localstack-core 4.10.1.dev42__py3-none-any.whl → 4.12.1.dev18__py3-none-any.whl

localstack/services/events/provider.py

@@ -168,6 +168,7 @@ from localstack.services.events.utils import (
     recursive_remove_none_values_from_dict,
 )
 from localstack.services.plugins import ServiceLifecycleHook
+from localstack.state import StateVisitor
 from localstack.utils.common import truncate
 from localstack.utils.event_matcher import matches_event
 from localstack.utils.strings import long_uid
@@ -246,6 +247,9 @@ class EventsProvider(EventsApi, ServiceLifecycleHook):
         self._connection_service_store: ConnectionServiceDict = {}
         self._api_destination_service_store: ApiDestinationServiceDict = {}
 
+    def accept_state_visitor(self, visitor: StateVisitor):
+        visitor.visit(events_stores)
+
     def on_before_start(self):
         JobScheduler.start()
 

localstack/services/events/v1/provider.py

@@ -45,6 +45,7 @@ from localstack.services.events.scheduler import JobScheduler
 from localstack.services.events.v1.models import EventsStore, events_stores
 from localstack.services.moto import call_moto
 from localstack.services.plugins import ServiceLifecycleHook
+from localstack.state import StateVisitor
 from localstack.utils.aws.arns import event_bus_arn, parse_arn
 from localstack.utils.aws.client_types import ServicePrincipal
 from localstack.utils.aws.message_forwarding import send_event_to_target
@@ -83,6 +84,14 @@ class EventsProvider(EventsApi, ServiceLifecycleHook):
     def on_before_stop(self):
         JobScheduler.shutdown()
 
+    def accept_state_visitor(self, visitor: StateVisitor):
+        from moto.events.models import events_backends
+
+        from localstack.services.events.v1.models import events_stores
+
+        visitor.visit(events_backends)
+        visitor.visit(events_stores)
+
     @route("/_aws/events/rules/<path:rule_arn>/trigger")
     def trigger_scheduled_rule(self, request: Request, rule_arn: str):
         """Developer endpoint to trigger a scheduled rule."""

localstack/services/firehose/provider.py

@@ -94,6 +94,7 @@ from localstack.services.firehose.mappers import (
     convert_source_config_to_desc,
 )
 from localstack.services.firehose.models import FirehoseStore, firehose_stores
+from localstack.state import StateVisitor
 from localstack.utils.aws.arns import (
     extract_account_id_from_arn,
     extract_region_from_arn,
@@ -251,8 +252,12 @@ class FirehoseProvider(FirehoseApi):
 
     def __init__(self) -> None:
         super().__init__()
+        # TODO: stop/restart the kinesis listeners when stopping the service / reset the state / restore the state
         self.kinesis_listeners = {}
 
+    def accept_state_visitor(self, visitor: StateVisitor):
+        visitor.visit(firehose_stores)
+
     @staticmethod
     def get_store(account_id: str, region_name: str) -> FirehoseStore:
         return firehose_stores[account_id][region_name]

localstack/services/iam/provider.py

@@ -75,6 +75,7 @@ from localstack.services.iam.resources.policy_simulator import (
 )
 from localstack.services.iam.resources.service_linked_roles import SERVICE_LINKED_ROLES
 from localstack.services.moto import call_moto
+from localstack.state import StateVisitor
 from localstack.utils.aws.request_context import extract_access_key_id_from_auth_header
 
 LOG = logging.getLogger(__name__)
@@ -110,6 +111,9 @@ class IamProvider(IamApi):
         apply_iam_patches()
         self.policy_simulator = BasicIAMPolicySimulator()
 
+    def accept_state_visitor(self, visitor: StateVisitor):
+        visitor.visit(iam_backends)
+
     @handler("CreateRole", expand=False)
     def create_role(
         self, context: RequestContext, request: CreateRoleRequest

localstack/services/kinesis/packages.py

@@ -7,7 +7,7 @@ from localstack.packages import InstallTarget, Package
 from localstack.packages.core import GitHubReleaseInstaller, NodePackageInstaller
 from localstack.packages.java import JavaInstallerMixin, java_package
 
-_KINESIS_MOCK_VERSION = os.environ.get("KINESIS_MOCK_VERSION") or "0.5.1"
+_KINESIS_MOCK_VERSION = os.environ.get("KINESIS_MOCK_VERSION") or "0.5.2"
 
 
 class KinesisMockEngine(StrEnum):

localstack/services/kms/models.py

@@ -20,7 +20,6 @@ from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
 from cryptography.hazmat.primitives.asymmetric.padding import PSS, PKCS1v15
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.asymmetric.utils import Prehashed
-from cryptography.hazmat.primitives.kdf.hkdf import HKDF
 from cryptography.hazmat.primitives.serialization import load_der_public_key
 
 from localstack.aws.api.kms import (
@@ -233,7 +232,10 @@ class KmsCryptoKey:
 
         if key_spec.startswith("RSA"):
             key_size = RSA_CRYPTO_KEY_LENGTHS.get(key_spec)
-            key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
+            if key_material:
+                key = crypto_serialization.load_der_private_key(key_material, password=None)
+            else:
+                key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
         elif key_spec.startswith("ECC"):
             curve = ECC_CURVES.get(key_spec)
             if key_material:
@@ -442,17 +444,15 @@ class KmsKey:
 
     def derive_shared_secret(self, public_key: bytes) -> bytes:
         key_spec = self.metadata.get("KeySpec")
-        match key_spec:
-            case KeySpec.ECC_NIST_P256 | KeySpec.ECC_SECG_P256K1:
-                algorithm = hashes.SHA256()
-            case KeySpec.ECC_NIST_P384:
-                algorithm = hashes.SHA384()
-            case KeySpec.ECC_NIST_P521:
-                algorithm = hashes.SHA512()
-            case _:
-                raise InvalidKeyUsageException(
-                    f"{self.metadata['Arn']} key usage is {self.metadata['KeyUsage']} which is not valid for DeriveSharedSecret."
-                )
+        if key_spec not in (
+            KeySpec.ECC_NIST_P256,
+            KeySpec.ECC_SECG_P256K1,
+            KeySpec.ECC_NIST_P384,
+            KeySpec.ECC_NIST_P521,
+        ):
+            raise InvalidKeyUsageException(
+                f"{self.metadata['Arn']} key usage is {self.metadata['KeyUsage']} which is not valid for DeriveSharedSecret."
+            )
 
         # Deserialize public key from DER encoded data to EllipticCurvePublicKey.
         try:
@@ -460,14 +460,7 @@ class KmsKey:
         except (UnsupportedAlgorithm, ValueError):
             raise ValidationException("")
         shared_secret = self.crypto_key.key.exchange(ec.ECDH(), pub_key)
-        # Perform shared secret derivation.
-        return HKDF(
-            algorithm=algorithm,
-            salt=None,
-            info=b"",
-            length=algorithm.digest_size,
-            backend=default_backend(),
-        ).derive(shared_secret)
+        return shared_secret
 
     # This method gets called when a key is replicated to another region. It's meant to populate the required metadata
     # fields in a new replica key.
@@ -646,7 +639,8 @@ class KmsKey:
         # https://docs.aws.amazon.com/kms/latest/APIReference/API_TagResource.html
         # "To edit a tag, specify an existing tag key and a new tag value."
         for i, tag in enumerate(tags, start=1):
-            validate_tag(i, tag)
+            if tag.get("TagKey") != TAG_KEY_CUSTOM_KEY_MATERIAL:
+                validate_tag(i, tag)
             self.tags[tag.get("TagKey")] = tag.get("TagValue")
 
     def schedule_key_deletion(self, pending_window_in_days: int) -> None:

localstack/services/kms/provider.py

@@ -138,6 +138,7 @@ from localstack.services.kms.utils import (
     validate_alias_name,
 )
 from localstack.services.plugins import ServiceLifecycleHook
+from localstack.state import StateVisitor
 from localstack.utils.aws.arns import get_partition, kms_alias_arn, parse_arn
 from localstack.utils.collections import PaginatedList
 from localstack.utils.common import select_attributes
@@ -201,6 +202,9 @@ class KmsProvider(KmsApi, ServiceLifecycleHook):
     - VerifyMac
     """
 
+    def accept_state_visitor(self, visitor: StateVisitor):
+        visitor.visit(kms_stores)
+
     #
     # Helpers
     #

localstack/services/lambda_/analytics.py

@@ -14,9 +14,10 @@ function_counter = LabeledCounter(
         "status",
         "runtime",
         "package_type",
-        # only for operation "invoke"
-        "invocation_type",
+        "invocation_type",  # only for operation "invoke", otherwise "n/a"
+        "initialization_type",
     ],
+    schema_version=2,
 )
 
 
@@ -38,6 +39,14 @@ class FunctionStatus(StrEnum):
     invocation_error = "invocation_error"
 
 
+class FunctionInitializationType(StrEnum):
+    # Maps to the Lambda environment variable AWS_LAMBDA_INITIALIZATION_TYPE
+    on_demand = "on-demand"
+    lambda_managed_instances = "lambda-managed-instances"
+    # Only applies to the operation "invoke" because provisioned concurrency is not configured on "create"
+    provisioned_concurrency = "provisioned-concurrency"
+
+
 esm_counter = LabeledCounter(namespace=NAMESPACE, name="esm", labels=["source", "status"])
 
 

localstack/services/lambda_/api_utils.py

@@ -3,6 +3,8 @@ Everything related to behavior or implicit functionality goes into `lambda_utils
 """
 
 import datetime
+import hashlib
+import json
 import random
 import re
 import string
@@ -62,13 +64,14 @@ DESTINATION_ARN_PATTERN = re.compile(
     r"^$|arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\-])+:([a-z]{2}(-gov)?-[a-z]+-\d{1})?:(\d{12})?:(.*)"
 )
 
+# TODO: what's the difference between AWS_FUNCTION_NAME_REGEX and FUNCTION_NAME_REGEX? Can we unify?
 AWS_FUNCTION_NAME_REGEX = re.compile(
-    "^(arn:(aws[a-zA-Z-]*)?:lambda:)?([a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:)?(\\d{12}:)?(function:)?([a-zA-Z0-9-_.]+)(:(\\$LATEST|[a-zA-Z0-9-_]+))?$"
+    "^(arn:(aws[a-zA-Z-]*)?:lambda:)?([a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:)?(\\d{12}:)?(function:)?([a-zA-Z0-9-_.]+)(:(\\$LATEST(\\.PUBLISHED)?|[a-zA-Z0-9-_]+))?$"
 )
 
 # Pattern for extracting various attributes from a full or partial ARN or just a function name.
 FUNCTION_NAME_REGEX = re.compile(
-    r"(arn:(aws[a-zA-Z-]*):lambda:)?((?P<region>[a-z]{2}(-gov)?-[a-z]+-\d{1}):)?(?:(?P<account>\d{12}):)?(function:)?(?P<name>[a-zA-Z0-9-_\.]+)(:(?P<qualifier>\$LATEST|[a-zA-Z0-9-_]+))?"
+    r"(arn:(aws[a-zA-Z-]*):lambda:)?((?P<region>[a-z]{2}(-gov)?-[a-z]+-\d{1}):)?(?:(?P<account>\d{12}):)?(function:)?(?P<name>[a-zA-Z0-9-_\.]+)(:(?P<qualifier>\$LATEST(\.PUBLISHED)?|[a-zA-Z0-9-_]+))?"
 )  # also length 1-170 incl.
 # Pattern for a lambda function handler
 HANDLER_REGEX = re.compile(r"[^\s]+")
@@ -86,9 +89,11 @@ SIGNING_JOB_ARN_REGEX = re.compile(
 SIGNING_PROFILE_VERSION_ARN_REGEX = re.compile(
     r"arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\-])+:([a-z]{2}(-gov)?-[a-z]+-\d{1})?:(\d{12})?:(.*)"
 )
-# Combined pattern for alias and version based on AWS error using "(|[a-zA-Z0-9$_-]+)"
-QUALIFIER_REGEX = re.compile(r"(^[a-zA-Z0-9$_-]+$)")
+# Combined pattern for alias and version based on AWS error using "\\$(LATEST(\\.PUBLISHED)?)|[a-zA-Z0-9-_$]+"
+# This regex is based on the snapshotted validation message, just removing the double \\ before $LATEST
+QUALIFIER_REGEX = re.compile(r"^\$(LATEST(\\.PUBLISHED)?)|[a-zA-Z0-9-_$]+$")
 # Pattern for a version qualifier
+# TODO: do we need to consider $LATEST.PUBLISHED here?
 VERSION_REGEX = re.compile(r"^[0-9]+$")
 # Pattern for an alias qualifier
 # Rules: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateAlias.html#SSS-CreateAlias-request-Name
@@ -107,36 +112,42 @@ LAMBDA_DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%f+0000"
 # An unordered list of all Lambda CPU architectures supported by LocalStack.
 ARCHITECTURES = [Architecture.arm64, Architecture.x86_64]
 
-# ARN pattern returned in validation exception messages.
-# Some excpetions from AWS return a '\.' in the function name regex
-# pattern therefore we can sub this value in when appropriate.
-ARN_NAME_PATTERN_VALIDATION_TEMPLATE = "(arn:(aws[a-zA-Z-]*)?:lambda:)?([a-z]{{2}}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{{1}}:)?(\\d{{12}}:)?(function:)?([a-zA-Z0-9-_{0}]+)(:(\\$LATEST|[a-zA-Z0-9-_]+))?"
+# ARN patterns returned in validation exception messages
+ARN_NAME_PATTERN_GET = r"(arn:(aws[a-zA-Z-]*)?:lambda:)?((eusc-)?[a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\d{1}:)?(\d{12}:)?(function:)?([a-zA-Z0-9-_\.]+)(:(\$LATEST(\.PUBLISHED)?|[a-zA-Z0-9-_]+))?"
+ARN_NAME_PATTERN_CREATE = r"(arn:(aws[a-zA-Z-]*)?:lambda:)?((eusc-)?[a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\d{1}:)?(\d{12}:)?(function:)?([a-zA-Z0-9-_]+)(:(\$LATEST|[a-zA-Z0-9-_]+))?"
 
 # AWS response when invalid ARNs are used in Tag operations.
-TAGGABLE_RESOURCE_ARN_PATTERN = "arn:(aws[a-zA-Z-]*):lambda:[a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:\\d{12}:(function:[a-zA-Z0-9-_]+(:(\\$LATEST|[a-zA-Z0-9-_]+))?|layer:([a-zA-Z0-9-_]+)|code-signing-config:csc-[a-z0-9]{17}|event-source-mapping:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"
+TAGGABLE_RESOURCE_ARN_PATTERN = "arn:(aws[a-zA-Z-]*):lambda:(eusc-)?[a-z]{2}((-gov)|(-iso([a-z]?)))?-[a-z]+-\\d{1}:\\d{12}:(function:[a-zA-Z0-9-_]+(:(\\$LATEST|[a-zA-Z0-9-_]+))?|layer:([a-zA-Z0-9-_]+)|code-signing-config:csc-[a-z0-9]{17}|event-source-mapping:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|capacity-provider:[a-zA-Z0-9-_]+)"
 
 
 def validate_function_name(function_name_or_arn: str, operation_type: str):
     function_name, *_ = function_locators_from_arn(function_name_or_arn)
-    arn_name_pattern = ARN_NAME_PATTERN_VALIDATION_TEMPLATE.format("")
+    arn_name_pattern = ARN_NAME_PATTERN_CREATE
     max_length = 170
 
-    match operation_type:
-        case "GetFunction" | "Invoke":
-            arn_name_pattern = ARN_NAME_PATTERN_VALIDATION_TEMPLATE.format(r"\.")
-        case "CreateFunction" if function_name == function_name_or_arn:  # only a function name
+    if operation_type == "GetFunction" or operation_type == "Invoke":
+        arn_name_pattern = ARN_NAME_PATTERN_GET
+    elif operation_type == "CreateFunction":
+        # https://docs.aws.amazon.com/lambda/latest/api/API_CreateFunction.html#lambda-CreateFunction-request-FunctionName
+        if function_name == function_name_or_arn:  # only a function name
             max_length = 64
-        case "CreateFunction" | "DeleteFunction":
+        else:  # full or partial ARN
             max_length = 140
+    elif operation_type == "DeleteFunction":
+        max_length = 140
+        arn_name_pattern = ARN_NAME_PATTERN_GET
 
     validations = []
-    if len(function_name_or_arn) > max_length:
-        constraint = f"Member must have length less than or equal to {max_length}"
+    if not AWS_FUNCTION_NAME_REGEX.match(function_name_or_arn) or not function_name:
+        constraint = f"Member must satisfy regular expression pattern: {arn_name_pattern}"
         validation_msg = f"Value '{function_name_or_arn}' at 'functionName' failed to satisfy constraint: {constraint}"
         validations.append(validation_msg)
+        if not operation_type == "CreateFunction":
+            # Immediately raises rather than summarizing all validations, except for CreateFunction
+            return validations
 
-    if not AWS_FUNCTION_NAME_REGEX.match(function_name_or_arn) or not function_name:
-        constraint = f"Member must satisfy regular expression pattern: {arn_name_pattern}"
+    if len(function_name_or_arn) > max_length:
+        constraint = f"Member must have length less than or equal to {max_length}"
         validation_msg = f"Value '{function_name_or_arn}' at 'functionName' failed to satisfy constraint: {constraint}"
         validations.append(validation_msg)
 
@@ -154,7 +165,7 @@ def validate_qualifier(qualifier: str):
         validations.append(validation_msg)
 
     if not QUALIFIER_REGEX.match(qualifier):
-        constraint = "Member must satisfy regular expression pattern: (|[a-zA-Z0-9$_-]+)"
+        constraint = "Member must satisfy regular expression pattern: \\$(LATEST(\\.PUBLISHED)?)|[a-zA-Z0-9-_$]+"
         validation_msg = (
             f"Value '{qualifier}' at 'qualifier' failed to satisfy constraint: {constraint}"
         )
@@ -571,6 +582,12 @@ def map_config_out(
         optional_kwargs["CodeSize"] = 0
         optional_kwargs["CodeSha256"] = version.config.image.code_sha256
 
+    if version.config.CapacityProviderConfig:
+        optional_kwargs["CapacityProviderConfig"] = version.config.CapacityProviderConfig
+        data = json.dumps(version.config.CapacityProviderConfig, sort_keys=True).encode("utf-8")
+        config_sha_256 = hashlib.sha256(data).hexdigest()
+        optional_kwargs["ConfigSha256"] = config_sha_256
+
     # output for an alias qualifier is completely the same except for the returned ARN
     if alias_name:
         function_arn = f"{':'.join(version.id.qualified_arn().split(':')[:-1])}:{alias_name}"

localstack/services/lambda_/event_source_mapping/pollers/stream_poller.py

@@ -36,7 +36,7 @@ from localstack.services.lambda_.event_source_mapping.senders.sender_utils impor
 )
 from localstack.utils.aws.arns import parse_arn, s3_bucket_name
 from localstack.utils.backoff import ExponentialBackoff
-from localstack.utils.batch_policy import Batcher
+from localstack.utils.batching import Batcher
 from localstack.utils.strings import long_uid
 
 LOG = logging.getLogger(__name__)

localstack/services/lambda_/invocation/assignment.py

@@ -88,9 +88,12 @@ class AssignmentService(OtherServiceEndpoint):
         self, version_manager_id: str, function_version: FunctionVersion
     ) -> ExecutionEnvironment:
         LOG.debug("Starting new environment")
+        initialization_type = "on-demand"
+        if function_version.config.CapacityProviderConfig:
+            initialization_type = "lambda-managed-instances"
         execution_environment = ExecutionEnvironment(
             function_version=function_version,
-            initialization_type="on-demand",
+            initialization_type=initialization_type,
             on_timeout=self.on_timeout,
             version_manager_id=version_manager_id,
         )

localstack/services/lambda_/invocation/event_manager.py

@@ -13,6 +13,7 @@ from botocore.config import Config
 from localstack import config
 from localstack.aws.api.lambda_ import InvocationType, TooManyRequestsException
 from localstack.services.lambda_.analytics import (
+    FunctionInitializationType,
     FunctionOperation,
     FunctionStatus,
     function_counter,
@@ -198,22 +199,22 @@ class Poller:
     def handle_message(self, message: dict) -> None:
         failure_cause = None
         qualifier = self.version_manager.function_version.id.qualifier
+        function_config = self.version_manager.function_version.config
         event_invoke_config = self.version_manager.function.event_invoke_configs.get(qualifier)
         runtime = None
         status = None
+        # TODO: handle initialization_type provisioned-concurrency, which requires enriching invocation_result
+        initialization_type = (
+            FunctionInitializationType.lambda_managed_instances
+            if function_config.CapacityProviderConfig
+            else FunctionInitializationType.on_demand
+        )
         try:
             sqs_invocation = SQSInvocation.decode(message["Body"])
             invocation = sqs_invocation.invocation
             try:
                 invocation_result = self.version_manager.invoke(invocation=invocation)
-                function_config = self.version_manager.function_version.config
-                function_counter.labels(
-                    operation=FunctionOperation.invoke,
-                    runtime=function_config.runtime or "n/a",
-                    status=FunctionStatus.success,
-                    invocation_type=InvocationType.Event,
-                    package_type=function_config.package_type,
-                ).increment()
+                status = FunctionStatus.success
             except Exception as e:
                 # Reserved concurrency == 0
                 if self.version_manager.function.reserved_concurrent_executions == 0:
@@ -223,6 +224,7 @@ class Poller:
                 elif not has_enough_time_for_retry(sqs_invocation, event_invoke_config):
                     failure_cause = "EventAgeExceeded"
                     status = FunctionStatus.event_age_exceeded_error
+
                 if failure_cause:
                     invocation_result = InvocationResult(
                         is_error=True, request_id=invocation.request_id, payload=None, logs=None
@@ -240,14 +242,14 @@ class Poller:
                 sqs_client.delete_message(
                     QueueUrl=self.event_queue_url, ReceiptHandle=message["ReceiptHandle"]
                 )
-                # status MUST be set before returning
-                package_type = self.version_manager.function_version.config.package_type
+                assert status, "status MUST be set before returning"
                 function_counter.labels(
                     operation=FunctionOperation.invoke,
                     runtime=runtime or "n/a",
                     status=status,
                     invocation_type=InvocationType.Event,
-                    package_type=package_type,
+                    package_type=function_config.package_type,
+                    initialization_type=initialization_type,
                 ).increment()
 
             # Good summary blogpost: https://haithai91.medium.com/aws-lambdas-retry-behaviors-edff90e1cf1b
@@ -257,6 +259,8 @@ class Poller:
             if event_invoke_config and event_invoke_config.maximum_retry_attempts is not None:
                 max_retry_attempts = event_invoke_config.maximum_retry_attempts
 
+            assert invocation_result, "Invocation result MUST exist if we are not returning before"
+
             # An invocation error either leads to a terminal failure or to a scheduled retry
             if invocation_result.is_error:  # invocation error
                 failure_cause = None

localstack/services/lambda_/invocation/execution_environment.py

@@ -8,6 +8,7 @@ from enum import Enum, auto
 from threading import RLock, Timer
 
 from localstack import config
+from localstack.aws.api.lambda_ import LogFormat
 from localstack.aws.connect import connect_to
 from localstack.services.lambda_.invocation.lambda_models import (
     Credentials,
@@ -149,6 +150,22 @@ class ExecutionEnvironment:
             # LOCALSTACK_USER conditionally added below
         }
         # Conditionally added environment variables
+        # Lambda advanced logging controls:
+        # https://aws.amazon.com/blogs/compute/introducing-advanced-logging-controls-for-aws-lambda-functions/
+        logging_config = self.function_version.config.logging_config
+        if logging_config.get("LogFormat") == LogFormat.JSON:
+            env_vars["AWS_LAMBDA_LOG_FORMAT"] = logging_config["LogFormat"]
+            # TODO: test this (currently not implemented in LocalStack)
+            env_vars["AWS_LAMBDA_LOG_LEVEL"] = logging_config["ApplicationLogLevel"].capitalize()
+        # Lambda Managed Instances
+        if capacity_provider_config := self.function_version.config.CapacityProviderConfig:
+            # Disable dropping privileges for parity
+            # TODO: implement mixed permissions (maybe in RIE)
+            # env_vars["LOCALSTACK_USER"] = "root"
+            env_vars["AWS_LAMBDA_MAX_CONCURRENCY"] = capacity_provider_config[
+                "LambdaManagedInstancesCapacityProviderConfig"
+            ]["PerExecutionEnvironmentMaxConcurrency"]
+            env_vars["TZ"] = ":/etc/localtime"
         if not config.LAMBDA_DISABLE_AWS_ENDPOINT_URL:
             env_vars["AWS_ENDPOINT_URL"] = (
                 f"http://{self.runtime_executor.get_endpoint_from_executor()}:{config.GATEWAY_LISTEN[0].port}"
@@ -159,8 +176,6 @@ class ExecutionEnvironment:
         # Will be overridden by the runtime itself unless it is a provided runtime
         if self.function_version.config.runtime:
             env_vars["AWS_EXECUTION_ENV"] = "AWS_Lambda_rapid"
-        if self.function_version.config.environment:
-            env_vars.update(self.function_version.config.environment)
         if config.LAMBDA_INIT_DEBUG:
             # Disable dropping privileges because it breaks debugging
             env_vars["LOCALSTACK_USER"] = "root"
@@ -175,6 +190,10 @@ class ExecutionEnvironment:
             env_vars["LOCALSTACK_MAX_PAYLOAD_SIZE"] = int(
                 config.LAMBDA_LIMITS_MAX_FUNCTION_PAYLOAD_SIZE_BYTES
             )
+
+        # Let users overwrite any environment variable at last (if they want so)
+        if self.function_version.config.environment:
+            env_vars.update(self.function_version.config.environment)
         return env_vars
 
     # Lifecycle methods

localstack/services/lambda_/invocation/lambda_models.py

@@ -12,7 +12,7 @@ import threading
 from abc import ABCMeta, abstractmethod
 from datetime import datetime
 from pathlib import Path
-from typing import IO, Literal, TypedDict
+from typing import IO, Literal, Optional, TypedDict
 
 import boto3
 from botocore.exceptions import ClientError
@@ -22,12 +22,20 @@ from localstack.aws.api import CommonServiceException
 from localstack.aws.api.lambda_ import (
     AllowedPublishers,
     Architecture,
+    CapacityProviderArn,
+    CapacityProviderConfig,
+    CapacityProviderPermissionsConfig,
+    CapacityProviderScalingConfig,
+    CapacityProviderVpcConfig,
     CodeSigningPolicies,
     Cors,
     DestinationConfig,
+    FunctionScalingConfig,
     FunctionUrlAuthType,
+    InstanceRequirements,
     InvocationType,
     InvokeMode,
+    KMSKeyArn,
     LastUpdateStatus,
     LoggingConfig,
     PackageType,
@@ -38,12 +46,14 @@ from localstack.aws.api.lambda_ import (
     SnapStartResponse,
     State,
     StateReasonCode,
+    Timestamp,
     TracingMode,
 )
 from localstack.aws.connect import connect_to
 from localstack.constants import AWS_REGION_US_EAST_1, INTERNAL_AWS_SECRET_ACCESS_KEY
 from localstack.services.lambda_.api_utils import qualified_lambda_arn, unqualified_lambda_arn
 from localstack.utils.archives import unzip
+from localstack.utils.files import chmod_r
 from localstack.utils.strings import long_uid, short_uid
 
 LOG = logging.getLogger(__name__)
@@ -212,6 +222,7 @@ class S3Code(ArchiveCode):
             with tempfile.NamedTemporaryFile() as file:
                 self._download_archive_to_file(file)
                 unzip(file.name, str(target_path))
+                chmod_r(str(target_path), 0o755)
 
     def destroy_cached(self) -> None:
         """
@@ -331,7 +342,7 @@ class VpcConfig:
 @dataclasses.dataclass(frozen=True)
 class UpdateStatus:
     status: LastUpdateStatus | None
-    code: str | None = None  # TODO: probably not a string
+    code: str | None = None
     reason: str | None = None
 
 
@@ -568,6 +579,9 @@ class VersionFunctionConfiguration:
     vpc_config: VpcConfig | None = None
 
     logging_config: LoggingConfig = dataclasses.field(default_factory=dict)
+    # TODO: why does `CapacityProviderConfig | None = None` fail with on Python 3.13.9:
+    #  TypeError: unsupported operand type(s) for |: 'NoneType' and 'NoneType'
+    CapacityProviderConfig: Optional[CapacityProviderConfig] = None  # noqa
 
 
 @dataclasses.dataclass(frozen=True)
@@ -580,6 +594,18 @@ class FunctionVersion:
         return self.id.qualified_arn()
 
 
+@dataclasses.dataclass
+class CapacityProvider:
+    CapacityProviderArn: CapacityProviderArn
+    # State is determined dynamically
+    VpcConfig: CapacityProviderVpcConfig
+    PermissionsConfig: CapacityProviderPermissionsConfig
+    InstanceRequirements: InstanceRequirements
+    CapacityProviderScalingConfig: CapacityProviderScalingConfig
+    LastModified: Timestamp
+    KmsKeyArn: KMSKeyArn | None = None
+
+
 @dataclasses.dataclass
 class Function:
     function_name: str
@@ -600,6 +626,9 @@ class Function:
     provisioned_concurrency_configs: dict[str, ProvisionedConcurrencyConfiguration] = (
         dataclasses.field(default_factory=dict)
     )
+    function_scaling_configs: dict[str, FunctionScalingConfig] = dataclasses.field(
+        default_factory=dict
+    )
 
     lock: threading.RLock = dataclasses.field(default_factory=threading.RLock)
     next_version: int = 1