From 572fe0a68f18724f5b43460c1858634b5aff45e5 Mon Sep 17 00:00:00 2001 From: Xia Zhao Date: Mon, 19 Aug 2024 15:04:57 -0700 Subject: [PATCH 1/2] feat(lambda): support Recursive Loop Protection property --- ...efaultTestDeployAssert68FA1353.assets.json | 19 + ...aultTestDeployAssert68FA1353.template.json | 36 ++ .../cdk.out | 1 + .../integ.json | 12 + .../manifest.json | 143 ++++++ .../stack.assets.json | 19 + .../stack.template.json | 190 ++++++++ .../tree.json | 376 +++++++++++++++ .../test/integ.lambda-recursive-loop.ts | 32 ++ packages/aws-cdk-lib/aws-lambda/README.md | 23 +- .../aws-cdk-lib/aws-lambda/lib/function.ts | 20 + .../aws-lambda/test/function.test.ts | 61 +++ packages/aws-cdk-lib/awslint.json | 1 + .../aws-lambda-function-recursive-loop.json | 444 ++++++++++++++++++ 14 files changed, 1375 insertions(+), 2 deletions(-) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/integ.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/stack.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/stack.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/tree.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.ts create mode 100644 tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-function-recursive-loop.json diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353.assets.json new file mode 100644 index 0000000000000..999d9745a41a9 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/cdk.out new file mode 100644 index 0000000000000..1f0068d32659a --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/integ.json new file mode 100644 index 0000000000000..ca98342bc5471 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "36.0.0", + "testCases": { + "LambdaRecursiveLoopTest/DefaultTest": { + "stacks": [ + "stack" + ], + "assertionStack": "LambdaRecursiveLoopTest/DefaultTest/DeployAssert", + "assertionStackName": "LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/manifest.json new file mode 100644 index 0000000000000..2437f1f312db8 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/manifest.json @@ -0,0 +1,143 @@ +{ + "version": "36.0.0", + "artifacts": { + "stack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "stack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "stack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "stack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/172104e0bf6268b5c63ccdf9a63b9db49e4eeeebac2376b303304501c16dc959.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "stack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "stack.assets" + ], + "metadata": { + "/stack/LambdaWithRecursionLoopProtection/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "LambdaWithRecursionLoopProtectionServiceRoleA7B94605" + } + ], + "/stack/LambdaWithRecursionLoopProtection/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "LambdaWithRecursionLoopProtectionA3FC83DA" + } + ], + "/stack/LambdaWithoutRecursionLoopProtection/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "LambdaWithoutRecursionLoopProtectionServiceRole72AE2C03" + } + ], + "/stack/LambdaWithoutRecursionLoopProtection/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "LambdaWithoutRecursionLoopProtectionB8E30B60" + } + ], + "/stack/LambdaWithDefaultRecursionLoopProtection/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "LambdaWithDefaultRecursionLoopProtectionServiceRoleFFB5B9DB" + } + ], + "/stack/LambdaWithDefaultRecursionLoopProtection/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "LambdaWithDefaultRecursionLoopProtectionAAC84758" + } + ], + "/stack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/stack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "stack" + }, + "LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "LambdaRecursiveLoopTestDefaultTestDeployAssert68FA1353.assets" + ], + "metadata": { + "/LambdaRecursiveLoopTest/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/LambdaRecursiveLoopTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "LambdaRecursiveLoopTest/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/stack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/stack.assets.json new file mode 100644 index 0000000000000..76223051bde7f --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/stack.assets.json @@ -0,0 +1,19 @@ +{ + "version": "36.0.0", + "files": { + "172104e0bf6268b5c63ccdf9a63b9db49e4eeeebac2376b303304501c16dc959": { + "source": { + "path": "stack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "172104e0bf6268b5c63ccdf9a63b9db49e4eeeebac2376b303304501c16dc959.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/stack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/stack.template.json new file mode 100644 index 0000000000000..122f311ac6156 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/stack.template.json @@ -0,0 +1,190 @@ +{ + "Resources": { + "LambdaWithRecursionLoopProtectionServiceRoleA7B94605": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "LambdaWithRecursionLoopProtectionA3FC83DA": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "foo" + }, + "Handler": "index.handler", + "RecursiveLoop": "Terminate", + "Role": { + "Fn::GetAtt": [ + "LambdaWithRecursionLoopProtectionServiceRoleA7B94605", + "Arn" + ] + }, + "Runtime": "python3.9" + }, + "DependsOn": [ + "LambdaWithRecursionLoopProtectionServiceRoleA7B94605" + ] + }, + "LambdaWithoutRecursionLoopProtectionServiceRole72AE2C03": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "LambdaWithoutRecursionLoopProtectionB8E30B60": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "foo" + }, + "Handler": "index.handler", + "RecursiveLoop": "Allow", + "Role": { + "Fn::GetAtt": [ + "LambdaWithoutRecursionLoopProtectionServiceRole72AE2C03", + "Arn" + ] + }, + "Runtime": "python3.9" + }, + "DependsOn": [ + "LambdaWithoutRecursionLoopProtectionServiceRole72AE2C03" + ] + }, + "LambdaWithDefaultRecursionLoopProtectionServiceRoleFFB5B9DB": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "LambdaWithDefaultRecursionLoopProtectionAAC84758": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "foo" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "LambdaWithDefaultRecursionLoopProtectionServiceRoleFFB5B9DB", + "Arn" + ] + }, + "Runtime": "python3.9" + }, + "DependsOn": [ + "LambdaWithDefaultRecursionLoopProtectionServiceRoleFFB5B9DB" + ] + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/tree.json new file mode 100644 index 0000000000000..2544f88bba827 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/tree.json @@ -0,0 +1,376 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "stack": { + "id": "stack", + "path": "stack", + "children": { + "LambdaWithRecursionLoopProtection": { + "id": "LambdaWithRecursionLoopProtection", + "path": "stack/LambdaWithRecursionLoopProtection", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "stack/LambdaWithRecursionLoopProtection/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "stack/LambdaWithRecursionLoopProtection/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "stack/LambdaWithRecursionLoopProtection/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "stack/LambdaWithRecursionLoopProtection/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "zipFile": "foo" + }, + "handler": "index.handler", + "recursiveLoop": "Terminate", + "role": { + "Fn::GetAtt": [ + "LambdaWithRecursionLoopProtectionServiceRoleA7B94605", + "Arn" + ] + }, + "runtime": "python3.9" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.Function", + "version": "0.0.0" + } + }, + "LambdaWithoutRecursionLoopProtection": { + "id": "LambdaWithoutRecursionLoopProtection", + "path": "stack/LambdaWithoutRecursionLoopProtection", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "stack/LambdaWithoutRecursionLoopProtection/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "stack/LambdaWithoutRecursionLoopProtection/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "stack/LambdaWithoutRecursionLoopProtection/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "stack/LambdaWithoutRecursionLoopProtection/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "zipFile": "foo" + }, + "handler": "index.handler", + "recursiveLoop": "Allow", + "role": { + "Fn::GetAtt": [ + "LambdaWithoutRecursionLoopProtectionServiceRole72AE2C03", + "Arn" + ] + }, + "runtime": "python3.9" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.Function", + "version": "0.0.0" + } + }, + "LambdaWithDefaultRecursionLoopProtection": { + "id": "LambdaWithDefaultRecursionLoopProtection", + "path": "stack/LambdaWithDefaultRecursionLoopProtection", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "stack/LambdaWithDefaultRecursionLoopProtection/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "stack/LambdaWithDefaultRecursionLoopProtection/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "stack/LambdaWithDefaultRecursionLoopProtection/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "stack/LambdaWithDefaultRecursionLoopProtection/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::Lambda::Function", + "aws:cdk:cloudformation:props": { + "code": { + "zipFile": "foo" + }, + "handler": "index.handler", + "role": { + "Fn::GetAtt": [ + "LambdaWithDefaultRecursionLoopProtectionServiceRoleFFB5B9DB", + "Arn" + ] + }, + "runtime": "python3.9" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.CfnFunction", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_lambda.Function", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "stack/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "stack/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "LambdaRecursiveLoopTest": { + "id": "LambdaRecursiveLoopTest", + "path": "LambdaRecursiveLoopTest", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "LambdaRecursiveLoopTest/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "LambdaRecursiveLoopTest/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "LambdaRecursiveLoopTest/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "LambdaRecursiveLoopTest/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "LambdaRecursiveLoopTest/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.ts new file mode 100644 index 0000000000000..7e55408e8bf63 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.ts @@ -0,0 +1,32 @@ +import * as cdk from 'aws-cdk-lib'; +import * as lambda from 'aws-cdk-lib/aws-lambda'; +import { InlineCode, Runtime } from 'aws-cdk-lib/aws-lambda'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; + +const app = new cdk.App(); + +const stack = new cdk.Stack(app, 'stack'); + +new lambda.Function(stack, 'LambdaWithRecursionLoopProtection', { + runtime: Runtime.PYTHON_3_9, + handler: 'index.handler', + code: new InlineCode('foo'), + recursiveLoop: lambda.RecursiveLoop.TERMINATE, +}); + +new lambda.Function(stack, 'LambdaWithoutRecursionLoopProtection', { + runtime: Runtime.PYTHON_3_9, + handler: 'index.handler', + code: new InlineCode('foo'), + recursiveLoop: lambda.RecursiveLoop.ALLOW, +}); + +new lambda.Function(stack, 'LambdaWithDefaultRecursionLoopProtection', { + runtime: Runtime.PYTHON_3_9, + handler: 'index.handler', + code: new InlineCode('foo'), +}); + +new IntegTest(app, 'LambdaRecursiveLoopTest', { + testCases: [stack], +}); \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-lambda/README.md b/packages/aws-cdk-lib/aws-lambda/README.md index 160f9296c6242..3a10e7aa3c369 100644 --- a/packages/aws-cdk-lib/aws-lambda/README.md +++ b/packages/aws-cdk-lib/aws-lambda/README.md @@ -1009,8 +1009,7 @@ const fn = new lambda.Function(this, 'MyFunction', { }); ``` -See [the AWS documentation](https://docs.aws.amazon.com/lambda/latest/dg/concurrent-executions.html) -managing concurrency. +https://docs.aws.amazon.com/lambda/latest/dg/invocation-recursion.html ## Lambda with SnapStart @@ -1086,6 +1085,26 @@ new lambda.Function(this, 'Lambda', { Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16. If you are deploying to another type of region, please check regional availability first. +## Lambda with Recursive Loop protection + +Recursive loop protection is to stop unintended loops. The customers are opted in by default for Lambda to detect and terminate unintended loops between Lambda and other AWS Services. +The property can be assigned two values here, "Allow" and "Terminate". + +The default value is set to "Terminate", which lets the Lambda to detect and terminate the recursive loops. + +When the value is set to "Allow", the customers opt out of recursive loop detection and Lambda does not terminate recursive loops if any. + +See [the AWS documentation](https://docs.aws.amazon.com/lambda/latest/dg/invocation-recursion.html) to learn more about AWS Lambda Recusrive Loop Detection + +```ts +const fn = new lambda.Function(this, 'MyFunction', { + code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')), + runtime: lambda.Runtime.JAVA_11, + handler: 'example.Handler::handleRequest', + recursiveLoop: lambda.RecursiveLoop.TERMINATE, + }); +``` + ### Legacy Log Retention As an alternative to providing a custom, user controlled log group, the legacy `logRetention` property can be used to set a different expiration period. diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function.ts b/packages/aws-cdk-lib/aws-lambda/lib/function.ts index 7d15500da259c..9801f192738d0 100644 --- a/packages/aws-cdk-lib/aws-lambda/lib/function.ts +++ b/packages/aws-cdk-lib/aws-lambda/lib/function.ts @@ -140,6 +140,17 @@ export enum LoggingFormat { JSON = 'JSON', } +export enum RecursiveLoop { + /** + * Allows the recursive loop to happen and does not terminate it. + */ + ALLOW = 'Allow', + /** + * Terminates the recursive loop. + */ + TERMINATE = 'Terminate', +} + /** * Non runtime options */ @@ -535,6 +546,14 @@ export interface FunctionOptions extends EventInvokeConfigOptions { */ readonly loggingFormat?: LoggingFormat; + /** + * Sets the Recursive Loop Protection for Lambda Function. + * It lets Lambda detect and terminate unintended recusrive loops. + * + * @default RecursiveLoop.Terminate + */ + readonly recursiveLoop?: RecursiveLoop; + /** * Sets the application log level for the function. * @deprecated Use `applicationLogLevelV2` as a property instead. @@ -1025,6 +1044,7 @@ export class Function extends FunctionBase { runtimeManagementConfig: props.runtimeManagementMode?.runtimeManagementConfig, snapStart: this.configureSnapStart(props), loggingConfig: this.getLoggingConfig(props), + recursiveLoop: props.recursiveLoop, }); if ((props.tracing !== undefined) || (props.adotInstrumentation !== undefined)) { diff --git a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts index c5228bb2cd82c..13e40d01d576a 100644 --- a/packages/aws-cdk-lib/aws-lambda/test/function.test.ts +++ b/packages/aws-cdk-lib/aws-lambda/test/function.test.ts @@ -3489,6 +3489,67 @@ describe('function', () => { }); }); + describe('Recursive Loop', () => { + test('with recursive loop protection', () => { + const stack = new cdk.Stack(); + new lambda.Function(stack, 'MyLambda', { + code: new lambda.InlineCode('foo'), + handler: 'bar', + runtime: lambda.Runtime.NODEJS_LATEST, + recursiveLoop: lambda.RecursiveLoop.TERMINATE, + }); + + Template.fromStack(stack).hasResource('AWS::Lambda::Function', { + Properties: + { + Code: { ZipFile: 'foo' }, + Handler: 'bar', + Runtime: lambda.Runtime.NODEJS_LATEST.name, + RecursiveLoop: 'Terminate', + }, + }); + }); + + test('without recursive loop protection', () => { + const stack = new cdk.Stack(); + new lambda.Function(stack, 'MyLambda', { + code: new lambda.InlineCode('foo'), + handler: 'bar', + runtime: lambda.Runtime.NODEJS_LATEST, + recursiveLoop: lambda.RecursiveLoop.ALLOW, + }); + + Template.fromStack(stack).hasResource('AWS::Lambda::Function', { + Properties: + { + Code: { ZipFile: 'foo' }, + Handler: 'bar', + Runtime: lambda.Runtime.NODEJS_LATEST.name, + RecursiveLoop: 'Allow', + }, + }); + }); + + test('default recursive loop protection', () => { + const stack = new cdk.Stack(); + new lambda.Function(stack, 'MyLambda', { + code: new lambda.InlineCode('foo'), + handler: 'bar', + runtime: lambda.Runtime.NODEJS_LATEST, + }); + + Template.fromStack(stack).hasResource('AWS::Lambda::Function', { + Properties: + { + Code: { ZipFile: 'foo' }, + Handler: 'bar', + Runtime: lambda.Runtime.NODEJS_LATEST.name, + // for default, if the property is not set up in stack it doesn't show up in the template. + }, + }); + }); + }); + test('called twice for the same service principal but with different conditions', () => { // GIVEN const stack = new cdk.Stack(); diff --git a/packages/aws-cdk-lib/awslint.json b/packages/aws-cdk-lib/awslint.json index 8db48224a89b1..ac8e33cb29dea 100644 --- a/packages/aws-cdk-lib/awslint.json +++ b/packages/aws-cdk-lib/awslint.json @@ -361,6 +361,7 @@ "docs-public-apis:aws-cdk-lib.aws_lambda.RuntimeManagementMode.mode", "docs-public-apis:aws-cdk-lib.aws_lambda.RuntimeManagementMode.arn", "docs-public-apis:aws-cdk-lib.aws_lambda.SnapStartConf", + "docs-public-apis:aws-cdk-lib.aws_lambda.RecursiveLoop", "docs-public-apis:aws-cdk-lib.aws_lambda.SnapStartConf.ON_PUBLISHED_VERSIONS", "docs-public-apis:aws-cdk-lib.aws_lambda.Version.fromVersionAttributes", "docs-public-apis:aws-cdk-lib.aws_lambda_event_sources.ApiEventSource", diff --git a/tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-function-recursive-loop.json b/tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-function-recursive-loop.json new file mode 100644 index 0000000000000..4c2951843f230 --- /dev/null +++ b/tools/@aws-cdk/spec2cdk/temporary-schemas/us-east-1/aws-lambda-function-recursive-loop.json @@ -0,0 +1,444 @@ +{ + "tagging" : { + "taggable" : true, + "tagOnCreate" : true, + "tagUpdatable" : true, + "tagProperty" : "/properties/Tags", + "cloudFormationSystemTags" : true + }, + "handlers" : { + "read" : { + "permissions" : [ "lambda:GetFunction", "lambda:GetFunctionCodeSigningConfig" ] + }, + "create" : { + "permissions" : [ "lambda:CreateFunction", "lambda:GetFunction", "lambda:PutFunctionConcurrency", "iam:PassRole", "s3:GetObject", "s3:GetObjectVersion", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "elasticfilesystem:DescribeMountTargets", "kms:CreateGrant", "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "lambda:GetCodeSigningConfig", "lambda:GetFunctionCodeSigningConfig", "lambda:GetLayerVersion", "lambda:GetRuntimeManagementConfig", "lambda:PutRuntimeManagementConfig", "lambda:TagResource" ] + }, + "update" : { + "permissions" : [ "lambda:DeleteFunctionConcurrency", "lambda:GetFunction", "lambda:PutFunctionConcurrency", "lambda:ListTags", "lambda:TagResource", "lambda:UntagResource", "lambda:UpdateFunctionConfiguration", "lambda:UpdateFunctionCode", "iam:PassRole", "s3:GetObject", "s3:GetObjectVersion", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "elasticfilesystem:DescribeMountTargets", "kms:CreateGrant", "kms:Decrypt", "kms:GenerateDataKey", "lambda:GetRuntimeManagementConfig", "lambda:PutRuntimeManagementConfig", "lambda:PutFunctionCodeSigningConfig", "lambda:DeleteFunctionCodeSigningConfig", "lambda:GetCodeSigningConfig", "lambda:GetFunctionCodeSigningConfig" ] + }, + "list" : { + "permissions" : [ "lambda:ListFunctions" ] + }, + "delete" : { + "permissions" : [ "lambda:DeleteFunction", "lambda:GetFunction", "ec2:DescribeNetworkInterfaces" ] + } + }, + "typeName" : "AWS::Lambda::Function", + "readOnlyProperties" : [ "/properties/SnapStartResponse", "/properties/SnapStartResponse/ApplyOn", "/properties/SnapStartResponse/OptimizationStatus", "/properties/Arn" ], + "description" : "The ``AWS::Lambda::Function`` resource creates a Lambda function. To create a function, you need a [deployment package](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html) and an [execution role](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html). The deployment package is a .zip file archive or container image that contains your function code. The execution role grants the function permission to use AWS services, such as Amazon CloudWatch Logs for log streaming and AWS X-Ray for request tracing.\n You set the package type to ``Image`` if the deployment package is a [container image](https://docs.aws.amazon.com/lambda/latest/dg/lambda-images.html). For a container image, the code property must include the URI of a container image in the Amazon ECR registry. You do not need to specify the handler and runtime properties. \n You set the package type to ``Zip`` if the deployment package is a [.zip file archive](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html#gettingstarted-package-zip). For a .zip file archive, the code property specifies the location of the .zip file. You must also specify the handler and runtime properties. For a Python example, see [Deploy Python Lambda functions with .zip file archives](https://docs.aws.amazon.com/lambda/latest/dg/python-package.html).\n You can use [code signing](https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html) if your deployment package is a .zip file archive. To enable code signing for this function, specify the ARN of a code-signing configuration. When a user attempts to deploy a code package with ``UpdateFunctionCode``, Lambda checks that the code package has a valid signature from a trusted publisher. The code-signing configuration includes a set of signing profiles, which define the trusted publishers for this function.\n Note that you configure [provisioned concurrency](https://docs.aws.amazon.com/lambda/latest/dg/provisioned-concurrency.html) on a ``AWS::Lambda::Version`` or a ``AWS::Lambda::Alias``.\n For a complete introduction to Lambda functions, see [What is Lambda?](https://docs.aws.amazon.com/lambda/latest/dg/lambda-welcome.html) in the *Lambda developer guide.*", + "writeOnlyProperties" : [ "/properties/SnapStart", "/properties/SnapStart/ApplyOn", "/properties/Code", "/properties/Code/ImageUri", "/properties/Code/S3Bucket", "/properties/Code/S3Key", "/properties/Code/S3ObjectVersion", "/properties/Code/ZipFile" ], + "createOnlyProperties" : [ "/properties/FunctionName" ], + "additionalProperties" : false, + "primaryIdentifier" : [ "/properties/FunctionName" ], + "definitions" : { + "ImageConfig" : { + "description" : "Configuration values that override the container image Dockerfile settings. For more information, see [Container image settings](https://docs.aws.amazon.com/lambda/latest/dg/images-create.html#images-parms).", + "additionalProperties" : false, + "type" : "object", + "properties" : { + "WorkingDirectory" : { + "description" : "Specifies the working directory. The length of the directory string cannot exceed 1,000 characters.", + "type" : "string" + }, + "Command" : { + "maxItems" : 1500, + "uniqueItems" : true, + "description" : "Specifies parameters that you want to pass in with ENTRYPOINT. You can specify a maximum of 1,500 parameters in the list.", + "type" : "array", + "items" : { + "type" : "string" + } + }, + "EntryPoint" : { + "maxItems" : 1500, + "uniqueItems" : true, + "description" : "Specifies the entry point to their application, which is typically the location of the runtime executable. You can specify a maximum of 1,500 string entries in the list.", + "type" : "array", + "items" : { + "type" : "string" + } + } + } + }, + "TracingConfig" : { + "description" : "The function's [](https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html) tracing configuration. To sample and record incoming requests, set ``Mode`` to ``Active``.", + "additionalProperties" : false, + "type" : "object", + "properties" : { + "Mode" : { + "description" : "The tracing mode.", + "type" : "string", + "enum" : [ "Active", "PassThrough" ] + } + } + }, + "VpcConfig" : { + "description" : "The VPC security groups and subnets that are attached to a Lambda function. When you connect a function to a VPC, Lambda creates an elastic network interface for each combination of security group and subnet in the function's VPC configuration. The function can only access resources and the internet through that VPC. For more information, see [VPC Settings](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html).\n When you delete a function, CFN monitors the state of its network interfaces and waits for Lambda to delete them before proceeding. If the VPC is defined in the same stack, the network interfaces need to be deleted by Lambda before CFN can delete the VPC's resources.\n To monitor network interfaces, CFN needs the ``ec2:DescribeNetworkInterfaces`` permission. It obtains this from the user or role that modifies the stack. If you don't provide this permission, CFN does not wait for network interfaces to be deleted.", + "additionalProperties" : false, + "type" : "object", + "properties" : { + "Ipv6AllowedForDualStack" : { + "description" : "Allows outbound IPv6 traffic on VPC functions that are connected to dual-stack subnets.", + "type" : "boolean" + }, + "SecurityGroupIds" : { + "maxItems" : 5, + "uniqueItems" : false, + "description" : "A list of VPC security group IDs.", + "type" : "array", + "items" : { + "type" : "string" + } + }, + "SubnetIds" : { + "maxItems" : 16, + "uniqueItems" : false, + "description" : "A list of VPC subnet IDs.", + "type" : "array", + "items" : { + "type" : "string" + } + } + } + }, + "DeadLetterConfig" : { + "description" : "The [dead-letter queue](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#dlq) for failed asynchronous invocations.", + "additionalProperties" : false, + "type" : "object", + "properties" : { + "TargetArn" : { + "pattern" : "^(arn:(aws[a-zA-Z-]*)?:[a-z0-9-.]+:.*)|()$", + "description" : "The Amazon Resource Name (ARN) of an Amazon SQS queue or Amazon SNS topic.", + "type" : "string" + } + } + }, + "RuntimeManagementConfig" : { + "description" : "Sets the runtime management configuration for a function's version. For more information, see [Runtime updates](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html).", + "additionalProperties" : false, + "type" : "object", + "properties" : { + "UpdateRuntimeOn" : { + "description" : "Specify the runtime update mode.\n + *Auto (default)* - Automatically update to the most recent and secure runtime version using a [Two-phase runtime version rollout](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-management-two-phase). This is the best choice for most customers to ensure they always benefit from runtime updates.\n + *FunctionUpdate* - LAM updates the runtime of you function to the most recent and secure runtime version when you update your function. This approach synchronizes runtime updates with function deployments, giving you control over when runtime updates are applied and allowing you to detect and mitigate rare runtime update incompatibilities early. When using this setting, you need to regularly update your functions to keep their runtime up-to-date.\n + *Manual* - You specify a runtime version in your function configuration. The function will use this runtime version indefinitely. In the rare case where a new runtime version is incompatible with an existing function, this allows you to roll back your function to an earlier runtime version. For more information, see [Roll back a runtime version](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-management-rollback).\n \n *Valid Values*: ``Auto`` | ``FunctionUpdate`` | ``Manual``", + "type" : "string", + "enum" : [ "Auto", "FunctionUpdate", "Manual" ] + }, + "RuntimeVersionArn" : { + "description" : "The ARN of the runtime version you want the function to use.\n This is only required if you're using the *Manual* runtime update mode.", + "type" : "string" + } + }, + "required" : [ "UpdateRuntimeOn" ] + }, + "SnapStart" : { + "description" : "The function's [SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html) setting.", + "additionalProperties" : false, + "type" : "object", + "properties" : { + "ApplyOn" : { + "description" : "Set ``ApplyOn`` to ``PublishedVersions`` to create a snapshot of the initialized execution environment when you publish a function version.", + "type" : "string", + "enum" : [ "PublishedVersions", "None" ] + } + }, + "required" : [ "ApplyOn" ] + }, + "SnapStartResponse" : { + "description" : "The function's [SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html) setting.", + "additionalProperties" : false, + "type" : "object", + "properties" : { + "OptimizationStatus" : { + "description" : "When you provide a [qualified Amazon Resource Name (ARN)](https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html#versioning-versions-using), this response element indicates whether SnapStart is activated for the specified function version.", + "type" : "string", + "enum" : [ "On", "Off" ] + }, + "ApplyOn" : { + "description" : "When set to ``PublishedVersions``, Lambda creates a snapshot of the execution environment when you publish a function version.", + "type" : "string", + "enum" : [ "PublishedVersions", "None" ] + } + } + }, + "Code" : { + "description" : "The [deployment package](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html) for a Lambda function. To deploy a function defined as a container image, you specify the location of a container image in the Amazon ECR registry. For a .zip file deployment package, you can specify the location of an object in Amazon S3. For Node.js and Python functions, you can specify the function code inline in the template.\n Changes to a deployment package in Amazon S3 or a container image in ECR are not detected automatically during stack updates. To update the function code, change the object key or version in the template.", + "additionalProperties" : false, + "type" : "object", + "properties" : { + "S3ObjectVersion" : { + "minLength" : 1, + "description" : "For versioned objects, the version of the deployment package object to use.", + "type" : "string", + "maxLength" : 1024 + }, + "S3Bucket" : { + "minLength" : 3, + "pattern" : "^[0-9A-Za-z\\.\\-_]*(?``. To use a different log group, enter an existing log group or enter a new log group name.", + "type" : "string", + "maxLength" : 512 + }, + "SystemLogLevel" : { + "description" : "Set this property to filter the system logs for your function that Lambda sends to CloudWatch. Lambda only sends system logs at the selected level of detail and lower, where ``DEBUG`` is the highest level and ``WARN`` is the lowest.", + "type" : "string", + "enum" : [ "DEBUG", "INFO", "WARN" ] + } + } + }, + "Environment" : { + "description" : "A function's environment variable settings. You can use environment variables to adjust your function's behavior without updating code. An environment variable is a pair of strings that are stored in a function's version-specific configuration.", + "additionalProperties" : false, + "type" : "object", + "properties" : { + "Variables" : { + "patternProperties" : { + "[a-zA-Z][a-zA-Z0-9_]+" : { + "type" : "string" + } + }, + "description" : "Environment variable key-value pairs. For more information, see [Using Lambda environment variables](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html).", + "additionalProperties" : false, + "type" : "object" + } + } + }, + "FileSystemConfig" : { + "description" : "Details about the connection between a Lambda function and an [Amazon EFS file system](https://docs.aws.amazon.com/lambda/latest/dg/configuration-filesystem.html).", + "additionalProperties" : false, + "type" : "object", + "properties" : { + "Arn" : { + "pattern" : "^arn:aws[a-zA-Z-]*:elasticfilesystem:[a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\\d{1}:\\d{12}:access-point/fsap-[a-f0-9]{17}$", + "description" : "The Amazon Resource Name (ARN) of the Amazon EFS access point that provides access to the file system.", + "type" : "string", + "maxLength" : 200 + }, + "LocalMountPath" : { + "pattern" : "^/mnt/[a-zA-Z0-9-_.]+$", + "description" : "The path where the function can access the file system, starting with ``/mnt/``.", + "type" : "string", + "maxLength" : 160 + } + }, + "required" : [ "Arn", "LocalMountPath" ] + }, + "Tag" : { + "description" : "", + "additionalProperties" : false, + "type" : "object", + "properties" : { + "Value" : { + "minLength" : 0, + "description" : "", + "type" : "string", + "maxLength" : 256 + }, + "Key" : { + "minLength" : 1, + "description" : "", + "type" : "string", + "maxLength" : 128 + } + }, + "required" : [ "Key" ] + }, + "EphemeralStorage" : { + "description" : "The size of the function's ``/tmp`` directory in MB. The default value is 512, but it can be any whole number between 512 and 10,240 MB.", + "additionalProperties" : false, + "type" : "object", + "properties" : { + "Size" : { + "description" : "The size of the function's ``/tmp`` directory.", + "maximum" : 10240, + "type" : "integer", + "minimum" : 512 + } + }, + "required" : [ "Size" ] + } + }, + "required" : [ "Code", "Role" ], + "properties" : { + "Description" : { + "description" : "A description of the function.", + "type" : "string", + "maxLength" : 256 + }, + "TracingConfig" : { + "description" : "Set ``Mode`` to ``Active`` to sample and trace a subset of incoming requests with [X-Ray](https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html).", + "$ref" : "#/definitions/TracingConfig" + }, + "VpcConfig" : { + "description" : "For network connectivity to AWS resources in a VPC, specify a list of security groups and subnets in the VPC. When you connect a function to a VPC, it can access resources and the internet only through that VPC. For more information, see [Configuring a Lambda function to access resources in a VPC](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html).", + "$ref" : "#/definitions/VpcConfig" + }, + "RuntimeManagementConfig" : { + "description" : "Sets the runtime management configuration for a function's version. For more information, see [Runtime updates](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html).", + "$ref" : "#/definitions/RuntimeManagementConfig" + }, + "ReservedConcurrentExecutions" : { + "description" : "The number of simultaneous executions to reserve for the function.", + "type" : "integer", + "minimum" : 0 + }, + "SnapStart" : { + "description" : "The function's [SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html) setting.", + "$ref" : "#/definitions/SnapStart" + }, + "FileSystemConfigs" : { + "maxItems" : 1, + "description" : "Connection settings for an Amazon EFS file system. To connect a function to a file system, a mount target must be available in every Availability Zone that your function connects to. If your template contains an [AWS::EFS::MountTarget](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-mounttarget.html) resource, you must also specify a ``DependsOn`` attribute to ensure that the mount target is created or updated before the function.\n For more information about using the ``DependsOn`` attribute, see [DependsOn Attribute](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html).", + "type" : "array", + "items" : { + "$ref" : "#/definitions/FileSystemConfig" + } + }, + "FunctionName" : { + "minLength" : 1, + "description" : "The name of the Lambda function, up to 64 characters in length. If you don't specify a name, CFN generates one.\n If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.", + "type" : "string" + }, + "Runtime" : { + "description" : "The identifier of the function's [runtime](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html). Runtime is required if the deployment package is a .zip file archive. Specifying a runtime results in an error if you're deploying a function using a container image.\n The following list includes deprecated runtimes. Lambda blocks creating new functions and updating existing functions shortly after each runtime is deprecated. For more information, see [Runtime use after deprecation](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html#runtime-deprecation-levels).\n For a list of all currently supported runtimes, see [Supported runtimes](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html#runtimes-supported).", + "type" : "string" + }, + "KmsKeyArn" : { + "pattern" : "^(arn:(aws[a-zA-Z-]*)?:[a-z0-9-.]+:.*)|()$", + "description" : "The ARN of the KMSlong (KMS) customer managed key that's used to encrypt your function's [environment variables](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption). When [Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart-security.html) is activated, Lambda also uses this key is to encrypt your function's snapshot. If you deploy your function using a container image, Lambda also uses this key to encrypt your function when it's deployed. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR). If you don't provide a customer managed key, Lambda uses a default service key.", + "type" : "string" + }, + "PackageType" : { + "description" : "The type of deployment package. Set to ``Image`` for container image and set ``Zip`` for .zip file archive.", + "type" : "string", + "enum" : [ "Image", "Zip" ] + }, + "CodeSigningConfigArn" : { + "pattern" : "arn:(aws[a-zA-Z-]*)?:lambda:[a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\\d{1}:\\d{12}:code-signing-config:csc-[a-z0-9]{17}", + "description" : "To enable code signing for this function, specify the ARN of a code-signing configuration. A code-signing configuration includes a set of signing profiles, which define the trusted publishers for this function.", + "type" : "string" + }, + "Layers" : { + "uniqueItems" : false, + "description" : "A list of [function layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) to add to the function's execution environment. Specify each layer by its ARN, including the version.", + "type" : "array", + "items" : { + "type" : "string" + } + }, + "Tags" : { + "uniqueItems" : true, + "description" : "A list of [tags](https://docs.aws.amazon.com/lambda/latest/dg/tagging.html) to apply to the function.", + "insertionOrder" : false, + "type" : "array", + "items" : { + "$ref" : "#/definitions/Tag" + } + }, + "ImageConfig" : { + "description" : "Configuration values that override the container image Dockerfile settings. For more information, see [Container image settings](https://docs.aws.amazon.com/lambda/latest/dg/images-create.html#images-parms).", + "$ref" : "#/definitions/ImageConfig" + }, + "MemorySize" : { + "description" : "The amount of [memory available to the function](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-memory-console) at runtime. Increasing the function memory also increases its CPU allocation. The default value is 128 MB. The value can be any multiple of 1 MB. Note that new AWS accounts have reduced concurrency and memory quotas. AWS raises these quotas automatically based on your usage. You can also request a quota increase.", + "type" : "integer" + }, + "DeadLetterConfig" : { + "description" : "A dead-letter queue configuration that specifies the queue or topic where Lambda sends asynchronous events when they fail processing. For more information, see [Dead-letter queues](https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#invocation-dlq).", + "$ref" : "#/definitions/DeadLetterConfig" + }, + "Timeout" : { + "description" : "The amount of time (in seconds) that Lambda allows a function to run before stopping it. The default is 3 seconds. The maximum allowed value is 900 seconds. For more information, see [Lambda execution environment](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-context.html).", + "type" : "integer", + "minimum" : 1 + }, + "Handler" : { + "pattern" : "^[^\\s]+$", + "description" : "The name of the method within your code that Lambda calls to run your function. Handler is required if the deployment package is a .zip file archive. The format includes the file name. It can also include namespaces and other qualifiers, depending on the runtime. For more information, see [Lambda programming model](https://docs.aws.amazon.com/lambda/latest/dg/foundation-progmodel.html).", + "type" : "string", + "maxLength" : 128 + }, + "SnapStartResponse" : { + "description" : "", + "$ref" : "#/definitions/SnapStartResponse" + }, + "Code" : { + "description" : "The code for the function.", + "$ref" : "#/definitions/Code" + }, + "Role" : { + "pattern" : "^arn:(aws[a-zA-Z-]*)?:iam::\\d{12}:role/?[a-zA-Z_0-9+=,.@\\-_/]+$", + "description" : "The Amazon Resource Name (ARN) of the function's execution role.", + "type" : "string" + }, + "LoggingConfig" : { + "description" : "The function's Amazon CloudWatch Logs configuration settings.", + "$ref" : "#/definitions/LoggingConfig" + }, + "Environment" : { + "description" : "Environment variables that are accessible from function code during execution.", + "$ref" : "#/definitions/Environment" + }, + "Arn" : { + "description" : "", + "type" : "string" + }, + "EphemeralStorage" : { + "description" : "The size of the function's ``/tmp`` directory in MB. The default value is 512, but it can be any whole number between 512 and 10,240 MB.", + "$ref" : "#/definitions/EphemeralStorage" + }, + "Architectures" : { + "minItems" : 1, + "maxItems" : 1, + "uniqueItems" : true, + "description" : "The instruction set architecture that the function supports. Enter a string array with one of the valid values (arm64 or x86_64). The default value is ``x86_64``.", + "type" : "array", + "items" : { + "type" : "string", + "enum" : [ "x86_64", "arm64" ] + } + }, + "RecursiveLoop" : { + "description" : "This property is set to terminate unintended recursions. If set to ``Terminate``, Lambda detects and terminates unitended recursive loops. If set to ``Allow`` Lambda lets recursions be and does not terminate it.", + "type" : "string", + "enum" : [ "Allow", "Terminate" ] + } + } + } \ No newline at end of file From 0e12e43334db42119414495711a1196e6425d98a Mon Sep 17 00:00:00 2001 From: Xia Zhao Date: Mon, 19 Aug 2024 15:05:38 -0700 Subject: [PATCH 2/2] chore(release): 2.153.0 --- CHANGELOG.v2.alpha.md | 2 ++ CHANGELOG.v2.md | 7 +++++++ version.v2.json | 4 ++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md index 47daad06b72ef..5b0f804b1dbbe 100644 --- a/CHANGELOG.v2.alpha.md +++ b/CHANGELOG.v2.alpha.md @@ -2,6 +2,8 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.153.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.152.0-alpha.0...v2.153.0-alpha.0) (2024-08-19) + ## [2.152.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.151.1-alpha.0...v2.152.0-alpha.0) (2024-08-14) ## [2.151.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.151.0-alpha.0...v2.151.1-alpha.0) (2024-08-14) diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md index 072c1c8adad4b..0de41a9b36503 100644 --- a/CHANGELOG.v2.md +++ b/CHANGELOG.v2.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.153.0](https://github.com/aws/aws-cdk/compare/v2.152.0...v2.153.0) (2024-08-19) + + +### Features + +* **lambda:** support Recursive Loop Protection property ([572fe0a](https://github.com/aws/aws-cdk/commit/572fe0a68f18724f5b43460c1858634b5aff45e5)) + ## [2.152.0](https://github.com/aws/aws-cdk/compare/v2.151.1...v2.152.0) (2024-08-14) diff --git a/version.v2.json b/version.v2.json index 21304aecb929a..0166ea92fed72 100644 --- a/version.v2.json +++ b/version.v2.json @@ -1,4 +1,4 @@ { - "version": "2.152.0", - "alphaVersion": "2.152.0-alpha.0" + "version": "2.153.0", + "alphaVersion": "2.153.0-alpha.0" } \ No newline at end of file