Releases: timpugh/lambda-powertools-reference
Release list
v3.0.2 — Retry-budget fix for the idempotency DynamoDB writes
v3.0.2 — Retry-budget fix for the idempotency DynamoDB writes
Maintenance release.
Fixed
- Bound the SDK retry budget so the @idempotent layer's TWO sequential
DynamoDB writes (save_inprogress before the handler, save_success after)
stay under the 10s Lambda timeout during a DynamoDB brownout.
total_max_attempts 3 -> 2 (~8s worst case for both writes), preventing a
timeout-induced API Gateway 502 that would feed the CodeDeploy canary
rollback alarm. (#116)
Documentation
- Note that the RUM guest identity pool allows direct rum:PutRumEvents calls
and that session_sample_rate (client-side) does NOT bound that cost/abuse
vector — the guardrail is a Budgets / RUM-volume alarm (see TODO.md).
Full changelog: https://github.com/timpugh/lambda-powertools-reference/compare/v3.0.1..v3.0.2
v3.0.1
v3.0.1 — On-demand Scorecard scans, Branch-Protection scoring, Python 3.14 toolchain fix
Maintenance release.
CI/CD
- OpenSSF Scorecard: add a workflow_dispatch trigger for on-demand scans, and
wire an optional SCORECARD_TOKEN so the Branch-Protection check can read and
score classic protection rules — falling back to the default token where the
secret is absent (forks / "Use this template" copies). (#114, #115)
Fixed
- Align the toolchain to Python 3.14 and correct PITR-window wording.
Documentation
- Add a generated codebase knowledge base (AGENTS.md, CONTRIBUTING.md), register
agent SOPs as project skills, add the ship-a-change SOP, and link AGENTS.md
from llms.txt as the canonical agent entry point.
Build
- Bump pytest 9.0.3 -> 9.1.1 (plus routine Dependabot dependency updates).
Full changelog: https://github.com/timpugh/lambda-powertools-reference/compare/v3.0.0..v3.0.1
v3.0.0 — cdk-nag v3 migration + supply-chain hardening
v3.0.0 — cdk-nag v3 migration + supply-chain hardening
BREAKING (for forks): cdk-nag upgraded 2.x -> 3.0.1, an engine rewrite
from per-stack IAspects to CDK policy-validation plugins. A fork that
customized suppressions must migrate NagSuppressions.add_* calls to the
acknowledge_rules adapter (Validations.of().acknowledge()); granular
IAM4/IAM5 findings are now matched individually. The gate itself moved:
CDK signals validation failure via the Node process exit code, which is
jsii's throwaway kernel for a Python app, so neither app.synth() nor
cdk synth fails natively — scripts/check_validation_report.py is the
new hard gate (make cdk-synth + CI), paired with in-process report
parsing and a non-vacuousness canary test.
Also in this release:
- Supply-chain: transitive cryptography 49 and pydantic-settings 2.14.2
moved past known CVEs; deps-merge no longer silently reverts
lockfile-only Dependabot bumps; the weekly audit now covers the npm
side independently of pip-audit. - Toolchain: aws-cdk-lib 2.261.0, actions/checkout v7.
Verified end to end on a live account: deploy -> functional + telemetry
(logs, EMF metrics, X-Ray, WAF, Athena, AppConfig flag rollout,
CloudTrail) -> destroy, with zero errors and zero dangling resources;
deployed templates carry the v3 cdk_nag metadata audit trail.
v2.1.0 — tenant-aware telemetry + Well-Architected remediation pass
v2.1.0 — tenant-aware telemetry + Well-Architected remediation pass
Tenant context is now a first-class observability signal: every request
tags structured logs, EMF metric records (as metadata, preserving the
{service} metric identity), and X-Ray traces with tenant_id, so a fork
that adds authentication gets per-tenant observability without a
retrofit.
A full Well-Architected review pass (new /wa-review skill) remediated
eleven findings, including: the EMF telemetry contract between the
handler and the FeatureFlagEvaluationFailure rollback alarm /
GreetingRequests KPI widget; a botocore retry budget that exceeded the
Lambda timeout (with the max_attempts off-by-one documented); a
direct-caller rate rule on the regional WAF ACL closing a shared-fate
throttling DoS on the execute-api bypass path; exact-ARN scoping of the
CloudTrail CMK grant; strict context-flag parsing so a retain_data typo
fails synth instead of silently dropping retention; nag-gate coverage
for the retain_data shape and an aspects-attached assertion so the
compliance gate can no longer pass vacuously; and npm-side coverage in
the weekly dependency audit.
Three live deploy -> test -> destroy cycles then verified the system
end to end (API, frontend, logs, metrics, traces, WAF, Athena,
AppConfig rollout, CloudTrail, teardown sweeps) and fixed the two
defects found: WAF Athena partition projection now uses day granularity
with a lifecycle-matched NOW-90DAYS range and pruning predicates
(queries went from 6+ minutes to under a second), and the ineffective
GuardDuty service-principal CMK grant was removed after CloudTrail
proved it dead policy. The final cycle completed with zero fixes.
v2.0.3 — portable CDK snapshot tests
v2.0.3 — portable CDK snapshot tests
Patch release following up v2.0.2.
- fix: normalize the Lambda version logical-id hash in the CDK snapshot
tests so they're deterministic across build environments (the backend
snapshot failed in CI though it passed locally, because the asset-derived
version hash differs between a local run and CI's fresh checkout)
v2.0.2 — layered Lambda, snapshot tests, expanded fork docs
v2.0.2 — layered Lambda, snapshot tests, expanded fork docs
- refactor: split the Lambda handler into handler/service/model layers
(behavior unchanged; the generated OpenAPI spec is byte-identical) - test: add CloudFormation template snapshot tests across all five stacks
(asset hashes normalized; regenerate with UPDATE_SNAPSHOTS=1 make test-cdk) - docs: expand the README for forkers — consolidated cost overview, the
testing approaches used and not used, Secrets-Manager-vs-SSM and
configuration guidance, and scaling pointers (async/event-driven,
multi-tenant/SaaS, API surface conventions, privacy/compliance)
v2.0.1 — dependency maintenance
v2.0.1 — dependency maintenance
Patch release on top of v2.0.0. No functional or infrastructure changes — only
dependency updates, landed via Dependabot and merged through the make deps-merge
flow (rebase onto main, regenerate uv.lock + lambda/requirements.txt, CI-gated
auto-merge):
- linting group: ruff / mypy / pylint / etc. (#78)
- patches groups: transitive + tooling pins (#72, #84)
See the [2.0.1] section of CHANGELOG.md.
v2.0.0 — De-branded "ServerlessApp" reference architecture
v2.0.0 — De-branded "ServerlessApp" reference architecture
Major release. The headline change is a full de-brand from the "HelloWorld"
placeholder to role-based names — breaking for anyone who forked an earlier tag.
BREAKING CHANGES
- CDK package renamed: hello_world/ -> infrastructure/ (imports change).
- Stack names renamed: HelloWorld{,Data,Frontend,Waf,Audit}-{region} ->
ServerlessApp{Backend,Data,Frontend,Waf,Audit}-{region}. Deploying v2.0.0 does
NOT update a v1.x stack set in place — CloudFormation matches by name, so new
stacks are created; destroy the old set (or migrate state) when upgrading. - API route renamed: GET /hello -> GET /greeting.
- Distribution/package name: hello-world -> serverless-app.
- Classes (HelloWorldApp -> BackendApp, HelloWorldStack -> BackendStack, etc.),
construct IDs, metric namespace (HelloWorld -> ServerlessApp), and service name
(hello-world -> serverless-app) all de-branded. The greeting payload value
"hello world" is intentionally unchanged.
HIGHLIGHTS SINCE v1.1.0
- Two stateful stacks behind one retain_data switch: DataStack (DynamoDB + CMK)
and AuditStack (CloudTrail object-level S3 data-event trail + bucket + CMK). - Progressive delivery: CodeDeploy canary on the Lambda alias, plus an opt-in
AppConfig gradual rollout with alarm-driven rollback. - WAF logs to S3 (aws-waf-logs-*) with partition-projected Athena/Glue tables; a
regional WAF on API Gateway closes the execute-api CloudFront-bypass window. - TemplateConventionChecks validation Aspect; committed + CI-gated OpenAPI spec;
a PR CloudFormation-diff job; in-house coverage badge; env/region stack dimension. - Verified end-to-end on a live deploy + destroy-clean teardown.
Full changelog: see the [2.0.0] section of CHANGELOG.md.
v1.1.0 — security hardening, audit fixes, and teardown safety
v1.1.0 — security hardening, audit fixes, and teardown safety
-
API Gateway regional WAF, throttling, reserved concurrency, HSTS/CSP headers
-
Add make destroy-clean and tighten tooling config
-
Concurrency control, job timeouts, pinned CDK CLI, full-group audit
-
Document the release-cutting workflow
-
Document doctor + clean-venvs targets and venv strategy
-
Add CLAUDE.md for future Claude Code sessions
-
Document cdk-* make targets and --trace tip
-
Add gitignore.io to Resources
-
Document cdk-revert-drift and a future drift-as-CI-signal step
-
Reconcile README/TODO/diagram with shipped code; document teardown race
-
Add cleanup CR for RUM's auto-created log group
-
Suppress AwsSolutions-IAM5 on the RUM cleanup CR
-
Revert .bandit exclude_dirs anchoring that broke the tests exclusion
-
Add doctor + clean-venvs targets, expand venv-location preamble
-
Add cdk-diff/drift/diagnose/gc/rollback/ls targets
-
Bump idna 3.13->3.16 and pymdown-extensions 10.21.2->10.21.3
-
Add cdk-revert-drift target for drift remediation
-
Strengthen CDK/unit/integration assertions and add regression guards
v1.0.1 — Documentation patch
v1.0.1 — Documentation patch
Documentation-only release. No code or infrastructure changes.
Highlights:
- AWS architecture diagram embedded at the top of the README, generated
via the deploy-on-aws Claude Code plugin's aws-architecture-diagram
skill. Source committed at docs/architecture.drawio; rendered PNG at
docs/architecture.png. Covers the request path, Lambda's config/state
dependencies, the audit + access-log analytics pipeline, and the
auxiliary observability layer. Ten numbered steps + right-side legend. - CHANGELOG.md auto-generated from conventional-commit history via
git-cliff (cliff.toml). Dependabot bumps and merge commits filtered
out so the changelog reflects feature/fix/docs/CI history rather than
dependency churn. - README "Commit message convention" section documents the git-cliff
workflow and mentions Commitizen as an optional author-time enforcer
for forks that want it. - "Worth flagging if forked for a real workload" section adds ggshield
(full-history secret scanning), a pointer to Renovate's post-upgrade
tasks feature, and CloudEvents (event-format spec to adopt up front
if a fork ever introduces async event sources).