@exabugs/dynamodb-client 0.7.2 → 0.7.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +13 -0
- package/dist/server/handler.cjs +2 -2
- package/package.json +1 -1
- package/terraform/main.tf +27 -1
package/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [0.7.3] - 2025-12-28
|
|
11
|
+
|
|
12
|
+
### Fixed
|
|
13
|
+
|
|
14
|
+
- **Lambda KMS Access**: Added AWS default KMS key access permissions for Lambda execution environment (ADR-003)
|
|
15
|
+
- **KMSAccessDeniedException**: Resolved Lambda startup failure due to missing KMS permissions
|
|
16
|
+
- **Lambda Runtime**: Added conditional access to default KMS key used by Lambda service for function protection
|
|
17
|
+
|
|
18
|
+
### Security
|
|
19
|
+
|
|
20
|
+
- **KMS Permissions**: Limited KMS access to Lambda service only with conditional access control
|
|
21
|
+
- **Least Privilege**: Maintained security with service-specific KMS access restrictions
|
|
22
|
+
|
|
10
23
|
## [0.7.2] - 2024-12-28
|
|
11
24
|
|
|
12
25
|
### Fixed
|
package/dist/server/handler.cjs
CHANGED
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@exabugs/dynamodb-client",
|
|
3
|
-
"version": "0.7.
|
|
3
|
+
"version": "0.7.3",
|
|
4
4
|
"description": "DynamoDB Single-Table Client SDK with MongoDB-like API, Shadow Records, and Lambda implementation for serverless applications",
|
|
5
5
|
"author": "exabugs",
|
|
6
6
|
"license": "MIT",
|
package/terraform/main.tf
CHANGED
|
@@ -90,6 +90,31 @@ resource "aws_iam_role_policy" "records_kms" {
|
|
|
90
90
|
})
|
|
91
91
|
}
|
|
92
92
|
|
|
93
|
+
# カスタムインラインポリシー: KMSデフォルトキーアクセス(Lambda実行環境用)
|
|
94
|
+
# AWS LambdaのデフォルトKMSキーへのアクセス権限(ADR-003)
|
|
95
|
+
resource "aws_iam_role_policy" "records_kms_default" {
|
|
96
|
+
name = "kms-default-access"
|
|
97
|
+
role = aws_iam_role.lambda_records.id
|
|
98
|
+
|
|
99
|
+
policy = jsonencode({
|
|
100
|
+
Version = "2012-10-17"
|
|
101
|
+
Statement = [
|
|
102
|
+
{
|
|
103
|
+
Effect = "Allow"
|
|
104
|
+
Action = [
|
|
105
|
+
"kms:Decrypt"
|
|
106
|
+
]
|
|
107
|
+
Resource = "*"
|
|
108
|
+
Condition = {
|
|
109
|
+
StringEquals = {
|
|
110
|
+
"kms:ViaService" = "lambda.${var.region}.amazonaws.com"
|
|
111
|
+
}
|
|
112
|
+
}
|
|
113
|
+
}
|
|
114
|
+
]
|
|
115
|
+
})
|
|
116
|
+
}
|
|
117
|
+
|
|
93
118
|
# CloudWatch Logsロググループ
|
|
94
119
|
resource "aws_cloudwatch_log_group" "lambda_records" {
|
|
95
120
|
name = "/aws/lambda/${var.project_name}-${var.environment}-records"
|
|
@@ -153,7 +178,8 @@ resource "aws_lambda_function" "records" {
|
|
|
153
178
|
depends_on = [
|
|
154
179
|
aws_cloudwatch_log_group.lambda_records,
|
|
155
180
|
aws_iam_role_policy.records_dynamodb,
|
|
156
|
-
aws_iam_role_policy.records_kms
|
|
181
|
+
aws_iam_role_policy.records_kms,
|
|
182
|
+
aws_iam_role_policy.records_kms_default
|
|
157
183
|
]
|
|
158
184
|
|
|
159
185
|
tags = {
|