feat: Data client generation using SSM/S3 to provide the MIS to the runtime

Author: stocaaro

package-lock.json

@@ -14,7 +14,10 @@ export class AppSyncPolicyGenerator {
   /**
    * Initialize with the GraphqlAPI that the policies will be scoped to
    */
-  constructor(private readonly graphqlApi: IGraphqlApi) {
+  constructor(
+    private readonly graphqlApi: IGraphqlApi,
+    private readonly modelIntrospectionSchemaArn?: string
+  ) {
     this.stack = Stack.of(graphqlApi);
   }
   /**
@@ -29,13 +32,25 @@ export class AppSyncPolicyGenerator {
       .map((action) => actionToTypeMap[action])
       // convert Type to resourceName
       .map((type) => [this.graphqlApi.arn, 'types', type, '*'].join('/'));
-    return new Policy(this.stack, `${this.policyPrefix}${this.policyCount++}`, {
-      statements: [
+
+    const statements = [
+      new PolicyStatement({
+        actions: ['appsync:GraphQL'],
+        resources,
+      }),
+    ];
+
+    if (this.modelIntrospectionSchemaArn) {
+      statements.push(
         new PolicyStatement({
-          actions: ['appsync:GraphQL'],
-          resources,
-        }),
-      ],
+          actions: ['s3:GetObject'],
+          resources: [this.modelIntrospectionSchemaArn],
+        })
+      );
+    }
+
+    return new Policy(this.stack, `${this.policyPrefix}${this.policyCount++}`, {
+      statements,
     });
   }
 }

packages/backend-data/src/app_sync_policy_generator.ts

@@ -46,6 +46,10 @@ import {
   FunctionSchemaAccess,
   JsResolver,
 } from '@aws-amplify/data-schema-types';
+import { Bucket } from 'aws-cdk-lib/aws-s3';
+import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';
+
+const modelIntrospectionSchemaKey = 'modelIntrospectionSchema.json';
 
 /**
  * Singleton factory for AmplifyGraphqlApi constructs that can be used in Amplify project files.
@@ -234,13 +238,14 @@ class DataGenerator implements ConstructContainerEntryGenerator {
       ...schemasLambdaFunctions,
     });
     let amplifyApi = undefined;
+    let modelIntrospectionSchema: string | undefined = undefined;
 
     const isSandboxDeployment =
       scope.node.tryGetContext(CDKContextKey.DEPLOYMENT_TYPE) === 'sandbox';
 
     try {
       const combinedSchema = combineCDKSchemas(amplifyGraphqlDefinitions);
-      const modelIntrospectionSchema = generateModelsSync({
+      modelIntrospectionSchema = generateModelsSync({
         schema: combinedSchema.schema,
         target: 'introspection',
       })['model-introspection.json'];
@@ -260,7 +265,6 @@ class DataGenerator implements ConstructContainerEntryGenerator {
           allowDestructiveGraphqlSchemaUpdates: true,
           _provisionHotswapFriendlyResources: isSandboxDeployment,
         },
-        modelIntrospectionSchema,
       });
     } catch (error) {
       throw new AmplifyUserError(
@@ -273,6 +277,21 @@ class DataGenerator implements ConstructContainerEntryGenerator {
       );
     }
 
+    // TODO Any risk that this throws?
+    const modelIntrospectionSchemaBucket = new Bucket(
+      scope,
+      'modelIntrospectionSchemaBucket',
+      { enforceSSL: true }
+    );
+    new BucketDeployment(scope, 'modelIntrospectionSchemaBucketDeployment', {
+      // See https://github.com/aws-amplify/amplify-category-api/pull/1939
+      memoryLimit: 1536,
+      destinationBucket: modelIntrospectionSchemaBucket,
+      sources: [
+        Source.data(modelIntrospectionSchemaKey, modelIntrospectionSchema),
+      ],
+    });
+
     Tags.of(amplifyApi).add(TagName.FRIENDLY_NAME, this.name);
 
     /**;
@@ -289,10 +308,15 @@ class DataGenerator implements ConstructContainerEntryGenerator {
       ssmEnvironmentEntriesGenerator.generateSsmEnvironmentEntries({
         [`${this.name}_GRAPHQL_ENDPOINT`]:
           amplifyApi.resources.cfnResources.cfnGraphqlApi.attrGraphQlUrl,
+        [`${this.name}_MODEL_INTROSPECTION_SCHEMA_BUCKET_NAME`]:
+          modelIntrospectionSchemaBucket.bucketName,
+        [`${this.name}_MODEL_INTROSPECTION_SCHEMA_KEY`]:
+          modelIntrospectionSchemaKey,
       });
 
     const policyGenerator = new AppSyncPolicyGenerator(
-      amplifyApi.resources.graphqlApi
+      amplifyApi.resources.graphqlApi,
+      `${modelIntrospectionSchemaBucket.bucketArn}/${modelIntrospectionSchemaKey}`
     );
 
     schemasFunctionSchemaAccess.forEach((accessDefinition) => {

packages/backend-data/src/factory.ts

@@ -0,0 +1,8 @@
+{
+  "name": "@aws-amplify/backend-function/internal",
+  "main": "../dist/cjs/internal/index.js",
+  "react-native": "../src/internal/index.ts",
+  "browser": "../dist/esm/internal/index.mjs",
+  "module": "../dist/esm/internal/index.mjs",
+  "typings": "../dist/esm/internal/index.d.ts"
+}

packages/backend-function/internal/package.json

@@ -10,6 +10,11 @@
       "types": "./lib/index.d.ts",
       "import": "./lib/index.js",
       "require": "./lib/index.js"
+    },
+    "./internal": {
+      "types": "./lib/internal/index.d.ts",
+      "import": "./lib/internal/index.js",
+      "require": "./lib/internal/index.js"
     }
   },
   "main": "lib/index.js",
@@ -27,6 +32,7 @@
   "devDependencies": {
     "@aws-amplify/backend-platform-test-stubs": "^0.3.6",
     "@aws-amplify/platform-core": "^1.1.0",
+    "@aws-sdk/client-s3": "^3.624.0",
     "@aws-sdk/client-ssm": "^3.624.0",
     "aws-sdk": "^2.1550.0",
     "uuid": "^9.0.1"