grants for a pipeline that deploys a frontend — confirm the
                            // template really needs them.
                            new CloudFormationCreateUpdateStackAction(new CloudFormationCreateUpdateStackActionProps
                                ActionName       = "DeployFrontend",
                                Capabilities     = new CloudFormationCapabilities[] { CloudFormationCapabilities.ANONYMOUS_IAM, CloudFormationCapabilities.AUTO_EXPAND },
                                TemplatePath     = ArtifactPath_.ArtifactPath("BuildOutput", "updated.template"),
                                StackName        = "ServerlessFrontendCdk",
                                AdminPermissions = true
        /// <summary>
        /// Constructor. Creates a Kinesis stream that receives CloudWatch log records, wires the
        /// supplied log-shipper Lambda to it, and installs an EventBridge rule that reacts to
        /// CloudTrail-observed CreateLogGroup calls by (optionally) setting a retention period and
        /// subscribing the new log group to the stream.
        /// </summary>
        /// <param name="scope">Scope in which this construct is defined.</param>
        /// <param name="id">Construct identifier.</param>
        /// <param name="props">Kinesis stream settings, the log-shipper function, log-group prefix,
        /// filter pattern and optional retention in days.</param>
        // NOTE(review): braces are missing from this listing; the statements themselves appear intact.
        public LogAggregator(Construct scope, string id, LogAggregatorProps props)
            : base(scope, id)
            // The Kinesis stream that will receive all lambda logs.
            var kinesisStream = new Amazon.CDK.AWS.Kinesis.Stream(this, "Stream", props.KinesisStreamProps);

            // Forward all records from kinesis to the log shipper.
            // NOTE(review): props.LogShipper is dereferenced here unconditionally, so the null check on
            // excludedLogGroups further down can never be reached with a null shipper — either validate
            // the argument up front (ArgumentNullException.ThrowIfNull) or make this call conditional.
            props.LogShipper.AddEventSource(new KinesisEventSource(kinesisStream,
                                                                   new KinesisEventSourceProps {
                BatchSize         = props.KinesisBatchSize,
                MaxBatchingWindow = props.KinesisMaxBatchingWindow,
                StartingPosition  = StartingPosition.TRIM_HORIZON,

            // Create a role (containing a policy) that can be assumed by CloudWatch logs to put records in Kinesis.
            // Least privilege: only the two put actions, only on this stream's ARN.
            var statement = new PolicyStatement();

            statement.AddActions(new[] { "kinesis:PutRecords", "kinesis:PutRecord" });
            statement.AddResources(new[] { kinesisStream.StreamArn });

            // NOTE(review): the service principal string is empty in this listing; the original must
            // name the CloudWatch Logs service (placeholder: <SERVICE>.amazonaws.com), otherwise the
            // subscription filter created by the Lambda below cannot pass this role.
            var cloudWatchLogsToKinesisRole = new Role(this, "CloudWatchLogsToKinesis", new RoleProps
                AssumedBy = new ServicePrincipal("")

            cloudWatchLogsToKinesisRole.AttachInlinePolicy(new Policy(this, "CanPutRecordsInKinesis", new PolicyProps
                Statements = new[] { statement }

            // This CloudWatch rule will trigger whenever a new LogGroup is created. This assumes
            // that CloudTrail is enabled.
            // NOTE(review): the eventSource match value is an empty string in this listing; an empty
            // eventSource never matches a CloudTrail event, so the rule would be inert as shown.
            // Restore the service name from the original source (placeholder: <SERVICE>.amazonaws.com).
            var createLogGroupEventRule = new Rule(this, "CreateLogGroupEvent", new RuleProps {
                Description  = "Fires whenever CloudTrail detects that a log group is created",
                EventPattern = new EventPattern {
                    Source     = new[] { "aws.logs" },
                    DetailType = new[] { "AWS API Call via CloudTrail" },
                    Detail     = new Dictionary <string, object>
                        { "eventSource", new string[] { "" } },
                        { "eventName", new string[] { "CreateLogGroup" } },

            // Optional: cap retention on every newly created log group.
            // NODEJS_10_X is a deprecated Lambda runtime; move to a supported Node.js runtime.
            if (props.CloudWatchLogRetentionInDays.HasValue)
                var setLogGroupExpirationLambda = new Function(this, "SetLogGroupExpiration", new FunctionProps
                    Runtime     = Runtime.NODEJS_10_X,
                    Handler     = "index.handler",
                    Description = $"Sets the log retention policy to {props.CloudWatchLogRetentionInDays} days when a log group is created.",
                    MemorySize  = 128,
                    Environment = new Dictionary <string, string>
                        { "retention_days", props.CloudWatchLogRetentionInDays.Value.ToString() },
                        { "prefix", props.LogGroupsPrefix },
                    Code = Code.FromInline(EmbeddedResourceReader.Read("Resources.SetExpiry.js"))

                // This lambda must be able to change the logs retention policy.
                // "*" is used because the target log groups do not exist yet; a log-group ARN pattern
                // built from props.LogGroupsPrefix would narrow this if the prefix is fixed.
                setLogGroupExpirationLambda.AddToRolePolicy(new PolicyStatement(new PolicyStatementProps
                    Effect    = Effect.ALLOW,
                    Actions   = new[] { "logs:PutRetentionPolicy" },
                    Resources = new[] { "*" },

                // This lambda should be invoked automatically when a log group is created.
                createLogGroupEventRule.AddTarget(new LambdaFunction(setLogGroupExpirationLambda));

            // Presumably excludes the shipper's own log group so it does not consume its own output
            // (a feedback loop) — confirm against the JS handler.
            var excludedLogGroups = props.LogShipper == null ? "" : $"/aws/lambda/{props.LogShipper.FunctionName}";

            // This function will be invoked whenever a CloudWatch log group is created. It will
            // subscribe the log group to our Kinesis Data Stream so that all logs end up in the
            // DataStream.
            var subscribeLogGroupsToKinesisLambda = new Function(this, "SubscribeLogGroupsToKinesis", new FunctionProps
                Runtime     = Runtime.NODEJS_10_X,
                Handler     = "index.handler",
                Description = "Subscribe logs to the Kinesis stream",
                MemorySize  = 128,
                Environment = new Dictionary <string, string>
                    { "arn", kinesisStream.StreamArn },
                    { "role_arn", cloudWatchLogsToKinesisRole.RoleArn },
                    { "prefix", props.LogGroupsPrefix },
                    { "excluded_log_groups", excludedLogGroups },
                    { "filter_pattern", props.CloudWatchLogsFilterPattern.ToString() },
                Code = Code.FromInline(EmbeddedResourceReader.Read("Resources.SubscribeLogGroupsToKinesis.js"))

            // Same remark as for PutRetentionPolicy: "*" because the log groups are created later.
            subscribeLogGroupsToKinesisLambda.AddToRolePolicy(new PolicyStatement(new PolicyStatementProps
                Effect    = Effect.ALLOW,
                Actions   = new [] { "logs:PutSubscriptionFilter" },
                Resources = new[] { "*" },

            // NOTE(review): iam:PassRole on "*" lets this function hand ANY role in the account to the
            // Logs service. The only role it needs to pass is known here, so this should read
            // Resources = new[] { cloudWatchLogsToKinesisRole.RoleArn }.
            subscribeLogGroupsToKinesisLambda.AddToRolePolicy(new PolicyStatement(new PolicyStatementProps
                Effect    = Effect.ALLOW,
                Actions   = new[] { "iam:PassRole" },
                Resources = new[] { "*" },

            createLogGroupEventRule.AddTarget(new LambdaFunction(subscribeLogGroupsToKinesisLambda));
Exemple #9
        internal StepFunctionDemoStack(Construct scope, string id, IStackProps props = null) : base(scope, id, props)
            Bucket stepFunctionDemoBucket = new Bucket(this, "StepFunctionDemoBucket", new BucketProps
                Encryption    = BucketEncryption.S3_MANAGED,
                RemovalPolicy = RemovalPolicy.RETAIN

            Table stepFunctionDemoTable = new Table(this, "StepFunctionDemoTable", new TableProps {
                BillingMode  = BillingMode.PROVISIONED,
                PartitionKey = new Amazon.CDK.AWS.DynamoDB.Attribute
                    Name = "Id",
                    Type = AttributeType.STRING
                RemovalPolicy = RemovalPolicy.DESTROY

            //Step Function invoking Lambda function
            Function invokeOddEvenStepFunction = new Function(this, "InvokeOddEvenStepFunction", new FunctionProps
                Runtime     = Runtime.DOTNET_CORE_3_1,
                Code        = Code.FromAsset("src/Demo.Services.Lambda/bin/Release/netcoreapp3.1/"),
                Handler     = "Demo.Services.Lambda::Demo.Services.Lambda.Functions::InvokeOddEvenStepFunction",
                Timeout     = Duration.Minutes(5),
                MemorySize  = 512,
                Description = "Lambda Function that invokes the Demo Step Function",

            //Function to calculate Odd or Even
            Function oddOrEvenFunction = new Function(this, "OddOrEvenFunction", new FunctionProps
                Runtime     = Runtime.DOTNET_CORE_3_1,
                Code        = Code.FromAsset("src/Demo.Services.Lambda/bin/Release/netcoreapp3.1/"),
                Handler     = "Demo.Services.Lambda::Demo.Services.Lambda.Functions::OddOrEvenFunction",
                Timeout     = Duration.Minutes(5),
                MemorySize  = 512,
                Description = "Lambda Function that calculates odd or even",

            //Demo Lambda to perform Process 1
            Function process1Function = new Function(this, "Process1Function", new FunctionProps
                Runtime     = Runtime.DOTNET_CORE_3_1,
                Code        = Code.FromAsset("src/Demo.Services.Lambda/bin/Release/netcoreapp3.1/"),
                Handler     = "Demo.Services.Lambda::Demo.Services.Lambda.Functions::Process1Function",
                Timeout     = Duration.Minutes(5),
                MemorySize  = 512,
                Description = "Demo Lambda Function that runs process1",

            Function processAFunction = new Function(this, "ProcessAFunction", new FunctionProps
                Runtime     = Runtime.DOTNET_CORE_3_1,
                Code        = Code.FromAsset("src/Demo.Services.Lambda/bin/Release/netcoreapp3.1/"),
                Handler     = "Demo.Services.Lambda::Demo.Services.Lambda.Functions::Process1Function",
                Timeout     = Duration.Minutes(5),
                MemorySize  = 512,
                Description = "Demo Lambda Function that runs process1",

            //Demo Lambda to perform Process 2
            Function process2Function = new Function(this, "Process2Function", new FunctionProps
                Runtime     = Runtime.DOTNET_CORE_3_1,
                Code        = Code.FromAsset("src/Demo.Services.Lambda/bin/Release/netcoreapp3.1/"),
                Handler     = "Demo.Services.Lambda::Demo.Services.Lambda.Functions::Process2Function",
                Timeout     = Duration.Minutes(5),
                MemorySize  = 512,
                Description = "Demo Lambda Function that runs process2",

            //Demo Lambda to perform Process 1
            Function process11Function = new Function(this, "Process11Function", new FunctionProps
                Runtime     = Runtime.DOTNET_CORE_3_1,
                Code        = Code.FromAsset("src/Demo.Services.Lambda/bin/Release/netcoreapp3.1/"),
                Handler     = "Demo.Services.Lambda::Demo.Services.Lambda.Functions::Process11Function",
                Timeout     = Duration.Minutes(5),
                MemorySize  = 512,
                Description = "Demo Lambda Function that runs job process1",

            //Demo Lambda to perform Process 2
            Function process12Function = new Function(this, "Process12Function", new FunctionProps
                Runtime     = Runtime.DOTNET_CORE_3_1,
                Code        = Code.FromAsset("src/Demo.Services.Lambda/bin/Release/netcoreapp3.1/"),
                Handler     = "Demo.Services.Lambda::Demo.Services.Lambda.Functions::Process12Function",
                Timeout     = Duration.Minutes(5),
                MemorySize  = 512,
                Description = "Demo Lambda Function that runs job process2",

            Function taskTokenExecutorFunction = new Function(this, "TaskTokenExecutorFunction", new FunctionProps
                Runtime     = Runtime.DOTNET_CORE_3_1,
                Code        = Code.FromAsset("src/Demo.Services.Lambda/bin/Release/netcoreapp3.1/"),
                Handler     = "Demo.Services.Lambda::Demo.Services.Lambda.Functions::TaskTokenExecutor",
                Timeout     = Duration.Minutes(5),
                MemorySize  = 512,
                Description = "Demo Lambda Function that executes Task Token Step",
                Environment = new Dictionary <string, string>()
                    ["STEP_FUNCTION_DEMO_BUCKET"] = stepFunctionDemoBucket.BucketName


            var oddEvenFunction = new Task(this, "OddEvenFunction", new TaskProps
                Task = new InvokeFunction(oddOrEvenFunction.LatestVersion)

            var process1 = new Task(this, "Process1", new TaskProps
                Task = new InvokeFunction(process1Function.LatestVersion)

            var processA = new Task(this, "ProcessA", new TaskProps
                Task = new InvokeFunction(processAFunction.LatestVersion)

            var process2 = new Task(this, "Process2", new TaskProps
                Task = new InvokeFunction(process2Function.LatestVersion)

            var process11 = new Task(this, "Process11", new TaskProps
                Task       = new InvokeFunction(process11Function.LatestVersion),
                ResultPath = "$.Resolved"

            var process12 = new Task(this, "Process12", new TaskProps
                Task = new InvokeFunction(process12Function.LatestVersion)

            var taskTokenExecutor = new Task(this, "TaskTokenExecutor", new TaskProps
                Task = new RunLambdaTask(taskTokenExecutorFunction.LatestVersion, new RunLambdaTaskProps()
                    IntegrationPattern = ServiceIntegrationPattern.WAIT_FOR_TASK_TOKEN,
                    Payload            = TaskInput.FromContextAt("$$.Task.Token")
                Parameters = new Dictionary <string, object>
                    ["Payload"] = new Dictionary <string, object>
                        ["TaskToken.$"] = "$$.Task.Token",
                        ["State.$"]     = "$"

            //Choice to go to Process 1 or Process 2 based on input number is odd or even.
            var isEven = new Choice(this, "Is the number Even?");
            var isResolvedOrOverriden = new Choice(this, "Is Resolved Or Overriden?");

            //var chain1 = Chain.Start(oddEvenFunction)
            //    .Next(isEven
            //            .When(
            //                Condition.StringEquals("$.Result", "Even"),
            //                Chain.Start(process1)
            //                    .Next(process11)
            //                    .Next(isResolvedOrOverriden
            //                        .When(
            //                            Condition.Or(
            //                                new[]
            //                                {
            //                                    Condition.BooleanEquals("$.Resolved", true),
            //                                    Condition.BooleanEquals("$.Override", true)
            //                                }), process12)
            //                        .Otherwise(process2)))
            //            .When(Condition.StringEquals("$.Result", "Odd"), process2));

            var chain1 = Chain.Start(oddEvenFunction)
                                   Condition.StringEquals("$.Result", "Even"),
                Condition.BooleanEquals("$.Resolved", true),
                Condition.BooleanEquals("$.Override", true)
            }), process12)
                               .When(Condition.StringEquals("$.Result", "Odd"), process2));

            //State Machine

            var stateMachine = new StateMachine(this, "JobDemoStateMachine", new StateMachineProps
                StateMachineName = "JobDemoStateMachine",
                Timeout          = Duration.Minutes(5),
                Definition       = chain1

            stateMachine.Role?.AddManagedPolicy(ManagedPolicy.FromManagedPolicyArn(this, "DynamoDBFullAccessForStepFunction", "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"));

            stateMachine.Role?.AddManagedPolicy(ManagedPolicy.FromManagedPolicyArn(this, "LambdaFullAccessForStepFunction", "arn:aws:iam::aws:policy/AWSLambdaFullAccess"));

            var demofargateTask1 = new FargateTaskDefinition(this,
                                                             "demoECSTask1Definition", new FargateTaskDefinitionProps
                MemoryLimitMiB = 4096,
                Cpu            = 2048
            var demofargateTask2 = new FargateTaskDefinition(this,
                                                             "demoECSTask2Definition", new FargateTaskDefinitionProps
                MemoryLimitMiB = 4096,
                Cpu            = 2048


            IVpc publicVpc = Vpc.FromLookup(this, "PublicVPC", new VpcLookupOptions
                Tags = new Dictionary <string, string>
                    ["Paces:VpcType"] = "Public"
            var cluster = Cluster.FromClusterAttributes(this, "PublicCluster", new ClusterAttributes
                ClusterName    = "OHC-PACES",
                Vpc            = publicVpc,
                SecurityGroups = new[]
                { SecurityGroup.FromSecurityGroupId(this, "SecurityGroup", "sg-0a1bab8166d8fb715") }

            var container1 = demofargateTask1.AddContainer("app", new ContainerDefinitionOptions
                Image = ContainerImage.FromAsset(".", new AssetImageProps
                    File = "Dockerfile"
                Logging = LogDriver.AwsLogs(new AwsLogDriverProps
                    LogGroup = new LogGroup(this, "demoECSTask1LogGroup", new LogGroupProps
                        LogGroupName = "/ecs/demoECSTask1-" + RandomString.Generate(10, StackId),
                    StreamPrefix = "logs"

            var container2 = demofargateTask2.AddContainer("app", new ContainerDefinitionOptions
                Image = ContainerImage.FromAsset(".", new AssetImageProps
                    File = "Dockerfile.1"
                Environment = new Dictionary <string, string>
                    ["STEP_FUNCTION_DEMO_BUCKET"] = stepFunctionDemoBucket.BucketName
                Logging = LogDriver.AwsLogs(new AwsLogDriverProps
                    LogGroup = new LogGroup(this, "demoECSTask2LogGroup", new LogGroupProps
                        LogGroupName = $"/ecs/demoECSTask2-{RandomString.Generate(10, StackId)}",
                    StreamPrefix = "logs"

            Rule rule = new Rule(this, "DemoJobRule", new RuleProps
                Schedule = Schedule.Cron(new CronOptions
                    Day    = "*",
                    Hour   = "*",
                    Minute = "1",
                    Month  = "*",
                    Year   = "*"
                Description = "Runs demo job fargate task",
                Targets     = new IRuleTarget[]
                    new EcsTask(
                        new EcsTaskProps
                        Cluster         = cluster,
                        TaskDefinition  = demofargateTask2,
                        SubnetSelection = new SubnetSelection
                            OnePerAz = true

            //var ecsTask1 = new Task(this, "ecsTask1", new TaskProps
            //    InputPath = "$",
            //    Task = new CustomTask(new RunEcsFargateTaskProps
            //    {

            //        Cluster = Cluster.FromClusterAttributes(this, "PublicCluster", new ClusterAttributes
            //        {
            //            ClusterName = "OHC-PACES",
            //            Vpc = publicVpc,
            //            SecurityGroups = new[] { SecurityGroup.FromSecurityGroupId(this, "SecurityGroup", "sg-0a1bab8166d8fb715") }
            //        }),
            //        TaskDefinition = fargateTask1,

            //        ContainerOverrides = new[]
            //        {
            //            new ContainerOverride
            //            {
            //               ContainerDefinition = container,
            //               Command = new []{"$.Data"}
            //            },

            //        }
            //    })

            var ecsTask1 = new Task(this, "EcsTask1", new TaskProps
                InputPath = "$",
                Task      = new RunEcsFargateTask(new RunEcsFargateTaskProps
                    Cluster        = cluster,
                    TaskDefinition = demofargateTask1,

                    //ContainerOverrides = new[]
                    //    new ContainerOverride
                    //    {
                    //        ContainerDefinition = container,
                    //    },

                Parameters = new Dictionary <string, object>
                    ["Overrides"] = new Dictionary <string, object>
                        ["ContainerOverrides"] = new Dictionary <string, string>[]
                            new Dictionary <string, string> {
                                ["Name"]      = "app",
                                ["Command.$"] = "$.ECSPayload"

            var chain2 = Chain.Start(processA).Next(ecsTask1);

            var stateMachineWithTask = new StateMachine(this, "JobDemoStateMachine-1", new StateMachineProps
                StateMachineName = "JobDemoStateMachine-1",
                Timeout          = Duration.Minutes(15),
                Definition       = chain2,
                Role             = Role.FromRoleArn(this, "StateMachineWithTaskRole",

            //All Policies
            // 1. Invoke function policies

            invokeOddEvenStepFunction.Role?.AddManagedPolicy(ManagedPolicy.FromManagedPolicyArn(this, "InvokeLambdaPolicy", "arn:aws:iam::aws:policy/AWSLambdaFullAccess"));

            var policyStatement = new PolicyStatement
                Sid    = "CanInvokeStepFunctions",
                Effect = Effect.ALLOW

            policyStatement.AddActions(new[] { "states:StartExecution" });

            invokeOddEvenStepFunction.AddEnvironment(Functions.StateMachineArnKey, stateMachine.StateMachineArn);

            process12Function.AddEnvironment(Functions.StepFunctionDemoBucketKey, stepFunctionDemoBucket.BucketName);


            var policyStatementDemofargateTask2 = new PolicyStatement
                Sid    = "CanNotifyStepFunction",
                Effect = Effect.ALLOW

            policyStatementDemofargateTask2.AddActions(new[] { "states:SendTask*" });

        public DynamoDbStack(Construct parent, string id, DynamoDbStackProps props) : base(parent, id, props)
            var dynamoDbEndpoint = props.Vpc.AddGatewayEndpoint("DynamoDbEndpoint", new GatewayVpcEndpointOptions
                Service = GatewayVpcEndpointAwsService.DYNAMODB

            var dynamoDbPolicy = new PolicyStatement();


            this.table = new Table(this, "Table", new TableProps
                TableName    = "MysfitsTable",
                PartitionKey = new Attribute
                    Name = "MysfitId",
                    Type = AttributeType.STRING
            this.table.AddGlobalSecondaryIndex(new GlobalSecondaryIndexProps
                IndexName    = "LawChaosIndex",
                PartitionKey = new Attribute
                    Name = "LawChaos",
                    Type = AttributeType.STRING
                SortKey = new Attribute
                    Name = "MysfitId",
                    Type = AttributeType.STRING
                ReadCapacity   = 5,
                WriteCapacity  = 5,
                ProjectionType = ProjectionType.ALL
            this.table.AddGlobalSecondaryIndex(new GlobalSecondaryIndexProps
                IndexName    = "GoodEvilIndex",
                PartitionKey = new Attribute
                    Name = "GoodEvil",
                    Type = AttributeType.STRING
                SortKey = new Attribute
                    Name = "MysfitId",
                    Type = AttributeType.STRING
                ReadCapacity   = 5,
                WriteCapacity  = 5,
                ProjectionType = ProjectionType.ALL

            var fargatePolicy = new PolicyStatement();

                //  Allows the ECS tasks to interact with only the MysfitsTable in DynamoDB