DataDog
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/build.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/build_layer.yml‎
Lines changed: 55 additions & 3 deletions b/‎.github/workflows/build_layer.yml‎
Lines changed: 55 additions & 3 deletions
diff --git a/‎.github/workflows/update-snapshots.yml‎
Lines changed: 13 additions & 3 deletions b/‎.github/workflows/update-snapshots.yml‎
Lines changed: 13 additions & 3 deletions
diff --git a/‎Dockerfile‎
Lines changed: 2 additions & 0 deletions b/‎Dockerfile‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ci/datasources/runtimes.yaml‎
Lines changed: 8 additions & 0 deletions b/‎ci/datasources/runtimes.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎ci/publish_layers.sh‎
Lines changed: 8 additions & 0 deletions b/‎ci/publish_layers.sh‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎datadog_lambda/api.py‎
Lines changed: 20 additions & 5 deletions b/‎datadog_lambda/api.py‎
Lines changed: 20 additions & 5 deletions
diff --git a/‎datadog_lambda/tag_object.py‎
Lines changed: 1 addition & 1 deletion b/‎datadog_lambda/tag_object.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎datadog_lambda/tracing.py‎
Lines changed: 18 additions & 6 deletions b/‎datadog_lambda/tracing.py‎
Lines changed: 18 additions & 6 deletions
@@ -43,7 +43,7 @@ jobs:
     strategy:
       max-parallel: 4
       matrix:
-        python-version: ['3.8', '3.9', '3.10', '3.11', '3.12', '3.13']
+        python-version: ['3.8', '3.9', '3.10', '3.11', '3.12', '3.13', '3.14']
 
     steps:
       - name: Checkout
 
@@ -2,28 +2,80 @@ name: Build Layers for system-Tests
 
 on:
   workflow_dispatch:
+  pull_request:
   push:
     branches:
       - "main"
 
 jobs:
+  get-ddtrace-run-id:
+    runs-on: ubuntu-latest
+    outputs:
+      run-id: ${{ steps.get-ddtrace-run-id.outputs.run_id }}
+    steps:
+      - name: Resolve Run ID of latest dd-trace-py build
+        id: get-ddtrace-run-id
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          RUN_ID=$(gh run list \
+            --repo DataDog/dd-trace-py \
+            --workflow build_deploy.yml \
+            --branch main \
+            --status success \
+            --limit 1 \
+            --json databaseId \
+            --jq '.[0].databaseId')
+
+          echo "run_id=$RUN_ID" >> $GITHUB_OUTPUT
+
   build:
     runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
 
+    needs: get-ddtrace-run-id
+
     strategy:
       fail-fast: false
       matrix:
         arch: [arm64, amd64]
-        python_version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
+        python_version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Build artifact name
+        id: build-artifact-name
+        run: |
+          if [ "${{ matrix.arch }}" == "amd64" ]; then
+            ARCH="x86_64"
+          else
+            ARCH="aarch64"
+          fi
+
+          VER="${{ matrix.python_version }}"
+          PY_VERSION_NO_DOT="${VER//./}"
+
+          echo "artifact_name=wheels-cp${PY_VERSION_NO_DOT}-manylinux_${ARCH}" >> $GITHUB_OUTPUT
+
+      - name: Download ddtrace Wheel
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ steps.build-artifact-name.outputs.artifact_name }}
+          repository: DataDog/dd-trace-py
+          run-id: ${{ needs.get-ddtrace-run-id.outputs.run-id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          path: ./artifacts
+
+      - name: Find ddtrace Wheel
+        id: find-ddtrace-wheel
+        run: |
+          echo "wheel_path=$(find ./artifacts -name "*.whl" | head -n 1)" >> $GITHUB_OUTPUT
+
       - name: Patch pyproject.toml
         run: |
-          echo "Patching pyproject.toml to use main branch of dd-trace-py"
-          sed -i 's|^ddtrace =.*$|ddtrace = { git = "https://github.com/DataDog/dd-trace-py.git" }|' pyproject.toml
+          echo "Patching pyproject.toml to use latest build of dd-trace-py"
+          sed -i 's|^ddtrace =.*$|ddtrace = { file = "${{ steps.find-ddtrace-wheel.outputs.wheel_path }}" }|' pyproject.toml
 
       - name: Build layer for Python ${{ matrix.python_version }} on ${{ matrix.arch }}
         run: |
 
@@ -1,8 +1,7 @@
 name: update-snapshots
 
 on:
-  schedule:
-    - cron: "0 15 * * *" # every day 11am EST
+  workflow_dispatch:
 
 jobs:
   check:
@@ -47,8 +46,19 @@ jobs:
         working-directory: tests/integration
         run: yarn install
 
-      - name: Update Snapshots
+      - name: Update Snapshots (amd64)
         env:
+          ARCH: amd64
+          UPDATE_SNAPSHOTS: true
+          BUILD_LAYERS: true
+          DD_API_KEY: ${{ secrets.DD_API_KEY }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: ./scripts/run_integration_tests.sh
+
+      - name: Update Snapshots (arm64)
+        env:
+          ARCH: arm64
           UPDATE_SNAPSHOTS: true
           BUILD_LAYERS: true
           DD_API_KEY: ${{ secrets.DD_API_KEY }}
 
@@ -15,6 +15,7 @@ RUN set -eux; \
       rm gcc && ln -s gcc10-gcc gcc; \
       rm g++ && ln -s gcc10-g++ g++; \
       rm cc && ln -s gcc10-cc cc; \
+      rm c++ && ln -s gcc10-c++ c++; \
     fi
 
 # Add Rust compiler which is needed to build dd-trace-py from source
@@ -32,6 +33,7 @@ RUN rm -rf ./python/lib/$runtime/site-packages/botocore*
 RUN rm -rf ./python/lib/$runtime/site-packages/setuptools
 RUN rm -rf ./python/lib/$runtime/site-packages/jsonschema/tests
 RUN rm -f ./python/lib/$runtime/site-packages/ddtrace/appsec/_iast/_ast/iastpatch*.so
+RUN rm -rf ./python/lib/$runtime/site-packages/ddtrace/appsec/_iast/_taint_tracking/_vendor
 RUN rm -f ./python/lib/$runtime/site-packages/ddtrace/appsec/_iast/_taint_tracking/*.so
 RUN rm -f ./python/lib/$runtime/site-packages/ddtrace/appsec/_iast/_stacktrace*.so
 # remove *.dist-info directories except any entry_points.txt files and METADATA files required for Appsec Software Composition Analysis
 
@@ -6,7 +6,7 @@
 [![Slack](https://chat.datadoghq.com/badge.svg?bg=632CA6)](https://chat.datadoghq.com/)
 [![License](https://img.shields.io/badge/license-Apache--2.0-blue)](https://github.com/DataDog/datadog-lambda-python/blob/main/LICENSE)
 
-Datadog Lambda Library for Python (3.8, 3.9, 3.10, 3.11, 3.12, and 3.13) enables [enhanced Lambda metrics](https://docs.datadoghq.com/serverless/enhanced_lambda_metrics), [distributed tracing](https://docs.datadoghq.com/serverless/distributed_tracing), and [custom metric submission](https://docs.datadoghq.com/serverless/custom_metrics) from AWS Lambda functions.
+Datadog Lambda Library for Python (3.8, 3.9, 3.10, 3.11, 3.12, 3.13, and 3.14) enables [enhanced Lambda metrics](https://docs.datadoghq.com/serverless/enhanced_lambda_metrics), [distributed tracing](https://docs.datadoghq.com/serverless/distributed_tracing), and [custom metric submission](https://docs.datadoghq.com/serverless/custom_metrics) from AWS Lambda functions.
 
 ## Installation
 
 
@@ -47,3 +47,11 @@ runtimes:
     python_version: "3.13"
     arch: "arm64"
     image: "3.13.0"
+  - name: "python314"
+    python_version: "3.14"
+    arch: "amd64"
+    image: "3.14.0"
+  - name: "python314"
+    python_version: "3.14"
+    arch: "arm64"
+    image: "3.14.0"
@@ -23,6 +23,8 @@ AWS_CLI_PYTHON_VERSIONS=(
     "python3.12"
     "python3.13"
     "python3.13"
+    "python3.14"
+    "python3.14"
 )
 PYTHON_VERSIONS=(
     "3.8-amd64"
@@ -37,6 +39,8 @@ PYTHON_VERSIONS=(
     "3.12-arm64"
     "3.13-amd64"
     "3.13-arm64"
+    "3.14-amd64"
+    "3.14-arm64"
 )
 LAYER_PATHS=(
     ".layers/datadog_lambda_py-amd64-3.8.zip"
@@ -51,6 +55,8 @@ LAYER_PATHS=(
     ".layers/datadog_lambda_py-arm64-3.12.zip"
     ".layers/datadog_lambda_py-amd64-3.13.zip"
     ".layers/datadog_lambda_py-arm64-3.13.zip"
+    ".layers/datadog_lambda_py-amd64-3.14.zip"
+    ".layers/datadog_lambda_py-arm64-3.14.zip"
 )
 LAYERS=(
     "Datadog-Python38"
@@ -65,6 +71,8 @@ LAYERS=(
     "Datadog-Python312-ARM"
     "Datadog-Python313"
     "Datadog-Python313-ARM"
+    "Datadog-Python314"
+    "Datadog-Python314-ARM"
 )
 STAGES=('prod', 'sandbox', 'staging', 'gov-staging', 'gov-prod')
 
 
@@ -5,6 +5,14 @@
 
 logger = logging.getLogger(__name__)
 KMS_ENCRYPTION_CONTEXT_KEY = "LambdaFunctionName"
+SSM_FIPS_SUPPORTED_REGIONS = {
+    "us-east-1",
+    "us-east-2",
+    "us-west-1",
+    "us-west-2",
+    "ca-central-1",
+    "ca-west-1",
+}
 api_key = None
 
 
@@ -92,11 +100,18 @@ def get_api_key() -> str:
         )["SecretString"]
     elif DD_API_KEY_SSM_NAME:
         # SSM endpoints: https://docs.aws.amazon.com/general/latest/gr/ssm.html
-        fips_endpoint = (
-            f"https://ssm-fips.{LAMBDA_REGION}.amazonaws.com"
-            if config.fips_mode_enabled
-            else None
-        )
+        fips_endpoint = None
+        if config.fips_mode_enabled:
+            if LAMBDA_REGION in SSM_FIPS_SUPPORTED_REGIONS:
+                fips_endpoint = f"https://ssm-fips.{LAMBDA_REGION}.amazonaws.com"
+            else:
+                # Log warning if SSM FIPS endpoint is not supported for commercial region
+                if not config.is_gov_region:
+                    logger.warning(
+                        "FIPS mode is enabled, but '%s' does not support SSM FIPS endpoints. "
+                        "Using standard SSM endpoint.",
+                        LAMBDA_REGION,
+                    )
         ssm_client = _boto3_client("ssm", endpoint_url=fips_endpoint)
         api_key = ssm_client.get_parameter(
             Name=DD_API_KEY_SSM_NAME, WithDecryption=True
 
@@ -62,6 +62,6 @@ def _should_try_string(obj):
 
 def _redact_val(k, v):
     split_key = k.split(".").pop() or k
-    if split_key in redactable_keys:
+    if split_key.lower() in redactable_keys:
         return "redacted"
     return v
@@ -927,6 +927,7 @@ def create_inferred_span_from_lambda_function_url_event(event, context):
     InferredSpanInfo.set_tags(tags, tag_source="self", synchronicity="sync")
     if span:
         span.set_tags(tags)
+        span.set_metric(InferredSpanInfo.METRIC, 1.0)
         span.start_ns = int(request_time_epoch * 1e6)
     return span
 
@@ -1047,6 +1048,7 @@ def create_inferred_span_from_api_gateway_websocket_event(
     span = tracer.trace("aws.apigateway.websocket", **args)
     if span:
         span.set_tags(tags)
+        span.set_metric(InferredSpanInfo.METRIC, 1.0)
         span.start_ns = int(
             finish_time_ns
             if finish_time_ns is not None
@@ -1061,6 +1063,8 @@ def create_inferred_span_from_api_gateway_event(
     event, context, decode_authorizer_context: bool = True
 ):
     request_context = event.get("requestContext")
+    identity = request_context.get("identity")
+
     domain = request_context.get("domainName", "")
     api_id = request_context.get("apiId")
     service_name = determine_service_name(
@@ -1072,11 +1076,11 @@ def create_inferred_span_from_api_gateway_event(
     resource_path = _get_resource_path(event, request_context)
     resource = f"{method} {resource_path}"
     tags = {
-        "operation_name": "aws.apigateway.rest",
         "http.url": http_url,
         "endpoint": path,
         "http.method": method,
         "resource_names": resource,
+        "http.useragent": identity.get("userAgent"),
         "span.kind": "server",
         "apiid": api_id,
         "apiname": api_id,
@@ -1091,7 +1095,7 @@ def create_inferred_span_from_api_gateway_event(
     args = {
         "service": service_name,
         "resource": resource,
-        "span_type": "http",
+        "span_type": "web",
     }
     tracer.set_tags(_dd_origin)
     upstream_authorizer_span = None
@@ -1103,6 +1107,7 @@ def create_inferred_span_from_api_gateway_event(
     span = tracer.trace("aws.apigateway", **args)
     if span:
         span.set_tags(tags)
+        span.set_metric(InferredSpanInfo.METRIC, 1.0)
         # start time pushed by the inserted authorizer span
         span.start_ns = int(
             finish_time_ns
@@ -1140,13 +1145,12 @@ def create_inferred_span_from_http_api_event(
     resource_path = _get_resource_path(event, request_context)
     resource = f"{method} {resource_path}"
     tags = {
-        "operation_name": "aws.httpapi",
         "endpoint": path,
         "http.url": http_url,
         "http.method": http.get("method"),
         "http.protocol": http.get("protocol"),
         "http.source_ip": http.get("sourceIp"),
-        "http.user_agent": http.get("userAgent"),
+        "http.useragent": http.get("userAgent"),
         "resource_names": resource,
         "request_id": context.aws_request_id,
         "apiid": api_id,
@@ -1167,10 +1171,11 @@ def create_inferred_span_from_http_api_event(
                 Headers.Parent_Span_Finish_Time
             )
     span = tracer.trace(
-        "aws.httpapi", service=service_name, resource=resource, span_type="http"
+        "aws.httpapi", service=service_name, resource=resource, span_type="web"
     )
     if span:
         span.set_tags(tags)
+        span.set_metric(InferredSpanInfo.METRIC, 1.0)
         span.start_ns = int(inferred_span_start_ns)
     return span
 
@@ -1237,6 +1242,7 @@ def create_inferred_span_from_sqs_event(event, context):
     )
     if span:
         span.set_tags(tags)
+        span.set_metric(InferredSpanInfo.METRIC, 1.0)
     span.start = start_time
     if upstream_span:
         span.parent_id = upstream_span.span_id
@@ -1278,6 +1284,7 @@ def create_inferred_span_from_sns_event(event, context):
     )
     if span:
         span.set_tags(tags)
+        span.set_metric(InferredSpanInfo.METRIC, 1.0)
     span.start = dt.replace(tzinfo=timezone.utc).timestamp()
     return span
 
@@ -1313,6 +1320,7 @@ def create_inferred_span_from_kinesis_event(event, context):
     )
     if span:
         span.set_tags(tags)
+        span.set_metric(InferredSpanInfo.METRIC, 1.0)
     span.start = request_time_epoch
     return span
 
@@ -1345,6 +1353,7 @@ def create_inferred_span_from_dynamodb_event(event, context):
     )
     if span:
         span.set_tags(tags)
+        span.set_metric(InferredSpanInfo.METRIC, 1.0)
 
     span.start = int(request_time_epoch)
     return span
@@ -1381,6 +1390,7 @@ def create_inferred_span_from_s3_event(event, context):
     )
     if span:
         span.set_tags(tags)
+        span.set_metric(InferredSpanInfo.METRIC, 1.0)
     span.start = dt.replace(tzinfo=timezone.utc).timestamp()
     return span
 
@@ -1421,10 +1431,11 @@ def create_inferred_span_from_eventbridge_event(event, context):
     )
     if span:
         span.set_tags(tags)
+        span.set_metric(InferredSpanInfo.METRIC, 1.0)
     span.start = dt.replace(tzinfo=timezone.utc).timestamp()
 
     # Since inferred span will later parent Lambda, preserve Lambda's current parent
-    if dd_trace_context.span_id:
+    if dd_trace_context and getattr(dd_trace_context, "span_id", None):
         span.parent_id = dd_trace_context.span_id
 
     return span
@@ -1512,6 +1523,7 @@ class InferredSpanInfo(object):
     BASE_NAME = "_inferred_span"
     SYNCHRONICITY = f"{BASE_NAME}.synchronicity"
     TAG_SOURCE = f"{BASE_NAME}.tag_source"
+    METRIC = f"_dd.{BASE_NAME}"
 
     @staticmethod
     def set_tags(