Skip to content

Releases: timpugh/lambda-powertools-reference

v3.0.2 — Retry-budget fix for the idempotency DynamoDB writes

Choose a tag to compare

@github-actions github-actions released this 07 Jul 23:44

v3.0.2 — Retry-budget fix for the idempotency DynamoDB writes

Maintenance release.

Fixed

  • Bound the SDK retry budget so the @idempotent layer's TWO sequential
    DynamoDB writes (save_inprogress before the handler, save_success after)
    stay under the 10s Lambda timeout during a DynamoDB brownout.
    total_max_attempts 3 -> 2 (~8s worst case for both writes), preventing a
    timeout-induced API Gateway 502 that would feed the CodeDeploy canary
    rollback alarm. (#116)

Documentation

  • Note that the RUM guest identity pool allows direct rum:PutRumEvents calls
    and that session_sample_rate (client-side) does NOT bound that cost/abuse
    vector — the guardrail is a Budgets / RUM-volume alarm (see TODO.md).

Full changelog: https://github.com/timpugh/lambda-powertools-reference/compare/v3.0.1..v3.0.2

v3.0.1

Choose a tag to compare

@github-actions github-actions released this 07 Jul 23:07

v3.0.1 — On-demand Scorecard scans, Branch-Protection scoring, Python 3.14 toolchain fix

Maintenance release.

CI/CD

  • OpenSSF Scorecard: add a workflow_dispatch trigger for on-demand scans, and
    wire an optional SCORECARD_TOKEN so the Branch-Protection check can read and
    score classic protection rules — falling back to the default token where the
    secret is absent (forks / "Use this template" copies). (#114, #115)

Fixed

  • Align the toolchain to Python 3.14 and correct PITR-window wording.

Documentation

  • Add a generated codebase knowledge base (AGENTS.md, CONTRIBUTING.md), register
    agent SOPs as project skills, add the ship-a-change SOP, and link AGENTS.md
    from llms.txt as the canonical agent entry point.

Build

  • Bump pytest 9.0.3 -> 9.1.1 (plus routine Dependabot dependency updates).

Full changelog: https://github.com/timpugh/lambda-powertools-reference/compare/v3.0.0..v3.0.1

v3.0.0 — cdk-nag v3 migration + supply-chain hardening

Choose a tag to compare

@github-actions github-actions released this 03 Jul 18:20

v3.0.0 — cdk-nag v3 migration + supply-chain hardening

BREAKING (for forks): cdk-nag upgraded 2.x -> 3.0.1, an engine rewrite
from per-stack IAspects to CDK policy-validation plugins. A fork that
customized suppressions must migrate NagSuppressions.add_* calls to the
acknowledge_rules adapter (Validations.of().acknowledge()); granular
IAM4/IAM5 findings are now matched individually. The gate itself moved:
CDK signals validation failure via the Node process exit code, which is
jsii's throwaway kernel for a Python app, so neither app.synth() nor
cdk synth fails natively — scripts/check_validation_report.py is the
new hard gate (make cdk-synth + CI), paired with in-process report
parsing and a non-vacuousness canary test.

Also in this release:

  • Supply-chain: transitive cryptography 49 and pydantic-settings 2.14.2
    moved past known CVEs; deps-merge no longer silently reverts
    lockfile-only Dependabot bumps; the weekly audit now covers the npm
    side independently of pip-audit.
  • Toolchain: aws-cdk-lib 2.261.0, actions/checkout v7.

Verified end to end on a live account: deploy -> functional + telemetry
(logs, EMF metrics, X-Ray, WAF, Athena, AppConfig flag rollout,
CloudTrail) -> destroy, with zero errors and zero dangling resources;
deployed templates carry the v3 cdk_nag metadata audit trail.

v2.1.0 — tenant-aware telemetry + Well-Architected remediation pass

Choose a tag to compare

@github-actions github-actions released this 03 Jul 01:21

v2.1.0 — tenant-aware telemetry + Well-Architected remediation pass

Tenant context is now a first-class observability signal: every request
tags structured logs, EMF metric records (as metadata, preserving the
{service} metric identity), and X-Ray traces with tenant_id, so a fork
that adds authentication gets per-tenant observability without a
retrofit.

A full Well-Architected review pass (new /wa-review skill) remediated
eleven findings, including: the EMF telemetry contract between the
handler and the FeatureFlagEvaluationFailure rollback alarm /
GreetingRequests KPI widget; a botocore retry budget that exceeded the
Lambda timeout (with the max_attempts off-by-one documented); a
direct-caller rate rule on the regional WAF ACL closing a shared-fate
throttling DoS on the execute-api bypass path; exact-ARN scoping of the
CloudTrail CMK grant; strict context-flag parsing so a retain_data typo
fails synth instead of silently dropping retention; nag-gate coverage
for the retain_data shape and an aspects-attached assertion so the
compliance gate can no longer pass vacuously; and npm-side coverage in
the weekly dependency audit.

Three live deploy -> test -> destroy cycles then verified the system
end to end (API, frontend, logs, metrics, traces, WAF, Athena,
AppConfig rollout, CloudTrail, teardown sweeps) and fixed the two
defects found: WAF Athena partition projection now uses day granularity
with a lifecycle-matched NOW-90DAYS range and pruning predicates
(queries went from 6+ minutes to under a second), and the ineffective
GuardDuty service-principal CMK grant was removed after CloudTrail
proved it dead policy. The final cycle completed with zero fixes.

v2.0.3 — portable CDK snapshot tests

Choose a tag to compare

@github-actions github-actions released this 19 Jun 03:26

v2.0.3 — portable CDK snapshot tests

Patch release following up v2.0.2.

  • fix: normalize the Lambda version logical-id hash in the CDK snapshot
    tests so they're deterministic across build environments (the backend
    snapshot failed in CI though it passed locally, because the asset-derived
    version hash differs between a local run and CI's fresh checkout)

v2.0.2 — layered Lambda, snapshot tests, expanded fork docs

Choose a tag to compare

@github-actions github-actions released this 18 Jun 21:27

v2.0.2 — layered Lambda, snapshot tests, expanded fork docs

  • refactor: split the Lambda handler into handler/service/model layers
    (behavior unchanged; the generated OpenAPI spec is byte-identical)
  • test: add CloudFormation template snapshot tests across all five stacks
    (asset hashes normalized; regenerate with UPDATE_SNAPSHOTS=1 make test-cdk)
  • docs: expand the README for forkers — consolidated cost overview, the
    testing approaches used and not used, Secrets-Manager-vs-SSM and
    configuration guidance, and scaling pointers (async/event-driven,
    multi-tenant/SaaS, API surface conventions, privacy/compliance)

v2.0.1 — dependency maintenance

Choose a tag to compare

@github-actions github-actions released this 17 Jun 03:36

v2.0.1 — dependency maintenance

Patch release on top of v2.0.0. No functional or infrastructure changes — only
dependency updates, landed via Dependabot and merged through the make deps-merge
flow (rebase onto main, regenerate uv.lock + lambda/requirements.txt, CI-gated
auto-merge):

  • linting group: ruff / mypy / pylint / etc. (#78)
  • patches groups: transitive + tooling pins (#72, #84)

See the [2.0.1] section of CHANGELOG.md.

v2.0.0 — De-branded "ServerlessApp" reference architecture

Choose a tag to compare

@github-actions github-actions released this 16 Jun 23:49

v2.0.0 — De-branded "ServerlessApp" reference architecture

Major release. The headline change is a full de-brand from the "HelloWorld"
placeholder to role-based names — breaking for anyone who forked an earlier tag.

BREAKING CHANGES

  • CDK package renamed: hello_world/ -> infrastructure/ (imports change).
  • Stack names renamed: HelloWorld{,Data,Frontend,Waf,Audit}-{region} ->
    ServerlessApp{Backend,Data,Frontend,Waf,Audit}-{region}. Deploying v2.0.0 does
    NOT update a v1.x stack set in place — CloudFormation matches by name, so new
    stacks are created; destroy the old set (or migrate state) when upgrading.
  • API route renamed: GET /hello -> GET /greeting.
  • Distribution/package name: hello-world -> serverless-app.
  • Classes (HelloWorldApp -> BackendApp, HelloWorldStack -> BackendStack, etc.),
    construct IDs, metric namespace (HelloWorld -> ServerlessApp), and service name
    (hello-world -> serverless-app) all de-branded. The greeting payload value
    "hello world" is intentionally unchanged.

HIGHLIGHTS SINCE v1.1.0

  • Two stateful stacks behind one retain_data switch: DataStack (DynamoDB + CMK)
    and AuditStack (CloudTrail object-level S3 data-event trail + bucket + CMK).
  • Progressive delivery: CodeDeploy canary on the Lambda alias, plus an opt-in
    AppConfig gradual rollout with alarm-driven rollback.
  • WAF logs to S3 (aws-waf-logs-*) with partition-projected Athena/Glue tables; a
    regional WAF on API Gateway closes the execute-api CloudFront-bypass window.
  • TemplateConventionChecks validation Aspect; committed + CI-gated OpenAPI spec;
    a PR CloudFormation-diff job; in-house coverage badge; env/region stack dimension.
  • Verified end-to-end on a live deploy + destroy-clean teardown.

Full changelog: see the [2.0.0] section of CHANGELOG.md.

v1.1.0 — security hardening, audit fixes, and teardown safety

Choose a tag to compare

@timpugh timpugh released this 09 Jun 05:16
83645c8

v1.1.0 — security hardening, audit fixes, and teardown safety

  • API Gateway regional WAF, throttling, reserved concurrency, HSTS/CSP headers

  • Add make destroy-clean and tighten tooling config

  • Concurrency control, job timeouts, pinned CDK CLI, full-group audit

  • Document the release-cutting workflow

  • Document doctor + clean-venvs targets and venv strategy

  • Add CLAUDE.md for future Claude Code sessions

  • Document cdk-* make targets and --trace tip

  • Add gitignore.io to Resources

  • Document cdk-revert-drift and a future drift-as-CI-signal step

  • Reconcile README/TODO/diagram with shipped code; document teardown race

  • Add cleanup CR for RUM's auto-created log group

  • Suppress AwsSolutions-IAM5 on the RUM cleanup CR

  • Revert .bandit exclude_dirs anchoring that broke the tests exclusion

  • Add doctor + clean-venvs targets, expand venv-location preamble

  • Add cdk-diff/drift/diagnose/gc/rollback/ls targets

  • Bump idna 3.13->3.16 and pymdown-extensions 10.21.2->10.21.3

  • Add cdk-revert-drift target for drift remediation

  • Strengthen CDK/unit/integration assertions and add regression guards

v1.0.1 — Documentation patch

Choose a tag to compare

@timpugh timpugh released this 13 May 00:38

v1.0.1 — Documentation patch

Documentation-only release. No code or infrastructure changes.

Highlights:

  • AWS architecture diagram embedded at the top of the README, generated
    via the deploy-on-aws Claude Code plugin's aws-architecture-diagram
    skill. Source committed at docs/architecture.drawio; rendered PNG at
    docs/architecture.png. Covers the request path, Lambda's config/state
    dependencies, the audit + access-log analytics pipeline, and the
    auxiliary observability layer. Ten numbered steps + right-side legend.
  • CHANGELOG.md auto-generated from conventional-commit history via
    git-cliff (cliff.toml). Dependabot bumps and merge commits filtered
    out so the changelog reflects feature/fix/docs/CI history rather than
    dependency churn.
  • README "Commit message convention" section documents the git-cliff
    workflow and mentions Commitizen as an optional author-time enforcer
    for forks that want it.
  • "Worth flagging if forked for a real workload" section adds ggshield
    (full-history secret scanning), a pointer to Renovate's post-upgrade
    tasks feature, and CloudEvents (event-format spec to adopt up front
    if a fork ever introduces async event sources).