SAM v1.15.0 Release: Simplified API Gateway Resource Policies and Multiple Event Source Updates
Community Contributors to this Release
@53ningen, @adanilev, @ArendAMZN, @beck3905, @chrisoverzero, @dalumiller, @Jacco, @kennyk, @khamaileon, @MattTunny, @sambattalio, @singledigit, @TDaglis, @tim-pugh, @yuimam
Amazon API Gateway simplified resource policy support
The SAM 1.14.0 release added support for Amazon API Gateway resource policies by letting you specify custom resource policy statements. This release adds a simplified syntax under `Auth.ResourcePolicy` for the common cases of whitelisting and blacklisting callers by AWS account, by IP address range (CIDR), and by source VPC or VPC endpoint (the `SourceVpc` lists accept both `vpc-` and `vpce-` IDs). A whitelist admits only the listed sources and a blacklist denies the listed ones; a caller that matches both lists is denied, because an explicit Deny always wins in policy evaluation. The resource policy is evaluated in addition to any method authorizer, so it limits who can reach the API but does not replace authentication. For more information about Amazon API Gateway resource policies, see the Amazon API Gateway developer guide. (#1077)

```yaml
Globals:
  Api:
    OpenApiVersion: "3.0.1"
    Auth:
      ResourcePolicy:
        AwsAccountWhitelist: ['account-id']
        AwsAccountBlacklist: ['account-id']
        SourceVpcWhitelist: ['vpc-1234']
        SourceVpcBlacklist: ['vpce-1234']   # VPC endpoint IDs are accepted too
        IpRangeWhitelist: ['1.2.3.0/24']    # CIDR with no host bits set
        IpRangeBlacklist: ['1.2.3.4']
Resources:
  MyLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: .
      MemorySize: 128
      Events:
        Api:
          Type: Api
          Properties:
            Path: /apione
            Method: any
```
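The following is an added example, not code from the SAM project or from this release. It validates the entries of a `ResourcePolicy` block before deployment (12-digit account IDs, `vpc-`/`vpce-` IDs, CIDRs with no host bits set) and models the resulting allow/deny decision for a caller, including the case of a source that appears on both a whitelist and a blacklist. The policy dict, the account IDs and the VPC IDs are constructed for the example; the model reproduces the evaluation outcome, not the exact IAM statements SAM emits.

```python
"""Validate and model SAM's simplified API Gateway resource policy lists."""
import ipaddress
import re

# Constructed input mirroring the template above, with a deliberately sloppy
# CIDR (host bits set) to show what validation catches.
RESOURCE_POLICY = {
    "AwsAccountWhitelist": ["123456789012"],
    "AwsAccountBlacklist": ["210987654321"],
    "SourceVpcWhitelist": ["vpc-0a1b2c3d"],
    "SourceVpcBlacklist": ["vpce-0f9e8d7c"],
    "IpRangeWhitelist": ["1.2.3.4/24"],
    "IpRangeBlacklist": ["1.2.3.4"],
}

_ACCOUNT_RE = re.compile(r"^\d{12}$")
_VPC_RE = re.compile(r"^vpce?-[0-9a-f]{8,17}$")


def validate(policy):
    """Return a list of problems found in the ResourcePolicy lists.

    Account IDs must be 12 digits, VPC entries must be vpc-/vpce- IDs and IP
    entries must be addresses or CIDRs with no host bits set, which is what
    ipaddress.ip_network enforces in its default strict mode.
    """
    problems = []
    for key, values in policy.items():
        for value in values:
            if key.startswith("AwsAccount") and not _ACCOUNT_RE.match(value):
                problems.append(f"{key}: {value!r} is not a 12-digit account id")
            elif key.startswith("SourceVpc") and not _VPC_RE.match(value):
                problems.append(f"{key}: {value!r} is not a vpc-/vpce- id")
            elif key.startswith("IpRange"):
                try:
                    ipaddress.ip_network(value)  # strict=True by default
                except ValueError as exc:
                    problems.append(f"{key}: {exc}")
    return problems


def _ip_in(ip, ranges):
    """True if ip falls inside any of the CIDR ranges (host bits tolerated)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def is_allowed(policy, account, source_ip, vpc=None):
    """Model the allow/deny outcome for one caller.

    A blacklist match on any dimension denies the call (explicit Deny wins);
    otherwise a non-empty whitelist must be matched. vpc is the VPC or VPC
    endpoint the request arrived through, or None for a public caller.
    """
    if (account in policy.get("AwsAccountBlacklist", [])
            or vpc in policy.get("SourceVpcBlacklist", [])
            or _ip_in(source_ip, policy.get("IpRangeBlacklist", []))):
        return False
    acct_wl = policy.get("AwsAccountWhitelist", [])
    if acct_wl and account not in acct_wl:
        return False
    vpc_wl = policy.get("SourceVpcWhitelist", [])
    if vpc_wl and vpc not in vpc_wl:
        return False
    ip_wl = policy.get("IpRangeWhitelist", [])
    if ip_wl and not _ip_in(source_ip, ip_wl):
        return False
    return True
```

Run `validate` as a pre-deploy check on the template's `ResourcePolicy` block; `is_allowed` is useful for writing table-driven tests of the intended reachability (for example, that a public caller is refused once a `SourceVpcWhitelist` is present).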
Cognito event type
This release adds support for `Cognito` as a Lambda function event type. This lets you attach a Lambda function to a Cognito user pool workflow by naming the pool and the trigger (for example `PreSignUp`); SAM adds the trigger to the pool's `LambdaConfig` and creates the `AWS::Lambda::Permission` that lets `cognito-idp.amazonaws.com` invoke the function, so the referenced user pool must be defined in the same template. Keep in mind that trigger code runs inside the authentication flow: a `PreSignUp` function, for example, decides whether a sign-up is rejected or auto-confirmed. For more information on Cognito user pool workflows with Lambda triggers, see the Cognito developer guide. A big thank you to @Jacco for contributing this feature! (#1066)

```yaml
Resources:
  PreSignupLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: .
      Handler: index.handler
      MemorySize: 128
      Runtime: nodejs8.10
      Events:
        CognitoUserPoolPreSignup:
          Type: Cognito
          Properties:
            UserPool: !Ref MyUserPool
            Trigger: PreSignUp
  MyUserPool:
    Type: AWS::Cognito::UserPool
```
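As an added example (not code from the SAM project or this release), here is a handler for the `PreSignUp` trigger wired up above. It shows the event shape Cognito sends to the trigger and the two security-relevant decisions the function makes: rejecting a sign-up (by raising, which Cognito reports back to the client as an error) and auto-confirming the user. The allowed e-mail domain, the pool ID and the sample event are assumptions constructed for the example.

```python
"""PreSignUp trigger handler: gate sign-ups by e-mail domain."""

ALLOWED_EMAIL_DOMAINS = {"example.com"}  # assumption for the example


def handler(event, context=None):
    """Reject sign-ups outside the allowed domains; auto-confirm the rest.

    Cognito passes the attributes in event["request"]["userAttributes"] and
    reads the decision back from event["response"]. Raising an exception
    aborts the sign-up and the message is returned to the client.
    """
    if event.get("triggerSource") != "PreSignUp_SignUp":
        # Admin-created users and external-provider sign-ups arrive with
        # other triggerSource values; leave their response untouched.
        return event

    email = event["request"]["userAttributes"].get("email", "")
    domain = email.rpartition("@")[2].lower()
    if domain not in ALLOWED_EMAIL_DOMAINS:
        raise ValueError("sign-up is restricted to approved email domains")

    # Auto-confirm the account, but leave the address unverified so the user
    # still has to prove control of the mailbox before it is trusted for
    # account recovery.
    event["response"]["autoConfirmUser"] = True
    event["response"]["autoVerifyEmail"] = False
    event["response"]["autoVerifyPhone"] = False
    return event


def make_event(email, trigger_source="PreSignUp_SignUp"):
    """Constructed sample event in the shape Cognito sends to PreSignUp."""
    return {
        "version": "1",
        "triggerSource": trigger_source,
        "region": "us-east-1",
        "userPoolId": "us-east-1_EXAMPLE",  # assumption
        "userName": email,
        "request": {"userAttributes": {"email": email}, "validationData": None},
        "response": {
            "autoConfirmUser": False,
            "autoVerifyEmail": False,
            "autoVerifyPhone": False,
        },
    }
```

The `triggerSource` check matters: the same function is invoked for `PreSignUp_AdminCreateUser` and `PreSignUp_ExternalProvider`, and a domain rule written for self-service sign-up is usually not what you want applied to those paths.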
SNS event supports SQS Subscription
The `SNS` event type now supports a `SqsSubscription` property. When set to `true`, rather than subscribing the Lambda function directly to the SNS topic, SAM creates an SQS queue, subscribes the queue to the topic (with a queue policy that permits only that topic to send to it), and connects the function to the queue through an event source mapping. This eliminates the CloudFormation boilerplate for this common pattern, which buffers messages in the queue and lets failed invocations be retried from it instead of being dropped. Note that the function then receives SQS records whose body is the SNS notification envelope rather than the `Records[].Sns` shape of a direct subscription, so handlers written for the direct subscription need updating. For more information about SNS and SQS, see the developer documentation. A big thank you to @53ningen for contributing this feature! (#1065)

```yaml
Resources:
  MyLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: .
      MemorySize: 128
      Events:
        SNSEvent:
          Type: SNS
          Properties:
            Topic:
              Ref: MySnsTopic
            SqsSubscription: true
  MySnsTopic:
    Type: AWS::SNS::Topic
```
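The handler below is an added example, not code from the SAM project or this release. It shows the difference in event shape between a direct SNS subscription and the SQS-backed one: in the SQS case each record's `body` is the JSON notification envelope, and the original message is its `Message` field. The topic ARN and both sample events are constructed for the example; the `TopicArn` check is a sanity check against mis-wired subscriptions, not sender authentication, which is what the generated queue policy provides.

```python
"""Handler that accepts both the direct-SNS and the SQS-wrapped event shapes."""
import json

EXPECTED_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:MySnsTopic"  # assumption


def extract_messages(event):
    """Return the SNS message payloads carried by one invocation event.

    Direct SNS: record["EventSource"] == "aws:sns", payload in record["Sns"].
    Via SQS:    record["eventSource"] == "aws:sqs", envelope in record["body"].
    Records that are not notifications from the expected topic are skipped.
    """
    messages = []
    for record in event.get("Records", []):
        if record.get("EventSource") == "aws:sns":
            sns = record["Sns"]
            topic, message = sns["TopicArn"], sns["Message"]
        elif record.get("eventSource") == "aws:sqs":
            envelope = json.loads(record["body"])
            if envelope.get("Type") != "Notification":
                continue  # e.g. a SubscriptionConfirmation or junk
            topic, message = envelope["TopicArn"], envelope["Message"]
        else:
            continue
        if topic != EXPECTED_TOPIC_ARN:
            continue
        messages.append(message)
    return messages


def handler(event, context=None):
    """Lambda entry point: process each message and report how many."""
    messages = extract_messages(event)
    for message in messages:
        print("processing", message)
    return {"processed": len(messages)}


# Constructed sample events: one SQS-wrapped (SqsSubscription: true) and one
# from a direct subscription, for comparison.
SQS_WRAPPED_EVENT = {
    "Records": [
        {
            "messageId": "1",
            "eventSource": "aws:sqs",
            "body": json.dumps({
                "Type": "Notification",
                "TopicArn": EXPECTED_TOPIC_ARN,
                "Message": "order-42",
            }),
        },
        {
            "messageId": "2",
            "eventSource": "aws:sqs",
            "body": json.dumps({
                "Type": "Notification",
                "TopicArn": "arn:aws:sns:us-east-1:123456789012:SomeOtherTopic",
                "Message": "not for us",
            }),
        },
    ]
}
DIRECT_SNS_EVENT = {
    "Records": [
        {
            "EventSource": "aws:sns",
            "Sns": {"TopicArn": EXPECTED_TOPIC_ARN, "Message": "order-43"},
        }
    ]
}
```

Because the SQS event source delivers batches, an exception from the handler returns the whole batch to the queue; make per-message processing idempotent or handle failures per record.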
`MaximumBatchingWindowInSeconds` support for stream event sources
This release adds support for the `MaximumBatchingWindowInSeconds` property on the `Kinesis` and `DynamoDB` event types. It sets how long, from 0 to 300 seconds, Lambda keeps buffering records after the first one arrives before invoking the function with a batch smaller than `BatchSize`; a larger window means fewer invocations at the cost of added latency. For more information about this property, see the AWS CloudFormation user guide. (#1120)

```yaml
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      CodeUri: .
      Handler: index.handler
      Runtime: nodejs8.10
      AutoPublishAlias: Live
      Events:
        KinesisStream:
          Type: Kinesis
          Properties:
            Stream:
              Fn::GetAtt: [MyStream, Arn]
            BatchSize: 100
            MaximumBatchingWindowInSeconds: 20
            StartingPosition: TRIM_HORIZON
  MyStream:
    Type: AWS::Kinesis::Stream
    Properties:
      ShardCount: 1
```
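To make the interaction between `BatchSize` and `MaximumBatchingWindowInSeconds` concrete, here is an added example (not code from the SAM project or AWS Lambda) that models the two conditions the setting controls: the function is invoked once `BatchSize` records are buffered, or once the window has elapsed since the first buffered record, whichever comes first. The 6 MB payload cap and shard parallelism are left out of the model, and the arrival timestamps are constructed.

```python
"""Simplified model of stream batching: BatchSize versus batching window."""


def batch_invocations(arrival_times, batch_size, window_seconds):
    """Return (invocation_time, record_count) for each modelled invocation.

    arrival_times: ascending record arrival timestamps in seconds.
    window_seconds: MaximumBatchingWindowInSeconds, which Lambda restricts to
    0..300 (0 means invoke as soon as records are available).
    """
    if not 0 <= window_seconds <= 300:
        raise ValueError("MaximumBatchingWindowInSeconds must be between 0 and 300")
    if batch_size < 1:
        raise ValueError("BatchSize must be at least 1")

    invocations = []
    buffer_start = None  # arrival time of the first buffered record
    count = 0
    for t in arrival_times:
        if buffer_start is not None and t - buffer_start >= window_seconds:
            # The window expired before this record arrived: the buffered
            # partial batch was already handed to the function.
            invocations.append((buffer_start + window_seconds, count))
            buffer_start, count = None, 0
        if buffer_start is None:
            buffer_start = t
        count += 1
        if count == batch_size:
            # Full batch: invoke immediately without waiting for the window.
            invocations.append((t, count))
            buffer_start, count = None, 0
    if count:
        invocations.append((buffer_start + window_seconds, count))
    return invocations
```

With the template's `BatchSize: 100` and a 20-second window, a trickle of records costs at most one invocation per 20 seconds per shard; with the default window of 0, the same trickle can cost one invocation per record.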
Api event request parameter customization
This feature lets you specify API Gateway request parameters directly on `AWS::Serverless::Function` `Api` events. Previously, you had to manage your own OpenAPI document in order to use this feature of Amazon API Gateway. Each list entry is either a bare parameter name of the form `method.request.<location>.<name>` (with `Required` and `Caching` defaulting to `false`) or a mapping from that name to those two flags. `Caching: true` adds the parameter to the cache key when API caching is enabled, which is why the example below keys the cache on the `Authorization` header: without it, a cached response computed for one caller would be served to the next. `Required: true` declares the parameter on the method, and API Gateway enforces it only when request validation is enabled for the method, so it is not an authorization check. For more information on Request Parameters, see the Amazon API Gateway developer documentation. A big thank you to @beck3905 for contributing this feature! (#953)

```yaml
Globals:
  Api:
    CacheClusterEnabled: true
    CacheClusterSize: '0.5'
Resources:
  MyLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: .
      Events:
        PostApi:
          Type: Api
          Properties:
            Path: /post
            Method: POST
            RequestParameters:
              - method.request.header.Authorization:
                  Required: true
                  Caching: true
              - method.request.querystring.type
```
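The following is an added example, not code from the SAM project or this release. It normalises the two accepted `RequestParameters` forms (bare name and name-to-flags mapping) into one table with the defaults applied, validates the `method.request.<location>.<name>` form, and flags the cache misconfiguration discussed above: caching enabled for a method whose cache key does not include the caller's credential. The sample list mirrors the `PostApi` event; the choice of `Authorization` as the credential header is an assumption of the check.

```python
"""Normalise Api-event RequestParameters and check the cache key."""
import re

_PARAM_RE = re.compile(r"^method\.request\.(header|querystring|path)\.([^.]+)$")


def normalize_request_parameters(params):
    """Return {name: {"location": str, "Required": bool, "Caching": bool}}."""
    table = {}
    for item in params:
        if isinstance(item, str):
            name, props = item, {}
        elif isinstance(item, dict) and len(item) == 1:
            (name, props), = item.items()
            props = props or {}
        else:
            raise ValueError(f"malformed RequestParameters entry: {item!r}")
        m = _PARAM_RE.match(name)
        if not m:
            raise ValueError(f"{name!r} is not of the form method.request.<location>.<name>")
        unknown = set(props) - {"Required", "Caching"}
        if unknown:
            raise ValueError(f"{name!r}: unknown keys {sorted(unknown)}")
        table[name] = {
            "location": m.group(1),
            "Required": bool(props.get("Required", False)),
            "Caching": bool(props.get("Caching", False)),
        }
    return table


def cache_key_warnings(table, cache_enabled,
                       auth_header="method.request.header.Authorization"):
    """Warn when responses are cached without the credential in the cache key.

    This is a heuristic for authenticated endpoints: a public, unauthenticated
    method may legitimately share cached responses between callers.
    """
    warnings = []
    if cache_enabled and not table.get(auth_header, {}).get("Caching"):
        warnings.append(
            f"caching is enabled but {auth_header} is not a cache key parameter; "
            "a cached response for one caller can be served to another"
        )
    return warnings


# Constructed input mirroring the PostApi event above.
POST_API_PARAMS = [
    {"method.request.header.Authorization": {"Required": True, "Caching": True}},
    "method.request.querystring.type",
]
```

Run `cache_key_warnings` with the value of `Globals.Api.CacheClusterEnabled` (or the event's own `CacheClusterEnabled`) as `cache_enabled`; a method that overrides caching off for itself does not need the credential in its key.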
Api event permissions fix
Before this change, SAM generated two `AWS::Lambda::Permission` resources per `Api` event: one scoped to the deployed stage and one to API Gateway's test-invoke stage. SAM now generates a single permission per event whose `SourceArn` matches any stage of the API. This halves the number of permissions created for `Api` events and the size of the function's resource-based policy, reducing the chance of hitting the Lambda policy size limit (20 KB). (#1119)
Change Log:
- (#1068)(#1090)(#1079)(#1096)(#1114)(#530)(#1121)(#1122)(#1103) (#1059) Documentation and example updates
- (#1084) Add ssm:GetParametersByPath to SSMParameterReadPolicy
- (#1015) Allow setting auth to NONE with AWS_IAM default authorizer
- (#1088) Allow references in NotificationARNs property
- (#1066) Add cognito event sources
- (#1093) Remove extra stage only when OpenApiVersion is set
- (#1065) Add SQS option to SNS event
- (#1101)(#1113) Add code commit policy templates
- (#1105) Use scoped logger instead of root
- (#1104) Openapi version type errors
- (#1035) Randomize logical IDs of API stage and Lambda permission
- (#1120) Add support for aws lambda streaming batch feature
- (#1119) Combine test and prod permissions for api events
- (#1077) Support for resource policy Iam, Vpc and Ip whitelist/blacklist
- (#1072) Add tag related permissions to `S3FullAccessPolicy`
- (#953) Add `RequestParameters` support