feat: Support Disabled Tracing Configuration (#3223)

Author: GavinZZ

samtranslator/internal/schema_source/aws_serverless_function.py

@@ -484,7 +484,7 @@ class ScheduleV2Event(BaseModel):
 VpcConfig = Optional[PassThroughProp]
 Environment = Optional[PassThroughProp]
 Tags = Optional[DictStrAny]
-Tracing = Optional[SamIntrinsicable[Literal["Active", "PassThrough"]]]
+Tracing = Optional[SamIntrinsicable[Literal["Active", "PassThrough", "Disabled"]]]
 KmsKeyArn = Optional[PassThroughProp]
 Layers = Optional[PassThroughProp]
 AutoPublishAlias = Optional[SamIntrinsicable[str]]

samtranslator/model/lambda_.py

@@ -4,6 +4,8 @@
 from samtranslator.model.intrinsics import fnGetAtt, ref
 from samtranslator.utils.types import Intrinsicable
 
+LAMBDA_TRACING_CONFIG_DISABLED = "Disabled"
+
 
 class LambdaFunction(Resource):
     resource_type = "AWS::Lambda::Function"

samtranslator/model/sam_resources.py

@@ -1,4 +1,4 @@
-""" SAM macro definitions """
+""" SAM macro definitions """
 import copy
 from contextlib import suppress
 from typing import Any, Callable, Dict, List, Optional, Tuple, Union, cast
@@ -88,6 +88,7 @@
     ref,
 )
 from samtranslator.model.lambda_ import (
+    LAMBDA_TRACING_CONFIG_DISABLED,
     LambdaAlias,
     LambdaEventInvokeConfig,
     LambdaFunction,
@@ -265,7 +266,7 @@ def to_cloudformation(self, **kwargs):  # type: ignore[no-untyped-def]
         if self.DeadLetterQueue:
             self._validate_dlq(self.DeadLetterQueue)
 
-        lambda_function = self._construct_lambda_function()
+        lambda_function = self._construct_lambda_function(intrinsics_resolver)
         resources.append(lambda_function)
 
         if self.ProvisionedConcurrencyConfig and not self.AutoPublishAlias:
@@ -325,6 +326,7 @@ def to_cloudformation(self, **kwargs):  # type: ignore[no-untyped-def]
             execution_role = self._construct_role(
                 managed_policy_map,
                 event_invoke_policies,
+                intrinsics_resolver,
                 get_managed_policy_map,
             )
             lambda_function.Role = execution_role.get_runtime_attr("arn")
@@ -543,7 +545,7 @@ def _get_resolved_alias_name(
 
         return resolved_alias_name
 
-    def _construct_lambda_function(self) -> LambdaFunction:
+    def _construct_lambda_function(self, intrinsics_resolver: IntrinsicsResolver) -> LambdaFunction:
         """Constructs and returns the Lambda function.
 
         :returns: a list containing the Lambda function and execution role resources
@@ -576,7 +578,10 @@ def _construct_lambda_function(self) -> LambdaFunction:
         lambda_function.SnapStart = self.SnapStart
         lambda_function.EphemeralStorage = self.EphemeralStorage
 
-        if self.Tracing:
+        tracing = intrinsics_resolver.resolve_parameter_refs(self.Tracing)
+
+        # Explicitly setting Trace to 'Disabled' is the same as omitting Tracing property.
+        if self.Tracing and tracing != LAMBDA_TRACING_CONFIG_DISABLED:
             lambda_function.TracingConfig = {"Mode": self.Tracing}
 
         if self.DeadLetterQueue:
@@ -608,6 +613,7 @@ def _construct_role(
         self,
         managed_policy_map: Dict[str, Any],
         event_invoke_policies: List[Dict[str, Any]],
+        intrinsics_resolver: IntrinsicsResolver,
         get_managed_policy_map: Optional[GetManagedPolicyMap] = None,
     ) -> IAMRole:
         """Constructs a Lambda execution role based on this SAM function's Policies property.
@@ -624,7 +630,11 @@ def _construct_role(
         )
 
         managed_policy_arns = [ArnGenerator.generate_aws_managed_policy_arn("service-role/AWSLambdaBasicExecutionRole")]
-        if self.Tracing:
+
+        tracing = intrinsics_resolver.resolve_parameter_refs(self.Tracing)
+
+        # Do not add xray policy to generated IAM role if users explicitly specify 'Disabled' in Tracing property.
+        if self.Tracing and tracing != LAMBDA_TRACING_CONFIG_DISABLED:
             managed_policy_name = get_xray_managed_policy_name()
             managed_policy_arns.append(ArnGenerator.generate_aws_managed_policy_arn(managed_policy_name))
         if self.VpcConfig:

samtranslator/schema/schema.json

@@ -244070,7 +244070,8 @@
             {
               "enum": [
                 "Active",
-                "PassThrough"
+                "PassThrough",
+                "Disabled"
               ],
               "type": "string"
             }
@@ -244456,7 +244457,8 @@
             {
               "enum": [
                 "Active",
-                "PassThrough"
+                "PassThrough",
+                "Disabled"
               ],
               "type": "string"
             }

schema_source/sam.schema.json

@@ -5432,7 +5432,8 @@
             {
               "enum": [
                 "Active",
-                "PassThrough"
+                "PassThrough",
+                "Disabled"
               ],
               "type": "string"
             }
@@ -6009,7 +6010,8 @@
             {
               "enum": [
                 "Active",
-                "PassThrough"
+                "PassThrough",
+                "Disabled"
               ],
               "type": "string"
             }

tests/translator/input/function_with_tracing.yaml

@@ -5,8 +5,47 @@ Parameters:
   TracingParamActive:
     Type: String
     Default: Active
+  TracingParamDisabled:
+    Type: String
+    Default: Disabled
 
 Resources:
+  DisabledTracingFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      Handler: index.handler
+      Runtime: nodejs14.x
+      InlineCode: |
+        exports.handler = async (event, context, callback) => {
+            return {
+              statusCode: 200,
+              body: 'Success'
+            }
+          }
+      MemorySize: 128
+      Policies:
+      - AWSLambdaRole
+      - AmazonS3ReadOnlyAccess
+      Tracing: Disabled
+
+  DisabledIntrinsicsTracingFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      Handler: index.handler
+      Runtime: nodejs14.x
+      InlineCode: |
+        exports.handler = async (event, context, callback) => {
+            return {
+              statusCode: 200,
+              body: 'Success'
+            }
+          }
+      MemorySize: 128
+      Policies:
+      - AWSLambdaRole
+      - AmazonS3ReadOnlyAccess
+      Tracing: !Ref TracingParamDisabled
+
   RandomValueTracingFunction:
     Type: AWS::Serverless::Function
     Properties:

tests/translator/output/aws-cn/function_with_tracing.json

@@ -4,6 +4,10 @@
       "Default": "Active",
       "Type": "String"
     },
+    "TracingParamDisabled": {
+      "Default": "Disabled",
+      "Type": "String"
+    },
     "TracingParamPassThrough": {
       "Default": "PassThrough",
       "Type": "String"
@@ -130,6 +134,116 @@
       },
       "Type": "AWS::IAM::Role"
     },
+    "DisabledIntrinsicsTracingFunction": {
+      "Properties": {
+        "Code": {
+          "ZipFile": "exports.handler = async (event, context, callback) => {\n    return {\n      statusCode: 200,\n      body: 'Success'\n    }\n  }\n"
+        },
+        "Handler": "index.handler",
+        "MemorySize": 128,
+        "Role": {
+          "Fn::GetAtt": [
+            "DisabledIntrinsicsTracingFunctionRole",
+            "Arn"
+          ]
+        },
+        "Runtime": "nodejs14.x",
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::Lambda::Function"
+    },
+    "DisabledIntrinsicsTracingFunctionRole": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "lambda.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [
+          "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+          "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaRole",
+          "arn:aws-cn:iam::aws:policy/AmazonS3ReadOnlyAccess"
+        ],
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role"
+    },
+    "DisabledTracingFunction": {
+      "Properties": {
+        "Code": {
+          "ZipFile": "exports.handler = async (event, context, callback) => {\n    return {\n      statusCode: 200,\n      body: 'Success'\n    }\n  }\n"
+        },
+        "Handler": "index.handler",
+        "MemorySize": 128,
+        "Role": {
+          "Fn::GetAtt": [
+            "DisabledTracingFunctionRole",
+            "Arn"
+          ]
+        },
+        "Runtime": "nodejs14.x",
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::Lambda::Function"
+    },
+    "DisabledTracingFunctionRole": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "lambda.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [
+          "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+          "arn:aws-cn:iam::aws:policy/service-role/AWSLambdaRole",
+          "arn:aws-cn:iam::aws:policy/AmazonS3ReadOnlyAccess"
+        ],
+        "Tags": [
+          {
+            "Key": "lambda:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role"
+    },
     "EmptyTracingFunction": {
       "Properties": {
         "Code": {