SAM v1.15.0 Release: Simplified API Gateway Resource Policies and Multiple Event Source Updates

Community Contributors to this Release

@53ningen, @adanilev, @ArendAMZN, @beck3905, @chrisoverzero, @dalumiller, @Jacco, @kennyk, @khamaileon, @MattTunny, @sambattalio, @singledigit, @TDaglis, @tim-pugh, @yuimam

Amazon API Gateway simplified resource policy support

SAM 1.14.0 release added support for adding Amazon API Gateway resource policies, allowing you to specify custom resource policy statements. This release adds a simplified syntax for creating API Gateway resource policies for the common use cases of whitelisting and blacklisting based on AWS Account, IP address range, and source VPC. For more information about Amazon API Gateway resource policies, see the Amazon API Gateway developer guide. (#1077)

Globals:
  Api:
    OpenApiVersion: "3.0.1"
    Auth:
      ResourcePolicy:
        AwsAccountWhitelist: ['account-id']
        AwsAccountBlacklist: ['account-id']
        SourceVpcWhitelist: ['vpc-1234']
        SourceVpcBlacklist: ['vpce-1234']
        IpRangeWhitelist: ['1.2.3.4/24']
        IpRangeBlacklist: ['1.2.3.4']

Resources:
  MyLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: .
      MemorySize: 128

      Events:
        Api:
          Type: Api
          Properties:
            Path: /apione
            Method: any

Cognito event type

This release adds support for Cognito as a Lambda function event type. This allows you to easily add Lambda functions for customizing Cognito user pool workflows. For more information on Cognito user pool workflows with Lambda triggers, see the Cognito developer guide. A big thank you to @Jacco for contributing this feature! (#1066)

Resources:
  PreSignupLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: .
      Handler: index.handler
      MemorySize: 128
      Runtime: nodejs8.10
      Events:
        CognitoUserPoolPreSignup:
          Type: Cognito
          Properties:
            UserPool: !Ref MyUserPool
            Trigger: PreSignUp

  MyUserPool:
    Type: AWS::Cognito::UserPool

SNS event supports SQS Subscription

The SNS event type now supports a SqsSubscription property. When set to true, rather than connecting the Lambda function directly to the provided SNS topic, an SQS queue is created and subscribed to the SNS topic, and the Lambda function is subscribed to the SQS queue. This feature eliminates the CloudFormation boilerplate required to setup this common pattern. For more information about SNS and SQS, see the developer documentation. A big thank you to @53ningen for contributing this feature! (#1065)

Resources:
  MyLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: .
      MemorySize: 128
      Events:
        SNSEvent:
          Type: SNS
          Properties:
            Topic:
              Ref: MySnsTopic
            SqsSubscription: true

  MySnsTopic:
    Type: AWS::SNS::Topic

MaximumBatchingWindowInSeconds support for stream event sources

This feature adds support for MaximumBatchingWindowInSeconds property for Kinesis and DynamoDb event types. For more information about this property, see the AWS CloudFormation user guide. (#1120)

Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      CodeUri: .
      Handler: index.handler
      Runtime: nodejs8.10
      AutoPublishAlias: Live
      Events:
        KinesisStream:
          Type: Kinesis
          Properties:
            Stream:
              Fn::GetAtt: [MyStream, Arn]
            BatchSize: 100
            MaximumBatchingWindowInSeconds: 20
            StartingPosition: TRIM_HORIZON

  MyStream:
    Type: AWS::Kinesis::Stream
    Properties:
      ShardCount: 1

Api event request parameter customization

This feature allows you to specify API request parameter customizations directly on AWS::Serverless::Function Api events. Previously, you had to manage your own OpenApi document in order to use this feature of Amazon API Gateway. For more information on Request Parameters, see the Amazon API Gateway developer documentation. A big thank you to @beck3905 for contributing this feature! (#953)

Globals:
  Api:
    CacheClusterEnabled: true
    CacheClusterSize: '0.5'

Resources:
  MyLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: .
      Events:
        PostApi:
          Type: Api
          Properties:
            Path: /post
            Method: POST
            RequestParameters:
              - method.request.header.Authorization:
                  Required: true
                  Caching: true
              - method.request.querystring.type

Api event permissions fix

Before this change, SAM was generating 2 Lambda permissions per Api event. Now, SAM will generate a single Lambda permission per Api event. This change reduces the number of permissions created for Api events by half, reducing the chances of users hitting Lambda policy size limits. (#1119)

Change Log:

1. (#1068)(#1090)(#1079)(#1096)(#1114)(#530)(#1121)(#1122)(#1103) (#1059) Documentation and example updates
2. (#1084) Add ssm:GetParametersByPath to SSMParameterReadPolicy
3. (#1015) Allow setting auth to NONE with AWS_IAM default authorizer
4. (#1088) Allow references in NotificationARNs property
5. (#1066) Add cognito event sources
6. (#1093) Remove extra stage only when OpenApiVersion is set
7. (#1065) Add SQS option to SNS event
8. (#1101)(#1113) Add code commit policy templates
9. (#1105) Use scoped logger instead of root
10. (#1104) Openapi version type errors
11. (#1035) Randomize logical IDs of API stage and Lambda permission
12. (#1120) Add support for aws lambda streaming batch feature
13. (#1119) Combine test and prod permissions for api events
14. (#1077) Support for resource policy Iam, Vpc and Ip whitelist/blacklist
15. (#1072) Add tag related permissions to S3FullAccess Policy
16. (#953) Add RequestParameters Support

SAM v1.14.0 Release: API Key Authorization and API Resource Policies Support

Community Contributors to this Release

@53ningen, @cfbarbero, @easydonny, @eduardovra, @falnyr, @Gaurav2Github, @kdnakt, @lo1tuma, @parimaldeshmukh, @sambattalio, @yan12125

API Key Authorization

This is the first step in supporting ApiGateway API Keys and Usage Plans in SAM. You can now require API Keys on API endpoints by specifying ApiKeyRequired: true in the Auth property of a Serverless::Api or in a Serverless::Function event configuration. In upcoming releases we will provide support for usage plans. For more information about setting up and using API Keys, see the developer documentation. A big thank you to @cfbarbero for contributing this feature! (#943)

Resources:
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Auth:
        ApiKeyRequired: true # sets for all resource methods

  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: .
      Handler: index.handler
      Runtime: nodejs8.10
      Events:
        ApiKey:
          Type: Api
          Properties:
            RestApiId: !Ref MyApi
            Path: /
            Method: get
            Auth:
              ApiKeyRequired: true # sets for single resource method

API Resource Policies

This is the first of two proposed changes to add support for ApiGateway resource policies; the second change will come in a future release. This change adds support for the CustomStatements field of the ResourcePolicy field inside the Auth property of a Serverless::Api. This property allows template authors to set one or multiple resource policies that will be added to the ApiGateway RestApi. Resource policies are also necessary for using PRIVATE API Gateway APIs. For more information about creating and using resource policies for APIs, see this blog post. (#1045)

Globals:
  Api:
    Auth:
      ResourcePolicy:
        CustomStatements:
          - Effect: "Allow"
            Principal: "*"
            Action: "execute-api:Invoke"
            Resource: "execute-api:*/*/*"
Resources:
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: .
      Handler: index.handler
      Runtime: nodejs8.10
      Events:
        Api:
          Type: Api
          Properties:
            Method: put
            Path: /

Change Log:

1. (#996)(#1018)(#1023)(#1024)(#1027)(#1031)(#1041)(#1048)(#1049)(#1064) Documentation and example updates.
2. (#985) Remove unused CollectionId parameter from RekognitionFacesPolicy
3. (#1011) Add es:ESHttpPut in ElasticsearchHttpPostPolicy
4. (#989) Support SNS topic from a different region in a Serverless::Function event
5. (#943) Support ApiKey Auth
6. (#993) Support adding tags to API Stage
7. (#1006) Add optional Enabled, Name, Description fields to CloudWatch Schedule Events
8. (#998) Update requirements
9. (#986) Allow setting InvokeRole for AWS_IAM Auth to NONE
10. (#1034) Remove cfn-lint from tests
11. (#992) Fix invalid Lambda function permissions on API path
12. (#1054) Make sure Name and Type exist as properties of PrimaryKey for Serverless::SimpleTable
13. (#1045) API Gateway Resource Policies support
14. (#1062) Make sure ApplicationId property of Location on Serverless::Application is not null
15. (#988) Add support for using Fn::If in function policies

SAM v1.13.2 Patch Release: Redeploy API GW when OpenApiVersion flag is added (bug fix)

This patch release fixes a bug where the API GW would not redeploy if you added OpenApiVersion in certain cases. The fix takes into account the OpenApiVersion flag when calculating the hash to determine if the API has changed and needs to be redeployed.

Changelog
(#1056)(#1061) Redeploy api if OpenApiVersion changes.

SAM v1.13.1 Patch Release

SAM v1.13.1 Patch Release: Binary Media Types bug fix

This patch release fixes a bug with Binary Media Types introduced in 1.13.0 and reported in issue #1036. SAM wasn't converting the encoding of the Binary Media Types from *~1* to */* before adding them to the swagger document, which resulted in the corruption of some APIs that use Binary Media Types in SAM. This was fixed in #1043

Changelog

(#1043) Fix Binary Media Types regression

SAM v1.13.0 Release

SAM v1.13.0 Release: OpenApi 3 Support and Request Models Support

OpenApi 3.0 support and Stage "stage" fix

We have now added support for OpenApi 3.0 in SAM. This is an opt-in feature that can be enabled by using the OpenApiVersion property for an AWS::Serverless::Api. This property is supported at both the resource and global levels of the template.

Globals:
  Api:
    OpenApiVersion: '3.0.1'

Resources:
  ImplicitApiFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: s3://sam-demo-bucket/member_portal.zip
      Handler: index.gethtml
      Runtime: nodejs8.10
      Events:
        GetHtml:
          Type: Api
          Properties:
            Path: /
            Method: get

If you opt into this flag, SAM also fixes the issue where a stage named "stage" was created by default. #191

API Request Models Support

This feature adds support for listing Models in the Api resource and defining a model to be used in the Api event source. Previously, the only way to do this was to manually write the swagger file. This now makes it much simpler to define the models, and special callout to community member @beck3905 for adding this feature.

Resources:
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      Models:
        User:
          type: object
          required:
            - grant_type
            - username
            - password
          properties:
            grant_type:
              type: string
            username:
              type: string
            password:
              type: string
  MyLambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs6.10
      CodeUri: src/
      Events:
        GetApi:
          Type: Api
          Properties:
            Path: /post
            Method: POST
            RestApiId:
              Ref: MyApi
            RequestModel:
              Model: User
              Required: true

Change Log:

1. (#932)(#949)(#990) OpenApi 3.0 support and stage stage bug fix
2. (#948) API Request Models Support by @beck3905
3. (#958) Fix CORS options method when DefaultAuthorizer is used
4. (#954) Fix API Binary Media Types update issue
5. (#946)(#973) Bug fixes
6. (#962)(#961)(#960)(#963)(#979) version bumps in dependencies
7. (#950)(#968)(#982) Additions to docs and examples

SAM v1.12.0 Release

SAM v1.12.0 Release: Reference custom Lambda CodeDeploy configurations

Reference Custom Lambda CodeDeploy Configurations

Previously in SAM, you could configure CodeDeploy to enable gradual code deployments for your AWS Lambda functions. Now, you can reference existing custom CodeDeploy configurations in the DeploymentPreference property of an AWS::Serverless::Function. Thank you @Buffer0x7cd for contributing this feature! (#848)

To learn more about implementing gradual Lambda deployments using CodeDeploy, see this blog post. To learn more about how to create a custom Lambda CodeDeploy configuration, see the AWS Documentation.

# Example using a custom CodeDeploy configuration
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      CodeUri: s3://sam-demo-bucket/demo.zip
      Handler: index.handler
      Runtime: python3.6
      AutoPublishAlias: live
      DeploymentPreference:
        Type: MyCustomDeploymentConfiguration  # Name of CodeDeploy configuration

Change Log:

(#904) Add StepFunctionsExecutionPolicy
(#908 #913) Bug fixes by @jadhavmanoj
(#918 #966) Additional bug fixes
(#888) Run cfn-lint on test outputs
(#605 #883 #886 #887) Example app updates
(#899 #902 #905 #909 #919) Documentation updates

v1.11.0 Release: Support API IAM Permissions Auth and API Gateway Responses

SAM v1.11.0 Release: SAM now supports two more API Gateway Features - IAM Authorizers and Gateway Responses

IAM Authorizers

AWS SAM previously let you control who can access your Amazon API Gateway APIs with an Amazon Cognito user pool or an API Gateway Lambda Authorizer. Now, you can control access to an API defined in SAM with IAM Permissions. To learn more, see controlling access to APIs using IAM permissions and an example application that uses this feature. Shout out to @horike37 for this contribution! (#827)

Gateway Responses

With this release, you can also define Gateway Responses in your AWS::Serverless::API resources. Amazon API Gateway lets you customize the content of error responses, and you can now define these in SAM. To learn more, see Set up Gateway Responses to Customize Error Responses and an example application that uses this feature. Shout out to @chrisoverzero for this contribution! (#841)

FindInMap support for Serverless::Application

This release also adds support for using FindInMap to specify the ApplicationId and SemanticVersion properties of a Serverless::Application. To learn more, see the docs for FindInMap and Nested Applications. (#856)

# Example application using !FindInMap
  ApplicationFindInMap:
    Type: 'AWS::Serverless::Application'
    Properties:
      Location:
        ApplicationId: !FindInMap
          - ApplicationLocations
          - !Ref 'AWS::Region'
          - ApplicationId
        SemanticVersion: !FindInMap
          - ApplicationLocations
          - !Ref 'AWS::Region'
          - Version 

Change Log:

(#808) Add ReservedConcurrentExecutions to globals
(#858) Fix ElasticsearchHttpPostPolicy resource reference
(#855) Support using AWS::Region in Ref and Sub
(#831 #814 #879) Documentation and examples updates
(#835) Add VersionDescription property to Serverless::Function
(#847) Update ServerlessRepoReadWriteAccessPolicy
(#873 #860 #846 #845) Add additional template validation

SAM v1.10.0: Conditions support!

SAM v1.10.0 Release: Conditions for Serverless resources

You can now define conditions on AWS::Serverless resources. Conditions are statements that let you define the circumstances under which resources get created or configured. With this release, you can conditionally create AWS::Serverless resources. For example, if you deploy your serverless application to multiple environments such as test and prod, you can choose to only deploy specific AWS::Serverless::Functions to your test environment. Conditions on AWS::Serverless resources are also applied to other generated resources (#755), and the swagger definitions generated by SAM on AWS::Serverless::Api resources (#804). Shout out to @Jacco for contributing to this feature! (#653 #707)

Change Log:

Policy Templates

(#620 #686) Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
(#615) Add DynamoDBReconfigurePolicy
(#426) Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
(#556) Add EKSDescribePolicy
(#715) Add SESBulkTemplatedCrudPolicy
(#729) Add FilterLogEventsPolicy
(#625) Add SSMParameterReadPolicy
(#723) Add SESEmailTemplateCrudPolicy
(#769) Add s3:PutObjectAcl to S3CrudPolicy

Other changes

(#464) Add allow_credentials CORS option
(#643) Add support for AccessLogSetting and CanarySetting Serverless::Api properties
(#657) Add support for X-Ray in Serverless::Api
(#786) Add support for MinimumCompressionSize in Serverless::Api
(#682) Add Auth to Serverless::Api globals
(#763) Remove trailing slashes from APIGW permissions
(#648) Add SNS FilterPolicy and an example application
(#690) Add Enabled property to Serverless::Function event sources
(#782) Add support for PermissionsBoundary in Serverless::Function
(#697) Fix boto3 client initialization
(#700) Add PublicAccessBlockConfiguration property to S3 bucket resource
(#705) Make PAY_PER_REQUEST default mode for Serverless::SimpleTable
(#709) Add limited support for resolving intrinsics in Serverless::LayerVersion
(#720) SAM now uses Flake8
(#737) Add example application for S3 Events written in Go
(#604 #632 #644 #741) Updated several example applications

SAM v1.9.0: Lambda Layers and Nested Applications

SAM v1.9.0: Lambda Layers and Nested Applications

Nested Transforms and the AWS::Serverless::Application Resource

You can now assemble and deploy new serverless architectures using nested applications supported by AWS SAM and the AWS Serverless Application Repository.

Nested applications enable you to rapidly build highly sophisticated serverless architectures by reusing and composing authored and maintained services using SAM and the Serverless Application Repository. You can deploy serverless architectures as a set of serverless applications and easily share those architectures privately across teams and organizations or publicly with developers in the open-source community. Using nested applications, you can build more powerful applications, easily manage serverless artifacts, avoid duplicated work, and help ensure consistency and best practices across your teams and organizations.

The new AWS::Serverless::Application transforms into a AWS::CloudFormation::Stack (also known as a nested stack) resource by resolving the Location property to an S3 template URL. SAM users can either provide direct links to a nested template or provide an ApplicationId and SemanticVersion pair from the Serverless Application Repository and SAM will retrieve the template and all its resources for you. This allows developers re-use common application building blocks as well as share and consume them via the Serverless Application Repository.

Learn more in the SAM developer documentation or in the AWS::Serverless::Application specification. We have also included a sample application that uses this feature.

Introducing AWS::Serverless::LayerVersion

Lambda functions in a serverless application typically share common dependencies such as SDKs, frameworks, and runtimes. Lambda Layers are a new type of artifact that can contain arbitrary code and data, and may be referenced by multiple functions at the same time. With layers, you can centrally manage common components across multiple functions enabling better code reuse. You can now use AWS SAM and AWS SAM CLI to locally test, deploy and manage serverless applications that leverage Layers. An AWS::Serverless::LayerVersion transforms into an AWS::Lambda::LayerVersion.

Since an AWS::Lambda::LayerVersion resource is immutable, CloudFormation currently automatically creates a new version and deletes the old version of the Lambda Layer after each update. By default, SAM prevents CloudFormation from deleting old versions by appending a 10-digit SHA (based on all resource parameters) to the logical id of the LayerVersion resource and adding a DeletionPolicy: Retain attribute. This means that any update to the Lambda Layer will result in the creation of a new version, and the old version will still be available for use.

Learn more about Lambda Layers in the Lambda Layers documentation, and in the SAM developer documentation.

Other Updates

#670 Added AWS WorkMail hello world lambda function example
#639 Added link to the new AWS SAM Developer documentation
There were also a few documentation fixes and updates.

Releasing SAM v1.8.0 - API Gateway Authorizers!

What's New in SAM v1.8.0?

Define API Gateway Authorizers in SAM

#546 You can use AWS SAM to easily control who can access your API Gateway APIs with an Amazon Cognito user pool or an API Gateway Lambda Authorizer. An authorizer can be a Lambda authorizer, which is a Lambda function that you provide to control access to your API methods, or it can be an Amazon Cognito user pool, which is a user directory in Amazon Cognito. In SAM, you can define these authorizers as a property of an API, or as a new resource which can be used across multiple APIs.

To get started, check out the specification updates for using the new Authorizer (Auth) parameter within an AWS::Serverless::Api resource or within an API event for an AWS::Serverless::Function. See more examples of how to use Cognito authorizers, Lambda request authorizers, and Lambda token authorizers.

Other Updates

#511 Add dynamodb:DescribeTable to DynamoDBCrudPolicy
#589 Added RekognitionFacesManagementPolicy

Contribute to SAM

Help shape future SAM development! Add your opinions on proposed features and try tackling good first issues. Join the #samdev Slack channel where a growing community of Serverless developers hangs out.