AssetCode

class aws_cdk.aws_lambda.AssetCode(path, *, deploy_time=None, readers=None, source_kms_key=None, asset_hash=None, asset_hash_type=None, bundling=None, exclude=None, follow_symlinks=None, ignore_mode=None)

Bases: Code

Lambda code from a local directory.

ExampleMetadata:

infused

Example:

# Lambda function containing logic that evaluates compliance with the rule.
eval_compliance_fn = lambda_.Function(self, "CustomFunction",
    code=lambda_.AssetCode.from_inline("exports.handler = (event) => console.log(event);"),
    handler="index.handler",
    runtime=lambda_.Runtime.NODEJS_18_X
)

# A custom rule that runs on configuration changes of EC2 instances
custom_rule = config.CustomRule(self, "Custom",
    configuration_changes=True,
    lambda_function=eval_compliance_fn,
    rule_scope=config.RuleScope.from_resource(config.ResourceType.EC2_INSTANCE)
)

# A rule to detect stack drifts
drift_rule = config.CloudFormationStackDriftDetectionCheck(self, "Drift")

# Topic to which compliance notification events will be published
compliance_topic = sns.Topic(self, "ComplianceTopic")

# Send notification on compliance change events
drift_rule.on_compliance_change("ComplianceChange",
    target=targets.SnsTopic(compliance_topic)
)
Parameters:
  • path (str) – The path to the asset file or directory.

  • deploy_time (Optional[bool]) – Whether or not the asset needs to exist beyond deployment time; i.e. are copied over to a different location and not needed afterwards. Setting this property to true has an impact on the lifecycle of the asset, because we will assume that it is safe to delete after the CloudFormation deployment succeeds. For example, Lambda Function assets are copied over to Lambda during deployment. Therefore, it is not necessary to store the asset in S3, so we consider those deployTime assets. Default: false

  • readers (Optional[Sequence[IGrantable]]) – A list of principals that should be able to read this asset from S3. You can use asset.grantRead(principal) to grant read permissions later. Default: - No principals that can read file asset.

  • source_kms_key (Optional[IKey]) – The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.

  • asset_hash (Optional[str]) – Specify a custom hash for this asset. If assetHashType is set it must be set to AssetHashType.CUSTOM. For consistency, this custom hash will be SHA256 hashed and encoded as hex. The resulting hash will be the asset hash. NOTE: the hash is used in order to identify a specific revision of the asset, and used for optimizing and caching deployment activities related to this asset such as packaging, uploading to Amazon S3, etc. If you chose to customize the hash, you will need to make sure it is updated every time the asset changes, or otherwise it is possible that some deployments will not be invalidated. Default: - based on assetHashType

  • asset_hash_type (Optional[AssetHashType]) – Specifies the type of hash to calculate for this asset. If assetHash is configured, this option must be undefined or AssetHashType.CUSTOM. Default: - the default is AssetHashType.SOURCE, but if assetHash is explicitly specified this value defaults to AssetHashType.CUSTOM.

  • bundling (Union[BundlingOptions, Dict[str, Any], None]) – Bundle the asset by executing a command in a Docker container or a custom bundling provider. The asset path will be mounted at /asset-input. The Docker container is responsible for putting content at /asset-output. The content at /asset-output will be zipped and used as the final asset. Default: - uploaded as-is to S3 if the asset is a regular file or a .zip file, archived into a .zip file and uploaded to S3 otherwise

  • exclude (Optional[Sequence[str]]) – File paths matching the patterns will be excluded. See ignoreMode to set the matching behavior. Has no effect on Assets bundled using the bundling property. Default: - nothing is excluded

  • follow_symlinks (Optional[SymlinkFollowMode]) – A strategy for how to handle symlinks. Default: SymlinkFollowMode.NEVER

  • ignore_mode (Optional[IgnoreMode]) – The ignore behavior to use for exclude patterns. Default: IgnoreMode.GLOB

Methods

bind(scope)

Called when the lambda or layer is initialized to allow this object to bind to the stack, add resources and have fun.

Parameters:

scope (Construct) –

Return type:

CodeConfig

bind_to_resource(resource, *, resource_property=None)

Called after the CFN function resource has been created to allow the code class to bind to it.

Specifically it’s required to allow assets to add metadata for tooling like SAM CLI to be able to find their origins.

Parameters:
  • resource (CfnResource) –

  • resource_property (Optional[str]) – The name of the CloudFormation property to annotate with asset metadata. Default: Code

Return type:

None

Attributes

is_inline

Determines whether this Code is inline code or not.

path

The path to the asset file or directory.

Static Methods

classmethod from_asset(path, *, deploy_time=None, readers=None, source_kms_key=None, asset_hash=None, asset_hash_type=None, bundling=None, exclude=None, follow_symlinks=None, ignore_mode=None)

Loads the function code from a local disk path.

Parameters:
  • path (str) – Either a directory with the Lambda code bundle or a .zip file.

  • deploy_time (Optional[bool]) – Whether or not the asset needs to exist beyond deployment time; i.e. are copied over to a different location and not needed afterwards. Setting this property to true has an impact on the lifecycle of the asset, because we will assume that it is safe to delete after the CloudFormation deployment succeeds. For example, Lambda Function assets are copied over to Lambda during deployment. Therefore, it is not necessary to store the asset in S3, so we consider those deployTime assets. Default: false

  • readers (Optional[Sequence[IGrantable]]) – A list of principals that should be able to read this asset from S3. You can use asset.grantRead(principal) to grant read permissions later. Default: - No principals that can read file asset.

  • source_kms_key (Optional[IKey]) – The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.

  • asset_hash (Optional[str]) – Specify a custom hash for this asset. If assetHashType is set it must be set to AssetHashType.CUSTOM. For consistency, this custom hash will be SHA256 hashed and encoded as hex. The resulting hash will be the asset hash. NOTE: the hash is used in order to identify a specific revision of the asset, and used for optimizing and caching deployment activities related to this asset such as packaging, uploading to Amazon S3, etc. If you chose to customize the hash, you will need to make sure it is updated every time the asset changes, or otherwise it is possible that some deployments will not be invalidated. Default: - based on assetHashType

  • asset_hash_type (Optional[AssetHashType]) – Specifies the type of hash to calculate for this asset. If assetHash is configured, this option must be undefined or AssetHashType.CUSTOM. Default: - the default is AssetHashType.SOURCE, but if assetHash is explicitly specified this value defaults to AssetHashType.CUSTOM.

  • bundling (Union[BundlingOptions, Dict[str, Any], None]) – Bundle the asset by executing a command in a Docker container or a custom bundling provider. The asset path will be mounted at /asset-input. The Docker container is responsible for putting content at /asset-output. The content at /asset-output will be zipped and used as the final asset. Default: - uploaded as-is to S3 if the asset is a regular file or a .zip file, archived into a .zip file and uploaded to S3 otherwise

  • exclude (Optional[Sequence[str]]) – File paths matching the patterns will be excluded. See ignoreMode to set the matching behavior. Has no effect on Assets bundled using the bundling property. Default: - nothing is excluded

  • follow_symlinks (Optional[SymlinkFollowMode]) – A strategy for how to handle symlinks. Default: SymlinkFollowMode.NEVER

  • ignore_mode (Optional[IgnoreMode]) – The ignore behavior to use for exclude patterns. Default: IgnoreMode.GLOB

Return type:

AssetCode

classmethod from_asset_image(directory, *, cmd=None, entrypoint=None, working_directory=None, asset_name=None, build_args=None, build_secrets=None, build_ssh=None, cache_disabled=None, cache_from=None, cache_to=None, file=None, invalidation=None, network_mode=None, outputs=None, platform=None, target=None, extra_hash=None, exclude=None, follow_symlinks=None, ignore_mode=None)

Create an ECR image from the specified asset and bind it as the Lambda code.

Parameters:
  • directory (str) – the directory from which the asset must be created.

  • cmd (Optional[Sequence[str]]) – Specify or override the CMD on the specified Docker image or Dockerfile. This needs to be in the ‘exec form’, viz., [ 'executable', 'param1', 'param2' ]. Default: - use the CMD specified in the docker image or Dockerfile.

  • entrypoint (Optional[Sequence[str]]) – Specify or override the ENTRYPOINT on the specified Docker image or Dockerfile. An ENTRYPOINT allows you to configure a container that will run as an executable. This needs to be in the ‘exec form’, viz., [ 'executable', 'param1', 'param2' ]. Default: - use the ENTRYPOINT in the docker image or Dockerfile.

  • working_directory (Optional[str]) – Specify or override the WORKDIR on the specified Docker image or Dockerfile. A WORKDIR allows you to configure the working directory the container will use. Default: - use the WORKDIR in the docker image or Dockerfile.

  • asset_name (Optional[str]) – Unique identifier of the docker image asset and its potential revisions. Required if using AppScopedStagingSynthesizer. Default: - no asset name

  • build_args (Optional[Mapping[str, str]]) – Build args to pass to the docker build command. Since Docker build arguments are resolved before deployment, keys and values cannot refer to unresolved tokens (such as lambda.functionArn or queue.queueUrl). Default: - no build args are passed

  • build_secrets (Optional[Mapping[str, str]]) – Build secrets. Docker BuildKit must be enabled to use build secrets. Default: - no build secrets

  • build_ssh (Optional[str]) – SSH agent socket or keys to pass to the docker build command. Docker BuildKit must be enabled to use the ssh flag Default: - no –ssh flag

  • cache_disabled (Optional[bool]) – Disable the cache and pass --no-cache to the docker build command. Default: - cache is used

  • cache_from (Optional[Sequence[Union[DockerCacheOption, Dict[str, Any]]]]) – Cache from options to pass to the docker build command. Default: - no cache from options are passed to the build command

  • cache_to (Union[DockerCacheOption, Dict[str, Any], None]) – Cache to options to pass to the docker build command. Default: - no cache to options are passed to the build command

  • file (Optional[str]) – Path to the Dockerfile (relative to the directory). Default: ‘Dockerfile’

  • invalidation (Union[DockerImageAssetInvalidationOptions, Dict[str, Any], None]) – Options to control which parameters are used to invalidate the asset hash. Default: - hash all parameters

  • network_mode (Optional[NetworkMode]) – Networking mode for the RUN commands during build. Support docker API 1.25+. Default: - no networking mode specified (the default networking mode NetworkMode.DEFAULT will be used)

  • outputs (Optional[Sequence[str]]) – Outputs to pass to the docker build command. Default: - no outputs are passed to the build command (default outputs are used)

  • platform (Optional[Platform]) – Platform to build for. Requires Docker Buildx. Default: - no platform specified (the current machine architecture will be used)

  • target (Optional[str]) – Docker target to build to. Default: - no target

  • extra_hash (Optional[str]) – Extra information to encode into the fingerprint (e.g. build instructions and other inputs). Default: - hash is only based on source content

  • exclude (Optional[Sequence[str]]) – File paths matching the patterns will be excluded. See ignoreMode to set the matching behavior. Has no effect on Assets bundled using the bundling property. Default: - nothing is excluded

  • follow_symlinks (Optional[SymlinkFollowMode]) – A strategy for how to handle symlinks. Default: SymlinkFollowMode.NEVER

  • ignore_mode (Optional[IgnoreMode]) – The ignore behavior to use for exclude patterns. Default: IgnoreMode.GLOB

Return type:

AssetImageCode

classmethod from_bucket(bucket, key, object_version=None)

Lambda handler code as an S3 object.

Parameters:
  • bucket (IBucket) – The S3 bucket.

  • key (str) – The object key.

  • object_version (Optional[str]) – Optional S3 object version.

Return type:

S3Code

classmethod from_bucket_v2(bucket, key, *, object_version=None, source_kms_key=None)

Lambda handler code as an S3 object.

Parameters:
  • bucket (IBucket) – The S3 bucket.

  • key (str) – The object key.

  • object_version (Optional[str]) – Optional S3 object version.

  • source_kms_key (Optional[IKey]) – The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.

Return type:

S3CodeV2

classmethod from_cfn_parameters(*, bucket_name_param=None, object_key_param=None, source_kms_key=None)

Creates a new Lambda source defined using CloudFormation parameters.

Parameters:
  • bucket_name_param (Optional[CfnParameter]) – The CloudFormation parameter that represents the name of the S3 Bucket where the Lambda code will be located in. Must be of type ‘String’. Default: a new parameter will be created

  • object_key_param (Optional[CfnParameter]) – The CloudFormation parameter that represents the path inside the S3 Bucket where the Lambda code will be located at. Must be of type ‘String’. Default: a new parameter will be created

  • source_kms_key (Optional[IKey]) – The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.

Return type:

CfnParametersCode

Returns:

a new instance of CfnParametersCode

classmethod from_custom_command(output, command, *, command_options=None, deploy_time=None, readers=None, source_kms_key=None, asset_hash=None, asset_hash_type=None, bundling=None, exclude=None, follow_symlinks=None, ignore_mode=None)

Runs a command to build the code asset that will be used.

Parameters:
  • output (str) – Where the output of the command will be directed, either a directory or a .zip file with the output Lambda code bundle * For example, if you use the command to run a build script (e.g., [ ‘node’, ‘bundle_code.js’ ]), and the build script generates a directory /my/lambda/code containing code that should be ran in a Lambda function, then output should be set to /my/lambda/code.

  • command (Sequence[str]) – The command which will be executed to generate the output, for example, [ ‘node’, ‘bundle_code.js’ ].

  • command_options (Optional[Mapping[str, Any]]) – options that are passed to the spawned process, which determine the characteristics of the spawned process. Default: : see child_process.SpawnSyncOptions (https://nodejs.org/api/child_process.html#child_processspawnsynccommand-args-options).

  • deploy_time (Optional[bool]) – Whether or not the asset needs to exist beyond deployment time; i.e. are copied over to a different location and not needed afterwards. Setting this property to true has an impact on the lifecycle of the asset, because we will assume that it is safe to delete after the CloudFormation deployment succeeds. For example, Lambda Function assets are copied over to Lambda during deployment. Therefore, it is not necessary to store the asset in S3, so we consider those deployTime assets. Default: false

  • readers (Optional[Sequence[IGrantable]]) – A list of principals that should be able to read this asset from S3. You can use asset.grantRead(principal) to grant read permissions later. Default: - No principals that can read file asset.

  • source_kms_key (Optional[IKey]) – The ARN of the KMS key used to encrypt the handler code. Default: - the default server-side encryption with Amazon S3 managed keys(SSE-S3) key will be used.

  • asset_hash (Optional[str]) – Specify a custom hash for this asset. If assetHashType is set it must be set to AssetHashType.CUSTOM. For consistency, this custom hash will be SHA256 hashed and encoded as hex. The resulting hash will be the asset hash. NOTE: the hash is used in order to identify a specific revision of the asset, and used for optimizing and caching deployment activities related to this asset such as packaging, uploading to Amazon S3, etc. If you chose to customize the hash, you will need to make sure it is updated every time the asset changes, or otherwise it is possible that some deployments will not be invalidated. Default: - based on assetHashType

  • asset_hash_type (Optional[AssetHashType]) – Specifies the type of hash to calculate for this asset. If assetHash is configured, this option must be undefined or AssetHashType.CUSTOM. Default: - the default is AssetHashType.SOURCE, but if assetHash is explicitly specified this value defaults to AssetHashType.CUSTOM.

  • bundling (Union[BundlingOptions, Dict[str, Any], None]) – Bundle the asset by executing a command in a Docker container or a custom bundling provider. The asset path will be mounted at /asset-input. The Docker container is responsible for putting content at /asset-output. The content at /asset-output will be zipped and used as the final asset. Default: - uploaded as-is to S3 if the asset is a regular file or a .zip file, archived into a .zip file and uploaded to S3 otherwise

  • exclude (Optional[Sequence[str]]) – File paths matching the patterns will be excluded. See ignoreMode to set the matching behavior. Has no effect on Assets bundled using the bundling property. Default: - nothing is excluded

  • follow_symlinks (Optional[SymlinkFollowMode]) – A strategy for how to handle symlinks. Default: SymlinkFollowMode.NEVER

  • ignore_mode (Optional[IgnoreMode]) – The ignore behavior to use for exclude patterns. Default: IgnoreMode.GLOB

Return type:

AssetCode

classmethod from_docker_build(path, *, image_path=None, output_path=None, build_args=None, cache_disabled=None, cache_from=None, cache_to=None, file=None, platform=None, target_stage=None)

Loads the function code from an asset created by a Docker build.

By default, the asset is expected to be located at /asset in the image.

Parameters:
  • path (str) – The path to the directory containing the Docker file.

  • image_path (Optional[str]) – The path in the Docker image where the asset is located after the build operation. Default: /asset

  • output_path (Optional[str]) – The path on the local filesystem where the asset will be copied using docker cp. Default: - a unique temporary directory in the system temp directory

  • build_args (Optional[Mapping[str, str]]) – Build args. Default: - no build args

  • cache_disabled (Optional[bool]) – Disable the cache and pass --no-cache to the docker build command. Default: - cache is used

  • cache_from (Optional[Sequence[Union[DockerCacheOption, Dict[str, Any]]]]) – Cache from options to pass to the docker build command. Default: - no cache from args are passed

  • cache_to (Union[DockerCacheOption, Dict[str, Any], None]) – Cache to options to pass to the docker build command. Default: - no cache to args are passed

  • file (Optional[str]) – Name of the Dockerfile, must relative to the docker build path. Default: Dockerfile

  • platform (Optional[str]) – Set platform if server is multi-platform capable. Requires Docker Engine API v1.38+. Example value: linux/amd64 Default: - no platform specified

  • target_stage (Optional[str]) – Set build target for multi-stage container builds. Any stage defined afterwards will be ignored. Example value: build-env Default: - Build all stages defined in the Dockerfile

Return type:

AssetCode

classmethod from_ecr_image(repository, *, cmd=None, entrypoint=None, tag=None, tag_or_digest=None, working_directory=None)

Use an existing ECR image as the Lambda code.

Parameters:
  • repository (IRepository) – the ECR repository that the image is in.

  • cmd (Optional[Sequence[str]]) – Specify or override the CMD on the specified Docker image or Dockerfile. This needs to be in the ‘exec form’, viz., [ 'executable', 'param1', 'param2' ]. Default: - use the CMD specified in the docker image or Dockerfile.

  • entrypoint (Optional[Sequence[str]]) – Specify or override the ENTRYPOINT on the specified Docker image or Dockerfile. An ENTRYPOINT allows you to configure a container that will run as an executable. This needs to be in the ‘exec form’, viz., [ 'executable', 'param1', 'param2' ]. Default: - use the ENTRYPOINT in the docker image or Dockerfile.

  • tag (Optional[str]) – (deprecated) The image tag to use when pulling the image from ECR. Default: ‘latest’

  • tag_or_digest (Optional[str]) – The image tag or digest to use when pulling the image from ECR (digests must start with sha256:). Default: ‘latest’

  • working_directory (Optional[str]) – Specify or override the WORKDIR on the specified Docker image or Dockerfile. A WORKDIR allows you to configure the working directory the container will use. Default: - use the WORKDIR in the docker image or Dockerfile.

Return type:

EcrImageCode

classmethod from_inline(code)

Inline code for Lambda handler.

Parameters:

code (str) – The actual handler code (limited to 4KiB).

Return type:

InlineCode

Returns:

LambdaInlineCode with inline code.