Resource: awsLambdaCodeSigningConfig

Provides a Lambda Code Signing Config resource. A code signing configuration defines a list of allowed signing profiles and defines the code-signing validation policy (action to be taken if deployment validation checks fail).

For information about Lambda code signing configurations and how to use them, see configuring code signing for Lambda functions.

Example Usage

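import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// MyStack is a placeholder name for the enclosing stack that `this` refers to.
class MyStack extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    new aws.lambdaCodeSigningConfig.LambdaCodeSigningConfig(this, "new_csc", {
      allowedPublishers: {
        // These interpolations refer to aws_signer_signing_profile resources declared in the same stack.
        signingProfileVersionArns: [
          "${aws_signer_signing_profile.example1.arn}",
          "${aws_signer_signing_profile.example2.arn}",
        ],
      },
      description: "My awesome code signing config.",
      policies: {
        // Warn allows the deployment and only logs the failed validation; Enforce blocks it.
        untrustedArtifactOnDeployment: "Warn",
      },
    });
  }
}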

Argument Reference

  • allowedPublishers - (Required) A configuration block of allowed publishers as signing profiles for this code signing configuration. Detailed below.
  • policies - (Optional) A configuration block of code signing policies that define the actions to take if the validation checks fail. Detailed below.
  • description - (Optional) Descriptive name for this code signing configuration.

The allowedPublishers block supports the following argument:

  • signingProfileVersionArns - (Required) The Amazon Resource Name (ARN) for each of the signing profiles. A signing profile defines a trusted user who can sign a code package.

The policies block supports the following argument:

  • untrustedArtifactOnDeployment - (Required) Code signing configuration policy for deployment validation failure. If you set the policy to Enforce, Lambda blocks the deployment request if code-signing validation checks fail. If you set the policy to Warn, Lambda allows the deployment and creates a CloudWatch log. Valid values: Warn, Enforce. Default value: Warn.
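
An added example, not part of the provider documentation: a TypeScript check that scans synthesized Terraform JSON for code signing configurations that will not block a deployment when validation fails, either because the policy is Warn or because the optional policies block is omitted. The `resource.aws_lambda_code_signing_config` layout with snake_case attribute names is an assumption about the synthesized output, and the function names and sample document are constructed for illustration.

```typescript
// Added example: flag code signing configs that do not block unsigned code.
type Json = { [key: string]: any };
type Finding = { name: string; policy: string; reason: string };

// Assumption: a nested block is synthesized as an object or a one-element array.
function block(value: any): Json {
  if (Array.isArray(value)) return value[0] ?? {};
  return value ?? {};
}

function auditCodeSigningConfigs(synth: Json): Finding[] {
  const configs: Json = synth.resource?.aws_lambda_code_signing_config ?? {};
  const findings: Finding[] = [];
  for (const name of Object.keys(configs)) {
    const raw = block(configs[name].policies).untrusted_artifact_on_deployment;
    // The policies block is optional; when it is omitted the default, Warn, applies.
    const policy: string = typeof raw === "string" ? raw : "Warn";
    if (policy.toLowerCase() === "enforce") continue; // deployment is blocked
    const reason = raw === undefined
      ? "policy omitted, default applies"
      : "failed validation is logged, deployment proceeds";
    findings.push({ name, policy, reason });
  }
  return findings;
}

// Constructed sample of synthesized output (not taken from a real stack).
const publishers = {
  signing_profile_version_arns: ["${aws_signer_signing_profile.example1.arn}"],
};
const sampleSynth: Json = {
  resource: {
    aws_lambda_code_signing_config: {
      new_csc: {
        allowed_publishers: publishers,
        policies: { untrusted_artifact_on_deployment: "Warn" },
      },
      default_csc: { allowed_publishers: publishers },
      strict_csc: {
        allowed_publishers: publishers,
        policies: [{ untrusted_artifact_on_deployment: "Enforce" }],
      },
    },
  },
};

console.log(auditCodeSigningConfigs(sampleSynth));
```

Run as a pre-deployment gate, a non-empty result means at least one configuration would let an unsigned or untrusted package through with only a log entry.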

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - The Amazon Resource Name (ARN) of the code signing configuration.
  • configId - Unique identifier for the code signing configuration.
  • lastModified - The date and time that the code signing configuration was last modified.

Import

Code Signing Configs can be imported using their ARN, e.g.,

$ terraform import aws_lambda_code_signing_config.imported_csc arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-0f6c334abcdea4d8b