@sebsto sebsto commented Nov 20, 2025

Address #605

NEW Lambda Tenant isolation capability:
https://docs.aws.amazon.com/lambda/latest/dg/tenant-isolation.html

Add Support for Lambda Tenant Isolation Mode

Summary

This PR adds support for AWS Lambda's tenant isolation mode to the Swift AWS Lambda Runtime, enabling developers to build multi-tenant applications with strict execution environment isolation per tenant.

Changes

Runtime Support

  • Added tenantID property to LambdaContext to expose the tenant identifier
  • Extended InvocationMetadata to capture the Lambda-Runtime-Aws-Tenant-Id header
  • Added AmazonHeaders.tenantID constant for the tenant ID header
  • Added trace logging for invocation headers to aid debugging

New Example: MultiTenant

A complete working example demonstrating tenant isolation mode:

  • Request tracking system that maintains separate counters and histories per tenant
  • Actor-based storage (TenantDataStore) for thread-safe tenant data management
  • Immutable data structures (TenantData) following Swift best practices
  • API Gateway integration with tenant ID passed via query parameter
  • SAM template configured with TenancyConfig.TenantIsolationMode: PER_TENANT
  • Comprehensive documentation covering architecture, deployment, testing, and best practices

Testing

  • Added unit test for tenant ID extraction from invocation headers
  • Integrated MultiTenant example into CI/CD pipeline

Documentation

The example includes detailed documentation on:

  • When to use tenant isolation (user code execution, sensitive data processing)
  • How tenant isolation works (dedicated environments, no cross-tenant reuse)
  • Concurrency limits and scaling considerations
  • Pricing implications
  • Security best practices
  • CloudWatch monitoring with tenant dimensions

Files Changed

  • Sources/AWSLambdaRuntime/LambdaContext.swift - Added tenantID property
  • Sources/AWSLambdaRuntime/ControlPlaneRequest.swift - Capture tenant ID from headers
  • Sources/AWSLambdaRuntime/Utils.swift - Added tenantID header constant
  • Sources/AWSLambdaRuntime/Lambda.swift - Pass tenant ID to context
  • Sources/AWSLambdaRuntime/LambdaRuntimeClient+ChannelHandler.swift - Added trace logging
  • Tests/AWSLambdaRuntimeTests/InvocationTests.swift - Added tenant ID test
  • Examples/MultiTenant/* - New complete example with SAM template
  • .github/workflows/pull_request.yml - Added MultiTenant to CI pipeline

Testing Instructions

  1. Build and deploy the example:

    ```bash
    cd Examples/MultiTenant
    swift package archive --allow-network-connections docker
    sam deploy --guided
    ```

  2. Test with different tenants:

    ```bash
    curl "https://.execute-api..amazonaws.com/Prod?tenant-id=alice"
    curl "https://.execute-api..amazonaws.com/Prod?tenant-id=bob"
    ```

  3. Verify isolation by checking that each tenant maintains separate request counts

Related Documentation

@sebsto sebsto self-assigned this Nov 20, 2025
@sebsto sebsto added the 🆕 semver/minor Adds new public API. label Nov 20, 2025
@sebsto sebsto linked an issue Nov 20, 2025 that may be closed by this pull request
2 tasks
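
An added example, not code from this PR or from the project: the tenant ID header capture and actor-based per-tenant counter described in the PR description, plus a defensive check that one execution environment only ever serves one tenant. All type and function names (`Header`, `extractTenantID`, `EnvironmentGuard`, the `TenantData` fields) are hypothetical, and the header lists are constructed samples.

```swift
// Added illustration; all names here are hypothetical, not the project's API.
enum Header { static let tenantID = "Lambda-Runtime-Aws-Tenant-Id" }

enum TenantError: Error, Equatable {
    case missingTenantID
    case environmentReused(boundTo: String, got: String)
}

/// HTTP header names are case-insensitive, so compare them lowercased.
func extractTenantID(from headers: [(name: String, value: String)]) -> String? {
    headers.first { $0.name.lowercased() == Header.tenantID.lowercased() }?.value
}

/// Immutable per-tenant record; an update returns a new value.
struct TenantData: Equatable {
    let tenantID: String
    let requestCount: Int
    func recordingRequest() -> TenantData {
        TenantData(tenantID: tenantID, requestCount: requestCount + 1)
    }
}

/// Actor-isolated state of one execution environment.
actor EnvironmentGuard {
    private var boundTenant: String?
    private var store: [String: TenantData] = [:]

    /// Binds the environment to the first tenant seen and refuses any other.
    func record(headers: [(name: String, value: String)]) throws -> TenantData {
        guard let id = extractTenantID(from: headers), !id.isEmpty else {
            throw TenantError.missingTenantID
        }
        if let bound = boundTenant, bound != id {
            throw TenantError.environmentReused(boundTo: bound, got: id)
        }
        boundTenant = id
        let updated = (store[id] ?? TenantData(tenantID: id, requestCount: 0)).recordingRequest()
        store[id] = updated
        return updated
    }
}

// Constructed sample invocation headers (not captured traffic).
let environment = EnvironmentGuard()
let alice = [(name: "lambda-runtime-aws-tenant-id", value: "alice")]
let bob = [(name: "Lambda-Runtime-Aws-Tenant-Id", value: "bob")]

_ = try await environment.record(headers: alice)
print(try await environment.record(headers: alice).requestCount)
do { _ = try await environment.record(headers: bob) } catch { print("rejected:", error) }
```

Failing closed on a missing or changed tenant ID turns a misconfigured deployment (for example, a function without `PER_TENANT` isolation) into a visible error instead of silently mixed tenant state.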

sebsto commented Nov 20, 2025

API Breakage on LambdaContext.__forTestOnly can be ignored. This function is package and is documented to not be part of the public API and semver versioning.

Copilot finished reviewing on behalf of sebsto November 20, 2025 21:29

Copilot AI left a comment


Pull Request Overview

This PR adds support for AWS Lambda's tenant isolation mode to the Swift AWS Lambda Runtime, enabling developers to build multi-tenant applications with strict execution environment isolation per tenant. The implementation exposes tenant IDs through the LambdaContext and includes a comprehensive working example.

  • Added tenantID property to LambdaContext to expose tenant identifiers from the Lambda runtime
  • Extended runtime internals to capture and propagate the Lambda-Runtime-Aws-Tenant-Id header through the invocation pipeline
  • Created a complete MultiTenant example demonstrating tenant isolation with actor-based storage and API Gateway integration

Reviewed Changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| Sources/AWSLambdaRuntime/LambdaContext.swift | Added tenantID property to context storage and public API |
| Sources/AWSLambdaRuntime/ControlPlaneRequest.swift | Extended InvocationMetadata to capture tenant ID from invocation headers |
| Sources/AWSLambdaRuntime/Utils.swift | Added tenantID header constant for Lambda runtime |
| Sources/AWSLambdaRuntime/Lambda.swift | Updated context initialization to pass tenant ID |
| Sources/AWSLambdaRuntime/LambdaRuntimeClient+ChannelHandler.swift | Added trace logging for invocation headers |
| Tests/AWSLambdaRuntimeTests/InvocationTests.swift | Added unit test for tenant ID extraction |
| Examples/MultiTenant/Sources/main.swift | Complete example with actor-based tenant data store and API Gateway handler |
| Examples/MultiTenant/template.yaml | SAM template configured with TenantIsolationMode: PER_TENANT and API Gateway integration |
| Examples/MultiTenant/README.md | Comprehensive documentation covering architecture, deployment, and best practices |
| Examples/MultiTenant/Package.swift | Package manifest for the MultiTenant example |
| Examples/MultiTenant/event.json | Sample API Gateway event for local testing |
| Examples/MultiTenant/.gitignore | Git ignore rules for generated files |
| Examples/HelloWorldNoTraits/.gitignore | Added Dockerfile to ignore list |
| .github/workflows/pull_request.yml | Added MultiTenant example to CI pipeline |


@sebsto sebsto requested a review from 0xTim November 21, 2025 18:13

@0xTim 0xTim left a comment


Couple of nits, nothing blocking

@sebsto sebsto removed the request for review from adam-fowler November 21, 2025 20:06
@sebsto sebsto merged commit 2abe7eb into main Nov 21, 2025
41 of 42 checks passed
@sebsto sebsto deleted the sebsto/multi-tenant branch November 21, 2025 20:14
Development

Successfully merging this pull request may close these issues.

Add support for Lambda Tenants

2 participants