@exabugs/dynamodb-client 0.7.2 → 0.7.4

package/CHANGELOG.md

@@ -7,6 +7,37 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.7.4] - 2025-12-28
+
+### Fixed
+
+- **Lambda KMS Encryption**: Disabled KMS encryption for Lambda function to resolve persistent KMSAccessDeniedException (ADR-004)
+- **Lambda Startup**: Fixed Lambda function startup failure by explicitly setting `kms_key_arn = ""`
+- **502 Bad Gateway**: Resolved Function URL errors caused by Lambda execution environment KMS issues
+
+### Changed
+
+- **Security Model**: Moved from KMS-encrypted Lambda environment to unencrypted for compatibility
+- **ADR-003 Deprecated**: Replaced complex KMS permission approach with simpler encryption disable approach
+
+### Technical
+
+- **Terraform**: Added `kms_key_arn = ""` to Lambda function configuration
+- **Architecture Decision**: Created ADR-004 to document KMS encryption disable decision
+
+## [0.7.3] - 2025-12-28
+
+### Fixed
+
+- **Lambda KMS Access**: Added AWS default KMS key access permissions for Lambda execution environment (ADR-003)
+- **KMSAccessDeniedException**: Resolved Lambda startup failure due to missing KMS permissions
+- **Lambda Runtime**: Added conditional access to default KMS key used by Lambda service for function protection
+
+### Security
+
+- **KMS Permissions**: Limited KMS access to Lambda service only with conditional access control
+- **Least Privilege**: Maintained security with service-specific KMS access restrictions
+
 ## [0.7.2] - 2024-12-28
 
 ### Fixed

package/dist/server/handler.cjs

@@ -1,5 +1,5 @@
-// @exabugs/dynamodb-client v0.7.2
-// Built: 2025-12-28T10:11:50.560Z
+// @exabugs/dynamodb-client v0.7.4
+// Built: 2025-12-28T10:39:29.906Z
 "use strict";
 var __create = Object.create;
 var __defProp = Object.defineProperty;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@exabugs/dynamodb-client",
-  "version": "0.7.2",
+  "version": "0.7.4",
   "description": "DynamoDB Single-Table Client SDK with MongoDB-like API, Shadow Records, and Lambda implementation for serverless applications",
   "author": "exabugs",
   "license": "MIT",

package/terraform/main.tf

@@ -90,6 +90,31 @@ resource "aws_iam_role_policy" "records_kms" {
   })
 }
 
+# カスタムインラインポリシー: KMSデフォルトキーアクセス（Lambda実行環境用）
+# AWS LambdaのデフォルトKMSキーへのアクセス権限（ADR-003）
+resource "aws_iam_role_policy" "records_kms_default" {
+  name = "kms-default-access"
+  role = aws_iam_role.lambda_records.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "kms:Decrypt"
+        ]
+        Resource = "*"
+        Condition = {
+          StringEquals = {
+            "kms:ViaService" = "lambda.${var.region}.amazonaws.com"
+          }
+        }
+      }
+    ]
+  })
+}
+
 # CloudWatch Logsロググループ
 resource "aws_cloudwatch_log_group" "lambda_records" {
   name              = "/aws/lambda/${var.project_name}-${var.environment}-records"
@@ -126,6 +151,10 @@ resource "aws_lambda_function" "records" {
   timeout     = 30
   memory_size = 512
 
+  # KMS暗号化を明示的に無効化（ADR-004）
+  # AWS管理のデフォルトKMSキーアクセス権限の問題を回避
+  kms_key_arn = ""
+
   # 環境変数
   environment {
     variables = {
@@ -153,7 +182,8 @@ resource "aws_lambda_function" "records" {
   depends_on = [
     aws_cloudwatch_log_group.lambda_records,
     aws_iam_role_policy.records_dynamodb,
-    aws_iam_role_policy.records_kms
+    aws_iam_role_policy.records_kms,
+    aws_iam_role_policy.records_kms_default
   ]
 
   tags = {