aws
diff --git a/‎integration/combination/test_api_with_disable_execute_api_endpoint.py
Lines changed: 30 additions & 0 deletions b/‎integration/combination/test_api_with_disable_execute_api_endpoint.py
Lines changed: 30 additions & 0 deletions
diff --git a/‎integration/resources/expected/combination/api_with_disable_execute_api_endpoint.json
Lines changed: 8 additions & 0 deletions b/‎integration/resources/expected/combination/api_with_disable_execute_api_endpoint.json
Lines changed: 8 additions & 0 deletions
diff --git a/‎integration/resources/templates/combination/api_with_disable_execute_api_endpoint.yaml
Lines changed: 39 additions & 0 deletions b/‎integration/resources/templates/combination/api_with_disable_execute_api_endpoint.yaml
Lines changed: 39 additions & 0 deletions
diff --git a/‎samtranslator/__init__.py
Lines changed: 1 addition & 1 deletion b/‎samtranslator/__init__.py
Lines changed: 1 addition & 1 deletion
diff --git a/‎samtranslator/model/api/api_generator.py
Lines changed: 24 additions & 0 deletions b/‎samtranslator/model/api/api_generator.py
Lines changed: 24 additions & 0 deletions
diff --git a/‎samtranslator/model/api/http_api_generator.py
Lines changed: 6 additions & 0 deletions b/‎samtranslator/model/api/http_api_generator.py
Lines changed: 6 additions & 0 deletions
diff --git a/‎samtranslator/model/apigateway.py
Lines changed: 1 addition & 0 deletions b/‎samtranslator/model/apigateway.py
Lines changed: 1 addition & 0 deletions
diff --git a/‎samtranslator/model/eventsources/pull.py
Lines changed: 20 additions & 0 deletions b/‎samtranslator/model/eventsources/pull.py
Lines changed: 20 additions & 0 deletions
diff --git a/‎samtranslator/model/lambda_.py
Lines changed: 1 addition & 0 deletions b/‎samtranslator/model/lambda_.py
Lines changed: 1 addition & 0 deletions
diff --git a/‎samtranslator/model/sam_resources.py
Lines changed: 2 additions & 0 deletions b/‎samtranslator/model/sam_resources.py
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,30 @@
+from parameterized import parameterized
+
+from integration.helpers.base_test import BaseTest
+
+
+class TestApiWithDisableExecuteApiEndpoint(BaseTest):
+    @parameterized.expand(
+        [
+            ("combination/api_with_disable_execute_api_endpoint", True),
+            ("combination/api_with_disable_execute_api_endpoint", False),
+        ]
+    )
+    def test_end_point_configuration(self, file_name, disable_value):
+        parameters = [
+            {
+                "ParameterKey": "DisableExecuteApiEndpointValue",
+                "ParameterValue": "true" if disable_value else "false",
+                "UsePreviousValue": False,
+                "ResolvedValue": "string",
+            }
+        ]
+
+        self.create_and_verify_stack(file_name, parameters)
+
+        rest_api_id = self.get_physical_id_by_type("AWS::ApiGateway::RestApi")
+        apigw_client = self.client_provider.api_client
+
+        response = apigw_client.get_rest_api(restApiId=rest_api_id)
+        api_result = response["disableExecuteApiEndpoint"]
+        self.assertEqual(api_result, disable_value)
@@ -0,0 +1,8 @@
+[
+    {"LogicalResourceId": "RestApiGateway", "ResourceType": "AWS::ApiGateway::RestApi"},
+    {"LogicalResourceId": "RestApiGatewayDeployment", "ResourceType": "AWS::ApiGateway::Deployment"},
+    {"LogicalResourceId": "RestApiGatewayProdStage", "ResourceType": "AWS::ApiGateway::Stage"},
+    {"LogicalResourceId": "RestApiFunction", "ResourceType": "AWS::Lambda::Function"},
+    {"LogicalResourceId": "RestApiFunctionIamPermissionProd", "ResourceType": "AWS::Lambda::Permission"},
+    {"LogicalResourceId": "RestApiFunctionRole", "ResourceType": "AWS::IAM::Role"}
+]
@@ -0,0 +1,39 @@
+Parameters:
+  DisableExecuteApiEndpointValue:
+    Description: Variable to define if client can access default API endpoint.
+    Type: String
+    AllowedValues: [true, false]
+
+Resources:
+  RestApiGateway:
+    Type: AWS::Serverless::Api
+    Properties:
+      StageName: Prod
+      DisableExecuteApiEndpoint:
+        Ref: DisableExecuteApiEndpointValue
+
+  RestApiFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      InlineCode: |
+        exports.handler = async (event) => {
+          const response = {
+            statusCode: 200,
+            body: JSON.stringify('Hello from Lambda!'),
+          };
+          return response;
+        };
+      Handler: index.handler
+      Runtime: nodejs12.x
+      Events:
+        Iam:
+          Type: Api
+          Properties:
+            RestApiId: !Ref RestApiGateway
+            Method: GET
+            Path: /
+Outputs:
+  ApiUrl:
+    Description: "API endpoint URL for Prod environment"
+    Value:
+      Fn::Sub: 'https://${RestApiGateway}.execute-api.${AWS::Region}.${AWS::URLSuffix}/Prod/'
@@ -1 +1 @@
-__version__ = "1.41.0"
+__version__ = "1.42.0"
@@ -170,6 +170,7 @@ def __init__(
         method_settings=None,
         binary_media=None,
         minimum_compression_size=None,
+        disable_execute_api_endpoint=None,
         cors=None,
         auth=None,
         gateway_responses=None,
@@ -218,6 +219,7 @@ def __init__(
         self.method_settings = method_settings
         self.binary_media = binary_media
         self.minimum_compression_size = minimum_compression_size
+        self.disable_execute_api_endpoint = disable_execute_api_endpoint
         self.cors = cors
         self.auth = auth
         self.gateway_responses = gateway_responses
@@ -290,8 +292,27 @@ def _construct_rest_api(self):
         if self.mode:
             rest_api.Mode = self.mode
 
+        if self.disable_execute_api_endpoint is not None:
+            self._add_endpoint_extension()
+
         return rest_api
 
+    def _add_endpoint_extension(self):
+        """Add disableExecuteApiEndpoint if it is set in SAM
+        Note:
+        If neither DefinitionUri nor DefinitionBody are specified,
+        SAM will generate a openapi definition body based on template configuration.
+        https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-definitionbody
+        For this reason, we always put DisableExecuteApiEndpoint into openapi object irrespective of origin of DefinitionBody.
+        """
+        if self.disable_execute_api_endpoint and not self.definition_body:
+            raise InvalidResourceException(
+                self.logical_id, "DisableExecuteApiEndpoint works only within 'DefinitionBody' property."
+            )
+        editor = SwaggerEditor(self.definition_body)
+        editor.add_disable_execute_api_endpoint_extension(self.disable_execute_api_endpoint)
+        self.definition_body = editor.swagger
+
     def _construct_body_s3_dict(self):
         """Constructs the RestApi's `BodyS3Location property`_, from the SAM Api's DefinitionUri property.
 
@@ -444,6 +465,9 @@ def _construct_api_domain(self, rest_api):
         if self.domain.get("SecurityPolicy", None):
             domain.SecurityPolicy = self.domain["SecurityPolicy"]
 
+        if self.domain.get("OwnershipVerificationCertificateArn", None):
+            domain.OwnershipVerificationCertificateArn = self.domain["OwnershipVerificationCertificateArn"]
+
         # Create BasepathMappings
         if self.domain.get("BasePath") and isinstance(self.domain.get("BasePath"), string_types):
             basepaths = [self.domain.get("BasePath")]
 
@@ -253,6 +253,12 @@ def _construct_api_domain(self, http_api):
                 "EndpointConfiguration for Custom Domains must be one of {}.".format(["REGIONAL"]),
             )
         domain_config["EndpointType"] = endpoint
+
+        if self.domain.get("OwnershipVerificationCertificateArn", None):
+            domain_config["OwnershipVerificationCertificateArn"] = self.domain.get(
+                "OwnershipVerificationCertificateArn"
+            )
+
         domain_config["CertificateArn"] = self.domain.get("CertificateArn")
         if self.domain.get("SecurityPolicy", None):
             domain_config["SecurityPolicy"] = self.domain.get("SecurityPolicy")
 
@@ -169,6 +169,7 @@ class ApiGatewayDomainName(Resource):
         "MutualTlsAuthentication": PropertyType(False, is_type(dict)),
         "SecurityPolicy": PropertyType(False, is_str()),
         "CertificateArn": PropertyType(False, is_str()),
+        "OwnershipVerificationCertificateArn": PropertyType(False, is_str()),
     }
 
 
 
@@ -21,6 +21,9 @@ class PullEventSource(ResourceMacro):
     :cvar str policy_arn: The ARN of the AWS managed role policy corresponding to this pull event source
     """
 
+    # Event types that support `FilterCriteria`, stored as a list to keep the alphabetical order
+    RESOURCE_TYPES_WITH_EVENT_FILTERING = ["DynamoDB", "Kinesis", "SQS"]
+
     resource_type = None
     requires_stream_queue_broker = True
     property_types = {
@@ -43,6 +46,7 @@ class PullEventSource(ResourceMacro):
         "TumblingWindowInSeconds": PropertyType(False, is_type(int)),
         "FunctionResponseTypes": PropertyType(False, is_type(list)),
         "KafkaBootstrapServers": PropertyType(False, is_type(list)),
+        "FilterCriteria": PropertyType(False, is_type(dict)),
     }
 
     def get_policy_arn(self):
@@ -102,6 +106,8 @@ def to_cloudformation(self, **kwargs):
         lambda_eventsourcemapping.SourceAccessConfigurations = self.SourceAccessConfigurations
         lambda_eventsourcemapping.TumblingWindowInSeconds = self.TumblingWindowInSeconds
         lambda_eventsourcemapping.FunctionResponseTypes = self.FunctionResponseTypes
+        lambda_eventsourcemapping.FilterCriteria = self.FilterCriteria
+        self._validate_filter_criteria()
 
         if self.KafkaBootstrapServers:
             lambda_eventsourcemapping.SelfManagedEventSource = {
@@ -169,6 +175,20 @@ def _link_policy(self, role, destination_config_policy=None):
                 if not destination_config_policy.get("PolicyDocument") in [d["PolicyDocument"] for d in role.Policies]:
                     role.Policies.append(destination_config_policy)
 
+    def _validate_filter_criteria(self):
+        if not self.FilterCriteria or is_intrinsic(self.FilterCriteria):
+            return
+        if self.resource_type not in self.RESOURCE_TYPES_WITH_EVENT_FILTERING:
+            raise InvalidEventException(
+                self.relative_id,
+                "FilterCriteria is only available for {} events.".format(
+                    ", ".join(self.RESOURCE_TYPES_WITH_EVENT_FILTERING)
+                ),
+            )
+        # FilterCriteria is either empty or only has "Filters"
+        if list(self.FilterCriteria.keys()) not in [[], ["Filters"]]:
+            raise InvalidEventException(self.relative_id, "FilterCriteria field has a wrong format")
+
 
 class Kinesis(PullEventSource):
     """Kinesis event source."""
 
@@ -79,6 +79,7 @@ class LambdaEventSourceMapping(Resource):
         "TumblingWindowInSeconds": PropertyType(False, is_type(int)),
         "FunctionResponseTypes": PropertyType(False, is_type(list)),
         "SelfManagedEventSource": PropertyType(False, is_type(dict)),
+        "FilterCriteria": PropertyType(False, is_type(dict)),
     }
 
     runtime_attrs = {"name": lambda self: ref(self.logical_id)}
 
@@ -878,6 +878,7 @@ class SamApi(SamResourceMacro):
         "Domain": PropertyType(False, is_type(dict)),
         "Description": PropertyType(False, is_str()),
         "Mode": PropertyType(False, is_str()),
+        "DisableExecuteApiEndpoint": PropertyType(False, is_type(bool)),
     }
 
     referable_properties = {
@@ -925,6 +926,7 @@ def to_cloudformation(self, **kwargs):
             method_settings=self.MethodSettings,
             binary_media=self.BinaryMediaTypes,
             minimum_compression_size=self.MinimumCompressionSize,
+            disable_execute_api_endpoint=self.DisableExecuteApiEndpoint,
             cors=self.Cors,
             auth=self.Auth,
             gateway_responses=self.GatewayResponses,
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-__version__ = "1.41.0"`
	`1`	`+__version__ = "1.42.0"`
Original file line number	Diff line number	Diff line change
`@@ -169,6 +169,7 @@ class ApiGatewayDomainName(Resource):`
`169`	`169`	`"MutualTlsAuthentication": PropertyType(False, is_type(dict)),`
`170`	`170`	`"SecurityPolicy": PropertyType(False, is_str()),`
`171`	`171`	`"CertificateArn": PropertyType(False, is_str()),`
	`172`	`+ "OwnershipVerificationCertificateArn": PropertyType(False, is_str()),`
`172`	`173`	`}`
`173`	`174`
`174`	`175`
Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,7 @@ class LambdaEventSourceMapping(Resource):`
`79`	`79`	`"TumblingWindowInSeconds": PropertyType(False, is_type(int)),`
`80`	`80`	`"FunctionResponseTypes": PropertyType(False, is_type(list)),`
`81`	`81`	`"SelfManagedEventSource": PropertyType(False, is_type(dict)),`
	`82`	`+ "FilterCriteria": PropertyType(False, is_type(dict)),`
`82`	`83`	`}`
`83`	`84`
`84`	`85`	`runtime_attrs = {"name": lambda self: ref(self.logical_id)}`