Merge branch 'develop' into feat/allow-canned-acl-with-s3-crud-policy

.flake8

@@ -1,3 +1,3 @@
 [flake8]
 max-line-length = 120
-ignore = E126
+ignore = E126 F821 W504 W605

Makefile

@@ -39,6 +39,10 @@ init:
 	$(info [*] Install requirements...)
 	@pip install -r requirements/dev.txt -r requirements/base.txt
 
+flake:
+	$(info [*] Running flake8...)
+	@flake8 samtranslator
+
 test:
 	$(info [*] Run the unit test with minimum code coverage of $(CODE_COVERAGE)%...)
 	@pytest --cov samtranslator --cov-report term-missing --cov-fail-under $(CODE_COVERAGE) tests
@@ -49,7 +53,7 @@ build-docs:
 	@$(MAKE) -C docs/website html
 
 # Command to run everytime you make changes to verify everything works
-dev: test
+dev: flake test
 
 # Verifications to run before sending a pull request
 pr: init dev
@@ -68,4 +72,4 @@ TARGETS
 	build-docs  Generate the documentation.
 	pr          Perform all checks before submitting a Pull Request.
 
-endef
+endef

docs/cloudformation_compatibility.rst

@@ -169,6 +169,7 @@ EndpointConfiguration               All
 MethodSettings                      All
 BinaryMediaTypes                    All
 Cors                                All
+TracingEnabled                      All
 ================================== ======================== ========================
 
 

docs/globals.rst

@@ -80,6 +80,9 @@ Currently, the following resources and properties are being supported:
       MethodSettings:
       BinaryMediaTypes:
       Cors:
+      AccessLogSetting:
+      CanarySetting:
+      TracingEnabled:
 
     SimpleTable:
       # Properties of AWS::Serverless::SimpleTable

examples/2016-10-31/api_cognito_auth/template.yaml

@@ -40,6 +40,7 @@ Resources:
             RestApiId: !Ref MyApi
             Path: /
             Method: GET
+            # NOTE: This endpoint is publicly accessible
             Auth:
               Authorizer: NONE
         ProxyAny:
@@ -48,6 +49,7 @@ Resources:
             RestApiId: !Ref MyApi
             Path: /{proxy+}
             Method: ANY
+            # NOTE: This endpoint is publicly accessible
             Auth:
               Authorizer: NONE
         GetUsers:
@@ -56,6 +58,7 @@ Resources:
             RestApiId: !Ref MyApi
             Path: /users
             Method: GET
+            # NOTE: This endpoint is publicly accessible
             Auth:
               Authorizer: NONE
         GetUser:
@@ -64,6 +67,7 @@ Resources:
             RestApiId: !Ref MyApi
             Path: /users/{userId}
             Method: GET
+            # NOTE: This endpoint is publicly accessible
             Auth:
               Authorizer: NONE
         CreateUser:

examples/2016-10-31/api_lambda_request_auth/README.md

@@ -6,6 +6,13 @@ The Authorizer Lambda Function in this example simply accepts an `auth` query st
 
 ## Running the example
 
+Optional: Uncomment the following lines in `template.yaml` to enable a publicly accessible endpoint:
+
+```yaml
+# Auth:
+#   Authorizer: NONE
+```
+
 Deploy the example into your account:
 
 ```bash
@@ -15,7 +22,7 @@ aws cloudformation package --template-file template.yaml --output-template-file
 aws cloudformation deploy --template-file ./template.packaged.yaml --stack-name sam-example-api-lambda-request-auth --capabilities CAPABILITY_IAM
 ```
 
-Invoke the API's root endpoint `/` without an `auth` query string to see the API respond with a 200. In the SAM template, we explicitly state `Authorizer: NONE` to make this a public/open endpoint (the Authorizer Lambda Function is not invoked).
+Invoke the API's root endpoint `/` without an `auth` query string to see the API respond with a 200 (assuming you followed the optional step above). In the SAM template, we explicitly state `Authorizer: NONE` to make this a public/open endpoint (the Authorizer Lambda Function is not invoked).
 
 ```bash
 api_url=$(aws cloudformation describe-stacks --stack-name sam-example-api-lambda-request-auth --query 'Stacks[].Outputs[?OutputKey==`ApiURL`].OutputValue' --output text)

examples/2016-10-31/api_lambda_request_auth/template.yaml

@@ -38,8 +38,9 @@ Resources:
             RestApiId: !Ref MyApi
             Path: /
             Method: get
-            Auth:
-              Authorizer: NONE
+            # NOTE: Uncomment the two lines below to make `GET /` publicly accessible
+            # Auth:
+            #   Authorizer: NONE
         GetUsers:
           Type: Api
           Properties:

examples/2016-10-31/api_lambda_token_auth/README.md

@@ -6,6 +6,13 @@ The Authorizer Lambda Function in this example simply accepts an `Authorization`
 
 ## Running the example
 
+Optional: Uncomment the following lines in `template.yaml` to enable a publicly accessible endpoint:
+
+```yaml
+# Auth:
+#   Authorizer: NONE
+```
+
 Deploy the example into your account:
 
 ```bash
@@ -15,7 +22,7 @@ aws cloudformation package --template-file template.yaml --output-template-file
 aws cloudformation deploy --template-file ./template.packaged.yaml --stack-name sam-example-api-lambda-token-auth --capabilities CAPABILITY_IAM
 ```
 
-Invoke the API's root endpoint `/` without an `Authorization` header to see the API respond with a 200. In the SAM template, we explicitly state `Authorizer: NONE` to make this a public/open endpoint (the Authorizer Lambda Function is not invoked).
+Invoke the API's root endpoint `/` without an `Authorization` header to see the API respond with a 200 (assuming you followed the optional step above). In the SAM template, we explicitly state `Authorizer: NONE` to make this a public/open endpoint (the Authorizer Lambda Function is not invoked).
 
 ```bash
 curl "$(aws cloudformation describe-stacks --stack-name sam-example-api-lambda-token-auth --query 'Stacks[].Outputs[?OutputKey==`ApiURL`].OutputValue' --output text)"

examples/2016-10-31/api_lambda_token_auth/template.yaml

@@ -31,8 +31,9 @@ Resources:
             RestApiId: !Ref MyApi
             Path: /
             Method: get
-            Auth:
-              Authorizer: NONE
+            # NOTE: Uncomment the two lines below to make `GET /` publicly accessible
+            # Auth:
+            #   Authorizer: NONE
         GetUsers:
           Type: Api
           Properties:

examples/2016-10-31/lambda_sns_filter_policy/README.md

@@ -0,0 +1,35 @@
+# Lambda function + Filtered SNS Subscription Example
+
+This example shows you how to create a Lambda function with a SNS event source. 
+
+The Lambda function does not receive all messages published to the SNS topic but only a subset. The messages are filtered based on the attributes attached to
+ the message.
+
+## Running the example 
+
+Deploy the example into your account:
+
+```bash
+# Replace YOUR_S3_ARTIFACTS_BUCKET with the name of a bucket which already exists in your account
+aws cloudformation package --template-file template.yaml --output-template-file template.packaged.yaml --s3-bucket YOUR_S3_ARTIFACTS_BUCKET
+
+aws cloudformation deploy --template-file ./template.packaged.yaml --stack-name sam-example-lambda-sns-filter-policy --capabilities CAPABILITY_IAM
+```
+
+The Lambda function will only receive messages with the attribute `sport` set to `football`.
+
+In the AWS console go to the topic sam-example-lambda-sns-filter-policy and push the Publish to Topic button.
+At the bottom of the Publish page you can add message attributes. Add one attribute:
+- key: sport
+- Attribute type: String
+- value: football
+
+Enter an arbitrary message body and publish the message.
+In Cloudwatch the log group /aws/lambda/sam-example-lambda-sns-filter-policy-notification-logger appears and the logging contains the message attributes of 
+the received message.
+
+Now publish a couple of other messages with other values for the attribute `sport` or without the attribute `sport`. 
+The Lambda function will not receive these messages.  
+
+## Additional resources
+https://docs.aws.amazon.com/sns/latest/dg/message-filtering.html

examples/2016-10-31/lambda_sns_filter_policy/src/index.js

@@ -0,0 +1,8 @@
+'use strict';
+
+
+exports.handler = async (event, context, callback) => {
+    console.log("Message attributes: " + JSON.stringify(event.Records[0].Sns.MessageAttributes));
+
+    callback(null, "Success");
+};

examples/2016-10-31/lambda_sns_filter_policy/template.yaml

@@ -0,0 +1,24 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: Lambda function with SNS filter policy
+Resources:
+  NotificationLogger:
+    Type: AWS::Serverless::Function
+    Properties:
+      CodeUri: ./src
+      Handler: index.handler
+      Runtime: nodejs8.10
+      FunctionName: sam-example-lambda-sns-filter-policy-notification-logger
+      Events:
+        NotificationTopic:
+          Type: SNS
+          Properties:
+            Topic: !Ref Notifications
+            FilterPolicy:
+              sport:
+                - football
+
+  Notifications:
+    Type: AWS::SNS::Topic
+    Properties:
+      TopicName: sam-example-lambda-sns-filter-policy

examples/2016-10-31/policy_templates/all_policy_templates.yaml

@@ -80,4 +80,8 @@ Resources:
         - KMSDecryptPolicy:
             KeyId: keyId
 
+        - SESBulkTemplatedCrudPolicy:
+            IdentityName: name
 
+        - FilterLogEventsPolicy:
+            LogGroupName: name

examples/apps/api-gateway-authorizer-nodejs/index.js

@@ -312,7 +312,8 @@ AuthPolicy.prototype = (function AuthPolicyClass() {
 
 
 exports.handler = (event, context, callback) => {
-    console.log('Client token:', event.authorizationToken);
+    // incoming token value
+    var token = event.authorizationToken;
     console.log('Method ARN:', event.methodArn);
 
     // validate the incoming token

examples/apps/api-gateway-authorizer-python/lambda_function.py

@@ -4,7 +4,8 @@
 
 
 def lambda_handler(event, context):
-    print("Client token: " + event['authorizationToken'])
+    # incoming token value
+    token = event['authorizationToken']
     print("Method ARN: " + event['methodArn'])
 
     '''

examples/apps/rekognition-python/template.yaml

@@ -2,8 +2,9 @@ AWSTemplateFormatVersion: '2010-09-09'
 Transform: 'AWS::Serverless-2016-10-31'
 Description: An Amazon S3 trigger that uses rekognition APIs to detect faces
 Parameters:
-  BucketNameParameter:
+  BucketNamePrefix:
     Type: String
+    Default: sam-example
   CollectionIdParameter:
     Type: String
 Resources:
@@ -18,7 +19,7 @@ Resources:
       Timeout: 3
       Policies:
         - S3CrudPolicy:
-            BucketName: !Ref BucketNameParameter
+            BucketName: !Sub "${BucketNamePrefix}-rekognition"
         - RekognitionNoDataAccessPolicy:
             CollectionId: !Ref CollectionIdParameter
         - RekognitionWriteOnlyAccessPolicy:
@@ -33,3 +34,5 @@ Resources:
               - 's3:ObjectCreated:*'
   Bucket1:
     Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName: !Sub "${BucketNamePrefix}-rekognition"

examples/apps/s3-get-object-python/template.yaml

@@ -4,8 +4,9 @@ Description: >-
   An Amazon S3 trigger that retrieves metadata for the object that has been
   updated.
 Parameters:
-  BucketNameParameter:
+  BucketNamePrefix:
     Type: String
+    Default: sam-example
 Resources:
   s3getobjectpython:
     Type: 'AWS::Serverless::Function'
@@ -20,7 +21,7 @@ Resources:
       Timeout: 3
       Policies:
         - S3CrudPolicy:
-            BucketName: !Ref BucketNameParameter
+            BucketName: !Sub "${BucketNamePrefix}-get-object-python"
       Events:
         BucketEvent1:
           Type: S3
@@ -31,3 +32,5 @@ Resources:
               - 's3:ObjectCreated:*'
   Bucket1:
     Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName: !Sub "${BucketNamePrefix}-get-object-python"

examples/apps/s3-get-object-python3/template.yaml

@@ -4,8 +4,9 @@ Description: >-
   An Amazon S3 trigger that retrieves metadata for the object that has been
   updated.
 Parameters:
-  BucketNameParameter:
+  BucketNamePrefix:
     Type: String
+    Default: sam-example
 Resources:
   s3getobjectpython3:
     Type: 'AWS::Serverless::Function'
@@ -20,7 +21,7 @@ Resources:
       Timeout: 3
       Policies:
         - S3CrudPolicy:
-            BucketName: !Ref BucketNameParameter
+            BucketName: !Sub "${BucketNamePrefix}-get-object-python3"
       Events:
         BucketEvent1:
           Type: S3
@@ -31,3 +32,5 @@ Resources:
               - 's3:ObjectCreated:*'
   Bucket1:
     Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName: !Sub "${BucketNamePrefix}-get-object-python3"

examples/apps/s3-get-object/template.yaml

@@ -4,8 +4,9 @@ Description: >-
   An Amazon S3 trigger that retrieves metadata for the object that has been
   updated.
 Parameters:
-  BucketNameParameter:
+  BucketNamePrefix:
     Type: String
+    Default: sam-example
 Resources:
   s3getobject:
     Type: 'AWS::Serverless::Function'
@@ -20,14 +21,15 @@ Resources:
       Timeout: 3
       Policies:
         - S3CrudPolicy:
-            BucketName: !Ref BucketNameParameter
+            BucketName: !Sub "${BucketNamePrefix}-get-object"
       Events:
         BucketEvent1:
           Type: S3
           Properties:
-            Bucket:
-              Ref: Bucket1
+            Bucket: !Ref Bucket1
             Events:
               - 's3:ObjectCreated:*'
   Bucket1:
     Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName: !Sub "${BucketNamePrefix}-get-object"

requirements/dev.txt

@@ -9,9 +9,8 @@ PyYAML==3.12
 pytest>=3.0.7
 py>=1.4.33
 mock>=2.0.0
-nose>=1.3.7
 parameterized>=0.6.1
-requests>=2.11.1
+requests>=2.20.0
 
 # CLI requirements
 docopt>=0.6.2

samtranslator/__init__.py

@@ -1 +1 @@
-__version__ = '1.9.0'
+__version__ = '1.10.0'