Merge branch 'develop' into develop

Author: vicheey

.cfnlintrc.yaml

@@ -107,6 +107,9 @@ ignore_templates:
   - tests/translator/output/**/function_with_snapstart.json # Snapstart intentionally not attached to a lambda version which causes lint issues
   - tests/translator/output/**/managed_policies_everything.json # intentionally contains wrong arns
   - tests/translator/output/**/function_with_metrics_config.json
+  - tests/translator/output/**/function_with_self_managed_kafka_and_schema_registry.json # cfnlint is not updated to recognize the SchemaRegistryConfig property
+  - tests/translator/output/**/function_with_msk_with_schema_registry_config.json # cfnlint is not updated to recognize the SchemaRegistryConfig property
+  - tests/translator/output/**/function_with_logging_config.json # cfnlint is not updated to recognize the LoggingConfig property
   - tests/translator/output/aws-*/*capacity_provider*.json # Ignore Capacity Provider test format in non-aws partitions
 
 ignore_checks:

Makefile

@@ -68,7 +68,8 @@ fetch-schema-data:
 	# aws-cdk updated where they store the cfn doc json files. See https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/cfnspec/README.md
 	bin/git_lfs_download.sh "https://raw.githubusercontent.com/cdklabs/awscdk-service-spec/main/sources/CloudFormationDocumentation/CloudFormationDocumentation.json"
 
-	curl -o .tmp/cloudformation.schema.json https://raw.githubusercontent.com/awslabs/goformation/master/schema/cloudformation.schema.json
+	# Generate fresh CloudFormation schema using Python generator
+	python3 schema_source/cfn_schema_generator.py
 
 update-schema-data:
 	# Parse docs

docs/globals.rst

@@ -98,6 +98,7 @@ Currently, the following resources and properties are being supported:
       TracingEnabled:
       OpenApiVersion:
       Domain:
+      SecurityPolicy:
 
     HttpApi:
       # Properties of AWS::Serverless::HttpApi

integration/combination/test_custom_http_api_domains_test.py

@@ -1,7 +1,7 @@
 from unittest.case import skipIf
 
 from integration.config.service_names import CUSTOM_DOMAIN
-from integration.helpers.base_internal_test import BaseInternalTest
+from integration.helpers.base_internal_test import CUSTOM_DOMAIN_TOP_LEVEL, BaseInternalTest
 from integration.helpers.base_test import nonblocking
 from integration.helpers.resource import current_region_not_included
 
@@ -26,7 +26,7 @@ def test_custom_http_api_domains_regional(self):
         if "FeatureToggle" in self.pipeline_prefix:
             self.assertEqual("httpapi.ftl.sam-gamma-regional.com", result["DomainName"])
         else:
-            self.assertEqual("httpapi.sam-gamma-regional.com", result["DomainName"])
+            self.assertEqual(f"httpapi-sam-gamma-regional.{CUSTOM_DOMAIN_TOP_LEVEL}", result["DomainName"])
 
         mtls_auth_config = result["MutualTlsAuthentication"]
         self.assertEqual(self.file_to_s3_uri_map["MTLSCert.pem"]["uri"], mtls_auth_config["TruststoreUri"])

integration/combination/test_custom_rest_api_domains.py

@@ -1,7 +1,7 @@
 from unittest.case import skipIf
 
 from integration.config.service_names import CUSTOM_DOMAIN
-from integration.helpers.base_internal_test import BaseInternalTest
+from integration.helpers.base_internal_test import CUSTOM_DOMAIN_TOP_LEVEL, BaseInternalTest
 from integration.helpers.base_test import nonblocking
 from integration.helpers.resource import current_region_not_included
 
@@ -25,7 +25,7 @@ def test_custom_rest_api_domains_edge(self):
         if "FeatureToggle" in self.pipeline_prefix:
             self.assertEqual("ftl.sam-gamma-edge.com", result["domainName"])
         else:
-            self.assertEqual("sam-gamma-edge.com", result["domainName"])
+            self.assertEqual(f"sam-gamma-edge.{CUSTOM_DOMAIN_TOP_LEVEL}", result["domainName"])
 
         end_point_config = result["endpointConfiguration"]
         end_point_types = end_point_config["types"]
@@ -46,7 +46,7 @@ def test_custom_rest_api_domains_regional(self):
         if "FeatureToggle" in self.pipeline_prefix:
             self.assertEqual("ftl.sam-gamma-regional.com", result["domainName"])
         else:
-            self.assertEqual("sam-gamma-regional.com", result["domainName"])
+            self.assertEqual(f"sam-gamma-regional.{CUSTOM_DOMAIN_TOP_LEVEL}", result["domainName"])
 
         self.assertEqual("TLS_1_2", result["securityPolicy"])
 

integration/combination/test_function_with_capacity_provider.py

@@ -0,0 +1,211 @@
+from unittest.case import skipIf
+
+import pytest
+
+from integration.config.service_names import LAMBDA_MANAGED_INSTANCES
+from integration.helpers.base_test import BaseTest
+from integration.helpers.resource import current_region_does_not_support
+
+
+@skipIf(
+    current_region_does_not_support([LAMBDA_MANAGED_INSTANCES]),
+    "LambdaManagedInstance is not supported in this testing region",
+)
+class TestFunctionWithCapacityProvider(BaseTest):
+    @pytest.fixture(autouse=True)
+    def companion_stack_outputs(self, get_companion_stack_outputs):
+        self.companion_stack_outputs = get_companion_stack_outputs
+
+    def generate_lmi_parameters(self):
+        return [
+            self.generate_parameter("SubnetId", self.companion_stack_outputs["LMISubnetId"]),
+            self.generate_parameter("SecurityGroup", self.companion_stack_outputs["LMISecurityGroupId"]),
+            self.generate_parameter("KMSKeyArn", self.companion_stack_outputs["LMIKMSKeyArn"]),
+        ]
+
+    def verify_capacity_provider_basic_config(self, cp_config, cp_name):
+        """Verify basic capacity provider configuration (state, existence) and return ARN."""
+        self.assertIsNotNone(cp_config, f"{cp_name} should have configuration")
+        self.assertEqual(cp_config["State"], "Active", f"{cp_name} should be in Active state")
+        capacity_provider_arn = cp_config.get("CapacityProviderArn")
+        self.assertIsNotNone(capacity_provider_arn, f"{cp_name} should have a capacity provider ARN")
+        return capacity_provider_arn
+
+    def verify_capacity_provider_vpc_config(self, cp_config, cp_name):
+        """Verify capacity provider VPC configuration matches companion stack outputs."""
+        vpc_config = cp_config.get("VpcConfig")
+        self.assertIsNotNone(vpc_config, f"{cp_name} should have VPC configuration")
+        self.assertIn(
+            self.companion_stack_outputs["LMISubnetId"],
+            vpc_config["SubnetIds"],
+            f"{cp_name} should use the correct subnet",
+        )
+        self.assertIn(
+            self.companion_stack_outputs["LMISecurityGroupId"],
+            vpc_config["SecurityGroupIds"],
+            f"{cp_name} should use the correct security group",
+        )
+
+    def verify_capacity_provider_permissions_config(self, cp_config, cp_name):
+        """Verify capacity provider has permissions configuration with operator role."""
+        permissions_config = cp_config.get("PermissionsConfig")
+        self.assertIsNotNone(permissions_config, f"{cp_name} should have permissions configuration")
+        operator_role_arn = permissions_config.get("CapacityProviderOperatorRoleArn")
+        self.assertIsNotNone(operator_role_arn, f"{cp_name} should have operator role ARN")
+        return operator_role_arn
+
+    def verify_function_capacity_provider_config(self, function_capacity_provider_config):
+        """Verify and extract capacity provider ARN from function configuration."""
+        self.assertIsNotNone(function_capacity_provider_config, "Function should have capacity provider configuration")
+        self.assertIn(
+            "LambdaManagedInstancesCapacityProviderConfig",
+            function_capacity_provider_config,
+            "Function LambdaManagedInstancesCapacityProviderConfig should have LambdaManagedInstancesCapacityProviderConfig",
+        )
+
+        lmi_config = function_capacity_provider_config["LambdaManagedInstancesCapacityProviderConfig"]
+        function_capacity_provider_arn = lmi_config.get("CapacityProviderArn")
+        self.assertIsNotNone(
+            function_capacity_provider_arn, "Function capacity provider config should have a capacity provider ARN"
+        )
+        return function_capacity_provider_arn
+
+    def verify_capacity_provider_arn_match(self, function_capacity_provider_arn, capacity_provider_arn):
+        """Verify that the function references the correct capacity provider ARN."""
+        self.assertEqual(
+            function_capacity_provider_arn,
+            capacity_provider_arn,
+            "Function should reference the correct capacity provider ARN",
+        )
+
+    def test_function_with_capacity_provider_custom_role(self):
+        """Test Lambda function with CapacityProviderConfig using custom operator role."""
+        parameters = self.generate_lmi_parameters()
+        self.create_and_verify_stack("combination/function_lmi_custom", parameters)
+
+        lambda_resources = self.get_stack_resources("AWS::Lambda::Function")
+        self.assertEqual(len(lambda_resources), 1, "Should create exactly one Lambda function")
+
+        capacity_provider_resources = self.get_stack_resources("AWS::Lambda::CapacityProvider")
+        self.assertEqual(len(capacity_provider_resources), 1, "Should create exactly one CapacityProvider")
+
+        lambda_function = lambda_resources[0]
+        function_capacity_provider_config = self.get_function_capacity_provider_config(
+            lambda_function["PhysicalResourceId"]
+        )
+        function_capacity_provider_arn = self.verify_function_capacity_provider_config(
+            function_capacity_provider_config
+        )
+
+        capacity_provider_config = self.get_lambda_capacity_provider_config("MyCapacityProvider")
+        actual_capacity_provider_arn = self.verify_capacity_provider_basic_config(
+            capacity_provider_config, "MyCapacityProvider"
+        )
+        self.verify_capacity_provider_arn_match(function_capacity_provider_arn, actual_capacity_provider_arn)
+
+        capacity_provider_operator_role_arn = self.verify_capacity_provider_permissions_config(
+            capacity_provider_config, "MyCapacityProvider"
+        )
+
+        custom_operator_role_physical_id = self.get_physical_id_by_logical_id("MyCapacityProviderCustomRole")
+        self.assertIsNotNone(custom_operator_role_physical_id, "MyCapacityProviderCustomRole should exist in the stack")
+
+        self.assertIn(
+            custom_operator_role_physical_id,
+            capacity_provider_operator_role_arn,
+            f"Capacity provider should use the custom operator role with physical ID {custom_operator_role_physical_id}",
+        )
+
+    def test_function_with_capacity_provider_default_role(self):
+        """Test Lambda function with CapacityProviderConfig using default operator role."""
+        parameters = self.generate_lmi_parameters()
+        self.create_and_verify_stack("combination/function_lmi_default", parameters)
+
+        lambda_resources = self.get_stack_resources("AWS::Lambda::Function")
+        self.assertEqual(len(lambda_resources), 1, "Should create exactly one Lambda function")
+
+        capacity_provider_resources = self.get_stack_resources("AWS::Lambda::CapacityProvider")
+        self.assertEqual(len(capacity_provider_resources), 2, "Should create exactly two CapacityProviders")
+
+        my_function = lambda_resources[0]
+        function_config = self.get_function_capacity_provider_config(my_function["PhysicalResourceId"])
+        function_capacity_provider_arn = self.verify_function_capacity_provider_config(function_config)
+
+        simple_cp_config = self.get_lambda_capacity_provider_config("SimpleCapacityProvider")
+        simple_cp_arn = self.verify_capacity_provider_basic_config(simple_cp_config, "SimpleCapacityProvider")
+        self.verify_capacity_provider_arn_match(function_capacity_provider_arn, simple_cp_arn)
+
+        self.verify_capacity_provider_vpc_config(simple_cp_config, "SimpleCapacityProvider")
+        self.verify_capacity_provider_permissions_config(simple_cp_config, "SimpleCapacityProvider")
+
+        advanced_cp_config = self.get_lambda_capacity_provider_config("AdvancedCapacityProvider")
+        self.verify_capacity_provider_basic_config(advanced_cp_config, "AdvancedCapacityProvider")
+        self.verify_capacity_provider_vpc_config(advanced_cp_config, "AdvancedCapacityProvider")
+        self.verify_capacity_provider_permissions_config(advanced_cp_config, "AdvancedCapacityProvider")
+
+        instance_requirements = advanced_cp_config.get("InstanceRequirements")
+        self.assertIsNotNone(instance_requirements, "AdvancedCapacityProvider should have instance requirements")
+        self.assertIn(
+            "x86_64",
+            instance_requirements.get("Architectures", []),
+            "AdvancedCapacityProvider should have x86_64 architecture",
+        )
+        allowed_types = instance_requirements.get("AllowedInstanceTypes", [])
+        self.assertIn("m5.large", allowed_types, "AdvancedCapacityProvider should allow m5.large")
+        self.assertIn("m5.xlarge", allowed_types, "AdvancedCapacityProvider should allow m5.xlarge")
+        self.assertIn("m5.2xlarge", allowed_types, "AdvancedCapacityProvider should allow m5.2xlarge")
+
+        scaling_config = advanced_cp_config.get("CapacityProviderScalingConfig")
+        self.assertIsNotNone(scaling_config, "AdvancedCapacityProvider should have scaling configuration")
+        self.assertEqual(
+            scaling_config.get("MaxVCpuCount"), 64, "AdvancedCapacityProvider should have MaxVCpuCount of 64"
+        )
+        scaling_policies = scaling_config.get("ScalingPolicies", [])
+        self.assertTrue(len(scaling_policies) > 0, "AdvancedCapacityProvider should have scaling policies")
+        cpu_policy = next(
+            (
+                p
+                for p in scaling_policies
+                if p.get("PredefinedMetricType") == "LambdaCapacityProviderAverageCPUUtilization"
+            ),
+            None,
+        )
+        self.assertIsNotNone(cpu_policy, "AdvancedCapacityProvider should have CPU utilization scaling policy")
+        self.assertEqual(
+            cpu_policy.get("TargetValue"), 70.0, "AdvancedCapacityProvider should have CPU utilization target of 70"
+        )
+
+        self.assertEqual(
+            advanced_cp_config.get("KmsKeyArn"),
+            self.companion_stack_outputs["LMIKMSKeyArn"],
+            "AdvancedCapacityProvider should use the correct KMS key",
+        )
+
+    def get_function_capacity_provider_config(self, function_name, alias_name=None):
+        lambda_client = self.client_provider.lambda_client
+
+        try:
+            # Build the function identifier - include alias if provided
+            function_identifier = f"{function_name}:{alias_name}" if alias_name else function_name
+            # Get the function configuration
+            response = lambda_client.get_function_configuration(FunctionName=function_identifier)
+            # Return the CapacityProviderConfig if it exists
+            return response.get("CapacityProviderConfig")
+        except Exception as e:
+            # Log the error and return None for graceful handling
+            print(f"Error getting function capacity provider config: {e}")
+            return None
+
+    def get_lambda_capacity_provider_config(self, capacity_provider_logical_id):
+        lambda_client = self.client_provider.lambda_client
+
+        try:
+            # Get the physical ID from the logical ID
+            capacity_provider_name = self.get_physical_id_by_logical_id(capacity_provider_logical_id)
+            # Get the capacity provider configuration
+            response = lambda_client.get_capacity_provider(CapacityProviderName=capacity_provider_name)
+            return response.get("CapacityProvider")
+        except Exception as e:
+            # Log the error and return None for graceful handling
+            print(f"Error getting capacity provider config for {capacity_provider_logical_id}: {e}")
+            return None

integration/config/service_names.py

@@ -30,6 +30,7 @@
 STATE_MACHINE_CWE_CWS = "StateMachineCweCws"
 STATE_MACHINE_WITH_APIS = "StateMachineWithApis"
 LAMBDA_URL = "LambdaUrl"
+LAMBDA_MANAGED_INSTANCES = "LambdaManagedInstances"
 LAMBDA_ENV_VARS = "LambdaEnvVars"
 EVENT_INVOKE_CONFIG = "EventInvokeConfig"
 API_KEY = "ApiKey"

integration/helpers/base_internal_test.py

@@ -4,6 +4,8 @@
 
 from integration.helpers.base_test import BaseTest
 
+CUSTOM_DOMAIN_TOP_LEVEL = "tooling.lambda.aws.dev"
+
 
 class BaseInternalTest(BaseTest):
     """

integration/resources/expected/combination/api_with_custom_domains_edge.json

@@ -1,14 +1,14 @@
 [
   {
-    "LogicalResourceId": "RecordSetGroup1b7eeb359e",
+    "LogicalResourceId": "RecordSetGroup303b65d470",
     "ResourceType": "AWS::Route53::RecordSetGroup"
   },
   {
     "LogicalResourceId": "MyApiDeployment",
     "ResourceType": "AWS::ApiGateway::Deployment"
   },
   {
-    "LogicalResourceId": "ApiGatewayDomainName1101a94567",
+    "LogicalResourceId": "ApiGatewayDomainNameed93f7bdb0",
     "ResourceType": "AWS::ApiGateway::DomainName"
   },
   {

integration/resources/expected/combination/api_with_custom_domains_regional.json

@@ -16,7 +16,7 @@
     "ResourceType": "AWS::ApiGateway::RestApi"
   },
   {
-    "LogicalResourceId": "RecordSetGroupddfc299be2",
+    "LogicalResourceId": "RecordSetGroup303b65d470",
     "ResourceType": "AWS::Route53::RecordSetGroup"
   },
   {
@@ -28,7 +28,7 @@
     "ResourceType": "AWS::ApiGateway::BasePathMapping"
   },
   {
-    "LogicalResourceId": "ApiGatewayDomainName7898169271",
+    "LogicalResourceId": "ApiGatewayDomainNamec65e226806",
     "ResourceType": "AWS::ApiGateway::DomainName"
   },
   {