npm - @exabugs/dynamodb-client - Versions diffs - 0.7.4 → 0.8.0 - Mend

@exabugs/dynamodb-client 0.7.4 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md +35 -0
package/dist/server/handler.cjs +2 -2
package/package.json +1 -1
package/terraform/main.tf +8 -59
package/terraform/modules/parameter-store/main.tf +0 -54
package/terraform/modules/parameter-store/variables.tf +0 -10
package/terraform/variables.tf +0 -14

package/CHANGELOG.md CHANGED Viewed

@@ -7,6 +7,41 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [0.8.0] - 2025-12-28
+### BREAKING CHANGES
+- **Removed asanowa-specific parameters for library generalization**
+  - Removed `cognito_client_id` parameter (aud verification not needed for generic library)
+  - Removed `cognito_admin_ui_client_id` parameter (asanowa-specific, moved to project-specific configuration)
+  - Removed `cognito_user_pool_domain` parameter (OAuth flow specific, not needed for JWT verification)
+  - Removed `COGNITO_CLIENT_ID` environment variable from Records Lambda
+  - Removed `COGNITO_REGION` environment variable (redundant, extracted from user pool ID)
+  - Removed Admin UI Cognito parameters from Parameter Store module (asanowa-specific)
+### Migration Guide
+If your project was using the removed parameters:
+1. **cognito_client_id**: Remove from module call. JWT verification now works without aud validation for better generalization.
+2. **cognito_admin_ui_client_id** and **cognito_user_pool_domain**: Move these to your project-specific Parameter Store configuration.
+3. **COGNITO_REGION**: No longer needed. Region is automatically extracted from `cognito_user_pool_id`.
+### What remains
+- `cognito_user_pool_id`: Still required for JWT signature verification (JWKS endpoint construction)
+## [0.7.5] - 2025-12-28
+### Removed
+- **All KMS Settings Verification**: Removed all KMS-related settings to verify if they were actually necessary
+  - Removed `aws_iam_role_policy.records_kms_default` IAM policy resource (Lambda execution environment)
+  - Removed `aws_iam_role_policy.records_kms` IAM policy resource (Parameter Store access)
+  - Removed `kms_key_arn = ""` setting from Lambda function
+  - Current Lambda function uses only environment variables, not Parameter Store SecureString
+  - This is part of ADR-005 verification to determine the true cause of Lambda Function URL issues
 ## [0.7.4] - 2025-12-28
 ### Fixed

package/dist/server/handler.cjs CHANGED Viewed

@@ -1,5 +1,5 @@
-// @exabugs/dynamodb-client v0.7.4
-// Built: 2025-12-28T10:39:29.906Z
+// @exabugs/dynamodb-client v0.8.0
+// Built: 2025-12-28T12:59:33.043Z
 "use strict";
 var __create = Object.create;
 var __defProp = Object.defineProperty;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@exabugs/dynamodb-client",
-  "version": "0.7.4",
+  "version": "0.8.0",
   "description": "DynamoDB Single-Table Client SDK with MongoDB-like API, Shadow Records, and Lambda implementation for serverless applications",
   "author": "exabugs",
   "license": "MIT",

package/terraform/main.tf CHANGED Viewed

@@ -65,55 +65,10 @@ resource "aws_iam_role_policy" "records_dynamodb" {
   })
 }
-# カスタムインラインポリシー: KMSアクセス（Parameter Store用）
-# Lambda関数がSecureString環境変数を復号化するために必要
-resource "aws_iam_role_policy" "records_kms" {
-  name = "kms-access"
-  role = aws_iam_role.lambda_records.id
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Action = [
-          "kms:Decrypt"
-        ]
-        Resource = "*"
-        Condition = {
-          StringEquals = {
-            "kms:ViaService" = "ssm.${var.region}.amazonaws.com"
-          }
-        }
-      }
-    ]
-  })
-}
+# Parameter Store用KMSアクセスポリシーを削除（ADR-005による検証）
+# 現在のLambda関数は環境変数のみを使用し、Parameter StoreのSecureStringは使用していない
-# カスタムインラインポリシー: KMSデフォルトキーアクセス（Lambda実行環境用）
-# AWS LambdaのデフォルトKMSキーへのアクセス権限（ADR-003）
-resource "aws_iam_role_policy" "records_kms_default" {
-  name = "kms-default-access"
-  role = aws_iam_role.lambda_records.id
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Action = [
-          "kms:Decrypt"
-        ]
-        Resource = "*"
-        Condition = {
-          StringEquals = {
-            "kms:ViaService" = "lambda.${var.region}.amazonaws.com"
-          }
-        }
-      }
-    ]
-  })
-}
+# KMSデフォルトキーアクセスポリシーを削除（ADR-005による検証）
 # CloudWatch Logsロググループ
 resource "aws_cloudwatch_log_group" "lambda_records" {
@@ -151,9 +106,8 @@ resource "aws_lambda_function" "records" {
   timeout     = 30
   memory_size = 512
-  # KMS暗号化を明示的に無効化（ADR-004）
-  # AWS管理のデフォルトKMSキーアクセス権限の問題を回避
-  kms_key_arn = ""
+  # KMS暗号化設定を削除（ADR-005による検証）
+  # kms_key_arn = ""
   # 環境変数
   environment {
@@ -162,8 +116,6 @@ resource "aws_lambda_function" "records" {
       REGION               = var.region
       TABLE_NAME           = var.dynamodb_table_name
       COGNITO_USER_POOL_ID = var.cognito_user_pool_id
-      COGNITO_CLIENT_ID    = var.cognito_client_id
-      COGNITO_REGION       = var.region
       LOG_LEVEL            = var.log_level
       # シャドウ設定（環境変数ベース）
       SHADOW_CREATED_AT_FIELD = var.shadow_created_at_field
@@ -181,9 +133,8 @@ resource "aws_lambda_function" "records" {
   # CloudWatch Logsへの依存関係を明示
   depends_on = [
     aws_cloudwatch_log_group.lambda_records,
-    aws_iam_role_policy.records_dynamodb,
-    aws_iam_role_policy.records_kms,
-    aws_iam_role_policy.records_kms_default
+    aws_iam_role_policy.records_dynamodb
+    # aws_iam_role_policy.records_kms  # ADR-005による検証のため削除（Parameter Store未使用）
   ]
   tags = {
@@ -231,9 +182,7 @@ module "parameter_store" {
   records_function_arn = aws_lambda_function.records.arn
   # Cognito設定
-  cognito_user_pool_id       = var.cognito_user_pool_id
-  cognito_admin_ui_client_id = var.cognito_admin_ui_client_id
-  cognito_user_pool_domain   = var.cognito_user_pool_domain
+  cognito_user_pool_id = var.cognito_user_pool_id
   # DynamoDB設定
   dynamodb_table_name = var.dynamodb_table_name

package/terraform/modules/parameter-store/main.tf CHANGED Viewed

@@ -42,60 +42,6 @@ resource "aws_ssm_parameter" "lambda_records_function_arn" {
   }
 }
-# 外部参照用のパラメータ（実際の値を設定）
-# アプリケーション（Admin UI、Fetch Lambda等）がこれらの値を参照する
-# Cognito User Pool ID (Admin UI参照用)
-resource "aws_ssm_parameter" "app_admin_ui_cognito_user_pool_id" {
-  name      = "/${var.project_name}/${var.environment}/app/admin-ui/cognito-user-pool-id"
-  type      = local.parameter_type
-  tier      = local.parameter_tier
-  value     = var.cognito_user_pool_id
-  overwrite = true
-  description = "Cognito User Pool ID for Admin UI"
-  tags = {
-    Environment = var.environment
-    ManagedBy   = "terraform"
-    Category    = "app-config"
-  }
-}
-# Cognito Client ID (Admin UI参照用)
-resource "aws_ssm_parameter" "app_admin_ui_cognito_client_id" {
-  name      = "/${var.project_name}/${var.environment}/app/admin-ui/cognito-client-id"
-  type      = local.parameter_type
-  tier      = local.parameter_tier
-  value     = var.cognito_admin_ui_client_id
-  overwrite = true
-  description = "Cognito Client ID for Admin UI"
-  tags = {
-    Environment = var.environment
-    ManagedBy   = "terraform"
-    Category    = "app-config"
-  }
-}
-# Cognito Domain (Admin UI参照用)
-resource "aws_ssm_parameter" "app_admin_ui_cognito_domain" {
-  name      = "/${var.project_name}/${var.environment}/app/admin-ui/cognito-domain"
-  type      = local.parameter_type
-  tier      = local.parameter_tier
-  value     = "${var.cognito_user_pool_domain}.auth.${var.region}.amazoncognito.com"
-  overwrite = true
-  description = "Cognito Domain for Admin UI"
-  tags = {
-    Environment = var.environment
-    ManagedBy   = "terraform"
-    Category    = "app-config"
-  }
-}
 # DynamoDB Table Name (外部参照用)
 resource "aws_ssm_parameter" "infra_dynamodb_table_name" {
   name      = "/${var.project_name}/${var.environment}/infra/dynamodb-table-name"

package/terraform/modules/parameter-store/variables.tf CHANGED Viewed

@@ -30,16 +30,6 @@ variable "cognito_user_pool_id" {
   type        = string
 }
-variable "cognito_admin_ui_client_id" {
-  description = "Admin UI用Cognito User Pool Client ID"
-  type        = string
-}
-variable "cognito_user_pool_domain" {
-  description = "Cognito User Pool Domain"
-  type        = string
-}
 variable "dynamodb_table_name" {
   description = "DynamoDB Table Name"
   type        = string

package/terraform/variables.tf CHANGED Viewed

@@ -30,21 +30,7 @@ variable "cognito_user_pool_id" {
   type        = string
 }
-variable "cognito_client_id" {
-  description = "Cognito App Client ID（オプション、指定時は aud を検証）"
-  type        = string
-  default     = ""
-}
-variable "cognito_user_pool_domain" {
-  description = "Cognito User Pool Domain"
-  type        = string
-}
-variable "cognito_admin_ui_client_id" {
-  description = "Admin UI用Cognito User Pool Client ID"
-  type        = string
-}
 variable "log_retention_days" {
   description = "CloudWatch Logsの保持期間（日数）"