feat(lambda): code signing config

packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts

@@ -0,0 +1,54 @@
+import { IResource, Resource } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { CfnCodeSigningConfig } from './lambda.generated';
+import { SigningProfile } from '@aws-cdk/aws-signer';
+
+export enum UntrustedArtifactOnDeployment {
+  ENFORCE = 'enforce',
+  WARN = 'warn',
+}
+
+export interface ICodeSigningConfig extends IResource {
+  /**
+   * The ARN of Code Signing Config
+   * @attribute CodeSigningConfigArn
+   */
+  readonly codeSigningConfigArn: string;
+
+  /**
+   * The id of Code Signing Config
+   * @attribute CodeSigningConfigId
+   */
+  readonly codeSigningConfigId: string;
+}
+
+export interface CodeSigningConfigProps {
+  signingProfile: SigningProfile,
+  untrustedArtifactOnDeployment?: UntrustedArtifactOnDeployment,
+  description?: string
+}
+
+export class CodeSigningConfig extends Resource implements ICodeSigningConfig{
+  readonly codeSigningConfigArn: string;
+  readonly codeSigningConfigId: string;
+
+  constructor(scope: Construct, id: string, props: CodeSigningConfigProps) {
+    super(scope, id);
+
+    if (props.signingProfile.length > 20) {
+      throw new Error('Signing profile version arn is up to 20');
+    }
+
+    const resource: CfnCodeSigningConfig = new CfnCodeSigningConfig(this, 'Resource', {
+      allowedPublishers: {
+        signingProfileVersionArns: props.signingProfile.signingProfileVersionArn,
+      },
+      codeSigningPolicies: {
+        untrustedArtifactOnDeployment: props.untrustedArtifactOnDeployment
+      },
+      description: props.description
+    });
+    this.codeSigningConfigArn = resource.attrCodeSigningConfigArn;
+    this.codeSigningConfigId = resource.attrCodeSigningConfigId;
+  }
+}

packages/@aws-cdk/aws-lambda/lib/function.ts

@@ -19,6 +19,7 @@ import { CfnFunction } from './lambda.generated';
 import { ILayerVersion } from './layers';
 import { LogRetentionRetryOptions } from './log-retention';
 import { Runtime } from './runtime';
+import { CodeSigningConfig } from 'aws-lambda/lib/code-signing-config';
 
 /**
  * X-Ray Tracing Modes (https://docs.aws.amazon.com/lambda/latest/dg/API_TracingConfig.html)
@@ -290,6 +291,8 @@ export interface FunctionOptions extends EventInvokeConfigOptions {
    * @default - AWS Lambda creates and uses an AWS managed customer master key (CMK).
    */
   readonly environmentEncryption?: kms.IKey;
+
+  readonly codeSigningConfig?: CodeSigningConfig;
 }
 
 export interface FunctionProps extends FunctionOptions {
@@ -526,6 +529,8 @@ export class Function extends FunctionBase {
 
   private _logGroup?: logs.ILogGroup;
 
+  private readonly codeSigningConfig?: CodeSigningConfig;
+
   /**
    * Environment variables for this function
    */
@@ -641,6 +646,7 @@ export class Function extends FunctionBase {
       }),
       kmsKeyArn: props.environmentEncryption?.keyArn,
       fileSystemConfigs,
+      codeSigningConfigArn: props.codeSigningConfig.codeSigningConfigArn
     });
 
     resource.node.addDependency(this.role);

packages/@aws-cdk/aws-lambda/package.json

@@ -99,6 +99,7 @@
     "@aws-cdk/aws-logs": "0.0.0",
     "@aws-cdk/aws-s3": "0.0.0",
     "@aws-cdk/aws-s3-assets": "0.0.0",
+    "@aws-cdk/aws-signer": "0.0.0",
     "@aws-cdk/aws-sqs": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
@@ -119,6 +120,7 @@
     "@aws-cdk/aws-logs": "0.0.0",
     "@aws-cdk/aws-s3": "0.0.0",
     "@aws-cdk/aws-s3-assets": "0.0.0",
+    "@aws-cdk/aws-signer": "0.0.0",
     "@aws-cdk/aws-sqs": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",

packages/@aws-cdk/aws-signer/README.md

@@ -9,6 +9,14 @@
 >
 > [CFN Resources]: https://docs.aws.amazon.com/cdk/latest/guide/constructs.html#constructs_lib
 
+![cdk-constructs: Experimental](https://img.shields.io/badge/cdk--constructs-experimental-important.svg?style=for-the-badge)
+
+> The APIs of higher level constructs in this module are experimental and under active development.
+> They are subject to non-backward compatible changes or removal in any future version. These are
+> not subject to the [Semantic Versioning](https://semver.org/) model and breaking changes will be
+> announced in the release notes. This means that while you may use them, you may need to update
+> your source code when upgrading to a newer version of this package.
+
 ---
 
 <!--END STABILITY BANNER-->

packages/@aws-cdk/aws-signer/lib/index.ts

@@ -1,2 +1,3 @@
 // AWS::Signer CloudFormation Resources:
 export * from './signer.generated';
+export * from './signer-profile';

packages/@aws-cdk/aws-signer/lib/signer-profile.ts

@@ -0,0 +1,78 @@
+import { Construct, IResource, Resource } from '@aws-cdk/core';
+import { CfnSigningProfile } from './signer.generated';
+
+export interface ISigningProfile extends IResource {
+  /**
+   * The ARN of the signing profile.
+   * @attribute
+   */
+  readonly signingProfileArn: string;
+
+  /**
+   * The name of signing profile.
+   * @attribute
+   */
+  readonly signingProfileName: string;
+
+  /**
+   * The version of signing profile.
+   * @attribute
+   */
+  readonly signingProfileVersion: string;
+
+  /**
+   * The ARN of signing profile version.
+   * @attribute
+   */
+  readonly signingProfileVersionArn: string;
+}
+
+export enum SignatureValidityPeriodTypes {
+  DAYS = 'DAYS',
+  MONTHS = 'MONTHS',
+  YEARS = 'YEARS',
+}
+
+class SignatureValidityPeriodProperty {
+  readonly type: SignatureValidityPeriodTypes;
+  readonly value: number;
+
+  constructor(type: SignatureValidityPeriodTypes, value: number) {
+    this.type = type;
+    this.value = value;
+  }
+}
+
+export interface SigningProfileProps {
+  /*
+   * The ID of a platform that is available for use by a signing profile.
+   */
+  readonly platformId: string;
+
+  /*
+   * The validity period override for any signature generated using
+   * this signing profile. If unspecified, the default is 135 months.
+   */
+  readonly signatureValidityPeriod?: SignatureValidityPeriodProperty;
+}
+
+export class SigningProfile extends Resource implements ISigningProfile {
+  public readonly signingProfileArn: string;
+  public readonly signingProfileName: string;
+  public readonly signingProfileVersion: string;
+  public readonly signingProfileVersionArn: string;
+
+  constructor(scope: Construct, id: string, props: SigningProfileProps) {
+    super(scope, id);
+
+    const resource = new CfnSigningProfile( this, 'Resource', {
+      platformId: props.platformId,
+      signatureValidityPeriod: props.signatureValidityPeriod,
+    } );
+
+    this.signingProfileArn = resource.attrArn;
+    this.signingProfileName = resource.attrProfileName;
+    this.signingProfileVersion = resource.attrProfileVersion;
+    this.signingProfileVersionArn = resource.attrProfileVersionArn;
+  }
+}

packages/@aws-cdk/aws-signer/package.json

@@ -79,16 +79,18 @@
     "pkglint": "0.0.0"
   },
   "dependencies": {
-    "@aws-cdk/core": "0.0.0"
+    "@aws-cdk/core": "0.0.0",
+    "constructs": "^3.2.0"
   },
   "peerDependencies": {
-    "@aws-cdk/core": "0.0.0"
+    "@aws-cdk/core": "0.0.0",
+    "constructs": "^3.2.0"
   },
   "engines": {
     "node": ">= 10.13.0 <13 || >=13.7.0"
   },
   "stability": "experimental",
-  "maturity": "cfn-only",
+  "maturity": "experimental",
   "awscdkio": {
     "announce": false
   }

packages/@aws-cdk/aws-signer/test/signer.test.ts

@@ -4,3 +4,5 @@ import {} from '../lib';
 test('No tests are specified for this package', () => {
   expect(true).toBe(true);
 });
+
+// TODO: Implement tests