@slates-integrations/aws-lambda 0.2.0-rc.6

package/README.md

@@ -0,0 +1,89 @@
+# <img src="https://provider-logos.metorial-cdn.com/amazon.svg" height="20"> Aws Lambda
+
+Create, update, configure, and delete serverless Lambda functions. Invoke functions synchronously or asynchronously. Manage function code deployment via ZIP archives or container images. Publish immutable function versions and create aliases with weighted traffic shifting for canary and blue/green deployments. Create and manage layers for shared code, dependencies, and runtimes. Configure event source mappings to poll events from SQS, Kinesis, DynamoDB Streams, Kafka, and Amazon MQ. Set up function URLs as dedicated HTTPS endpoints. Manage concurrency settings including reserved and provisioned concurrency. Configure asynchronous invocation retry behavior and destination routing. Manage resource-based permissions policies, tags, runtime update mode, recursive loop detection, and durable execution workflows.
+
+## Tools
+
+### Configure Async Invocation
+
+List, get, set, update, or remove the asynchronous invocation configuration for a Lambda function. Controls retry behavior, maximum event age, and destination routing for successful or failed invocations (to SQS, SNS, Lambda, S3, or EventBridge).
+
+### Create Function
+
+Create a new Lambda function. Provide the function code via an S3 location, container image URI, or base64-encoded ZIP file. Requires a function name and an IAM execution role ARN at minimum.
+
+### Delete Function
+
+Delete a Lambda function. Optionally specify a **qualifier** to delete only a specific version (not \
+
+### Get Account Settings
+
+Retrieve Lambda account-level settings and limits for the configured region, including concurrent execution limits, code storage usage, and total code size.
+
+### Get Function
+
+Retrieve detailed information about a Lambda function including its configuration, code location, concurrency settings, and tags. Supports fetching a specific version or alias using the **qualifier** parameter.
+
+### Invoke Function
+
+Invoke a Lambda function synchronously or asynchronously. **Synchronous** (RequestResponse) returns the function's output. **Asynchronous** (Event) queues the event and returns immediately. Use **DryRun** to validate permissions without executing.
+
+### List Functions
+
+List Lambda functions in the configured AWS region. Returns function names, ARNs, runtimes, and key configuration. Use **maxItems** to control page size and **marker** for pagination.
+
+### Manage Alias
+
+Create, update, get, delete, or list aliases for a Lambda function. Aliases are named pointers to function versions, enabling canary and blue/green deployments via weighted traffic shifting.
+
+### Manage Concurrency
+
+Configure reserved and provisioned concurrency for a Lambda function. **Reserved concurrency** guarantees a set amount of concurrent executions. **Provisioned concurrency** keeps execution environments warm to eliminate cold starts.
+
+### Manage Durable Execution
+
+Inspect, list, stop, or send callbacks for Lambda durable executions. Durable executions are long-running, stateful workflows that can be checkpointed and resumed. Supports viewing execution history, state, and sending callback signals for human-in-the-loop patterns.
+
+### Manage Event Source Mapping
+
+Create, update, get, delete, or list event source mappings that connect Lambda to streaming/queue services (SQS, Kinesis, DynamoDB Streams, Kafka, Amazon MQ). Lambda automatically polls the source and invokes the function.
+
+### Manage Function URL
+
+Create, update, get, or delete a dedicated HTTPS endpoint (function URL) for a Lambda function. Function URLs provide public API access without needing API Gateway. Supports IAM authentication or open access, and configurable CORS.
+
+### Manage Layer
+
+Publish, get, delete, or list Lambda layers and their versions. Layers are reusable packages of libraries, dependencies, or custom runtimes that can be attached to functions.
+
+### Manage Permission
+
+Add, remove, or view resource-based policy statements on a Lambda function. These policies grant other AWS accounts or services (e.g., S3, API Gateway, EventBridge) permission to invoke the function.
+
+### Manage Recursion Config
+
+Get or set recursive loop detection for a Lambda function. Lambda defaults to terminating detected recursive invocation loops; only use Allow for intentional recursive designs with safeguards.
+
+### Manage Runtime Management
+
+Get or set the runtime update mode for a Lambda function version. Runtime management controls whether Lambda applies runtime patches automatically, on function updates, or pins a manual runtime version ARN.
+
+### Manage Tags
+
+List, add, or remove tags on a Lambda function. Tags are key-value pairs used for organization, cost allocation, and access control. Provide the full function ARN for tag operations.
+
+### Publish Version
+
+Publish an immutable version from the current \
+
+### Update Function
+
+Update a Lambda function's code and/or configuration. Provide **code** fields to update the deployment package, or **configuration** fields to modify settings like runtime, handler, memory, timeout, environment variables, layers, and VPC. Both can be updated in a single call.
+
+## License
+
+This integration is licensed under the [FSL-1.1](https://github.com/metorial/metorial-platform/blob/dev/LICENSE).
+
+<div align="center">
+  <sub>Built with ❤️ by <a href="https://metorial.com">Metorial</a></sub>
+</div>

package/docs/SPEC.md

@@ -0,0 +1,91 @@
+# Slates Specification for AWS Lambda
+
+## Overview
+
+AWS Lambda is a serverless compute service from Amazon Web Services that runs code in response to events without requiring server provisioning or management. It automatically scales execution and uses pay-per-use pricing. The Lambda API allows managing functions, layers, event source mappings, aliases, versions, concurrency settings, and invoking functions programmatically.
+
+## Authentication
+
+AWS Lambda uses **IAM-based authentication** exclusively. All API requests must be authenticated using AWS credentials.
+
+**AWS Signature Version 4 (SigV4)**
+
+AWS Signature Version 4 (SigV4) is the AWS signing protocol for adding authentication information to AWS API requests. Every request to the Lambda API must be signed using this protocol.
+
+Required credentials:
+
+- **AWS Access Key ID**: Identifies the IAM user or role making the request.
+- **AWS Secret Access Key**: Used to compute the request signature.
+- **AWS Session Token** (optional): Required when using temporary credentials from AWS STS (Security Token Service), assumed roles, or federated identities.
+
+Signing requests involves creating a canonical request based on the request details, calculating a signature using your AWS credentials, and adding this signature to the request as an Authorization header.
+
+Credentials can be obtained in several ways:
+
+- **IAM User**: Long-term access key ID and secret access key created in the IAM console.
+- **IAM Role (assumed via STS)**: Temporary credentials obtained via `sts:AssumeRole`, commonly used for cross-account access or applications running on AWS infrastructure (EC2, ECS, Lambda).
+- **Federated Identity**: A federated identity is a user from your enterprise directory, web identity provider, or Directory Service that accesses AWS services using credentials from an identity source. Federated identities assume roles that provide temporary credentials.
+
+The API endpoint follows the pattern: `https://lambda.{region}.amazonaws.com`. The region must also be specified as part of the signing process.
+
+**Permissions**: Access to specific Lambda actions is controlled via IAM policies. You control access by creating policies and attaching them to AWS identities or resources. A policy defines permissions when associated with an identity or resource. Lambda actions are prefixed with `lambda:` (e.g., `lambda:InvokeFunction`, `lambda:CreateFunction`).
+
+## Features
+
+### Function Management
+
+Create, update, configure, and delete Lambda functions. You can upload function code as a ZIP archive or a container image, set runtime and handler configurations, assign execution roles, configure environment variables, memory, timeout, and VPC networking. Environment variables modify application behavior without new code deployments. Versions safely test new features while maintaining stable production environments.
+
+### Function Invocation
+
+Invoke Lambda functions synchronously (RequestResponse) or asynchronously (Event). Synchronous invocation returns the function result in the response. Asynchronous invocation queues the event and returns immediately.
+
+### Versions and Aliases
+
+Publish immutable versions of functions and create aliases that point to specific versions. Aliases support weighted traffic shifting between two versions, enabling canary or blue/green deployment patterns.
+
+### Layers
+
+A Lambda layer is a .zip file archive that contains supplementary code or data. Layers usually contain library dependencies, a custom runtime, or configuration files. You can publish, version, and share layers across functions and AWS accounts. You can include up to five layers per function.
+
+### Event Source Mappings
+
+Connect Lambda functions to streaming or queue-based AWS services so Lambda automatically polls for and processes events. With event source mapping, Lambda actively fetches (or pulls) events from a queue or stream. You configure Lambda to check for events from a supported service, and Lambda handles the polling and invocation of your function. Supported sources include SQS, Kinesis, DynamoDB Streams, Apache Kafka, and Amazon MQ.
+
+### Function URLs
+
+Function URLs create public-facing APIs and endpoints without additional services. Each function URL provides a dedicated HTTPS endpoint. Auth type can be set to `AWS_IAM` (SigV4-signed requests) or `NONE` (open access). CORS can be configured on the URL.
+
+### Concurrency and Scaling
+
+Configure reserved concurrency to guarantee a function always has access to a set amount of concurrency. Provisioned concurrency keeps a specified number of execution environments initialized to reduce cold starts. Scaling configuration allows controlling how quickly functions scale up.
+
+### Asynchronous Invocation Configuration
+
+Configure how Lambda handles asynchronous invocations, including maximum retry attempts, maximum event age, and destination routing for successful or failed invocations (to SQS, SNS, Lambda, S3, or EventBridge).
+
+### Runtime Management
+
+Control whether Lambda applies runtime patches automatically, only when the function is updated, or through a pinned manual runtime version ARN.
+
+### Recursive Loop Detection
+
+Read and configure Lambda's recursive loop detection behavior. The default `Terminate` mode stops detected recursive invocation loops; `Allow` should be reserved for intentional recursive designs with guardrails.
+
+### Permissions Management
+
+Manage resource-based policies on functions and layers. Add or remove permission statements that grant other AWS accounts or services the ability to invoke functions or use layers.
+
+### Tagging
+
+Apply key-value tags to Lambda functions for organization, cost tracking, and access control purposes.
+
+### Durable Executions
+
+Manage long-running, stateful workflows via durable functions. You can checkpoint, inspect history and state, stop executions, and send callback signals for human-in-the-loop or asynchronous task patterns.
+
+## Events
+
+The provider does not support webhooks or event subscriptions via the Lambda API itself. Lambda functions are _consumers_ of events from other AWS services (S3, API Gateway, EventBridge, etc.), but the Lambda management API does not provide a webhook or subscription mechanism to notify external systems about changes to Lambda resources.
+
+To monitor changes to Lambda resources (e.g., function creation, updates, deletions), you would use **AWS CloudTrail** combined with **Amazon EventBridge**, which can capture Lambda API calls as events and route them to targets. However, this is not a built-in feature of the Lambda API itself.

package/logo.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="62" height="62" fill="none"><rect width="62" height="62" rx="31" fill="#fff"/><use xlink:href="#B" fill="#f90"/><use xlink:href="#C" fill-rule="evenodd" fill="#000"/><use xlink:href="#B" fill="#f90"/><use xlink:href="#C" fill-rule="evenodd" fill="#000"/><defs ><path id="B" d="M47.451 45.221c-18.161 8.643-29.431 1.412-36.646-2.98-.447-.277-1.205.065-.547.821C12.661 45.975 20.538 53 30.82 53c10.289 0 16.41-5.614 17.176-6.593.761-.971.223-1.507-.545-1.186h0zm5.1-2.817c-.488-.635-2.965-.753-4.525-.562-1.562.186-3.906 1.14-3.702 1.714.105.215.318.118 1.391.022 1.076-.107 4.09-.488 4.718.333.631.827-.961 4.764-1.252 5.4-.281.635.107.799.635.376.52-.423 1.463-1.518 2.095-3.067.628-1.558 1.011-3.731.64-4.215z"/><path id="C" d="M35.24 27.585c0 2.268.057 4.159-1.089 6.173-.925 1.638-2.391 2.645-4.028 2.645-2.235 0-3.537-1.703-3.537-4.216 0-4.961 4.446-5.862 8.654-5.862v1.261zm5.87 14.188c-.385.344-.942.368-1.375.139-1.932-1.605-2.276-2.349-3.34-3.881-3.193 3.259-5.453 4.233-9.595 4.233-4.896 0-8.711-3.021-8.711-9.071 0-4.724 2.563-7.941 6.206-9.513 3.16-1.392 7.573-1.638 10.946-2.022v-.753c0-1.384.106-3.021-.704-4.216-.712-1.073-2.071-1.515-3.267-1.515-2.219 0-4.2 1.138-4.683 3.496-.098.524-.483 1.04-1.007 1.064l-5.649-.606c-.475-.107-.999-.491-.868-1.22C20.364 11.063 26.545 9 32.079 9c2.833 0 6.533.753 8.769 2.898 2.833 2.644 2.563 6.173 2.563 10.013v9.071c0 2.726 1.13 3.922 2.194 5.395.377.524.459 1.154-.016 1.547-1.187.991-3.299 2.833-4.462 3.864l-.016-.016"/></defs></svg>

package/package.json

@@ -0,0 +1,21 @@
+{
+  "name": "@slates-integrations/aws-lambda",
+  "main": "src/index.ts",
+  "type": "module",
+  "scripts": {
+    "build": "bunx @vercel/ncc build src/index.ts -o dist -m -s",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@aws-sdk/client-lambda": "^3.1043.0",
+    "@lowerdeck/error": "^1.1.0",
+    "@slates/aws-sdk-http-handler": "1.0.0-rc.1",
+    "@types/node": "^20",
+    "slates": "1.0.0-rc.10",
+    "zod": "^4.2"
+  },
+  "devDependencies": {
+    "typescript": "^5"
+  },
+  "version": "0.2.0-rc.6"
+}

package/slate.json

@@ -0,0 +1,23 @@
+{
+  "name": "@amazon/aws-lambda",
+  "description": "Create, update, configure, and delete serverless Lambda functions. Invoke functions synchronously or asynchronously. Manage function code deployment via ZIP archives or container images. Publish immutable function versions and create aliases with weighted traffic shifting for canary and blue/green deployments. Create and manage layers for shared code, dependencies, and runtimes. Configure event source mappings to poll events from SQS, Kinesis, DynamoDB Streams, Kafka, and Amazon MQ. Set up function URLs as dedicated HTTPS endpoints. Manage concurrency settings including reserved and provisioned concurrency. Configure asynchronous invocation retry behavior and destination routing. Manage resource-based permissions policies, tags, runtime update mode, recursive loop detection, and durable execution workflows.",
+  "categories": [
+    "apis-and-http-requests",
+    "code-execution"
+  ],
+  "skills": [
+    "create and manage functions",
+    "invoke functions",
+    "publish versions and aliases",
+    "manage layers",
+    "configure event source mappings",
+    "create function URLs",
+    "manage concurrency settings",
+    "configure async invocation",
+    "manage permissions policies",
+    "manage durable executions",
+    "manage runtime updates",
+    "manage recursive loop detection"
+  ],
+  "logoUrl": "https://provider-logos.metorial-cdn.com/amazon.svg"
+}

package/src/auth.ts

@@ -0,0 +1,51 @@
+import { SlateAuth } from 'slates';
+import { z } from 'zod';
+
+export let auth = SlateAuth.create()
+  .output(
+    z.object({
+      accessKeyId: z.string(),
+      secretAccessKey: z.string(),
+      sessionToken: z.string().optional()
+    })
+  )
+  .addCustomAuth({
+    type: 'auth.custom',
+    name: 'AWS IAM Access Keys',
+    key: 'aws_iam_credentials',
+
+    inputSchema: z.object({
+      accessKeyId: z.string().describe('AWS Access Key ID'),
+      secretAccessKey: z.string().describe('AWS Secret Access Key')
+    }),
+
+    getOutput: async ctx => {
+      return {
+        output: {
+          accessKeyId: ctx.input.accessKeyId,
+          secretAccessKey: ctx.input.secretAccessKey
+        }
+      };
+    }
+  })
+  .addCustomAuth({
+    type: 'auth.custom',
+    name: 'AWS Temporary Credentials (STS)',
+    key: 'aws_temporary_credentials',
+
+    inputSchema: z.object({
+      accessKeyId: z.string().describe('Temporary AWS Access Key ID'),
+      secretAccessKey: z.string().describe('Temporary AWS Secret Access Key'),
+      sessionToken: z.string().describe('AWS Session Token')
+    }),
+
+    getOutput: async ctx => {
+      return {
+        output: {
+          accessKeyId: ctx.input.accessKeyId,
+          secretAccessKey: ctx.input.secretAccessKey,
+          sessionToken: ctx.input.sessionToken
+        }
+      };
+    }
+  });

package/src/config.ts

@@ -0,0 +1,8 @@
+import { SlateConfig } from 'slates';
+import { z } from 'zod';
+
+export let config = SlateConfig.create(
+  z.object({
+    region: z.string().describe('AWS region for Lambda API (e.g., us-east-1, eu-west-1)')
+  })
+);

package/src/index.ts

@@ -0,0 +1,50 @@
+import { Slate } from 'slates';
+import { spec } from './spec';
+import {
+  listFunctions,
+  getFunction,
+  createFunction,
+  updateFunction,
+  deleteFunction,
+  invokeFunction,
+  publishVersion,
+  manageAlias,
+  manageLayer,
+  manageEventSourceMapping,
+  manageFunctionUrl,
+  manageConcurrency,
+  managePermission,
+  manageTags,
+  configureAsyncInvocation,
+  manageDurableExecution,
+  getAccountSettings,
+  manageRuntimeManagement,
+  manageRecursionConfig
+} from './tools/index';
+import { functionChanges, inboundWebhook } from './triggers/index';
+
+export let provider = Slate.create({
+  spec,
+  tools: [
+    listFunctions,
+    getFunction,
+    createFunction,
+    updateFunction,
+    deleteFunction,
+    invokeFunction,
+    publishVersion,
+    manageAlias,
+    manageLayer,
+    manageEventSourceMapping,
+    manageFunctionUrl,
+    manageConcurrency,
+    managePermission,
+    manageTags,
+    configureAsyncInvocation,
+    manageDurableExecution,
+    getAccountSettings,
+    manageRuntimeManagement,
+    manageRecursionConfig
+  ],
+  triggers: [inboundWebhook, functionChanges]
+});

package/src/lib/aws-signer.ts

@@ -0,0 +1,158 @@
+import crypto from 'crypto';
+
+export interface AwsCredentials {
+  accessKeyId: string;
+  secretAccessKey: string;
+  sessionToken?: string;
+}
+
+export interface SignRequestParams {
+  method: string;
+  url: string;
+  headers: Record<string, string>;
+  body?: string;
+  region: string;
+  service: string;
+  credentials: AwsCredentials;
+}
+
+let hmacSha256 = (key: string | ArrayBuffer, data: string): ArrayBuffer => {
+  let keyBuffer: ArrayBuffer;
+  if (typeof key === 'string') {
+    keyBuffer = new TextEncoder().encode(key).buffer as ArrayBuffer;
+  } else {
+    keyBuffer = key;
+  }
+  let hmac = crypto.createHmac('sha256', new Uint8Array(keyBuffer));
+  hmac.update(data);
+  let digest = hmac.digest();
+  return digest.buffer.slice(
+    digest.byteOffset,
+    digest.byteOffset + digest.byteLength
+  ) as ArrayBuffer;
+};
+
+let sha256Hex = (data: string): string => {
+  return crypto.createHash('sha256').update(data).digest('hex');
+};
+
+let toHex = (buffer: ArrayBuffer): string => {
+  let bytes = new Uint8Array(buffer);
+  let hex = '';
+  for (let i = 0; i < bytes.length; i++) {
+    hex += bytes[i]!.toString(16).padStart(2, '0');
+  }
+  return hex;
+};
+
+let uriEncode = (str: string, encodeSlash: boolean = true): string => {
+  let encoded = '';
+  for (let i = 0; i < str.length; i++) {
+    let ch = str[i]!;
+    if (
+      (ch >= 'A' && ch <= 'Z') ||
+      (ch >= 'a' && ch <= 'z') ||
+      (ch >= '0' && ch <= '9') ||
+      ch === '-' ||
+      ch === '_' ||
+      ch === '.' ||
+      ch === '~'
+    ) {
+      encoded += ch;
+    } else if (ch === '/' && !encodeSlash) {
+      encoded += ch;
+    } else {
+      let bytes = new TextEncoder().encode(ch);
+      for (let b of bytes) {
+        encoded += '%' + b.toString(16).toUpperCase().padStart(2, '0');
+      }
+    }
+  }
+  return encoded;
+};
+
+export let signRequest = (params: SignRequestParams): Record<string, string> => {
+  let { method, url, headers, body, region, service, credentials } = params;
+
+  let parsedUrl = new URL(url);
+  let now = new Date();
+  let dateStamp = now.toISOString().replace(/[-:]/g, '').slice(0, 8);
+  let amzDate = dateStamp + 'T' + now.toISOString().replace(/[-:]/g, '').slice(9, 15) + 'Z';
+
+  let signedHeaders: Record<string, string> = { ...headers };
+  signedHeaders['host'] = parsedUrl.host;
+  signedHeaders['x-amz-date'] = amzDate;
+
+  if (credentials.sessionToken) {
+    signedHeaders['x-amz-security-token'] = credentials.sessionToken;
+  }
+
+  let canonicalUri = uriEncode(decodeURIComponent(parsedUrl.pathname), false);
+
+  let queryParams: [string, string][] = [];
+  parsedUrl.searchParams.forEach((value, key) => {
+    queryParams.push([key, value]);
+  });
+  queryParams.sort((a, b) => {
+    if (a[0] < b[0]) return -1;
+    if (a[0] > b[0]) return 1;
+    return a[1] < b[1] ? -1 : a[1] > b[1] ? 1 : 0;
+  });
+  let canonicalQueryString = queryParams
+    .map(([k, v]) => `${uriEncode(k)}=${uriEncode(v)}`)
+    .join('&');
+
+  let headerKeys = Object.keys(signedHeaders)
+    .map(k => k.toLowerCase())
+    .sort();
+
+  let canonicalHeaders = headerKeys
+    .map(k => {
+      let val =
+        signedHeaders[Object.keys(signedHeaders).find(h => h.toLowerCase() === k)!] || '';
+      return `${k}:${val.trim()}\n`;
+    })
+    .join('');
+
+  let signedHeadersList = headerKeys.join(';');
+
+  let payloadHash = sha256Hex(body || '');
+
+  let canonicalRequest = [
+    method.toUpperCase(),
+    canonicalUri,
+    canonicalQueryString,
+    canonicalHeaders,
+    signedHeadersList,
+    payloadHash
+  ].join('\n');
+
+  let credentialScope = `${dateStamp}/${region}/${service}/aws4_request`;
+
+  let stringToSign = [
+    'AWS4-HMAC-SHA256',
+    amzDate,
+    credentialScope,
+    sha256Hex(canonicalRequest)
+  ].join('\n');
+
+  let dateKey = hmacSha256('AWS4' + credentials.secretAccessKey, dateStamp);
+  let dateRegionKey = hmacSha256(dateKey, region);
+  let dateRegionServiceKey = hmacSha256(dateRegionKey, service);
+  let signingKey = hmacSha256(dateRegionServiceKey, 'aws4_request');
+
+  let signature = toHex(hmacSha256(signingKey, stringToSign));
+
+  let authorization = `AWS4-HMAC-SHA256 Credential=${credentials.accessKeyId}/${credentialScope}, SignedHeaders=${signedHeadersList}, Signature=${signature}`;
+
+  let result: Record<string, string> = {
+    'x-amz-date': amzDate,
+    authorization: authorization
+  };
+
+  if (credentials.sessionToken) {
+    result['x-amz-security-token'] = credentials.sessionToken;
+  }
+
+  return result;
+};