Revert "Revert "fix: fix policies with overridden table names (#3075)" (

#3088)" This reverts commit e592dba.
aws-amplify · Jan 6, 2025 · 611edb0 · 611edb0
1 parent e592dba
commit 611edb0
Show file tree

Hide file tree

Showing 6 changed files with 342 additions and 8 deletions.
diff --git a/packages/amplify-category-api/package.json b/packages/amplify-category-api/package.json
@@ -103,7 +103,7 @@
     "coverageProvider": "v8",
     "coverageThreshold": {
       "global": {
-        "branches": 68,
+        "branches": 67,
         "functions": 42,
         "lines": 40
       }

diff --git a/...ests__/graphql-transformer/override/__snapshots__/model-transformer-override.test.ts.snap b/...ests__/graphql-transformer/override/__snapshots__/model-transformer-override.test.ts.snap
@@ -755,6 +755,50 @@ $util.toJson({})",
       },
       "Type": "AWS::IAM::Role",
     },
+    "PostIAMRoleDefaultPolicy04190CA0": Object {
+      "Properties": Object {
+        "PolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": Array [
+                "dynamodb:BatchGetItem",
+                "dynamodb:GetRecords",
+                "dynamodb:GetShardIterator",
+                "dynamodb:Query",
+                "dynamodb:GetItem",
+                "dynamodb:Scan",
+                "dynamodb:ConditionCheckItem",
+                "dynamodb:BatchWriteItem",
+                "dynamodb:PutItem",
+                "dynamodb:UpdateItem",
+                "dynamodb:DeleteItem",
+                "dynamodb:DescribeTable",
+              ],
+              "Effect": "Allow",
+              "Resource": Array [
+                Object {
+                  "Fn::GetAtt": Array [
+                    "PostTable",
+                    "Arn",
+                  ],
+                },
+                Object {
+                  "Ref": "AWS::NoValue",
+                },
+              ],
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "PostIAMRoleDefaultPolicy04190CA0",
+        "Roles": Array [
+          Object {
+            "Ref": "PostIAMRole83BF708F",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
     "PostTable": Object {
       "DeletionPolicy": "Delete",
       "Properties": Object {
@@ -1525,6 +1569,50 @@ Object {
       },
       "Type": "AWS::IAM::Role",
     },
+    "CommentIAMRoleDefaultPolicyA8D6F6B5": Object {
+      "Properties": Object {
+        "PolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": Array [
+                "dynamodb:BatchGetItem",
+                "dynamodb:GetRecords",
+                "dynamodb:GetShardIterator",
+                "dynamodb:Query",
+                "dynamodb:GetItem",
+                "dynamodb:Scan",
+                "dynamodb:ConditionCheckItem",
+                "dynamodb:BatchWriteItem",
+                "dynamodb:PutItem",
+                "dynamodb:UpdateItem",
+                "dynamodb:DeleteItem",
+                "dynamodb:DescribeTable",
+              ],
+              "Effect": "Allow",
+              "Resource": Array [
+                Object {
+                  "Fn::GetAtt": Array [
+                    "CommentTable",
+                    "Arn",
+                  ],
+                },
+                Object {
+                  "Ref": "AWS::NoValue",
+                },
+              ],
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "CommentIAMRoleDefaultPolicyA8D6F6B5",
+        "Roles": Array [
+          Object {
+            "Ref": "CommentIAMRoleD5EC5F51",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
     "CommentTable": Object {
       "DeletionPolicy": "Delete",
       "Properties": Object {
@@ -3006,6 +3094,50 @@ $util.toJson({})",
       },
       "Type": "AWS::IAM::Role",
     },
+    "PostIAMRoleDefaultPolicy04190CA0": Object {
+      "Properties": Object {
+        "PolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": Array [
+                "dynamodb:BatchGetItem",
+                "dynamodb:GetRecords",
+                "dynamodb:GetShardIterator",
+                "dynamodb:Query",
+                "dynamodb:GetItem",
+                "dynamodb:Scan",
+                "dynamodb:ConditionCheckItem",
+                "dynamodb:BatchWriteItem",
+                "dynamodb:PutItem",
+                "dynamodb:UpdateItem",
+                "dynamodb:DeleteItem",
+                "dynamodb:DescribeTable",
+              ],
+              "Effect": "Allow",
+              "Resource": Array [
+                Object {
+                  "Fn::GetAtt": Array [
+                    "PostTable",
+                    "Arn",
+                  ],
+                },
+                Object {
+                  "Ref": "AWS::NoValue",
+                },
+              ],
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "PostIAMRoleDefaultPolicy04190CA0",
+        "Roles": Array [
+          Object {
+            "Ref": "PostIAMRole83BF708F",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
     "PostTable": Object {
       "DeletionPolicy": "Delete",
       "Properties": Object {
@@ -3748,6 +3880,50 @@ Object {
       },
       "Type": "AWS::IAM::Role",
     },
+    "CommentIAMRoleDefaultPolicyA8D6F6B5": Object {
+      "Properties": Object {
+        "PolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": Array [
+                "dynamodb:BatchGetItem",
+                "dynamodb:GetRecords",
+                "dynamodb:GetShardIterator",
+                "dynamodb:Query",
+                "dynamodb:GetItem",
+                "dynamodb:Scan",
+                "dynamodb:ConditionCheckItem",
+                "dynamodb:BatchWriteItem",
+                "dynamodb:PutItem",
+                "dynamodb:UpdateItem",
+                "dynamodb:DeleteItem",
+                "dynamodb:DescribeTable",
+              ],
+              "Effect": "Allow",
+              "Resource": Array [
+                Object {
+                  "Fn::GetAtt": Array [
+                    "CommentTable",
+                    "Arn",
+                  ],
+                },
+                Object {
+                  "Ref": "AWS::NoValue",
+                },
+              ],
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "CommentIAMRoleDefaultPolicyA8D6F6B5",
+        "Roles": Array [
+          Object {
+            "Ref": "CommentIAMRoleD5EC5F51",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
     "CommentTable": Object {
       "DeletionPolicy": "Delete",
       "Properties": Object {

diff --git a/packages/amplify-e2e-core/src/utils/sdk-calls.ts b/packages/amplify-e2e-core/src/utils/sdk-calls.ts
@@ -201,7 +201,35 @@ export const getAmplifyBackendJobStatus = async (jobId: string, appId: string, e
     .promise();
 };
 
-export const listRolePolicies = async (roleName: string, region: string) => {
+export const listRoleNamesContaining = async (searchString: string, region: string): Promise<string[]> => {
+  const service = new IAM({ region });
+
+  const roles: string[] = [];
+  let isTruncated = true;
+  let marker: string | undefined;
+
+  while (isTruncated) {
+    const params = marker ? { Marker: marker } : {};
+    const response = await service.listRoles(params).promise();
+
+    const matchingRoles = response.Roles.filter((role) => role.RoleName.includes(searchString));
+    roles.push(...matchingRoles.map((r) => r.RoleName));
+
+    isTruncated = response.IsTruncated;
+    marker = response.Marker;
+  }
+
+  return roles;
+};
+
+export const getRolePolicy = async (roleName: string, policyName: string, region: string): Promise<any> => {
+  const service = new IAM({ region });
+  const rawDocument = (await service.getRolePolicy({ PolicyName: policyName, RoleName: roleName }).promise()).PolicyDocument;
+  const decodedDocument = decodeURIComponent(rawDocument);
+  return JSON.parse(decodedDocument);
+};
+
+export const listRolePolicies = async (roleName: string, region: string): Promise<string[]> => {
   const service = new IAM({ region });
   return (await service.listRolePolicies({ RoleName: roleName }).promise()).PolicyNames;
 };

diff --git a/packages/amplify-e2e-tests/src/__tests__/api-override-ddb-table-name.test.ts b/packages/amplify-e2e-tests/src/__tests__/api-override-ddb-table-name.test.ts
@@ -0,0 +1,119 @@
+import path from 'path';
+import * as fs from 'fs-extra';
+import {
+  addApiWithoutSchema,
+  amplifyOverrideApi,
+  amplifyPush,
+  amplifyPushOverride,
+  createNewProjectDir,
+  deleteProject,
+  deleteProjectDir,
+  getAppSyncApi,
+  getDDBTable,
+  getProjectMeta,
+  getRolePolicy,
+  initJSProjectWithProfile,
+  listRolePolicies,
+  listRoleNamesContaining,
+  replaceOverrideFileWithProjectInfo,
+  updateApiSchema,
+  updateSchema,
+} from 'amplify-category-api-e2e-core';
+
+describe('Override table name', () => {
+  let projRoot: string;
+  let projFolderName: string;
+  beforeEach(async () => {
+    projFolderName = 'overridename';
+    projRoot = await createNewProjectDir(projFolderName);
+  });
+
+  afterEach(async () => {
+    const metaFilePath = path.join(projRoot, 'amplify', '#current-cloud-backend', 'amplify-meta.json');
+    if (fs.existsSync(metaFilePath)) {
+      await deleteProject(projRoot);
+    }
+    deleteProjectDir(projRoot);
+  });
+
+  it('Generates correct permissions policies for DynamoDB tables with overridden names', async () => {
+    const now = Math.floor(Date.now() / 1000);
+    const modelName = `Override${now}`;
+
+    const schema = /* GraphQL */ `
+      type ${modelName} @model {
+        id: ID!
+        content: String
+      }
+    `;
+
+    const envName = 'integtest';
+    const projName = 'overridetest';
+    const cliInputsFilePath = path.join(projRoot, 'amplify', 'backend', 'api', `${projName}`, 'cli-inputs.json');
+    await initJSProjectWithProfile(projRoot, { name: projName, envName });
+    await addApiWithoutSchema(projRoot);
+
+    updateSchema(projRoot, projName, schema);
+    expect(fs.existsSync(cliInputsFilePath)).toBe(true);
+
+    await amplifyPush(projRoot);
+
+    await amplifyOverrideApi(projRoot, {});
+
+    const overriddenTableName = `OverrideTest${now}Custom`;
+    const overrideCode = /* TypeScript */ `
+      export function override(props: any) {
+        props.models['${modelName}'].modelDDBTable.tableName = '${overriddenTableName}';
+      }
+    `;
+    const destOverrideFilePath = path.join(projRoot, 'amplify', 'backend', 'api', `${projName}`, 'override.ts');
+    fs.writeFileSync(destOverrideFilePath, overrideCode);
+
+    await amplifyPushOverride(projRoot);
+
+    const meta = getProjectMeta(projRoot);
+    const region = meta.providers.awscloudformation.Region;
+    const { output } = meta.api.overridetest;
+    const { GraphQLAPIIdOutput, GraphQLAPIEndpointOutput, GraphQLAPIKeyOutput } = output;
+    const { graphqlApi } = await getAppSyncApi(GraphQLAPIIdOutput, region);
+
+    expect(graphqlApi).toBeDefined();
+    expect(graphqlApi.apiId).toEqual(GraphQLAPIIdOutput);
+    expect(GraphQLAPIIdOutput).toBeDefined();
+    expect(GraphQLAPIEndpointOutput).toBeDefined();
+    expect(GraphQLAPIKeyOutput).toBeDefined();
+
+    const defaultTableName = `${modelName}-${graphqlApi.apiId}-${envName}`;
+    const error = { message: null };
+    try {
+      const defaultTable = await getDDBTable(defaultTableName, region);
+      expect(defaultTable).toBeUndefined();
+    } catch (ex) {
+      Object.assign(error, ex);
+    }
+    expect(error).toBeDefined();
+    expect(error.message).toContain(`${defaultTableName} not found`);
+
+    const actualTable = await getDDBTable(overriddenTableName, region);
+    expect(actualTable).toBeDefined();
+
+    // Validate policy. The role will be created with the prefix {modelName}IAMRole. It should have 2 policies: one created by Amplify, one
+    // created by AppSync's CDK call during the `addDynamoDbDataSource` flow. We expect the policy statements for the latter to refer to the
+    // overridden table name.
+    const matchingRoleNames = await listRoleNamesContaining(modelName, region);
+    expect(matchingRoleNames).toBeDefined();
+    expect(matchingRoleNames.length).toEqual(1);
+    const roleName = matchingRoleNames[0];
+
+    const policies = await listRolePolicies(roleName, region);
+    expect(policies).toBeDefined();
+    expect(policies.length).toBe(2);
+
+    const defaultPolicy = policies.find((p) => p.startsWith(`${modelName}IAMRoleDefault`));
+    expect(defaultPolicy).toBeDefined();
+
+    const policyObject = await getRolePolicy(roleName, defaultPolicy, region);
+    expect(policyObject).toBeDefined();
+    expect(policyObject.Statement[0].Resource[0]).toContain(overriddenTableName);
+  });
+});
diff --git a/packages/amplify-graphql-auth-transformer/package.json b/packages/amplify-graphql-auth-transformer/package.json
@@ -70,7 +70,7 @@
     "coverageProvider": "v8",
     "coverageThreshold": {
       "global": {
-        "branches": 88,
+        "branches": 87,
         "functions": 90,
         "lines": 90
       }