From aab701f491cc245d18a4805fb72acde8b5a208dd Mon Sep 17 00:00:00 2001
From: John Ferlito
Date: Mon, 12 Feb 2024 11:18:49 +1100
Subject: [PATCH 1/2] fix(amplify): Add the default amplify policy to the auto-generated role
---
 packages/@aws-cdk/aws-amplify-alpha/lib/app.ts | 5 +++--
 .../@aws-cdk/aws-amplify-alpha/test/app.test.ts | 15 +++++++++++++++
 .../cdk-amplify-app-asset-deployment.assets.json | 4 ++--
 ...dk-amplify-app-asset-deployment.template.json | 16 +++++++++++++++-
 .../manifest.json | 2 +-
 .../tree.json | 16 +++++++++++++++-
 .../cdk-amplify-codecommit-app.assets.json | 4 ++--
 .../cdk-amplify-codecommit-app.template.json | 16 +++++++++++++++-
 .../manifest.json | 2 +-
 .../integ.app-codecommit.js.snapshot/tree.json | 16 +++++++++++++++-
 .../cdk-amplify-app.assets.json | 4 ++--
 .../cdk-amplify-app.template.json | 16 +++++++++++++++-
 .../test/integ.app.js.snapshot/manifest.json | 2 +-
 .../test/integ.app.js.snapshot/tree.json | 16 +++++++++++++++-
 14 files changed, 117 insertions(+), 17 deletions(-)
diff --git a/packages/@aws-cdk/aws-amplify-alpha/lib/app.ts b/packages/@aws-cdk/aws-amplify-alpha/lib/app.ts
index db9dfae461c80..e54066f3f2283 100644
--- a/packages/@aws-cdk/aws-amplify-alpha/lib/app.ts
+++ b/packages/@aws-cdk/aws-amplify-alpha/lib/app.ts
@@ -155,7 +155,7 @@ export interface AppProps {
 * The IAM service role to associate with the application. The App
 * implements IGrantable.
 *
- * @default - a new role is created
+ * @default - a new role is created with the AdministratorAccess-Amplify managed policy attached
 */
 readonly role?: iam.IRole;
@@ -224,6 +224,7 @@ export class App extends Resource implements IApp, iam.IGrantable {
 const role = props.role || new iam.Role(this, 'Role', {
 assumedBy: new iam.ServicePrincipal('amplify.amazonaws.com'),
+ managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess-Amplify')],
 });
 this.grantPrincipal = role;
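Review bot: The `managedPolicies` line added to the default `new iam.Role(...)` attaches the AWS-managed `AdministratorAccess-Amplify` policy to every app whose caller omits `props.role`, so stacks that relied on the auto-generated role gain a much wider permission set on their next deploy without opting in. The policy's statements are not visible in this patch, so the exact reach should be checked against the policy document, but an administrator-class policy as a silent default is hard to square with least privilege for apps that only need hosting. Consider making the attachment opt-in, or at minimum extend the `role` docstring in the `-155` hunk with a line such as `* Supply your own role to scope permissions down; the default role is deliberately broad.` The constructor body continues outside the hunk.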
@@ -239,7 +240,7 @@ export class App extends Resource implements IApp, iam.IGrantable {
 buildSpec: props.autoBranchCreation.buildSpec && props.autoBranchCreation.buildSpec.toBuildSpec(),
 enableAutoBranchCreation: true,
 enableAutoBuild: props.autoBranchCreation.autoBuild ?? true,
- environmentVariables: Lazy.any({ produce: () => renderEnvironmentVariables(this.autoBranchEnvironmentVariables ) }, { omitEmptyArray: true }), // eslint-disable-line max-len
+ environmentVariables: Lazy.any({ produce: () => renderEnvironmentVariables(this.autoBranchEnvironmentVariables) }, { omitEmptyArray: true }), // eslint-disable-line max-len
 enablePullRequestPreview: props.autoBranchCreation.pullRequestPreview ?? true,
 pullRequestEnvironmentName: props.autoBranchCreation.pullRequestEnvironmentName,
 stage: props.autoBranchCreation.stage,
diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/app.test.ts b/packages/@aws-cdk/aws-amplify-alpha/test/app.test.ts
index b5c800bf387d6..0a195c5294012 100644
--- a/packages/@aws-cdk/aws-amplify-alpha/test/app.test.ts
+++ b/packages/@aws-cdk/aws-amplify-alpha/test/app.test.ts
@@ -113,6 +113,21 @@ test('create an app connected to a GitLab repository', () => {
 ],
 Version: '2012-10-17',
 },
+ ManagedPolicyArns: [
+ {
+ 'Fn::Join': [
+ '',
+ [
+ 'arn:',
+ {
+ Ref: 'AWS::Partition',
+ },
+ ':iam::aws:policy/AdministratorAccess-Amplify',
+ ],
+ ],
+ },
+ ],
+
 });
 });
diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/cdk-amplify-app-asset-deployment.assets.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/cdk-amplify-app-asset-deployment.assets.json
index 381eca94d9224..be1ee46e04b18 100644
--- a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/cdk-amplify-app-asset-deployment.assets.json
+++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/cdk-amplify-app-asset-deployment.assets.json
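Review bot: The `ManagedPolicyArns` assertion added in the `app.test.ts` hunk covers only the auto-generated role; nothing visible here checks that a caller-supplied `role` is left without the `AdministratorAccess-Amplify` attachment, which is the path a user takes to keep permissions narrow. A companion test that passes `role` and asserts the synthesized role carries no such managed policy would pin that behaviour against regressions. The enclosing test starts outside the hunk, and the lone blank `+` line before `});` looks unintentional.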
@@ -53,7 +53,7 @@ } } }, - "a5f4e08a00f3b97399f4d43e03f818248ed756ab76990394e3703c0173a5222f": { + "1f0da1480c0a8ab04e172b3e7e723a1b6cddbada4e2fd66aaea349bb64fbfc28": { "source": { "path": "cdk-amplify-app-asset-deployment.template.json", "packaging": "file" @@ -61,7 +61,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "a5f4e08a00f3b97399f4d43e03f818248ed756ab76990394e3703c0173a5222f.json", + "objectKey": "1f0da1480c0a8ab04e172b3e7e723a1b6cddbada4e2fd66aaea349bb64fbfc28.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/cdk-amplify-app-asset-deployment.template.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/cdk-amplify-app-asset-deployment.template.json index ca4786d55a9f9..1e9b342788696 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/cdk-amplify-app-asset-deployment.template.json +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/cdk-amplify-app-asset-deployment.template.json @@ -14,7 +14,21 @@ } ], "Version": "2012-10-17" - } + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AdministratorAccess-Amplify" + ] + ] + } + ] } }, "AppF1B96344": { diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/manifest.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/manifest.json index a5ff3f0f222ac..ab65104e4a407 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/manifest.json 
@@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a5f4e08a00f3b97399f4d43e03f818248ed756ab76990394e3703c0173a5222f.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/1f0da1480c0a8ab04e172b3e7e723a1b6cddbada4e2fd66aaea349bb64fbfc28.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/tree.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/tree.json index 359b627ccc7fb..c661df6bc62e8 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-asset-deployment.js.snapshot/tree.json @@ -67,7 +67,21 @@ } ], "Version": "2012-10-17" - } + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AdministratorAccess-Amplify" + ] + ] + } + ] } }, "constructInfo": { diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/cdk-amplify-codecommit-app.assets.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/cdk-amplify-codecommit-app.assets.json index 2a441522a8c50..e30dd1352f30a 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/cdk-amplify-codecommit-app.assets.json +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/cdk-amplify-codecommit-app.assets.json 
@@ -1,7 +1,7 @@ { "version": "36.0.0", "files": { - "d2697b970b8a26f59203a7427affe250439c407e695e88e5d45aef3ac4c4b744": { + "1d64a320937571052c26bf0c8ddb1bc88b640ec25b465e250f06a41bdcd1e144": { "source": { "path": "cdk-amplify-codecommit-app.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "d2697b970b8a26f59203a7427affe250439c407e695e88e5d45aef3ac4c4b744.json", + "objectKey": "1d64a320937571052c26bf0c8ddb1bc88b640ec25b465e250f06a41bdcd1e144.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/cdk-amplify-codecommit-app.template.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/cdk-amplify-codecommit-app.template.json index 7042075be0d02..dc4e488230d7e 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/cdk-amplify-codecommit-app.template.json +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/cdk-amplify-codecommit-app.template.json @@ -20,7 +20,21 @@ } ], "Version": "2012-10-17" - } + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AdministratorAccess-Amplify" + ] + ] + } + ] } }, "AppRoleDefaultPolicy9CADBAA1": { diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/manifest.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/manifest.json index f18b5538d2d71..4fc92f5f9682c 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/manifest.json 
@@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d2697b970b8a26f59203a7427affe250439c407e695e88e5d45aef3ac4c4b744.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/1d64a320937571052c26bf0c8ddb1bc88b640ec25b465e250f06a41bdcd1e144.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/tree.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/tree.json index 570197dc70056..0593a94be4817 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app-codecommit.js.snapshot/tree.json @@ -65,7 +65,21 @@ } ], "Version": "2012-10-17" - } + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AdministratorAccess-Amplify" + ] + ] + } + ] } }, "constructInfo": { diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/cdk-amplify-app.assets.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/cdk-amplify-app.assets.json index 8f3d1c9f81f4e..990fcfe32bece 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/cdk-amplify-app.assets.json +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/cdk-amplify-app.assets.json 
@@ -1,7 +1,7 @@ { "version": "36.0.0", "files": { - "22e02c42ac809ba771ca721849e50315beb137290c42d32c9e8a905e09ed1c74": { + "c3af15f8353e235b49388e23cbb339edc53171b5f341eb089cc1dc29cc6df47c": { "source": { "path": "cdk-amplify-app.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "22e02c42ac809ba771ca721849e50315beb137290c42d32c9e8a905e09ed1c74.json", + "objectKey": "c3af15f8353e235b49388e23cbb339edc53171b5f341eb089cc1dc29cc6df47c.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/cdk-amplify-app.template.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/cdk-amplify-app.template.json index 46c16f533d69b..bc81c3c693a0c 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/cdk-amplify-app.template.json +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/cdk-amplify-app.template.json @@ -14,7 +14,21 @@ } ], "Version": "2012-10-17" - } + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AdministratorAccess-Amplify" + ] + ] + } + ] } }, "AppAppBasicAuthE743F015": { diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/manifest.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/manifest.json index 51a6c03d5a853..e588a3e1e9c23 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/manifest.json 
@@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/22e02c42ac809ba771ca721849e50315beb137290c42d32c9e8a905e09ed1c74.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c3af15f8353e235b49388e23cbb339edc53171b5f341eb089cc1dc29cc6df47c.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/tree.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/tree.json index c63b69aacd030..b998005a748c5 100644 --- a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/tree.json @@ -41,7 +41,21 @@ } ], "Version": "2012-10-17" - } + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/AdministratorAccess-Amplify" + ] + ] + } + ] } }, "constructInfo": { From c6db37ba2982004abdf46af9a488740aba828d83 Mon Sep 17 00:00:00 2001 From: John Ferlito Date: Mon, 12 Feb 2024 15:42:21 +1100 Subject: [PATCH 2/2] fix(amplify): Work around cloudformation status bug --- .../test/integ.app.js.snapshot/cdk-amplify-app.template.json | 1 + .../aws-amplify-alpha/test/integ.app.js.snapshot/tree.json | 3 ++- packages/@aws-cdk/aws-amplify-alpha/test/integ.app.ts | 3 +++ 3 files changed, 6 insertions(+), 1 deletion(-) 
diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/cdk-amplify-app.template.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/cdk-amplify-app.template.json
index bc81c3c693a0c..800a4d1302e66 100644
--- a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/cdk-amplify-app.template.json
+++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/cdk-amplify-app.template.json
@@ -84,6 +84,7 @@
 "CustomRules": [
 {
 "Source": "/source",
+ "Status": "302",
 "Target": "/target"
 }
 ],
diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/tree.json b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/tree.json
index b998005a748c5..874cda5d6a71c 100644
--- a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/tree.json
+++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.js.snapshot/tree.json
@@ -141,7 +141,8 @@
 "customRules": [
 {
 "source": "/source",
- "target": "/target"
+ "target": "/target",
+ "status": "302"
 }
 ],
 "iamServiceRole": {
diff --git a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.ts b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.ts
index e0fa9ec65447b..2322dacd8f2f6 100644
--- a/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.ts
+++ b/packages/@aws-cdk/aws-amplify-alpha/test/integ.app.ts
@@ -31,6 +31,9 @@ class TestStack extends Stack {
 amplifyApp.addCustomRule({
 source: '/source',
 target: '/target',
+ // NOTE: This is optional according to the API but Cloudformation is breaking without it
+ // Resource handler returned message: "Invalid request provided: Status field in rewrite custom rules should not be empty
+ status: amplify.RedirectStatus.TEMPORARY_REDIRECT,
 });
 const mainBranch = amplifyApp.addBranch('main');
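Review bot: The `status: amplify.RedirectStatus.TEMPORARY_REDIRECT` workaround in the `integ.app.ts` hunk lives only in the integration test, so a library caller who omits `status` in `addCustomRule` would presumably still hit the CloudFormation error quoted in the comment. If the field is effectively required, defaulting or validating it in the construct would be the more durable fix; that code is not part of this patch, so this is a suggestion to follow up rather than a defect in the hunk. The quoted error message on the second comment line is also missing its closing `"`.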