Migrate Lambda functions to ARM64, upgrade dependencies

Now that AWS Lambda SnapStart supports ARM64, we can
migrate our Lambda functions from x86 to ARM64 to take
advantage of lower hardware costs and performance
improvements without losing the significant cold start
reduction advantage of SnapStart.

Ref: https://aws.amazon.com/about-aws/whats-new/2024/07/aws-lambda-snapstart-java-functions-arm64-architecture/

Update our base AWS Lambda Function component to use
the ARM64 architecture for all functions.

Upgrade CDK dependencies to the latest stable versions.

Author: msayson

cdk.json

@@ -17,56 +17,73 @@
     ]
   },
   "context": {
-    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
-    "@aws-cdk/core:checkSecretUsage": true,
-    "@aws-cdk/core:target-partitions": [
-      "aws",
-      "aws-cn"
-    ],
-    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
-    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
-    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
-    "@aws-cdk/aws-iam:minimizePolicies": true,
-    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
-    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
-    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
-    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
-    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
-    "@aws-cdk/core:enablePartitionLiterals": true,
-    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
-    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
-    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
-    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
-    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
-    "@aws-cdk/aws-route53-patters:useCertificate": true,
-    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
-    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
-    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
     "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
-    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
-    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
-    "@aws-cdk/aws-redshift:columnId": true,
-    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
-    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
     "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
-    "@aws-cdk/aws-kms:aliasNameRef": true,
-    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
-    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
-    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
-    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
-    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
-    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
-    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
+    "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermissions": true,
     "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
-    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
-    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
     "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
     "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
     "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
-    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
-    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": false,
+    "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": true,
     "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
     "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
-    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false
+    "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": true,
+    "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupIds": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/aws-lambda:useCdkManagedLogGroups": true,
+    "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/core:explicitStackTags": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/pipelines:reduceAssetRoleTrustScope": true,
+    "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": true,
+    "@aws-cdk/pipelines:reduceStageRoleTrustScope": true,
+    "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": true,
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true
   }
 }

lib/constructs/CustomLambdaFunction.ts

@@ -1,13 +1,13 @@
 import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
-import { Function, FunctionProps } from 'aws-cdk-lib/aws-lambda';
+import { Architecture, Function, FunctionProps } from 'aws-cdk-lib/aws-lambda';
 import { LogGroup, RetentionDays } from 'aws-cdk-lib/aws-logs';
 import { Construct } from 'constructs';
 
 export interface CustomLambdaFunctionProps extends FunctionProps {}
 
 /**
  * Custom Lambda function that extends the default AWS Lambda Function construct with default configurations.
- * 
+ *
  * Project configurations:
  * - Standardize AWS CloudWatch log group names and expiration policies, expiring after 18 months.
  * - Grant the Lambda function permissions to emit custom CloudWatch metrics.
@@ -16,6 +16,7 @@ export class CustomLambdaFunction extends Function {
   constructor(scope: Construct, readonly id: string, readonly props: CustomLambdaFunctionProps) {
     super(scope, id, {
       ...props,
+      architecture: Architecture.ARM_64,
       logGroup: new LogGroup(scope, `${id}LogGroup`, {
         logGroupName: `${id}-ApplicationLogs`,
         retention: RetentionDays.EIGHTEEN_MONTHS

package-lock.json

@@ -16,15 +16,15 @@
   "devDependencies": {
     "@types/jest": "^29.5.14",
     "@types/node": "^20.12.7",
-    "aws-cdk": "~2.1010.0",
+    "aws-cdk": "~2.1031.1",
     "jest": "^29.7.0",
     "ts-jest": "^29.2.6",
     "ts-node": "^10.9.2",
     "typescript": "~5.4.5"
   },
   "dependencies": {
-    "aws-cdk-lib": "~2.190",
-    "cdk-monitoring-constructs": "^9.2.0",
+    "aws-cdk-lib": "~2.221",
+    "cdk-monitoring-constructs": "^9.16.0",
     "constructs": "^10.4.2"
   }
 }

package.json

@@ -27,7 +27,7 @@ exports[`CodePipelineStack creates the expected CloudFormation template from CDK
             "Arn",
           ],
         },
-        "Runtime": "nodejs20.x",
+        "Runtime": "nodejs22.x",
         "Timeout": 900,
       },
       "Type": "AWS::Lambda::Function",

test/stacks/__snapshots__/CodePipelineStack.test.ts.snap

@@ -16,6 +16,9 @@ exports[`ConsentManagementApiStack creates the expected CloudFormation template
         "ConsentExpiryProcessorLambdaServiceRole855DC305",
       ],
       "Properties": {
+        "Architectures": [
+          "arm64",
+        ],
         "Description": "Consent Expiry Processor Lambda",
         "Handler": "com.consentframework.consentexpiryprocessor.ConsentExpiryProcessor::handleRequest",
         "LoggingConfig": {

test/stacks/__snapshots__/ConsentExpiryProcessorStack.test.ts.snap

@@ -550,6 +550,9 @@ exports[`ConsentHistoryApiStack creates the expected CloudFormation template fro
       "UpdateReplacePolicy": "Retain",
     },
     "ConsentHistoryAPIGatewayDeployment": {
+      "Metadata": {
+        "aws:cdk:do-not-refactor": true,
+      },
       "Properties": {
         "Description": "Consent History API, see documentation at https://consent-management-platform.github.io/consent-history-api-models/v1/docs.html",
         "RestApiId": {
@@ -587,6 +590,9 @@ exports[`ConsentHistoryApiStack creates the expected CloudFormation template fro
         "ConsentHistoryApiLambdaServiceRoleA0D24C3A",
       ],
       "Properties": {
+        "Architectures": [
+          "arm64",
+        ],
         "Description": "Consent History API Lambda",
         "Handler": "com.consentframework.consenthistory.api.ConsentHistoryApiService::handleRequest",
         "LoggingConfig": {

test/stacks/__snapshots__/ConsentHistoryApiStack.test.ts.snap

@@ -16,6 +16,9 @@ exports[`ConsentHistoryProcessorStack creates the expected CloudFormation templa
         "ConsentHistoryProcessorLambdaServiceRoleE9DE128F",
       ],
       "Properties": {
+        "Architectures": [
+          "arm64",
+        ],
         "Description": "Consent History Processor Lambda",
         "Environment": {
           "Variables": {