feature: sync with aws cookbook 4.5.1 (#23)

---------

Co-authored-by: Ran Isenberg <[email protected]>

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022 Ran Isenberg
+Copyright (c) 2024 Ran Isenberg
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -11,7 +11,7 @@
 
 This project can serve as a cookiecutter template for new Serverless services - CDK deployment code, pipeline and handler are covered with best practices built in.
 <br></br>
-The project is based on my [AWS Lambda Cookbook template project](https://github.com/ran-isenberg/aws-lambda-handler-cookbook):
+The project is based on my [AWS Lambda Cookbook template project](https://github.com/ran-isenberg/aws-lambda-handler-cookbook) and synced to version 4.5.1:
 
 [![license](https://img.shields.io/github/license/ran-isenberg/aws-lambda-handler-cookbook)](https://github.com/ran-isenberg/aws-lambda-handler-cookbook/blob/master/LICENSE)
 ![PythonSupport](https://img.shields.io/static/v1?label=python&message=3.11&color=blue?style=flat-square&logo=python)
@@ -81,15 +81,18 @@ The documentation provides information about CDK deployment, makefile commands,
 - Python Serverless service with a recommended file structure.
 - CDK infrastructure with infrastructure tests and security tests.
 - CI/CD pipelines based on Github actions that deploys to AWS with python linters, complexity checks and style formatters.
-- CI/CD pipeline deploys to dev/staging and production environment with different gates between each environment
+- CI/CD pipeline deploys to dev/staging and production environments with different gates between each environment
 - Makefile for simple developer experience.
 - The AWS Lambda handler embodies Serverless best practices and has all the bells and whistles for a proper production ready handler.
 - AWS Lambda handler uses [AWS Lambda Powertools](https://docs.powertools.aws.dev/lambda-python/).
 - AWS Lambda handler 3 layer architecture: handler layer, logic layer and data access layer
 - Features flags and configuration based on AWS AppConfig
 - Idempotent API
+- REST API protected by WAF with four AWS managed rules in production deployment
 - CloudWatch dashboards - High level and low level including CloudWatch alarms
 - Unit, infrastructure, security, integration and end to end tests.
+- Automatically generated OpenAPI endpoint: /swagger with Pydnatic schemas for both requests and responses
+- CI swagger protection - fails the PR if your swagger JSON file (stored at docs/swagger/openapi.json) is out of date
 <br></br>
 
 ## CDK Deployment

{{cookiecutter.repo_name}}/.github/workflows/codeql-analysis.yml.yml

@@ -43,11 +43,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +60,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -73,6 +73,6 @@ jobs:
       #     ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
         with:
           category: "/language:${{matrix.language}}"

{{cookiecutter.repo_name}}/.github/workflows/main-serverless-service.yml

@@ -34,16 +34,16 @@ jobs:
           BRANCH_NAME: ${{ github.ref }}
           REPO_NAME: ${{ github.repository }}
       - name: Check out repository code
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Install poetry
         run: pipx install poetry
       - name: Set up Python
-        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: "poetry" # NOTE: poetry must be installed before this step, or else cache doesn't work
       - name: Set up Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: "npm"
@@ -73,9 +73,10 @@ jobs:
       - name: Codecov
         uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
         with:
+          token: ${{ secrets.CODECOV_TOKEN }}
           files: ./coverage.xml
-          fail_ci_if_error: false # optional (default = false)
-          verbose: false # optional (default = false)
+          fail_ci_if_error: yes # optional (default = false)
+          verbose: yes # optional (default = false)
       - name: Run E2E tests
         run: make e2e
         env:
@@ -99,16 +100,16 @@ jobs:
           BRANCH_NAME: ${{ github.ref }}
           REPO_NAME: ${{ github.repository }}
       - name: Check out repository code
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Install poetry
         run: pipx install poetry
       - name: Set up Python
-        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: "poetry" # NOTE: poetry must be installed before this step, or else cache doesn't work
       - name: Set up Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: "npm"
@@ -138,13 +139,13 @@ jobs:
     if: contains('refs/heads/main', github.ref)
     steps:
       - name: Check out repository code
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Set up Python
-        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
       - name: Set up Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: "npm"

{{cookiecutter.repo_name}}/.github/workflows/pr-serverless-service.yml

@@ -31,11 +31,11 @@ jobs:
           BRANCH_NAME: ${{ github.ref }}
           REPO_NAME: ${{ github.repository }}
       - name: Check out repository code
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Install poetry
         run: pipx install poetry
       - name: Set up Python
-        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: "poetry" # NOTE: poetry must be installed before this step, or else cache doesn't work
@@ -55,16 +55,16 @@ jobs:
       id-token: write # required for requesting the JWT (GitHub OIDC)
     steps:
       - name: Check out repository code
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Install poetry
         run: pipx install poetry
       - name: Set up Python
-        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: "poetry" # NOTE: poetry must be installed before this step, or else cache doesn't work
       - name: Set up Node
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: "npm"
@@ -94,11 +94,14 @@ jobs:
       - name: Codecov
         uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
         with:
+          token: ${{ secrets.CODECOV_TOKEN }}
           files: ./coverage.xml
-          fail_ci_if_error: false # optional (default = false)
-          verbose: false # optional (default = false)
+          fail_ci_if_error: yes # optional (default = false)
+          verbose: yes # optional (default = false)
       - name: Run E2E tests
         run: make e2e
+      - name: Validate OpenAPI Documentation
+        run: make compare-openapi
       - name: Destroy stack
         if: always()
         run: make destroy

{{cookiecutter.repo_name}}/.github/workflows/scorecard.yml

@@ -32,12 +32,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -59,14 +59,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        uses: github/codeql-action/upload-sarif@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12
         with:
           sarif_file: results.sarif

{{cookiecutter.repo_name}}/.gitignore

@@ -250,3 +250,4 @@ dev_requirements.txt
 lambda_requirements.txt
 .dccache
 node_modules/
+.ruff_cache

{{cookiecutter.repo_name}}/.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 ---
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.0.1
+    rev: v4.5.0
     hooks:
       - id: trailing-whitespace
         name: Ensure that code don't have trailing whitespace
@@ -24,3 +24,11 @@ repos:
         name: Tests should begin with test_
         args: ["--django"]
         exclude: "^(?!helpers/)"
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    # Ruff version.
+    rev: v0.1.15
+    hooks:
+      # Run the Ruff linter.
+      - id: ruff
+      # Run the Ruff formatter.
+      - id: ruff-format

{{cookiecutter.repo_name}}/Makefile

@@ -1,26 +1,27 @@
-.PHONY: dev lint complex coverage pre-commit sort deploy destroy deps unit infra-tests integration e2e coverage-tests docs lint-docs build format
+.PHONY: dev lint complex coverage pre-commit sort deploy destroy deps unit infra-tests integration e2e coverage-tests docs lint-docs build format compare-openapi openapi
 PYTHON := ".venv/bin/python3"
-
 .ONESHELL:  # run all commands in a single shell, ensuring it runs within a local virtual env
+
+OPENAPI_DIR := ./docs/swagger
+CURRENT_OPENAPI := $(OPENAPI_DIR)/openapi.json
+LATEST_OPENAPI := openapi_latest.json
+
+
 dev:
 	pip install --upgrade pip pre-commit poetry
 	pre-commit install
 # ensures poetry creates a local virtualenv (.venv)
 	poetry config --local virtualenvs.in-project true
-	poetry install
+	poetry install --no-root
 	npm ci
 
-format-fix:
-	poetry run isort .
-	poetry run yapf -vv --style=./.style -r --in-place .
-
 format:
-	poetry run isort .
-	poetry run yapf -d -vv --style=./.style -r .
+	poetry run ruff check . --fix
+
+format-fix:
+	poetry run ruff format .
 
 lint: format
-	@echo "Running flake8"
-	poetry run flake8 {{cookiecutter.service_name}}/* cdk/* tests/*
 	@echo "Running mypy"
 	$(MAKE) mypy-lint
 
@@ -34,32 +35,32 @@ pre-commit:
 	poetry run pre-commit run -a --show-diff-on-failure
 
 mypy-lint:
-	poetry run mypy --pretty {{cookiecutter.service_name}} cdk tests
+	poetry run mypy --pretty service cdk tests
 
 deps:
 	poetry export --only=dev --format=requirements.txt > dev_requirements.txt
 	poetry export --without=dev --format=requirements.txt > lambda_requirements.txt
 
 unit:
-	poetry run pytest tests/unit  --cov-config=.coveragerc --cov={{cookiecutter.service_name}} --cov-report xml
+	poetry run pytest tests/unit  --cov-config=.coveragerc --cov=service --cov-report xml
 
 build: deps
-	mkdir -p .build/lambdas ; cp -r {{cookiecutter.service_name}} .build/lambdas
+	mkdir -p .build/lambdas ; cp -r service .build/lambdas
 	mkdir -p .build/common_layer ; poetry export --without=dev --format=requirements.txt > .build/common_layer/requirements.txt
 
 infra-tests: build
 	poetry run pytest tests/infrastructure
 
 integration:
-	poetry run pytest tests/integration  --cov-config=.coveragerc --cov={{cookiecutter.service_name}} --cov-report xml
+	poetry run pytest tests/integration  --cov-config=.coveragerc --cov=service --cov-report xml
 
 e2e:
-	poetry run pytest tests/e2e  --cov-config=.coveragerc --cov={{cookiecutter.service_name}} --cov-report xml
+	poetry run pytest tests/e2e  --cov-config=.coveragerc --cov=service --cov-report xml
 
-pr: deps pre-commit complex lint lint-docs unit deploy coverage-tests e2e
+pr: deps format pre-commit complex lint lint-docs unit deploy coverage-tests e2e openapi
 
 coverage-tests:
-	poetry run pytest tests/unit tests/integration  --cov-config=.coveragerc --cov={{cookiecutter.service_name}} --cov-report xml
+	poetry run pytest tests/unit tests/integration  --cov-config=.coveragerc --cov=service --cov-report xml
 
 deploy: build
 	npx cdk deploy --app="${PYTHON} ${PWD}/app.py" --require-approval=never
@@ -78,4 +79,19 @@ watch:
 
 update-deps:
 	poetry update
+	pre-commit autoupdate
 	npm i --package-lock-only
+
+openapi:
+	poetry run python generate_openapi.py
+
+compare-openapi:
+	poetry run python generate_openapi.py --out-destination '.' --out-filename 'openapi_latest.json'
+	@if cmp --silent $(CURRENT_OPENAPI) $(LATEST_OPENAPI); then \
+		rm $(LATEST_OPENAPI); \
+		echo "Swagger file is up to date"; \
+	else \
+		echo "Swagger files are not equal, did you run 'make pr' or 'make openapi'?"; \
+		rm $(LATEST_OPENAPI); \
+		exit 1; \
+	fi