localstack-core 4.10.1.dev42__py3-none-any.whl → 4.11.2.dev14__py3-none-any.whl

localstack/services/events/v1/provider.py

@@ -45,6 +45,7 @@ from localstack.services.events.scheduler import JobScheduler
 from localstack.services.events.v1.models import EventsStore, events_stores
 from localstack.services.moto import call_moto
 from localstack.services.plugins import ServiceLifecycleHook
+from localstack.state import StateVisitor
 from localstack.utils.aws.arns import event_bus_arn, parse_arn
 from localstack.utils.aws.client_types import ServicePrincipal
 from localstack.utils.aws.message_forwarding import send_event_to_target
@@ -83,6 +84,14 @@ class EventsProvider(EventsApi, ServiceLifecycleHook):
     def on_before_stop(self):
         JobScheduler.shutdown()
 
+    def accept_state_visitor(self, visitor: StateVisitor):
+        from moto.events.models import events_backends
+
+        from localstack.services.events.v1.models import events_stores
+
+        visitor.visit(events_backends)
+        visitor.visit(events_stores)
+
     @route("/_aws/events/rules/<path:rule_arn>/trigger")
     def trigger_scheduled_rule(self, request: Request, rule_arn: str):
         """Developer endpoint to trigger a scheduled rule."""

localstack/services/firehose/provider.py

@@ -94,6 +94,7 @@ from localstack.services.firehose.mappers import (
     convert_source_config_to_desc,
 )
 from localstack.services.firehose.models import FirehoseStore, firehose_stores
+from localstack.state import StateVisitor
 from localstack.utils.aws.arns import (
     extract_account_id_from_arn,
     extract_region_from_arn,
@@ -251,8 +252,12 @@ class FirehoseProvider(FirehoseApi):
 
     def __init__(self) -> None:
         super().__init__()
+        # TODO: stop/restart the kinesis listeners when stopping the service / reset the state / restore the state
         self.kinesis_listeners = {}
 
+    def accept_state_visitor(self, visitor: StateVisitor):
+        visitor.visit(firehose_stores)
+
     @staticmethod
     def get_store(account_id: str, region_name: str) -> FirehoseStore:
         return firehose_stores[account_id][region_name]

localstack/services/iam/provider.py

@@ -75,6 +75,7 @@ from localstack.services.iam.resources.policy_simulator import (
 )
 from localstack.services.iam.resources.service_linked_roles import SERVICE_LINKED_ROLES
 from localstack.services.moto import call_moto
+from localstack.state import StateVisitor
 from localstack.utils.aws.request_context import extract_access_key_id_from_auth_header
 
 LOG = logging.getLogger(__name__)
@@ -110,6 +111,9 @@ class IamProvider(IamApi):
         apply_iam_patches()
         self.policy_simulator = BasicIAMPolicySimulator()
 
+    def accept_state_visitor(self, visitor: StateVisitor):
+        visitor.visit(iam_backends)
+
     @handler("CreateRole", expand=False)
     def create_role(
         self, context: RequestContext, request: CreateRoleRequest

localstack/services/kms/models.py

@@ -20,7 +20,6 @@ from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
 from cryptography.hazmat.primitives.asymmetric.padding import PSS, PKCS1v15
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.asymmetric.utils import Prehashed
-from cryptography.hazmat.primitives.kdf.hkdf import HKDF
 from cryptography.hazmat.primitives.serialization import load_der_public_key
 
 from localstack.aws.api.kms import (
@@ -442,17 +441,15 @@ class KmsKey:
 
     def derive_shared_secret(self, public_key: bytes) -> bytes:
         key_spec = self.metadata.get("KeySpec")
-        match key_spec:
-            case KeySpec.ECC_NIST_P256 | KeySpec.ECC_SECG_P256K1:
-                algorithm = hashes.SHA256()
-            case KeySpec.ECC_NIST_P384:
-                algorithm = hashes.SHA384()
-            case KeySpec.ECC_NIST_P521:
-                algorithm = hashes.SHA512()
-            case _:
-                raise InvalidKeyUsageException(
-                    f"{self.metadata['Arn']} key usage is {self.metadata['KeyUsage']} which is not valid for DeriveSharedSecret."
-                )
+        if key_spec not in (
+            KeySpec.ECC_NIST_P256,
+            KeySpec.ECC_SECG_P256K1,
+            KeySpec.ECC_NIST_P384,
+            KeySpec.ECC_NIST_P521,
+        ):
+            raise InvalidKeyUsageException(
+                f"{self.metadata['Arn']} key usage is {self.metadata['KeyUsage']} which is not valid for DeriveSharedSecret."
+            )
 
         # Deserialize public key from DER encoded data to EllipticCurvePublicKey.
         try:
@@ -460,14 +457,7 @@ class KmsKey:
         except (UnsupportedAlgorithm, ValueError):
             raise ValidationException("")
         shared_secret = self.crypto_key.key.exchange(ec.ECDH(), pub_key)
-        # Perform shared secret derivation.
-        return HKDF(
-            algorithm=algorithm,
-            salt=None,
-            info=b"",
-            length=algorithm.digest_size,
-            backend=default_backend(),
-        ).derive(shared_secret)
+        return shared_secret
 
     # This method gets called when a key is replicated to another region. It's meant to populate the required metadata
     # fields in a new replica key.

localstack/services/kms/provider.py

@@ -138,6 +138,7 @@ from localstack.services.kms.utils import (
     validate_alias_name,
 )
 from localstack.services.plugins import ServiceLifecycleHook
+from localstack.state import StateVisitor
 from localstack.utils.aws.arns import get_partition, kms_alias_arn, parse_arn
 from localstack.utils.collections import PaginatedList
 from localstack.utils.common import select_attributes
@@ -201,6 +202,9 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
     - VerifyMac
     """
 
+    def accept_state_visitor(self, visitor: StateVisitor):
+        visitor.visit(kms_stores)
+
     #
     # Helpers
     #

localstack/services/lambda_/api_utils.py

@@ -3,6 +3,8 @@ Everything related to behavior or implicit functionality goes into `lambda_utils
 """
 
 import datetime
+import hashlib
+import json
 import random
 import re
 import string
@@ -62,13 +64,14 @@ DESTINATION_ARN_PATTERN = re.compile(
     r"^$|arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\-])+:([a-z]{2}(-gov)?-[a-z]+-\d{1})?:(\d{12})?:(.*)"
 )
 
+# TODO: what's the difference between AWS_FUNCTION_NAME_REGEX and FUNCTION_NAME_REGEX? Can we unify?
 AWS_FUNCTION_NAME_REGEX = re.compile(
-    "^(arn:(aws[a-zA-Z-]*)?:lambda:)?([a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:)?(\\d{12}:)?(function:)?([a-zA-Z0-9-_.]+)(:(\\$LATEST|[a-zA-Z0-9-_]+))?$"
+    "^(arn:(aws[a-zA-Z-]*)?:lambda:)?([a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:)?(\\d{12}:)?(function:)?([a-zA-Z0-9-_.]+)(:(\\$LATEST(\\.PUBLISHED)?|[a-zA-Z0-9-_]+))?$"
 )
 
 # Pattern for extracting various attributes from a full or partial ARN or just a function name.
 FUNCTION_NAME_REGEX = re.compile(
-    r"(arn:(aws[a-zA-Z-]*):lambda:)?((?P<region>[a-z]{2}(-gov)?-[a-z]+-\d{1}):)?(?:(?P<account>\d{12}):)?(function:)?(?P<name>[a-zA-Z0-9-_\.]+)(:(?P<qualifier>\$LATEST|[a-zA-Z0-9-_]+))?"
+    r"(arn:(aws[a-zA-Z-]*):lambda:)?((?P<region>[a-z]{2}(-gov)?-[a-z]+-\d{1}):)?(?:(?P<account>\d{12}):)?(function:)?(?P<name>[a-zA-Z0-9-_\.]+)(:(?P<qualifier>\$LATEST(\.PUBLISHED)?|[a-zA-Z0-9-_]+))?"
 )  # also length 1-170 incl.
 # Pattern for a lambda function handler
 HANDLER_REGEX = re.compile(r"[^\s]+")
@@ -86,9 +89,11 @@ SIGNING_JOB_ARN_REGEX = re.compile(
 SIGNING_PROFILE_VERSION_ARN_REGEX = re.compile(
     r"arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\-])+:([a-z]{2}(-gov)?-[a-z]+-\d{1})?:(\d{12})?:(.*)"
 )
-# Combined pattern for alias and version based on AWS error using "(|[a-zA-Z0-9$_-]+)"
-QUALIFIER_REGEX = re.compile(r"(^[a-zA-Z0-9$_-]+$)")
+# Combined pattern for alias and version based on AWS error using "\\$(LATEST(\\.PUBLISHED)?)|[a-zA-Z0-9-_$]+"
+# This regex is based on the snapshotted validation message, just removing the double \\ before $LATEST
+QUALIFIER_REGEX = re.compile(r"^\$(LATEST(\\.PUBLISHED)?)|[a-zA-Z0-9-_$]+$")
 # Pattern for a version qualifier
+# TODO: do we need to consider $LATEST.PUBLISHED here?
 VERSION_REGEX = re.compile(r"^[0-9]+$")
 # Pattern for an alias qualifier
 # Rules: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateAlias.html#SSS-CreateAlias-request-Name
@@ -107,36 +112,42 @@ LAMBDA_DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%f+0000"
 # An unordered list of all Lambda CPU architectures supported by LocalStack.
 ARCHITECTURES = [Architecture.arm64, Architecture.x86_64]
 
-# ARN pattern returned in validation exception messages.
-# Some excpetions from AWS return a '\.' in the function name regex
-# pattern therefore we can sub this value in when appropriate.
-ARN_NAME_PATTERN_VALIDATION_TEMPLATE = "(arn:(aws[a-zA-Z-]*)?:lambda:)?([a-z]{{2}}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{{1}}:)?(\\d{{12}}:)?(function:)?([a-zA-Z0-9-_{0}]+)(:(\\$LATEST|[a-zA-Z0-9-_]+))?"
+# ARN patterns returned in validation exception messages
+ARN_NAME_PATTERN_GET = r"(arn:(aws[a-zA-Z-]*)?:lambda:)?((eusc-)?[a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\d{1}:)?(\d{12}:)?(function:)?([a-zA-Z0-9-_\.]+)(:(\$LATEST(\.PUBLISHED)?|[a-zA-Z0-9-_]+))?"
+ARN_NAME_PATTERN_CREATE = r"(arn:(aws[a-zA-Z-]*)?:lambda:)?((eusc-)?[a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\d{1}:)?(\d{12}:)?(function:)?([a-zA-Z0-9-_]+)(:(\$LATEST|[a-zA-Z0-9-_]+))?"
 
 # AWS response when invalid ARNs are used in Tag operations.
-TAGGABLE_RESOURCE_ARN_PATTERN = "arn:(aws[a-zA-Z-]*):lambda:[a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:\\d{12}:(function:[a-zA-Z0-9-_]+(:(\\$LATEST|[a-zA-Z0-9-_]+))?|layer:([a-zA-Z0-9-_]+)|code-signing-config:csc-[a-z0-9]{17}|event-source-mapping:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"
+TAGGABLE_RESOURCE_ARN_PATTERN = "arn:(aws[a-zA-Z-]*):lambda:(eusc-)?[a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:\\d{12}:(function:[a-zA-Z0-9-_]+(:(\\$LATEST|[a-zA-Z0-9-_]+))?|layer:([a-zA-Z0-9-_]+)|code-signing-config:csc-[a-z0-9]{17}|event-source-mapping:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|capacity-provider:[a-zA-Z0-9-_]+)"
 
 
 def validate_function_name(function_name_or_arn: str, operation_type: str):
     function_name, *_ = function_locators_from_arn(function_name_or_arn)
-    arn_name_pattern = ARN_NAME_PATTERN_VALIDATION_TEMPLATE.format("")
+    arn_name_pattern = ARN_NAME_PATTERN_CREATE
     max_length = 170
 
-    match operation_type:
-        case "GetFunction" | "Invoke":
-            arn_name_pattern = ARN_NAME_PATTERN_VALIDATION_TEMPLATE.format(r"\.")
-        case "CreateFunction" if function_name == function_name_or_arn:  # only a function name
+    if operation_type == "GetFunction" or operation_type == "Invoke":
+        arn_name_pattern = ARN_NAME_PATTERN_GET
+    elif operation_type == "CreateFunction":
+        # https://docs.aws.amazon.com/lambda/latest/api/API_CreateFunction.html#lambda-CreateFunction-request-FunctionName
+        if function_name == function_name_or_arn:  # only a function name
             max_length = 64
-        case "CreateFunction" | "DeleteFunction":
+        else:  # full or partial ARN
             max_length = 140
+    elif operation_type == "DeleteFunction":
+        max_length = 140
+        arn_name_pattern = ARN_NAME_PATTERN_GET
 
     validations = []
-    if len(function_name_or_arn) > max_length:
-        constraint = f"Member must have length less than or equal to {max_length}"
+    if not AWS_FUNCTION_NAME_REGEX.match(function_name_or_arn) or not function_name:
+        constraint = f"Member must satisfy regular expression pattern: {arn_name_pattern}"
         validation_msg = f"Value '{function_name_or_arn}' at 'functionName' failed to satisfy constraint: {constraint}"
         validations.append(validation_msg)
+        if not operation_type == "CreateFunction":
+            # Immediately raises rather than summarizing all validations, except for CreateFunction
+            return validations
 
-    if not AWS_FUNCTION_NAME_REGEX.match(function_name_or_arn) or not function_name:
-        constraint = f"Member must satisfy regular expression pattern: {arn_name_pattern}"
+    if len(function_name_or_arn) > max_length:
+        constraint = f"Member must have length less than or equal to {max_length}"
         validation_msg = f"Value '{function_name_or_arn}' at 'functionName' failed to satisfy constraint: {constraint}"
         validations.append(validation_msg)
 
@@ -154,7 +165,7 @@ def validate_qualifier(qualifier: str):
         validations.append(validation_msg)
 
     if not QUALIFIER_REGEX.match(qualifier):
-        constraint = "Member must satisfy regular expression pattern: (|[a-zA-Z0-9$_-]+)"
+        constraint = "Member must satisfy regular expression pattern: \\$(LATEST(\\.PUBLISHED)?)|[a-zA-Z0-9-_$]+"
         validation_msg = (
             f"Value '{qualifier}' at 'qualifier' failed to satisfy constraint: {constraint}"
         )
@@ -571,6 +582,12 @@ def map_config_out(
         optional_kwargs["CodeSize"] = 0
         optional_kwargs["CodeSha256"] = version.config.image.code_sha256
 
+    if version.config.CapacityProviderConfig:
+        optional_kwargs["CapacityProviderConfig"] = version.config.CapacityProviderConfig
+        data = json.dumps(version.config.CapacityProviderConfig, sort_keys=True).encode("utf-8")
+        config_sha_256 = hashlib.sha256(data).hexdigest()
+        optional_kwargs["ConfigSha256"] = config_sha_256
+
     # output for an alias qualifier is completely the same except for the returned ARN
     if alias_name:
         function_arn = f"{':'.join(version.id.qualified_arn().split(':')[:-1])}:{alias_name}"

localstack/services/lambda_/event_source_mapping/pollers/stream_poller.py

@@ -36,7 +36,7 @@ from localstack.services.lambda_.event_source_mapping.senders.sender_utils impor
 )
 from localstack.utils.aws.arns import parse_arn, s3_bucket_name
 from localstack.utils.backoff import ExponentialBackoff
-from localstack.utils.batch_policy import Batcher
+from localstack.utils.batching import Batcher
 from localstack.utils.strings import long_uid
 
 LOG = logging.getLogger(__name__)

localstack/services/lambda_/invocation/assignment.py

@@ -88,9 +88,12 @@ class AssignmentService(OtherServiceEndpoint):
         self, version_manager_id: str, function_version: FunctionVersion
     ) -> ExecutionEnvironment:
         LOG.debug("Starting new environment")
+        initialization_type = "on-demand"
+        if function_version.config.CapacityProviderConfig:
+            initialization_type = "lambda-managed-instances"
         execution_environment = ExecutionEnvironment(
             function_version=function_version,
-            initialization_type="on-demand",
+            initialization_type=initialization_type,
             on_timeout=self.on_timeout,
             version_manager_id=version_manager_id,
         )

localstack/services/lambda_/invocation/execution_environment.py

@@ -8,6 +8,7 @@ from enum import Enum, auto
 from threading import RLock, Timer
 
 from localstack import config
+from localstack.aws.api.lambda_ import LogFormat
 from localstack.aws.connect import connect_to
 from localstack.services.lambda_.invocation.lambda_models import (
     Credentials,
@@ -149,6 +150,22 @@ class ExecutionEnvironment:
             # LOCALSTACK_USER conditionally added below
         }
         # Conditionally added environment variables
+        # Lambda advanced logging controls:
+        # https://aws.amazon.com/blogs/compute/introducing-advanced-logging-controls-for-aws-lambda-functions/
+        logging_config = self.function_version.config.logging_config
+        if logging_config.get("LogFormat") == LogFormat.JSON:
+            env_vars["AWS_LAMBDA_LOG_FORMAT"] = logging_config["LogFormat"]
+            # TODO: test this (currently not implemented in LocalStack)
+            env_vars["AWS_LAMBDA_LOG_LEVEL"] = logging_config["ApplicationLogLevel"].capitalize()
+        # Lambda Managed Instances
+        if capacity_provider_config := self.function_version.config.CapacityProviderConfig:
+            # Disable dropping privileges for parity
+            # TODO: implement mixed permissions (maybe in RIE)
+            # env_vars["LOCALSTACK_USER"] = "root"
+            env_vars["AWS_LAMBDA_MAX_CONCURRENCY"] = capacity_provider_config[
+                "LambdaManagedInstancesCapacityProviderConfig"
+            ]["PerExecutionEnvironmentMaxConcurrency"]
+            env_vars["TZ"] = ":/etc/localtime"
         if not config.LAMBDA_DISABLE_AWS_ENDPOINT_URL:
             env_vars["AWS_ENDPOINT_URL"] = (
                 f"http://{self.runtime_executor.get_endpoint_from_executor()}:{config.GATEWAY_LISTEN[0].port}"
@@ -159,8 +176,6 @@ class ExecutionEnvironment:
         # Will be overridden by the runtime itself unless it is a provided runtime
         if self.function_version.config.runtime:
             env_vars["AWS_EXECUTION_ENV"] = "AWS_Lambda_rapid"
-        if self.function_version.config.environment:
-            env_vars.update(self.function_version.config.environment)
         if config.LAMBDA_INIT_DEBUG:
             # Disable dropping privileges because it breaks debugging
             env_vars["LOCALSTACK_USER"] = "root"
@@ -175,6 +190,10 @@ class ExecutionEnvironment:
             env_vars["LOCALSTACK_MAX_PAYLOAD_SIZE"] = int(
                 config.LAMBDA_LIMITS_MAX_FUNCTION_PAYLOAD_SIZE_BYTES
             )
+
+        # Let users overwrite any environment variable at last (if they want so)
+        if self.function_version.config.environment:
+            env_vars.update(self.function_version.config.environment)
         return env_vars
 
     # Lifecycle methods

localstack/services/lambda_/invocation/lambda_models.py

@@ -12,7 +12,7 @@ import threading
 from abc import ABCMeta, abstractmethod
 from datetime import datetime
 from pathlib import Path
-from typing import IO, Literal, TypedDict
+from typing import IO, Literal, Optional, TypedDict
 
 import boto3
 from botocore.exceptions import ClientError
@@ -22,12 +22,19 @@ from localstack.aws.api import CommonServiceException
 from localstack.aws.api.lambda_ import (
     AllowedPublishers,
     Architecture,
+    CapacityProviderArn,
+    CapacityProviderConfig,
+    CapacityProviderPermissionsConfig,
+    CapacityProviderScalingConfig,
+    CapacityProviderVpcConfig,
     CodeSigningPolicies,
     Cors,
     DestinationConfig,
     FunctionUrlAuthType,
+    InstanceRequirements,
     InvocationType,
     InvokeMode,
+    KMSKeyArn,
     LastUpdateStatus,
     LoggingConfig,
     PackageType,
@@ -38,12 +45,14 @@ from localstack.aws.api.lambda_ import (
     SnapStartResponse,
     State,
     StateReasonCode,
+    Timestamp,
     TracingMode,
 )
 from localstack.aws.connect import connect_to
 from localstack.constants import AWS_REGION_US_EAST_1, INTERNAL_AWS_SECRET_ACCESS_KEY
 from localstack.services.lambda_.api_utils import qualified_lambda_arn, unqualified_lambda_arn
 from localstack.utils.archives import unzip
+from localstack.utils.files import chmod_r
 from localstack.utils.strings import long_uid, short_uid
 
 LOG = logging.getLogger(__name__)
@@ -212,6 +221,7 @@ class S3Code(ArchiveCode):
             with tempfile.NamedTemporaryFile() as file:
                 self._download_archive_to_file(file)
                 unzip(file.name, str(target_path))
+                chmod_r(str(target_path), 0o755)
 
     def destroy_cached(self) -> None:
         """
@@ -331,7 +341,7 @@ class VpcConfig:
 @dataclasses.dataclass(frozen=True)
 class UpdateStatus:
     status: LastUpdateStatus | None
-    code: str | None = None  # TODO: probably not a string
+    code: str | None = None
     reason: str | None = None
 
 
@@ -568,6 +578,9 @@ class VersionFunctionConfiguration:
     vpc_config: VpcConfig | None = None
 
     logging_config: LoggingConfig = dataclasses.field(default_factory=dict)
+    # TODO: why does `CapacityProviderConfig | None = None` fail with on Python 3.13.9:
+    #  TypeError: unsupported operand type(s) for |: 'NoneType' and 'NoneType'
+    CapacityProviderConfig: Optional[CapacityProviderConfig] = None  # noqa
 
 
 @dataclasses.dataclass(frozen=True)
@@ -580,6 +593,18 @@ class FunctionVersion:
         return self.id.qualified_arn()
 
 
+@dataclasses.dataclass
+class CapacityProvider:
+    CapacityProviderArn: CapacityProviderArn
+    # State is determined dynamically
+    VpcConfig: CapacityProviderVpcConfig
+    PermissionsConfig: CapacityProviderPermissionsConfig
+    InstanceRequirements: InstanceRequirements
+    CapacityProviderScalingConfig: CapacityProviderScalingConfig
+    LastModified: Timestamp
+    KmsKeyArn: KMSKeyArn | None = None
+
+
 @dataclasses.dataclass
 class Function:
     function_name: str

localstack/services/lambda_/invocation/lambda_service.py

@@ -5,6 +5,7 @@ import io
 import logging
 import os.path
 import random
+import time
 import uuid
 from concurrent.futures import Executor, Future, ThreadPoolExecutor
 from datetime import datetime
@@ -19,6 +20,7 @@ from localstack.aws.api.lambda_ import (
     InvalidRequestContentException,
     InvocationType,
     LastUpdateStatus,
+    NoPublishedVersionException,
     ResourceConflictException,
     ResourceNotFoundException,
     State,
@@ -190,6 +192,9 @@ class LambdaService:
             lambda_hooks.create_function_version.run(function_version.qualified_arn)
         return self.task_executor.submit(self._start_lambda_version, version_manager)
 
+    def publish_version_async(self, function_version: FunctionVersion):
+        self.task_executor.submit(self.publish_version, function_version)
+
     def publish_version(self, function_version: FunctionVersion):
         """
         Synchronously create a function version (manager)
@@ -200,6 +205,14 @@ class LambdaService:
 
         :param function_version: Function Version to create
         """
+        # HACK: trying to match the AWS timing behavior of Lambda Managed Instances for the operation
+        # publish_version followed by get_function because transitioning LastUpdateStatus from InProgress to
+        # Successful happens too fast on LocalStack (thanks to caching in prepare_version).
+        # Without this hack, test_latest_published_update_config fails at get_function_response_postpublish
+        # and test_lifecycle_invoke is flaky, sometimes not triggering the ResourceConflictException
+        # Increasing this sleep too much (e.g., 10s) shouldn't cause any side effects apart from slow responsiveness
+        if function_version.config.CapacityProviderConfig:
+            time.sleep(0.1)
         with self.lambda_version_manager_lock:
             qualified_arn = function_version.id.qualified_arn()
             version_manager = self.lambda_starting_versions.get(qualified_arn)
@@ -225,7 +238,7 @@ class LambdaService:
     def invoke(
         self,
         function_name: str,
-        qualifier: str,
+        qualifier: str | None,
         region: str,
         account_id: str,
         invocation_type: InvocationType | None,
@@ -258,13 +271,27 @@ class LambdaService:
             account=account_id,
             region=region,
         )
-        qualifier = qualifier or "$LATEST"
         state = lambda_stores[account_id][region]
         function = state.functions.get(function_name)
 
         if function is None:
+            if not qualifier:
+                invoked_arn += ":$LATEST"
             raise ResourceNotFoundException(f"Function not found: {invoked_arn}", Type="User")
 
+        # A provided qualifier always takes precedence, but the default depends on whether $LATEST.PUBLISHED exists
+        version_latest_published = function.versions.get("$LATEST.PUBLISHED")
+        if version_latest_published:
+            qualifier = qualifier or "$LATEST.PUBLISHED"
+            invoked_arn = lambda_arn(
+                function_name=function_name,
+                qualifier=qualifier,
+                account=account_id,
+                region=region,
+            )
+        else:
+            qualifier = qualifier or "$LATEST"
+
         if qualifier_is_alias(qualifier):
             alias = function.aliases.get(qualifier)
             if not alias:
@@ -282,8 +309,21 @@ class LambdaService:
         # Need the qualified arn to exactly get the target lambda
         qualified_arn = qualified_lambda_arn(function_name, version_qualifier, account_id, region)
         version = function.versions.get(version_qualifier)
+        if version is None:
+            raise ResourceNotFoundException(f"Function not found: {invoked_arn}", Type="User")
         runtime = version.config.runtime or "n/a"
         package_type = version.config.package_type
+        if version.config.CapacityProviderConfig and qualifier == "$LATEST":
+            if function.versions.get("$LATEST.PUBLISHED"):
+                raise InvalidParameterValueException(
+                    "Functions configured with capacity provider configuration can't be invoked with $LATEST qualifier. To invoke this function, specify a published version qualifier or $LATEST.PUBLISHED.",
+                    Type="User",
+                )
+            else:
+                raise NoPublishedVersionException(
+                    "The function can't be invoked because no published version exists. For functions with capacity provider configuration, either publish a version to $LATEST.PUBLISHED, or specify a published version qualifier.",
+                    Type="User",
+                )
         try:
             version_manager = self.get_lambda_version_manager(qualified_arn)
             event_manager = self.get_lambda_event_manager(qualified_arn)
@@ -393,7 +433,10 @@ class LambdaService:
 
         :param new_version: New version (with the same qualifier as an older one)
         """
-        if new_version.qualified_arn not in self.lambda_running_versions:
+        if (
+            new_version.qualified_arn not in self.lambda_running_versions
+            and not new_version.config.CapacityProviderConfig
+        ):
             raise ValueError(
                 f"Version {new_version.qualified_arn} cannot be updated if an old one is not running"
             )
@@ -437,6 +480,11 @@ class LambdaService:
                 elif new_state.state == State.Failed:
                     update_status = UpdateStatus(status=LastUpdateStatus.Failed)
                     self.task_executor.submit(new_version_manager.stop)
+                elif (
+                    new_state.state == State.ActiveNonInvocable
+                    and function_version.config.CapacityProviderConfig
+                ):
+                    update_status = UpdateStatus(status=LastUpdateStatus.Successful)
                 else:
                     # TODO what to do if state pending or inactive is supported?
                     self.task_executor.submit(new_version_manager.stop)

localstack/services/lambda_/invocation/models.py

@@ -1,5 +1,10 @@
 from localstack.aws.api.lambda_ import EventSourceMappingConfiguration
-from localstack.services.lambda_.invocation.lambda_models import CodeSigningConfig, Function, Layer
+from localstack.services.lambda_.invocation.lambda_models import (
+    CapacityProvider,
+    CodeSigningConfig,
+    Function,
+    Layer,
+)
 from localstack.services.stores import AccountRegionBundle, BaseStore, LocalAttribute
 from localstack.utils.tagging import TaggingService
 
@@ -17,6 +22,9 @@ class LambdaStore(BaseStore):
     # maps layer names to Layers
     layers: dict[str, Layer] = LocalAttribute(default=dict)
 
+    # maps capacity provider names to respective CapacityProvider
+    capacity_providers: dict[str, CapacityProvider] = LocalAttribute(default=dict)
+
     # maps resource ARNs for EventSourceMappings and CodeSigningConfiguration to tags
     TAGS = LocalAttribute(default=TaggingService)
 

localstack/services/lambda_/invocation/version_manager.py

@@ -100,11 +100,26 @@ class LambdaVersionManager:
 
             # code and reason not set for success scenario because only failed states provide this field:
             # https://docs.aws.amazon.com/lambda/latest/dg/API_GetFunctionConfiguration.html#SSS-GetFunctionConfiguration-response-LastUpdateStatusReasonCode
-            self.state = VersionState(state=State.Active)
+            new_state = State.Active
+            if (
+                self.function_version.config.CapacityProviderConfig
+                and self.function_version.id.qualifier == "$LATEST"
+            ):
+                new_state = State.ActiveNonInvocable
+                # HACK: trying to match the AWS timing behavior of Lambda Managed Instances for the operation
+                # update_function_configuration followed by get_function because transitioning LastUpdateStatus from
+                # InProgress to Successful happens too fast on LocalStack (thanks to caching in prepare_version).
+                # Without this hack, test_latest_published_update_config fails at get_function_response_postupdate_latest
+                # TODO: this sleep has side-effects and we should be looking into alternatives
+                # Increasing this sleep too much (e.g., 3s) could cause the side effect that a created function is not
+                # ready for updates (i.e., rejected with a ResourceConflictException) and failing other tests
+                # time.sleep(0.1)
+            self.state = VersionState(state=new_state)
             LOG.debug(
-                "Changing Lambda %s (id %s) to active",
+                "Changing Lambda %s (id %s) to %s",
                 self.function_arn,
                 self.function_version.config.internal_revision,
+                new_state,
             )
         except Exception as e:
             self.state = VersionState(
@@ -113,7 +128,7 @@ class LambdaVersionManager:
                 reason=f"Error while creating lambda: {e}",
             )
             LOG.debug(
-                "Changing Lambda %s (id %s) to failed. Reason: %s",
+                "Changing Lambda %s (id %s) to Failed. Reason: %s",
                 self.function_arn,
                 self.function_version.config.internal_revision,
                 e,