feat: add support for generating user pool groups (#1002)

* feat: add support for generating user pool groups

* chore: fix tests

* chore: add changeset

* chore: update api

* chore: fix lint

* chore: fix bug with assumeBy conditions

* fix: bug with group role policy

* fix: conditions on role

* chore: cleanup

* chore: add precedence to group roles

* chore: add tests for generating groups and group roles

* chore: cleanup

* chore: cleanup constructor code by moving code blocks to functions

* chore: fix test

* chore: change the access pattern for groups to use group names instead of array index

* chore: fix test

* chore: update api

* chore: cleanup, docs

* chore: cleanup

Author: awsluja

.changeset/mean-frogs-visit.md

@@ -0,0 +1,7 @@
+---
+'@aws-amplify/auth-construct-alpha': patch
+'@aws-amplify/backend-data': patch
+'@aws-amplify/plugin-types': patch
+---
+
+Add support for generating user pool groups.

packages/auth-construct/API.md

@@ -40,6 +40,7 @@ export type AuthProps = {
     userAttributes?: StandardAttributes;
     multifactor?: MFA;
     accountRecovery?: keyof typeof aws_cognito.AccountRecovery;
+    groups?: string[];
     outputStorageStrategy?: BackendOutputStorageStrategy<AuthOutput>;
 };
 

packages/auth-construct/src/construct.test.ts

@@ -142,6 +142,70 @@ void describe('Auth construct', () => {
     });
   });
 
+  void it('creates user groups and group roles', () => {
+    const app = new App();
+    const stack = new Stack(app);
+    const auth = new AmplifyAuth(stack, 'test', {
+      loginWith: { email: true },
+      groups: ['admins', 'managers'],
+    });
+    // validate the generated resources
+    assert.equal(Object.keys(auth.resources.groups).length, 2);
+    assert.equal(
+      auth.resources.groups['admins'].cfnUserGroup.groupName,
+      'admins'
+    );
+    assert.equal(
+      auth.resources.groups['managers'].cfnUserGroup.groupName,
+      'managers'
+    );
+    // validate generated template
+    const template = Template.fromStack(stack);
+    template.hasResourceProperties('AWS::Cognito::UserPool', {
+      UsernameAttributes: ['email'],
+      AutoVerifiedAttributes: ['email'],
+    });
+    template.hasResourceProperties('AWS::Cognito::UserPoolGroup', {
+      GroupName: 'admins',
+      Precedence: 0,
+    });
+    template.hasResourceProperties('AWS::Cognito::UserPoolGroup', {
+      GroupName: 'managers',
+      Precedence: 1,
+    });
+    // validate the generated policies
+    const idpRef = template['template']['Outputs']['identityPoolId']['Value'];
+    // There should be 3 matching roles, one for the auth role,
+    // and one for each of the 'admins' and 'managers' roles
+    const matchingRoleCount = 3;
+    template.resourcePropertiesCountIs(
+      'AWS::IAM::Role',
+      {
+        AssumeRolePolicyDocument: {
+          Version: '2012-10-17',
+          Statement: [
+            {
+              Action: 'sts:AssumeRoleWithWebIdentity',
+              Effect: 'Allow',
+              Principal: {
+                Federated: 'cognito-identity.amazonaws.com',
+              },
+              Condition: {
+                'ForAnyValue:StringLike': {
+                  'cognito-identity.amazonaws.com:amr': 'authenticated',
+                },
+                StringEquals: {
+                  'cognito-identity.amazonaws.com:aud': idpRef,
+                },
+              },
+            },
+          ],
+        },
+      },
+      matchingRoleCount
+    );
+  });
+
   void it('creates email login mechanism if settings is empty object', () => {
     const app = new App();
     const stack = new Stack(app);
@@ -1774,7 +1838,7 @@ void describe('Auth construct', () => {
               email: true,
               externalProviders: {
                 scopes: ['EMAIL', 'PROFILE'],
-                callbackUrls: [],
+                callbackUrls: ['http://localhost'],
                 logoutUrls: ['http://localhost'],
                 domainPrefix: 'https://localhost',
               },