chore(merge-back): 2.153.0

CHANGELOG.v2.alpha.md

@@ -2,6 +2,8 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.153.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.152.0-alpha.0...v2.153.0-alpha.0) (2024-08-19)
+
 ## [2.152.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.151.1-alpha.0...v2.152.0-alpha.0) (2024-08-14)
 
 ## [2.151.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.151.0-alpha.0...v2.151.1-alpha.0) (2024-08-14)

CHANGELOG.v2.md

@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.153.0](https://github.com/aws/aws-cdk/compare/v2.152.0...v2.153.0) (2024-08-19)
+
+
+### Features
+
+* **lambda:** support Recursive Loop Protection property ([572fe0a](https://github.com/aws/aws-cdk/commit/572fe0a68f18724f5b43460c1858634b5aff45e5))
+
 ## [2.152.0](https://github.com/aws/aws-cdk/compare/v2.151.1...v2.152.0) (2024-08-14)
 
 

packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.js.snapshot/stack.template.json

@@ -0,0 +1,190 @@
+{
+ "Resources": {
+  "LambdaWithRecursionLoopProtectionServiceRoleA7B94605": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "LambdaWithRecursionLoopProtectionA3FC83DA": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "ZipFile": "foo"
+    },
+    "Handler": "index.handler",
+    "RecursiveLoop": "Terminate",
+    "Role": {
+     "Fn::GetAtt": [
+      "LambdaWithRecursionLoopProtectionServiceRoleA7B94605",
+      "Arn"
+     ]
+    },
+    "Runtime": "python3.9"
+   },
+   "DependsOn": [
+    "LambdaWithRecursionLoopProtectionServiceRoleA7B94605"
+   ]
+  },
+  "LambdaWithoutRecursionLoopProtectionServiceRole72AE2C03": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "LambdaWithoutRecursionLoopProtectionB8E30B60": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "ZipFile": "foo"
+    },
+    "Handler": "index.handler",
+    "RecursiveLoop": "Allow",
+    "Role": {
+     "Fn::GetAtt": [
+      "LambdaWithoutRecursionLoopProtectionServiceRole72AE2C03",
+      "Arn"
+     ]
+    },
+    "Runtime": "python3.9"
+   },
+   "DependsOn": [
+    "LambdaWithoutRecursionLoopProtectionServiceRole72AE2C03"
+   ]
+  },
+  "LambdaWithDefaultRecursionLoopProtectionServiceRoleFFB5B9DB": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "LambdaWithDefaultRecursionLoopProtectionAAC84758": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "ZipFile": "foo"
+    },
+    "Handler": "index.handler",
+    "Role": {
+     "Fn::GetAtt": [
+      "LambdaWithDefaultRecursionLoopProtectionServiceRoleFFB5B9DB",
+      "Arn"
+     ]
+    },
+    "Runtime": "python3.9"
+   },
+   "DependsOn": [
+    "LambdaWithDefaultRecursionLoopProtectionServiceRoleFFB5B9DB"
+   ]
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk-testing/framework-integ/test/aws-lambda/test/integ.lambda-recursive-loop.ts

@@ -0,0 +1,32 @@
+import * as cdk from 'aws-cdk-lib';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import { InlineCode, Runtime } from 'aws-cdk-lib/aws-lambda';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'stack');
+
+new lambda.Function(stack, 'LambdaWithRecursionLoopProtection', {
+  runtime: Runtime.PYTHON_3_9,
+  handler: 'index.handler',
+  code: new InlineCode('foo'),
+  recursiveLoop: lambda.RecursiveLoop.TERMINATE,
+});
+
+new lambda.Function(stack, 'LambdaWithoutRecursionLoopProtection', {
+  runtime: Runtime.PYTHON_3_9,
+  handler: 'index.handler',
+  code: new InlineCode('foo'),
+  recursiveLoop: lambda.RecursiveLoop.ALLOW,
+});
+
+new lambda.Function(stack, 'LambdaWithDefaultRecursionLoopProtection', {
+  runtime: Runtime.PYTHON_3_9,
+  handler: 'index.handler',
+  code: new InlineCode('foo'),
+});
+
+new IntegTest(app, 'LambdaRecursiveLoopTest', {
+  testCases: [stack],
+});

packages/aws-cdk-lib/aws-lambda/README.md

@@ -1009,8 +1009,7 @@ const fn = new lambda.Function(this, 'MyFunction', {
 });
 ```
 
-See [the AWS documentation](https://docs.aws.amazon.com/lambda/latest/dg/concurrent-executions.html)
-managing concurrency.
+https://docs.aws.amazon.com/lambda/latest/dg/invocation-recursion.html
 
 ## Lambda with SnapStart
 
@@ -1086,6 +1085,26 @@ new lambda.Function(this, 'Lambda', {
 Providing a user-controlled log group was rolled out to commercial regions on 2023-11-16.
 If you are deploying to another type of region, please check regional availability first.
 
+## Lambda with Recursive Loop protection
+
+Recursive loop protection is to stop unintended loops. The customers are opted in by default for Lambda to detect and terminate unintended loops between Lambda and other AWS Services.
+The property can be assigned two values here, "Allow" and "Terminate". 
+
+The default value is set to "Terminate", which lets the Lambda to detect and terminate the recursive loops. 
+
+When the value is set to "Allow", the customers opt out of recursive loop detection and Lambda does not terminate recursive loops if any. 
+
+See [the AWS documentation](https://docs.aws.amazon.com/lambda/latest/dg/invocation-recursion.html) to learn more about AWS Lambda Recusrive Loop Detection
+
+```ts
+const fn = new lambda.Function(this, 'MyFunction', {
+  code: lambda.Code.fromAsset(path.join(__dirname, 'handler.zip')),
+  runtime: lambda.Runtime.JAVA_11,
+  handler: 'example.Handler::handleRequest',
+  recursiveLoop: lambda.RecursiveLoop.TERMINATE,
+  });
+```
+
 ### Legacy Log Retention
 
 As an alternative to providing a custom, user controlled log group, the legacy `logRetention` property can be used to set a different expiration period.

packages/aws-cdk-lib/aws-lambda/lib/function.ts

@@ -140,6 +140,17 @@ export enum LoggingFormat {
   JSON = 'JSON',
 }
 
+export enum RecursiveLoop {
+  /**
+   * Allows the recursive loop to happen and does not terminate it.
+  */
+  ALLOW = 'Allow',
+  /**
+   * Terminates the recursive loop.
+   */
+  TERMINATE = 'Terminate',
+}
+
 /**
  * Non runtime options
  */
@@ -535,6 +546,14 @@ export interface FunctionOptions extends EventInvokeConfigOptions {
    */
   readonly loggingFormat?: LoggingFormat;
 
+  /**
+  * Sets the Recursive Loop Protection for Lambda Function.
+  * It lets Lambda detect and terminate unintended recusrive loops.
+  *
+  * @default RecursiveLoop.Terminate
+  */
+  readonly recursiveLoop?: RecursiveLoop;
+
   /**
    * Sets the application log level for the function.
    * @deprecated Use `applicationLogLevelV2` as a property instead.
@@ -1025,6 +1044,7 @@ export class Function extends FunctionBase {
       runtimeManagementConfig: props.runtimeManagementMode?.runtimeManagementConfig,
       snapStart: this.configureSnapStart(props),
       loggingConfig: this.getLoggingConfig(props),
+      recursiveLoop: props.recursiveLoop,
     });
 
     if ((props.tracing !== undefined) || (props.adotInstrumentation !== undefined)) {

packages/aws-cdk-lib/aws-lambda/test/function.test.ts

@@ -3489,6 +3489,67 @@ describe('function', () => {
     });
   });
 
+  describe('Recursive Loop', () => {
+    test('with recursive loop protection', () => {
+      const stack = new cdk.Stack();
+      new lambda.Function(stack, 'MyLambda', {
+        code: new lambda.InlineCode('foo'),
+        handler: 'bar',
+        runtime: lambda.Runtime.NODEJS_LATEST,
+        recursiveLoop: lambda.RecursiveLoop.TERMINATE,
+      });
+
+      Template.fromStack(stack).hasResource('AWS::Lambda::Function', {
+        Properties:
+        {
+          Code: { ZipFile: 'foo' },
+          Handler: 'bar',
+          Runtime: lambda.Runtime.NODEJS_LATEST.name,
+          RecursiveLoop: 'Terminate',
+        },
+      });
+    });
+
+    test('without recursive loop protection', () => {
+      const stack = new cdk.Stack();
+      new lambda.Function(stack, 'MyLambda', {
+        code: new lambda.InlineCode('foo'),
+        handler: 'bar',
+        runtime: lambda.Runtime.NODEJS_LATEST,
+        recursiveLoop: lambda.RecursiveLoop.ALLOW,
+      });
+
+      Template.fromStack(stack).hasResource('AWS::Lambda::Function', {
+        Properties:
+        {
+          Code: { ZipFile: 'foo' },
+          Handler: 'bar',
+          Runtime: lambda.Runtime.NODEJS_LATEST.name,
+          RecursiveLoop: 'Allow',
+        },
+      });
+    });
+
+    test('default recursive loop protection', () => {
+      const stack = new cdk.Stack();
+      new lambda.Function(stack, 'MyLambda', {
+        code: new lambda.InlineCode('foo'),
+        handler: 'bar',
+        runtime: lambda.Runtime.NODEJS_LATEST,
+      });
+
+      Template.fromStack(stack).hasResource('AWS::Lambda::Function', {
+        Properties:
+        {
+          Code: { ZipFile: 'foo' },
+          Handler: 'bar',
+          Runtime: lambda.Runtime.NODEJS_LATEST.name,
+          // for default, if the property is not set up in stack it doesn't show up in the template.
+        },
+      });
+    });
+  });
+
   test('called twice for the same service principal but with different conditions', () => {
     // GIVEN
     const stack = new cdk.Stack();

packages/aws-cdk-lib/awslint.json

@@ -361,6 +361,7 @@
     "docs-public-apis:aws-cdk-lib.aws_lambda.RuntimeManagementMode.mode",
     "docs-public-apis:aws-cdk-lib.aws_lambda.RuntimeManagementMode.arn",
     "docs-public-apis:aws-cdk-lib.aws_lambda.SnapStartConf",
+    "docs-public-apis:aws-cdk-lib.aws_lambda.RecursiveLoop",
     "docs-public-apis:aws-cdk-lib.aws_lambda.SnapStartConf.ON_PUBLISHED_VERSIONS",
     "docs-public-apis:aws-cdk-lib.aws_lambda.Version.fromVersionAttributes",
     "docs-public-apis:aws-cdk-lib.aws_lambda_event_sources.ApiEventSource",

version.v2.json

@@ -1,4 +1,4 @@
 {
-  "version": "2.152.0",
-  "alphaVersion": "2.152.0-alpha.0"
+  "version": "2.153.0",
+  "alphaVersion": "2.153.0-alpha.0"
 }