@exabugs/dynamodb-client 0.7.3 → 0.7.5
- package/CHANGELOG.md +29 -0
- package/dist/server/handler.cjs +2 -2
- package/package.json +1 -1
- package/terraform/main.tf +8 -51
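--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -7,6 +7,35 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.7.5] - 2025-12-28
+
+### Removed
+
+- **All KMS Settings Verification**: Removed all KMS-related settings to verify if they were actually necessary
+- Removed `aws_iam_role_policy.records_kms_default` IAM policy resource (Lambda execution environment)
+- Removed `aws_iam_role_policy.records_kms` IAM policy resource (Parameter Store access)
+- Removed `kms_key_arn = ""` setting from Lambda function
+- Current Lambda function uses only environment variables, not Parameter Store SecureString
+- This is part of ADR-005 verification to determine the true cause of Lambda Function URL issues
+
+## [0.7.4] - 2025-12-28
+
+### Fixed
+
+- **Lambda KMS Encryption**: Disabled KMS encryption for Lambda function to resolve persistent KMSAccessDeniedException (ADR-004)
+- **Lambda Startup**: Fixed Lambda function startup failure by explicitly setting `kms_key_arn = ""`
+- **502 Bad Gateway**: Resolved Function URL errors caused by Lambda execution environment KMS issues
+
+### Changed
+
+- **Security Model**: Moved from KMS-encrypted Lambda environment to unencrypted for compatibility
+- **ADR-003 Deprecated**: Replaced complex KMS permission approach with simpler encryption disable approach
+
+### Technical
+
+- **Terraform**: Added `kms_key_arn = ""` to Lambda function configuration
+- **Architecture Decision**: Created ADR-004 to document KMS encryption disable decision
+
 ## [0.7.3] - 2025-12-28
 
 ### Fixed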
package/dist/server/handler.cjs
CHANGED
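--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@exabugs/dynamodb-client",
-"version": "0.7.
+"version": "0.7.5",
 "description": "DynamoDB Single-Table Client SDK with MongoDB-like API, Shadow Records, and Lambda implementation for serverless applications",
 "author": "exabugs",
 "license": "MIT",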
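--- a/package/terraform/main.tf
+++ b/package/terraform/main.tf
@@ -65,55 +65,10 @@ resource "aws_iam_role_policy" "records_dynamodb" {
 })
 }
 
-#
-# Lambda
-resource "aws_iam_role_policy" "records_kms" {
-name = "kms-access"
-role = aws_iam_role.lambda_records.id
+# Parameter Store用KMSアクセスポリシーを削除(ADR-005による検証)
+# 現在のLambda関数は環境変数のみを使用し、Parameter StoreのSecureStringは使用していない
 
-
-Version = "2012-10-17"
-Statement = [
-{
-Effect = "Allow"
-Action = [
-"kms:Decrypt"
-]
-Resource = "*"
-Condition = {
-StringEquals = {
-"kms:ViaService" = "ssm.${var.region}.amazonaws.com"
-}
-}
-}
-]
-})
-}
-
-# カスタムインラインポリシー: KMSデフォルトキーアクセス(Lambda実行環境用)
-# AWS LambdaのデフォルトKMSキーへのアクセス権限(ADR-003)
-resource "aws_iam_role_policy" "records_kms_default" {
-name = "kms-default-access"
-role = aws_iam_role.lambda_records.id
-
-policy = jsonencode({
-Version = "2012-10-17"
-Statement = [
-{
-Effect = "Allow"
-Action = [
-"kms:Decrypt"
-]
-Resource = "*"
-Condition = {
-StringEquals = {
-"kms:ViaService" = "lambda.${var.region}.amazonaws.com"
-}
-}
-}
-]
-})
-}
+# KMSデフォルトキーアクセスポリシーを削除(ADR-005による検証)
 
 # CloudWatch Logsロググループ
 resource "aws_cloudwatch_log_group" "lambda_records" {
@@ -151,6 +106,9 @@ resource "aws_lambda_function" "records" {
 timeout = 30
 memory_size = 512
 
+# KMS暗号化設定を削除(ADR-005による検証)
+# kms_key_arn = ""
+
 # 環境変数
 environment {
 variables = {
@@ -177,9 +135,8 @@ resource "aws_lambda_function" "records" {
 # CloudWatch Logsへの依存関係を明示
 depends_on = [
 aws_cloudwatch_log_group.lambda_records,
-aws_iam_role_policy.records_dynamodb
-aws_iam_role_policy.records_kms
-aws_iam_role_policy.records_kms_default
+aws_iam_role_policy.records_dynamodb
+# aws_iam_role_policy.records_kms # ADR-005による検証のため削除(Parameter Store未使用)
 ]
 
 tags = {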
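Review bot: In `aws_lambda_function.records` (new lines 109–110) the commented-out `# kms_key_arn = ""` leaves the resulting encryption state undocumented: with the argument unset, Lambda still encrypts environment variables at rest with its default service key, so the environment is not "unencrypted" as the 0.7.4 changelog entry describes it. Because the comment at new lines 68–69 says the function relies on environment variables alone, I would replace the dead line with `# kms_key_arn unset: environment variables use the Lambda default key (ADR-005); keep secrets out of environment.variables`, since principals allowed to read the function configuration can typically read those values. The `variables` map continues outside the hunk, so whether it holds anything sensitive cannot be confirmed from here. The commented-out `# aws_iam_role_policy.records_kms` entry in `depends_on` (new line 139) names a resource this change deletes and could be dropped rather than kept as a comment.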