Releases · timpugh/lambda-powertools-reference
v1.0.1 — Documentation patch
Documentation-only release. No code or infrastructure changes.
Highlights:
- AWS architecture diagram embedded at the top of the README, generated via the deploy-on-aws Claude Code plugin's aws-architecture-diagram skill. Source committed at docs/architecture.drawio; rendered PNG at docs/architecture.png. Covers the request path, Lambda's config/state dependencies, the audit + access-log analytics pipeline, and the auxiliary observability layer. Ten numbered steps + right-side legend.
- CHANGELOG.md auto-generated from conventional-commit history via git-cliff (cliff.toml). Dependabot bumps and merge commits filtered out so the changelog reflects feature/fix/docs/CI history rather than dependency churn.
- README "Commit message convention" section documents the git-cliff workflow and mentions Commitizen as an optional author-time enforcer for forks that want it.
- "Worth flagging if forked for a real workload" section adds ggshield (full-history secret scanning), a pointer to Renovate's post-upgrade tasks feature, and CloudEvents (event-format spec to adopt up front if a fork ever introduces async event sources).
v1.0.0 — First stable release
A production-grade AWS CDK reference architecture for Lambda + Powertools
serverless applications.
Highlights:
- Three-stack composition (WAF, backend, frontend) inside a cdk.Stage, with cross-region WAF reference support.
- CMK encryption end-to-end on every resource that supports a per-resource key: DynamoDB, Lambda env vars, all log groups, frontend S3 bucket, AppConfig hosted configuration content, SQS DLQs, and CloudTrail trail log files. Account/region-wide encryption settings (X-Ray, Glue catalog) deliberately out of scope per the forkability constraints.
- Five-rule-pack cdk-nag gating every synth (AwsSolutions, Serverless, NIST 800-53 R5, HIPAA Security, PCI DSS 3.2.1), descending into Stage-nested stacks via the '**' glob.
- Confused-deputy-guarded service-principal grants on every CMK (CloudWatch Logs, CloudTrail, GuardDuty).
- WAF with five managed rule sets + forwarded-IP rate limit, attached to CloudFront.
- CloudTrail with object-level S3 data events on every audited bucket, log-file integrity validation, CMK-encrypted trail log files, and account/source-ARN-scoped bucket-policy Deny statements.
- Async failure destination on every CDK-managed singleton Lambda so CloudFormation provider crashes preserve their event envelope to SQS.
- Supply-chain hygiene: pip-audit + bandit + hash-pinned actions + grouped Dependabot updates + uv.lock <-> lambda/requirements.txt drift check in CI + v1.0 safety nets (detect-private-key, check-merge-conflict, check-added-large-files).
- CloudWatch RUM browser telemetry joined to backend X-Ray traces via cwr's client-side X-Ray segment integration.
- Athena + Glue access-log analytics with per-object SSE-KMS overrides on query results.
- Powertools idempotency on the application Lambda with caller-supplied Idempotency-Key header enforcement (raise_on_no_idempotency_key=True).
- Zensical-built HTML documentation deployed to GitHub Pages on every push to main, with OpenAPI spec regenerated from the live handler.
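The "confused-deputy-guarded service-principal grants" bullet refers to the `aws:SourceAccount` / `aws:SourceArn` condition pattern on a key policy. The following is an added example and not the project's CDK code: it builds that statement shape as plain JSON, evaluates constructed requests against it to show why the guard matters, and lints a key policy for service-principal statements that lack it. The account IDs, trail ARNs and Sids are constructed placeholders.

```python
"""Confused-deputy guard on a KMS key policy (added example, not project code).

A service principal such as cloudtrail.amazonaws.com is shared by every AWS
customer. Without the SourceAccount/SourceArn conditions, a trail in another
account could ask the same service to use this key. The helpers below build
the guarded statement, evaluate it, and flag unguarded statements.
"""
import fnmatch
import json

KEY_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]


def service_principal_grant(sid: str, service: str, account_id: str,
                            source_arn_pattern: str) -> dict:
    """Allow `service` to use the key only on behalf of `account_id`
    and only for resources matching `source_arn_pattern` (ArnLike wildcard)."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": service},
        "Action": KEY_USE_ACTIONS,
        "Resource": "*",  # key policies always target the key itself
        "Condition": {
            "StringEquals": {"aws:SourceAccount": account_id},
            "ArnLike": {"aws:SourceArn": source_arn_pattern},
        },
    }


def statement_allows(stmt: dict, service: str, source_account: str,
                     source_arn: str) -> bool:
    """Tiny evaluator for the statement shape above (not a full IAM engine)."""
    if stmt.get("Principal", {}).get("Service") != service:
        return False
    cond = stmt.get("Condition", {})
    if cond.get("StringEquals", {}).get("aws:SourceAccount") != source_account:
        return False
    pattern = cond.get("ArnLike", {}).get("aws:SourceArn")
    # ArnLike '*' matches any run of characters, including ':' and '/'
    if pattern is not None and not fnmatch.fnmatchcase(source_arn, pattern):
        return False
    return True


def unguarded_service_grants(policy: dict) -> list[str]:
    """Sids of Allow statements that grant a Service principal without both
    an aws:SourceAccount and an aws:SourceArn condition."""
    flagged = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) \
                or "Service" not in principal:
            continue
        cond = stmt.get("Condition", {})
        has_account = "aws:SourceAccount" in cond.get("StringEquals", {})
        has_arn = any("aws:SourceArn" in cond.get(op, {})
                      for op in ("ArnLike", "ArnEquals"))
        if not (has_account and has_arn):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def demo_policy() -> dict:
    """Constructed key policy: one guarded CloudTrail grant, one unguarded
    CloudWatch Logs grant (the 'before' shape the lint should catch)."""
    account = "123456789012"  # constructed placeholder account id
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableRootPermissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
             "Action": "kms:*", "Resource": "*"},
            service_principal_grant(
                "AllowCloudTrailGuarded", "cloudtrail.amazonaws.com", account,
                f"arn:aws:cloudtrail:us-east-1:{account}:trail/*"),
            {"Sid": "AllowLogsUnguarded", "Effect": "Allow",
             "Principal": {"Service": "logs.us-east-1.amazonaws.com"},
             "Action": KEY_USE_ACTIONS, "Resource": "*"},
        ],
    }


if __name__ == "__main__":
    policy = demo_policy()
    print(json.dumps(policy, indent=2))
    print("unguarded:", unguarded_service_grants(policy))
```

Running the module prints the constructed policy and reports `AllowLogsUnguarded` as the statement to fix; cdk-nag's rule packs perform a broader version of the same check during synth.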
See TODO.md "Production readiness checklist" for the items a fork
needs to fill in before customer traffic touches it.
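The supply-chain bullet in v1.0.0 mentions a uv.lock <-> lambda/requirements.txt drift check in CI. Below is an added example of such a check, not the project's own script: it reads the `[[package]]` tables of a uv.lock, the `name==version` pins of a pip-style requirements file (with `--hash` continuation lines), and reports any pin that disagrees with the lock. The lock and requirements content embedded below are constructed samples with placeholder hashes.

```python
"""uv.lock <-> requirements.txt drift check (added example, not project code).

Assumes the standard uv.lock layout ([[package]] tables with `name` and
`version` keys) and a pip-compile style requirements file. Only the fields
needed for the comparison are parsed, so no TOML library is required.
"""
import re
import sys

_NAME_RE = re.compile(r'^name\s*=\s*"([^"]+)"')
_VERSION_RE = re.compile(r'^version\s*=\s*"([^"]+)"')


def normalize(name: str) -> str:
    """PEP 503 normalisation: aws_lambda_powertools == aws-lambda-powertools."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_uv_lock(text: str) -> dict[str, str]:
    """Map normalised package name -> locked version from [[package]] tables."""
    versions: dict[str, str] = {}
    name = version = None
    for raw in text.splitlines() + ["[[package]]"]:  # sentinel flushes last table
        line = raw.strip()
        if line == "[[package]]":
            if name and version:
                versions[normalize(name)] = version
            name = version = None
            continue
        if (m := _NAME_RE.match(line)):
            name = m.group(1)
        elif (m := _VERSION_RE.match(line)):
            version = m.group(1)
    return versions


def parse_requirements(text: str) -> dict[str, str]:
    """Map normalised package name -> pinned version from name==version lines."""
    pins: dict[str, str] = {}
    logical = re.sub(r"\\\n", " ", text)  # join backslash continuations
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option
            continue
        spec = line.split()[0]  # drop trailing --hash=... options
        if "==" not in spec:
            raise ValueError(f"unpinned requirement: {spec}")
        name, version = spec.split("==", 1)
        name = re.sub(r"\[.*\]", "", name)  # strip extras such as pkg[extra]
        pins[normalize(name)] = version.split(";")[0].strip()
    return pins


def find_drift(lock_text: str, requirements_text: str) -> list[str]:
    """One-directional check: every pin must exist in the lock at the same version."""
    locked = parse_uv_lock(lock_text)
    pinned = parse_requirements(requirements_text)
    issues = []
    for name, version in sorted(pinned.items()):
        if name not in locked:
            issues.append(f"{name}: pinned {version} but absent from uv.lock")
        elif locked[name] != version:
            issues.append(f"{name}: requirements pin {version} "
                          f"but uv.lock has {locked[name]}")
    return issues


# Constructed sample inputs; versions and hashes are placeholders.
SAMPLE_UV_LOCK = """\
version = 1
requires-python = ">=3.12"

[[package]]
name = "aws-lambda-powertools"
version = "2.30.0"
source = { registry = "https://pypi.org/simple" }
dependencies = [
    { name = "typing-extensions" },
]

[[package]]
name = "boto3"
version = "1.34.0"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "typing-extensions"
version = "4.12.0"
source = { registry = "https://pypi.org/simple" }
"""

SAMPLE_REQUIREMENTS = """\
# constructed sample: aws_lambda_powertools deliberately lags the lock
aws_lambda_powertools==2.29.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
boto3==1.34.0 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""

if __name__ == "__main__":
    problems = find_drift(SAMPLE_UV_LOCK, SAMPLE_REQUIREMENTS)
    print("\n".join(problems) or "no drift")
    sys.exit(1 if problems else 0)
```

In CI the two sample strings would be replaced by the real files read from disk; the non-zero exit is what fails the job. The check is deliberately one-directional (pins must agree with the lock), since a Lambda requirements file normally lists a subset of the lock.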