From 0c470f6e777f94f3df52660226f58ff94a1a2835 Mon Sep 17 00:00:00 2001
From: awstools
Date: Fri, 8 Nov 2024 19:22:21 +0000
Subject: [PATCH] feat(client-lambda): This release adds support for using AWS KMS customer managed keys to encrypt AWS Lambda .zip deployment packages.

---
 .../src/commands/CreateFunctionCommand.ts | 1 +
 .../src/commands/GetFunctionCommand.ts | 1 +
 .../src/commands/UpdateFunctionCodeCommand.ts | 1 +
 clients/client-lambda/src/models/models_0.ts | 88 +++++++++++++++----
 .../src/protocols/Aws_restJson1.ts | 2 +
 codegen/sdk-codegen/aws-models/lambda.json | 26 +++++-
 6 files changed, 100 insertions(+), 19 deletions(-)

diff --git a/clients/client-lambda/src/commands/CreateFunctionCommand.ts b/clients/client-lambda/src/commands/CreateFunctionCommand.ts
index 96bf5a7ab69b..30028ab7cb72 100644
--- a/clients/client-lambda/src/commands/CreateFunctionCommand.ts
+++ b/clients/client-lambda/src/commands/CreateFunctionCommand.ts
@@ -88,6 +88,7 @@ export interface CreateFunctionCommandOutput extends FunctionConfiguration, __Me
 * S3Key: "STRING_VALUE",
 * S3ObjectVersion: "STRING_VALUE",
 * ImageUri: "STRING_VALUE",
+ * SourceKMSKeyArn: "STRING_VALUE",
 * },
 * Description: "STRING_VALUE",
 * Timeout: Number("int"),
diff --git a/clients/client-lambda/src/commands/GetFunctionCommand.ts b/clients/client-lambda/src/commands/GetFunctionCommand.ts
index 3e841152b540..ab3cac5d387e 100644
--- a/clients/client-lambda/src/commands/GetFunctionCommand.ts
+++ b/clients/client-lambda/src/commands/GetFunctionCommand.ts
@@ -152,6 +152,7 @@ export interface GetFunctionCommandOutput extends GetFunctionResponse, __Metadat
 * // Location: "STRING_VALUE",
 * // ImageUri: "STRING_VALUE",
 * // ResolvedImageUri: "STRING_VALUE",
+ * // SourceKMSKeyArn: "STRING_VALUE",
 * // },
 * // Tags: { // Tags
 * // "": "STRING_VALUE",
diff --git a/clients/client-lambda/src/commands/UpdateFunctionCodeCommand.ts b/clients/client-lambda/src/commands/UpdateFunctionCodeCommand.ts
index 3b98430fab37..24ee05bde236 100644
--- a/clients/client-lambda/src/commands/UpdateFunctionCodeCommand.ts
+++ b/clients/client-lambda/src/commands/UpdateFunctionCodeCommand.ts
@@ -68,6 +68,7 @@ export interface UpdateFunctionCodeCommandOutput extends FunctionConfiguration,
 * Architectures: [ // ArchitecturesList
 * "x86_64" || "arm64",
 * ],
+ * SourceKMSKeyArn: "STRING_VALUE",
 * };
 * const command = new UpdateFunctionCodeCommand(input);
 * const response = await client.send(command);
diff --git a/clients/client-lambda/src/models/models_0.ts b/clients/client-lambda/src/models/models_0.ts
index cfab2f5f0f02..f36ee3d6bd14 100644
--- a/clients/client-lambda/src/models/models_0.ts
+++ b/clients/client-lambda/src/models/models_0.ts
@@ -1629,6 +1629,13 @@ export interface FunctionCode {
 * @public
 */
 ImageUri?: string;
+
+ /**
+ *

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt your function's + * .zip deployment package. If you don't provide a customer managed key, Lambda uses an Amazon Web Services owned key.

+ * @public + */ + SourceKMSKeyArn?: string; } /** @@ -2040,12 +2047,23 @@ export interface CreateFunctionRequest { Environment?: Environment; /** - *

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt your function's - * environment variables. When - * Lambda SnapStart is activated, Lambda also uses - * this key is to encrypt your function's snapshot. If you deploy your function using a container image, Lambda also uses this key to - * encrypt your function when it's deployed. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR). - * If you don't provide a customer managed key, Lambda uses a default service key.

+ *

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt the following resources:

+ * + *

If you don't provide a customer managed key, Lambda uses an Amazon Web Services owned key or an Amazon Web Services managed key.

* @public */ KMSKeyArn?: string; @@ -2536,8 +2554,23 @@ export interface FunctionConfiguration { Environment?: EnvironmentResponse; /** - *

The KMS key that's used to encrypt the function's environment variables. When Lambda SnapStart is activated, this key is also used to encrypt the function's snapshot. This key is - * returned only if you've configured a customer managed key.

+ *

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt the following resources:

+ * + *

If you don't provide a customer managed key, Lambda uses an Amazon Web Services owned key or an Amazon Web Services managed key.

* @public */ KMSKeyArn?: string; @@ -3349,6 +3382,13 @@ export interface FunctionCodeLocation { * @public */ ResolvedImageUri?: string; + + /** + *
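Review bot: The rewritten `FunctionConfiguration.KMSKeyArn` doc drops the old sentence "This key is returned only if you've configured a customer managed key" and ends instead with request-style wording ("If you don't provide a customer managed key, Lambda uses ..."), so a GetFunction caller can no longer tell from the doc whether an absent field means "default key in use" or "not reported". This is a response shape, so the list of covered resources is useful, but the closing sentence should be `This key is returned only if you've configured a customer managed key.` as before, assuming the service behaviour has not changed. The same substitution appears in the lambda.json hunk for this shape, which is where the fix should land since this file is generated.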

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt your function's + * .zip deployment package. If you don't provide a customer managed key, Lambda uses an Amazon Web Services owned key.

+ * @public + */ + SourceKMSKeyArn?: string; } /** @@ -3399,7 +3439,7 @@ export interface GetFunctionResponse { /** *

The function's tags. Lambda - * returns tag data only if you have explicit allow permissions for lambda:ListTags.

+ * returns tag data only if you have explicit allow permissions for lambda:ListTags.

* @public */ Tags?: Record; @@ -7206,6 +7246,13 @@ export interface UpdateFunctionCodeRequest { * @public */ Architectures?: Architecture[]; + + /** + *

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt your function's + * .zip deployment package. If you don't provide a customer managed key, Lambda uses an Amazon Web Services managed key.

+ * @public + */ + SourceKMSKeyArn?: string; } /** @@ -7307,12 +7354,23 @@ export interface UpdateFunctionConfigurationRequest { DeadLetterConfig?: DeadLetterConfig; /** - *

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt your function's - * environment variables. When - * Lambda SnapStart is activated, Lambda also uses - * this key is to encrypt your function's snapshot. If you deploy your function using a container image, Lambda also uses this key to - * encrypt your function when it's deployed. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR). - * If you don't provide a customer managed key, Lambda uses a default service key.

+ *

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt the following resources:

+ *
    + *
  • + *

    The function's environment variables.

    + *
  • + *
  • + *

    The function's Lambda SnapStart snapshots.

    + *
  • + *
  • + *

    When used with SourceKMSKeyArn, the unzipped version of the .zip deployment package that's used for function invocations. For more information, see + * Specifying a customer managed key for Lambda.

    + *
  • + *
  • + *

    The optimized version of the container image that's used for function invocations. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR). For more information, see Function lifecycle.

    + *
  • + *
+ *

If you don't provide a customer managed key, Lambda uses an Amazon Web Services owned key or an Amazon Web Services managed key.

 * @public
 */
 KMSKeyArn?: string;
diff --git a/clients/client-lambda/src/protocols/Aws_restJson1.ts b/clients/client-lambda/src/protocols/Aws_restJson1.ts
index 92622a289949..78cf241e4208 100644
--- a/clients/client-lambda/src/protocols/Aws_restJson1.ts
+++ b/clients/client-lambda/src/protocols/Aws_restJson1.ts
@@ -1728,6 +1728,7 @@ export const se_UpdateFunctionCodeCommand = async (
 S3Bucket: [],
 S3Key: [],
 S3ObjectVersion: [],
+ SourceKMSKeyArn: [],
 ZipFile: (_) => context.base64Encoder(_),
 })
 );
@@ -4646,6 +4647,7 @@ const se_FunctionCode = (input: FunctionCode, context: __SerdeContext): any => {
 S3Bucket: [],
 S3Key: [],
 S3ObjectVersion: [],
+ SourceKMSKeyArn: [],
 ZipFile: context.base64Encoder,
 });
 };
diff --git a/codegen/sdk-codegen/aws-models/lambda.json b/codegen/sdk-codegen/aws-models/lambda.json
index 19f1685a55cb..2f1bd5adeda2 100644
--- a/codegen/sdk-codegen/aws-models/lambda.json
+++ b/codegen/sdk-codegen/aws-models/lambda.json
@@ -2974,7 +2974,7 @@
 "KMSKeyArn": {
 "target": "com.amazonaws.lambda#KMSKeyArn",
 "traits": {
- "smithy.api#documentation": "
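Review bot: Only the two request serializers (`se_UpdateFunctionCodeCommand` and `se_FunctionCode`) gain `SourceKMSKeyArn: []`; nothing in this file's diff touches the response path, yet `GetFunctionCommand`'s doc in the same commit now advertises `SourceKMSKeyArn` on `FunctionCodeLocation`. If `de_FunctionCodeLocation` is a `_json(...)` passthrough this is fine, but if it is an explicit `take(...)` member list the new field will be silently dropped from GetFunction responses, so it is worth confirming before release. The passthrough `[]` also means the SDK sends whatever string the caller supplies, so ARN validation is entirely server-side; that matches how the sibling S3 members are handled and is not a defect, just worth knowing when writing input checks. Both enclosing functions start outside the hunk.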

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt your function's \nenvironment variables. When \nLambda SnapStart is activated, Lambda also uses \nthis key is to encrypt your function's snapshot. If you deploy your function using a container image, Lambda also uses this key to \nencrypt your function when it's deployed. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR).\nIf you don't provide a customer managed key, Lambda uses a default service key.

" + "smithy.api#documentation": "

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt the following resources:

\n
    \n
  • \n

    The function's environment variables.

    \n
  • \n
  • \n

    The function's Lambda SnapStart snapshots.

    \n
  • \n
  • \n

    When used with SourceKMSKeyArn, the unzipped version of the .zip deployment package that's used for function invocations. For more information, see \nSpecifying a customer managed key for Lambda.

    \n
  • \n
  • \n

    The optimized version of the container image that's used for function invocations. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR). For more information, see Function lifecycle.

    \n
  • \n
\n

If you don't provide a customer managed key, Lambda uses an Amazon Web Services owned key or an Amazon Web Services managed key.

" } }, "TracingConfig": { @@ -4559,6 +4559,12 @@ "traits": { "smithy.api#documentation": "

URI of a container image in the\n Amazon ECR registry.

" } + }, + "SourceKMSKeyArn": { + "target": "com.amazonaws.lambda#KMSKeyArn", + "traits": { + "smithy.api#documentation": "

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt your function's \n.zip deployment package. If you don't provide a customer managed key, Lambda uses an Amazon Web Services owned key.

" + } } }, "traits": { @@ -4591,6 +4597,12 @@ "traits": { "smithy.api#documentation": "

The resolved URI for the image.

" } + }, + "SourceKMSKeyArn": { + "target": "com.amazonaws.lambda#String", + "traits": { + "smithy.api#documentation": "

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt your function's \n.zip deployment package. If you don't provide a customer managed key, Lambda uses an Amazon Web Services owned key.

" + } } }, "traits": { @@ -4694,7 +4706,7 @@ "KMSKeyArn": { "target": "com.amazonaws.lambda#KMSKeyArn", "traits": { - "smithy.api#documentation": "
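Review bot: `FunctionCodeLocation.SourceKMSKeyArn` targets `com.amazonaws.lambda#String`, whereas the same member added to `FunctionCode` and `UpdateFunctionCodeRequest` in this diff targets `com.amazonaws.lambda#KMSKeyArn`. The generated TypeScript type is `string` either way, but the model-level ARN constraint is lost on the response side, and the copied doc is request-phrased ("If you don't provide a customer managed key ...") even though a GetFunction caller never provides anything here. Unless the response deliberately tolerates non-ARN values, `"target": "com.amazonaws.lambda#KMSKeyArn"` plus a response-side sentence such as `Returned only when the deployment package was encrypted with a customer managed key.` (if that is the actual service behaviour, which should be confirmed) would make this consistent with the rest of the change. This is the vendored service model, so the correction would need to come from upstream.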

The KMS key that's used to encrypt the function's environment variables. When Lambda SnapStart is activated, this key is also used to encrypt the function's snapshot. This key is\n returned only if you've configured a customer managed key.

" + "smithy.api#documentation": "

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt the following resources:

\n
    \n
  • \n

    The function's environment variables.

    \n
  • \n
  • \n

    The function's Lambda SnapStart snapshots.

    \n
  • \n
  • \n

    When used with SourceKMSKeyArn, the unzipped version of the .zip deployment package that's used for function invocations. For more information, see \n Specifying a customer managed key for Lambda.

    \n
  • \n
  • \n

    The optimized version of the container image that's used for function invocations. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR). For more information, see Function lifecycle.

    \n
  • \n
\n

If you don't provide a customer managed key, Lambda uses an Amazon Web Services owned key or an Amazon Web Services managed key.

" } }, "TracingConfig": { @@ -5926,7 +5938,7 @@ "Tags": { "target": "com.amazonaws.lambda#Tags", "traits": { - "smithy.api#documentation": "

The function's tags. Lambda\n returns tag data only if you have explicit allow permissions for lambda:ListTags.

" + "smithy.api#documentation": "

The function's tags. Lambda\n returns tag data only if you have explicit allow permissions for lambda:ListTags.

" } }, "TagsError": { @@ -12760,6 +12772,12 @@ "traits": { "smithy.api#documentation": "

The instruction set architecture that the function supports. Enter a string array with one of the valid values (arm64 or x86_64).\n The default value is x86_64.

" } + }, + "SourceKMSKeyArn": { + "target": "com.amazonaws.lambda#KMSKeyArn", + "traits": { + "smithy.api#documentation": "

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt your function's \n .zip deployment package. If you don't provide a customer managed key, Lambda uses an Amazon Web Services managed key.

" + } } }, "traits": { @@ -12908,7 +12926,7 @@ "KMSKeyArn": { "target": "com.amazonaws.lambda#KMSKeyArn", "traits": { - "smithy.api#documentation": "

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt your function's \nenvironment variables. When \nLambda SnapStart is activated, Lambda also uses \nthis key is to encrypt your function's snapshot. If you deploy your function using a container image, Lambda also uses this key to \nencrypt your function when it's deployed. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR).\nIf you don't provide a customer managed key, Lambda uses a default service key.

" + "smithy.api#documentation": "

The ARN of the Key Management Service (KMS) customer managed key that's used to encrypt the following resources:

\n
    \n
  • \n

    The function's environment variables.

    \n
  • \n
  • \n

    The function's Lambda SnapStart snapshots.

    \n
  • \n
  • \n

    When used with SourceKMSKeyArn, the unzipped version of the .zip deployment package that's used for function invocations. For more information, see \nSpecifying a customer managed key for Lambda.

    \n
  • \n
  • \n

    The optimized version of the container image that's used for function invocations. Note that this is not the same key that's used to protect your container image in the Amazon Elastic Container Registry (Amazon ECR). For more information, see Function lifecycle.

    \n
  • \n
\n

If you don't provide a customer managed key, Lambda uses an Amazon Web Services owned key or an Amazon Web Services managed key.

" } }, "TracingConfig": {