From 5370bdd167c27b785b18ecfe6b47c8f1beec14d3 Mon Sep 17 00:00:00 2001 From: Harold Sun Date: Fri, 20 Mar 2026 05:43:03 +0000 Subject: [PATCH] feat!: GA readiness improvements BREAKING CHANGE: Remove readiness_check_min_unhealthy_status field and AWS_LWA_READINESS_CHECK_MIN_UNHEALTHY_STATUS env var. Use readiness_check_healthy_status / AWS_LWA_READINESS_CHECK_HEALTHY_STATUS instead. - Remove deprecated readiness_check_min_unhealthy_status from AdapterOptions - Remove ENV_READINESS_CHECK_MIN_UNHEALTHY_STATUS constant and fallback logic - Remove #[allow(deprecated)] annotations no longer needed - Add migration guide section to README (0.x to 1.0) - Add SECURITY.md with vulnerability reporting policy - Update README security section to reference SECURITY.md - Add CHANGELOG entries for v0.8.0 through v1.0.0 - Fix outdated repo URL in docs/development.md --- CHANGELOG.md | 140 ++++++++++++++++++++++++++++++++++++++ README.md | 32 ++++++++- SECURITY.md | 17 +++++ docs/development.md | 4 +- src/lib.rs | 35 +--------- tests/integ_tests/main.rs | 2 - 6 files changed, 190 insertions(+), 40 deletions(-) create mode 100644 SECURITY.md diff --git a/CHANGELOG.md b/CHANGELOG.md index adfcb91f..eae7c13d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,143 @@ +## v1.0.0 - 2026-03-20 + +### Major Updates + +This is the first GA release of AWS Lambda Web Adapter. It includes multi-tenancy support, Lambda Managed Instances, improved error handling, zero-copy body conversion, comprehensive documentation, and a migration path from 0.x. + +### Breaking Changes + +- Removed `AWS_LWA_READINESS_CHECK_MIN_UNHEALTHY_STATUS` and the `readiness_check_min_unhealthy_status` field. Use `AWS_LWA_READINESS_CHECK_HEALTHY_STATUS` / `readiness_check_healthy_status` instead. +- Non-prefixed environment variables (`HOST`, `READINESS_CHECK_PORT`, etc.) are deprecated and will be removed in 2.0. Use `AWS_LWA_` prefixed versions. + +### Features + +- **Multi-tenancy support**: Propagate `tenant_id` from Lambda context as `x-amz-tenant-id` header (#631) +- **Lambda Managed Instances**: Support concurrent request handling in a single execution environment (#625) +- **Error status codes**: New `AWS_LWA_ERROR_STATUS_CODES` env var to treat specific HTTP status codes as Lambda failures (#558) +- **Runtime API proxy**: New `AWS_LWA_LAMBDA_RUNTIME_API_PROXY` env var to proxy Lambda runtime API calls (#588) +- **Healthy status ranges**: New `AWS_LWA_READINESS_CHECK_HEALTHY_STATUS` supporting comma-separated codes and ranges (e.g., `200-399,404`) (#638) + +### Performance + +- Zero-copy body conversion — avoid unnecessary allocations when forwarding request bodies (#627) +- Add `panic=abort` and `opt-level=s` to release profile for smaller binary size (#646) + +### Bug Fixes + +- Don't append trailing `?` when query string is empty (#657) +- Fix `path_through_path` renamed to `pass_through_path` (#619) +- Override user-set `x-amzn-{lambda,request}-context` headers to prevent spoofing (#286) +- Remove `transfer-encoding` header from responses for SAM local compatibility (#442) +- Warn when configured `authorization_source` header is not found in request (#479) + +### Documentation + +- Comprehensive rustdoc documentation for all public types and methods +- Added migration guide for 0.x to 1.0 upgrade +- Added SECURITY.md +- Added user guide with GitHub Pages deployment (#639) + +### CI/CD + +- Split pipeline into separate PR, Merge, and Release workflows (#642) +- Add conventional commits changelog generation and commit linting (#641) +- Add workflow to verify examples without deployment (#643) +- Daily security audit via `rustsec/audit-check` (#391) +- Benchmark tracking with PR comments + +--- + +## v0.9.1 - 2025-04-23 + +### Features + +- Add `AWS_LWA_LAMBDA_RUNTIME_API_PROXY` to overwrite Lambda Runtime API endpoint (#588) + +### Examples + +- Bun server with GraphQL examples (#584) + +--- + +## v0.9.0 - 2025-01-10 + +### Features + +- Force Lambda failure on configurable HTTP error status codes (#558) +- Streaming API backend-only example (#543) + +### Examples + +- SvelteKit SSR zip example (#561) +- Remix examples (#524) +- FastHTML examples (#496) + +### Improvements + +- Simplify debug logging for app readiness checks (#520) +- Read AWS region from env var (#518) + +--- + +## v0.8.4 - 2024-07-27 + +### Features + +- Add `authorization_source` feature to copy custom header to `Authorization` (#478) +- Warn when configured authorization source header not found (#479) + +--- + +## v0.8.3 - 2024-04-21 + +### Bug Fixes + +- Remove `transfer-encoding` header from responses (#442) + +### Examples + +- Javalin 6 example using Arm64 image (#425) +- NestJS example (#394) +- FastAPI Background Tasks example (#408) +- FastAPI response streaming with Claude3 refactor (#416) + +--- + +## v0.8.2 - 2024-04-10 + +### Improvements + +- Add daily security audit (#391) +- Upgrade lambda-http crate to 0.9.3 (#390) + +### Examples + +- Go HTTP example (#383) +- Sinatra example (#365) + +--- + +## v0.8.1 - 2024-01-24 + +### Bug Fixes + +- Minor fixes and dependency updates + +--- + +## v0.8.0 - 2024-01-22 + +### Features + +- Pass-through events support for non-HTTP triggers (#342) +- Adopt `cargo-lambda` for builds (#337) + +### Examples + +- SQS + Express.js example (#347, #348) + +--- + ## v0.7.1 - 2023-08-18 # Major Updates diff --git a/README.md b/README.md index 1a61624c..a2a8b719 100644 --- a/README.md +++ b/README.md @@ -71,7 +71,7 @@ The readiness check port/path and traffic port can be configured using environme > `HOST`, `READINESS_CHECK_PORT`, `READINESS_CHECK_PATH`, `READINESS_CHECK_PROTOCOL`, `REMOVE_BASE_PATH`, `ASYNC_INIT`. > Please migrate to the `AWS_LWA_` prefixed versions. Note: `PORT` is not deprecated and remains a supported fallback for `AWS_LWA_PORT`. > -> Additionally, `AWS_LWA_READINESS_CHECK_MIN_UNHEALTHY_STATUS` is deprecated. Use `AWS_LWA_READINESS_CHECK_HEALTHY_STATUS` instead. +> Additionally, `AWS_LWA_READINESS_CHECK_MIN_UNHEALTHY_STATUS` has been removed in 1.0. Use `AWS_LWA_READINESS_CHECK_HEALTHY_STATUS` instead. 👉 [Detailed configuration docs](https://awslabs.github.io/aws-lambda-web-adapter/configuration/environment-variables.html) @@ -128,6 +128,34 @@ This project was inspired by several community projects. - [re:Web](https://github.com/apparentorder/reweb) - [Serverlessish](https://github.com/glassechidna/serverlessish) +## Migrating from 0.x to 1.0 + +### Environment Variables + +All environment variables now use the `AWS_LWA_` prefix. The old non-prefixed names still work but are deprecated and will be removed in version 2.0. + +| Old (Deprecated) | New | +|------------------------------|--------------------------------------------| +| `READINESS_CHECK_PORT` | `AWS_LWA_READINESS_CHECK_PORT` | +| `READINESS_CHECK_PATH` | `AWS_LWA_READINESS_CHECK_PATH` | +| `READINESS_CHECK_PROTOCOL` | `AWS_LWA_READINESS_CHECK_PROTOCOL` | +| `REMOVE_BASE_PATH` | `AWS_LWA_REMOVE_BASE_PATH` | +| `ASYNC_INIT` | `AWS_LWA_ASYNC_INIT` | + +> **Note:** `PORT` is **not** deprecated and remains a supported fallback for `AWS_LWA_PORT`. + +### Readiness Check Health Status + +`AWS_LWA_READINESS_CHECK_MIN_UNHEALTHY_STATUS` has been removed. Use `AWS_LWA_READINESS_CHECK_HEALTHY_STATUS` instead, which accepts comma-separated codes and ranges: + +```bash +# Old +AWS_LWA_READINESS_CHECK_MIN_UNHEALTHY_STATUS=400 + +# New (equivalent) +AWS_LWA_READINESS_CHECK_HEALTHY_STATUS=100-399 +``` + ## Similar Projects Several projects also provide similar capabilities as language specific packages/frameworks. @@ -140,7 +168,7 @@ Several projects also provide similar capabilities as language specific packages ## Security -See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information. +See [SECURITY](SECURITY.md) for vulnerability reporting and [CONTRIBUTING](CONTRIBUTING.md) for more information. ## License diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..680af1f9 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,17 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a potential security issue in this project, we ask that you notify AWS/Amazon Security via our +[vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). + +Please do **not** create a public GitHub issue for security vulnerabilities. + +## Supported Versions + +We recommend always using the latest version of AWS Lambda Web Adapter to ensure you have the most recent security patches. + +| Version | Supported | +|---------|--------------------| +| 1.x | :white_check_mark: | +| < 1.0 | :x: | diff --git a/docs/development.md b/docs/development.md index 7a4db2b7..0d97ec44 100644 --- a/docs/development.md +++ b/docs/development.md @@ -8,8 +8,8 @@ AWS Lambda executes functions in x86_64 Amazon Linux Environment. We need to com First, clone this repo to your local computer. ```shell -$ git clone https://github.com/aws-samples/aws-lambda-adapter.git -$ cd aws-lambda-adapter +$ git clone https://github.com/awslabs/aws-lambda-web-adapter.git +$ cd aws-lambda-web-adapter ``` ### Compiling with Docker diff --git a/src/lib.rs b/src/lib.rs index 9d77b258..522f9bd9 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -71,7 +71,6 @@ const ENV_READINESS_CHECK_PORT: &str = "AWS_LWA_READINESS_CHECK_PORT"; const ENV_READINESS_CHECK_PATH: &str = "AWS_LWA_READINESS_CHECK_PATH"; const ENV_READINESS_CHECK_PROTOCOL: &str = "AWS_LWA_READINESS_CHECK_PROTOCOL"; const ENV_READINESS_CHECK_HEALTHY_STATUS: &str = "AWS_LWA_READINESS_CHECK_HEALTHY_STATUS"; -const ENV_READINESS_CHECK_MIN_UNHEALTHY_STATUS: &str = "AWS_LWA_READINESS_CHECK_MIN_UNHEALTHY_STATUS"; const ENV_REMOVE_BASE_PATH: &str = "AWS_LWA_REMOVE_BASE_PATH"; const ENV_PASS_THROUGH_PATH: &str = "AWS_LWA_PASS_THROUGH_PATH"; const ENV_ASYNC_INIT: &str = "AWS_LWA_ASYNC_INIT"; @@ -281,12 +280,6 @@ pub struct AdapterOptions { /// Default: [`Protocol::Http`] pub readiness_check_protocol: Protocol, - /// Deprecated: Use `readiness_check_healthy_status` instead. - /// - /// Minimum HTTP status code considered unhealthy. - #[deprecated(since = "1.0.0", note = "Use readiness_check_healthy_status instead")] - pub readiness_check_min_unhealthy_status: u16, - /// List of HTTP status codes considered healthy for readiness checks. /// /// Can be configured via `AWS_LWA_READINESS_CHECK_HEALTHY_STATUS` using: @@ -382,36 +375,19 @@ fn get_optional_env_with_deprecation(new_name: &str, old_name: &str) -> Option Self { let port = env::var(ENV_PORT) .or_else(|_| env::var(ENV_PORT_DEPRECATED)) .unwrap_or_else(|_| "8080".to_string()); // Handle readiness check healthy status codes - // New env var takes precedence, then fall back to deprecated min_unhealthy_status let readiness_check_healthy_status = if let Ok(val) = env::var(ENV_READINESS_CHECK_HEALTHY_STATUS) { parse_status_codes(&val) - } else if let Ok(val) = env::var(ENV_READINESS_CHECK_MIN_UNHEALTHY_STATUS) { - tracing::warn!( - "Environment variable '{}' is deprecated. \ - Please use '{}' instead (e.g., '100-499').", - ENV_READINESS_CHECK_MIN_UNHEALTHY_STATUS, - ENV_READINESS_CHECK_HEALTHY_STATUS - ); - let min_unhealthy: u16 = val.parse().unwrap_or(500); - (100..min_unhealthy).collect() } else { - // Default: 100-499 (same as previous default of min_unhealthy=500) + // Default: 100-499 (100..500).collect() }; - // For backward compatibility, also set the deprecated field - let readiness_check_min_unhealthy_status = env::var(ENV_READINESS_CHECK_MIN_UNHEALTHY_STATUS) - .unwrap_or_else(|_| "500".to_string()) - .parse() - .unwrap_or(500); - AdapterOptions { host: get_env_with_deprecation(ENV_HOST, ENV_HOST_DEPRECATED, "127.0.0.1"), port: port.clone(), @@ -420,7 +396,6 @@ impl Default for AdapterOptions { ENV_READINESS_CHECK_PORT_DEPRECATED, &port, ), - readiness_check_min_unhealthy_status, readiness_check_healthy_status, readiness_check_path: get_env_with_deprecation( ENV_READINESS_CHECK_PATH, @@ -1106,13 +1081,11 @@ mod tests { }); // Prepare adapter configuration - only 200-399 are healthy - #[allow(deprecated)] let options = AdapterOptions { host: app_server.host(), port: app_server.port().to_string(), readiness_check_port: app_server.port().to_string(), readiness_check_path: "/healthcheck".to_string(), - readiness_check_min_unhealthy_status: 400, readiness_check_healthy_status: (200..400).collect(), ..Default::default() }; @@ -1137,7 +1110,6 @@ mod tests { let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap(); let port = listener.local_addr().unwrap().port(); - #[allow(deprecated)] let options = AdapterOptions { host: "127.0.0.1".to_string(), port: port.to_string(), @@ -1158,7 +1130,6 @@ mod tests { #[tokio::test] async fn test_tcp_readiness_check_failure() { // Use a port that nothing is listening on - #[allow(deprecated)] let options = AdapterOptions { host: "127.0.0.1".to_string(), port: "19999".to_string(), @@ -1203,7 +1174,6 @@ mod tests { #[test] fn test_adapter_new_invalid_host() { - #[allow(deprecated)] let options = AdapterOptions { host: "invalid host with spaces".to_string(), port: "8080".to_string(), @@ -1218,7 +1188,6 @@ mod tests { #[test] fn test_adapter_new_valid_config() { - #[allow(deprecated)] let options = AdapterOptions { host: "127.0.0.1".to_string(), port: "3000".to_string(), @@ -1273,7 +1242,6 @@ mod tests { #[test] fn test_compression_disabled_with_response_stream() { - #[allow(deprecated)] let options = AdapterOptions { compression: true, invoke_mode: LambdaInvokeMode::ResponseStream, @@ -1289,7 +1257,6 @@ mod tests { #[test] fn test_compression_enabled_with_buffered() { - #[allow(deprecated)] let options = AdapterOptions { compression: true, invoke_mode: LambdaInvokeMode::Buffered, diff --git a/tests/integ_tests/main.rs b/tests/integ_tests/main.rs index 1fd1e615..5961e82c 100644 --- a/tests/integ_tests/main.rs +++ b/tests/integ_tests/main.rs @@ -69,7 +69,6 @@ fn test_adapter_options_from_namespaced_env() { env::set_var("AWS_LWA_ENABLE_COMPRESSION", "true"); env::set_var("AWS_LWA_INVOKE_MODE", "response_stream"); env::set_var("AWS_LWA_AUTHORIZATION_SOURCE", "auth-token"); - env::remove_var("AWS_LWA_READINESS_CHECK_MIN_UNHEALTHY_STATUS"); // Initialize adapter with env options let options = AdapterOptions::default(); @@ -964,7 +963,6 @@ fn test_deprecated_env_var_fallback() { env::remove_var("AWS_LWA_INVOKE_MODE"); env::remove_var("AWS_LWA_AUTHORIZATION_SOURCE"); env::remove_var("AWS_LWA_READINESS_CHECK_HEALTHY_STATUS"); - env::remove_var("AWS_LWA_READINESS_CHECK_MIN_UNHEALTHY_STATUS"); // Set only deprecated (non-prefixed) env vars env::set_var("PORT", "4000");