Merge pull request #3676 from aws/tmp/1731113614/main

Merge main to develop

.cfnlintrc.yaml

@@ -131,6 +131,7 @@ ignore_templates:
   - tests/translator/output/**/function_with_mq.json  # Property "EventSourceArn" can Fn::GetAtt to a resource of types [AWS::DynamoDB::GlobalTable, AWS::DynamoDB::Table, AWS::Kinesis::Stream, AWS::Kinesis::StreamConsumer, AWS::SQS::Queue]
   - tests/translator/output/**/function_with_mq_using_autogen_role.json  # Property "EventSourceArn" can Fn::GetAtt to a resource of types [AWS::DynamoDB::GlobalTable, AWS::DynamoDB::Table, AWS::Kinesis::Stream, AWS::Kinesis::StreamConsumer, AWS::SQS::Queue]
   - tests/translator/output/**/function_with_recursive_loop.json  # Invalid Property Resources/RecursiveLoopParameterFunction/Properties/RecursiveLoop
+  - tests/translator/output/**/function_with_sourcekmskeyarn.json  # Invalid Property Resources/SourceKMSKeyArnParameterFunction/Properties/SourceKMSKeyArn
   - tests/translator/output/**/function_with_tracing.json # Obsolete DependsOn on resource
   - tests/translator/output/**/api_with_propagate_tags.json # TODO: Intentional error transform tests. Will be updated.
   - tests/translator/output/**/function_with_intrinsics_resource_attribute.json # CFN now supports intrinsics in DeletionPolicy

samtranslator/__init__.py

@@ -1 +1 @@
-__version__ = "1.91.0"
+__version__ = "1.92.0"

samtranslator/internal/schema_source/aws_serverless_function.py

@@ -513,6 +513,7 @@ class ScheduleV2Event(BaseModel):
 RuntimeManagementConfig = Optional[PassThroughProp]  # TODO: check the type
 LoggingConfig = Optional[PassThroughProp]  # TODO: add documentation
 RecursiveLoop = Optional[PassThroughProp]
+SourceKMSKeyArn = Optional[PassThroughProp]
 
 
 class Properties(BaseModel):
@@ -640,6 +641,7 @@ class Properties(BaseModel):
     VpcConfig: Optional[VpcConfig] = prop("VpcConfig")
     LoggingConfig: Optional[PassThroughProp]  # TODO: add documentation
     RecursiveLoop: Optional[PassThroughProp]  # TODO: add documentation
+    SourceKMSKeyArn: Optional[PassThroughProp]  # TODO: add documentation
 
 
 class Globals(BaseModel):
@@ -699,6 +701,7 @@ class Globals(BaseModel):
     RuntimeManagementConfig: Optional[RuntimeManagementConfig] = prop("RuntimeManagementConfig")
     LoggingConfig: Optional[PassThroughProp]  # TODO: add documentation
     RecursiveLoop: Optional[PassThroughProp]  # TODO: add documentation
+    SourceKMSKeyArn: Optional[PassThroughProp]  # TODO: add documentation
 
 
 class Resource(ResourceAttributes):

samtranslator/model/sam_resources.py

@@ -181,6 +181,7 @@ class SamFunction(SamResourceMacro):
         "RuntimeManagementConfig": PassThroughProperty(False),
         "LoggingConfig": PassThroughProperty(False),
         "RecursiveLoop": PassThroughProperty(False),
+        "SourceKMSKeyArn": PassThroughProperty(False),
     }
 
     FunctionName: Optional[Intrinsicable[str]]
@@ -224,6 +225,7 @@ class SamFunction(SamResourceMacro):
     FunctionUrlConfig: Optional[Dict[str, Any]]
     LoggingConfig: Optional[Dict[str, Any]]
     RecursiveLoop: Optional[str]
+    SourceKMSKeyArn: Optional[str]
 
     event_resolver = ResourceTypeResolver(
         samtranslator.model.eventsources,
@@ -885,7 +887,10 @@ def _construct_inline_code(*args: Any, **kwargs: Dict[str, Any]) -> Dict[str, An
         else:
             raise InvalidResourceException(self.logical_id, "Either 'InlineCode' or 'CodeUri' must be set.")
         dispatch_function: Callable[..., Dict[str, Any]] = artifact_dispatch[filtered_key]
-        return dispatch_function(artifacts[filtered_key], self.logical_id, filtered_key)
+        code_dict = dispatch_function(artifacts[filtered_key], self.logical_id, filtered_key)
+        if self.SourceKMSKeyArn and packagetype == ZIP:
+            code_dict["SourceKMSKeyArn"] = self.SourceKMSKeyArn
+        return code_dict
 
     def _construct_version(  # noqa: PLR0912
         self,

samtranslator/plugins/globals/globals.py

@@ -55,6 +55,7 @@ class Globals:
             "RuntimeManagementConfig",
             "LoggingConfig",
             "RecursiveLoop",
+            "SourceKMSKeyArn",
         ],
         # Everything except
         #   DefinitionBody: because its hard to reason about merge of Swagger dictionaries
@@ -100,7 +101,7 @@ class Globals:
     }
     # unreleased_properties *must be* part of supported_properties too
     unreleased_properties: Dict[str, List[str]] = {
-        SamResourceType.Function.value: ["RuntimeManagementConfig", "RecursiveLoop"],
+        SamResourceType.Function.value: ["RuntimeManagementConfig", "RecursiveLoop", "SourceKMSKeyArn"],
     }
 
     def __init__(self, template: Dict[str, Any]) -> None:

samtranslator/schema/schema.json

@@ -278785,6 +278785,9 @@
           "markdownDescription": "Create a snapshot of any new Lambda function version\\. A snapshot is a cached state of your initialized function, including all of its dependencies\\. The function is initialized just once and the cached state is reused for all future invocations, improving application performance by reducing the number of times your function must be initialized\\. To learn more, see [Improving startup performance with Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html) in the *AWS Lambda Developer Guide*\\.  \n*Type*: [SnapStart](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-snapstart.html)  \n*Required*: No  \n*AWS CloudFormation compatibility*: This property is passed directly to the [`SnapStart`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-snapstart.html) property of an `AWS::Lambda::Function` resource\\.",
           "title": "SnapStart"
         },
+        "SourceKMSKeyArn": {
+          "$ref": "#/definitions/PassThroughProp"
+        },
         "Tags": {
           "markdownDescription": "A map \\(string to string\\) that specifies the tags added to this function\\. For details about valid keys and values for tags, see [Tag Key and Value Requirements](https://docs.aws.amazon.com/lambda/latest/dg/configuration-tags.html#configuration-tags-restrictions) in the *AWS Lambda Developer Guide*\\.  \nWhen the stack is created, AWS SAM automatically adds a `lambda:createdBy:SAM` tag to this Lambda function, and to the default roles that are generated for this function\\.  \n*Type*: Map  \n*Required*: No  \n*AWS CloudFormation compatibility*: This property is similar to the [`Tags`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-tags) property of an `AWS::Lambda::Function` resource\\. The `Tags` property in AWS SAM consists of key\\-value pairs \\(whereas in AWS CloudFormation this property consists of a list of `Tag` objects\\)\\. Also, AWS SAM automatically adds a `lambda:createdBy:SAM` tag to this Lambda function, and to the default roles that are generated for this function\\.",
           "title": "Tags",
@@ -279179,6 +279182,9 @@
           "markdownDescription": "Create a snapshot of any new Lambda function version\\. A snapshot is a cached state of your initialized function, including all of its dependencies\\. The function is initialized just once and the cached state is reused for all future invocations, improving application performance by reducing the number of times your function must be initialized\\. To learn more, see [Improving startup performance with Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html) in the *AWS Lambda Developer Guide*\\.  \n*Type*: [SnapStart](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-snapstart.html)  \n*Required*: No  \n*AWS CloudFormation compatibility*: This property is passed directly to the [`SnapStart`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-snapstart.html) property of an `AWS::Lambda::Function` resource\\.",
           "title": "SnapStart"
         },
+        "SourceKMSKeyArn": {
+          "$ref": "#/definitions/PassThroughProp"
+        },
         "Tags": {
           "markdownDescription": "A map \\(string to string\\) that specifies the tags added to this function\\. For details about valid keys and values for tags, see [Tag Key and Value Requirements](https://docs.aws.amazon.com/lambda/latest/dg/configuration-tags.html#configuration-tags-restrictions) in the *AWS Lambda Developer Guide*\\.  \nWhen the stack is created, AWS SAM automatically adds a `lambda:createdBy:SAM` tag to this Lambda function, and to the default roles that are generated for this function\\.  \n*Type*: Map  \n*Required*: No  \n*AWS CloudFormation compatibility*: This property is similar to the [`Tags`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-tags) property of an `AWS::Lambda::Function` resource\\. The `Tags` property in AWS SAM consists of key\\-value pairs \\(whereas in AWS CloudFormation this property consists of a list of `Tag` objects\\)\\. Also, AWS SAM automatically adds a `lambda:createdBy:SAM` tag to this Lambda function, and to the default roles that are generated for this function\\.",
           "title": "Tags",

schema_source/sam.schema.json

@@ -5528,6 +5528,9 @@
           "markdownDescription": "Create a snapshot of any new Lambda function version\\. A snapshot is a cached state of your initialized function, including all of its dependencies\\. The function is initialized just once and the cached state is reused for all future invocations, improving application performance by reducing the number of times your function must be initialized\\. To learn more, see [Improving startup performance with Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html) in the *AWS Lambda Developer Guide*\\.  \n*Type*: [SnapStart](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-snapstart.html)  \n*Required*: No  \n*AWS CloudFormation compatibility*: This property is passed directly to the [`SnapStart`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-snapstart.html) property of an `AWS::Lambda::Function` resource\\.",
           "title": "SnapStart"
         },
+        "SourceKMSKeyArn": {
+          "$ref": "#/definitions/PassThroughProp"
+        },
         "Tags": {
           "markdownDescription": "A map \\(string to string\\) that specifies the tags added to this function\\. For details about valid keys and values for tags, see [Tag Key and Value Requirements](https://docs.aws.amazon.com/lambda/latest/dg/configuration-tags.html#configuration-tags-restrictions) in the *AWS Lambda Developer Guide*\\.  \nWhen the stack is created, AWS SAM automatically adds a `lambda:createdBy:SAM` tag to this Lambda function, and to the default roles that are generated for this function\\.  \n*Type*: Map  \n*Required*: No  \n*AWS CloudFormation compatibility*: This property is similar to the [`Tags`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-tags) property of an `AWS::Lambda::Function` resource\\. The `Tags` property in AWS SAM consists of key\\-value pairs \\(whereas in AWS CloudFormation this property consists of a list of `Tag` objects\\)\\. Also, AWS SAM automatically adds a `lambda:createdBy:SAM` tag to this Lambda function, and to the default roles that are generated for this function\\.",
           "title": "Tags",
@@ -6113,6 +6116,9 @@
           "markdownDescription": "Create a snapshot of any new Lambda function version\\. A snapshot is a cached state of your initialized function, including all of its dependencies\\. The function is initialized just once and the cached state is reused for all future invocations, improving application performance by reducing the number of times your function must be initialized\\. To learn more, see [Improving startup performance with Lambda SnapStart](https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html) in the *AWS Lambda Developer Guide*\\.  \n*Type*: [SnapStart](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-snapstart.html)  \n*Required*: No  \n*AWS CloudFormation compatibility*: This property is passed directly to the [`SnapStart`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-snapstart.html) property of an `AWS::Lambda::Function` resource\\.",
           "title": "SnapStart"
         },
+        "SourceKMSKeyArn": {
+          "$ref": "#/definitions/PassThroughProp"
+        },
         "Tags": {
           "markdownDescription": "A map \\(string to string\\) that specifies the tags added to this function\\. For details about valid keys and values for tags, see [Tag Key and Value Requirements](https://docs.aws.amazon.com/lambda/latest/dg/configuration-tags.html#configuration-tags-restrictions) in the *AWS Lambda Developer Guide*\\.  \nWhen the stack is created, AWS SAM automatically adds a `lambda:createdBy:SAM` tag to this Lambda function, and to the default roles that are generated for this function\\.  \n*Type*: Map  \n*Required*: No  \n*AWS CloudFormation compatibility*: This property is similar to the [`Tags`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-tags) property of an `AWS::Lambda::Function` resource\\. The `Tags` property in AWS SAM consists of key\\-value pairs \\(whereas in AWS CloudFormation this property consists of a list of `Tag` objects\\)\\. Also, AWS SAM automatically adds a `lambda:createdBy:SAM` tag to this Lambda function, and to the default roles that are generated for this function\\.",
           "title": "Tags",

tests/translator/input/function_with_sourcekmskeyarn.yaml

@@ -0,0 +1,21 @@
+Parameters:
+  SourceKMSKeyArnParam:
+    Type: String
+    Default: arn:aws:kms:us-west-2:123456789012:key/dec86919-7219-4e8d-8871-7f1609df2c7f
+
+Resources:
+  SourceKMSKeyArnFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: s3://sam-demo-bucket/hello.zip
+      Handler: hello.handler
+      Runtime: python3.9
+      SourceKMSKeyArn: arn:aws:kms:us-west-2:987654321098:key/dec86919-7219-4e8d-8871-7f1609df2c7f
+
+  SourceKMSKeyArnParameterFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: s3://sam-demo-bucket/hello.zip
+      Handler: hello.handler
+      Runtime: python3.9
+      SourceKMSKeyArn: !Ref SourceKMSKeyArnParam

tests/translator/input/globals_for_function.yaml

@@ -33,6 +33,7 @@ Globals:
     LoggingConfig:
       LogGroup: myJsonStructuredLogs
     RecursiveLoop: ALLOW
+    SourceKMSKeyArn: arn:aws:kms:us-west-2:123456789012:key/dec86919-7219-4e8d-8871-7f1609df2c7f
 
 
 
@@ -67,3 +68,4 @@ Resources:
       RuntimeManagementConfig:
         UpdateRuntimeOn: FunctionChange
       RecursiveLoop: TERMINATE
+      SourceKMSKeyArn: arn:aws:kms:us-west-2:987654321098:key/dec86919-7219-4e8d-8871-7f1609df2c7f

tests/translator/output/aws-cn/function_with_sourcekmskeyarn.json

@@ -0,0 +1,120 @@
+{
+  "Parameters": {
+    "SourceKMSKeyArnParam": {
+      "Default": "arn:aws:kms:us-west-2:123456789012:key/dec86919-7219-4e8d-8871-7f1609df2c7f",
+      "Type": "String"
+    }
+  },
+  "Resources": {
+    "SourceKMSKeyArnFunction": {
+      "Properties": {
+        "Code": {
+          "S3Bucket": "sam-demo-bucket",
+          "S3Key": "hello.zip",
+          "SourceKMSKeyArn": "arn:aws:kms:us-west-2:987654321098:key/dec86919-7219-4e8d-8871-7f1609df2c7f"
+        },
+        "Handler": "hello.handler",
+        "Role": {
+          "Fn::GetAtt": [
+            "SourceKMSKeyArnFunctionRole",
+            "Arn"
+          ]
+        },
+        "Runtime": "python3.9",
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::Lambda::Function"
+    },
+    "SourceKMSKeyArnFunctionRole": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "lambda.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [
+          "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+        ],
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role"
+    },
+    "SourceKMSKeyArnParameterFunction": {
+      "Properties": {
+        "Code": {
+          "S3Bucket": "sam-demo-bucket",
+          "S3Key": "hello.zip",
+          "SourceKMSKeyArn": {
+            "Ref": "SourceKMSKeyArnParam"
+          }
+        },
+        "Handler": "hello.handler",
+        "Role": {
+          "Fn::GetAtt": [
+            "SourceKMSKeyArnParameterFunctionRole",
+            "Arn"
+          ]
+        },
+        "Runtime": "python3.9",
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::Lambda::Function"
+    },
+    "SourceKMSKeyArnParameterFunctionRole": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "lambda.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [
+          "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+        ],
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role"
+    }
+  }
+}

tests/translator/output/aws-cn/globals_for_function.json

@@ -7,7 +7,8 @@
         ],
         "Code": {
           "S3Bucket": "sam-demo-bucket",
-          "S3Key": "hello.zip"
+          "S3Key": "hello.zip",
+          "SourceKMSKeyArn": "arn:aws:kms:us-west-2:987654321098:key/dec86919-7219-4e8d-8871-7f1609df2c7f"
         },
         "Environment": {
           "Variables": {
@@ -84,7 +85,7 @@
         },
         "FunctionVersion": {
           "Fn::GetAtt": [
-            "FunctionWithOverridesVersion096ed3b52b",
+            "FunctionWithOverridesVersionb52716e99f",
             "Version"
           ]
         },
@@ -133,7 +134,7 @@
       },
       "Type": "AWS::IAM::Role"
     },
-    "FunctionWithOverridesVersion096ed3b52b": {
+    "FunctionWithOverridesVersionb52716e99f": {
       "DeletionPolicy": "Retain",
       "Properties": {
         "FunctionName": {
@@ -149,7 +150,8 @@
         ],
         "Code": {
           "S3Bucket": "global-bucket",
-          "S3Key": "global.zip"
+          "S3Key": "global.zip",
+          "SourceKMSKeyArn": "arn:aws:kms:us-west-2:123456789012:key/dec86919-7219-4e8d-8871-7f1609df2c7f"
         },
         "Environment": {
           "Variables": {
@@ -217,7 +219,7 @@
         },
         "FunctionVersion": {
           "Fn::GetAtt": [
-            "MinimalFunctionVersione7c6f56e4d",
+            "MinimalFunctionVersion5244f38b49",
             "Version"
           ]
         },
@@ -262,7 +264,7 @@
       },
       "Type": "AWS::IAM::Role"
     },
-    "MinimalFunctionVersione7c6f56e4d": {
+    "MinimalFunctionVersion5244f38b49": {
       "DeletionPolicy": "Retain",
       "Properties": {
         "FunctionName": {