docs: catch CHANGELOG and VERSIONING up to v20.4.0 by hyunsies · Pull Request #39 · aws-samples/sample-auto-map-tagger

hyunsies · 2026-04-24T15:48:36Z

Summary

Bring CHANGELOG.md and VERSIONING.md current. CHANGELOG stopped at PR #25 (v20.3.0) but the repo shipped 9 more PRs this cycle; VERSIONING.md's example list and source-of-truth constant were also stale.

What's new in CHANGELOG

v20.4.0 entry covering:
- feat: three-path error classifier + soft AlertEmail warning (v20.4.0, §1.115-§1.120) #37 three-path error classifier (transient / permanent-ignorable / permanent-actionable) + new `TagFailureByClass` CloudWatch metric + configurator soft-warn for blank Alert Email
- feat: Q3 Option D — scope-intersection preflight (§1.108) #38 Q3 Option D scope-intersection preflight (prevents §1.108 cross-Lambda MPE contamination at deploy time)
- docs: reconciliation Lambda design (Wave 12 / plan-PR #39) #36 design doc cross-reference for the forthcoming reconciliation Lambda
v20.3.1 umbrella entry for the PATCH-class fixes shipped against v20.3.0:
- fix: add DeletionPolicy: Delete + 14-day retention on AutoTaggerLogGroup (§1.74) #29 log-group retention + DeletionPolicy (§1.74)
- fix: tighten AgreementStartDate CFN pattern + strptime safety (§1.129, §1.130) #30 CFN date pattern tightening + strptime safety (§1.129, §1.130)
- fix: CSV scoped-ids param type + S3 narrow-except + VPC-scope fall-through (CRITICAL) #33 CRITICAL scope fixes — CSV collapse + S3 narrow-except + VPC fall-through (§1.1/U2, §1.2/U3, §1.3/U5)
- feat: scripts/add_subscriber.sh — close existing-customer SNS backfill (§1.117) #34 `scripts/add_subscriber.sh` for existing-customer SNS backfill (§1.117)
- fix: remove dead cross-account code path (H1, Wave 14 Option A) #35 cross-account dead-code rip-out (H1)

What's updated in VERSIONING.md

Examples list appended with the session's PRs per their MINOR / PATCH classification
Source-of-truth version constant bumped `v20.1.0` → `v20.4.0`

Verification

`sync-check.py`: PASS
Pure docs change; no runtime / CFN / IAM / i18n surface touched

Test plan

Layer 1 checks (no semantic impact, but sync-check still validates)
N/A E2E (docs only)

🤖 Generated with Claude Code

CHANGELOG stopped at PR #25 (v20.3.0) but the repo shipped 9 more PRs this cycle. VERSIONING.md's example list and "source of truth" version constant were also stale. Bringing both current: - New v20.4.0 entry covering #37 (three-path classifier) and #38 (scope- intersection preflight), with a docs cross-reference to the #36 reconciliation Lambda design. - New v20.3.1 umbrella entry for the PATCH-class fixes shipped against v20.3.0: #29 (log retention), #30 (date pattern), #33 (CRITICAL scope fixes), #34 (SNS backfill helper), #35 (cross-account rip-out). Grouped retroactively — each shipped individually without a version bump. - VERSIONING.md examples list updated to include session PRs per their MINOR / PATCH classification. - VERSIONING.md "source of truth" constant bumped v20.1.0 → v20.4.0. Pure docs; no runtime / CFN / IAM change. sync-check passes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Adds a second Lambda that runs once per day (configurable via new ReconciliationInterval CFN parameter) as a safety net for silent-failure classes the live tagging Lambda cannot catch. Implemented per the design doc merged in PR #36. The reconciliation Lambda: - Reads scope config from SSM - Enumerates every taggable in-account resource via RGTA GetResources (no 90-day CloudTrail limit) - For each resource, checks the current map-migrated tag value - Missing tag → synthesizes a CloudTrail-shaped event, sends to existing EventQueue SQS → live Lambda tags via its three-path classifier - Wrong-MPE → same path (always overwrite per Q2-2 decision). Safe because PR #38's Q3 Option D preflight prevents overlapping-scope deploys going forward. - Correctly tagged → no action, counted in ReconciliationResourcesScanned Reuses one tagging codepath — reconciliation never calls RGTA TagResources directly. Any improvement to the live Lambda's tagging path applies. New CFN resources (5): - ReconciliationFunction (Lambda) - ReconciliationSchedule (EventBridge rule, rate(24 hours) default) - ReconciliationRole (scoped IAM — ssm:GetParameter on own config, tag:GetResources *, ec2:Describe* for VPC membership, sqs:SendMessage on EventQueue, cloudwatch:PutMetricData Condition-scoped to MapAutoTagger namespace, logs on own log group) - ReconciliationLogGroup (RetentionInDays 14 per PR #29) - ReconciliationSchedulePermission (EventBridge → Lambda invoke) New CFN parameter: - ReconciliationInterval (default 'rate(24 hours)', AllowedPattern matches rate/cron expressions) New CloudWatch metrics (namespace MapAutoTagger): - ReconciliationResourcesScanned - ReconciliationMissingTag - WrongMpeCorrected (dimensions ExpectedMpe + FoundMpe) - ReconciliationTimeoutCanary (fires at 13 min elapsed — trend detector for large accounts; deferred pagination-checkpoint work per Q2-1) - ReconciliationSkippedNoCreationTime - ReconciliationConfigInvalid - ReconciliationRunAborted - ReconciliationEnqueueFailed Deliberate omissions per locked design decisions (2026-04-24): - No DynamoDB checkpoint (Q2-1 defer; canary metric surfaces trend) - No immediate-run-on-install (Q2-3 — BackfillFunction owns that window) - No BackfillFunction deprecation (Q2-3 keep-as-is) - No alert-only mode (Q2-2 always overwrite) - No ReconciliationAutoFixWrongMpe opt-out (Q2-2 always overwrite) Version bump v20.4.0 → v20.5.0 MINOR. Mirrored into configurator.html inline CFN template; sync-check enforced. VERSION_HISTORY[0] entry added. CHANGELOG.md entry for v20.5.0 documents the new capability + new metrics + what reconciliation does NOT do + the pre-Q3 edge case. Verified locally: - sync-check.py: PASS - lint_event_prefixes.py: PASS - YAML Lambda AST: both blocks clean (1611 live + 166 reconciliation) - configurator AST: all 4 blocks clean (main Lambda + reconciliation Lambda + BackfillFunction + landing-page loader) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…40) Adds a second Lambda that runs once per day (configurable via new ReconciliationInterval CFN parameter) as a safety net for silent-failure classes the live tagging Lambda cannot catch. Implemented per the design doc merged in PR #36. The reconciliation Lambda: - Reads scope config from SSM - Enumerates every taggable in-account resource via RGTA GetResources (no 90-day CloudTrail limit) - For each resource, checks the current map-migrated tag value - Missing tag → synthesizes a CloudTrail-shaped event, sends to existing EventQueue SQS → live Lambda tags via its three-path classifier - Wrong-MPE → same path (always overwrite per Q2-2 decision). Safe because PR #38's Q3 Option D preflight prevents overlapping-scope deploys going forward. - Correctly tagged → no action, counted in ReconciliationResourcesScanned Reuses one tagging codepath — reconciliation never calls RGTA TagResources directly. Any improvement to the live Lambda's tagging path applies. New CFN resources (5): - ReconciliationFunction (Lambda) - ReconciliationSchedule (EventBridge rule, rate(24 hours) default) - ReconciliationRole (scoped IAM — ssm:GetParameter on own config, tag:GetResources *, ec2:Describe* for VPC membership, sqs:SendMessage on EventQueue, cloudwatch:PutMetricData Condition-scoped to MapAutoTagger namespace, logs on own log group) - ReconciliationLogGroup (RetentionInDays 14 per PR #29) - ReconciliationSchedulePermission (EventBridge → Lambda invoke) New CFN parameter: - ReconciliationInterval (default 'rate(24 hours)', AllowedPattern matches rate/cron expressions) New CloudWatch metrics (namespace MapAutoTagger): - ReconciliationResourcesScanned - ReconciliationMissingTag - WrongMpeCorrected (dimensions ExpectedMpe + FoundMpe) - ReconciliationTimeoutCanary (fires at 13 min elapsed — trend detector for large accounts; deferred pagination-checkpoint work per Q2-1) - ReconciliationSkippedNoCreationTime - ReconciliationConfigInvalid - ReconciliationRunAborted - ReconciliationEnqueueFailed Deliberate omissions per locked design decisions (2026-04-24): - No DynamoDB checkpoint (Q2-1 defer; canary metric surfaces trend) - No immediate-run-on-install (Q2-3 — BackfillFunction owns that window) - No BackfillFunction deprecation (Q2-3 keep-as-is) - No alert-only mode (Q2-2 always overwrite) - No ReconciliationAutoFixWrongMpe opt-out (Q2-2 always overwrite) Version bump v20.4.0 → v20.5.0 MINOR. Mirrored into configurator.html inline CFN template; sync-check enforced. VERSION_HISTORY[0] entry added. CHANGELOG.md entry for v20.5.0 documents the new capability + new metrics + what reconciliation does NOT do + the pre-Q3 edge case. Verified locally: - sync-check.py: PASS - lint_event_prefixes.py: PASS - YAML Lambda AST: both blocks clean (1611 live + 166 reconciliation) - configurator AST: all 4 blocks clean (main Lambda + reconciliation Lambda + BackfillFunction + landing-page loader) Co-authored-by: Chris Hyu <chhyu@amazon.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

hyunsies merged commit df5cca2 into main Apr 24, 2026
13 checks passed

hyunsies deleted the docs/session-2026-04-24-updates branch April 24, 2026 15:53

hyunsies mentioned this pull request Apr 25, 2026

docs: D1–D6 first-pass corrections (plan-PR #40) #52

Merged

5 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

docs: catch CHANGELOG and VERSIONING up to v20.4.0#39

docs: catch CHANGELOG and VERSIONING up to v20.4.0#39
hyunsies merged 1 commit intomainfrom
docs/session-2026-04-24-updates

hyunsies commented Apr 24, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

hyunsies commented Apr 24, 2026

Summary

What's new in CHANGELOG

What's updated in VERSIONING.md

Verification

Test plan

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant