Merge branch 'develop' into custom_mask

leandrodamascena · web-flow · commit f37af9352df7 · 2025-01-13T17:54:30.000Z
diff --git a/.github/workflows/bootstrap_region.yml b/.github/workflows/bootstrap_region.yml
@@ -1,3 +1,5 @@
+name: Region Bootstrap
+
 # bootstraps new regions
 #
 # PURPOSE
@@ -27,7 +29,6 @@ on:
         required: true
         description: AWS region to bootstrap (i.e. eu-west-1)
 
-name: Region Bootstrap
 run-name: Region Bootstrap ${{ inputs.region }}
 
 permissions:
@@ -38,13 +39,13 @@ jobs:
     name: Install CDK
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
       id-token: write
     environment: layer-${{ inputs.environment }}
     steps:
       - id: credentials
         name: AWS Credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: ${{ inputs.region }}
           role-to-assume: ${{ secrets.REGION_IAM_ROLE }}
@@ -69,7 +70,7 @@ jobs:
     name: Copy Layers
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
       id-token: write
     strategy:
       matrix:
@@ -90,7 +91,7 @@ jobs:
     steps:
       - id: credentials
         name: AWS Credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: us-east-1
           role-to-assume: ${{ secrets.REGION_IAM_ROLE }}
@@ -106,4 +107,4 @@ jobs:
         run: go install github.com/aws-powertools/actions/layer-balancer/cmd/balance@latest
       - id: run-balance
         name: Run Balance
-        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name ${{ matrix.layer }} -dry-run=false
+        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name ${{ matrix.layer }} -dry-run=false
diff --git a/.github/workflows/dispatch_analytics.yml b/.github/workflows/dispatch_analytics.yml
@@ -43,10 +43,11 @@ jobs:
       statuses: read
     steps:
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: eu-central-1
-          role-to-assume: ${{ secrets.AWS_ANALYTICS_ROLE_ARN }}
+          role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
+          mask-aws-account-id: true
 
       - name: Invoke Lambda function
         run: |
diff --git a/.github/workflows/layer_govcloud.yml b/.github/workflows/layer_govcloud.yml
@@ -1,3 +1,5 @@
+name: Layer Deployment (GovCloud)
+
 # GovCloud Layer Publish
 # ---
 # This workflow publishes a specific layer version in an AWS account based on the environment input.
@@ -32,9 +34,11 @@ on:
         type: string
         required: true
 
-name: Layer Deployment (GovCloud)
 run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }}
 
+permissions:
+  contents: read
+
 jobs:
   download:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/layer_govcloud_python313.yml b/.github/workflows/layer_govcloud_python313.yml
@@ -1,3 +1,5 @@
+name: Layer Deployment (GovCloud) - Temporary for Python 3.13
+
 # GovCloud Layer Publish
 # ---
 # This workflow publishes a specific layer version in an AWS account based on the environment input.
@@ -32,9 +34,11 @@ on:
         type: string
         required: true
 
-name: Layer Deployment (GovCloud) - Temporary for Python 3.13
 run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }}
 
+permissions:
+  contents: read
+
 jobs:
   download:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish_v3_layer.yml b/.github/workflows/publish_v3_layer.yml
@@ -303,8 +303,8 @@ jobs:
     needs: [update_v3_layer_arn_docs, prepare_docs_alias]
     permissions:
       # lower privilege propagated from parent workflow (release.yml)
-      contents: write
-      pages: write
+      #contents: write
+      #pages: write
       pull-requests: none
       id-token: write
     secrets: inherit
diff --git a/.github/workflows/quality_check.yml b/.github/workflows/quality_check.yml
@@ -60,7 +60,7 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
-        run: make dev
+        run: make dev-quality-code
       - name: Formatting and Linting
         run: make lint
       - name: Static type checking
diff --git a/.github/workflows/reusable_deploy_v2_layer_stack.yml b/.github/workflows/reusable_deploy_v2_layer_stack.yml
@@ -152,11 +152,12 @@ jobs:
 
       - name: Install poetry
         run: pipx install git+https://github.com/python-poetry/poetry@68b88e5390720a3dd84f02940ec5200bfce39ac6 # v1.5.0
-      - name: aws credentials
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: ${{ matrix.region }}
           role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
+          mask-aws-account-id: true
       - name: Setup Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
diff --git a/.github/workflows/reusable_deploy_v2_sar.yml b/.github/workflows/reusable_deploy_v2_sar.yml
@@ -89,19 +89,19 @@ jobs:
           integrity_hash: ${{ inputs.source_code_integrity_hash }}
           artifact_name: ${{ inputs.source_code_artifact_name }}
 
-
-      - name: AWS credentials
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: ${{ env.AWS_REGION }}
           role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
+          mask-aws-account-id: true
 
-      # NOTE
-      # We connect to Layers account to log our intent to publish a SAR Layer
-      # we then jump to our specific SAR Account with the correctly scoped IAM Role
-      # this allows us to have a single trail when a release occurs for a given layer (beta+prod+SAR beta+SAR prod)
+        # NOTE
+        # We connect to Layers account to log our intent to publish a SAR Layer
+        # we then jump to our specific SAR Account with the correctly scoped IAM Role
+        # this allows us to have a single trail when a release occurs for a given layer (beta+prod+SAR beta+SAR prod)
       - name: AWS credentials SAR role
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         id: aws-credentials-sar-role
         with:
           aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
@@ -110,6 +110,8 @@ jobs:
           role-duration-seconds: 1200
           aws-region: ${{ env.AWS_REGION }}
           role-to-assume: ${{ secrets.AWS_SAR_V2_ROLE_ARN }}
+          mask-aws-account-id: true
+
       - name: Setup Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
diff --git a/.github/workflows/reusable_deploy_v3_layer_stack.yml b/.github/workflows/reusable_deploy_v3_layer_stack.yml
@@ -154,11 +154,12 @@ jobs:
 
       - name: Install poetry
         run: pipx install git+https://github.com/python-poetry/poetry@68b88e5390720a3dd84f02940ec5200bfce39ac6 # v1.5.0
-      - name: aws credentials
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: ${{ matrix.region }}
           role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
+          mask-aws-account-id: true
       - name: Setup Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
diff --git a/.github/workflows/reusable_deploy_v3_sar.yml b/.github/workflows/reusable_deploy_v3_sar.yml
@@ -86,18 +86,19 @@ jobs:
           artifact_name: ${{ inputs.source_code_artifact_name }}
 
 
-      - name: AWS credentials
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: ${{ env.AWS_REGION }}
           role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
+          mask-aws-account-id: true
 
       # NOTE
       # We connect to Layers account to log our intent to publish a SAR Layer
       # we then jump to our specific SAR Account with the correctly scoped IAM Role
       # this allows us to have a single trail when a release occurs for a given layer (beta+prod+SAR beta+SAR prod)
       - name: AWS credentials SAR role
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         id: aws-credentials-sar-role
         with:
           aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
@@ -106,6 +107,7 @@ jobs:
           role-duration-seconds: 1200
           aws-region: ${{ env.AWS_REGION }}
           role-to-assume: ${{ secrets.AWS_SAR_V2_ROLE_ARN }}
+          mask-aws-account-id: true
       - name: Setup Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml
@@ -40,9 +40,9 @@ jobs:
     runs-on: ubuntu-latest
     environment: "Docs"
     permissions:
-      contents: write  # push to gh-pages
+      contents: read  # push to gh-pages
       id-token: write  # trade JWT token for AWS credentials in AWS Docs account
-      pages: write     # uncomment if mike fails as we migrated to S3 hosting
+      #pages: write     # uncomment if mike fails as we migrated to S3 hosting
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
@@ -79,10 +79,11 @@ jobs:
           poetry run mike set-default --push latest
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: us-east-1
           role-to-assume: ${{ secrets.AWS_DOCS_ROLE_ARN }}
+          mask-aws-account-id: true
       - name: Copy API Docs
         run: |
           cp -r api site/
diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml
@@ -70,11 +70,12 @@ jobs:
           npm ci
           npx cdk --version
       - name: Install dependencies
-        run: make dev
+        run: make dev-quality-code
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           role-to-assume: ${{ secrets.AWS_TEST_ROLE_ARN }}
           aws-region: ${{ env.AWS_DEFAULT_REGION }}
+          mask-aws-account-id: true
       - name: Test
         run: make e2e-test
diff --git a/.github/workflows/update_ssm.yml b/.github/workflows/update_ssm.yml
@@ -1,3 +1,6 @@
+name: SSM Parameters
+run-name: SSM Parameters - Python
+
 # SSM Parameters update
 #
 # PROCESS
@@ -38,9 +41,6 @@ on:
         type: string
         required: true
 
-name: SSM Parameters
-run-name: SSM Parameters - Python
-
 permissions:
   contents: read
 
@@ -59,14 +59,14 @@ jobs:
           ]
 
     permissions:
-      contents: write
+      contents: read
       id-token: write
     steps:
       - id: transform
         run: |
           echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT"
       - id: creds
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: ${{ matrix.region }}
           role-to-assume: ${{ secrets[format('{0}', steps.transform.outputs.CONVERTED_REGION)] }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -16,31 +16,35 @@
 
 ## Maintenance
 
-* **ci:** new pre-release 3.4.1a4 ([#5796](https://github.com/aws-powertools/powertools-lambda-python/issues/5796))
 * **ci:** new pre-release 3.4.1a0 ([#5783](https://github.com/aws-powertools/powertools-lambda-python/issues/5783))
+* **ci:** new pre-release 3.4.1a1 ([#5789](https://github.com/aws-powertools/powertools-lambda-python/issues/5789))
 * **ci:** new pre-release 3.4.1a9 ([#5822](https://github.com/aws-powertools/powertools-lambda-python/issues/5822))
+* **ci:** new pre-release 3.4.1a2 ([#5791](https://github.com/aws-powertools/powertools-lambda-python/issues/5791))
 * **ci:** new pre-release 3.4.1a8 ([#5818](https://github.com/aws-powertools/powertools-lambda-python/issues/5818))
 * **ci:** new pre-release 3.4.1a7 ([#5816](https://github.com/aws-powertools/powertools-lambda-python/issues/5816))
 * **ci:** new pre-release 3.4.1a6 ([#5813](https://github.com/aws-powertools/powertools-lambda-python/issues/5813))
-* **ci:** new pre-release 3.4.1a1 ([#5789](https://github.com/aws-powertools/powertools-lambda-python/issues/5789))
-* **ci:** new pre-release 3.4.1a2 ([#5791](https://github.com/aws-powertools/powertools-lambda-python/issues/5791))
 * **ci:** new pre-release 3.4.1a5 ([#5807](https://github.com/aws-powertools/powertools-lambda-python/issues/5807))
 * **ci:** new pre-release 3.4.1a3 ([#5794](https://github.com/aws-powertools/powertools-lambda-python/issues/5794))
-* **deps:** bump jinja2 from 3.1.4 to 3.1.5 in /docs ([#5787](https://github.com/aws-powertools/powertools-lambda-python/issues/5787))
+* **ci:** new pre-release 3.4.1a4 ([#5796](https://github.com/aws-powertools/powertools-lambda-python/issues/5796))
 * **deps:** bump pydantic-settings from 2.7.0 to 2.7.1 ([#5815](https://github.com/aws-powertools/powertools-lambda-python/issues/5815))
-* **deps-dev:** bump boto3-stubs from 1.35.87 to 1.35.89 ([#5804](https://github.com/aws-powertools/powertools-lambda-python/issues/5804))
+* **deps:** bump jinja2 from 3.1.4 to 3.1.5 in /docs ([#5787](https://github.com/aws-powertools/powertools-lambda-python/issues/5787))
+* **deps-dev:** bump boto3-stubs from 1.35.90 to 1.35.92 ([#5827](https://github.com/aws-powertools/powertools-lambda-python/issues/5827))
 * **deps-dev:** bump mypy from 1.14.0 to 1.14.1 ([#5812](https://github.com/aws-powertools/powertools-lambda-python/issues/5812))
 * **deps-dev:** bump boto3-stubs from 1.35.89 to 1.35.90 ([#5809](https://github.com/aws-powertools/powertools-lambda-python/issues/5809))
+* **deps-dev:** bump cdklabs-generative-ai-cdk-constructs from 0.1.287 to 0.1.288 ([#5793](https://github.com/aws-powertools/powertools-lambda-python/issues/5793))
 * **deps-dev:** bump cfn-lint from 1.22.2 to 1.22.3 ([#5810](https://github.com/aws-powertools/powertools-lambda-python/issues/5810))
+* **deps-dev:** bump aws-cdk-aws-lambda-python-alpha from 2.173.2a0 to 2.173.4a0 ([#5811](https://github.com/aws-powertools/powertools-lambda-python/issues/5811))
+* **deps-dev:** bump aws-cdk-lib from 2.173.4 to 2.174.1 ([#5838](https://github.com/aws-powertools/powertools-lambda-python/issues/5838))
+* **deps-dev:** bump boto3-stubs from 1.35.87 to 1.35.89 ([#5804](https://github.com/aws-powertools/powertools-lambda-python/issues/5804))
 * **deps-dev:** bump jinja2 from 3.1.4 to 3.1.5 ([#5788](https://github.com/aws-powertools/powertools-lambda-python/issues/5788))
-* **deps-dev:** bump aws-cdk-lib from 2.173.2 to 2.173.4 ([#5803](https://github.com/aws-powertools/powertools-lambda-python/issues/5803))
+* **deps-dev:** bump aws-cdk from 2.173.2 to 2.173.4 ([#5802](https://github.com/aws-powertools/powertools-lambda-python/issues/5802))
 * **deps-dev:** bump boto3-stubs from 1.35.86 to 1.35.87 ([#5786](https://github.com/aws-powertools/powertools-lambda-python/issues/5786))
-* **deps-dev:** bump aws-cdk-aws-lambda-python-alpha from 2.173.2a0 to 2.173.4a0 ([#5811](https://github.com/aws-powertools/powertools-lambda-python/issues/5811))
-* **deps-dev:** bump cdklabs-generative-ai-cdk-constructs from 0.1.287 to 0.1.288 ([#5793](https://github.com/aws-powertools/powertools-lambda-python/issues/5793))
+* **deps-dev:** bump aws-cdk from 2.173.4 to 2.174.0 ([#5832](https://github.com/aws-powertools/powertools-lambda-python/issues/5832))
+* **deps-dev:** bump ruff from 0.8.4 to 0.8.6 ([#5833](https://github.com/aws-powertools/powertools-lambda-python/issues/5833))
 * **deps-dev:** bump boto3-stubs from 1.35.85 to 1.35.86 ([#5780](https://github.com/aws-powertools/powertools-lambda-python/issues/5780))
 * **deps-dev:** bump mypy from 1.13.0 to 1.14.0 ([#5779](https://github.com/aws-powertools/powertools-lambda-python/issues/5779))
-* **deps-dev:** bump boto3-stubs from 1.35.90 to 1.35.92 ([#5827](https://github.com/aws-powertools/powertools-lambda-python/issues/5827))
-* **deps-dev:** bump aws-cdk from 2.173.2 to 2.173.4 ([#5802](https://github.com/aws-powertools/powertools-lambda-python/issues/5802))
+* **deps-dev:** bump boto3-stubs from 1.35.92 to 1.35.93 ([#5835](https://github.com/aws-powertools/powertools-lambda-python/issues/5835))
+* **deps-dev:** bump aws-cdk-lib from 2.173.2 to 2.173.4 ([#5803](https://github.com/aws-powertools/powertools-lambda-python/issues/5803))
 
 
 <a name="v3.4.0"></a>
diff --git a/Makefile b/Makefile
@@ -10,6 +10,11 @@ dev:
 	poetry install --extras "all redis datamasking"
 	pre-commit install
 
+dev-quality-code:
+	pip install --upgrade pip pre-commit poetry
+	poetry install --extras "all redis datamasking"
+	pre-commit install
+
 dev-gitpod:
 	pip install --upgrade pip poetry
 	poetry install --extras "all redis datamasking"
@@ -115,4 +120,4 @@ mypy:
 
 
 dev-version-plugin:
-	poetry self add git+https://github.com/monim67/poetry-bumpversion@315fe3324a699fa12ec20e202eb7375d4327d1c4
+	poetry self add git+https://github.com/monim67/poetry-bumpversion@348de6f247222e2953d649932426e63492e0a6bf
diff --git a/aws_lambda_powertools/shared/version.py b/aws_lambda_powertools/shared/version.py
@@ -1,3 +1,3 @@
 """Exposes version constant to avoid circular dependencies."""
 
-VERSION = "3.4.1a9"
+VERSION = "3.4.1a10"
diff --git a/docs/we_made_this.md b/docs/we_made_this.md
@@ -126,6 +126,14 @@ This article will walk you through using Powertools for AWS Lambda to optimize y
 
 [Streaming data with AWS Lambda & Powertools for AWS Lambda](https://towardsdev.com/streaming-data-with-aws-lambda-5f0e81f854cd){target="_blank" rel="nofollow"}
 
+### Simplified Data Masking in AWS Lambda with Powertools
+
+Learn to implement data masking in AWS Lambda with Powertools, protecting sensitive data in healthcare and finance while ensuring compliance with HIPAA and PCI-DSS regulations.
+
+> **Author: [Avinash Dalvi](https://www.linkedin.com/in/avinash-dalvi-315b021a/){target="_blank" rel="nofollow"}** :material-linkedin:
+
+[Simplified Data Masking in AWS Lambda with Powertools](https://www.internetkatta.com/simplified-data-masking-in-aws-lambda-with-powertool){target="_blank" rel="nofollow"}
+
 ## Videos
 
 #### Building a resilient input handling with Parser
diff --git a/examples/event_handler_graphql/src/requirements.txt b/examples/event_handler_graphql/src/requirements.txt
@@ -1,2 +1,2 @@
 aws-lambda-powertools[tracer]
-requests
+requests>=2.32.0
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
diff --git a/poetry.lock b/poetry.lock
diff --git a/provenance/3.4.1a10/multiple.intoto.jsonl b/provenance/3.4.1a10/multiple.intoto.jsonl
diff --git a/pyproject.toml b/pyproject.toml
diff --git a/tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_1024/requirements.txt b/tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_1024/requirements.txt
diff --git a/tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_128/requirements.txt b/tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_128/requirements.txt
diff --git a/tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_1769/requirements.txt b/tests/performance/data_masking/load_test_data_masking/pt-load-test-stack/function_1769/requirements.txt
