Source code of CDK custom resource
I found the following code in AWS CDK code (TypeScript) in my daily job.
import { custom_resources as customResources } from "aws-cdk-lib";

// This snippet sits inside a Stack constructor (hence `this` and `props`).
// The LogGroup class doesn't expose any methods or properties to update
// the tags used by a log group, so an AwsCustomResource calls the SDK directly.
new customResources.AwsCustomResource(this, "CwlTagsCustomResource", {
  onCreate: {
    service: "CloudWatchLogs",
    action: "tagLogGroup",
    parameters: {
      logGroupName: `/aws/rds/cluster/${props.ctx.auroraClusterName}/postgresql`,
      tags: props.ctx.commonTags,
    },
    physicalResourceId: customResources.PhysicalResourceId.of("CwlTagsCustomResource"),
  },
  policy: customResources.AwsCustomResourcePolicy.fromSdkCalls({
    resources: customResources.AwsCustomResourcePolicy.ANY_RESOURCE,
  }),
});
This AwsCustomResource construct creates a Lambda function. The Lambda performs an operation that cannot be expressed with plain AWS CDK constructs. The combination of service and action maps to an AWS SDK operation (here CloudWatchLogs.tagLogGroup), and the policy passed as `policy` becomes the IAM permissions of the Lambda's role; with ANY_RESOURCE that permission is granted on Resource "*".
Generated CF template
CwlTagsCustomResource0E62E282:
  Type: Custom::AWS
  Properties:
    ServiceToken:
      Fn::GetAtt:
        - AWS679f53fac002430cb0da5b7982bd22872D164C4C
        - Arn
    Create: '{"service":"CloudWatchLogs","action":"tagLogGroup","parameters":{"logGroupName":"/aws/rds/cluster/xxx/postgresql","tags":{"owner": "engineering"}},"physicalResourceId":{"id":"CwlTagsCustomResource"}}'
    InstallLatestAwsSdk: true
  DependsOn:
    - CwlTagsCustomResourceCustomResourcePolicyD3043FB6
  UpdateReplacePolicy: Delete
  DeletionPolicy: Delete
  Metadata:
    aws:cdk:path: xxx-aurora-cluster/CwlTagsCustomResource/Resource/Default
CwlTagsCustomResourceCustomResourcePolicyD3043FB6:
  Type: AWS::IAM::Policy
  Properties:
    PolicyDocument:
      Statement:
        - Action: logs:TagLogGroup
          Effect: Allow
          Resource: "*"
      Version: "2012-10-17"
    PolicyName: CwlTagsCustomResourceCustomResourcePolicyD3043FB6
    Roles:
      - Ref: AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
  Metadata:
    aws:cdk:path: xxx-aurora-cluster/CwlTagsCustomResource/CustomResourcePolicy/Resource
AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
      Version: "2012-10-17"
    ManagedPolicyArns:
      - Fn::Join:
          - ""
          - - "arn:"
            - Ref: AWS::Partition
            - :iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
  Metadata:
    aws:cdk:path: xxx-aurora-cluster/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/Resource
AWS679f53fac002430cb0da5b7982bd22872D164C4C:
  Type: AWS::Lambda::Function
  Properties:
    Code:
      S3Bucket: <omitted>
      S3Key: <omitted>
    Role:
      Fn::GetAtt:
        - AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
        - Arn
    Handler: index.handler
    Runtime: nodejs16.x
    Timeout: 120
  DependsOn:
    - AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2
  Metadata:
    aws:cdk:path: xxx-aurora-cluster/AWS679f53fac002430cb0da5b7982bd2287/Resource
    aws:asset:path: asset.zzzzzzzzzzzzzzzzzzzz
    aws:asset:is-bundled: false
    aws:asset:property: Code
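The generated policy above grants logs:TagLogGroup on Resource "*" because the CDK code passed ANY_RESOURCE. The following is an added example, not code from the original post or from the CDK project: a small check that scans a synthesized template for Allow statements on "*" attached to IAM policies, plus a helper that builds the log-group ARN to pass to fromSdkCalls instead of ANY_RESOURCE. The template object is constructed from the YAML above (logical IDs copied from the post; region and account are placeholders), and the ARN shape follows the log-group resource type in the CloudWatch Logs entry of the Service Authorization Reference.

```typescript
// Added example: least-privilege check for AwsCustomResource policies.
// Not part of the original post; the sample template below is constructed
// from the post's YAML, with region/account values that are placeholders.

type Statement = { Action: string | string[]; Effect: string; Resource: string | string[] };
type CfnResource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, CfnResource> };

interface WildcardFinding {
  logicalId: string;   // logical ID of the AWS::IAM::Policy / ManagedPolicy
  actions: string[];   // actions allowed on Resource "*"
  roles: string[];     // roles the policy is attached to (Ref targets)
}

// Walk every IAM policy in the template and report Allow statements whose
// Resource list contains "*". This is the pattern ANY_RESOURCE produces.
function findWildcardStatements(template: Template): WildcardFinding[] {
  const findings: WildcardFinding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::IAM::Policy" && res.Type !== "AWS::IAM::ManagedPolicy") continue;
    const statements: Statement[] = res.Properties?.PolicyDocument?.Statement ?? [];
    const roles: string[] = (res.Properties?.Roles ?? []).map((r: any) =>
      typeof r === "string" ? r : r.Ref ?? JSON.stringify(r)
    );
    for (const s of statements) {
      if (s.Effect !== "Allow") continue;
      const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
      if (!resources.includes("*")) continue;
      const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
      findings.push({ logicalId, actions, roles });
    }
  }
  return findings;
}

// Build the log-group ARN to scope the custom resource's policy to one log
// group. Note that CDK's LogGroup.logGroupArn appends ":*"; use whichever
// form the Service Authorization Reference lists for the action you call.
function logGroupArn(partition: string, region: string, account: string, logGroupName: string): string {
  return `arn:${partition}:logs:${region}:${account}:log-group:${logGroupName}`;
}

// Constructed sample: the policy and Lambda from the template above, in the
// JSON form `cdk synth --json` emits.
const sampleTemplate: Template = {
  Resources: {
    CwlTagsCustomResourceCustomResourcePolicyD3043FB6: {
      Type: "AWS::IAM::Policy",
      Properties: {
        PolicyDocument: {
          Statement: [{ Action: "logs:TagLogGroup", Effect: "Allow", Resource: "*" }],
          Version: "2012-10-17",
        },
        PolicyName: "CwlTagsCustomResourceCustomResourcePolicyD3043FB6",
        Roles: [{ Ref: "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2" }],
      },
    },
    AWS679f53fac002430cb0da5b7982bd22872D164C4C: { Type: "AWS::Lambda::Function", Properties: {} },
  },
};

// Stand-alone run: report the finding and the scoped ARN that would replace "*".
for (const f of findWildcardStatements(sampleTemplate)) {
  console.log(`${f.logicalId}: ${f.actions.join(",")} on "*" for roles ${f.roles.join(",")}`);
}
console.log(logGroupArn("aws", "ap-northeast-1", "123456789012", "/aws/rds/cluster/xxx/postgresql"));
```

To apply the fix in the CDK code, replace `resources: customResources.AwsCustomResourcePolicy.ANY_RESOURCE` with `resources: [logGroupArn(Stack.of(this).partition, Stack.of(this).region, Stack.of(this).account, logGroupName)]`; fromSdkCalls accepts a list of ARNs, and the generated AWS::IAM::Policy then carries that ARN instead of "*". Running the check against `cdk synth --json` output catches any other custom resource in the stack that still uses ANY_RESOURCE.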
Timing that Lambda is triggered
You can specify which SDK operation the Lambda runs at each lifecycle event of the custom resource:
- onCreate
- onUpdate
- onDelete
The physicalResourceId you specify is used to identify and track the resource, so that CloudFormation can detect updates and deletions.
(In the snippet above, physicalResourceId is set to the custom resource whose id=CwlTagsCustomResource, which is the custom resource itself. I think this does not make sense, but it causes no problem because the CDK code specifies only onCreate.)
Ref