migrate AWS SDK v2 → v3

[zjawol]

Proposed changes

Migrates all AWS SDK usage from the legacy aws-sdk v2 package to the modular AWS SDK v3 (@aws-sdk/* packages). This is a prerequisite for dropping the v2 dependency and aligns the plugin with the current AWS SDK standard.

Key changes:

• AwsClientFactory — new class (src/aws-client-factory.ts) that lazily initializes and caches SDK v3 clients (AppSync, CloudFormation, CloudWatch Logs, Route53, ACM). ACM client is always pinned to us-east-1 as required by CloudFront.
• src/index.ts — all AWS API calls migrated from v2 SDK classes/types to v3 *Command pattern. AwsClientFactory is instantiated once in the constructor using fromNodeProviderChain() for credentials.
• src/get-stack-value.ts — removed (dead code, functionality covered elsewhere).
• sls appsync evaluate — new CLI command that calls the AppSync EvaluateCode and EvaluateMappingTemplate APIs to test JS resolvers and VTL templates against a context without deploying.
• sls appsync env get/set — new CLI commands to read and update AppSync runtime environment variables on a deployed API without redeploying.
• Documentation — updated README.md and doc/commands.md with quick-reference tables; added doc/testing-resolvers.md covering the evaluate workflow, fixture structure, pipeline chaining, and Jest integration examples. Node.js minimum requirement updated from v16 to v20.

Issue(s)

Closes #685

Steps to test or reproduce

1. Configure AWS credentials in your environment.
2. Deploy an AppSync API using the plugin.
3. Run the migrated commands and verify they work as before:

   sls appsync validate-schema
   sls appsync get-introspection
   sls appsync flush-cache
   sls appsync logs

4. Test the new evaluate command against a JS resolver:

   sls appsync evaluate --type Query --field getUser --function request \
   --context '{"arguments":{"id":"abc-123"}}'

5. Test the new env commands:

   sls appsync env get
   sls appsync env set --key STAGE --value production

6. get-stack-value.ts removal has no runtime impact.

Summary by CodeRabbit

Release Notes

• New Features

  • Added sls appsync evaluate command for resolver evaluation (JavaScript and VTL modes).
  • Added sls appsync env get and env set commands for environment variable management.

• Documentation

  • Expanded CLI reference with complete command table.
  • Added Testing Resolvers guide with examples, best practices, and known limitations.

[sid88in]

please fix merge conflicts and share e2e testing

[sid88in]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 59b57200-d08e-419f-a1e7-a15efb67af63

📥 Commits

Reviewing files that changed from the base of the PR and between 85498de and 66acfdb.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (4)

• package.json
• src/__tests__/commands.test.ts
• src/index.ts
• src/types/serverless.d.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• src/types/serverless.d.ts
• package.json
• src/index.ts

---

📝 Walkthrough

Walkthrough

This PR completes the migration from AWS SDK v2 to v3 by introducing a centralized AwsClientFactory, refactoring all AWS operations to command-based patterns, adding resolver evaluation and environment variable CLI commands, and providing comprehensive test coverage and documentation.

Changes

AWS SDK v3 Migration & Feature Expansion

Layer / File(s)	Summary
AWS Client Factory & Type Infrastructure src/aws-client-factory.ts, src/types/serverless.d.ts	New AwsClientFactory class provides centralized, lazy-loaded AWS SDK v3 clients (AppSync, CloudFormation, CloudWatch Logs, Route53, ACM) configured with region and credentials; AwsCredentials type supports static keys or credential provider functions; ACM client forced to us-east-1 regardless of factory region; Serverless type definitions updated to remove SDK v2 ServiceConfigurationOptions.
Plugin Core Refactoring to SDK v3 src/index.ts	Plugin integrates AwsClientFactory and implements resolveCredentials() to adapt Serverless credentials to AWS SDK v3 provider format; all AWS operations refactored from SDK v2 calls to v3 command-based patterns (client.send(new Command)) across AppSync, CloudFormation, Route53, ACM, and CloudWatch Logs services; introspection schema serialization updated to use Buffer.from().toString(); log tailing advances startTime via last event timestamp.
Resolver Evaluation & Environment Variable Commands src/index.ts	Adds appsync:evaluate command supporting VTL template evaluation via EvaluateMappingTemplateCommand and JS resolver code evaluation via EvaluateCodeCommand with optional esbuild bundling; implements appsync:env get to retrieve all environment variables via GetGraphqlApiEnvironmentVariablesCommand; implements appsync:env set to merge new --key/--value with existing variables and persist via PutGraphqlApiEnvironmentVariablesCommand.
Dependency Updates package.json	Adds fast-check to devDependencies for property-based testing; removes aws-sdk v2 dependency and overrides constraint section; introduces modular AWS SDK v3 client packages (@aws-sdk/client-*) and credential providers at pinned version 3.1039.0.
AWS Client Factory Tests src/__tests__/aws-client-factory.test.ts, src/__tests__/aws-client-factory.pbt.test.ts	Unit tests verify region propagation to all clients except ACM (forced to us-east-1), lazy initialization and instance caching, and credentials forwarding; property-based tests validate region/credential handling across randomized inputs and schema round-trip encoding/decoding.
Error Handling Tests src/__tests__/error-handling.pbt.test.ts	Property-based tests verify getApiAssocStatus maps NotFoundException to associationStatus: NOT_FOUND and preserves non-NotFoundException errors by identity across randomized domain names and error conditions.
Integration & Unit Tests src/__tests__/commands.test.ts	Refactored test infrastructure uses unified mockSend transport with AwsClientFactory; domain management, Route53 record, and resolver evaluation tests assert AWS command sequences via inline snapshots; unit tests cover getApiAssocStatus error handling, evaluateResolver (JS and VTL), and envGet/envSet workflows including confirmation prompts, credential passing, and error propagation.
CLI Reference & Resolver Testing Guide README.md, doc/commands.md, doc/testing-resolvers.md	README expanded with CLI command table and Testing Resolvers link; doc/commands.md documents sls appsync evaluate and sls appsync env commands with options and examples; doc/testing-resolvers.md provides multi-part guide covering unit/pipeline resolver testing, shell script automation, Node.js SDK examples, Jest integration tests, and documented limitations.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

The PR involves heterogeneous changes across multiple systems: a new AWS client factory abstraction with lazy loading and region overrides; wholesale refactoring of AWS operations from SDK v2 to v3 command patterns across six services; new CLI command implementations with esbuild integration; comprehensive property-based and integration test rewrites; and multi-part documentation. Each area requires separate reasoning about contract correctness, command payload construction, error handling semantics, and test coverage validity.

Suggested reviewers

• AlexHladin

Poem

🐰 From v2 to v3, the migration hops,
Factories bundle clients—the bundle-size drops!
Evaluate resolvers, set env without deploy,
Property-based tests give us testing joy,
SDK v3 unlocks features galore,
The plugin evolves to do so much more! 🚀

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'migrate AWS SDK v2 → v3' directly describes the main objective and primary change in the PR.
Linked Issues check	✅ Passed	The PR successfully implements all core requirements from #685: migrates to AWS SDK v3 clients, creates AwsClientFactory with proper client initialization, replaces v2 API calls with v3 Commands, adds evaluate and env get/set CLI commands, and includes comprehensive documentation and tests.
Out of Scope Changes check	✅ Passed	All changes are directly related to the AWS SDK v2→v3 migration and new CLI features outlined in #685. Documentation updates, test additions, and CLI extensions (evaluate, env get/set) are all within scope.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/index.ts (1)

674-678: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don’t suppress all errors in --quiet mode.

src/index.ts currently swallows any Error when --quiet is set in createDomain (674-678), deleteDomain (694-698), and changeRoute53Record (959-963). Limit quiet-mode suppression to idempotency-style failures only—e.g., AppSync DeleteDomainName/GetDomainName: NotFoundException, and Route53 ChangeResourceRecordSets: InvalidChangeBatch—and rethrow auth/throttling/permission/etc.

Also, envSet rejects empty-string values because it uses if (!key || !value); allow value === ''.

For AppSync CreateDomainName when the domain already exists, add the concrete AWS service error name/code from the API/SDK model and use that as the quiet-mode allowlist entry.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/index.ts` around lines 674 - 678, Update error handling so quiet mode
only suppresses idempotency-style AWS errors and rethrows everything else: in
createDomain, deleteDomain, and changeRoute53Record replace the blanket "if
(error instanceof Error && this.options.quiet)" suppression with a check that
inspects the AWS error "name"/"code" (e.g., NotFoundException for AppSync
Get/DeleteDomainName and InvalidChangeBatch for Route53
ChangeResourceRecordSets) and only log+swallow when the error.code/name matches
the allowlist; any other errors (auth, throttling, permissions, etc.) must be
rethrown. For AppSync CreateDomainName add the concrete AWS service error
name/code returned by the SDK to the quiet-mode allowlist so existing-domain
errors are treated as idempotent. Lastly, in envSet change the falsy check "if
(!key || !value)" to allow empty-string values (use a stricter test like value
=== undefined || value === null) so value === '' is permitted.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@doc/testing-resolvers.md`:
- Around line 25-27: The three fenced code blocks in doc/testing-resolvers.md
that currently lack language tags should be updated to include a language
identifier (use "text") so markdownlint MD040 passes; specifically add ```text
before the block containing "context  →  request()  →  [data source — not
called]  →  response()  →  result", the larger flow block starting with
"context" and ending with "result", and the file tree block beginning with
"functions/" and "tests/"; ensure you only add the language specifier (e.g.,
change ``` to ```text) for those blocks and leave the block content unchanged.

In `@src/__tests__/commands.test.ts`:
- Line 88: Tests currently use non-null assertions like createCall![0].input
after find()-style lookups which can be undefined; add a small reusable guard
helper (e.g., assertDefined<T>(value: T | undefined, msg?: string) or
getCommandCall(calls, idx)) and call it where the tests currently use `!` so the
value is checked at runtime and the TypeScript non-null assertion is removed.
Replace patterns such as `createCall![0].input` with a guarded form like `const
call = assertDefined(createCall, "createCall not found")[0];` (or
`getCommandCall(createCall, 0).input`) and reuse this helper for all listed
occurrences to keep tests type-safe and lint-clean.

In `@src/index.ts`:
- Around line 1271-1274: The current check in the envSet command uses a falsy
check (if (!key || !value)) which rejects empty-string values; change the
validation to explicitly test for undefined (e.g., key === undefined || value
=== undefined) so that "" is accepted as a valid value; update the condition
around the throw in the envSet handler (the block that throws new
this.serverless.classes.Error('You must specify both --key and --value.')) to
use the undefined check against the key and value variables.

In `@src/utils.ts`:
- Line 20: Prettier complains about the indexed access type formatting for
TimeUnit; update the type declaration so the indexed access applies to the type
of the array by wrapping typeof units in parentheses: change the declaration
referencing TimeUnit to use (typeof units)[number] (referencing the symbols
TimeUnit and units in this file).

---

Outside diff comments:
In `@src/index.ts`:
- Around line 674-678: Update error handling so quiet mode only suppresses
idempotency-style AWS errors and rethrows everything else: in createDomain,
deleteDomain, and changeRoute53Record replace the blanket "if (error instanceof
Error && this.options.quiet)" suppression with a check that inspects the AWS
error "name"/"code" (e.g., NotFoundException for AppSync Get/DeleteDomainName
and InvalidChangeBatch for Route53 ChangeResourceRecordSets) and only
log+swallow when the error.code/name matches the allowlist; any other errors
(auth, throttling, permissions, etc.) must be rethrown. For AppSync
CreateDomainName add the concrete AWS service error name/code returned by the
SDK to the quiet-mode allowlist so existing-domain errors are treated as
idempotent. Lastly, in envSet change the falsy check "if (!key || !value)" to
allow empty-string values (use a stricter test like value === undefined || value
=== null) so value === '' is permitted.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4985f395-7d75-49cf-a075-c026646a87a5

📥 Commits

Reviewing files that changed from the base of the PR and between bda9abe and 85498de.

⛔ Files ignored due to path filters (8)

• package-lock.json is excluded by !**/package-lock.json
• src/__tests__/__snapshots__/api.test.ts.snap is excluded by !**/*.snap
• src/__tests__/__snapshots__/dataSources.test.ts.snap is excluded by !**/*.snap
• src/__tests__/__snapshots__/getAppSyncConfig.test.ts.snap is excluded by !**/*.snap
• src/__tests__/__snapshots__/waf.test.ts.snap is excluded by !**/*.snap
• src/__tests__/validation/__snapshots__/auth.test.ts.snap is excluded by !**/*.snap
• src/__tests__/validation/__snapshots__/base.test.ts.snap is excluded by !**/*.snap
• src/__tests__/validation/__snapshots__/resolvers.test.ts.snap is excluded by !**/*.snap

📒 Files selected for processing (21)

• README.md
• doc/commands.md
• doc/testing-resolvers.md
• package.json
• src/__tests__/api.test.ts
• src/__tests__/aws-client-factory.pbt.test.ts
• src/__tests__/aws-client-factory.test.ts
• src/__tests__/commands.test.ts
• src/__tests__/dataSources.test.ts
• src/__tests__/error-handling.pbt.test.ts
• src/__tests__/getAppSyncConfig.test.ts
• src/__tests__/index.test.ts
• src/__tests__/js-resolvers.test.ts
• src/__tests__/mapping-templates.test.ts
• src/__tests__/resolvers.test.ts
• src/__tests__/schema.test.ts
• src/aws-client-factory.ts
• src/get-stack-value.ts
• src/index.ts
• src/types/serverless.d.ts
• src/utils.ts

💤 Files with no reviewable changes (1)

• src/get-stack-value.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add missing fenced code block languages to satisfy markdownlint (MD040).

Three fenced blocks are missing language identifiers, which can fail docs linting.

Suggested fix

-```
+```text
 context  →  request()  →  [data source — not called]  →  response()  →  result

- +text
context
│
▼
[pipeline request handler] ← optional JS wrapper
│
▼
function 1: request() → [data source — not called] → response()
│ (result stored in ctx.prev.result, stash carried forward)
▼
function 2: request() → [data source — not called] → response()
│
▼
[pipeline response handler] ← optional JS wrapper
│
▼
result

-```
+```text
functions/
  validateInput.js
  savePost.js
tests/
  createPost/
    step1-validateInput-request.ctx.json     ← input context
    step1-validateInput-request.expected.json ← expected output
    step2-validateInput-response.ctx.json
    step2-validateInput-response.expected.json
    step3-savePost-request.ctx.json
    step3-savePost-request.expected.json

</details>


Also applies to: 53-70, 136-148

<details>
<summary>🧰 Tools</summary>

<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

[warning] 25-25: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @doc/testing-resolvers.md around lines 25 - 27, The three fenced code blocks
in doc/testing-resolvers.md that currently lack language tags should be updated
to include a language identifier (use "text") so markdownlint MD040 passes;
specifically add text before the block containing "context → request() → [data source — not called] → response() → result", the larger flow block starting with "context" and ending with "result", and the file tree block beginning with "functions/" and "tests/"; ensure you only add the language specifier (e.g., change to ```text) for those blocks and leave the block
content unchanged.

</details>

<!-- fingerprinting:phantom:triton:hawk -->

<!-- This is an auto-generated comment by CodeRabbit -->

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all remaining non-null assertions in this test file after refactor.
rg -nP '!\s*(\[|\.|;|,|\))' src/__tests__/commands.test.ts

Repository: sid88in/serverless-appsync-plugin

Length of output: 1469

---

Remove non-null assertions from command lookup results.

find()-style lookups can yield undefined; this test file still uses ! non-null assertions on command call results at lines 88, 150, 257, 287, 319, 399, 497, 557, 616, 675, 778, 783, 804, 997, 1002, 1023, 1124, 1129, 1150, 1339, 1485, and 1530. Introduce a single guard/helper and reuse it so these assertions stay type-safe and lint-clean.

Proposed refactor pattern

+function requireCommandCall<T>(
+  call: [T] | undefined,
+  commandName: string,
+): [T] {
+  expect(call).toBeDefined();
+  if (!call) throw new Error(`Expected ${commandName} to be sent`);
+  return call;
+}
...
- expect(createCall![0].input).toMatchInlineSnapshot(...)
+ const [createCmd] = requireCommandCall(createCall, 'CreateDomainNameCommand');
+ expect(createCmd.input).toMatchInlineSnapshot(...)

🧰 Tools

🪛 GitHub Check: tests (20)

[warning] 88-88:
Forbidden non-null assertion

🪛 GitHub Check: tests (22)

[warning] 88-88:
Forbidden non-null assertion

🪛 GitHub Check: tests (24)

[warning] 88-88:
Forbidden non-null assertion

🪛 GitHub Check: tests (26)

[warning] 88-88:
Forbidden non-null assertion

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/__tests__/commands.test.ts` at line 88, Tests currently use non-null
assertions like createCall![0].input after find()-style lookups which can be
undefined; add a small reusable guard helper (e.g., assertDefined<T>(value: T |
undefined, msg?: string) or getCommandCall(calls, idx)) and call it where the
tests currently use `!` so the value is checked at runtime and the TypeScript
non-null assertion is removed. Replace patterns such as `createCall![0].input`
with a guarded form like `const call = assertDefined(createCall, "createCall not
found")[0];` (or `getCommandCall(createCall, 0).input`) and reuse this helper
for all listed occurrences to keep tests type-safe and lint-clean.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Allow empty-string env values in envSet.

if (!key || !value) rejects --value "", which can be a valid update. Check for undefined instead of truthiness.

Suggested fix

-    if (!key || !value) {
+    if (key === undefined || value === undefined) {
       throw new this.serverless.classes.Error(
         'You must specify both --key and --value.',
       );
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if (!key || !value) {
	throw new this.serverless.classes.Error(
	'You must specify both --key and --value.',
	);
	if (key === undefined || value === undefined) {
	throw new this.serverless.classes.Error(
	'You must specify both --key and --value.',
	);
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/index.ts` around lines 1271 - 1274, The current check in the envSet
command uses a falsy check (if (!key || !value)) which rejects empty-string
values; change the validation to explicitly test for undefined (e.g., key ===
undefined || value === undefined) so that "" is accepted as a valid value;
update the condition around the throw in the envSet handler (the block that
throws new this.serverless.classes.Error('You must specify both --key and
--value.')) to use the undefined check against the key and value variables.

[sid88in]

Thanks for this, @zjawol — the v3 migration is a solid piece of work and it's been on our list for a while. I reviewed it end to end and pushed a few follow-up commits on top; summary below for posterity.

What this PR does
Migrates all AWS SDK usage from the monolithic aws-sdk v2 to the modular @aws-sdk/client-* v3 packages: centralized, lazily-cached clients in AwsClientFactory, the .send(new XxxCommand()) pattern throughout, .promise() removed, v3-style error handling (error.name), and removal of dead code (get-stack-value.ts).

Verified (offline)

• build / lint / 331 unit tests / 68 e2e CFN-synthesis tests all green
• Emitted CloudFormation is unchanged — the e2e suite synthesizes every example fixture and the templates match
• No runtime require('serverless/lib/...') (type-only), so this stays v4-friendly
• aws-sdk v2 fully removed from runtime deps; the v3 packages add zero audit advisories

Follow-up commits added during review

1. Resolve region + credentials from the Serverless provider (getRegion() / getCredentials(), lazily) instead of service.provider.region + a bare fromNodeProviderChain(). Without this the live commands (get-api-keys, domain create-record, etc.) silently ignored --region, --aws-profile, and provider.profile and fell back to the default chain — a regression for profile/multi-account setups.
2. Restore the jest 30 / ts-jest 29 toolchain and the overrides block (incl. the fast-json-patch pin from fix: fast-json-patch dependency #706) that the rebase had reverted, and regenerate snapshots under jest 30.
3. Regenerate package-lock.json from scratch — audit is back to master parity (13 total / 4 production); the earlier inflated count was stale-lockfile drift.
4. Small prettier fix in utils.ts to match master's formatting under prettier 2.8.8.

Non-blocking follow-ups for later: the six @aws-sdk/client-* pins could move to ^3.x so they float in lockstep, and the prettier caret could be pinned exactly to avoid format drift across installs.

CI is green. Thanks again, @zjawol — merging. 🎉

[sid88in]

lgtm