Merged in upstream/develop

Author: RobRoseKnows

.flake8

@@ -1,3 +1,3 @@
 [flake8]
 max-line-length = 120
-ignore = E126
+ignore = E126 F821 W504 W605

Makefile

@@ -39,6 +39,10 @@ init:
 	$(info [*] Install requirements...)
 	@pip install -r requirements/dev.txt -r requirements/base.txt
 
+flake:
+	$(info [*] Running flake8...)
+	@flake8 samtranslator
+
 test:
 	$(info [*] Run the unit test with minimum code coverage of $(CODE_COVERAGE)%...)
 	@pytest --cov samtranslator --cov-report term-missing --cov-fail-under $(CODE_COVERAGE) tests
@@ -49,7 +53,7 @@ build-docs:
 	@$(MAKE) -C docs/website html
 
 # Command to run everytime you make changes to verify everything works
-dev: test
+dev: flake test
 
 # Verifications to run before sending a pull request
 pr: init dev
@@ -68,4 +72,4 @@ TARGETS
 	build-docs  Generate the documentation.
 	pr          Perform all checks before submitting a Pull Request.
 
-endef
+endef

README.md

@@ -1,5 +1,6 @@
 [![Build Status](https://travis-ci.org/awslabs/serverless-application-model.svg?branch=develop)](https://travis-ci.org/awslabs/serverless-application-model)
 [![PyPI version](https://badge.fury.io/py/aws-sam-translator.svg)](https://badge.fury.io/py/aws-sam-translator)
+[![Codecov Test Coverage](https://codecov.io/gh/awslabs/serverless-application-model/branch/master/graphs/badge.svg?style=flat)](https://codecov.io/gh/awslabs/serverless-application-model)
 
 ![Logo](aws_sam_introduction.png)
 
@@ -10,16 +11,11 @@ This GitHub project is the starting point for AWS SAM. It contains the SAM speci
 
 The SAM specification and implementation are open sourced under the Apache 2.0 license. The current version of the SAM specification is available at [AWS SAM 2016-10-31](versions/2016-10-31.md).
 
-
-## Creating a serverless application using SAM
-To create a serverless application using SAM, first, you create a SAM template: a JSON or YAML configuration file that describes your Lambda functions, API endpoints and the other resources in your application. Then, you test, upload, and deploy your application using the [AWS SAM CLI](https://github.com/awslabs/aws-sam-cli). During deployment, SAM automatically translates your application’s specification into CloudFormation syntax, filling in default values for any unspecified properties and determining the appropriate mappings and invocation permissions to setup for any Lambda functions.
-
-[Read the How-To Guide](HOWTO.md) and see [examples](examples/) to learn how to define & deploy serverless applications using SAM.
-
+Documentation about using AWS SAM to define, test, and deploy serverless applications is available at [AWS Serverless Application Model Developer Guide](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html).
 
 ## Contributing new features and enhancements to SAM
 You can build serverless applications faster and further simplify your development of serverless applications by defining new event sources, new resource types, and new parameters within SAM. Additionally, you can modify SAM to integrate it with other frameworks and deployment providers from the community for building serverless applications.
 
 [Read the Development Guide](DEVELOPMENT_GUIDE.rst) for in-depth information on how to start making changes.
 
-[Join the SAM developers channel (#samdev) on Slack](https://awssamopensource.splashthat.com/) to collaborate with fellow community members and the AWS SAM team.
+[Join the SAM developers channel (#samdev) on Slack](https://join.slack.com/t/awsdevelopers/shared_invite/enQtMzg3NTc5OTM2MzcxLTdjYTdhYWE3OTQyYTU4Njk1ZWY4Y2ZjYjBhMTUxNGYzNDg5MWQ1ZTc5MTRlOGY0OTI4NTdlZTMwNmI5YTgwOGM/) to collaborate with fellow community members and the AWS SAM team.

docs/cloudformation_compatibility.rst

@@ -60,6 +60,7 @@ Tracing                            All
 KmsKeyArn                          All
 DeadLetterQueue                    All
 DeploymentPreference               All
+Layers                             All
 AutoPublishAlias             Ref of a CloudFormation Parameter  Alias resources created by SAM uses a LocicalId <FunctionLogicalId+AliasName>. So SAM either needs a string for alias name, or a Ref to template Parameter that SAM can resolve into a string.
 ReservedConcurrentExecutions       All
 ============================ ================================== ========================
@@ -168,6 +169,21 @@ EndpointConfiguration               All
 MethodSettings                      All
 BinaryMediaTypes                    All
 Cors                                All
+TracingEnabled                      All
+================================== ======================== ========================
+
+
+AWS::Serverless::Application
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+================================== ======================== ========================
+     Property Name                 Intrinsic(s) Supported          Reasons
+================================== ======================== ========================
+Location                            None                     SAM expects exact values for the Location property
+Parameters                          All
+NotificationArns                    All
+Tags                                All
+TimeoutInMinutes                    All
 ================================== ======================== ========================
 
 

docs/conf.py

@@ -31,9 +31,9 @@
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
 extensions = ['sphinx.ext.todo',
-    'sphinx.ext.ifconfig',
-    'sphinx.ext.viewcode',
-    'sphinx.ext.githubpages']
+              'sphinx.ext.ifconfig',
+              'sphinx.ext.viewcode',
+              'sphinx.ext.githubpages']
 
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
@@ -85,25 +85,29 @@
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
 #
-html_theme = 'alabaster'
+html_theme = 'sphinx_rtd_theme'
 
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
 # documentation.
 #
+
 html_theme_options = {
-    'description': "Define your serverless infrastructure as a simple YAML file",
-    'logo': 'logo.png',
-    'logo_name': True,
-    'logo_text_align': 'center',
-    'github_user': 'awslabs',
-    'github_repo': 'serverless-application-model',
-    'github_button': True,
-    'github_type': 'star',
-    'github_banner': True,
-    'sidebar_collapse': True,
 }
 
+# html_theme_options = {
+#     'description': "Define your serverless infrastructure as a simple YAML file",
+#     'logo': 'logo.png',
+#     'logo_name': True,
+#     'logo_text_align': 'center',
+#     'github_user': 'awslabs',
+#     'github_repo': 'serverless-application-model',
+#     'github_button': True,
+#     'github_type': 'star',
+#     'github_banner': True,
+#     'sidebar_collapse': True,
+# }
+
 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
 # so a file named "default.css" will overwrite the builtin "default.css".
@@ -116,9 +120,9 @@
 # refs: http://alabaster.readthedocs.io/en/latest/installation.html#sidebars
 html_sidebars = {
     '**': [
-	'about.html',
-        'navigation.html',   
-	'relations.html'
+        'about.html',
+        'navigation.html',
+        'relations.html'
     ]
 }
 
@@ -180,7 +184,6 @@
 ]
 
 
-
 # -- Options for Epub output ----------------------------------------------
 
 # Bibliographic Dublin Core info.
@@ -200,5 +203,3 @@
 
 # A list of files that should not be packed into the epub file.
 epub_exclude_files = ['search.html']
-
-

docs/globals.rst

@@ -23,9 +23,10 @@ Example:
   Resources:
     HelloWorldFunction:
       Type: AWS::Serverless::Function
-      Environment:
-        Variables:
-          MESSAGE: "Hello From SAM"
+      Properties:
+        Environment:
+          Variables:
+            MESSAGE: "Hello From SAM"
 
     ThumbnailFunction:
       Type: AWS::Serverless::Function
@@ -64,6 +65,7 @@ Currently, the following resources and properties are being supported:
       Tags:
       Tracing:
       KmsKeyArn:
+      Layers:
       AutoPublishAlias:
       DeploymentPreference:
     
@@ -79,6 +81,9 @@ Currently, the following resources and properties are being supported:
       MethodSettings:
       BinaryMediaTypes:
       Cors:
+      AccessLogSetting:
+      CanarySetting:
+      TracingEnabled:
 
     SimpleTable:
       # Properties of AWS::Serverless::SimpleTable

docs/internals/generated_resources.rst

@@ -70,6 +70,7 @@ Example:
       AutoPublishAlias: live
       DeploymentPreference: 
         Type: Linear10PercentEvery10Minutes
+        Role: "arn"
       ...
 
 
@@ -83,6 +84,8 @@ AWS::CodeDeploy::DeploymentGroup   MyFunction\ **DeploymentGroup**
 AWS::IAM::Role                     CodeDeployServiceRole
 ================================== ================================
 
+  NOTE: ``AWS::IAM::Role`` resources are only generated if no Role parameter is supplied for DeploymentPreference
+
 With Events
 ~~~~~~~~~~~
 

docs/safe_lambda_deployments.rst

@@ -105,6 +105,9 @@ resource:
           # Validation Lambda functions that are run before & after traffic shifting
           PreTraffic: !Ref PreTrafficLambdaFunction
           PostTraffic: !Ref PostTrafficLambdaFunction
+        # Provide a custom role for CodeDeploy traffic shifting here, if you don't supply one
+        # SAM will create one for you with default permissions
+        Role: !Ref IAMRoleForCodeDeploy # Parameter example, you can pass an IAM ARN
 
   AliasErrorMetricGreaterThanZeroAlarm:
     Type: "AWS::CloudWatch::Alarm"
@@ -130,9 +133,11 @@ resource:
       ComparisonOperator: GreaterThanThreshold
       Dimensions:
         - Name: Resource
-          Value: !Ref MyLambdaFunction.Version
+          Value: !Sub "${MyLambdaFunction}:live"
         - Name: FunctionName
           Value: !Ref MyLambdaFunction
+        - Name: ExecutedVersion
+          Value: !GetAtt MyLambdaFunction.Version.Version
       EvaluationPeriods: 2
       MetricName: Errors
       Namespace: AWS/Lambda
@@ -162,6 +167,7 @@ resource:
       FunctionName: 'CodeDeployHook_preTrafficHook'
       DeploymentPreference:
         Enabled: false
+        Role: ""
       Environment:
         Variables:
           CurrentVersion: !Ref MyLambdaFunction.Version
@@ -176,6 +182,7 @@ CloudFormation, the following happens:
 - During traffic shifting, if any of the CloudWatch Alarms go to *Alarm* state, CodeDeploy will immediately flip the Alias back to old version and report a failure to CloudFormation.
 - After traffic shifting completes, CodeDeploy will invoke the **PostTraffic Hook** Lambda function. This is similar to PreTraffic Hook where the function must callback to CodeDeploy to report a Success or a Failure. PostTraffic hook is a great place to run integration tests or other validation actions.
 - If everything went well, the Alias will be pointing to the new Lambda Version.
+- If you supply the "Role" argument to the DeploymentPreference, it will prevent SAM from creating a role and instead use the provided CodeDeploy role for traffic shifting
 
 NOTE: Verify that your AWS SDK version supports PutLifecycleEventHookExecutionStatus. For example, Python requires SDK version 1.4.8 or newer.
 
@@ -294,13 +301,32 @@ Internally, SAM will create the following resources in your CloudFormation stack
    SAM template belongs to its own Deployment Group.
 -  Adds ``UpdatePolicy`` on ``AWS::Lambda::Alias`` resource that is
    connected to the function's Deployment Group resource.
--  One ``AWS::IAM::Role`` called "CodeDeployServiceRole".
+-  One ``AWS::IAM::Role`` called "CodeDeployServiceRole", if no custom role is provided
 
 CodeDeploy assumes that there are no dependencies between Deployment Groups and hence will deploy them in parallel.
 Since every Lambda function is to its own CodeDeploy DeploymentGroup, they will be deployed in parallel.
 The CodeDeploy service will assume the new CodeDeployServiceRole to Invoke any Pre/Post hook functions and perform the traffic shifting and Alias updates.
 
   NOTE: The CodeDeployServiceRole only allows InvokeFunction on functions with names prefixed with  ``CodeDeployHook_``. For example,  you should name your Hook functions as such: ``CodeDeployHook_PreTrafficHook``.
 
+Production errors preventing deployments
+~~~~~~~~~
+In some situations, an issue that is happening in production may prevent you from deploying a fix. This may happen when a deployment happens when traffic is too low to register enough errors to trigger a roll back, or where someone is sending malicious traffic through to a lambda and you haven’t accounted for the scenario where they do. 
+
+When this happens, the alarm for errors in the current lambda version is in an error state, which will cause code deploy to roll back any attempted deploys straight away.
+
+To release code in this situation, you need to
+
+- Go into the CodeDeploy console
+- Select the application you want to deploy to
+- Select the corresponding Deployment Group
+- Select “Edit”
+- Select “Advanced - optional”
+- Select "ignore alarm configuration"
+- Save the changes
+
+Run your deployment as usual
+
+Then once deployment has successfully run, return to the CodeDeploy console, and follow the above steps but this time deselect “ignore alarm configuration”.
 
 .. _Globals: globals.rst

examples/2016-10-31/api_backend/template.yaml

@@ -1,4 +1,4 @@
-AWSTemplateFormatVersion: '2010-09-09'
+AWSTemplateFormatVersion: "2010-09-09"
 Transform: AWS::Serverless-2016-10-31
 Description: Simple CRUD webservice. State is stored in a SimpleTable (DynamoDB) resource.
 Resources:
@@ -8,7 +8,9 @@ Resources:
       Handler: index.get
       Runtime: nodejs6.10
       CodeUri: src/
-      Policies: AmazonDynamoDBReadOnlyAccess
+      Policies:
+        - DynamoDBReadPolicy:
+          TableName: !Ref Table
       Environment:
         Variables:
           TABLE_NAME: !Ref Table
@@ -25,7 +27,9 @@ Resources:
       Handler: index.put
       Runtime: nodejs6.10
       CodeUri: src/
-      Policies: AmazonDynamoDBFullAccess
+      Policies:
+        - DynamoDBCrudPolicy:
+          TableName: !Ref Table
       Environment:
         Variables:
           TABLE_NAME: !Ref Table
@@ -42,7 +46,9 @@ Resources:
       Handler: index.delete
       Runtime: nodejs6.10
       CodeUri: src/
-      Policies: AmazonDynamoDBFullAccess
+      Policies:
+        - DynamoDBCrudPolicy:
+          TableName: !Ref Table
       Environment:
         Variables:
           TABLE_NAME: !Ref Table
@@ -57,7 +63,6 @@ Resources:
     Type: AWS::Serverless::SimpleTable
 
 Outputs:
-    ApiURL:
-      Description: "API endpoint URL for Prod environment"
-      Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/resource/"
-
+  ApiURL:
+    Description: "API endpoint URL for Prod environment"
+    Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/resource/"

examples/2016-10-31/api_cognito_auth/template.yaml

@@ -40,6 +40,7 @@ Resources:
             RestApiId: !Ref MyApi
             Path: /
             Method: GET
+            # NOTE: This endpoint is publicly accessible
             Auth:
               Authorizer: NONE
         ProxyAny:
@@ -48,6 +49,7 @@ Resources:
             RestApiId: !Ref MyApi
             Path: /{proxy+}
             Method: ANY
+            # NOTE: This endpoint is publicly accessible
             Auth:
               Authorizer: NONE
         GetUsers:
@@ -56,6 +58,7 @@ Resources:
             RestApiId: !Ref MyApi
             Path: /users
             Method: GET
+            # NOTE: This endpoint is publicly accessible
             Auth:
               Authorizer: NONE
         GetUser:
@@ -64,6 +67,7 @@ Resources:
             RestApiId: !Ref MyApi
             Path: /users/{userId}
             Method: GET
+            # NOTE: This endpoint is publicly accessible
             Auth:
               Authorizer: NONE
         CreateUser: