[feat] Account-based endpoints (#178)

Author: jplock

Cargo.lock

@@ -1,4 +1,4 @@
-aws-lambda-powertools[tracer,parser]==3.10.0
+aws-lambda-powertools[tracer,parser]==3.11.0
 cryptography==43.0.3
 hpke==0.3.2
 pksuid==1.1.2

api/dependencies/requirements.txt

@@ -1,3 +1,3 @@
 black==25.1.0
-aws-lambda-powertools[all,aws-sdk]==3.10.0
+aws-lambda-powertools[all,aws-sdk]==3.11.0
 boto3-stubs[dynamodb,kms]

api/requirements-dev.txt

@@ -376,6 +376,7 @@ Resources:
       Description: !Sub "${AWS::StackName} - API"
       Environment:
         Variables:
+          AWS_ACCOUNT_ID: !Ref "AWS::AccountId" # use account-based endpoints
           AWS_STS_REGIONAL_ENDPOINTS: regional
           LOG_LEVEL: DEBUG
           POWERTOOLS_LOGGER_SAMPLE_RATE: 0.1

api/template.yml

@@ -1 +1 @@
-aws-lambda-powertools==3.10.0
+aws-lambda-powertools==3.11.0

canary/dependencies/requirements.txt

@@ -1,3 +1,3 @@
 black==25.1.0
-aws-lambda-powertools[all,aws-sdk]==3.10.0
+aws-lambda-powertools[all,aws-sdk]==3.11.0
 boto3-stubs[dynamodb,kms]

canary/requirements-dev.txt

@@ -43,6 +43,7 @@ Globals:
     CodeUri: src/
     Environment:
       Variables:
+        AWS_ACCOUNT_ID: !Ref "AWS::AccountId" # use account-based endpoints
         AWS_STS_REGIONAL_ENDPOINTS: regional
         POWERTOOLS_METRICS_NAMESPACE: NitroVault
         TABLE_NAME: !Ref pTableName

canary/template.yml

@@ -16,8 +16,8 @@ path = "src/main.rs"
 anyhow = { version = "=1.0.98", default-features = false }
 aws-lc-rs = { version = "=1.13.0", default-features = false }
 byteorder = { version = "=1.5.0", default-features = false }
-cel-interpreter = { version = "=0.9.0", default-features = false, features = ["json", "chrono"] }
-chrono = { version = "=0.4.40", default-features = false, features = ["now"] }
+cel-interpreter = { version = "=0.9.1", default-features = false, features = ["json", "chrono"] }
+chrono = { version = "=0.4.41", default-features = false, features = ["now"] }
 data-encoding = { version = "=2.9.0", default-features = false, features = ["alloc"] }
 serde = { version = "=1.0.219", default-features = false, features = ["derive"] }
 serde_json = { version = "=1.0.140", default-features = false }

enclave/Cargo.toml

@@ -15,10 +15,10 @@ path = "src/main.rs"
 
 [dependencies]
 anyhow = { version = "=1.0.98", default-features = false }
-aws-config = { version = "=1.6.1", default-features = false, features = ["rt-tokio", "behavior-version-latest", "default-https-client"] }
-aws-credential-types = { version = "=1.2.2", default-features = false }
-aws-smithy-runtime-api = { version = "=1.7.4", default-features = false, features = ["client"] }
-axum = { version = "=0.8.3", default-features = false, features = ["http1", "json", "tokio", "tracing"] }
+aws-config = { version = "=1.6.2", default-features = false, features = ["rt-tokio", "behavior-version-latest", "default-https-client"] }
+aws-credential-types = { version = "=1.2.3", default-features = false }
+aws-smithy-runtime-api = { version = "=1.8.0", default-features = false, features = ["client"] }
+axum = { version = "=0.8.4", default-features = false, features = ["http1", "json", "tokio", "tracing"] }
 byteorder = { version = "=1.5.0", default-features = false }
 clap = { version = "=4.5.37", default-features = false, features = ["std", "derive", "env"] }
 fastrand = { version = "=2.3.0", default-features = false }

parent/Cargo.toml

@@ -519,7 +519,8 @@ Resources:
     Properties:
       Domains:
         - !Ref pDomainName
-        - !Sub "*.${AWS::URLSuffix}"
+        - !Sub "*.${AWS::URLSuffix}"  # IPv4 endpoints
+        - "*.api.aws"  # dualstack (IPv4/IPv6) endpoints
       Name: !Sub "${pResourcePrefix}-AllowDomains"
       Tags:
         - Key: "aws-cloudformation:stack-name"