feat(parameters): accept boto3_client to support private endpoints and ease testing

[ran-isenberg]

Fixes: #1079

Summary

Changes

Please provide a summary of what's being changed

This adds a new boto3_client constructor parameter to the Parameters feature to unblock customers using VPC endpoints.

I didn't add it to DynamoDB parameter because i'm not sure it's possible there. Fixed also the docs. All clients have it now, and DynamoDB has a note in docstrings + type referring to Resource Client (high-level) not Client (low-level) like SSM, SecretsManager and AppConfig.

User experience

Please share what the user experience looks like before and after this change

import boto3

from aws_lambda_powertools.utilities import parameters

# Initialize clients with custom VPC endpoint
ssm = boto3.client("ssm", endpoint_url="custom_endpoint")
secrets = boto3.client("secretsmanager", endpoint_url="custom_endpoint")
appconfig = boto3.client("appconfig", endpoint_url="custom_endpoint")


ssm_provider = parameters.SSMProvider(boto3_client=ssm)
secrets_provider = parameters.SecretsProvider(boto3_client=secrets)
appconf_provider = parameters.AppConfigProvider(environment="my_env", application="my_app", boto3_client=appconfig)

Checklist

If your change doesn't seem to apply, please leave them unchecked.

• Meet tenets criteria
• I have performed a self-review of my this change
• Changes are tested
• Changes are documented
• PR title follows conventional commit semantics

Is this a breaking change?

RFC issue number:

Checklist:

• Migration process documented
• Implement warnings (if it can live side by side)

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Disclaimer: We value your time and bandwidth. As such, any pull requests created on non-triaged issues might not be successful.

---

View rendered docs/utilities/parameters.md

[codecov-commenter]

Codecov Report

Merging #1096 (cec2f33) into develop (0777858) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff            @@
##           develop    #1096   +/-   ##
========================================
  Coverage    99.88%   99.88%           
========================================
  Files          119      119           
  Lines         5414     5425   +11     
  Branches       616      618    +2     
========================================
+ Hits          5408     5419   +11     
  Misses           2        2           
  Partials         4        4           

Impacted Files	Coverage Δ
...ambda_powertools/utilities/parameters/appconfig.py	100.00% <100.00%> (ø)
aws_lambda_powertools/utilities/parameters/base.py	100.00% <100.00%> (ø)
...lambda_powertools/utilities/parameters/dynamodb.py	100.00% <100.00%> (ø)
..._lambda_powertools/utilities/parameters/secrets.py	100.00% <100.00%> (ø)
aws_lambda_powertools/utilities/parameters/ssm.py	100.00% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0777858...cec2f33. Read the comment docs.

[ran-isenberg]

not really sure why codecov doesnt show an updated version. I added tests

[heitorlessa]

thanks for that @ran-isenberg - fixed the title as I see this as a bug as customers can't use the functionality we provide.

The pull request body is missing our required acknowledgements: are you okay if I edit the content to add them back as I can't review PRs without it?

Thanks a lot!

[ran-isenberg]

@heitorlessa after all this time, do you really need to ask? :)
go for it

[heitorlessa]

Two minor changes - 1/ Make use of forward reference for type annotation ( "SSMClient" from mypy_boto3_<service), and 2/ refactor branching logic into a static method to prevent logic discrepancy in a future change.

I ran out of time to look into the tests and DynamoDB, but I will as soon as I'm able.

Side note: Secrets Manager and SSM seem to be the only ones supporting endpoint_url according to this doc, yet boto3_client will benefit everyone's testing: https://docs.aws.amazon.com/vpc/latest/privatelink/integrated-services-vpce-list.html

[heitorlessa]

Can we turn this into a builder static method in the parent class? Return type could be Any as we will be able to cast the correct one for each client built w/ mypy_boto3.

This will prevent future an accidental logic discrepancy between them and localize change. It could accept the boto3_client, boto3_session, boto3_config, and boto3_service_name to initialize.

Let me know if it doesn't make sense

[ran-isenberg]

i didnt add it to the dymamo class becuase we dont use a client there, not usre you can create a table from a client class.
so if it's not the dynamodb, it shouldn't be in the parent

[michaelbrewer]

Two minor changes - 1/ Make use of forward reference for type annotation ( "SSMClient" from mypy_boto3_<service), and 2/ refactor branching logic into a static method to prevent logic discrepancy in a future change.

I ran out of time to look into the tests and DynamoDB, but I will as soon as I'm able.

Side note: Secrets Manager and SSM seem to be the only ones supporting endpoint_url according to this doc, yet boto3_client will benefit everyone's testing: docs.aws.amazon.com/vpc/latest/privatelink/integrated-services-vpce-list.html

@heitorlessa @ran-isenberg - should we be bundling boto3-stubs as part of the python runtime? self.client is typed as Any and so it only benefits internal usage and not external. And internally we just explode the sdk_options into the method. So very little benefit. It would be nice to keep this light before splitting up modules.

[heitorlessa]

Haven't forgotten @ran-isenberg. I'll look into as soon as I can this week.

[michaelbrewer]

When this is released as is and it has to include a new runtime dependency for internal typing.

Can we include a warning in the changelog for customers like me at FiServ, who needs to scan for upstream issues and resolve conflicts if using a conflicting boto stubs.

Or change this make this optional dependency

[michaelbrewer]

maybe 2 PRs

• 154 lines to fix just feat(parameters): Allow settings boto3.client() arguments #1079
• 430 lines or more for the mypy stubs and what ever other packages could use it. Like Idempotency, Batch, Parameters, Data Class (code_pipeline_job_event)

[heitorlessa]

@ran-isenberg thanks for making those changes. I've made code change suggestions along with explanations about why they're needed - let me know if they don't make sense.

For the DynamoDB and parent static method piece, GitHub seems to have swallowed the review thread and I can't make comments anymore. I understand you concern about having a static method in the parent that's applicable to two clients (SSM, SecretsManager) but DynamoDB. I'd like to propose a solution to unblock this PR, as we still need to address DynamoDB regardless.

Suggestion: Add the same boto3_client in DynamoDB with an explicit resource type definition, plus doc strings as well as docs stating that we expect a DynamoDB resource client. I thought about boto3_resource_client but ultimately it will come down to practicality at this point, hence the suggestion of keeping boto3_client, as resource is also a client (high level vs low level).

[michaelbrewer]

@ran-isenberg thanks for making those changes. I've made code change suggestions along with explanations about why they're needed - let me know if they don't make sense.

For the DynamoDB and parent static method piece, GitHub seems to have swallowed the review thread and I can't make comments anymore. I understand you concern about having a static method in the parent that's applicable to two clients (SSM, SecretsManager) but DynamoDB. I'd like to propose a solution to unblock this PR, as we still need to address DynamoDB regardless.

Suggestion: Add the same boto3_client in DynamoDB with an explicit resource type definition, plus doc strings as well as docs stating that we expect a DynamoDB resource client. I thought about boto3_resource_client but ultimately it will come down to practicality at this point, hence the suggestion of keeping boto3_client, as resource is also a client (high level vs low level).

Great work in finding an alternative of doing typing checking during development time and not make a required runtime dependency.

But does this make sense as part of this pull request? At a minimum just the added client parameter is needed to resolve #1079

[heitorlessa]

@heitorlessa @michaelbrewer I pushed the changes you wanted. I didnt do the dynamodb changes as I dont fully understand what you suggested. DynamoDB already gets an optional boto session, so not really sure what the client has to do with anything. We create a table from the session.
Feel free to make the changes yourself or explain them again :)

Thanks a lot for making those changes, Ran! I'll push the other changes and ping you for review later this week

As promised, I've transferred what I had in my local branch and made additional fixes. This is now ready for review.

@gshpychka - @sthulb will review and once approved we should release it ASAP to unblock the VPC private endpoints. We had a delay in getting this out to you due to a larger operational and internal work.

[michaelbrewer]

@heitorlessa @michaelbrewer I pushed the changes you wanted. I didnt do the dynamodb changes as I dont fully understand what you suggested. DynamoDB already gets an optional boto session, so not really sure what the client has to do with anything. We create a table from the session.
Feel free to make the changes yourself or explain them again :)

Thanks a lot for making those changes, Ran! I'll push the other changes and ping you for review later this week

As promised, I've transferred what I had in my local branch and made additional fixes. This is now ready to be review.

@gshpychka - @sthulb will review and once approved we should release it ASAP to unblock the VPC private endpoints. We had a delay in getting this out to you due to a larger operational and internal work.

Would this be a major release update? Have you done integration testing (due to the large number of changes)

[michaelbrewer]

For this kind of change docs with examples should also be added to avoid confusion between using client vs resource.

note, the original request was for appconfig.

[michaelbrewer]

As a customer without clarification this would be confusing and not everyone uses mypy types

[heitorlessa]

Agreed on the docs, I will make those changes tomorrow (docs, not param name) and merge it.

[michaelbrewer]

thanks clarity always helps.

[michaelbrewer]

overall for DynamoDBProvider the resource client so that you can set the endpoint url seems redundant when you already have endpoint_url as a parameter.

With 8 parameters now, this is borderline code smell.

[michaelbrewer]

@heitorlessa the docs definitely helps! It might be a good general call out to recommend people use boto3 session where possible

[sthulb]

This PR looks fine to me.

My only qualm is about the order of session and clients in the providers, but given it's new functionality, it can be ignored

[sthulb]

Would this be a major release update? Have you done integration testing (due to the large number of changes)

As per semver, this would require a minor release. 1.x.0, this doesn't remove any functionality or fundamentally change anything for users.

[michaelbrewer]

Would this be a major release update? Have you done integration testing (due to the large number of changes)

As per semver, this would require a minor release. 1.x.0, this doesn't remove any functionality or fundamentally change anything for users.

so a feature release ie: 1.26.0. I never expect this to be a 2.0.0 release.