✨ feat(infra): add declarative limits management via YAML and Lambda provisioner (#405) #409
Merged
Codecov Report
✅ All modified and coverable lines are covered by tests.

```diff
@@ Coverage Diff @@
## main #409 +/- ##
===========================================
+ Coverage 53.58% 92.12% +38.54%
===========================================
Files 33 35 +2
Lines 7383 7672 +289
===========================================
+ Hits 3956 7068 +3112
+ Misses 3427 604 -2823
```
Design for YAML-based limit declarations applied through a Lambda provisioner, serving both CLI and CloudFormation paths with Terraform-style state tracking. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
12-task TDD implementation plan covering schema, repository, manifest parsing, diff engine, applier, Lambda handler, builder, CFN template, CLI commands, stack manager, integration tests, and documentation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ord (#405) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…imits (#405) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…405) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…405) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Also fix mypy errors in applier.py (assert target not None for resource/entity levels) and add types-PyYAML to dev deps and pre-commit mypy hook. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…te (#405) Adds EnableProvisioner parameter, ProvisionerRole, ProvisionerLogGroup, ProvisionerFunction, and corresponding outputs (ARN, Name). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
New `limits` command group for declarative limits management:
- `limits plan`: Preview changes (terraform plan style)
- `limits apply`: Apply changes from YAML file
- `limits diff`: Show drift between YAML and live state
- `limits cfn-template`: Generate CFN template from YAML

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…er (#405)

Tests verify against LocalStack:
- Apply creates limits readable via Repository API
- Idempotent apply produces update (not create) actions
- Removal deletes managed items, leaves unmanaged alone

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Document the new `limits` CLI command group (plan, apply, diff, cfn-template), provisioner package structure, DynamoDB schema additions, and declarative limits workflow in CLAUDE.md, cli.md, and deployment.md. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…nd CLI (#405) Add tests for uncovered edge cases: provisioner builder metadata fallback and placeholder removal, stack manager endpoint_url passthrough and error handling (waiter failures, ClientError), CLI diff/apply commands, cfn-template entity/burst fields, _load_yaml validation, and _invoke_provisioner Lambda integration. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…#405) Add tests for dest dir collision cleanup in provisioner_builder and successful namespace resolution path in _invoke_provisioner. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When `_invoke_provisioner()` resolves the namespace, if the requested namespace doesn't exist yet (NamespaceNotFoundError), it now connects to the default namespace, auto-registers the new namespace, and returns the scoped namespace ID. This enables `limits apply` to work on first run without requiring manual namespace setup. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…405) After rebasing on main, Repository.connect() was renamed to Repository.open() with a new signature (namespace as first positional arg, stack= kwarg). Update limits_cli.py and all affected tests. Also fix pre-existing test failures in test_cli.py where 3 TestLimitParsing tests still used mock_repo_class.connect instead of .open. Fix integration test_provisioner.py to unpack get_system_defaults() tuple return type after the burst field refactor. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
7981ac3 to 49c7d7b
Align with the Limit model refactor (PR #408) that removed the redundant `burst` field — `capacity` now serves as the bucket ceiling.
- Remove `burst` from LimitDecl (accept it in YAML for backwards compat, treating it as capacity override)
- Stop writing `bx` attribute to DynamoDB in applier
- Remove Burst from CFN template generation and handler parsing
- Update docs to remove burst references from YAML examples

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ler (#405)

Integration tests (LocalStack):
- Handler plan returns changes without modifying state
- Handler apply persists provisioner state (#PROVISIONER record)
- Handler apply creates entity-level limits
- Handler removal flow deletes items removed from manifest
- Handler CFN create and delete lifecycle
- Handler on_unavailable setting persistence

AWS e2e tests:
- Full provisioner lifecycle (apply → verify → modify → verify → delete)
- CFN event lifecycle (Create → Update → Delete)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The provisioner role name was hardcoded as ${StackName}-prov, which
fails in environments requiring role names matching a prefix pattern
(e.g., PowerUserPB-*). Now uses the RoleNameFormat parameter like
all other IAM roles.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add end-to-end test that exercises the full CloudFormation custom resource lifecycle: deploy main stack with provisioner Lambda, upload real code, then create/update/delete a second CFN stack with Custom::ZaeLimiterLimits.

Handler changes to support CFN integration:
- Add CFN response protocol (_send_cfn_response) to POST SUCCESS/FAILED to CloudFormation's pre-signed ResponseURL
- Add namespace name-to-ID resolution (_resolve_namespace_id) so CFN templates only need Namespace (name), not NamespaceId
- Wrap _handle_cfn with _handle_cfn_with_response for error handling
- Return physical_resource_id for stable custom resource identity

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- `zae-limiter limits` CLI command group with `plan`, `apply`, `diff`, and `cfn-template` subcommands for managing limits declaratively
- `zae_limiter_provisioner` Lambda package with manifest parsing, diff engine, applier, and handler supporting both CLI invocations and CloudFormation Custom Resource events
- `#PROVISIONER` state record in DynamoDB to track managed vs unmanaged limits, enabling safe removal of limits deleted from YAML without clobbering manual overrides
- `get_provisioner_state()` / `put_provisioner_state()` to Repository and `sk_provisioner()` key builder to schema

Test plan
- `uv run pytest tests/unit/ -v`)
- `uv run pytest tests/integration/test_provisioner.py -v`)
- `limits plan` prints human-readable diff without modifying DynamoDB
- `limits apply` applies limits idempotently (second run produces zero changes)
- `limits diff` detects out-of-band drift between YAML and live state
- `limits cfn-template` generates valid CloudFormation template with `Custom::ZaeLimiterLimits` resource
- `apply` deletes it only if tracked in `#PROVISIONER` record

Closes #405
🤖 Generated with Claude Code
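
The managed-versus-unmanaged rule described in the summary, as an added sketch that is not the project's code: deletions are restricted to keys recorded by a previous apply, so manually set limits survive a removal from YAML. The names `Change`, `plan`, `apply` and the `(scope, name) -> capacity` model are assumptions, and an unchanged limit is assumed to produce no action.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]  # hypothetical key: (scope, limit name)


@dataclass(frozen=True)
class Change:
    action: str            # "create", "update" or "delete"
    key: Key
    old: Optional[int]
    new: Optional[int]


def plan(desired: Dict[Key, int], live: Dict[Key, int],
         managed: Set[Key]) -> List[Change]:
    """Compute changes without touching state (the `limits plan` idea)."""
    changes: List[Change] = []
    for key, cap in sorted(desired.items()):
        if key not in live:
            changes.append(Change("create", key, None, cap))
        elif live[key] != cap:  # also catches out-of-band drift
            changes.append(Change("update", key, live[key], cap))
    # Only keys a previous apply recorded as managed may be deleted;
    # anything else in `live` is treated as a manual override.
    for key in sorted(managed - set(desired)):
        if key in live:
            changes.append(Change("delete", key, live[key], None))
    return changes


def apply(desired: Dict[Key, int], live: Dict[Key, int], managed: Set[Key]):
    """Return (new live state, new managed set, changes applied)."""
    changes = plan(desired, live, managed)
    new_live = dict(live)
    for c in changes:
        if c.action == "delete":
            del new_live[c.key]
        else:
            new_live[c.key] = c.new
    return new_live, set(desired), changes


if __name__ == "__main__":
    # Constructed sample state: two managed limits plus one manual override.
    live = {("system", "rpm"): 100, ("system", "tpm"): 5000,
            ("entity:acme", "rpm"): 500}
    managed = {("system", "rpm"), ("system", "tpm")}
    desired = {("system", "rpm"): 200}  # tpm dropped from the YAML
    live, managed, changes = apply(desired, live, managed)
    for c in changes:
        print(c)
    print("second plan:", plan(desired, live, managed))
```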