Merge pull request #3185 from aws/release-v1.68.0

Release 1.68.0 (to main)
aws · May 25, 2023 · 12a7b02 · 12a7b02
2 parents d100983 + 7222440
commit 12a7b02
Show file tree

Hide file tree

Showing 37 changed files with 4,713 additions and 1,232 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -2,7 +2,7 @@
 name: Bug report
 about: Report a bug concerning the AWS SAM transform
 title: ''
-labels: stage/needs-triage, type/bug
+labels: stage/needs-triage
 assignees: ''
 
 ---

diff --git a/DEVELOPMENT_GUIDE.md b/DEVELOPMENT_GUIDE.md
@@ -129,6 +129,9 @@ each version and flip between them (sourcing the activate script). Typically, we
 one python version locally and then have our ci (appveyor) run all supported versions.
 
 ### Transform tests
+
+Transform tests ensure a SAM template transforms into the expected CloudFormation template.
+
 When adding new transform tests, we have provided a script to help generate the transform test input 
 and output files in the correct directory given a template.yaml file.
 ```bash

diff --git a/integration/combination/test_api_settings.py b/integration/combination/test_api_settings.py
@@ -5,7 +5,7 @@
 from parameterized import parameterized
 
 from integration.config.service_names import REST_API
-from integration.helpers.base_test import BaseTest
+from integration.helpers.base_test import BaseTest, nonblocking
 from integration.helpers.resource import current_region_does_not_support
 
 
@@ -67,6 +67,7 @@ def test_request_models(self, file_name):
             + "  }\n}",
         )
 
+    @nonblocking
     def test_request_parameters_open_api(self):
         self.create_and_verify_stack("combination/api_with_request_parameters_openapi")
 

diff --git a/integration/combination/test_connectors.py b/integration/combination/test_connectors.py
@@ -26,6 +26,7 @@ def tearDown(self):
 
     @parameterized.expand(
         [
+            ("combination/connector_appsync_api_to_lambda",),
             ("combination/connector_appsync_to_lambda",),
             ("combination/connector_appsync_to_table",),
             ("combination/connector_function_to_function",),

diff --git a/integration/helpers/base_test.py b/integration/helpers/base_test.py
@@ -54,6 +54,14 @@
     "api_with_custom_domains_regional_ownership_verification",
 ]
 
+# In general, we should only mark integration tests as @nonblocking if
+#   1. The test succeeded every region (this ensures the transformed output makes sense)
+#   2. The test resources are defined in a single template without Parameters or other
+#      CloudFormation macros (this ensures we can represent transform using a transform test)
+#   3. An identical transform test exists for the integration test template (this ensures we
+#      don't break the working template)
+nonblocking = pytest.mark.xfail
+
 
 class BaseTest(TestCase):
     @pytest.fixture(autouse=True)

diff --git a/integration/resources/expected/combination/connector_appsync_api_to_lambda.json b/integration/resources/expected/combination/connector_appsync_api_to_lambda.json
@@ -0,0 +1,42 @@
+[
+  {
+    "LogicalResourceId": "Api",
+    "ResourceType": "AWS::AppSync::GraphQLApi"
+  },
+  {
+    "LogicalResourceId": "ApiSchema",
+    "ResourceType": "AWS::AppSync::GraphQLSchema"
+  },
+  {
+    "LogicalResourceId": "NoneDataSource",
+    "ResourceType": "AWS::AppSync::DataSource"
+  },
+  {
+    "LogicalResourceId": "SayHelloResolver",
+    "ResourceType": "AWS::AppSync::Resolver"
+  },
+  {
+    "LogicalResourceId": "SayHelloFunc",
+    "ResourceType": "AWS::AppSync::FunctionConfiguration"
+  },
+  {
+    "LogicalResourceId": "Authorizer",
+    "ResourceType": "AWS::Lambda::Function"
+  },
+  {
+    "LogicalResourceId": "AuthorizerRole",
+    "ResourceType": "AWS::IAM::Role"
+  },
+  {
+    "LogicalResourceId": "TriggerFunction",
+    "ResourceType": "AWS::Lambda::Function"
+  },
+  {
+    "LogicalResourceId": "TriggerFunctionRole",
+    "ResourceType": "AWS::IAM::Role"
+  },
+  {
+    "LogicalResourceId": "GraphQlApiToLambdaConnectorWriteLambdaPermission",
+    "ResourceType": "AWS::Lambda::Permission"
+  }
+]
diff --git a/integration/resources/templates/combination/connector_appsync_api_to_lambda.yaml b/integration/resources/templates/combination/connector_appsync_api_to_lambda.yaml
@@ -0,0 +1,169 @@
+Resources:
+  Api:
+    Type: AWS::AppSync::GraphQLApi
+    Properties:
+      Name: Api
+      AuthenticationType: AWS_LAMBDA
+      LambdaAuthorizerConfig:
+        AuthorizerUri: !GetAtt Authorizer.Arn
+
+  ApiSchema:
+    Type: AWS::AppSync::GraphQLSchema
+    Properties:
+      ApiId: !GetAtt Api.ApiId
+      Definition: |
+        type Query {
+          sayHello: String!
+        }
+        schema {
+          query: Query
+        }
+
+  NoneDataSource:
+    Type: AWS::AppSync::DataSource
+    Properties:
+      Type: NONE
+      ApiId: !GetAtt Api.ApiId
+      Name: NoneDataSource
+
+  SayHelloResolver:
+    DependsOn: ApiSchema
+    Type: AWS::AppSync::Resolver
+    Properties:
+      ApiId: !GetAtt Api.ApiId
+      TypeName: Query
+      FieldName: sayHello
+      Kind: PIPELINE
+      PipelineConfig:
+        Functions:
+        - !GetAtt SayHelloFunc.FunctionId
+      Code: |
+        export function request(ctx) {
+            return {};
+        }
+
+        export function response(ctx) {
+            return ctx.prev.result;
+        }
+      Runtime:
+        Name: APPSYNC_JS
+        RuntimeVersion: 1.0.0
+
+  SayHelloFunc:
+    Type: AWS::AppSync::FunctionConfiguration
+    Properties:
+      ApiId: !GetAtt Api.ApiId
+      Name: SayHelloFunc
+      DataSourceName: !GetAtt NoneDataSource.Name
+      Code: |
+        export function request(ctx) {
+          return {};
+        }
+
+        export function response(ctx) {
+          return "Hello World";
+        }
+      Runtime:
+        Name: APPSYNC_JS
+        RuntimeVersion: 1.0.0
+
+  GraphQlApiToLambdaConnector:
+    Type: AWS::Serverless::Connector
+    Properties:
+      Source:
+        Id: Api
+      Destination:
+        Id: Authorizer
+      Permissions:
+      - Write
+
+  Authorizer:
+    Type: AWS::Serverless::Function
+    Properties:
+      InlineCode: |
+        exports.handler = async (_) => {
+          return {
+            isAuthorized: true,
+            deniedFields: [],
+          }
+        }
+      PackageType: Zip
+      Runtime: nodejs14.x
+      Handler: index.handler
+
+  TriggerFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      Environment:
+        Variables:
+          GRAPHQL_URL: !GetAtt Api.GraphQLUrl
+      Runtime: nodejs14.x
+      Handler: index.handler
+      InlineCode: |
+        const https = require("https");
+
+        exports.handler = async (_) => {
+          const queries = {
+            sayHello: /* GraphQL */ `
+              query {
+                sayHello
+              }
+            `,
+          };
+
+
+          const fetch = async (url, options) =>
+            new Promise((resolve, reject) => {
+              const req = https.request(url, options, (res) => {
+                const body = [];
+                res.on("data", (chunk) => body.push(chunk));
+                res.on("end", () => {
+                  const resString = Buffer.concat(body).toString();
+                  resolve(resString);
+                });
+              });
+
+              req.on("error", (err) => {
+                reject(err);
+              });
+
+              req.on("timeout", () => {
+                req.destroy();
+                reject(new Error("Request time out"));
+              });
+
+              req.write(options.body);
+              req.end();
+            });
+
+
+          const makeRequest = async (queryName) => {
+            const options = {
+              method: "POST",
+              headers: {
+                "Authorization": "n'importe quoi",
+              },
+              body: JSON.stringify({ query: queries[queryName] }),
+              timeout: 10000, // ms
+            };
+
+            const response = await fetch(process.env.GRAPHQL_URL, options);
+            const body = JSON.parse(response);
+            const data = body.data?.[queryName];
+
+            if (body.errors !== undefined) {
+              throw JSON.stringify(body.errors);
+            }
+            
+            if (data !== "Hello World") {
+              throw new Error(`${queryName} error: '${data}' must be 'Hello World'`);
+            }
+
+            return body.data;
+          };
+
+
+          return await makeRequest("sayHello");
+        };
+Metadata:
+  SamTransformTest: true
diff --git a/requirements/dev.txt b/requirements/dev.txt
@@ -4,7 +4,7 @@ pytest-xdist>=2.5,<4
 pytest-env>=0.6,<1
 pytest-rerunfailures>=9.1,<12
 pyyaml~=6.0
-ruff==0.0.261  # loose the requirement once it is more stable
+ruff==0.0.263  # loose the requirement once it is more stable
 
 # Test requirements
 pytest>=6.2,<8

diff --git a/ruff.toml b/ruff.toml
@@ -22,6 +22,9 @@ select = [
     "UP", # pyupgrade
     "C4", # flake8-comprehensions
     "PTH", # flake8-use-pathlib
+    "G", # flake8-logging-format
+    "INP", # flake8-no-pep420
+    "T20", # flake8-print
 ]
 
 # Mininal python version we support is 3.7
@@ -33,7 +36,16 @@ keep-runtime-typing = true
 
 [per-file-ignores]
 # python scripts in bin/ needs some python path configurations before import
-"bin/*.py" = ["E402"]  # E402: module-import-not-at-top-of-file
+"bin/*.py" = [
+    # E402: module-import-not-at-top-of-file
+    "E402",
+    # S603: `subprocess` call: check for execution of untrusted input
+    # these are dev tools and do not have risks of malicious inputs.
+    "S603",
+    # T201 `print` found
+    # print() is allowed in bin/ as they are dev tools.
+    "T201",
+]
 
 [pylint]
 max-args = 6  # We have many functions reaching 6 args
diff --git a/samtranslator/__init__.py b/samtranslator/__init__.py
@@ -1 +1 @@
-__version__ = "1.67.0"
+__version__ = "1.68.0"
diff --git a/samtranslator/internal/data/aws_managed_policies.json b/samtranslator/internal/data/aws_managed_policies.json
@@ -497,6 +497,7 @@
     "AWSTrustedAdvisorPriorityReadOnlyAccess": "arn:aws:iam::aws:policy/AWSTrustedAdvisorPriorityReadOnlyAccess",
     "AWSTrustedAdvisorReportingServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorReportingServiceRolePolicy",
     "AWSTrustedAdvisorServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorServiceRolePolicy",
+    "AWSUserNotificationsServiceLinkedRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/AWSUserNotificationsServiceLinkedRolePolicy",
     "AWSVPCS2SVpnServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/AWSVPCS2SVpnServiceRolePolicy",
     "AWSVPCTransitGatewayServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/AWSVPCTransitGatewayServiceRolePolicy",
     "AWSVPCVerifiedAccessServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/AWSVPCVerifiedAccessServiceRolePolicy",
@@ -509,6 +510,7 @@
     "AWSWAFConsoleReadOnlyAccess": "arn:aws:iam::aws:policy/AWSWAFConsoleReadOnlyAccess",
     "AWSWAFFullAccess": "arn:aws:iam::aws:policy/AWSWAFFullAccess",
     "AWSWAFReadOnlyAccess": "arn:aws:iam::aws:policy/AWSWAFReadOnlyAccess",
+    "AWSWellArchitectedDiscoveryServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/AWSWellArchitectedDiscoveryServiceRolePolicy",
     "AWSWellArchitectedOrganizationsServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/AWSWellArchitectedOrganizationsServiceRolePolicy",
     "AWSWickrFullAccess": "arn:aws:iam::aws:policy/AWSWickrFullAccess",
     "AWSXRayDaemonWriteAccess": "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess",
@@ -561,6 +563,9 @@
     "AmazonCloudWatchRUMFullAccess": "arn:aws:iam::aws:policy/AmazonCloudWatchRUMFullAccess",
     "AmazonCloudWatchRUMReadOnlyAccess": "arn:aws:iam::aws:policy/AmazonCloudWatchRUMReadOnlyAccess",
     "AmazonCloudWatchRUMServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/AmazonCloudWatchRUMServiceRolePolicy",
+    "AmazonCodeCatalystFullAccess": "arn:aws:iam::aws:policy/AmazonCodeCatalystFullAccess",
+    "AmazonCodeCatalystReadOnlyAccess": "arn:aws:iam::aws:policy/AmazonCodeCatalystReadOnlyAccess",
+    "AmazonCodeCatalystSupportAccess": "arn:aws:iam::aws:policy/service-role/AmazonCodeCatalystSupportAccess",
     "AmazonCodeGuruProfilerAgentAccess": "arn:aws:iam::aws:policy/AmazonCodeGuruProfilerAgentAccess",
     "AmazonCodeGuruProfilerFullAccess": "arn:aws:iam::aws:policy/AmazonCodeGuruProfilerFullAccess",
     "AmazonCodeGuruProfilerReadOnlyAccess": "arn:aws:iam::aws:policy/AmazonCodeGuruProfilerReadOnlyAccess",
@@ -779,6 +784,8 @@
     "AmazonNimbleStudio-StudioUser": "arn:aws:iam::aws:policy/AmazonNimbleStudio-StudioUser",
     "AmazonOmicsFullAccess": "arn:aws:iam::aws:policy/AmazonOmicsFullAccess",
     "AmazonOmicsReadOnlyAccess": "arn:aws:iam::aws:policy/AmazonOmicsReadOnlyAccess",
+    "AmazonOpenSearchIngestionFullAccess": "arn:aws:iam::aws:policy/AmazonOpenSearchIngestionFullAccess",
+    "AmazonOpenSearchIngestionReadOnlyAccess": "arn:aws:iam::aws:policy/AmazonOpenSearchIngestionReadOnlyAccess",
     "AmazonOpenSearchIngestionServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/AmazonOpenSearchIngestionServiceRolePolicy",
     "AmazonOpenSearchServerlessServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/AmazonOpenSearchServerlessServiceRolePolicy",
     "AmazonOpenSearchServiceCognitoAccess": "arn:aws:iam::aws:policy/AmazonOpenSearchServiceCognitoAccess",
@@ -870,6 +877,7 @@
     "AmazonSageMakerGroundTruthExecution": "arn:aws:iam::aws:policy/AmazonSageMakerGroundTruthExecution",
     "AmazonSageMakerMechanicalTurkAccess": "arn:aws:iam::aws:policy/AmazonSageMakerMechanicalTurkAccess",
     "AmazonSageMakerModelGovernanceUseAccess": "arn:aws:iam::aws:policy/AmazonSageMakerModelGovernanceUseAccess",
+    "AmazonSageMakerModelRegistryFullAccess": "arn:aws:iam::aws:policy/AmazonSageMakerModelRegistryFullAccess",
     "AmazonSageMakerNotebooksServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/AmazonSageMakerNotebooksServiceRolePolicy",
     "AmazonSageMakerPipelinesIntegrations": "arn:aws:iam::aws:policy/AmazonSageMakerPipelinesIntegrations",
     "AmazonSageMakerReadOnly": "arn:aws:iam::aws:policy/AmazonSageMakerReadOnly",
@@ -892,6 +900,7 @@
     "AmazonTranscribeReadOnlyAccess": "arn:aws:iam::aws:policy/AmazonTranscribeReadOnlyAccess",
     "AmazonVPCCrossAccountNetworkInterfaceOperations": "arn:aws:iam::aws:policy/AmazonVPCCrossAccountNetworkInterfaceOperations",
     "AmazonVPCFullAccess": "arn:aws:iam::aws:policy/AmazonVPCFullAccess",
+    "AmazonVPCReachabilityAnalyzerPathComponentReadPolicy": "arn:aws:iam::aws:policy/AmazonVPCReachabilityAnalyzerPathComponentReadPolicy",
     "AmazonVPCReadOnlyAccess": "arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess",
     "AmazonWorkDocsFullAccess": "arn:aws:iam::aws:policy/AmazonWorkDocsFullAccess",
     "AmazonWorkDocsReadOnlyAccess": "arn:aws:iam::aws:policy/AmazonWorkDocsReadOnlyAccess",
@@ -1013,6 +1022,7 @@
     "IVSRecordToS3": "arn:aws:iam::aws:policy/aws-service-role/IVSRecordToS3",
     "KafkaConnectServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/KafkaConnectServiceRolePolicy",
     "KafkaServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/KafkaServiceRolePolicy",
+    "KeyspacesReplicationServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/KeyspacesReplicationServiceRolePolicy",
     "LakeFormationDataAccessServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/LakeFormationDataAccessServiceRolePolicy",
     "LexBotPolicy": "arn:aws:iam::aws:policy/aws-service-role/LexBotPolicy",
     "LexChannelPolicy": "arn:aws:iam::aws:policy/aws-service-role/LexChannelPolicy",
@@ -1033,7 +1043,15 @@
     "PowerUserAccess": "arn:aws:iam::aws:policy/PowerUserAccess",
     "QuickSightAccessForS3StorageManagementAnalyticsReadOnly": "arn:aws:iam::aws:policy/service-role/QuickSightAccessForS3StorageManagementAnalyticsReadOnly",
     "RDSCloudHsmAuthorizationRole": "arn:aws:iam::aws:policy/service-role/RDSCloudHsmAuthorizationRole",
+    "ROSAAmazonEBSCSIDriverOperatorPolicy": "arn:aws:iam::aws:policy/service-role/ROSAAmazonEBSCSIDriverOperatorPolicy",
+    "ROSACloudNetworkConfigOperatorPolicy": "arn:aws:iam::aws:policy/service-role/ROSACloudNetworkConfigOperatorPolicy",
+    "ROSAControlPlaneOperatorPolicy": "arn:aws:iam::aws:policy/service-role/ROSAControlPlaneOperatorPolicy",
+    "ROSAImageRegistryOperatorPolicy": "arn:aws:iam::aws:policy/service-role/ROSAImageRegistryOperatorPolicy",
+    "ROSAIngressOperatorPolicy": "arn:aws:iam::aws:policy/service-role/ROSAIngressOperatorPolicy",
+    "ROSAKMSProviderPolicy": "arn:aws:iam::aws:policy/service-role/ROSAKMSProviderPolicy",
+    "ROSAKubeControllerPolicy": "arn:aws:iam::aws:policy/service-role/ROSAKubeControllerPolicy",
     "ROSAManageSubscription": "arn:aws:iam::aws:policy/ROSAManageSubscription",
+    "ROSAWorkerInstancePolicy": "arn:aws:iam::aws:policy/service-role/ROSAWorkerInstancePolicy",
     "ReadOnlyAccess": "arn:aws:iam::aws:policy/ReadOnlyAccess",
     "ResourceGroupsServiceRolePolicy": "arn:aws:iam::aws:policy/aws-service-role/ResourceGroupsServiceRolePolicy",
     "ResourceGroupsandTagEditorFullAccess": "arn:aws:iam::aws:policy/ResourceGroupsandTagEditorFullAccess",
@@ -1455,6 +1473,7 @@
     "AmazonMQFullAccess": "arn:aws-cn:iam::aws:policy/AmazonMQFullAccess",
     "AmazonMQServiceRolePolicy": "arn:aws-cn:iam::aws:policy/aws-service-role/AmazonMQServiceRolePolicy",
     "AmazonMSKFullAccess": "arn:aws-cn:iam::aws:policy/AmazonMSKFullAccess",
+    "AmazonMWAAServiceRolePolicy": "arn:aws-cn:iam::aws:policy/aws-service-role/AmazonMWAAServiceRolePolicy",
     "AmazonOpenSearchServiceCognitoAccess": "arn:aws-cn:iam::aws:policy/AmazonOpenSearchServiceCognitoAccess",
     "AmazonOpenSearchServiceFullAccess": "arn:aws-cn:iam::aws:policy/AmazonOpenSearchServiceFullAccess",
     "AmazonOpenSearchServiceReadOnlyAccess": "arn:aws-cn:iam::aws:policy/AmazonOpenSearchServiceReadOnlyAccess",