Resource

The Resource declaration is used to create new resources and/or specify access for the Lambda function in the module to existing resources.

Syntax

Resource: String
Description: String
Scope: ScopeDefinition
If: Condition
Type: String
Allow: AllowDefinition
DefaultAttribute: String
Pragmas:
  - PragmaDefinition
Properties:
  ResourceProperties
DeletionPolicy: String
Value: Expression
DependsOn:
  - String

Properties

Allow

The Allow attribute can be either a comma-separated, single string value, or a list of string values. String values that contain a colon (:) are interpreted as IAM permission and used as is (e.g. dynamodb:GetItem, s3:GetObject*, etc.). Otherwise, the value is interpreted as a LambdaSharp shorthand (see LambdaSharp Shorthand by Resource Type). Both notations can be used simultaneously within a single Allow section. Duplicate IAM permissions, after LambdaSharp shorthand resolution, are removed.

Required: No

Type: Either String or List of String

DefaultAttribute

The DefaultAttribute attribute specifies the resource attribute to use when exporting the resource from the module or to a Lambda function. By default, the LambdaSharp CLI automatically selects the Arn attribute when available. Otherwise, it uses the return value of a !Ref expressions. This behavior can be overwritten by specifying a DefaultAttribute attribute.

Required: No. Not valid when the resource is explicitly referenced by the Value attribute.

Type: String

DeletionPolicy

The DeletionPolicy attribute specifies what to do with the resource when the stack is deleted. The value must be one of: Retain or Snapshot.

Required: No

Type: String

DependsOn

The DependsOn attribute identifies items that must be created prior. For additional information, see CloudFormation DependsOn Attribute.

Required: No. Not valid when the resource is explicitly referenced by the Value attribute.

Type: List of String

Description

The Description attribute specifies the variable description.

Required: No

Type: String

If

The If attribute specifies a condition that must be met for the Lambda function to be included in the deployment. The condition can either the name of a Condition item or a logical expression.

Required: No. Not valid when the resource is explicitly referenced by the Value attribute.

Type: String or Expression

Pragmas

The Pragmas section specifies directives that change the default compiler behavior.

Required: No. Not valid when the resource is explicitly referenced by the Value attribute.

Type: List of Pragma Definition

Properties

The Properties section specifies additional options that can be specified for a new resource. This section is copied verbatim into the CloudFormation template and can use CloudFormation intrinsic functions (e.g. !Ref, !Join, !Sub, etc.) for referencing other resources.

The Properties section cannot be specified for referenced resources. For a list of all additional options, see AWS Resource Types Reference.

Required: No. Not valid when the resource is explicitly referenced by the Value attribute.

Type: Map

Resource

The Resource attribute specifies the item name. The name must start with a letter and followed only by letters or digits. Punctuation marks are not allowed. All names are case-sensitive.

Required: Yes

Type: String

Scope

The Scope attribute specifies which functions need to have access to this item. The Scope attribute can be a comma-separated list or a YAML list of function names. If all functions need the item, then all can be used as a wildcard. In addition, public can be used to export the item from the module. Alternatively, stack can be used to make the item available only in a nested stack.

Required: No

Type: Comma-delimited String or List of String

Type

The Type attribute identifies the AWS resource type that is being created or referenced. For example, AWS::SNS::Topic declares an SNS topic. For a list of all resource types, see AWS Resource Types Reference.

Required: Conditional. The Type attribute is required for new resources and when using the LambdaSharp shorthand notation in the Allow attribute. The Type attribute can be omitted for referenced resources that only list native IAM permissions in their Allow attribute.

Type: String

Value

The Value attribute specifies the value for the parameter. If the Value attribute is a list of resource names, the IAM permissions are requested for all of them.

Required: Conditional. The Value attribute is required for referenced resources. Otherwise, it must be omitted.

Type: String

Examples

Create an SNS topic

- Resource: MyTopic
  Type: AWS::SNS::Topic
  Allow: Publish

Create a DynamoDB Table

- Resource: MyDynamoDBTable
  Scope: all
  Type: AWS::DynamoDB::Table
  Allow: Subscribe
  Properties:
    BillingMode: PAY_PER_REQUEST
    AttributeDefinitions:
      - AttributeName: MessageId
        AttributeType: S
    KeySchema:
      - AttributeName: MessageId
        KeyType: HASH

Create a DynamoDB Table configured by module parameters

- Parameter: DynamoReadCapacity
  Type: Number
  Default: 1

- Parameter: DynamoWriteCapacity
  Type: Number
  Default: 1

- Resource: MyDynamoDBTable
  Scope: all
  Type: AWS::DynamoDB::Table
  Allow: Subscribe
  Properties:
    AttributeDefinitions:
      - AttributeName: MessageId
        AttributeType: S
    KeySchema:
      - AttributeName: MessageId
        KeyType: HASH
    ProvisionedThroughput:
      ReadCapacityUnits: !Ref DynamoReadCapacity
      WriteCapacityUnits: !Ref DynamoWriteCapacity

Request full access to all S3 buckets

- Resource: GrantBucketAccess
  Type: AWS::S3::Bucket
  Allow: Full
  Value:
    - arn:aws:s3:::*
    - arn:aws:s3:::*/*

Request access to AWS Rekognition

- Resource: RekognitionService
  Description: Permissions required for using AWS Rekognition
  Value: "*"
  Allow:
    - "rekognition:DetectFaces"
    - "rekognition:IndexFaces"
    - "rekognition:SearchFacesByImage"