AwsSdkCall

class aws_cdk.custom_resources.AwsSdkCall(*, action, service, api_version=None, assumed_role_arn=None, external_id=None, ignore_error_codes_matching=None, logging=None, output_paths=None, parameters=None, physical_resource_id=None, region=None)

Bases: object

An AWS SDK call.

Parameters:

  • action (str) – The service action to call. This is the name of an AWS API call, in one of the following forms: - An API call name as found in the API Reference documentation (GetObject) - The API call name starting with a lowercase letter (getObject) - The AWS SDK for JavaScript v3 command class name (GetObjectCommand)

  • service (str) – The service to call. This is the name of an AWS service, in one of the following forms: - An AWS SDK for JavaScript v3 package name (@aws-sdk/client-api-gateway) - An AWS SDK for JavaScript v3 client name (api-gateway) - An AWS SDK for JavaScript v2 constructor name (APIGateway) - A lowercase AWS SDK for JavaScript v2 constructor name (apigateway)

  • api_version (Optional[str]) – API version to use for the service. Default: - use latest available API version

  • assumed_role_arn (Optional[str]) – Used for running the SDK calls in underlying lambda with a different role. Can be used primarily for cross-account requests to for example connect hostedzone with a shared vpc. Region controls where assumeRole call is made. Example for Route53 / associateVPCWithHostedZone Default: - run without assuming role

  • external_id (Optional[str]) – External ID to use when assuming the role for cross-account requests. This is an additional security measure that helps prevent the “confused deputy” problem where an entity that doesn’t have permission to perform an action can coerce a more-privileged entity to perform the action. The external ID must be provided by the third-party service and should not be generated by you. This value should be unique among the third-party service’s customers. This property is only used when assumedRoleArn is specified. Default: - no external ID

  • ignore_error_codes_matching (Optional[str]) – The regex pattern to use to catch API errors. The code property of the Error object will be tested against this pattern. If there is a match an error will not be thrown. Default: - do not catch errors

  • logging (Optional[Logging]) – A property used to configure logging during lambda function execution. Note: The default Logging configuration is all. This configuration will enable logging on all logged data in the lambda handler. This includes: - The event object that is received by the lambda handler - The response received after making a API call - The response object that the lambda handler will return - SDK versioning information - Caught and uncaught errors Default: Logging.all()

  • output_paths (Optional[Sequence[str]]) – Restrict the data returned by the custom resource to specific paths in the API response. Use this to limit the data returned by the custom resource if working with API calls that could potentially result in custom response objects exceeding the hard limit of 4096 bytes. Example for ECS / updateService: [‘service.deploymentConfiguration.maximumPercent’] Default: - return all data

  • parameters (Any) – The parameters for the service action. Default: - no parameters

  • physical_resource_id (Optional[PhysicalResourceId]) – The physical resource id of the custom resource for this call. Mandatory for onCreate call. In onUpdate, you can omit this to passthrough it from request. Default: - no physical resource id

  • region (Optional[str]) – The region to send service requests to. Note: Cross-region operations are generally considered an anti-pattern. Consider first deploying a stack in that region. Default: - the region where this custom resource is deployed

Example:

cr.AwsCustomResource(self, "GetParameterCustomResource",
    on_update=cr.AwsSdkCall( # will also be called for a CREATE event
        service="SSM",
        action="getParameter",
        parameters={
            "Name": "my-parameter",
            "WithDecryption": True
        },
        physical_resource_id=cr.PhysicalResourceId.from_response("Parameter.ARN")),
    policy=cr.AwsCustomResourcePolicy.from_sdk_calls(
        resources=cr.AwsCustomResourcePolicy.ANY_RESOURCE
    )
)

Attributes

action

The service action to call.

This is the name of an AWS API call, in one of the following forms:

  • An API call name as found in the API Reference documentation (GetObject)

  • The API call name starting with a lowercase letter (getObject)

  • The AWS SDK for JavaScript v3 command class name (GetObjectCommand)

See:

https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/index.html

api_version

API version to use for the service.

Default:

  • use latest available API version

See:

https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/locking-api-versions.html

assumed_role_arn

Used for running the SDK calls in underlying lambda with a different role.

Can be used primarily for cross-account requests to for example connect hostedzone with a shared vpc. Region controls where assumeRole call is made.

Example for Route53 / associateVPCWithHostedZone

Default:

  • run without assuming role

external_id

External ID to use when assuming the role for cross-account requests.

This is an additional security measure that helps prevent the “confused deputy” problem where an entity that doesn’t have permission to perform an action can coerce a more-privileged entity to perform the action.

The external ID must be provided by the third-party service and should not be generated by you. This value should be unique among the third-party service’s customers.

This property is only used when assumedRoleArn is specified.

Default:

  • no external ID

See:

https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html

ignore_error_codes_matching

The regex pattern to use to catch API errors.

The code property of the Error object will be tested against this pattern. If there is a match an error will not be thrown.

Default:

  • do not catch errors

logging

A property used to configure logging during lambda function execution.

Note: The default Logging configuration is all. This configuration will enable logging on all logged data in the lambda handler. This includes:

  • The event object that is received by the lambda handler

  • The response received after making a API call

  • The response object that the lambda handler will return

  • SDK versioning information

  • Caught and uncaught errors

Default:

Logging.all()

output_paths

Restrict the data returned by the custom resource to specific paths in the API response.

Use this to limit the data returned by the custom resource if working with API calls that could potentially result in custom response objects exceeding the hard limit of 4096 bytes.

Example for ECS / updateService: [‘service.deploymentConfiguration.maximumPercent’]

Default:

  • return all data

parameters

The parameters for the service action.

Default:

  • no parameters

See:

https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/index.html

physical_resource_id

The physical resource id of the custom resource for this call.

Mandatory for onCreate call. In onUpdate, you can omit this to passthrough it from request.

Default:

  • no physical resource id

region

The region to send service requests to.

Note: Cross-region operations are generally considered an anti-pattern. Consider first deploying a stack in that region.

Default:

  • the region where this custom resource is deployed

service

The service to call.

This is the name of an AWS service, in one of the following forms:

  • An AWS SDK for JavaScript v3 package name (@aws-sdk/client-api-gateway)

  • An AWS SDK for JavaScript v3 client name (api-gateway)

  • An AWS SDK for JavaScript v2 constructor name (APIGateway)

  • A lowercase AWS SDK for JavaScript v2 constructor name (apigateway)

See:

https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/index.html