Merge branch 'release/v1.27.0'

README.md

@@ -87,7 +87,7 @@ Read the [SAM Documentation Contribution Guide](https://github.com/awsdocs/aws-s
 started. 
 
 ### Join the SAM Community on Slack
-[Join the SAM developers channel (#samdev)](https://join.slack.com/t/awsdevelopers/shared_invite/enQtMzg3NTc5OTM2MzcxLTIxNjc0ZTJkNmYyNWY3OWE4NTFiNzU1ZTM2Y2VkNmFlNjQ2YjI3YTE1ZDA5YjE5NDE2MjVmYWFlYWIxNjE2NjU) on Slack to collaborate with fellow community members and the AWS SAM team.
+[Join the SAM developers channel (#samdev)](https://join.slack.com/t/awsdevelopers/shared_invite/zt-h82odes6-qYN2Cxit7hBGIvC6oMjGpg) on Slack to collaborate with fellow community members and the AWS SAM team.
 
 
 

docs/policy_templates.rst

@@ -74,4 +74,4 @@ folder.
       - CloudWatchPutMetricPolicy: {}      
 
 .. _policy_templates.json: https://github.com/awslabs/serverless-application-model/blob/develop/samtranslator/policy_templates_data/policy_templates.json
-.. _all_policy_templates.yaml: https://github.com/awslabs/serverless-application-model/blob/develop/examples/2016-10-31/policy_templates/all_policy_templates.yaml
+.. _all_policy_templates.yaml: https://github.com/awslabs/serverless-application-model/blob/develop/tests/translator/input/all_policy_templates.yaml

requirements/base.txt

@@ -1,3 +1,4 @@
+pyrsistent~=0.16.0; python_version<"3"
 boto3~=1.5
 enum34~=1.1; python_version<"3.4"
 jsonschema~=3.0

samtranslator/__init__.py

@@ -1 +1 @@
-__version__ = "1.26.0"
+__version__ = "1.27.0"

samtranslator/model/lambda_.py

@@ -107,7 +107,7 @@ class LambdaLayerVersion(Resource):
         "Content": PropertyType(True, is_type(dict)),
         "Description": PropertyType(False, is_str()),
         "LayerName": PropertyType(False, is_str()),
-        "CompatibleRuntimes": PropertyType(False, list_of(is_str())),
+        "CompatibleRuntimes": PropertyType(False, list_of(one_of(is_str(), is_type(dict)))),
         "LicenseInfo": PropertyType(False, is_str()),
     }
 

samtranslator/model/sam_resources.py

@@ -66,7 +66,7 @@ class SamFunction(SamResourceMacro):
         "VpcConfig": PropertyType(False, is_type(dict)),
         "Role": PropertyType(False, is_str()),
         "AssumeRolePolicyDocument": PropertyType(False, is_type(dict)),
-        "Policies": PropertyType(False, one_of(is_str(), list_of(one_of(is_str(), is_type(dict), is_type(dict))))),
+        "Policies": PropertyType(False, one_of(is_str(), is_type(dict), list_of(one_of(is_str(), is_type(dict))))),
         "PermissionsBoundary": PropertyType(False, is_str()),
         "Environment": PropertyType(False, dict_of(is_str(), is_type(dict))),
         "Events": PropertyType(False, dict_of(is_str(), is_type(dict))),
@@ -1015,7 +1015,7 @@ class SamLayerVersion(SamResourceMacro):
         "LayerName": PropertyType(False, one_of(is_str(), is_type(dict))),
         "Description": PropertyType(False, is_str()),
         "ContentUri": PropertyType(True, one_of(is_str(), is_type(dict))),
-        "CompatibleRuntimes": PropertyType(False, list_of(is_str())),
+        "CompatibleRuntimes": PropertyType(False, list_of(one_of(is_str(), is_type(dict)))),
         "LicenseInfo": PropertyType(False, is_str()),
         "RetentionPolicy": PropertyType(False, is_str()),
     }
@@ -1121,6 +1121,7 @@ class SamStateMachine(SamResourceMacro):
         "Type": PropertyType(False, is_str()),
         "Tags": PropertyType(False, is_type(dict)),
         "Policies": PropertyType(False, one_of(is_str(), list_of(one_of(is_str(), is_type(dict), is_type(dict))))),
+        "Tracing": PropertyType(False, is_type(dict)),
     }
     event_resolver = ResourceTypeResolver(samtranslator.model.stepfunctions.events,)
 
@@ -1142,6 +1143,7 @@ def to_cloudformation(self, **kwargs):
             definition_substitutions=self.DefinitionSubstitutions,
             role=self.Role,
             state_machine_type=self.Type,
+            tracing=self.Tracing,
             events=self.Events,
             event_resources=event_resources,
             event_resolver=self.event_resolver,

samtranslator/model/stepfunctions/generators.py

@@ -40,6 +40,7 @@ def __init__(
         definition_substitutions,
         role,
         state_machine_type,
+        tracing,
         events,
         event_resources,
         event_resolver,
@@ -62,6 +63,7 @@ def __init__(
         :param definition_substitutions: Variable-to-value mappings to be replaced in the State Machine definition
         :param role: Role ARN to use for the execution role
         :param state_machine_type: Type of the State Machine
+        :param tracing: Tracing configuration for the State Machine
         :param events: List of event sources for the State Machine
         :param event_resources: Event resources to link
         :param event_resolver: Resolver that maps Event types to Event classes
@@ -83,6 +85,7 @@ def __init__(
         self.definition_substitutions = definition_substitutions
         self.role = role
         self.type = state_machine_type
+        self.tracing = tracing
         self.events = events
         self.event_resources = event_resources
         self.event_resolver = event_resolver
@@ -144,6 +147,7 @@ def to_cloudformation(self):
         self.state_machine.StateMachineName = self.name
         self.state_machine.StateMachineType = self.type
         self.state_machine.LoggingConfiguration = self.logging
+        self.state_machine.TracingConfiguration = self.tracing
         self.state_machine.Tags = self._construct_tag_list()
 
         event_resources = self._generate_event_resources()

samtranslator/model/stepfunctions/resources.py

@@ -15,6 +15,7 @@ class StepFunctionsStateMachine(Resource):
         "StateMachineType": PropertyType(False, is_str()),
         "Tags": PropertyType(False, list_of(is_type(dict))),
         "DefinitionSubstitutions": PropertyType(False, is_type(dict)),
+        "TracingConfiguration": PropertyType(False, is_type(dict)),
     }
 
     runtime_attrs = {

samtranslator/swagger/swagger.py

@@ -3,8 +3,8 @@
 import re
 from six import string_types
 
-from samtranslator.model.intrinsics import ref, is_intrinsic_no_value
-from samtranslator.model.intrinsics import make_conditional, fnSub, is_intrinsic_if
+from samtranslator.model.intrinsics import ref
+from samtranslator.model.intrinsics import make_conditional, fnSub
 from samtranslator.model.exceptions import InvalidDocumentException, InvalidTemplateException
 
 
@@ -853,6 +853,10 @@ def add_resource_policy(self, resource_policy, path, api_id, stage):
         ip_range_blacklist = resource_policy.get("IpRangeBlacklist")
         source_vpc_whitelist = resource_policy.get("SourceVpcWhitelist")
         source_vpc_blacklist = resource_policy.get("SourceVpcBlacklist")
+        source_vpc_intrinsic_whitelist = resource_policy.get("IntrinsicVpcWhitelist")
+        source_vpce_intrinsic_whitelist = resource_policy.get("IntrinsicVpceWhitelist")
+        source_vpc_intrinsic_blacklist = resource_policy.get("IntrinsicVpcBlacklist")
+        source_vpce_intrinsic_blacklist = resource_policy.get("IntrinsicVpceBlacklist")
 
         if aws_account_whitelist is not None:
             resource_list = self._get_method_path_uri_list(path, api_id, stage)
@@ -870,13 +874,31 @@ def add_resource_policy(self, resource_policy, path, api_id, stage):
             resource_list = self._get_method_path_uri_list(path, api_id, stage)
             self._add_ip_resource_policy_for_method(ip_range_blacklist, "IpAddress", resource_list)
 
-        if source_vpc_whitelist is not None:
+        if (
+            (source_vpc_blacklist is not None)
+            or (source_vpc_intrinsic_blacklist is not None)
+            or (source_vpce_intrinsic_blacklist is not None)
+        ):
+            blacklist_dict = {
+                "StringEndpointList": source_vpc_blacklist,
+                "IntrinsicVpcList": source_vpc_intrinsic_blacklist,
+                "IntrinsicVpceList": source_vpce_intrinsic_blacklist,
+            }
             resource_list = self._get_method_path_uri_list(path, api_id, stage)
-            self._add_vpc_resource_policy_for_method(source_vpc_whitelist, "StringNotEquals", resource_list)
+            self._add_vpc_resource_policy_for_method(blacklist_dict, "StringEquals", resource_list)
 
-        if source_vpc_blacklist is not None:
+        if (
+            (source_vpc_whitelist is not None)
+            or (source_vpc_intrinsic_whitelist is not None)
+            or (source_vpce_intrinsic_whitelist is not None)
+        ):
+            whitelist_dict = {
+                "StringEndpointList": source_vpc_whitelist,
+                "IntrinsicVpcList": source_vpc_intrinsic_whitelist,
+                "IntrinsicVpceList": source_vpce_intrinsic_whitelist,
+            }
             resource_list = self._get_method_path_uri_list(path, api_id, stage)
-            self._add_vpc_resource_policy_for_method(source_vpc_blacklist, "StringEquals", resource_list)
+            self._add_vpc_resource_policy_for_method(whitelist_dict, "StringNotEquals", resource_list)
 
         self._doc[self._X_APIGW_POLICY] = self.resource_policy
 
@@ -980,33 +1002,44 @@ def _add_ip_resource_policy_for_method(self, ip_list, conditional, resource_list
                 statement.extend([deny_statement])
             self.resource_policy["Statement"] = statement
 
-    def _add_vpc_resource_policy_for_method(self, endpoint_list, conditional, resource_list):
+    def _add_vpc_resource_policy_for_method(self, endpoint_dict, conditional, resource_list):
         """
         This method generates a policy statement to grant/deny specific VPC/VPCE access to the API method and
         appends it to the swagger under `x-amazon-apigateway-policy`
         :raises ValueError: If the conditional passed in does not match the allowed values.
         """
-        if not endpoint_list:
-            return
 
         if conditional not in ["StringNotEquals", "StringEquals"]:
             raise ValueError("Conditional must be one of {}".format(["StringNotEquals", "StringEquals"]))
 
-        vpce_regex = r"^vpce-"
-        vpc_regex = r"^vpc-"
-        vpc_list = []
-        vpce_list = []
-        for endpoint in endpoint_list:
-            if re.match(vpce_regex, endpoint):
-                vpce_list.append(endpoint)
-            if re.match(vpc_regex, endpoint):
-                vpc_list.append(endpoint)
-
         condition = {}
-        if vpc_list:
-            condition["aws:SourceVpc"] = vpc_list
-        if vpce_list:
-            condition["aws:SourceVpce"] = vpce_list
+        string_endpoint_list = endpoint_dict.get("StringEndpointList")
+        intrinsic_vpc_endpoint_list = endpoint_dict.get("IntrinsicVpcList")
+        intrinsic_vpce_endpoint_list = endpoint_dict.get("IntrinsicVpceList")
+
+        if string_endpoint_list is not None:
+            vpce_regex = r"^vpce-"
+            vpc_regex = r"^vpc-"
+            vpc_list = []
+            vpce_list = []
+            for endpoint in string_endpoint_list:
+                if re.match(vpce_regex, endpoint):
+                    vpce_list.append(endpoint)
+                if re.match(vpc_regex, endpoint):
+                    vpc_list.append(endpoint)
+            if vpc_list:
+                condition.setdefault("aws:SourceVpc", []).extend(vpc_list)
+            if vpce_list:
+                condition.setdefault("aws:SourceVpce", []).extend(vpce_list)
+        if intrinsic_vpc_endpoint_list is not None:
+            condition.setdefault("aws:SourceVpc", []).extend(intrinsic_vpc_endpoint_list)
+        if intrinsic_vpce_endpoint_list is not None:
+            condition.setdefault("aws:SourceVpce", []).extend(intrinsic_vpce_endpoint_list)
+
+        # Skip writing to transformed template if both vpc and vpce endpoint lists are empty
+        if (not condition.get("aws:SourceVpc", [])) and (not condition.get("aws:SourceVpce", [])):
+            return
+
         self.resource_policy["Version"] = "2012-10-17"
         allow_statement = {}
         allow_statement["Effect"] = "Allow"

tests/model/stepfunctions/test_state_machine_generator.py

@@ -22,6 +22,7 @@ def setUp(self):
             "definition_substitutions": None,
             "role": None,
             "state_machine_type": None,
+            "tracing": None,
             "events": None,
             "event_resources": None,
             "event_resolver": None,