aws · mergify · Feb 25, 2021 · Jan 22, 2021 · Jan 27, 2021 · Jan 27, 2021
diff --git a/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts b/packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts
@@ -0,0 +1,37 @@
+import { Resource } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { CfnCodeSigningConfig } from './lambda.generated';
+
+export enum UntrustedArtifactOnDeployment {
+  ENFORCE = 'enforce',
+  WARN = 'warn',
+}
+
+export interface CodeSigningConfigOptions {
+  signingProfileVersionArn: string[],
+  untrustedArtifactOnDeployment?: UntrustedArtifactOnDeployment,
+  description?: string
+}
+
+export class CodeSigningConfig extends Resource {
+  public readonly codeSigningConfigArn: string;
+
+  constructor(scope: Construct, id: string, props: CodeSigningConfigOptions) {
+    super(scope, id);
+
+    if (props.signingProfileVersionArn.length > 20) {
+      throw new Error('Signing profile version arn is up to 20');
+    }
+
+    const resource: CfnCodeSigningConfig = new CfnCodeSigningConfig(this, 'Resource', {
+      allowedPublishers: {
+        signingProfileVersionArns: props.signingProfileVersionArn,
+      },
+      codeSigningPolicies: {
+        untrustedArtifactOnDeployment: props.untrustedArtifactOnDeployment
+      },
+      description: props.description
+    });
+    this.codeSigningConfigArn = resource.ref;
+  }
+}
diff --git a/packages/@aws-cdk/aws-lambda/lib/function.ts b/packages/@aws-cdk/aws-lambda/lib/function.ts
@@ -19,6 +19,7 @@ import { CfnFunction } from './lambda.generated';
 import { ILayerVersion } from './layers';
 import { LogRetentionRetryOptions } from './log-retention';
 import { Runtime } from './runtime';
+import { CodeSigningConfig } from 'aws-lambda/lib/code-signing-config';
 
 /**
  * X-Ray Tracing Modes (https://docs.aws.amazon.com/lambda/latest/dg/API_TracingConfig.html)
@@ -290,6 +291,8 @@ export interface FunctionOptions extends EventInvokeConfigOptions {
    * @default - AWS Lambda creates and uses an AWS managed customer master key (CMK).
    */
   readonly environmentEncryption?: kms.IKey;
+
+  readonly codeSigningConfig?: CodeSigningConfig;
 }
 
 export interface FunctionProps extends FunctionOptions {
@@ -526,6 +529,8 @@ export class Function extends FunctionBase {
 
   private _logGroup?: logs.ILogGroup;
 
+  private readonly codeSigningConfig?: CodeSigningConfig;
+
   /**
    * Environment variables for this function
    */
@@ -641,6 +646,7 @@ export class Function extends FunctionBase {
       }),
       kmsKeyArn: props.environmentEncryption?.keyArn,
       fileSystemConfigs,
+      codeSigningConfigArn: props.codeSigningConfig.codeSigningConfigArn
     });
 
     resource.node.addDependency(this.role);