ProviderProps

class aws_cdk.custom_resources.ProviderProps(*, on_event_handler, disable_waiter_state_machine_logging=None, framework_complete_and_timeout_role=None, framework_on_event_role=None, is_complete_handler=None, log_group=None, log_retention=None, provider_function_env_encryption=None, provider_function_name=None, query_interval=None, role=None, security_groups=None, total_timeout=None, vpc=None, vpc_subnets=None, waiter_state_machine_log_options=None)

Bases: object

Initialization properties for the Provider construct.

Parameters:

  • on_event_handler (IFunction) – The AWS Lambda function to invoke for all resource lifecycle operations (CREATE/UPDATE/DELETE). This function is responsible to begin the requested resource operation (CREATE/UPDATE/DELETE) and return any additional properties to add to the event, which will later be passed to isComplete. The PhysicalResourceId property must be included in the response.

  • disable_waiter_state_machine_logging (Optional[bool]) – Whether logging for the waiter state machine is disabled. Default: - false

  • framework_complete_and_timeout_role (Optional[IRole]) – Lambda execution role for provider framework’s isComplete/onTimeout Lambda function. Note that this role must be assumed by the ‘lambda.amazonaws.com’ service principal. To prevent circular dependency problem in the provider framework, please ensure you specify a different IAM Role for ‘frameworkCompleteAndTimeoutRole’ from ‘frameworkOnEventRole’. This property cannot be used with ‘role’ property Default: - A default role will be created.

  • framework_on_event_role (Optional[IRole]) – Lambda execution role for provider framework’s onEvent Lambda function. Note that this role must be assumed by the ‘lambda.amazonaws.com’ service principal. This property cannot be used with ‘role’ property Default: - A default role will be created.

  • is_complete_handler (Optional[IFunction]) – The AWS Lambda function to invoke in order to determine if the operation is complete. This function will be called immediately after onEvent and then periodically based on the configured query interval as long as it returns false. If the function still returns false and the alloted timeout has passed, the operation will fail. Default: - provider is synchronous. This means that the onEvent handler is expected to finish all lifecycle operations within the initial invocation.

  • log_group (Optional[ILogGroup]) – The Log Group used for logging of events emitted by the custom resource’s lambda function. Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16. If you are deploying to another type of region, please check regional availability first. Default: - a default log group created by AWS Lambda

  • log_retention (Optional[RetentionDays]) – The number of days framework log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn’t remove the log retention policy. To remove the retention policy, set the value to INFINITE. This is a legacy API and we strongly recommend you migrate to logGroup if you can. logGroup allows you to create a fully customizable log group and instruct the Lambda function to send logs to it. Default: logs.RetentionDays.INFINITE

  • provider_function_env_encryption (Optional[IKey]) – AWS KMS key used to encrypt provider lambda’s environment variables. Default: - AWS Lambda creates and uses an AWS managed customer master key (CMK)

  • provider_function_name (Optional[str]) – Provider Lambda name. The provider lambda function name. Default: - CloudFormation default name from unique physical ID

  • query_interval (Optional[Duration]) – Time between calls to the isComplete handler which determines if the resource has been stabilized. The first isComplete will be called immediately after handler and then every queryInterval seconds, and until timeout has been reached or until isComplete returns true. Default: Duration.seconds(5)

  • role (Optional[IRole]) – (deprecated) AWS Lambda execution role. The role is shared by provider framework’s onEvent, isComplete lambda, and onTimeout Lambda functions. This role will be assumed by the AWS Lambda, so it must be assumable by the ‘lambda.amazonaws.com’ service principal. Default: - A default role will be created.

  • security_groups (Optional[Sequence[ISecurityGroup]]) – Security groups to attach to the provider functions. Only used if ‘vpc’ is supplied Default: - If vpc is not supplied, no security groups are attached. Otherwise, a dedicated security group is created for each function.

  • total_timeout (Optional[Duration]) – Total timeout for the entire operation. The maximum timeout is 1 hour (yes, it can exceed the AWS Lambda 15 minutes) Default: Duration.minutes(30)

  • vpc (Optional[IVpc]) – The vpc to provision the lambda functions in. Default: - functions are not provisioned inside a vpc.

  • vpc_subnets (Union[SubnetSelection, Dict[str, Any], None]) – Which subnets from the VPC to place the lambda functions in. Only used if ‘vpc’ is supplied. Note: internet access for Lambdas requires a NAT gateway, so picking Public subnets is not allowed. Default: - the Vpc default strategy if not specified

  • waiter_state_machine_log_options (Union[LogOptions, Dict[str, Any], None]) – Defines what execution history events of the waiter state machine are logged and where they are logged. Default: - A default log group will be created if logging for the waiter state machine is enabled.

ExampleMetadata:

infused

Example:

# Create custom resource handler entrypoint
handler = lambda_.Function(self, "my-handler",
    runtime=lambda_.Runtime.NODEJS_20_X,
    handler="index.handler",
    code=lambda_.Code.from_inline("""
          exports.handler = async (event, context) => {
            return {
              PhysicalResourceId: '1234',
              NoEcho: true,
              Data: {
                mySecret: 'secret-value',
                hello: 'world',
                ghToken: 'gho_xxxxxxx',
              },
            };
          };""")
)

# Provision a custom resource provider framework
provider = cr.Provider(self, "my-provider",
    on_event_handler=handler
)

CustomResource(self, "my-cr",
    service_token=provider.service_token
)

Attributes

disable_waiter_state_machine_logging

Whether logging for the waiter state machine is disabled.

Default:

  • false

framework_complete_and_timeout_role

Lambda execution role for provider framework’s isComplete/onTimeout Lambda function.

Note that this role must be assumed by the ‘lambda.amazonaws.com’ service principal. To prevent circular dependency problem in the provider framework, please ensure you specify a different IAM Role for ‘frameworkCompleteAndTimeoutRole’ from ‘frameworkOnEventRole’.

This property cannot be used with ‘role’ property

Default:

  • A default role will be created.

framework_on_event_role

Lambda execution role for provider framework’s onEvent Lambda function.

Note that this role must be assumed by the ‘lambda.amazonaws.com’ service principal.

This property cannot be used with ‘role’ property

Default:

  • A default role will be created.

is_complete_handler

The AWS Lambda function to invoke in order to determine if the operation is complete.

This function will be called immediately after onEvent and then periodically based on the configured query interval as long as it returns false. If the function still returns false and the alloted timeout has passed, the operation will fail.

Default:

  • provider is synchronous. This means that the onEvent handler

is expected to finish all lifecycle operations within the initial invocation.

log_group

The Log Group used for logging of events emitted by the custom resource’s lambda function.

Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16. If you are deploying to another type of region, please check regional availability first.

Default:

  • a default log group created by AWS Lambda

log_retention

The number of days framework log events are kept in CloudWatch Logs.

When updating this property, unsetting it doesn’t remove the log retention policy. To remove the retention policy, set the value to INFINITE.

This is a legacy API and we strongly recommend you migrate to logGroup if you can. logGroup allows you to create a fully customizable log group and instruct the Lambda function to send logs to it.

Default:

logs.RetentionDays.INFINITE

on_event_handler

The AWS Lambda function to invoke for all resource lifecycle operations (CREATE/UPDATE/DELETE).

This function is responsible to begin the requested resource operation (CREATE/UPDATE/DELETE) and return any additional properties to add to the event, which will later be passed to isComplete. The PhysicalResourceId property must be included in the response.

provider_function_env_encryption

AWS KMS key used to encrypt provider lambda’s environment variables.

Default:

  • AWS Lambda creates and uses an AWS managed customer master key (CMK)

provider_function_name

Provider Lambda name.

The provider lambda function name.

Default:

  • CloudFormation default name from unique physical ID

query_interval

Time between calls to the isComplete handler which determines if the resource has been stabilized.

The first isComplete will be called immediately after handler and then every queryInterval seconds, and until timeout has been reached or until isComplete returns true.

Default:

Duration.seconds(5)

role

(deprecated) AWS Lambda execution role.

The role is shared by provider framework’s onEvent, isComplete lambda, and onTimeout Lambda functions. This role will be assumed by the AWS Lambda, so it must be assumable by the ‘lambda.amazonaws.com’ service principal.

Default:

  • A default role will be created.

Deprecated:

  • Use frameworkOnEventLambdaRole, frameworkIsCompleteLambdaRole, frameworkOnTimeoutLambdaRole

Stability:

deprecated

security_groups

Security groups to attach to the provider functions.

Only used if ‘vpc’ is supplied

Default:

  • If vpc is not supplied, no security groups are attached. Otherwise, a dedicated security

group is created for each function.

total_timeout

Total timeout for the entire operation.

The maximum timeout is 1 hour (yes, it can exceed the AWS Lambda 15 minutes)

Default:

Duration.minutes(30)

vpc

The vpc to provision the lambda functions in.

Default:

  • functions are not provisioned inside a vpc.

vpc_subnets

Which subnets from the VPC to place the lambda functions in.

Only used if ‘vpc’ is supplied. Note: internet access for Lambdas requires a NAT gateway, so picking Public subnets is not allowed.

Default:

  • the Vpc default strategy if not specified

waiter_state_machine_log_options

Defines what execution history events of the waiter state machine are logged and where they are logged.

Default:

  • A default log group will be created if logging for the waiter state machine is enabled.