Release/v1.14.0

HOWTO.md

@@ -53,7 +53,7 @@ packaged template that can be readily deployed to CloudFormation.
 $ aws cloudformation package \
     --template-file /path_to_template/template.yaml \
     --s3-bucket bucket-name \
-    --s3-prefix appname/branchname/version
+    --s3-prefix appname/branchname/version \
     --output-template-file packaged-template.yaml
 ```
 
@@ -63,7 +63,7 @@ Or using the aws-sam-cli
 $ sam package \
     --template-file /path_to_template/template.yaml \
     --s3-bucket bucket-name \
-    --s3-prefix appname/branchname/version
+    --s3-prefix appname/branchname/version \
     --output-template-file packaged-template.yaml
 ```
 
@@ -104,7 +104,7 @@ Or using aws-sam-cli
 ```bash
 $ sam deploy \
     --template-file /path_to_template/packaged-template.yaml \
-    --stack-name my-new-stack
+    --stack-name my-new-stack \
     --capabilities CAPABILITY_IAM
 ```
 

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright {yyyy} {name of copyright owner}
+   Copyright 2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

docs/cloudformation_compatibility.rst

@@ -125,6 +125,9 @@ Schedule
 ======================== ================================== ========================
 Schedule                 All
 Input                    All
+Name                     All
+Description              All
+Enabled                  All
 ======================== ================================== ========================
 
 CloudWatchEvent

docs/safe_lambda_deployments.rst

@@ -93,7 +93,7 @@ resource:
     Type: AWS::Serverless::Function
     Properties:
       Handler: index.handler
-      Runtime: nodejs6.10
+      Runtime: nodejs8.10
       AutoPublishAlias: live
       DeploymentPreference:
         Type: Linear10PercentEvery10Minutes
@@ -162,8 +162,8 @@ resource:
           - Effect: "Allow"
             Action:
               - "lambda:InvokeFunction"
-            Resource: !Ref MyLambdaFunction.Version
-      Runtime: nodejs6.10
+            Resource: !GetAtt MyLambdaFunction.Arn
+      Runtime: nodejs8.10
       FunctionName: 'CodeDeployHook_preTrafficHook'
       DeploymentPreference:
         Enabled: false
@@ -286,7 +286,7 @@ Hooks are extremely powerful because:
           - Effect: "Allow"
             Action:
               - "lambda:InvokeFunction"
-            Resource: !Ref MyLambdaFunction.Version
+            Resource: !GetAtt MyLambdaFunction.Arn
 
 Checkout the lambda_safe_deployments_ folder for an example for how to create SAM template that contains a hook function.
 

examples/2016-10-31/api_aws_iam_auth/template.yaml

@@ -8,7 +8,7 @@ Resources:
       StageName: Prod
       Auth:
         DefaultAuthorizer: AWS_IAM
-        InvokeRole: CALLER_CREDENTIALS
+        InvokeRole: CALLER_CREDENTIALS # default, can specify other role or NONE
 
   MyFunction:
     Type: AWS::Serverless::Function

examples/2016-10-31/api_cognito_auth/package.json

@@ -19,12 +19,12 @@
     "configure-cognito-user-pool": "npm run set-cognito-user-pool-id && npm run set-cognito-user-pool-client-id && npm run set-api-id && npm run set-api-url && npm run update-user-pool-client && npm run create-user-pool-domain",
     "set-cognito-user-pool-id": "npm config set COGNITO_USER_POOL_ID $(aws cloudformation describe-stacks --stack-name $(npm config get STACK_NAME) --query 'Stacks[].Outputs[?OutputKey==`CognitoUserPoolId`].OutputValue' --output text)",
     "set-cognito-user-pool-client-id": "npm config set COGNITO_USER_POOL_CLIENT_ID $(aws cloudformation describe-stacks --stack-name $(npm config get STACK_NAME) --query 'Stacks[].Outputs[?OutputKey==`CognitoUserPoolClientId`].OutputValue' --output text)",
-    "set-api-url": "npm config set API_URL $(aws cloudformation describe-stacks --stack-name sam-example-api-cognito-auth --query 'Stacks[].Outputs[?OutputKey==`ApiUrl`].OutputValue' --output text)",
-    "set-api-id": "npm config set API_ID $(aws cloudformation describe-stacks --stack-name sam-example-api-cognito-auth --query 'Stacks[].Outputs[?OutputKey==`ApiId`].OutputValue' --output text)",
+    "set-api-url": "npm config set API_URL $(aws cloudformation describe-stacks --stack-name $(npm config get STACK_NAME) --query 'Stacks[].Outputs[?OutputKey==`ApiUrl`].OutputValue' --output text)",
+    "set-api-id": "npm config set API_ID $(aws cloudformation describe-stacks --stack-name $(npm config get STACK_NAME) --query 'Stacks[].Outputs[?OutputKey==`ApiId`].OutputValue' --output text)",
     "update-user-pool-client": "aws cognito-idp update-user-pool-client --user-pool-id $(npm config get COGNITO_USER_POOL_ID) --client-id $(npm config get COGNITO_USER_POOL_CLIENT_ID) --supported-identity-providers COGNITO --callback-urls \"[\\\"$(npm config get API_URL)\\\"]\" --allowed-o-auth-flows code implicit --allowed-o-auth-scopes openid email --allowed-o-auth-flows-user-pool-client",
     "create-user-pool-domain": "aws cognito-idp create-user-pool-domain --domain $(npm config get API_ID) --user-pool-id $(npm config get COGNITO_USER_POOL_ID)",
-    "open-signup-page": "open \"https://$(npm config get API_ID).auth.us-east-1.amazoncognito.com/signup?response_type=code&client_id=$(npm config get COGNITO_USER_POOL_CLIENT_ID)&redirect_uri=$(npm config get API_URL)\"",
-    "open-login-page": "open \"https://$(npm config get API_ID).auth.us-east-1.amazoncognito.com/login?response_type=code&client_id=$(npm config get COGNITO_USER_POOL_CLIENT_ID)&redirect_uri=$(npm config get API_URL)\"",
+    "open-signup-page": "open \"https://$(npm config get API_ID).auth.$(aws cloudformation describe-stacks --stack-name $(npm config get STACK_NAME) --query 'Stacks[].Outputs[?OutputKey==`Region`].OutputValue' --output text).amazoncognito.com/signup?response_type=code&client_id=$(npm config get COGNITO_USER_POOL_CLIENT_ID)&redirect_uri=$(npm config get API_URL)\"",
+    "open-login-page": "open \"https://$(npm config get API_ID).auth.$(aws cloudformation describe-stacks --stack-name $(npm config get STACK_NAME) --query 'Stacks[].Outputs[?OutputKey==`Region`].OutputValue' --output text).amazoncognito.com/login?response_type=code&client_id=$(npm config get COGNITO_USER_POOL_CLIENT_ID)&redirect_uri=$(npm config get API_URL)\"",
     "open-api-ui": "open \"$(npm config get API_URL)\""
   }
 }

examples/2016-10-31/api_cognito_auth/template.yaml

@@ -140,6 +140,10 @@ Resources:
       #       UserPool: !Ref MyCognitoUserPool
 
 Outputs:
+    Region:
+      Description: "Region"
+      Value: !Ref AWS::Region
+
     ApiId:
       Description: "API ID"
       Value: !Ref MyApi

examples/2016-10-31/api_resource_policy/README.md

@@ -0,0 +1,11 @@
+# Api Resource Policy Event Source Example
+
+Example SAM template for adding Custom Resource Policy to Api.
+
+## Running the example
+
+```bash
+# Replace YOUR_S3_ARTIFACTS_BUCKET
+aws cloudformation package --template-file template.yaml --output-template-file cfn-transformed-template.yaml --s3-bucket YOUR_S3_ARTIFACTS_BUCKET
+aws cloudformation deploy --template-file ./cfn-transformed-template.yaml --stack-name example-resource-policy --capabilities CAPABILITY_IAM
+```

examples/2016-10-31/api_resource_policy/template.yaml

@@ -0,0 +1,37 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Globals:
+  Api:
+    Auth:
+      ResourcePolicy:
+        CustomStatements: [{
+            "Effect": "Allow",
+            "Principal": "*",
+            "Action": "execute-api:Invoke",
+            "Resource": "execute-api:*/*/*",
+            "Condition": {
+                "IpAddress": {
+                    "aws:SourceIp": "1.2.3.4"
+                }
+            }
+        }]
+Resources:
+  MyFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      InlineCode: |
+        exports.handler = async (event) => {
+          const response = {
+            statusCode: 200,
+            body: JSON.stringify('Hello from Lambda!'),
+          };
+          return response;
+        };
+      Handler: index.handler
+      Runtime: nodejs8.10
+      Events:
+        Api:
+          Type: Api
+          Properties:
+            Method: Put
+            Path: /get

examples/2016-10-31/lambda_safe_deployments/template.yaml

@@ -34,7 +34,7 @@ Resources:
           - Effect: "Allow"
             Action:
               - "lambda:InvokeFunction"
-            Resource: !Ref safeTest.Version
+            Resource: !GetAtt safeTest.Arn
       Runtime: nodejs8.10
       FunctionName: 'CodeDeployHook_preTrafficHook'
       DeploymentPreference:

examples/apps/api-gateway-multiple-origin-cors/package.json

@@ -9,7 +9,7 @@
   "author": "",
   "devDependencies": {
     "jest": "^23.1.0",
-    "lodash": ">=4.17.11",
+    "lodash": ">=4.17.13",
     "merge": ">=1.2.1"
   },
   "jest": {

examples/apps/microservice-http-endpoint-python3/lambda_function.py

@@ -33,7 +33,7 @@ def lambda_handler(event, context):
 
     operations = {
         'DELETE': lambda dynamo, x: dynamo.delete_item(TableName=table_name, **x),
-		'GET': lambda dynamo, x: dynamo.scan(TableName=table_name, **x) if x else dynamo.scan(TableName=table_name),
+	'GET': lambda dynamo, x: dynamo.scan(TableName=table_name, **x) if x else dynamo.scan(TableName=table_name),
         'POST': lambda dynamo, x: dynamo.put_item(TableName=table_name, **x),
         'PUT': lambda dynamo, x: dynamo.update_item(TableName=table_name, **x),
     }

requirements/dev.txt

@@ -3,15 +3,15 @@ flake8>=3.3.0
 tox>=2.2.1
 pytest-cov>=2.4.0
 pylint>=1.7.2,<2.0
-pyyaml>=4.2b1
+pyyaml>=5.1
 
 # Test requirements
 pytest>=3.0.7
-py>=1.4.33
 mock>=2.0.0
 parameterized>=0.6.1
+
+# Requirements for examples
 requests>=2.20.0
-cfn-lint>=0.18.1
 
 # CLI requirements
 docopt>=0.6.2

samtranslator/__init__.py

@@ -1 +1 @@
-__version__ = '1.13.2'
+__version__ = '1.14.0'

samtranslator/model/api/api_generator.py

@@ -13,6 +13,7 @@
 from samtranslator.model.intrinsics import is_instrinsic, fnSub
 from samtranslator.model.lambda_ import LambdaPermission
 from samtranslator.translator.arn_generator import ArnGenerator
+from samtranslator.model.tags.resource_tagging import get_tag_list
 
 _CORS_WILDCARD = "'*'"
 CorsProperties = namedtuple("_CorsProperties", ["AllowMethods", "AllowHeaders", "AllowOrigin", "MaxAge",
@@ -21,16 +22,17 @@
 CorsProperties.__new__.__defaults__ = (None, None, _CORS_WILDCARD, None, False)
 
 AuthProperties = namedtuple("_AuthProperties",
-                            ["Authorizers", "DefaultAuthorizer", "InvokeRole", "AddDefaultAuthorizerToCorsPreflight"])
-AuthProperties.__new__.__defaults__ = (None, None, None, True)
+                            ["Authorizers", "DefaultAuthorizer", "InvokeRole", "AddDefaultAuthorizerToCorsPreflight",
+                             "ApiKeyRequired", "ResourcePolicy"])
+AuthProperties.__new__.__defaults__ = (None, None, None, True, None, None)
 
 GatewayResponseProperties = ["ResponseParameters", "ResponseTemplates", "StatusCode"]
 
 
 class ApiGenerator(object):
 
     def __init__(self, logical_id, cache_cluster_enabled, cache_cluster_size, variables, depends_on,
-                 definition_body, definition_uri, name, stage_name, endpoint_configuration=None,
+                 definition_body, definition_uri, name, stage_name, tags=None, endpoint_configuration=None,
                  method_settings=None, binary_media=None, minimum_compression_size=None, cors=None,
                  auth=None, gateway_responses=None, access_log_setting=None, canary_setting=None,
                  tracing_enabled=None, resource_attributes=None, passthrough_resource_attributes=None,
@@ -46,6 +48,7 @@ def __init__(self, logical_id, cache_cluster_enabled, cache_cluster_size, variab
         :param definition_uri: URI to API definition
         :param name: Name of the API Gateway resource
         :param stage_name: Name of the Stage
+        :param tags: Stage Tags
         :param access_log_setting: Whether to send access logs and where for Stage
         :param canary_setting: Canary Setting for Stage
         :param tracing_enabled: Whether active tracing with X-ray is enabled
@@ -62,6 +65,7 @@ def __init__(self, logical_id, cache_cluster_enabled, cache_cluster_size, variab
         self.definition_uri = definition_uri
         self.name = name
         self.stage_name = stage_name
+        self.tags = tags
         self.endpoint_configuration = endpoint_configuration
         self.method_settings = method_settings
         self.binary_media = binary_media
@@ -75,6 +79,7 @@ def __init__(self, logical_id, cache_cluster_enabled, cache_cluster_size, variab
         self.resource_attributes = resource_attributes
         self.passthrough_resource_attributes = passthrough_resource_attributes
         self.open_api_version = open_api_version
+        self.remove_extra_stage = open_api_version
         self.models = models
 
     def _construct_rest_api(self):
@@ -115,6 +120,8 @@ def _construct_rest_api(self):
         if self.definition_uri:
             rest_api.BodyS3Location = self._construct_body_s3_dict()
         elif self.definition_body:
+            # # Post Process OpenApi Auth Settings
+            self.definition_body = self._openapi_postprocess(self.definition_body)
             rest_api.Body = self.definition_body
 
         if self.name:
@@ -152,7 +159,7 @@ def _construct_body_s3_dict(self):
             body_s3['Version'] = s3_pointer['Version']
         return body_s3
 
-    def _construct_deployment(self, rest_api, open_api_version):
+    def _construct_deployment(self, rest_api):
         """Constructs and returns the ApiGateway Deployment.
 
         :param model.apigateway.ApiGatewayRestApi rest_api: the RestApi for this Deployment
@@ -162,7 +169,7 @@ def _construct_deployment(self, rest_api, open_api_version):
         deployment = ApiGatewayDeployment(self.logical_id + 'Deployment',
                                           attributes=self.passthrough_resource_attributes)
         deployment.RestApiId = rest_api.get_runtime_attr('rest_api_id')
-        if not self.open_api_version:
+        if not self.remove_extra_stage:
             deployment.StageName = 'Stage'
 
         return deployment
@@ -193,7 +200,10 @@ def _construct_stage(self, deployment, swagger):
         stage.TracingEnabled = self.tracing_enabled
 
         if swagger is not None:
-            deployment.make_auto_deployable(stage, self.open_api_version, swagger)
+            deployment.make_auto_deployable(stage, self.remove_extra_stage, swagger)
+
+        if self.tags is not None:
+            stage.Tags = get_tag_list(self.tags)
 
         return stage
 
@@ -205,7 +215,7 @@ def to_cloudformation(self):
         """
 
         rest_api = self._construct_rest_api()
-        deployment = self._construct_deployment(rest_api, self.open_api_version)
+        deployment = self._construct_deployment(rest_api)
 
         swagger = None
         if rest_api.Body is not None:
@@ -308,11 +318,16 @@ def _add_auth(self):
         authorizers = self._get_authorizers(auth_properties.Authorizers, auth_properties.DefaultAuthorizer)
 
         if authorizers:
-            swagger_editor.add_authorizers(authorizers)
+            swagger_editor.add_authorizers_security_definitions(authorizers)
             self._set_default_authorizer(swagger_editor, authorizers, auth_properties.DefaultAuthorizer,
                                          auth_properties.AddDefaultAuthorizerToCorsPreflight)
 
-        # Assign the Swagger back to template
+        if auth_properties.ApiKeyRequired:
+            swagger_editor.add_apikey_security_definition()
+            self._set_default_apikey_required(swagger_editor)
+
+        if auth_properties.ResourcePolicy:
+            swagger_editor.add_resource_policy(auth_properties.ResourcePolicy)
 
         self.definition_body = self._openapi_postprocess(swagger_editor.swagger)
 
@@ -506,6 +521,10 @@ def _set_default_authorizer(self, swagger_editor, authorizers, default_authorize
             swagger_editor.set_path_default_authorizer(path, default_authorizer, authorizers=authorizers,
                                                        add_default_auth_to_preflight=add_default_auth_to_preflight)
 
+    def _set_default_apikey_required(self, swagger_editor):
+        for path in swagger_editor.iter_on_path():
+            swagger_editor.set_path_default_apikey_required(path)
+
     def _set_endpoint_configuration(self, rest_api, value):
         """
         Sets endpoint configuration property of AWS::ApiGateway::RestApi resource

samtranslator/model/apigateway.py

@@ -2,7 +2,7 @@
 
 from samtranslator.model import PropertyType, Resource
 from samtranslator.model.exceptions import InvalidResourceException
-from samtranslator.model.types import is_type, one_of, is_str
+from samtranslator.model.types import is_type, one_of, is_str, list_of
 from samtranslator.model.intrinsics import ref, fnSub
 from samtranslator.translator import logical_id_generator
 from samtranslator.translator.arn_generator import ArnGenerator
@@ -40,6 +40,7 @@ class ApiGatewayStage(Resource):
             'Description': PropertyType(False, is_str()),
             'RestApiId': PropertyType(True, is_str()),
             'StageName': PropertyType(True, one_of(is_str(), is_type(dict))),
+            'Tags': PropertyType(False, list_of(is_type(dict))),
             'TracingEnabled': PropertyType(False, is_type(bool)),
             'Variables': PropertyType(False, is_type(dict)),
             "MethodSettings": PropertyType(False, is_type(list))