Forem: Andreas Brunner The latest articles on Forem by Andreas Brunner (@baartch). https://forem.com/baartch https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F671364%2Fe875c807-de0b-4f49-b878-eb1c0be5996c.jpeg Forem: Andreas Brunner https://forem.com/baartch en Antivirus on AWS Andreas Brunner Tue, 09 Dec 2025 07:44:04 +0000 https://forem.com/cloudxs/antivirus-on-aws-5e67 https://forem.com/cloudxs/antivirus-on-aws-5e67 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8aze189loz0o0rog5zsi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8aze189loz0o0rog5zsi.png" alt=" " width="800" height="533"></a>How can files on AWS be scanned for viruses? There is no built-in solution. But we can build our own using Lambda Functions and Layers.</p> <p>Our solution involves packing the open-source antivirus engine <a href="https://www.clamav.net/" rel="noopener noreferrer">ClamAV</a> into a Lambda Layer and running the scan command from a Lambda Function.</p> <p>This article only covers how to package ClamAV into a Lambda layer for use in Lambda functions.</p> <h2> Get the required ClamAV files </h2> <p>The first step in building the Lambda Layer is to obtain the necessary files from the RPM package in the Amazon Linux repository. To achieve this, we run a Dockerfile with the <code>amazonlinux</code> image and install ClamAV, then extract the files.</p> <p>First, let's create a config file for ClamAV called <code>freshclam.conf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>DatabaseMirror db.de.clamav.net database.clamav.net CompressLocalDatabase no ScriptedUpdates no LogVerbose yes </code></pre> </div> <p>Next, create a file called <code>dockerfile</code>.</p> <p><em>Although <a href="https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.9.20251014.html#release-summary-2023.9.20251014" rel="noopener noreferrer">AWS states</a> that the package name <code>clamav</code> should point to the latest ClamAV version, it only does when you run <code>dnf install</code>. When calling the <code>dnf download</code> command still points to the outdated version 0.103.12. Thats why we download explicitly <code>clamav1.4</code>.</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># © 2025 cloudxs GmbH. All rights reserved. / dockerfile </span> <span class="k">FROM</span><span class="s"> amazonlinux:2023</span> <span class="k">WORKDIR</span><span class="s"> /home/build</span> <span class="k">RUN </span><span class="nb">set</span> <span class="nt">-e</span> <span class="k">RUN </span><span class="nb">echo</span> <span class="s2">"Prepping ClamAV"</span> <span class="k">RUN </span><span class="nb">rm</span> <span class="nt">-rf</span> bin <span class="k">RUN </span><span class="nb">rm</span> <span class="nt">-rf</span> lib <span class="k">RUN </span>dnf update <span class="nt">-y</span> <span class="k">RUN </span>dnf <span class="nb">install</span> <span class="nt">-y</span> cpio <span class="se">\ </span> dnf-plugins-core <span class="se">\ </span> zip <span class="k">RUN </span>dnf download <span class="nt">--arch</span> x86_64 clamav1.4 <span class="k">RUN </span>rpm2cpio clamav1.4-1<span class="k">*</span>.rpm | cpio <span class="nt">-vimd</span> <span class="k">RUN </span>dnf download <span class="nt">--arch</span> x86_64 clamav1.4-lib <span class="k">RUN </span>rpm2cpio clamav1.4-lib<span class="k">*</span>.rpm | cpio <span class="nt">-vimd</span> <span class="k">RUN </span>dnf download <span class="nt">--arch</span> x86_64 clamav1.4-update <span class="k">RUN </span>rpm2cpio clamav1.4-freshclam<span class="k">*</span>.rpm | cpio <span class="nt">-vimd</span> <span class="k">RUN </span>dnf download <span class="nt">--arch</span> x86_64 json-c <span class="k">RUN </span>rpm2cpio json-c<span class="k">*</span>.rpm | cpio <span class="nt">-vimd</span> <span class="k">RUN </span>dnf download <span class="nt">--arch</span> x86_64 pcre2 <span class="k">RUN </span>rpm2cpio pcre<span class="k">*</span>.rpm | cpio <span class="nt">-vimd</span> <span class="k">RUN </span>dnf download <span class="nt">--arch</span> x86_64 libtool-ltdl <span class="k">RUN </span>rpm2cpio libtool-ltdl<span class="k">*</span>.rpm | cpio <span class="nt">-vimd</span> <span class="k">RUN </span>dnf download <span class="nt">--arch</span> x86_64 libxml2 <span class="k">RUN </span>rpm2cpio libxml2<span class="k">*</span>.rpm | cpio <span class="nt">-vimd</span> <span class="k">RUN </span>dnf download <span class="nt">--arch</span> x86_64 bzip2-libs <span class="k">RUN </span>rpm2cpio bzip2-libs<span class="k">*</span>.rpm | cpio <span class="nt">-vimd</span> <span class="k">RUN </span>dnf download <span class="nt">--arch</span> x86_64 xz-libs <span class="k">RUN </span>rpm2cpio xz-libs<span class="k">*</span>.rpm | cpio <span class="nt">-vimd</span> <span class="k">RUN </span>dnf download <span class="nt">--arch</span> x86_64 gnutls <span class="k">RUN </span>rpm2cpio gnutls<span class="k">*</span>.rpm | cpio <span class="nt">-vimd</span> <span class="k">RUN </span>dnf download <span class="nt">--arch</span> x86_64 nettle <span class="k">RUN </span>rpm2cpio nettle<span class="k">*</span>.rpm | cpio <span class="nt">-vimd</span> <span class="k">RUN </span>dnf download <span class="nt">--arch</span> x86_64 openldap <span class="k">RUN </span>rpm2cpio openldap<span class="k">*</span>.rpm | cpio <span class="nt">-vimd</span> <span class="k">RUN </span>dnf download <span class="nt">--arch</span> x86_64 pcre <span class="k">RUN </span>rpm2cpio pcre<span class="k">*</span>.rpm | cpio <span class="nt">-vimd</span> <span class="k">RUN </span>dnf download <span class="nt">--arch</span> x86_64 nss <span class="k">RUN </span>rpm2cpio nss<span class="k">*</span>.rpm | cpio <span class="nt">-vimd</span> <span class="k">RUN </span>dnf download <span class="nt">--arch</span> x86_64 libssh2 <span class="k">RUN </span>rpm2cpio libssh2<span class="k">*</span>.rpm | cpio <span class="nt">-vimd</span> <span class="k">RUN </span><span class="nb">mkdir</span> <span class="nt">-p</span> bin <span class="k">RUN </span><span class="nb">mkdir</span> <span class="nt">-p</span> lib <span class="k">RUN </span><span class="nb">mkdir</span> <span class="nt">-p</span> var/lib/clamav <span class="k">RUN </span><span class="nb">chmod</span> <span class="nt">-R</span> 777 var/lib/clamav <span class="k">COPY</span><span class="s"> ./freshclam.conf .</span> <span class="k">RUN </span><span class="nb">cp </span>usr/bin/clamscan usr/bin/freshclam bin/. <span class="k">RUN </span><span class="nb">cp</span> <span class="nt">-R</span> usr/lib64/<span class="k">*</span> lib/. <span class="k">RUN </span><span class="nb">cp </span>freshclam.conf bin/freshclam.conf <span class="c"># Copy some libraries separately</span> <span class="k">RUN </span><span class="nb">cp</span> /lib64/libcurl<span class="k">*</span> lib/. <span class="k">RUN </span><span class="nb">cp</span> /lib64/libcrypt<span class="k">*</span> lib/. <span class="k">RUN </span><span class="nb">cp</span> /lib64/libnss<span class="k">*</span> lib/. <span class="k">RUN </span><span class="nb">cp</span> /lib64/libunistring<span class="k">*</span> lib/. <span class="k">RUN </span><span class="nb">cp</span> /lib64/libgcrypt<span class="k">*</span> lib/. <span class="k">RUN </span><span class="nb">cp</span> /lib64/libssl<span class="k">*</span> lib/. <span class="k">RUN </span><span class="nb">cp</span> ./usr/lib64/libssh2<span class="k">*</span> lib/. <span class="k">RUN </span><span class="nb">cp</span> /lib64/libidn2<span class="k">*</span> lib/. <span class="k">RUN </span><span class="nb">cp</span> /lib64/libnghttp2<span class="k">*</span> lib/. <span class="k">RUN </span><span class="nb">cp</span> ./usr/lib64/libsmime3<span class="k">*</span> lib/. <span class="k">RUN </span>yum <span class="nb">install </span>shadow-utils.x86_64 <span class="nt">-y</span> <span class="k">RUN </span>groupadd clamav <span class="k">RUN </span>useradd <span class="nt">-g</span> clamav <span class="nt">-s</span> /bin/false <span class="nt">-c</span> <span class="s2">"Clam Antivirus"</span> clamav <span class="k">RUN </span>useradd <span class="nt">-g</span> clamav <span class="nt">-s</span> /bin/false <span class="nt">-c</span> <span class="s2">"Clam Antivirus"</span> clamupdate <span class="k">RUN </span><span class="nv">LD_LIBRARY_PATH</span><span class="o">=</span>./lib ./bin/freshclam <span class="nt">--config-file</span><span class="o">=</span>bin/freshclam.conf <span class="k">RUN </span>zip <span class="nt">-r9</span> clamav_lambda_layer.zip bin <span class="k">RUN </span>zip <span class="nt">-r9</span> clamav_lambda_layer.zip lib <span class="k">RUN </span>zip <span class="nt">-r9</span> clamav_lambda_layer.zip var <span class="k">RUN </span>zip <span class="nt">-r9</span> clamav_lambda_layer.zip etc </code></pre> </div> <p>The Dockerfile above creates a new container with ClamAV and all its required libraries in a ZIP archive within the container. This means we need to extract it. For this, we have a bash script called <code>build.sh</code> that builds the container, runs it, copy the layer.zip and extract into a directory called <code>layer</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># © 2025 cloudxs GmbH. All rights reserved. / build.sh </span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">rm</span> <span class="nt">-rf</span> ./layer <span class="nb">mkdir </span>layer docker build <span class="nt">-t</span> clamav <span class="nt">-f</span> Dockerfile <span class="nt">--progress</span><span class="o">=</span>plain <span class="nb">.</span> docker run <span class="nt">--name</span> clamav clamav docker <span class="nb">cp </span>clamav:/home/build/clamav_lambda_layer.zip <span class="nb">.</span> docker <span class="nb">rm </span>clamav <span class="nb">mv </span>clamav_lambda_layer.zip ./layer <span class="nb">pushd </span>layer unzip <span class="nt">-n</span> clamav_lambda_layer.zip <span class="nb">rm </span>clamav_lambda_layer.zip <span class="nb">popd</span> </code></pre> </div> <p>Now, all the files we need to run ClamAV in a Lambda function are in the directory called <code>layer</code>.</p> <h2> Create the Lambda Layer </h2> <p>Of course, deploying Lambda Functions and Lambda Layers depend a lot on the IAC tool you use. We use <a href="https://sst.dev/" rel="noopener noreferrer">SST</a>, which is <a href="https://www.pulumi.com/" rel="noopener noreferrer">Pulumi</a> under the hood.</p> <p>To create a Lambda Layer with SST or Pulumi, all you need to do is package the <code>layer</code> directory from the previous step. Our deployment looks similar to this.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">avLayerOutputDir</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">workspaces/antivirus/lambda/clamav_bin/layer</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">layerAvBinaries</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">lambda</span><span class="p">.</span><span class="nc">LayerVersion</span><span class="p">(</span> <span class="s2">`clamav-bin-</span><span class="p">${</span><span class="nx">$app</span><span class="p">.</span><span class="nx">stage</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">layerName</span><span class="p">:</span> <span class="s2">`clamav-bin-</span><span class="p">${</span><span class="nx">$app</span><span class="p">.</span><span class="nx">stage</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">code</span><span class="p">:</span> <span class="nf">$asset</span><span class="p">(</span><span class="nx">avLayerOutputDir</span><span class="p">),</span> <span class="na">compatibleRuntimes</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">nodejs20.x</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">nodejs22.x</span><span class="dl">'</span><span class="p">],</span> <span class="p">},</span> <span class="p">);</span> </code></pre> </div> <h2> CI/CD pipeline </h2> <p>We build and deploy the Lambda Layer in an Azure DevOps pipeline. To improve pipeline speed, we implemented a caching step. In order to make proper use of the caching, we need to know the most current ClamAV version. The following fragment is the build stage of our pipeline.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">variables</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CACHE_HIT_LAMBDA_LAYER</span> <span class="na">value</span><span class="pi">:</span> <span class="s1">'</span><span class="s">false'</span> <span class="na">pool</span><span class="pi">:</span> <span class="na">vmImage</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">Build</span> <span class="na">jobs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">job</span><span class="pi">:</span> <span class="s">build_lambda_layer</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s">Build Lambda Layer</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">bash</span><span class="pi">:</span> <span class="s">bash getClamavVersion.sh</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s">Get ClamAV version</span> <span class="na">workingDirectory</span><span class="pi">:</span> <span class="s">$(System.DefaultWorkingDirectory)/workspaces/antivirus/lambda/clamav_bin</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">Cache@2</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s">Cache lambda layer</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s1">'</span><span class="s">amazonlinux</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">"$(Agent.OS)"</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">"Clamav</span><span class="nv"> </span><span class="s">$(clamav_version)"'</span> <span class="na">path</span><span class="pi">:</span> <span class="s">$(System.DefaultWorkingDirectory)/workspaces/antivirus/lambda/clamav_bin/layer</span> <span class="na">cacheHitVar</span><span class="pi">:</span> <span class="s">CACHE_HIT_LAMBDA_LAYER</span> <span class="pi">-</span> <span class="na">bash</span><span class="pi">:</span> <span class="s">bash build.sh</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s">Build lambda layer</span> <span class="na">workingDirectory</span><span class="pi">:</span> <span class="s">$(System.DefaultWorkingDirectory)/workspaces/antivirus/lambda/clamav_bin</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">ne(variables.CACHE_HIT_LAMBDA_LAYER, 'true')</span> <span class="pi">-</span> <span class="na">script</span><span class="pi">:</span> <span class="s">ls -lisah</span> <span class="na">displayName</span><span class="pi">:</span> <span class="s">List files in the working directory</span> <span class="na">workingDirectory</span><span class="pi">:</span> <span class="s">$(System.DefaultWorkingDirectory)/workspaces/antivirus/lambda/clamav_bin/layer</span> <span class="pi">-</span> <span class="na">publish</span><span class="pi">:</span> <span class="s">$(System.DefaultWorkingDirectory)/workspaces/antivirus/lambda/clamav_bin/layer</span> <span class="na">artifact</span><span class="pi">:</span> <span class="s">layer</span> </code></pre> </div> <p>The first step in the build job calls the script <code>getClamavVersion.sh</code>. This script runs the amazonlinux container, gets the latest clamav version and writes it into an pipeline variable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># © 2025 cloudxs GmbH. All rights reserved. / getClamavVersion.sh </span> <span class="nv">AZLINUX_IMAGE</span><span class="o">=</span><span class="s2">"amazonlinux:2023"</span> <span class="nv">CLAMAV_PKG</span><span class="o">=</span><span class="s2">"clamav1.4"</span> docker run <span class="nt">--rm</span> <span class="nv">$AZLINUX_IMAGE</span> bash <span class="nt">-c</span> <span class="s2">"CAVERSION=</span><span class="se">\$</span><span class="s2">(dnf info </span><span class="nv">$CLAMAV_PKG</span><span class="s2"> | grep Version | awk -F: '{print </span><span class="nv">$2</span><span class="s2">}'); echo </span><span class="se">\"</span><span class="s2">##vso[task.setvariable variable=clamav_version]</span><span class="se">\$</span><span class="s2">CAVERSION</span><span class="se">\"</span><span class="s2">"</span> </code></pre> </div> <h2> How to use </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh62888n5nk1r4zjwos6q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh62888n5nk1r4zjwos6q.png" alt=" " width="800" height="308"></a><br> We use a separate scheduled Lambda function to download the new Antivirus definitions every three hours and upload them to S3. Afterwards a second Lambda gets triggered, that moves the AV Definitions to EFS. Since Lambda has a limit of 500MB storage, we need the EFS anyway to handle larger files.</p> <p>The EFS is mounted as well to the Scanning Lambda function, so that we have the definitions available. The Scanning Lambda function gets triggered by S3 PutObject events. Due to the memory limits of AWS Lambda, we only scan files up to 2GB.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">PATH_TO_FRESHCLAM</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">freshclam</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">PATH_TO_CLAMAV</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">clamscan</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">FRESHCLAM_CONFIG</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/opt/bin/freshclam.conf</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">FRESHCLAM_WORK_DIR</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FRESHCLAM_WORK_DIR</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">/tmp</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">TMP_AVDEFINITION_DIR</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/tmp/avdefinitions</span><span class="dl">'</span><span class="p">;</span> <span class="cm">/** * Updates the definitions using freshclam. * * It will download the definitions to the current work dir. */</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">updateAVDefinitonsWithFreshclam</span><span class="p">()</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nf">execSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">ls -lisah /opt</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">executionResult</span> <span class="o">=</span> <span class="nf">execSync</span><span class="p">(</span> <span class="s2">`</span><span class="p">${</span><span class="nx">constants</span><span class="p">.</span><span class="nx">PATH_TO_FRESHCLAM</span><span class="p">}</span><span class="s2"> --config-file=</span><span class="p">${</span><span class="nx">constants</span><span class="p">.</span><span class="nx">FRESHCLAM_CONFIG</span><span class="p">}</span><span class="s2"> --datadir=</span><span class="p">${</span><span class="nx">constants</span><span class="p">.</span><span class="nx">TMP_AVDEFINITION_DIR</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">cwd</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/opt</span><span class="dl">'</span> <span class="p">}</span> <span class="p">);</span> <span class="nf">generateSystemMessage</span><span class="p">(</span><span class="dl">'</span><span class="s1">Update message</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">executionResult</span><span class="p">.</span><span class="nf">toString</span><span class="p">());</span> <span class="k">if </span><span class="p">(</span><span class="nx">executionResult</span><span class="p">.</span><span class="nx">stderr</span><span class="p">)</span> <span class="p">{</span> <span class="nf">generateSystemMessage</span><span class="p">(</span><span class="dl">'</span><span class="s1">stderr</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">executionResult</span><span class="p">.</span><span class="nx">stderr</span><span class="p">.</span><span class="nf">toString</span><span class="p">());</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="cm">/** * Function to scan the given file. This function requires ClamAV and the definitions to be available. * This function does not download the file so the file should also be accessible. * * Three possible case can happen: * - The file is clean, the clamAV command returns 0 and the function return "CLEAN" * - The file is infected, the clamAV command returns 1 and this function will return "INFECTED" * - Any other error and the function will return null; (falsey) * * @param pathToFile Path in the filesystem where the file is stored. */</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">scanLocalFile</span><span class="p">(</span><span class="nx">pathToFile</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nf">execSync</span><span class="p">(</span> <span class="s2">`</span><span class="p">${</span><span class="nx">constants</span><span class="p">.</span><span class="nx">PATH_TO_CLAMAV</span><span class="p">}</span><span class="s2"> -v -a --stdout --database=</span><span class="p">${</span><span class="nx">constants</span><span class="p">.</span><span class="nx">EFS_AVDEFINITION_DIR</span><span class="p">}</span><span class="s2">/ '</span><span class="p">${</span><span class="nx">constants</span><span class="p">.</span><span class="nx">FRESHCLAM_WORK_DIR</span><span class="p">}</span><span class="s2">/tmp/</span><span class="p">${</span><span class="nx">pathToFile</span><span class="p">}</span><span class="s2">'`</span> <span class="p">);</span> <span class="nf">generateSystemMessage</span><span class="p">(</span><span class="dl">'</span><span class="s1">SUCCESSFUL SCAN, FILE CLEAN</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="nx">constants</span><span class="p">.</span><span class="nx">STATUS_CLEAN_FILE</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Error status 1 means that the file is infected.</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nf">generateSystemMessage</span><span class="p">(</span><span class="dl">'</span><span class="s1">SUCCESSFUL SCAN, FILE INFECTED</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="nx">constants</span><span class="p">.</span><span class="nx">STATUS_INFECTED_FILE</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nf">generateSystemMessage</span><span class="p">(</span><span class="dl">'</span><span class="s1">-- SCAN FAILED --</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="k">return</span> <span class="nx">constants</span><span class="p">.</span><span class="nx">STATUS_ERROR_PROCESSING_FILE</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="cm">/** * Uploads the AV definitions to S3 bucket. */</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">uploadAVDefinitions</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">uploadPromises</span> <span class="o">=</span> <span class="nx">constants</span><span class="p">.</span><span class="nx">CLAMAV_DEFINITIONS_FILES</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">filenameToUpload</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">generateSystemMessage</span><span class="p">(</span><span class="s2">`Upload updated definitions for file </span><span class="p">${</span><span class="nx">filenameToUpload</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Bucket</span><span class="p">:</span> <span class="nx">constants</span><span class="p">.</span><span class="nx">CLAMAV_BUCKET_NAME</span><span class="p">,</span> <span class="na">Key</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">constants</span><span class="p">.</span><span class="nx">PATH_TO_AV_DEFINITIONS</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">filenameToUpload</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">Body</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">createReadStream</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">constants</span><span class="p">.</span><span class="nx">TMP_AVDEFINITION_DIR</span><span class="p">,</span> <span class="nx">filenameToUpload</span><span class="p">)),</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="nx">client</span> <span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="k">new</span> <span class="nc">PutObjectCommand</span><span class="p">(</span><span class="nx">options</span><span class="p">))</span> <span class="p">.</span><span class="nf">then</span><span class="p">((</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">generateSystemMessage</span><span class="p">(</span><span class="s2">`Upload finished </span><span class="p">${</span><span class="nx">filenameToUpload</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">return</span> <span class="nx">data</span><span class="p">;</span> <span class="p">})</span> <span class="p">.</span><span class="k">catch</span><span class="p">((</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">generateSystemMessage</span><span class="p">(</span><span class="s2">`Error uploading </span><span class="p">${</span><span class="nx">filenameToUpload</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">data</span><span class="p">;</span> <span class="p">});</span> <span class="k">return</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span><span class="nx">uploadPromises</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>We hope this article helps anyone who is facing the challenges of packaging the ClamAV antivirus in a Lambda Layer.</p> <p>Sincerely, Andy from cloudxs GmbH</p> aws antivirus clamav lambda Intune appends «/qn ALLUSERS=1» Andreas Brunner Fri, 11 Nov 2022 09:31:23 +0000 https://forem.com/baartch/intune-appends--25b2 https://forem.com/baartch/intune-appends--25b2 <p>Are you trying to run a Powershell script as an Intune install command and you have the string <code>.msi</code> in it and realized that your command fails, because Intune automatically modifies it? Here is the thing. As soon as Intune finds <code>.msi</code> in your install command, it appends <code>/qn ALLUSERS=1</code> on its own. Even if they had good intentions to implement this, when we want to run a powershell script, they break our command.</p> <p>Here is our install command in the Intune Administration GUI.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--zU56qcxS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hxka8mdf7oktirtaevpb.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--zU56qcxS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hxka8mdf7oktirtaevpb.png" alt="Install command in GUI" width="703" height="325"></a></p> <p>And here you see what is executed on the client.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--mftJDUX0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/axevh1ibhqahk6dzrkx1.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--mftJDUX0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/axevh1ibhqahk6dzrkx1.png" alt="Install command in log file" width="880" height="102"></a></p> <p>If you have named arguments in your Powershell script, the command will break. Powershell will throw an error because it does not know any parameter «/qn» or «ALLUSERS=1».</p> <p>Here is an example. If you have the following Install command, you will get an error.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>powershell -executionpolicy bypass -file .\installer.ps1 -myMSI "https://domain.com/myMsiPackage.msi" </code></pre> </div> <p>The trick is to use <strong>unnamed arguments</strong> in your script. In the following example, we removed <code>-myMSI</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>powershell -executionpolicy bypass -file .\installer.ps1 "https://domain.com/myMsiPackage.msi" </code></pre> </div> <p>Now, at the top of your script, don’t catch the parameters with a <code>param()</code> block. Catch them with the <code>$args</code> array. The <code>installer.ps1</code> would start with the following line.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$myMSI = $args[0] # $myMSI will contain -&gt; https://domain.com/myMsiPackage.msi # the rest can be ignored # $args[1] will contain -&gt; /qn # $args[2] will contain -&gt; ALLUSERS=1 </code></pre> </div> <p>Very easy if you know how.</p> powershell intune msi Create a Rest API with AWS API Gateway, a Lambda function and a RDS Aurora Cluster deployed by CDK Andreas Brunner Mon, 02 Aug 2021 08:41:31 +0000 https://forem.com/cloudxs/create-a-rest-api-with-aws-api-gateway-a-lambda-function-and-a-rds-aurora-cluster-deployed-by-cdk-4amc https://forem.com/cloudxs/create-a-rest-api-with-aws-api-gateway-a-lambda-function-and-a-rds-aurora-cluster-deployed-by-cdk-4amc <p>Alright, I admit, the title of this blog post is rather long. But hey, the advantage is that you already know exactly what we're going to cover in this article. Since we believe that <a href="https://aws.amazon.com/cdk/">AWS CDK</a> is one of the most advanced tools available today for implementing <em>infrastructure as code</em> on AWS, this article contains only CDK code fragments.</p> <p>Please note, this is not a complete step-by-step guide. We only want to document the code fragments required to create and connect the AWS resources needed for a Rest API that talks to a RDS database. We assume that you are already familiar with CDK and know how to implement the following fragments into your CDK stacks. And, just to mention that, in our real-world application, we divide resources among different stacks (e.g. a network stack, a database stack, etc.). However, for the sake of simplicity, this will be excluded here.</p> <p>Ready? Let's dive into it.</p> <h2> VPC </h2> <p>Our database has to be connected to a <a href="https://aws.amazon.com/vpc/">VPC</a>. That's why we first create VPC and add the needed <a href="https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints.html">VPC Interface Endpoints</a> to it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="cm">/* nodejs modules */</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="p">......</span> <span class="cm">/* create a vpc */</span> <span class="kd">const</span> <span class="nx">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">vpc</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="p">...</span> <span class="p">});</span> <span class="cm">/* Secrets Manager Endpoint */</span> <span class="nx">vpc</span><span class="p">.</span><span class="nx">addInterfaceEndpoint</span><span class="p">(</span><span class="dl">'</span><span class="s1">sm</span><span class="dl">'</span><span class="p">,{</span> <span class="na">service</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InterfaceVpcEndpointAwsService</span><span class="p">.</span><span class="nx">SECRETS_MANAGER</span> <span class="p">});</span> <span class="cm">/* RDS Data API Endpoint */</span> <span class="nx">vpc</span><span class="p">.</span><span class="nx">addInterfaceEndpoint</span><span class="p">(</span><span class="dl">'</span><span class="s1">rds_data</span><span class="dl">'</span><span class="p">,{</span> <span class="na">service</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InterfaceVpcEndpointAwsService</span><span class="p">.</span><span class="nx">RDS_DATA</span> <span class="p">});</span> </code></pre> </div> <h2> Database </h2> <p>Next, we add the construct to create our database cluster. Please note, the following example creates a cluster that meets our own specific needs. You will probably need to adjust the cluster properties.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="cm">/* nodejs modules */</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">SubnetType</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-cdk/aws-ec2</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">rds</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-rds</span><span class="dl">'</span><span class="p">;</span> <span class="cm">/* RDS - Aurora - database */</span> <span class="kd">const</span> <span class="nx">dbCluster</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">ServerlessCluster</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">database</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">engine</span><span class="p">:</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">DatabaseClusterEngine</span><span class="p">.</span><span class="nx">auroraPostgres</span><span class="p">({</span><span class="na">version</span><span class="p">:</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">AuroraPostgresEngineVersion</span><span class="p">.</span><span class="nx">VER_10_12</span><span class="p">}),</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">SubnetType</span><span class="p">.</span><span class="nx">ISOLATED</span> <span class="p">},</span> <span class="na">defaultDatabaseName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">mydatabase</span><span class="dl">'</span><span class="p">,</span> <span class="na">enableDataApi</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="cm">/* this is important ! */</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">RETAIN</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>If we create a database cluster with this high level construct, the admin account for accessing the database is created automatically and the credentials are stored in the <a href="https://aws.amazon.com/secrets-manager/">Secrets Manager</a>.</p> <p>Here's a little side note. For our application we needed to add cross-region secret replication to the automatically generated secret. It took us some efforts to achieve it, but finally we made it. The first line grabs the CloudFormation node of the secret from the clusters child nodes. Once we have that, the <code>addReplicationRegion</code> can easily be called.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">secret</span> <span class="o">=</span> <span class="nx">dbCluster</span><span class="p">.</span><span class="nx">node</span><span class="p">.</span><span class="nx">children</span><span class="p">.</span><span class="nx">filter</span><span class="p">((</span><span class="nx">child</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">child</span> <span class="k">instanceof</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">DatabaseSecret</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="k">as</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">DatabaseSecret</span><span class="p">;</span> <span class="nx">secret</span><span class="p">.</span><span class="nx">addReplicaRegion</span><span class="p">(</span><span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p>Alright. What's next?</p> <h2> Lambda function </h2> <p>Let us create a Lambda function that is capable of talking to our database. Our Lambda function will be connected to the same VPC as the database, it will get two environment variables (ARN of the database cluster and ARN of the secret) and we extend the timeout by a few seconds.</p> <p>Now check out the last line in the following fragment. That's why we love CDK. One single line of code and all the IAM permissions for the Lambda function needed to be able to connect to the database are set exactly as we need it, including the permissions to grab the admin credentials from Secrets Manager.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="cm">/* nodejs modules */</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">lambda</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-lambda</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">lambdaHandler</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">lambda</span><span class="p">.</span><span class="nb">Function</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">myLambdaFunction</span><span class="dl">'</span><span class="p">,{</span> <span class="na">runtime</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">Runtime</span><span class="p">.</span><span class="nx">NODEJS_14_X</span><span class="p">,</span> <span class="na">code</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">Code</span><span class="p">.</span><span class="nx">fromAsset</span><span class="p">(</span><span class="dl">'</span><span class="s1">./lib/lambda/myLambdaFunction</span><span class="dl">'</span><span class="p">),</span> <span class="na">handler</span><span class="p">:</span> <span class="dl">'</span><span class="s1">index.handleApiRequest</span><span class="dl">'</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">dbClusterArn</span><span class="dl">'</span><span class="p">:</span> <span class="nx">dbCluster</span><span class="p">.</span><span class="nx">clusterArn</span><span class="p">,</span> <span class="dl">'</span><span class="s1">secretArn</span><span class="dl">'</span><span class="p">:</span> <span class="nx">secret</span><span class="p">.</span><span class="nx">secretArn</span> <span class="p">},</span> <span class="na">timeout</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nx">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">)</span> <span class="p">});</span> <span class="cm">/* grant permissions to access the RDS Data API */</span> <span class="nx">dbCluster</span><span class="p">.</span><span class="nx">grantDataApiAccess</span><span class="p">(</span><span class="nx">lambdaHandler</span><span class="p">);</span> </code></pre> </div> <p>Now we provide you with some sample content of the Lambda function itself (<code>./lib/lambda/myLambdaFunction/index.ts</code>). Please note that this code is not suitable for production! It is just a demo to show you how to run a simple SQL command on a database and return the result.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">APIGatewayProxyEvent</span><span class="p">,</span> <span class="nx">APIGatewayProxyResult</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-lambda</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">AWS</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handleApiRequest</span> <span class="o">=</span> <span class="k">async</span> <span class="p">(</span><span class="nx">event</span><span class="p">:</span> <span class="nx">APIGatewayProxyEvent</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">APIGatewayProxyResult</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// prepare SQL command</span> <span class="kd">const</span> <span class="nx">sqlParams</span> <span class="o">=</span> <span class="p">{</span> <span class="na">secretArn</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">secretArn</span><span class="p">,</span> <span class="na">resourceArn</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">dbClusterArn</span><span class="p">,</span> <span class="na">sql</span><span class="p">:</span> <span class="dl">'</span><span class="s1">select * from myDemoTable;</span><span class="dl">'</span><span class="p">,</span> <span class="na">database</span><span class="p">:</span> <span class="dl">'</span><span class="s1">mydatabase</span><span class="dl">'</span><span class="p">,</span> <span class="na">includeResultMetadata</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">as</span> <span class="nx">AWS</span><span class="p">.</span><span class="nx">RDSDataService</span><span class="p">.</span><span class="nx">ExecuteStatementRequest</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">rdsData</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nx">RDSDataService</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">rdsData</span><span class="p">.</span><span class="nx">executeStatement</span><span class="p">(</span><span class="nx">sqlParams</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">err</span><span class="p">){</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="p">}</span> <span class="p">}).</span><span class="nx">promise</span><span class="p">();</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">command completed successfully</span><span class="dl">'</span><span class="p">,</span> <span class="na">result</span><span class="p">:</span> <span class="nx">result</span><span class="p">,</span> <span class="na">event</span><span class="p">:</span> <span class="nx">event</span> <span class="p">}),</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <p>If you run a test on this Lambda function you should already be able to run SQL commands and get the result back.</p> <h2> API Gateway </h2> <p>Now there is only one piece missing, our Rest API. You may won't believe how easy we can create our API with CDK. Check this out.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="cm">/* nodejs module */</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">apigw</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-apigateway</span><span class="dl">'</span><span class="p">;</span> <span class="cm">/* create an API */</span> <span class="kd">const</span> <span class="nx">apiDemo</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">apigw</span><span class="p">.</span><span class="nx">RestApi</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">demoApi</span><span class="dl">'</span><span class="p">);</span> <span class="cm">/* add a resource to the API and a method to the resource */</span> <span class="kd">const</span> <span class="nx">demo</span> <span class="o">=</span> <span class="nx">apiDemo</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">addResource</span><span class="p">(</span><span class="dl">'</span><span class="s1">demo</span><span class="dl">'</span><span class="p">);</span> <span class="nx">demo</span><span class="p">.</span><span class="nx">addMethod</span><span class="p">(</span><span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="k">new</span> <span class="nx">apigw</span><span class="p">.</span><span class="nx">LambdaIntegration</span><span class="p">(</span><span class="nx">lambdaHandler</span><span class="p">));</span> </code></pre> </div> <p>Three lines of code and we have an API with a <code>/demo</code> resource and a <code>GET</code> method and a Lambda function attached to it. And what about the permissions for invoking the Lambda? Everything is set up automatically. Isn't it awesome?</p> <p>If you want to add one or more request parameters to a method, have a look at the following PUT sample. This was tricky to figure out and hidden very well <a href="https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-apigateway.MethodOptions.html#requestparameters">in the documentation</a>. In addition, we can add a <code>RequestValidator</code> that already checks at the API Gateway whether the request parameter was passed correctly. This has the advantage that we don't have to implement such a check in the Lambda function and it prevents unnecessary Lambda invocations.</p> <p>Of course, you can also validate the payload of the requests. Check out the great <a href="https://dev.to/dvddpl/reduce-lambda-invocations-and-code-boilerplate-by-adding-a-json-schema-validator-to-your-api-gateway-15af">post</a> by Davide de Paolis.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">stringParamValidator</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">apigw</span><span class="p">.</span><span class="nx">RequestValidator</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">stringParamValidator</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">restApi</span><span class="p">:</span> <span class="nx">apiDemo</span><span class="p">,</span> <span class="na">requestValidatorName</span><span class="p">:</span> <span class="s2">`stringParamValidator`</span><span class="p">,</span> <span class="na">validateRequestParameters</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">demo</span><span class="p">.</span><span class="nx">addMethod</span><span class="p">(</span><span class="dl">'</span><span class="s1">PUT</span><span class="dl">'</span><span class="p">,</span> <span class="k">new</span> <span class="nx">apigw</span><span class="p">.</span><span class="nx">LambdaIntegration</span><span class="p">(</span><span class="nx">lambdaHandler</span><span class="p">),</span> <span class="p">{</span> <span class="na">requestParameters</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">method.request.querystring.myparameter</span><span class="dl">'</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="na">requestValidator</span><span class="p">:</span> <span class="nx">stringParamValidator</span> <span class="p">});</span> </code></pre> </div> <p>Again a side note. The <code>aws-apigateway</code> module has another class that could make it even easier to create Lambda backed Rest APIs. You may want to <a href="https://docs.aws.amazon.com/cdk/api/latest/docs/aws-apigateway-readme.html#aws-lambda-backed-apis">read about it here</a>.</p> <p>And here is another addition to the API Gateway topic. In our real-world application, we needed a private Rest API. If you are curious about how to create a private Rest API, one that is accessable only within a VPC, here is our API construct with a policy attached.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="cm">/* API Gateway endpoint, only for private Rest APIs needed */</span> <span class="kd">const</span> <span class="nx">apigwEndpoint</span> <span class="o">=</span> <span class="nx">vpc</span><span class="p">.</span><span class="nx">addInterfaceEndpoint</span><span class="p">(</span><span class="dl">'</span><span class="s1">apiGw</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">service</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InterfaceVpcEndpointAwsService</span><span class="p">.</span><span class="nx">APIGATEWAY</span> <span class="p">});</span> <span class="cm">/* private API Gateway */</span> <span class="kd">const</span> <span class="nx">api</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">apigw</span><span class="p">.</span><span class="nx">RestApi</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">demoApi</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">endpointConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">types</span><span class="p">:</span> <span class="p">[</span><span class="nx">apigw</span><span class="p">.</span><span class="nx">EndpointType</span><span class="p">.</span><span class="nx">PRIVATE</span><span class="p">],</span> <span class="na">vpcEndpoints</span><span class="p">:</span> <span class="p">[</span><span class="nx">apigwEndpoint</span><span class="p">]</span> <span class="p">},</span> <span class="na">policy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">PolicyDocument</span><span class="p">({</span> <span class="na">statements</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Effect</span><span class="p">.</span><span class="nx">ALLOW</span><span class="p">,</span> <span class="na">principals</span><span class="p">:</span> <span class="p">[</span><span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">AnyPrincipal</span><span class="p">()],</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">execute-api:Invoke</span><span class="dl">"</span><span class="p">],</span> <span class="c1">//the following creates a reference to the RestAPI itself</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">cdk</span><span class="p">.</span><span class="nx">Fn</span><span class="p">.</span><span class="nx">join</span><span class="p">(</span><span class="dl">''</span><span class="p">,</span> <span class="p">[</span><span class="dl">'</span><span class="s1">execute-api:/</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">])]</span> <span class="p">}),</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">PolicyStatement</span><span class="p">({</span> <span class="na">effect</span><span class="p">:</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">Effect</span><span class="p">.</span><span class="nx">DENY</span><span class="p">,</span> <span class="na">principals</span><span class="p">:</span> <span class="p">[</span><span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">AnyPrincipal</span><span class="p">()],</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">execute-api:Invoke</span><span class="dl">"</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">cdk</span><span class="p">.</span><span class="nx">Fn</span><span class="p">.</span><span class="nx">join</span><span class="p">(</span><span class="dl">''</span><span class="p">,</span> <span class="p">[</span><span class="dl">'</span><span class="s1">execute-api:/</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">])],</span> <span class="na">conditions</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">StringNotEquals</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">aws:sourceVpc</span><span class="dl">"</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">.</span><span class="nx">vpcId</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">]</span> <span class="p">})</span> <span class="p">});</span> </code></pre> </div> <h2> Summary </h2> <p>Since it took us a couple of hours to figure this all out, we hope that with this article we can help you get your CDK application up and running faster.</p> <p>As the fragments are copied out of a much more complex application, we cannot guarantee that an error has not crept in. If something is not working properly or you have any additions, we would appreciate it if you let us know.</p> <p>Best regards and happy coding.</p> <p>Andy / cloudxs</p> aws cdk apigateway rds