Resource
The Resource declaration is used to create new resources and/or specify access for the Lambda function in the module to existing resources.
Syntax
Resource: String
Description: String
Scope: ScopeDefinition
If: Condition
Type: String
Allow: AllowDefinition
DefaultAttribute: String
Pragmas:
  - PragmaDefinition
Properties:
  ResourceProperties
DeletionPolicy: String
Value: Expression
DependsOn:
  - String
Properties
Allow
- The Allow attribute can be either a comma-separated, single string value, or a list of string values. String values that contain a colon (:) are interpreted as IAM permissions and used as is (e.g. dynamodb:GetItem, s3:GetObject*, etc.). Otherwise, the value is interpreted as a LambdaSharp shorthand (see LambdaSharp Shorthand by Resource Type). Both notations can be used simultaneously within a single Allow section. Duplicate IAM permissions, after LambdaSharp shorthand resolution, are removed.
  Required: No
  Type: Either String or List of String
DefaultAttribute
- The DefaultAttribute attribute specifies the resource attribute to use when exporting the resource from the module or to a Lambda function. By default, the LambdaSharp CLI automatically selects the Arn attribute when available. Otherwise, it uses the return value of a !Ref expression. This behavior can be overridden by specifying a DefaultAttribute attribute.
  Required: No. Not valid when the resource is explicitly referenced by the Value attribute.
  Type: String
DeletionPolicy
- The DeletionPolicy attribute specifies what to do with the resource when the stack is deleted. The value must be one of: Retain or Snapshot.
  Required: No
  Type: String
DependsOn
- The DependsOn attribute identifies items that must be created prior. For additional information, see CloudFormation DependsOn Attribute.
  Required: No. Not valid when the resource is explicitly referenced by the Value attribute.
  Type: List of String
Description
- The Description attribute specifies the variable description.
  Required: No
  Type: String
If
- The If attribute specifies a condition that must be met for the Lambda function to be included in the deployment. The condition can be either the name of a Condition item or a logical expression.
  Required: No. Not valid when the resource is explicitly referenced by the Value attribute.
  Type: String or Expression
Pragmas
- The Pragmas section specifies directives that change the default compiler behavior.
  Required: No. Not valid when the resource is explicitly referenced by the Value attribute.
  Type: List of Pragma Definition
Properties
- The Properties section specifies additional options that can be specified for a new resource. This section is copied verbatim into the CloudFormation template and can use CloudFormation intrinsic functions (e.g. !Ref, !Join, !Sub, etc.) for referencing other resources.
  The Properties section cannot be specified for referenced resources. For a list of all additional options, see AWS Resource Types Reference.
  Required: No. Not valid when the resource is explicitly referenced by the Value attribute.
  Type: Map
Resource
- The Resource attribute specifies the item name. The name must start with a letter and be followed only by letters or digits. Punctuation marks are not allowed. All names are case-sensitive.
  Required: Yes
  Type: String
Scope
- The Scope attribute specifies which functions need to have access to this item. The Scope attribute can be a comma-separated list or a YAML list of function names. If all functions need the item, then all can be used as a wildcard. In addition, public can be used to export the item from the module. Alternatively, stack can be used to make the item available only in a nested stack.
  Required: No
  Type: Comma-delimited String or List of String
Type
- The Type attribute identifies the AWS resource type that is being created or referenced. For example, AWS::SNS::Topic declares an SNS topic. For a list of all resource types, see AWS Resource Types Reference.
  Required: Conditional. The Type attribute is required for new resources and when using the LambdaSharp shorthand notation in the Allow attribute. The Type attribute can be omitted for referenced resources that only list native IAM permissions in their Allow attribute.
  Type: String
Value
- The Value attribute specifies the value for the parameter. If the Value attribute is a list of resource names, the IAM permissions are requested for all of them.
  Required: Conditional. The Value attribute is required for referenced resources. Otherwise, it must be omitted.
  Type: String
Examples
Create an SNS topic
- Resource: MyTopic
  Type: AWS::SNS::Topic
  Allow: Publish
Create a DynamoDB Table
- Resource: MyDynamoDBTable
  Scope: all
  Type: AWS::DynamoDB::Table
  Allow: Subscribe
  Properties:
    BillingMode: PAY_PER_REQUEST
    AttributeDefinitions:
      - AttributeName: MessageId
        AttributeType: S
    KeySchema:
      - AttributeName: MessageId
        KeyType: HASH
Create a DynamoDB Table configured by module parameters
- Parameter: DynamoReadCapacity
  Type: Number
  Default: 1
- Parameter: DynamoWriteCapacity
  Type: Number
  Default: 1
- Resource: MyDynamoDBTable
  Scope: all
  Type: AWS::DynamoDB::Table
  Allow: Subscribe
  Properties:
    AttributeDefinitions:
      - AttributeName: MessageId
        AttributeType: S
    KeySchema:
      - AttributeName: MessageId
        KeyType: HASH
    ProvisionedThroughput:
      ReadCapacityUnits: !Ref DynamoReadCapacity
      WriteCapacityUnits: !Ref DynamoWriteCapacity
Request full access to all S3 buckets
- Resource: GrantBucketAccess
  Type: AWS::S3::Bucket
  Allow: Full
  Value:
    - arn:aws:s3:::*
    - arn:aws:s3:::*/*
Request access to AWS Rekognition
- Resource: RekognitionService
  Description: Permissions required for using AWS Rekognition
  Value: "*"
  Allow:
    - "rekognition:DetectFaces"
    - "rekognition:IndexFaces"
    - "rekognition:SearchFacesByImage"
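
The Allow, Type and Value rules described under Properties can be checked mechanically before a module is deployed. The Python below is an added example, not part of LambdaSharp or its CLI: it splits Allow the way the text describes and reports declarations that break the stated rules or contain wildcards. The split_allow and audit helpers and the MixedAccess sample are assumptions made for illustration, and declarations are given as already-parsed dicts.

```python
# Added example: lint Resource declarations against the rules stated on this page.
# Declarations are plain dicts (constructed samples), so no YAML parser is needed.

def split_allow(allow):
    """Split Allow (comma-separated string or list) into (IAM permissions, shorthands)."""
    items = allow.split(",") if isinstance(allow, str) else list(allow or [])
    iam, shorthand = [], []
    for item in (i.strip() for i in items):
        if not item:
            continue
        bucket = iam if ":" in item else shorthand  # a colon marks a native IAM permission
        if item not in bucket:                      # drop duplicates, keep first-seen order
            bucket.append(item)
    return iam, shorthand

# Attributes the page marks "Not valid when the resource is referenced by Value".
NOT_VALID_WITH_VALUE = ("DefaultAttribute", "DependsOn", "If", "Pragmas", "Properties")

def audit(decl):
    """Return review findings for one Resource declaration."""
    findings = []
    iam, shorthand = split_allow(decl.get("Allow"))
    referenced = "Value" in decl
    if "Type" not in decl and (shorthand or not referenced):
        findings.append("Type is required (new resource or shorthand in Allow)")
    if referenced:
        findings += [f"{a} is not valid with Value" for a in NOT_VALID_WITH_VALUE if a in decl]
        values = decl["Value"] if isinstance(decl["Value"], list) else [decl["Value"]]
        findings += [f"wildcard in Value: {v}" for v in values if "*" in str(v)]
    findings += [f"wildcard IAM action: {p}" for p in iam if "*" in p]
    if "Full" in shorthand:
        findings.append("Full shorthand requests full access")
    return findings

# Constructed samples; the first three mirror declarations from the Examples section.
SAMPLES = [
    {"Resource": "MyTopic", "Type": "AWS::SNS::Topic", "Allow": "Publish"},
    {"Resource": "GrantBucketAccess", "Type": "AWS::S3::Bucket", "Allow": "Full",
     "Value": ["arn:aws:s3:::*", "arn:aws:s3:::*/*"]},
    {"Resource": "RekognitionService", "Value": "*",
     "Allow": ["rekognition:DetectFaces", "rekognition:IndexFaces"]},
    {"Resource": "MixedAccess", "Value": "arn:aws:s3:::example-bucket/*",
     "Allow": "Full, s3:GetObject*, s3:GetObject*"},  # hypothetical declaration
]

if __name__ == "__main__":
    for decl in SAMPLES:
        for finding in audit(decl) or ["ok"]:
            print(f"{decl['Resource']}: {finding}")
```

A wildcard finding is a prompt for review rather than an error: some declarations legitimately need it, but each one should be a deliberate choice.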