From 7af7dd9663e717e885919a79114425ebce9c0107 Mon Sep 17 00:00:00 2001
From: Justin Daines <33838396+dainesj@users.noreply.github.com>
Date: Wed, 29 May 2024 14:49:49 -0400
Subject: [PATCH 1/4] feat: Update for apigatewayv2
Adding apigatewayv2 as default.
---
.gitignore | 2 ++
README.md | 2 +-
modules/snapshot/README.md | 2 +-
modules/snapshot/variables.tf | 1 +
4 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 64ba6a7..4ac5c7f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,5 @@ terraform.tfstate
terraform.tfvars
.terraform.lock.hcl
+
+.idea
diff --git a/README.md b/README.md
index 36b181e..bb3ff33 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ Additionally, this repository provides submodules to interact with the lambda fu
* [Upload S3 objects using S3 bucket notifications](https://github.com/observeinc/terraform-aws-lambda/tree/main/modules/s3_bucket_subscription)
* [Subscribe CloudWatch Logs to Observe Lambda](https://github.com/observeinc/terraform-aws-lambda/tree/main/modules/cloudwatch_logs_subscription)
-* [Collect API snapshots](https://github.com/observeinc/terraform-aws-lambda/tree/main/snapshot)
+* [Collect API snapshots](https://github.com/observeinc/terraform-aws-lambda/tree/main/modules/snapshot)
## Examples
diff --git a/modules/snapshot/README.md b/modules/snapshot/README.md
index 4f3306c..086298c 100644
--- a/modules/snapshot/README.md
+++ b/modules/snapshot/README.md
@@ -123,7 +123,7 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [action](#input\_action) | List of actions allowed by policy and periodically triggered. By default,
this list contains all policies which the lambda can act upon. You should
only override this list if you do not want to execute more actions as they
become available in future lambda upgrades. If you instead wish to extend
this list, or ignore a subset of actions, use \"include\" and \"exclude\". | `list(string)` |
[
"apigateway:Get*",
"autoscaling:Describe*",
"cloudformation:Describe*",
"cloudformation:List*",
"cloudfront:List*",
"dynamodb:Describe*",
"dynamodb:List*",
"ec2:Describe*",
"ecs:Describe*",
"ecs:List*",
"eks:Describe*",
"eks:List*",
"elasticbeanstalk:Describe*",
"elasticache:Describe*",
"elasticfilesystem:Describe*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"events:List*",
"firehose:Describe*",
"firehose:List*",
"iam:Get*",
"iam:List*",
"kinesis:Describe*",
"kinesis:List*",
"kms:Describe*",
"kms:List*",
"lambda:List*",
"logs:Describe*",
"organizations:Describe*",
"organizations:List*",
"rds:Describe*",
"redshift:Describe*",
"route53:List*",
"s3:GetBucket*",
"s3:List*",
"secretsmanager:List*",
"sns:Get*",
"sns:List*",
"sqs:Get*",
"sqs:List*",
"synthetics:Describe*",
"synthetics:List*"
]
| no |
+| [action](#input\_action) | List of actions allowed by policy and periodically triggered. By default,
this list contains all policies which the lambda can act upon. You should
only override this list if you do not want to execute more actions as they
become available in future lambda upgrades. If you instead wish to extend
this list, or ignore a subset of actions, use \"include\" and \"exclude\". | `list(string)` | [
"apigateway:Get*",
"apigatewayv2:Get*",
"autoscaling:Describe*",
"cloudformation:Describe*",
"cloudformation:List*",
"cloudfront:List*",
"dynamodb:Describe*",
"dynamodb:List*",
"ec2:Describe*",
"ecs:Describe*",
"ecs:List*",
"eks:Describe*",
"eks:List*",
"elasticbeanstalk:Describe*",
"elasticache:Describe*",
"elasticfilesystem:Describe*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*",
"elasticmapreduce:List*",
"events:List*",
"firehose:Describe*",
"firehose:List*",
"iam:Get*",
"iam:List*",
"kinesis:Describe*",
"kinesis:List*",
"kms:Describe*",
"kms:List*",
"lambda:List*",
"logs:Describe*",
"organizations:Describe*",
"organizations:List*",
"rds:Describe*",
"redshift:Describe*",
"route53:List*",
"s3:GetBucket*",
"s3:List*",
"secretsmanager:List*",
"sns:Get*",
"sns:List*",
"sqs:Get*",
"sqs:List*",
"synthetics:Describe*",
"synthetics:List*"
]
| no |
| [eventbridge\_name\_prefix](#input\_eventbridge\_name\_prefix) | Prefix used for EventBridge Rule | `string` | `"observe-lambda-snapshot-"` | no |
| [eventbridge\_schedule\_event\_bus\_name](#input\_eventbridge\_schedule\_event\_bus\_name) | Event Bus for EventBridge scheduled events | `string` | `"default"` | no |
| [eventbridge\_schedule\_expression](#input\_eventbridge\_schedule\_expression) | Rate at which snapshot is triggered. Must be valid EventBridge expression | `string` | `"rate(3 hours)"` | no |
diff --git a/modules/snapshot/variables.tf b/modules/snapshot/variables.tf
index 50a2700..0ff13a4 100644
--- a/modules/snapshot/variables.tf
+++ b/modules/snapshot/variables.tf
@@ -41,6 +41,7 @@ variable "action" {
nullable = false
default = [
"apigateway:Get*",
+ "apigatewayv2:Get*",
"autoscaling:Describe*",
"cloudformation:Describe*",
"cloudformation:List*",
From 26eb8386f1331d4ffd94146d3b56a055f89c5de6 Mon Sep 17 00:00:00 2001
From: Justin Daines
Date: Wed, 7 May 2025 09:35:14 -0400
Subject: [PATCH 2/4] fix: Fix S3 Bucket Notification Configuration Validation
Error OBSSD-612
Fix S3 Bucket Notification Configuration Validation Error OBSSD-612 to resolve
Error: creating S3 Bucket () Notification: operation error S3:
PutBucketNotificationConfiguration, https response error StatusCode: 400, RequestID: , HostID:
, api error InvalidArgument: Unable to
validate the following destination configurations
with module..module.observe_lambda_s3_subscription.aws_s3_bucket_notification.notification[0],
on .terraform/modules/.observe_lambda_s3_subscription/modules/s3_bucket_subscription/main.tf line 20, in
resource "aws_s3_bucket_notification" "notification":
20: resource "aws_s3_bucket_notification" "notification" {
---
modules/s3_bucket_subscription/main.tf | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/s3_bucket_subscription/main.tf b/modules/s3_bucket_subscription/main.tf
index 07344c5..938010c 100644
--- a/modules/s3_bucket_subscription/main.tf
+++ b/modules/s3_bucket_subscription/main.tf
@@ -28,6 +28,7 @@ resource "aws_s3_bucket_notification" "notification" {
filter_prefix = var.filter_prefix
filter_suffix = var.filter_suffix
}
+ depends_on = [aws_lambda_permission.allow_bucket]
}
resource "aws_iam_policy" "s3_bucket_read" {
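Review bot: The added `depends_on` carries no explanation, and nothing else in the `aws_s3_bucket_notification` resource references `aws_lambda_permission.allow_bucket`, so a later reader is likely to treat it as redundant and drop it, reintroducing the failure the commit fixes. Record the reason next to it: `# S3 validates the destination when the notification is created (the InvalidArgument error quoted in OBSSD-612); the invoke permission must exist before this resource is applied.` The `resource "aws_s3_bucket_notification" "notification"` block starts outside this hunk.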
From 47e33f579aa56ad9f9b6267cd9ccb101b1bc86c2 Mon Sep 17 00:00:00 2001
From: Conventional Changelog Action
Date: Wed, 7 May 2025 14:54:57 +0000
Subject: [PATCH 3/4] chore(release): v3.7.0 [skip ci]
---
CHANGELOG.md | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d6d9225..7b43f46 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,10 +1,14 @@
-# [3.6.0](https://github.com/observeinc/terraform-aws-lambda/compare/v3.5.1...v3.6.0) (2024-05-01)
+# [3.7.0](https://github.com/observeinc/terraform-aws-lambda/compare/v3.6.0...v3.7.0) (2025-05-07)
+
+
+### Bug Fixes
+
+* Fix S3 Bucket Notification Configuration Validation Error OBSSD-612 ([a708fc6](https://github.com/observeinc/terraform-aws-lambda/commit/a708fc6f17fadf1330c048d4165a1a3385de8a9b))
### Features
-* allow KMS encryption of token environment variable ([#83](https://github.com/observeinc/terraform-aws-lambda/issues/83)) ([5d209d5](https://github.com/observeinc/terraform-aws-lambda/commit/5d209d56d478e3e810d4e65bc26eb6daed95beca))
-* bump min terraform version to 1.1.1 ([#85](https://github.com/observeinc/terraform-aws-lambda/issues/85)) ([c660124](https://github.com/observeinc/terraform-aws-lambda/commit/c660124248bc0a3a3ef2a2d96dcef982e85af68e))
+* Update for apigatewayv2 ([a191b9c](https://github.com/observeinc/terraform-aws-lambda/commit/a191b9c8678d9f2c3aecfce14e6d0a5d8e7371fb))
From 230ef163f75c81ebbd0e25b86f0964dece4c0c59 Mon Sep 17 00:00:00 2001
From: Justin Daines
Date: Mon, 23 Feb 2026 17:52:01 -0500
Subject: [PATCH 4/4] chore: Update Lambda Runtime to provided.al2023
---
examples/vpc_config/vpc.tf | 2 +-
main.tf | 12 ++++++------
modules/s3_bucket/main.tf | 10 ++++------
3 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/examples/vpc_config/vpc.tf b/examples/vpc_config/vpc.tf
index 4a23a16..8ab2d43 100644
--- a/examples/vpc_config/vpc.tf
+++ b/examples/vpc_config/vpc.tf
@@ -9,7 +9,7 @@ resource "aws_internet_gateway" "gw" {
}
resource "aws_eip" "nat" {
- vpc = true
+ domain = "vpc"
depends_on = [aws_internet_gateway.gw]
}
diff --git a/main.tf b/main.tf
index 2b9f889..d9b1aaf 100644
--- a/main.tf
+++ b/main.tf
@@ -1,8 +1,8 @@
locals {
- default_lambda_bucket = format("observeinc-%s", data.aws_region.current.name)
+ default_lambda_bucket = format("observeinc-%s", data.aws_region.current.id)
lambda_iam_role_arn = var.lambda_iam_role_arn != "" ? var.lambda_iam_role_arn : aws_iam_role.lambda[0].arn
lambda_iam_role_name = regex(".*role/(?P.*)$", local.lambda_iam_role_arn)["role_name"]
- s3_bucket = var.s3_bucket != "" ? var.s3_bucket : lookup(var.s3_regional_buckets, data.aws_region.current.name, local.default_lambda_bucket)
+ s3_bucket = var.s3_bucket != "" ? var.s3_bucket : lookup(var.s3_regional_buckets, data.aws_region.current.id, local.default_lambda_bucket)
s3_key = var.s3_key != "" ? var.s3_key : join("/", [var.s3_key_prefix, format("%s.zip", var.lambda_version)])
observe_token = var.kms_key != null ? aws_kms_ciphertext.token[0].ciphertext_blob : var.observe_token
goarch = lookup(
@@ -10,19 +10,19 @@ locals {
"amd64" : {
architectures = ["x86_64"]
handler = "bootstrap"
- runtime = "provided.al2"
+ runtime = "provided.al2023"
}
"arm64" : {
architectures = ["arm64"]
handler = "bootstrap"
- runtime = "provided.al2"
+ runtime = "provided.al2023"
}
},
split("/", var.lambda_version)[0],
{
architectures = null
- handler = "main"
- runtime = "go1.x"
+ handler = "bootstrap"
+ runtime = "provided.al2023"
},
)
}
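Review bot: The fallback entry of `lookup` (the `architectures = null` map) now pins `handler = "bootstrap"` and `runtime = "provided.al2023"` for any `lambda_version` whose first path segment is neither `amd64` nor `arm64`, and the change adds no check that such an artifact actually ships a custom-runtime bootstrap binary; a version string still pointing at an artifact built for the old `go1.x`/`main` layout would apply cleanly and only fail at invoke time. If older artifacts remain selectable, a `validation` block on `var.lambda_version` would make that explicit; at minimum document the assumption on the fallback: `# Fallback for un-prefixed lambda_version values: assumes the artifact ships a custom-runtime "bootstrap" binary (go1.x is no longer supported).` The `goarch = lookup(` expression begins in the previous hunk; only the `locals` closing brace is visible here.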
diff --git a/modules/s3_bucket/main.tf b/modules/s3_bucket/main.tf
index 123465c..4bb73b5 100644
--- a/modules/s3_bucket/main.tf
+++ b/modules/s3_bucket/main.tf
@@ -42,8 +42,6 @@ module "s3_bucket" {
tags = var.tags
}
-data "aws_redshift_service_account" "this" {}
-
data "aws_iam_policy_document" "bucket" {
statement {
sid = "AWSCloudTrailWrite"
@@ -134,8 +132,8 @@ data "aws_iam_policy_document" "bucket" {
effect = "Allow"
principals {
- type = "AWS"
- identifiers = [data.aws_redshift_service_account.this.arn]
+ type = "Service"
+ identifiers = ["redshift.amazonaws.com"]
}
actions = [
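Review bot: The principal switches from an account-scoped ARN (the regional Redshift service account) to the `redshift.amazonaws.com` service principal, but neither this statement nor the one in the next hunk (`@@ -152,8 +150,8 @@`) adds a `condition` scoping the grant to this account; without one, the service principal is satisfied by Redshift acting on behalf of any AWS account, which is the confused-deputy case the `aws:SourceAccount`/`aws:SourceArn` keys exist to close. Add a `condition` on `aws:SourceAccount` (and `aws:SourceArn` where the statement's resources allow) to both statements. The statement bodies, including the `actions` list and any existing conditions, continue outside the hunks, so confirm no equivalent condition is already present further down before adding one.
```hcl
    principals {
      type        = "Service"
      identifiers = ["redshift.amazonaws.com"]
    }

    # Restrict the service principal to Redshift acting for this account only.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = ["<ACCOUNT_ID_PLACEHOLDER>"] # placeholder: use the module's account-id data source or variable
    }

    # … unchanged: actions list …
```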
@@ -152,8 +150,8 @@ data "aws_iam_policy_document" "bucket" {
effect = "Allow"
principals {
- type = "AWS"
- identifiers = [data.aws_redshift_service_account.this.arn]
+ type = "Service"
+ identifiers = ["redshift.amazonaws.com"]
}
actions = [