feat(lambda): code signing config

packages/@aws-cdk/aws-lambda/lib/code-signing-config.ts

@@ -0,0 +1,54 @@
+import { IResource, Resource } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { CfnCodeSigningConfig } from './lambda.generated';
+import { SigningProfile } from '@aws-cdk/aws-signer';
+
+export enum UntrustedArtifactOnDeployment {
+  ENFORCE = 'enforce',
+  WARN = 'warn',
+}
+
+export interface ICodeSigningConfig extends IResource {
+  /**
+   * The ARN of Code Signing Config
+   * @Attribute CodeSigningConfigArn
+   */
+  readonly codeSigningConfigArn: string;
+
+  /**
+   * The id of Code Signing Config
+   * @Attribute CodeSigningConfigId
+   */
+  readonly codeSigningConfigId: string;
+}
+
+export interface CodeSigningConfigProps {
+  signingProfile: SigningProfile,
+  untrustedArtifactOnDeployment?: UntrustedArtifactOnDeployment,
+  description?: string
+}
+
+export class CodeSigningConfig extends Resource implements ICodeSigningConfig{
+  readonly codeSigningConfigArn: string;
+  readonly codeSigningConfigId: string;
+
+  constructor(scope: Construct, id: string, props: CodeSigningConfigProps) {
+    super(scope, id);
+
+    if (props.signingProfile.length > 20) {
+      throw new Error('Signing profile version arn is up to 20');
+    }
+
+    const resource: CfnCodeSigningConfig = new CfnCodeSigningConfig(this, 'Resource', {
+      allowedPublishers: {
+        signingProfileVersionArns: props.signingProfile.signingProfileVersionArn,
+      },
+      codeSigningPolicies: {
+        untrustedArtifactOnDeployment: props.untrustedArtifactOnDeployment
+      },
+      description: props.description
+    });
+    this.codeSigningConfigArn = resource.attrCodeSigningConfigArn;
+    this.codeSigningConfigId = resource.attrCodeSigningConfigId;
+  }
+}

packages/@aws-cdk/aws-lambda/lib/function.ts

@@ -19,6 +19,7 @@ import { CfnFunction } from './lambda.generated';
 import { ILayerVersion } from './layers';
 import { LogRetentionRetryOptions } from './log-retention';
 import { Runtime } from './runtime';
+import { CodeSigningConfig } from 'aws-lambda/lib/code-signing-config';
 
 /**
  * X-Ray Tracing Modes (https://docs.aws.amazon.com/lambda/latest/dg/API_TracingConfig.html)
@@ -290,6 +291,8 @@ export interface FunctionOptions extends EventInvokeConfigOptions {
    * @default - AWS Lambda creates and uses an AWS managed customer master key (CMK).
    */
   readonly environmentEncryption?: kms.IKey;
+
+  readonly codeSigningConfig?: CodeSigningConfig;
 }
 
 export interface FunctionProps extends FunctionOptions {
@@ -526,6 +529,8 @@ export class Function extends FunctionBase {
 
   private _logGroup?: logs.ILogGroup;
 
+  private readonly codeSigningConfig?: CodeSigningConfig;
+
   /**
    * Environment variables for this function
    */
@@ -641,6 +646,7 @@ export class Function extends FunctionBase {
       }),
       kmsKeyArn: props.environmentEncryption?.keyArn,
       fileSystemConfigs,
+      codeSigningConfigArn: props.codeSigningConfig.codeSigningConfigArn
     });
 
     resource.node.addDependency(this.role);

packages/@aws-cdk/aws-signer/lib/signer-profile.ts

@@ -0,0 +1,85 @@
+import { Construct, IResource, Resource } from '@aws-cdk/core';
+import { CfnSigningProfile } from './signer.generated';
+
+export interface ISigningProfile extends IResource {
+  /**
+   * The ARN of the signing profile.
+   * @Attribute
+   */
+  readonly signingProfileArn: string;
+
+  /**
+   * The name of signing profile.
+   * @Attribute
+   */
+  readonly signingProfileName: string;
+
+  /**
+   * The version of signing profile.
+   * @Attribute
+   */
+  readonly signingProfileVersion: string;
+
+  /**
+   * The ARN of signing profile version.
+   * @Attribute
+   */
+  readonly signingProfileVersionArn: string;
+}
+
+export enum SignatureValidityPeriodTypes {
+  DAYS = 'DAYS',
+  MONTHS = 'MONTHS',
+  YEARS = 'YEARS',
+}
+
+class SignatureValidityPeriodProperty {
+  readonly type: SignatureValidityPeriodTypes;
+  readonly value: number;
+
+  constructor( type: SignatureValidityPeriodTypes, value: number ) {
+    this.type = type;
+    this.value = value;
+  }
+}
+
+abstract class SigningProfileBase extends Resource implements ISigningProfile {
+  public abstract readonly signingProfileArn: string;
+  public abstract readonly signingProfileName: string;
+  public abstract readonly signingProfileVersion: string;
+  public abstract readonly signingProfileVersionArn: string;
+}
+
+export interface SigningProfileProps {
+  /*
+   * The ID of a platform that is available for use by a signing profile.
+   */
+  readonly platformId: string;
+
+  /*
+   * The validity period override for any signature generated using
+   * this signing profile. If unspecified, the default is 135 months.
+   */
+  readonly signatureValidityPeriod?: SignatureValidityPeriodProperty;
+}
+
+export class SigningProfile extends SigningProfileBase {
+  public readonly signingProfileArn: string;
+  public readonly signingProfileName: string;
+  public readonly signingProfileVersion: string;
+  public readonly signingProfileVersionArn: string;
+
+  constructor(scope: Construct, id: string, props: SigningProfileProps) {
+    super(scope, id);
+
+    const resource = new CfnSigningProfile( this, 'Resource', {
+      platformId: props.platformId,
+      signatureValidityPeriod: props.signatureValidityPeriod,
+    } );
+
+    this.signingProfileArn = resource.attrArn;
+    this.signingProfileName = resource.attrProfileName;
+    this.signingProfileVersion = resource.attrProfileVersion;
+    this.signingProfileVersionArn = resource.attrProfileVersionArn;
+  }
+}