From 6fff363962d2ffc0bcca059127203d5266b72b58 Mon Sep 17 00:00:00 2001 From: awstools Date: Wed, 21 Aug 2024 18:23:46 +0000 Subject: [PATCH] feat(client-lambda): Release FilterCriteria encryption for Lambda EventSourceMapping, enabling customers to encrypt their filter criteria using a customer-owned KMS key. --- .../src/commands/AddPermissionCommand.ts | 6 +- .../CreateEventSourceMappingCommand.ts | 6 ++ .../src/commands/CreateFunctionCommand.ts | 6 +- .../DeleteEventSourceMappingCommand.ts | 5 ++ .../src/commands/DeleteFunctionCommand.ts | 2 +- .../commands/GetEventSourceMappingCommand.ts | 5 ++ .../ListEventSourceMappingsCommand.ts | 5 ++ .../src/commands/RemovePermissionCommand.ts | 2 +- .../UpdateEventSourceMappingCommand.ts | 6 ++ .../UpdateFunctionConfigurationCommand.ts | 2 +- clients/client-lambda/src/models/models_0.ts | 64 ++++++++++++++- .../src/protocols/Aws_restJson1.ts | 14 ++++ codegen/sdk-codegen/aws-models/lambda.json | 82 +++++++++++++++++-- 13 files changed, 184 insertions(+), 21 deletions(-) diff --git a/clients/client-lambda/src/commands/AddPermissionCommand.ts b/clients/client-lambda/src/commands/AddPermissionCommand.ts index 0f44a4d07add..288ad530da5f 100644 --- a/clients/client-lambda/src/commands/AddPermissionCommand.ts +++ b/clients/client-lambda/src/commands/AddPermissionCommand.ts @@ -28,15 +28,15 @@ export interface AddPermissionCommandInput extends AddPermissionRequest {} export interface AddPermissionCommandOutput extends AddPermissionResponse, __MetadataBearer {} /** - *

Grants an Amazon Web Service, Amazon Web Services account, or Amazon Web Services organization + *

Grants an Amazon Web Servicesservice, Amazon Web Services account, or Amazon Web Services organization * permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict * access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name * (ARN) of that version or alias to invoke the function. Note: Lambda does not support adding policies * to version $LATEST.

*

To grant permission to another account, specify the account ID as the Principal. To grant * permission to an organization defined in Organizations, specify the organization ID as the - * PrincipalOrgID. For Amazon Web Services, the principal is a domain-style identifier that - * the service defines, such as s3.amazonaws.com or sns.amazonaws.com. For Amazon Web Services, you can also specify the ARN of the associated resource as the SourceArn. If + * PrincipalOrgID. For Amazon Web Servicesservices, the principal is a domain-style identifier that + * the service defines, such as s3.amazonaws.com or sns.amazonaws.com. For Amazon Web Servicesservices, you can also specify the ARN of the associated resource as the SourceArn. If * you grant permission to a service principal without specifying the source, other accounts could potentially * configure resources in their account to invoke your Lambda function.

*

This operation adds a statement to a resource-based permissions policy for the function. For more information diff --git a/clients/client-lambda/src/commands/CreateEventSourceMappingCommand.ts b/clients/client-lambda/src/commands/CreateEventSourceMappingCommand.ts index 78fbac3ae2ae..86f01e3726d6 100644 --- a/clients/client-lambda/src/commands/CreateEventSourceMappingCommand.ts +++ b/clients/client-lambda/src/commands/CreateEventSourceMappingCommand.ts @@ -212,6 +212,7 @@ export interface CreateEventSourceMappingCommandOutput extends EventSourceMappin * CollectionName: "STRING_VALUE", * FullDocument: "UpdateLookup" || "Default", * }, + * KMSKeyArn: "STRING_VALUE", * }; * const command = new CreateEventSourceMappingCommand(input); * const response = await client.send(command); @@ -283,6 +284,11 @@ export interface CreateEventSourceMappingCommandOutput extends EventSourceMappin * // CollectionName: "STRING_VALUE", * // FullDocument: "UpdateLookup" || "Default", * // }, + * // KMSKeyArn: "STRING_VALUE", + * // FilterCriteriaError: { // FilterCriteriaError + * // ErrorCode: "STRING_VALUE", + * // Message: "STRING_VALUE", + * // }, * // }; * * ``` diff --git a/clients/client-lambda/src/commands/CreateFunctionCommand.ts b/clients/client-lambda/src/commands/CreateFunctionCommand.ts index e10296b7d749..be4a0e9a02ca 100644 --- a/clients/client-lambda/src/commands/CreateFunctionCommand.ts +++ b/clients/client-lambda/src/commands/CreateFunctionCommand.ts @@ -35,7 +35,7 @@ export interface CreateFunctionCommandOutput extends FunctionConfiguration, __Me /** *
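Review bot: The rewritten AddPermissionCommand doc comment fuses two words: it now reads `Amazon Web Servicesservice` and `Amazon Web Servicesservices`, where `Amazon Web Services service` and `Amazon Web Services services` are evidently meant. This is the paragraph that tells callers to pair a service principal with `SourceArn` so that other accounts cannot invoke the function through that service, so the wording should be unambiguous. The same fused text appears in the CreateFunctionCommand, DeleteFunctionCommand, RemovePermissionCommand and UpdateFunctionConfigurationCommand comments, in the AddPermissionRequest fields (`Principal`, `SourceArn`, `SourceAccount`) in models_0.ts, and in the matching `smithy.api#documentation` strings in lambda.json. The client files appear to be generated from that model, so the correction probably belongs in lambda.json or its upstream doc source, followed by a regeneration.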

Creates a Lambda function. To create a function, you need a deployment package and an execution role. The * deployment package is a .zip file archive or container image that contains your function code. The execution role - * grants the function permission to use Amazon Web Services, such as Amazon CloudWatch Logs for log + * grants the function permission to use Amazon Web Servicesservices, such as Amazon CloudWatch Logs for log * streaming and X-Ray for request tracing.

*

If the deployment package is a container * image, then you set the package type to Image. For a container image, the code property @@ -66,9 +66,9 @@ export interface CreateFunctionCommandOutput extends FunctionConfiguration, __Me * UpdateFunctionCode, Lambda checks that the code package has a valid signature from * a trusted publisher. The code-signing configuration includes set of signing profiles, which define the trusted * publishers for this function.

- *

If another Amazon Web Services account or an Amazon Web Service invokes your function, use AddPermission to grant permission by creating a resource-based Identity and Access Management (IAM) policy. You can grant permissions at the function level, on a version, or on an alias.

+ *

If another Amazon Web Services account or an Amazon Web Servicesservice invokes your function, use AddPermission to grant permission by creating a resource-based Identity and Access Management (IAM) policy. You can grant permissions at the function level, on a version, or on an alias.

*

To invoke your function directly, use Invoke. To invoke your function in response to events - * in other Amazon Web Services, create an event source mapping (CreateEventSourceMapping), + * in other Amazon Web Servicesservices, create an event source mapping (CreateEventSourceMapping), * or configure a function trigger in the other service. For more information, see Invoking Lambda * functions.

* @example diff --git a/clients/client-lambda/src/commands/DeleteEventSourceMappingCommand.ts b/clients/client-lambda/src/commands/DeleteEventSourceMappingCommand.ts index 8f72faa6c3a7..02d6e199d331 100644 --- a/clients/client-lambda/src/commands/DeleteEventSourceMappingCommand.ts +++ b/clients/client-lambda/src/commands/DeleteEventSourceMappingCommand.ts @@ -111,6 +111,11 @@ export interface DeleteEventSourceMappingCommandOutput extends EventSourceMappin * // CollectionName: "STRING_VALUE", * // FullDocument: "UpdateLookup" || "Default", * // }, + * // KMSKeyArn: "STRING_VALUE", + * // FilterCriteriaError: { // FilterCriteriaError + * // ErrorCode: "STRING_VALUE", + * // Message: "STRING_VALUE", + * // }, * // }; * * ``` diff --git a/clients/client-lambda/src/commands/DeleteFunctionCommand.ts b/clients/client-lambda/src/commands/DeleteFunctionCommand.ts index f4e318e05d99..33b6d9c8953c 100644 --- a/clients/client-lambda/src/commands/DeleteFunctionCommand.ts +++ b/clients/client-lambda/src/commands/DeleteFunctionCommand.ts @@ -31,7 +31,7 @@ export interface DeleteFunctionCommandOutput extends __MetadataBearer {} *

Deletes a Lambda function. To delete a specific function version, use the Qualifier parameter. * Otherwise, all versions and aliases are deleted. This doesn't require the user to have explicit * permissions for DeleteAlias.

- *

To delete Lambda event source mappings that invoke a function, use DeleteEventSourceMapping. For Amazon Web Services and resources that invoke your function + *

To delete Lambda event source mappings that invoke a function, use DeleteEventSourceMapping. For Amazon Web Servicesservices and resources that invoke your function * directly, delete the trigger in the service where you originally configured it.

* @example * Use a bare-bones client and the command you need to make an API call. diff --git a/clients/client-lambda/src/commands/GetEventSourceMappingCommand.ts b/clients/client-lambda/src/commands/GetEventSourceMappingCommand.ts index c6fb085966dd..010ad59aec76 100644 --- a/clients/client-lambda/src/commands/GetEventSourceMappingCommand.ts +++ b/clients/client-lambda/src/commands/GetEventSourceMappingCommand.ts @@ -109,6 +109,11 @@ export interface GetEventSourceMappingCommandOutput extends EventSourceMappingCo * // CollectionName: "STRING_VALUE", * // FullDocument: "UpdateLookup" || "Default", * // }, + * // KMSKeyArn: "STRING_VALUE", + * // FilterCriteriaError: { // FilterCriteriaError + * // ErrorCode: "STRING_VALUE", + * // Message: "STRING_VALUE", + * // }, * // }; * * ``` diff --git a/clients/client-lambda/src/commands/ListEventSourceMappingsCommand.ts b/clients/client-lambda/src/commands/ListEventSourceMappingsCommand.ts index 3309a1b1e2fc..93151b872fcc 100644 --- a/clients/client-lambda/src/commands/ListEventSourceMappingsCommand.ts +++ b/clients/client-lambda/src/commands/ListEventSourceMappingsCommand.ts @@ -115,6 +115,11 @@ export interface ListEventSourceMappingsCommandOutput extends ListEventSourceMap * // CollectionName: "STRING_VALUE", * // FullDocument: "UpdateLookup" || "Default", * // }, + * // KMSKeyArn: "STRING_VALUE", + * // FilterCriteriaError: { // FilterCriteriaError + * // ErrorCode: "STRING_VALUE", + * // Message: "STRING_VALUE", + * // }, * // }, * // ], * // }; diff --git a/clients/client-lambda/src/commands/RemovePermissionCommand.ts b/clients/client-lambda/src/commands/RemovePermissionCommand.ts index 0ae7c022de6e..2c712bda8091 100644 --- a/clients/client-lambda/src/commands/RemovePermissionCommand.ts +++ b/clients/client-lambda/src/commands/RemovePermissionCommand.ts 
@@ -28,7 +28,7 @@ export interface RemovePermissionCommandInput extends RemovePermissionRequest {} export interface RemovePermissionCommandOutput extends __MetadataBearer {} /** - *

Revokes function-use permission from an Amazon Web Service or another Amazon Web Services account. You + *

Revokes function-use permission from an Amazon Web Servicesservice or another Amazon Web Services account. You * can get the ID of the statement from the output of GetPolicy.

* @example * Use a bare-bones client and the command you need to make an API call. diff --git a/clients/client-lambda/src/commands/UpdateEventSourceMappingCommand.ts b/clients/client-lambda/src/commands/UpdateEventSourceMappingCommand.ts index 830c05bad910..f498e42feed0 100644 --- a/clients/client-lambda/src/commands/UpdateEventSourceMappingCommand.ts +++ b/clients/client-lambda/src/commands/UpdateEventSourceMappingCommand.ts @@ -192,6 +192,7 @@ export interface UpdateEventSourceMappingCommandOutput extends EventSourceMappin * CollectionName: "STRING_VALUE", * FullDocument: "UpdateLookup" || "Default", * }, + * KMSKeyArn: "STRING_VALUE", * }; * const command = new UpdateEventSourceMappingCommand(input); * const response = await client.send(command); @@ -263,6 +264,11 @@ export interface UpdateEventSourceMappingCommandOutput extends EventSourceMappin * // CollectionName: "STRING_VALUE", * // FullDocument: "UpdateLookup" || "Default", * // }, + * // KMSKeyArn: "STRING_VALUE", + * // FilterCriteriaError: { // FilterCriteriaError + * // ErrorCode: "STRING_VALUE", + * // Message: "STRING_VALUE", + * // }, * // }; * * ``` diff --git a/clients/client-lambda/src/commands/UpdateFunctionConfigurationCommand.ts b/clients/client-lambda/src/commands/UpdateFunctionConfigurationCommand.ts index fbabf9bfff07..770386c650de 100644 --- a/clients/client-lambda/src/commands/UpdateFunctionConfigurationCommand.ts +++ b/clients/client-lambda/src/commands/UpdateFunctionConfigurationCommand.ts @@ -47,7 +47,7 @@ export interface UpdateFunctionConfigurationCommandOutput extends FunctionConfig *

These settings can vary between versions of a function and are locked when you publish a version. You can't * modify the configuration of a published version, only the unpublished version.

*

To configure function concurrency, use PutFunctionConcurrency. To grant invoke permissions - * to an Amazon Web Services account or Amazon Web Service, use AddPermission.

+ * to an Amazon Web Services account or Amazon Web Servicesservice, use AddPermission.

* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-lambda/src/models/models_0.ts b/clients/client-lambda/src/models/models_0.ts index 3e5b9b5239a0..d28a45eb490c 100644 --- a/clients/client-lambda/src/models/models_0.ts +++ b/clients/client-lambda/src/models/models_0.ts @@ -397,7 +397,7 @@ export interface AddPermissionRequest { Action: string | undefined; /** - *

The Amazon Web Service or Amazon Web Services account that invokes the function. If you specify a + *

The Amazon Web Servicesservice or Amazon Web Services account that invokes the function. If you specify a * service, use SourceArn or SourceAccount to limit who can invoke the function through * that service.

* @public @@ -405,7 +405,7 @@ export interface AddPermissionRequest { Principal: string | undefined; /** - *

For Amazon Web Services, the ARN of the Amazon Web Services resource that invokes the function. For + *

For Amazon Web Servicesservices, the ARN of the Amazon Web Services resource that invokes the function. For * example, an Amazon S3 bucket or Amazon SNS topic.

*

Note that Lambda configures the comparison using the StringLike operator.

* @public @@ -413,7 +413,7 @@ export interface AddPermissionRequest { SourceArn?: string; /** - *

For Amazon Web Service, the ID of the Amazon Web Services account that owns the resource. Use this + *

For Amazon Web Servicesservice, the ID of the Amazon Web Services account that owns the resource. Use this * together with SourceArn to ensure that the specified account owns the resource. It is possible for an * Amazon S3 bucket to be deleted by its owner and recreated by another account.

* @public @@ -1263,6 +1263,35 @@ export interface CreateEventSourceMappingRequest { * @public */ DocumentDBEventSourceConfig?: DocumentDBEventSourceConfig; + + /** + *

+ * The ARN of the Key Management Service (KMS) customer managed key that Lambda + * uses to encrypt your function's filter criteria. + * By default, Lambda does not encrypt your filter criteria object. Specify this + * property to encrypt data using your own customer managed key. + *

+ * @public + */ + KMSKeyArn?: string; +} + +/** + *

An object that contains details about an error related to filter criteria encryption.

+ * @public + */ +export interface FilterCriteriaError { + /** + *

The KMS exception that resulted from filter criteria encryption or decryption.

+ * @public + */ + ErrorCode?: string; + + /** + *

The error message.

+ * @public + */ + Message?: string; } /** @@ -1325,6 +1354,10 @@ export interface EventSourceMappingConfiguration { /** *

An object that defines the filter criteria that * determine whether Lambda should process an event. For more information, see Lambda event filtering.

+ *

If filter criteria is encrypted, this field shows up as null in the response + * of ListEventSourceMapping API calls. You can view this field in plaintext in the response of + * GetEventSourceMapping and DeleteEventSourceMapping calls if you have + * kms:Decrypt permissions for the correct KMS key.

* @public */ FilterCriteria?: FilterCriteria; @@ -1449,6 +1482,20 @@ export interface EventSourceMappingConfiguration { * @public */ DocumentDBEventSourceConfig?: DocumentDBEventSourceConfig; + + /** + *
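Review bot: The added FilterCriteria paragraph names `ListEventSourceMapping`, but the operation touched elsewhere in this commit is `ListEventSourceMappings` (ListEventSourceMappingsCommand.ts), so the comment should read `of ListEventSourceMappings API calls`. It also says plaintext is returned by GetEventSourceMapping and DeleteEventSourceMapping only with `kms:Decrypt` on the key, without saying what a caller lacking that permission receives. A cross-reference such as `If the criteria cannot be decrypted, see FilterCriteriaError.` would close that gap, assuming that is how the new field is populated; confirm against the service behaviour. The enclosing EventSourceMappingConfiguration interface starts and ends outside this hunk, and the text presumably comes from lambda.json, so the fix belongs in the model.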

+ * The ARN of the Key Management Service (KMS) customer managed key that Lambda + * uses to encrypt your function's filter criteria.

+ * @public + */ + KMSKeyArn?: string; + + /** + *

An object that contains details about an error related to filter criteria encryption.

+ * @public + */ + FilterCriteriaError?: FilterCriteriaError; } /** @@ -7014,6 +7061,17 @@ export interface UpdateEventSourceMappingRequest { * @public */ DocumentDBEventSourceConfig?: DocumentDBEventSourceConfig; + + /** + *

+ * The ARN of the Key Management Service (KMS) customer managed key that Lambda + * uses to encrypt your function's filter criteria. + * By default, Lambda does not encrypt your filter criteria object. Specify this + * property to encrypt data using your own customer managed key. + *

+ * @public + */ + KMSKeyArn?: string; } /** diff --git a/clients/client-lambda/src/protocols/Aws_restJson1.ts b/clients/client-lambda/src/protocols/Aws_restJson1.ts index 97ec1cbc0037..660509819981 100644 --- a/clients/client-lambda/src/protocols/Aws_restJson1.ts +++ b/clients/client-lambda/src/protocols/Aws_restJson1.ts @@ -446,6 +446,7 @@ export const se_CreateEventSourceMappingCommand = async ( FilterCriteria: (_) => _json(_), FunctionName: [], FunctionResponseTypes: (_) => _json(_), + KMSKeyArn: [], MaximumBatchingWindowInSeconds: [], MaximumRecordAgeInSeconds: [], MaximumRetryAttempts: [], @@ -1689,6 +1690,7 @@ export const se_UpdateEventSourceMappingCommand = async ( FilterCriteria: (_) => _json(_), FunctionName: [], FunctionResponseTypes: (_) => _json(_), + KMSKeyArn: [], MaximumBatchingWindowInSeconds: [], MaximumRecordAgeInSeconds: [], MaximumRetryAttempts: [], @@ -1941,8 +1943,10 @@ export const de_CreateEventSourceMappingCommand = async ( DocumentDBEventSourceConfig: _json, EventSourceArn: __expectString, FilterCriteria: _json, + FilterCriteriaError: _json, FunctionArn: __expectString, FunctionResponseTypes: _json, + KMSKeyArn: __expectString, LastModified: (_) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))), LastProcessingResult: __expectString, MaximumBatchingWindowInSeconds: __expectInt32, @@ -2104,8 +2108,10 @@ export const de_DeleteEventSourceMappingCommand = async ( DocumentDBEventSourceConfig: _json, EventSourceArn: __expectString, FilterCriteria: _json, + FilterCriteriaError: _json, FunctionArn: __expectString, FunctionResponseTypes: _json, + KMSKeyArn: __expectString, LastModified: (_) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))), LastProcessingResult: __expectString, MaximumBatchingWindowInSeconds: __expectInt32, 
@@ -2339,8 +2345,10 @@ export const de_GetEventSourceMappingCommand = async ( DocumentDBEventSourceConfig: _json, EventSourceArn: __expectString, FilterCriteria: _json, + FilterCriteriaError: _json, FunctionArn: __expectString, FunctionResponseTypes: _json, + KMSKeyArn: __expectString, LastModified: (_) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))), LastProcessingResult: __expectString, MaximumBatchingWindowInSeconds: __expectInt32, @@ -3401,8 +3409,10 @@ export const de_UpdateEventSourceMappingCommand = async ( DocumentDBEventSourceConfig: _json, EventSourceArn: __expectString, FilterCriteria: _json, + FilterCriteriaError: _json, FunctionArn: __expectString, FunctionResponseTypes: _json, + KMSKeyArn: __expectString, LastModified: (_) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))), LastProcessingResult: __expectString, MaximumBatchingWindowInSeconds: __expectInt32, @@ -4797,8 +4807,10 @@ const de_EventSourceMappingConfiguration = (output: any, context: __SerdeContext DocumentDBEventSourceConfig: _json, EventSourceArn: __expectString, FilterCriteria: _json, + FilterCriteriaError: _json, FunctionArn: __expectString, FunctionResponseTypes: _json, + KMSKeyArn: __expectString, LastModified: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))), LastProcessingResult: __expectString, MaximumBatchingWindowInSeconds: __expectInt32, @@ -4840,6 +4852,8 @@ const de_EventSourceMappingsList = (output: any, context: __SerdeContext): Event // de_FilterCriteria omitted. +// de_FilterCriteriaError omitted. + // de_FilterList omitted. // de_FunctionArnList omitted. diff --git a/codegen/sdk-codegen/aws-models/lambda.json b/codegen/sdk-codegen/aws-models/lambda.json index 3b12de67a7a6..c0288cab588b 100644 --- a/codegen/sdk-codegen/aws-models/lambda.json +++ b/codegen/sdk-codegen/aws-models/lambda.json @@ -1753,7 +1753,7 @@ } ], "traits": { - "smithy.api#documentation": "

Grants an Amazon Web Service, Amazon Web Services account, or Amazon Web Services organization\n permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict\n access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name\n (ARN) of that version or alias to invoke the function. Note: Lambda does not support adding policies\n to version $LATEST.

\n

To grant permission to another account, specify the account ID as the Principal. To grant\n permission to an organization defined in Organizations, specify the organization ID as the\n PrincipalOrgID. For Amazon Web Services, the principal is a domain-style identifier that\n the service defines, such as s3.amazonaws.com or sns.amazonaws.com. For Amazon Web Services, you can also specify the ARN of the associated resource as the SourceArn. If\n you grant permission to a service principal without specifying the source, other accounts could potentially\n configure resources in their account to invoke your Lambda function.

\n

This operation adds a statement to a resource-based permissions policy for the function. For more information\n about function policies, see Using resource-based policies for Lambda.

", + "smithy.api#documentation": "

Grants an Amazon Web Servicesservice, Amazon Web Services account, or Amazon Web Services organization\n permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict\n access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name\n (ARN) of that version or alias to invoke the function. Note: Lambda does not support adding policies\n to version $LATEST.

\n

To grant permission to another account, specify the account ID as the Principal. To grant\n permission to an organization defined in Organizations, specify the organization ID as the\n PrincipalOrgID. For Amazon Web Servicesservices, the principal is a domain-style identifier that\n the service defines, such as s3.amazonaws.com or sns.amazonaws.com. For Amazon Web Servicesservices, you can also specify the ARN of the associated resource as the SourceArn. If\n you grant permission to a service principal without specifying the source, other accounts could potentially\n configure resources in their account to invoke your Lambda function.

\n

This operation adds a statement to a resource-based permissions policy for the function. For more information\n about function policies, see Using resource-based policies for Lambda.

", "smithy.api#http": { "method": "POST", "uri": "/2015-03-31/functions/{FunctionName}/policy", @@ -1789,20 +1789,20 @@ "Principal": { "target": "com.amazonaws.lambda#Principal", "traits": { - "smithy.api#documentation": "

The Amazon Web Service or Amazon Web Services account that invokes the function. If you specify a\n service, use SourceArn or SourceAccount to limit who can invoke the function through\n that service.

", + "smithy.api#documentation": "

The Amazon Web Servicesservice or Amazon Web Services account that invokes the function. If you specify a\n service, use SourceArn or SourceAccount to limit who can invoke the function through\n that service.

", "smithy.api#required": {} } }, "SourceArn": { "target": "com.amazonaws.lambda#Arn", "traits": { - "smithy.api#documentation": "

For Amazon Web Services, the ARN of the Amazon Web Services resource that invokes the function. For\n example, an Amazon S3 bucket or Amazon SNS topic.

\n

Note that Lambda configures the comparison using the StringLike operator.

" + "smithy.api#documentation": "

For Amazon Web Servicesservices, the ARN of the Amazon Web Services resource that invokes the function. For\n example, an Amazon S3 bucket or Amazon SNS topic.

\n

Note that Lambda configures the comparison using the StringLike operator.

" } }, "SourceAccount": { "target": "com.amazonaws.lambda#SourceOwner", "traits": { - "smithy.api#documentation": "

For Amazon Web Service, the ID of the Amazon Web Services account that owns the resource. Use this\n together with SourceArn to ensure that the specified account owns the resource. It is possible for an\n Amazon S3 bucket to be deleted by its owner and recreated by another account.

" + "smithy.api#documentation": "

For Amazon Web Servicesservice, the ID of the Amazon Web Services account that owns the resource. Use this\n together with SourceArn to ensure that the specified account owns the resource. It is possible for an\n Amazon S3 bucket to be deleted by its owner and recreated by another account.

" } }, "EventSourceToken": { @@ -2670,6 +2670,12 @@ "traits": { "smithy.api#documentation": "

Specific configuration settings for a DocumentDB event source.

" } + }, + "KMSKeyArn": { + "target": "com.amazonaws.lambda#KMSKeyArn", + "traits": { + "smithy.api#documentation": "

\n The ARN of the Key Management Service (KMS) customer managed key that Lambda\n uses to encrypt your function's filter criteria.\n By default, Lambda does not encrypt your filter criteria object. Specify this\n property to encrypt data using your own customer managed key.\n

" + } } }, "traits": { @@ -2714,7 +2720,7 @@ } ], "traits": { - "smithy.api#documentation": "

Creates a Lambda function. To create a function, you need a deployment package and an execution role. The\n deployment package is a .zip file archive or container image that contains your function code. The execution role\n grants the function permission to use Amazon Web Services, such as Amazon CloudWatch Logs for log\n streaming and X-Ray for request tracing.

\n

If the deployment package is a container\n image, then you set the package type to Image. For a container image, the code property\n must include the URI of a container image in the Amazon ECR registry. You do not need to specify the\n handler and runtime properties.

\n

If the deployment package is a .zip file archive, then\n you set the package type to Zip. For a .zip file archive, the code property specifies the location of\n the .zip file. You must also specify the handler and runtime properties. The code in the deployment package must\n be compatible with the target instruction set architecture of the function (x86-64 or\n arm64). If you do not specify the architecture, then the default value is\n x86-64.

\n

When you create a function, Lambda provisions an instance of the function and its supporting\n resources. If your function connects to a VPC, this process can take a minute or so. During this time, you can't\n invoke or modify the function. The State, StateReason, and StateReasonCode\n fields in the response from GetFunctionConfiguration indicate when the function is ready to\n invoke. For more information, see Lambda function states.

\n

A function has an unpublished version, and can have published versions and aliases. The unpublished version\n changes when you update your function's code and configuration. A published version is a snapshot of your function\n code and configuration that can't be changed. An alias is a named resource that maps to a version, and can be\n changed to map to a different version. Use the Publish parameter to create version 1 of\n your function from its initial configuration.

\n

The other parameters let you configure version-specific and function-level settings. You can modify\n version-specific settings later with UpdateFunctionConfiguration. Function-level settings apply\n to both the unpublished and published versions of the function, and include tags (TagResource)\n and per-function concurrency limits (PutFunctionConcurrency).

\n

You can use code signing if your deployment package is a .zip file archive. To enable code signing for this\n function, specify the ARN of a code-signing configuration. When a user attempts to deploy a code package with\n UpdateFunctionCode, Lambda checks that the code package has a valid signature from\n a trusted publisher. The code-signing configuration includes set of signing profiles, which define the trusted\n publishers for this function.

\n

If another Amazon Web Services account or an Amazon Web Service invokes your function, use AddPermission to grant permission by creating a resource-based Identity and Access Management (IAM) policy. You can grant permissions at the function level, on a version, or on an alias.

\n

To invoke your function directly, use Invoke. To invoke your function in response to events\n in other Amazon Web Services, create an event source mapping (CreateEventSourceMapping),\n or configure a function trigger in the other service. For more information, see Invoking Lambda\n functions.

", + "smithy.api#documentation": "

Creates a Lambda function. To create a function, you need a deployment package and an execution role. The\n deployment package is a .zip file archive or container image that contains your function code. The execution role\n grants the function permission to use Amazon Web Servicesservices, such as Amazon CloudWatch Logs for log\n streaming and X-Ray for request tracing.

\n

If the deployment package is a container\n image, then you set the package type to Image. For a container image, the code property\n must include the URI of a container image in the Amazon ECR registry. You do not need to specify the\n handler and runtime properties.

\n

If the deployment package is a .zip file archive, then\n you set the package type to Zip. For a .zip file archive, the code property specifies the location of\n the .zip file. You must also specify the handler and runtime properties. The code in the deployment package must\n be compatible with the target instruction set architecture of the function (x86-64 or\n arm64). If you do not specify the architecture, then the default value is\n x86-64.

\n

When you create a function, Lambda provisions an instance of the function and its supporting\n resources. If your function connects to a VPC, this process can take a minute or so. During this time, you can't\n invoke or modify the function. The State, StateReason, and StateReasonCode\n fields in the response from GetFunctionConfiguration indicate when the function is ready to\n invoke. For more information, see Lambda function states.

\n

A function has an unpublished version, and can have published versions and aliases. The unpublished version\n changes when you update your function's code and configuration. A published version is a snapshot of your function\n code and configuration that can't be changed. An alias is a named resource that maps to a version, and can be\n changed to map to a different version. Use the Publish parameter to create version 1 of\n your function from its initial configuration.

\n

The other parameters let you configure version-specific and function-level settings. You can modify\n version-specific settings later with UpdateFunctionConfiguration. Function-level settings apply\n to both the unpublished and published versions of the function, and include tags (TagResource)\n and per-function concurrency limits (PutFunctionConcurrency).

\n

You can use code signing if your deployment package is a .zip file archive. To enable code signing for this\n function, specify the ARN of a code-signing configuration. When a user attempts to deploy a code package with\n UpdateFunctionCode, Lambda checks that the code package has a valid signature from\n a trusted publisher. The code-signing configuration includes set of signing profiles, which define the trusted\n publishers for this function.

\n

If another Amazon Web Services account or an Amazon Web Servicesservice invokes your function, use AddPermission to grant permission by creating a resource-based Identity and Access Management (IAM) policy. You can grant permissions at the function level, on a version, or on an alias.

\n

To invoke your function directly, use Invoke. To invoke your function in response to events\n in other Amazon Web Servicesservices, create an event source mapping (CreateEventSourceMapping),\n or configure a function trigger in the other service. For more information, see Invoking Lambda\n functions.

", "smithy.api#http": { "method": "POST", "uri": "/2015-03-31/functions", @@ -3217,7 +3223,7 @@ } ], "traits": { - "smithy.api#documentation": "

Deletes a Lambda function. To delete a specific function version, use the Qualifier parameter.\n Otherwise, all versions and aliases are deleted. This doesn't require the user to have explicit\n permissions for DeleteAlias.

\n

To delete Lambda event source mappings that invoke a function, use DeleteEventSourceMapping. For Amazon Web Services and resources that invoke your function\n directly, delete the trigger in the service where you originally configured it.

", + "smithy.api#documentation": "

Deletes a Lambda function. To delete a specific function version, use the Qualifier parameter.\n Otherwise, all versions and aliases are deleted. This doesn't require the user to have explicit\n permissions for DeleteAlias.

\n

To delete Lambda event source mappings that invoke a function, use DeleteEventSourceMapping. For Amazon Web Servicesservices and resources that invoke your function\n directly, delete the trigger in the service where you originally configured it.

", "smithy.api#http": { "method": "DELETE", "uri": "/2015-03-31/functions/{FunctionName}", @@ -3968,7 +3974,7 @@ "FilterCriteria": { "target": "com.amazonaws.lambda#FilterCriteria", "traits": { - "smithy.api#documentation": "
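Review bot: The new DeleteFunction documentation string reads `Amazon Web Servicesservices and resources`, with no space between "Services" and "services", where the removed line had `Amazon Web Services and resources`. The same run-together wording, `Amazon Web Servicesservice`, is on the new side of the hunks at `@@ -9850,7 +9908,7 @@` and `@@ -11696,7 +11760,7 @@`, and these strings feed the generated client doc comments. If this page shows the file's text faithfully, it should read `Amazon Web Services services and resources` here and `Amazon Web Services service` in the other two.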

An object that defines the filter criteria that\n determine whether Lambda should process an event. For more information, see Lambda event filtering.

" + "smithy.api#documentation": "

An object that defines the filter criteria that\n determine whether Lambda should process an event. For more information, see Lambda event filtering.

\n

If filter criteria is encrypted, this field shows up as null in the response\n of ListEventSourceMapping API calls. You can view this field in plaintext in the response of\n GetEventSourceMapping and DeleteEventSourceMapping calls if you have\n kms:Decrypt permissions for the correct KMS key.

" } }, "FunctionArn": { @@ -4084,6 +4090,18 @@ "traits": { "smithy.api#documentation": "
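Review bot: The added FilterCriteria paragraph refers to `ListEventSourceMapping API calls`, but the operation touched by this commit is ListEventSourceMappings (see `ListEventSourceMappingsCommand.ts` in the file list), so the reference should use the plural name. The paragraph also leaves two cases unstated that matter when auditing mappings: a null `FilterCriteria` in a list response no longer means that no filter is set, and nothing says what GetEventSourceMapping or DeleteEventSourceMapping return to a caller without `kms:Decrypt`. I would add a sentence such as `A null value does not mean that no filter is configured; check KMSKeyArn and FilterCriteriaError.`, assuming the members added in the next hunk sit on the same structure.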

Specific configuration settings for a DocumentDB event source.

" } + }, + "KMSKeyArn": { + "target": "com.amazonaws.lambda#KMSKeyArn", + "traits": { + "smithy.api#documentation": "

\n The ARN of the Key Management Service (KMS) customer managed key that Lambda\n uses to encrypt your function's filter criteria.

" + } + }, + "FilterCriteriaError": { + "target": "com.amazonaws.lambda#FilterCriteriaError", + "traits": { + "smithy.api#documentation": "

An object that contains details about an error related to filter criteria encryption.

" + } } }, "traits": { @@ -4201,6 +4219,46 @@ "smithy.api#documentation": "

\n An object that contains the filters for an event source.\n

" } }, + "com.amazonaws.lambda#FilterCriteriaError": { + "type": "structure", + "members": { + "ErrorCode": { + "target": "com.amazonaws.lambda#FilterCriteriaErrorCode", + "traits": { + "smithy.api#documentation": "

The KMS exception that resulted from filter criteria encryption or decryption.

" + } + }, + "Message": { + "target": "com.amazonaws.lambda#FilterCriteriaErrorMessage", + "traits": { + "smithy.api#documentation": "

The error message.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

An object that contains details about an error related to filter criteria encryption.

" + } + }, + "com.amazonaws.lambda#FilterCriteriaErrorCode": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 10, + "max": 50 + }, + "smithy.api#pattern": "^[A-Za-z]+Exception$" + } + }, + "com.amazonaws.lambda#FilterCriteriaErrorMessage": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 10, + "max": 2048 + }, + "smithy.api#pattern": ".*" + } + }, "com.amazonaws.lambda#FilterList": { "type": "list", "member": { @@ -9850,7 +9908,7 @@ } ], "traits": { - "smithy.api#documentation": "
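Review bot: `FilterCriteriaErrorMessage` is declared with `"smithy.api#pattern": ".*"`, which rejects nothing, and neither it nor `FilterCriteriaErrorCode` carries a `smithy.api#documentation` trait. Because `ErrorCode` is an open string constrained only by `^[A-Za-z]+Exception$` rather than an enum, consumers cannot tell which values to handle. The documentation on the `ErrorCode` member should say whether the set of KMS exception names is fixed or may grow. I would drop the `.*` pattern line and document `Message` as free-form text for callers to display or log rather than parse.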

Revokes function-use permission from an Amazon Web Service or another Amazon Web Services account. You\n can get the ID of the statement from the output of GetPolicy.

", + "smithy.api#documentation": "

Revokes function-use permission from an Amazon Web Servicesservice or another Amazon Web Services account. You\n can get the ID of the statement from the output of GetPolicy.

", "smithy.api#http": { "method": "DELETE", "uri": "/2015-03-31/functions/{FunctionName}/policy/{StatementId}", @@ -11531,6 +11589,12 @@ "traits": { "smithy.api#documentation": "

Specific configuration settings for a DocumentDB event source.

" } + }, + "KMSKeyArn": { + "target": "com.amazonaws.lambda#KMSKeyArn", + "traits": { + "smithy.api#documentation": "

\n The ARN of the Key Management Service (KMS) customer managed key that Lambda\n uses to encrypt your function's filter criteria.\n By default, Lambda does not encrypt your filter criteria object. Specify this\n property to encrypt data using your own customer managed key.\n

" + } } }, "traits": { @@ -11696,7 +11760,7 @@ } ], "traits": { - "smithy.api#documentation": "

Modify the version-specific settings of a Lambda function.

\n

When you update a function, Lambda provisions an instance of the function and its supporting\n resources. If your function connects to a VPC, this process can take a minute. During this time, you can't modify\n the function, but you can still invoke it. The LastUpdateStatus, LastUpdateStatusReason,\n and LastUpdateStatusReasonCode fields in the response from GetFunctionConfiguration\n indicate when the update is complete and the function is processing events with the new configuration. For more\n information, see Lambda\n function states.

\n

These settings can vary between versions of a function and are locked when you publish a version. You can't\n modify the configuration of a published version, only the unpublished version.

\n

To configure function concurrency, use PutFunctionConcurrency. To grant invoke permissions\n to an Amazon Web Services account or Amazon Web Service, use AddPermission.

", + "smithy.api#documentation": "

Modify the version-specific settings of a Lambda function.

\n

When you update a function, Lambda provisions an instance of the function and its supporting\n resources. If your function connects to a VPC, this process can take a minute. During this time, you can't modify\n the function, but you can still invoke it. The LastUpdateStatus, LastUpdateStatusReason,\n and LastUpdateStatusReasonCode fields in the response from GetFunctionConfiguration\n indicate when the update is complete and the function is processing events with the new configuration. For more\n information, see Lambda\n function states.

\n

These settings can vary between versions of a function and are locked when you publish a version. You can't\n modify the configuration of a published version, only the unpublished version.

\n

To configure function concurrency, use PutFunctionConcurrency. To grant invoke permissions\n to an Amazon Web Services account or Amazon Web Servicesservice, use AddPermission.

", "smithy.api#http": { "method": "PUT", "uri": "/2015-03-31/functions/{FunctionName}/configuration",