// Drain handler Lambda (original note: "Invoke Lambda via SNS Topic").
// The Python source is read from lambda-source/index.py when this code runs
// and is embedded inline in the function definition.
const drainHandlerPath = path.join(__dirname, 'lambda-source', 'index.py');
const drainHandlerCode = lambda.Code.fromInline(
  fs.readFileSync(drainHandlerPath, { encoding: 'utf-8' })
);
const fn = new lambda.Function(this, 'Function', {
  code: drainHandlerCode,
  handler: 'index.lambda_handler',
  // NOTE(review): Python 3.6 is past end of life and no longer receives
  // security fixes; move to a supported runtime once index.py is confirmed
  // to run on it.
  runtime: lambda.Runtime.PYTHON_3_6,
  // Timeout: the drain time plus 10 seconds of margin for the additional API
  // calls made by the Lambda, capped at 900 seconds (the 15-minute maximum).
  timeout: cdk.Duration.seconds(Math.min(900, drainTime.toSeconds() + 10)),
  // The cluster name is exposed to the function as the CLUSTER variable.
  environment: {
    CLUSTER: props.cluster.clusterName,
  },
});
// Hook everything up (ASG -> Topic, Topic -> Lambda): register a lifecycle
// hook on the Auto Scaling group that notifies the drain Lambda whenever an
// instance enters the terminating transition.
const drainHookOptions = {
  lifecycleTransition: autoscaling.LifecycleTransition.INSTANCE_TERMINATING,
  // NOTE(review): with CONTINUE, termination goes ahead once the heartbeat
  // timeout elapses even if the hook was never completed, so draining is
  // best-effort; confirm that is the intended failure mode.
  defaultResult: autoscaling.DefaultResult.CONTINUE,
  notificationTarget: new hooks.FunctionHook(fn),
  // The instance is held in the terminating state for at most the drain time.
  heartbeatTimeout: drainTime,
};
props.autoScalingGroup.addLifecycleHook('DrainHook', drainHookOptions);
// The EC2 Describe* actions cannot be restricted to specific resources, which
// is why this statement uses '*'. CompleteLifecycleAction, by contrast, is
// meant to be limited to the ASG ARN (that statement is not shown here).
// https://docs.aws.amazon.com/autoscaling/ec2/userguide/control-access-using-iam.html
// NOTE(review): keep this wildcard statement read-only; any action that can
// change state belongs in a separate statement scoped to a resource ARN.
const describeOnlyActions = [
  'ec2:DescribeInstances',
  'ec2:DescribeInstanceAttribute',
  'ec2:DescribeInstanceStatus',
  'ec2:DescribeHosts',
];
const describeStatement = new iam.PolicyStatement({
  actions: describeOnlyActions,
  resources: ['*'],
});
fn.addToRolePolicy(describeStatement);