@ttoss/lambda-postgres-query 0.3.29 → 0.4.0

package/README.md

@@ -28,27 +28,45 @@ export default template;
 
 ### Lambda Handler
 
-Create a handler file that exports the Lambda function:
+Create a handler file that exports both Lambda functions:
 
 ```typescript
-export { handler } from '@ttoss/lambda-postgres-query';
+export { handler, readOnlyHandler } from '@ttoss/lambda-postgres-query';
 ```
 
 ### Environment Variables
 
-Configure the following environment variables:
+Configure the following environment variables for the general-purpose Lambda:
 
 ```env
 DATABASE_NAME=your_database_name
 DATABASE_USERNAME=your_username
 DATABASE_PASSWORD=your_password
 DATABASE_HOST=your_database_host
-DATABASE_HOST_READ_ONLY=your_read_only_host  # Optional
 DATABASE_PORT=5432
 SECURITY_GROUP_IDS=sg-xxxxx,sg-yyyyy
 SUBNET_IDS=subnet-xxxxx,subnet-yyyyy
 ```
 
+For the dedicated read-only Lambda (`readOnlyHandler`), define at least one `*_READ_ONLY` variable. Any read-only variable that is not set falls back to the corresponding main variable. For example, to point only the host to a read replica:
+
+```env
+DATABASE_HOST_READ_ONLY=your_read_only_host
+# DATABASE_NAME, DATABASE_USERNAME, DATABASE_PASSWORD, DATABASE_PORT are reused automatically
+```
+
+To use a fully isolated read-only database user:
+
+```env
+DATABASE_NAME_READ_ONLY=your_read_only_database_name
+DATABASE_USERNAME_READ_ONLY=your_read_only_username
+DATABASE_PASSWORD_READ_ONLY=your_read_only_password
+DATABASE_HOST_READ_ONLY=your_read_only_host
+DATABASE_PORT_READ_ONLY=5432
+```
+
+> **Security note:** If none of the `*_READ_ONLY` variables are set, the read-only Lambda throws an error at invocation time.
+
 ### Deployment
 
 Add a deploy script to your `package.json`:
@@ -96,12 +114,6 @@ const result = await query({
   values: [userId],
 });
 
-// Use read-only connection
-const result = await query({
-  text: 'SELECT * FROM users',
-  readOnly: true, // Defaults to true
-});
-
 // Disable automatic camelCase conversion
 const result = await query({
   text: 'SELECT * FROM users',
@@ -115,6 +127,12 @@ const result = await query({
 });
 ```
 
+## Security: Isolating Read-Only Access
+
+Deploying a dedicated `readOnlyHandler` Lambda lets you enforce the principle of least privilege at the AWS IAM level. Services that only need to read data (dashboards, reports, public APIs) receive IAM permissions to invoke **only** the read-only Lambda — they have no way to invoke the general-purpose Lambda and cannot perform write operations, regardless of the SQL they send.
+
+This means a compromised or misconfigured service can never corrupt or delete data; it is limited to SELECT queries enforced both by the database (`BEGIN READ ONLY` transaction) and by the IAM boundary.
+
 ## API Reference
 
 ### `createLambdaPostgresQueryTemplate(options?)`
@@ -141,7 +159,6 @@ Accepts either a SQL string or an options object extending [`QueryConfig`](https
 
 - `text` (string): SQL query text
 - `values` (array, optional): Query parameter values
-- `readOnly` (boolean, optional): Use read-only database host if available. Default: `true`
 - `lambdaPostgresQueryFunction` (string, optional): Name of the query Lambda function. Default: `LAMBDA_POSTGRES_QUERY_FUNCTION` environment variable
 - `camelCaseKeys` (boolean, optional): Convert snake_case column names to camelCase. Default: `true`
 
@@ -151,4 +168,8 @@ A [`QueryResult`](https://node-postgres.com/apis/result) object with transformed
 
 ### `handler`
 
-AWS Lambda handler function for processing database queries within the VPC.
+AWS Lambda handler function for processing database queries within the VPC. Uses `DATABASE_NAME`, `DATABASE_USERNAME`, `DATABASE_PASSWORD`, `DATABASE_HOST`, and `DATABASE_PORT`.
+
+### `readOnlyHandler`
+
+AWS Lambda handler function for processing **read-only** database queries within the VPC. Enforces read-only access via a PostgreSQL `BEGIN READ ONLY` transaction. Uses dedicated `*_READ_ONLY` environment variables where defined, falling back to the main variables for any that are not set. Throws an error at invocation time if none of the `*_READ_ONLY` variables are defined.

package/dist/cloudformation/index.d.cts

@@ -5,14 +5,18 @@ import { QueryParams } from '../index.cjs';
 import 'pg';
 
 declare const HANDLER_DEFAULT = "handler.handler";
+declare const HANDLER_READ_ONLY_DEFAULT = "handler.readOnlyHandler";
 declare const MEMORY_SIZE_DEFAULT = 128;
 declare const TIMEOUT_DEFAULT = 30;
-declare const createLambdaPostgresQueryTemplate: ({ handler, memorySize, timeout, }?: {
+declare const createLambdaPostgresQueryTemplate: ({ handler, readOnlyHandler, memorySize, timeout, }?: {
     handler?: string;
+    readOnlyHandler?: string;
     memorySize?: number;
     timeout?: number;
 }) => CloudFormationTemplate;
 
 declare const handler: Handler<QueryParams>;
 
-export { HANDLER_DEFAULT, MEMORY_SIZE_DEFAULT, TIMEOUT_DEFAULT, createLambdaPostgresQueryTemplate, handler };
+declare const readOnlyHandler: Handler<QueryParams>;
+
+export { HANDLER_DEFAULT, HANDLER_READ_ONLY_DEFAULT, MEMORY_SIZE_DEFAULT, TIMEOUT_DEFAULT, createLambdaPostgresQueryTemplate, handler, readOnlyHandler };

package/dist/cloudformation/index.d.ts

@@ -5,14 +5,18 @@ import { QueryParams } from '../index.js';
 import 'pg';
 
 declare const HANDLER_DEFAULT = "handler.handler";
+declare const HANDLER_READ_ONLY_DEFAULT = "handler.readOnlyHandler";
 declare const MEMORY_SIZE_DEFAULT = 128;
 declare const TIMEOUT_DEFAULT = 30;
-declare const createLambdaPostgresQueryTemplate: ({ handler, memorySize, timeout, }?: {
+declare const createLambdaPostgresQueryTemplate: ({ handler, readOnlyHandler, memorySize, timeout, }?: {
     handler?: string;
+    readOnlyHandler?: string;
     memorySize?: number;
     timeout?: number;
 }) => CloudFormationTemplate;
 
 declare const handler: Handler<QueryParams>;
 
-export { HANDLER_DEFAULT, MEMORY_SIZE_DEFAULT, TIMEOUT_DEFAULT, createLambdaPostgresQueryTemplate, handler };
+declare const readOnlyHandler: Handler<QueryParams>;
+
+export { HANDLER_DEFAULT, HANDLER_READ_ONLY_DEFAULT, MEMORY_SIZE_DEFAULT, TIMEOUT_DEFAULT, createLambdaPostgresQueryTemplate, handler, readOnlyHandler };

package/dist/cloudformation/index.js

@@ -32,19 +32,23 @@ var __toCommonJS = mod => __copyProps(__defProp({}, "__esModule", {
 var cloudformation_exports = {};
 __export(cloudformation_exports, {
   HANDLER_DEFAULT: () => HANDLER_DEFAULT,
+  HANDLER_READ_ONLY_DEFAULT: () => HANDLER_READ_ONLY_DEFAULT,
   MEMORY_SIZE_DEFAULT: () => MEMORY_SIZE_DEFAULT,
   TIMEOUT_DEFAULT: () => TIMEOUT_DEFAULT,
   createLambdaPostgresQueryTemplate: () => createLambdaPostgresQueryTemplate,
-  handler: () => handler
+  handler: () => handler,
+  readOnlyHandler: () => readOnlyHandler
 });
 module.exports = __toCommonJS(cloudformation_exports);
 
 // src/cloudformation/createLambdaPostgresQueryTemplate.ts
 var HANDLER_DEFAULT = "handler.handler";
+var HANDLER_READ_ONLY_DEFAULT = "handler.readOnlyHandler";
 var MEMORY_SIZE_DEFAULT = 128;
 var TIMEOUT_DEFAULT = 30;
 var createLambdaPostgresQueryTemplate = /* @__PURE__ */__name(({
   handler: handler2 = HANDLER_DEFAULT,
+  readOnlyHandler: readOnlyHandler2 = HANDLER_READ_ONLY_DEFAULT,
   memorySize = 128,
   timeout = 30
 } = {}) => {
@@ -70,13 +74,32 @@ var createLambdaPostgresQueryTemplate = /* @__PURE__ */__name(({
       },
       DatabasePassword: {
         Type: "String",
-        Description: "Database password."
+        Description: "Database password.",
+        NoEcho: true
       },
       DatabasePort: {
         Type: "String",
         Default: "5432",
         Description: "Database port."
       },
+      DatabaseNameReadOnly: {
+        Type: "String",
+        Description: "Database name for read-only access."
+      },
+      DatabaseUsernameReadOnly: {
+        Type: "String",
+        Description: "Database username for read-only access."
+      },
+      DatabasePasswordReadOnly: {
+        Type: "String",
+        Description: "Database password for read-only access.",
+        NoEcho: true
+      },
+      DatabasePortReadOnly: {
+        Type: "String",
+        Default: "5432",
+        Description: "Database port for read-only access."
+      },
       LambdaS3Bucket: {
         Type: "String",
         Description: "The S3 bucket where the Lambda code is stored."
@@ -135,15 +158,12 @@ var createLambdaPostgresQueryTemplate = /* @__PURE__ */__name(({
           Role: {
             "Fn::GetAtt": ["LambdaQueryExecutionRole", "Arn"]
           },
-          Runtime: "nodejs22.x",
+          Runtime: "nodejs24.x",
           Environment: {
             Variables: {
               DATABASE_HOST: {
                 Ref: "DatabaseHost"
               },
-              DATABASE_HOST_READ_ONLY: {
-                Ref: "DatabaseHostReadOnly"
-              },
               DATABASE_NAME: {
                 Ref: "DatabaseName"
               },
@@ -177,7 +197,84 @@ var createLambdaPostgresQueryTemplate = /* @__PURE__ */__name(({
               Ref: "LambdaQueryFunction"
             }]]
           },
-          RetentionInDays: 7
+          RetentionInDays: 3
+        }
+      },
+      LambdaReadOnlyQueryFunction: {
+        Type: "AWS::Lambda::Function",
+        Properties: {
+          Code: {
+            S3Bucket: {
+              Ref: "LambdaS3Bucket"
+            },
+            S3Key: {
+              Ref: "LambdaS3Key"
+            },
+            S3ObjectVersion: {
+              Ref: "LambdaS3ObjectVersion"
+            }
+          },
+          MemorySize: memorySize,
+          Timeout: timeout,
+          Handler: readOnlyHandler2,
+          Role: {
+            "Fn::GetAtt": ["LambdaQueryExecutionRole", "Arn"]
+          },
+          Runtime: "nodejs24.x",
+          Environment: {
+            Variables: {
+              DATABASE_HOST: {
+                Ref: "DatabaseHost"
+              },
+              DATABASE_NAME: {
+                Ref: "DatabaseName"
+              },
+              DATABASE_USERNAME: {
+                Ref: "DatabaseUsername"
+              },
+              DATABASE_PASSWORD: {
+                Ref: "DatabasePassword"
+              },
+              DATABASE_PORT: {
+                Ref: "DatabasePort"
+              },
+              DATABASE_HOST_READ_ONLY: {
+                Ref: "DatabaseHostReadOnly"
+              },
+              DATABASE_NAME_READ_ONLY: {
+                Ref: "DatabaseNameReadOnly"
+              },
+              DATABASE_USERNAME_READ_ONLY: {
+                Ref: "DatabaseUsernameReadOnly"
+              },
+              DATABASE_PASSWORD_READ_ONLY: {
+                Ref: "DatabasePasswordReadOnly"
+              },
+              DATABASE_PORT_READ_ONLY: {
+                Ref: "DatabasePortReadOnly"
+              }
+            }
+          },
+          VpcConfig: {
+            SecurityGroupIds: {
+              Ref: "SecurityGroupIds"
+            },
+            SubnetIds: {
+              Ref: "SubnetIds"
+            }
+          }
+        }
+      },
+      LambdaReadOnlyQueryFunctionLogs: {
+        Type: "AWS::Logs::LogGroup",
+        DependsOn: "LambdaReadOnlyQueryFunction",
+        Properties: {
+          LogGroupName: {
+            "Fn::Join": ["", ["/aws/lambda/", {
+              Ref: "LambdaReadOnlyQueryFunction"
+            }]]
+          },
+          RetentionInDays: 3
         }
       }
     },
@@ -193,6 +290,18 @@ var createLambdaPostgresQueryTemplate = /* @__PURE__ */__name(({
         Value: {
           "Fn::GetAtt": ["LambdaQueryFunction", "Arn"]
         }
+      },
+      LambdaPostgresReadOnlyQueryFunction: {
+        Description: "Lambda function to query PostgreSQL (read-only).",
+        Value: {
+          Ref: "LambdaReadOnlyQueryFunction"
+        }
+      },
+      LambdaPostgresReadOnlyQueryFunctionArn: {
+        Description: "Lambda function to query PostgreSQL (read-only) ARN.",
+        Value: {
+          "Fn::GetAtt": ["LambdaReadOnlyQueryFunction", "Arn"]
+        }
       }
     }
   };
@@ -204,7 +313,6 @@ var database = process.env.DATABASE_NAME;
 var username = process.env.DATABASE_USERNAME;
 var password = process.env.DATABASE_PASSWORD;
 var host = process.env.DATABASE_HOST;
-var hostReadOnly = process.env.DATABASE_HOST_READ_ONLY;
 var port = process.env.DATABASE_PORT;
 var handler = /* @__PURE__ */__name(async event => {
   try {
@@ -212,7 +320,7 @@ var handler = /* @__PURE__ */__name(async event => {
       database,
       user: username,
       password,
-      host: event.readOnly && hostReadOnly ? hostReadOnly : host,
+      host,
       port: Number(port)
     });
     await client.connect();
@@ -230,11 +338,60 @@ var handler = /* @__PURE__ */__name(async event => {
     throw error;
   }
 }, "handler");
+
+// src/cloudformation/lambdaReadOnlyQueryHandler.ts
+var import_pg2 = require("pg");
+var databaseReadOnly = process.env.DATABASE_NAME_READ_ONLY;
+var usernameReadOnly = process.env.DATABASE_USERNAME_READ_ONLY;
+var passwordReadOnly = process.env.DATABASE_PASSWORD_READ_ONLY;
+var hostReadOnly = process.env.DATABASE_HOST_READ_ONLY;
+var portReadOnly = process.env.DATABASE_PORT_READ_ONLY;
+var readOnlyHandler = /* @__PURE__ */__name(async event => {
+  if (!databaseReadOnly && !usernameReadOnly && !passwordReadOnly && !hostReadOnly && !portReadOnly) {
+    throw new Error("At least one read-only override must be defined (DATABASE_NAME_READ_ONLY, DATABASE_USERNAME_READ_ONLY, DATABASE_PASSWORD_READ_ONLY, DATABASE_HOST_READ_ONLY, DATABASE_PORT_READ_ONLY). Unset overrides fall back to the corresponding non-read-only env vars.");
+  }
+  const database2 = databaseReadOnly || process.env.DATABASE_NAME;
+  const username2 = usernameReadOnly || process.env.DATABASE_USERNAME;
+  const password2 = passwordReadOnly || process.env.DATABASE_PASSWORD;
+  const host2 = hostReadOnly || process.env.DATABASE_HOST;
+  const port2 = portReadOnly || process.env.DATABASE_PORT;
+  try {
+    const client = new import_pg2.Client({
+      database: database2,
+      user: username2,
+      password: password2,
+      host: host2,
+      port: Number(port2)
+    });
+    await client.connect();
+    try {
+      await client.query("BEGIN READ ONLY");
+      try {
+        const res = await client.query(event);
+        await client.query("COMMIT");
+        return res;
+      } catch (queryError) {
+        await client.query("ROLLBACK");
+        throw queryError;
+      }
+    } finally {
+      await client.end();
+    }
+  } catch (error) {
+    console.error("Error running read-only query", {
+      error,
+      event
+    });
+    throw error;
+  }
+}, "readOnlyHandler");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   HANDLER_DEFAULT,
+  HANDLER_READ_ONLY_DEFAULT,
   MEMORY_SIZE_DEFAULT,
   TIMEOUT_DEFAULT,
   createLambdaPostgresQueryTemplate,
-  handler
+  handler,
+  readOnlyHandler
 });

package/dist/esm/cloudformation/index.js

@@ -3,10 +3,12 @@ import { __name } from "../chunk-V4MHYKRI.js";
 
 // src/cloudformation/createLambdaPostgresQueryTemplate.ts
 var HANDLER_DEFAULT = "handler.handler";
+var HANDLER_READ_ONLY_DEFAULT = "handler.readOnlyHandler";
 var MEMORY_SIZE_DEFAULT = 128;
 var TIMEOUT_DEFAULT = 30;
 var createLambdaPostgresQueryTemplate = /* @__PURE__ */__name(({
   handler: handler2 = HANDLER_DEFAULT,
+  readOnlyHandler: readOnlyHandler2 = HANDLER_READ_ONLY_DEFAULT,
   memorySize = 128,
   timeout = 30
 } = {}) => {
@@ -32,13 +34,32 @@ var createLambdaPostgresQueryTemplate = /* @__PURE__ */__name(({
       },
       DatabasePassword: {
         Type: "String",
-        Description: "Database password."
+        Description: "Database password.",
+        NoEcho: true
       },
       DatabasePort: {
         Type: "String",
         Default: "5432",
         Description: "Database port."
       },
+      DatabaseNameReadOnly: {
+        Type: "String",
+        Description: "Database name for read-only access."
+      },
+      DatabaseUsernameReadOnly: {
+        Type: "String",
+        Description: "Database username for read-only access."
+      },
+      DatabasePasswordReadOnly: {
+        Type: "String",
+        Description: "Database password for read-only access.",
+        NoEcho: true
+      },
+      DatabasePortReadOnly: {
+        Type: "String",
+        Default: "5432",
+        Description: "Database port for read-only access."
+      },
       LambdaS3Bucket: {
         Type: "String",
         Description: "The S3 bucket where the Lambda code is stored."
@@ -97,15 +118,12 @@ var createLambdaPostgresQueryTemplate = /* @__PURE__ */__name(({
           Role: {
             "Fn::GetAtt": ["LambdaQueryExecutionRole", "Arn"]
           },
-          Runtime: "nodejs22.x",
+          Runtime: "nodejs24.x",
           Environment: {
             Variables: {
               DATABASE_HOST: {
                 Ref: "DatabaseHost"
               },
-              DATABASE_HOST_READ_ONLY: {
-                Ref: "DatabaseHostReadOnly"
-              },
               DATABASE_NAME: {
                 Ref: "DatabaseName"
               },
@@ -139,7 +157,84 @@ var createLambdaPostgresQueryTemplate = /* @__PURE__ */__name(({
               Ref: "LambdaQueryFunction"
             }]]
           },
-          RetentionInDays: 7
+          RetentionInDays: 3
+        }
+      },
+      LambdaReadOnlyQueryFunction: {
+        Type: "AWS::Lambda::Function",
+        Properties: {
+          Code: {
+            S3Bucket: {
+              Ref: "LambdaS3Bucket"
+            },
+            S3Key: {
+              Ref: "LambdaS3Key"
+            },
+            S3ObjectVersion: {
+              Ref: "LambdaS3ObjectVersion"
+            }
+          },
+          MemorySize: memorySize,
+          Timeout: timeout,
+          Handler: readOnlyHandler2,
+          Role: {
+            "Fn::GetAtt": ["LambdaQueryExecutionRole", "Arn"]
+          },
+          Runtime: "nodejs24.x",
+          Environment: {
+            Variables: {
+              DATABASE_HOST: {
+                Ref: "DatabaseHost"
+              },
+              DATABASE_NAME: {
+                Ref: "DatabaseName"
+              },
+              DATABASE_USERNAME: {
+                Ref: "DatabaseUsername"
+              },
+              DATABASE_PASSWORD: {
+                Ref: "DatabasePassword"
+              },
+              DATABASE_PORT: {
+                Ref: "DatabasePort"
+              },
+              DATABASE_HOST_READ_ONLY: {
+                Ref: "DatabaseHostReadOnly"
+              },
+              DATABASE_NAME_READ_ONLY: {
+                Ref: "DatabaseNameReadOnly"
+              },
+              DATABASE_USERNAME_READ_ONLY: {
+                Ref: "DatabaseUsernameReadOnly"
+              },
+              DATABASE_PASSWORD_READ_ONLY: {
+                Ref: "DatabasePasswordReadOnly"
+              },
+              DATABASE_PORT_READ_ONLY: {
+                Ref: "DatabasePortReadOnly"
+              }
+            }
+          },
+          VpcConfig: {
+            SecurityGroupIds: {
+              Ref: "SecurityGroupIds"
+            },
+            SubnetIds: {
+              Ref: "SubnetIds"
+            }
+          }
+        }
+      },
+      LambdaReadOnlyQueryFunctionLogs: {
+        Type: "AWS::Logs::LogGroup",
+        DependsOn: "LambdaReadOnlyQueryFunction",
+        Properties: {
+          LogGroupName: {
+            "Fn::Join": ["", ["/aws/lambda/", {
+              Ref: "LambdaReadOnlyQueryFunction"
+            }]]
+          },
+          RetentionInDays: 3
         }
       }
     },
@@ -155,6 +250,18 @@ var createLambdaPostgresQueryTemplate = /* @__PURE__ */__name(({
         Value: {
           "Fn::GetAtt": ["LambdaQueryFunction", "Arn"]
         }
+      },
+      LambdaPostgresReadOnlyQueryFunction: {
+        Description: "Lambda function to query PostgreSQL (read-only).",
+        Value: {
+          Ref: "LambdaReadOnlyQueryFunction"
+        }
+      },
+      LambdaPostgresReadOnlyQueryFunctionArn: {
+        Description: "Lambda function to query PostgreSQL (read-only) ARN.",
+        Value: {
+          "Fn::GetAtt": ["LambdaReadOnlyQueryFunction", "Arn"]
+        }
       }
     }
   };
@@ -166,7 +273,6 @@ var database = process.env.DATABASE_NAME;
 var username = process.env.DATABASE_USERNAME;
 var password = process.env.DATABASE_PASSWORD;
 var host = process.env.DATABASE_HOST;
-var hostReadOnly = process.env.DATABASE_HOST_READ_ONLY;
 var port = process.env.DATABASE_PORT;
 var handler = /* @__PURE__ */__name(async event => {
   try {
@@ -174,7 +280,7 @@ var handler = /* @__PURE__ */__name(async event => {
       database,
       user: username,
       password,
-      host: event.readOnly && hostReadOnly ? hostReadOnly : host,
+      host,
       port: Number(port)
     });
     await client.connect();
@@ -192,4 +298,51 @@ var handler = /* @__PURE__ */__name(async event => {
     throw error;
   }
 }, "handler");
-export { HANDLER_DEFAULT, MEMORY_SIZE_DEFAULT, TIMEOUT_DEFAULT, createLambdaPostgresQueryTemplate, handler };
+
+// src/cloudformation/lambdaReadOnlyQueryHandler.ts
+import { Client as Client2 } from "pg";
+var databaseReadOnly = process.env.DATABASE_NAME_READ_ONLY;
+var usernameReadOnly = process.env.DATABASE_USERNAME_READ_ONLY;
+var passwordReadOnly = process.env.DATABASE_PASSWORD_READ_ONLY;
+var hostReadOnly = process.env.DATABASE_HOST_READ_ONLY;
+var portReadOnly = process.env.DATABASE_PORT_READ_ONLY;
+var readOnlyHandler = /* @__PURE__ */__name(async event => {
+  if (!databaseReadOnly && !usernameReadOnly && !passwordReadOnly && !hostReadOnly && !portReadOnly) {
+    throw new Error("At least one read-only override must be defined (DATABASE_NAME_READ_ONLY, DATABASE_USERNAME_READ_ONLY, DATABASE_PASSWORD_READ_ONLY, DATABASE_HOST_READ_ONLY, DATABASE_PORT_READ_ONLY). Unset overrides fall back to the corresponding non-read-only env vars.");
+  }
+  const database2 = databaseReadOnly || process.env.DATABASE_NAME;
+  const username2 = usernameReadOnly || process.env.DATABASE_USERNAME;
+  const password2 = passwordReadOnly || process.env.DATABASE_PASSWORD;
+  const host2 = hostReadOnly || process.env.DATABASE_HOST;
+  const port2 = portReadOnly || process.env.DATABASE_PORT;
+  try {
+    const client = new Client2({
+      database: database2,
+      user: username2,
+      password: password2,
+      host: host2,
+      port: Number(port2)
+    });
+    await client.connect();
+    try {
+      await client.query("BEGIN READ ONLY");
+      try {
+        const res = await client.query(event);
+        await client.query("COMMIT");
+        return res;
+      } catch (queryError) {
+        await client.query("ROLLBACK");
+        throw queryError;
+      }
+    } finally {
+      await client.end();
+    }
+  } catch (error) {
+    console.error("Error running read-only query", {
+      error,
+      event
+    });
+    throw error;
+  }
+}, "readOnlyHandler");
+export { HANDLER_DEFAULT, HANDLER_READ_ONLY_DEFAULT, MEMORY_SIZE_DEFAULT, TIMEOUT_DEFAULT, createLambdaPostgresQueryTemplate, handler, readOnlyHandler };

package/dist/esm/index.js

@@ -9,7 +9,6 @@ var textDecoder = new TextDecoder("utf-8");
 var query = /* @__PURE__ */__name(async params => {
   try {
     const {
-      readOnly = true,
       // eslint-disable-next-line turbo/no-undeclared-env-vars
       lambdaPostgresQueryFunction = process.env.LAMBDA_POSTGRES_QUERY_FUNCTION,
       camelCaseKeys = true,
@@ -20,7 +19,6 @@ var query = /* @__PURE__ */__name(async params => {
     const input = {
       FunctionName: lambdaPostgresQueryFunction,
       Payload: JSON.stringify({
-        readOnly,
         ...pgParams
       })
     };

package/dist/index.d.cts

@@ -2,7 +2,6 @@ import * as pg from 'pg';
 import { QueryConfig, QueryResultRow } from 'pg';
 
 type QueryParams = {
-    readOnly?: boolean;
     lambdaPostgresQueryFunction?: string;
     camelCaseKeys?: boolean;
 } & QueryConfig;

package/dist/index.d.ts

@@ -2,7 +2,6 @@ import * as pg from 'pg';
 import { QueryConfig, QueryResultRow } from 'pg';
 
 type QueryParams = {
-    readOnly?: boolean;
     lambdaPostgresQueryFunction?: string;
     camelCaseKeys?: boolean;
 } & QueryConfig;

package/dist/index.js

@@ -54,7 +54,6 @@ var textDecoder = new TextDecoder("utf-8");
 var query = /* @__PURE__ */__name(async params => {
   try {
     const {
-      readOnly = true,
       // eslint-disable-next-line turbo/no-undeclared-env-vars
       lambdaPostgresQueryFunction = process.env.LAMBDA_POSTGRES_QUERY_FUNCTION,
       camelCaseKeys = true,
@@ -65,7 +64,6 @@ var query = /* @__PURE__ */__name(async params => {
     const input = {
       FunctionName: lambdaPostgresQueryFunction,
       Payload: JSON.stringify({
-        readOnly,
         ...pgParams
       })
     };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ttoss/lambda-postgres-query",
-  "version": "0.3.29",
+  "version": "0.4.0",
   "description": "Create a Lambda function that queries a PostgreSQL database.",
   "license": "MIT",
   "author": "ttoss",
@@ -29,19 +29,19 @@
     "dist"
   ],
   "dependencies": {
-    "@aws-sdk/client-lambda": "^3.731.1",
+    "@aws-sdk/client-lambda": "^3.1025.0",
     "camelcase-keys": "^7.0.2",
-    "pg": "^8.16.3",
-    "@ttoss/cloudformation": "^0.12.9"
+    "pg": "^8.20.0",
+    "@ttoss/cloudformation": "^0.12.10"
   },
   "devDependencies": {
     "@types/jest": "^30.0.0",
-    "@types/pg": "^8.11.10",
+    "@types/pg": "^8.20.0",
     "aws-sdk-client-mock": "^4.1.0",
     "jest": "^30.3.0",
     "tsup": "^8.5.1",
-    "@ttoss/test-utils": "^4.2.7",
-    "@ttoss/config": "^1.37.7"
+    "@ttoss/config": "^1.37.8",
+    "@ttoss/test-utils": "^4.2.8"
   },
   "keywords": [
     "aws",