Initial iteration of platform support for resource access mechanism (#969)

Author: edwardfoyle

.changeset/smooth-tigers-double.md

@@ -0,0 +1,14 @@
+---
+'@aws-amplify/backend-function': minor
+'@aws-amplify/backend-storage': minor
+'@aws-amplify/auth-construct-alpha': minor
+'@aws-amplify/platform-core': minor
+'@aws-amplify/backend-auth': minor
+'@aws-amplify/backend-data': minor
+'@aws-amplify/plugin-types': minor
+'@aws-amplify/backend': minor
+'@aws-amplify/backend-cli': minor
+---
+
+Introduce initial iteration of access control mechanism between backend resources.
+The APIs and functioality are NOT final and are subject to change without notice.

.eslint_dictionary.json

@@ -1,4 +1,6 @@
 [
+  "acceptor",
+  "acceptors",
   "aggregator",
   "amazonaws",
   "amazoncognito",

.prettierignore

@@ -11,5 +11,5 @@ expected-cdk-out
 .changeset/pre.json
 concurrent_workspace_script_cache.json
 scripts/components/api-changes-validator/test-resources/working-directory
-test-projects
+/test-projects
 testDir

package-lock.json

@@ -4,13 +4,11 @@
 
 ```ts
 
-import { AmplifyFunction } from '@aws-amplify/plugin-types';
 import { AuthOutput } from '@aws-amplify/backend-output-schemas';
 import { AuthResources } from '@aws-amplify/plugin-types';
 import { aws_cognito } from 'aws-cdk-lib';
 import { BackendOutputStorageStrategy } from '@aws-amplify/plugin-types';
 import { Construct } from 'constructs';
-import { IFunction } from 'aws-cdk-lib/aws-lambda';
 import { ResourceProvider } from '@aws-amplify/plugin-types';
 import { SecretValue } from 'aws-cdk-lib';
 import { StandardAttributes } from 'aws-cdk-lib/aws-cognito';
@@ -22,7 +20,6 @@ export type AmazonProviderProps = Omit<aws_cognito.UserPoolIdentityProviderAmazo
 // @public
 export class AmplifyAuth extends Construct implements ResourceProvider<AuthResources> {
     constructor(scope: Construct, id: string, props?: AuthProps);
-    addTrigger: (event: TriggerEvent, handler: IFunction | AmplifyFunction) => void;
     readonly resources: AuthResources;
 }
 

packages/auth-construct/API.md

@@ -4,7 +4,6 @@ import { App, SecretValue, Stack } from 'aws-cdk-lib';
 import { Match, Template } from 'aws-cdk-lib/assertions';
 import assert from 'node:assert';
 import {
-  AmplifyFunction,
   BackendOutputEntry,
   BackendOutputStorageStrategy,
 } from '@aws-amplify/plugin-types';
@@ -16,7 +15,6 @@ import {
   UserPoolClient,
 } from 'aws-cdk-lib/aws-cognito';
 import { authOutputKey } from '@aws-amplify/backend-output-schemas';
-import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
 import { DEFAULTS } from './defaults.js';
 
 const googleClientId = 'googleClientId';
@@ -2423,83 +2421,4 @@ void describe('Auth construct', () => {
       assert.equal(name.startsWith(expectedPrefix), true);
     });
   });
-
-  void describe('addTrigger', () => {
-    void it('attaches lambda function to UserPool Lambda config', () => {
-      const app = new App();
-      const stack = new Stack(app);
-      const testFunc = new Function(stack, 'testFunc', {
-        code: Code.fromInline('test code'),
-        handler: 'index.handler',
-        runtime: Runtime.NODEJS_18_X,
-      });
-      const authConstruct = new AmplifyAuth(stack, 'testAuth', {
-        loginWith: { email: true },
-      });
-      authConstruct.addTrigger('createAuthChallenge', testFunc);
-      const template = Template.fromStack(stack);
-      const lambdas = template.findResources('AWS::Lambda::Function');
-      if (Object.keys(lambdas).length !== 1) {
-        assert.fail(
-          'Expected one and only one lambda function in the template'
-        );
-      }
-      const handlerLogicalId = Object.keys(lambdas)[0];
-      template.hasResourceProperties('AWS::Cognito::UserPool', {
-        LambdaConfig: {
-          CreateAuthChallenge: {
-            ['Fn::GetAtt']: [handlerLogicalId, 'Arn'],
-          },
-        },
-      });
-    });
-
-    void it('attaches AmplifyFunction to UserPool Lambda config', () => {
-      const app = new App();
-      const stack = new Stack(app);
-      const testFunc = new Function(stack, 'testFunc', {
-        code: Code.fromInline('test code'),
-        handler: 'index.handler',
-        runtime: Runtime.NODEJS_18_X,
-      });
-      const amplifyFuncStub: AmplifyFunction = {
-        resources: {
-          lambda: testFunc,
-        },
-      };
-      const authConstruct = new AmplifyAuth(stack, 'testAuth', {
-        loginWith: { email: true },
-      });
-      authConstruct.addTrigger('createAuthChallenge', amplifyFuncStub);
-      const template = Template.fromStack(stack);
-      const lambdas = template.findResources('AWS::Lambda::Function');
-      if (Object.keys(lambdas).length !== 1) {
-        assert.fail(
-          'Expected one and only one lambda function in the template'
-        );
-      }
-      const handlerLogicalId = Object.keys(lambdas)[0];
-      template.hasResourceProperties('AWS::Cognito::UserPool', {
-        LambdaConfig: {
-          CreateAuthChallenge: {
-            ['Fn::GetAtt']: [handlerLogicalId, 'Arn'],
-          },
-        },
-      });
-    });
-
-    void it('stores attribution data in stack', () => {
-      const app = new App();
-      const stack = new Stack(app);
-      new AmplifyAuth(stack, 'testAuth', {
-        loginWith: { email: true },
-      });
-
-      const template = Template.fromStack(stack);
-      assert.equal(
-        JSON.parse(template.toJSON().Description).stackType,
-        'auth-Cognito'
-      );
-    });
-  });
 });

packages/auth-construct/src/construct.test.ts

@@ -1,7 +1,6 @@
 import { Construct } from 'constructs';
 import { RemovalPolicy, Stack, aws_cognito as cognito } from 'aws-cdk-lib';
 import {
-  AmplifyFunction,
   AuthResources,
   BackendOutputStorageStrategy,
   ResourceProvider,
@@ -24,7 +23,6 @@ import {
   UserPoolIdentityProviderOidc,
   UserPoolIdentityProviderSaml,
   UserPoolIdentityProviderSamlMetadataType,
-  UserPoolOperation,
   UserPoolProps,
 } from 'aws-cdk-lib/aws-cognito';
 import { FederatedPrincipal, Role } from 'aws-cdk-lib/aws-iam';
@@ -33,10 +31,8 @@ import {
   AuthProps,
   EmailLoginSettings,
   ExternalProviderOptions,
-  TriggerEvent,
 } from './types.js';
 import { DEFAULTS } from './defaults.js';
-import { IFunction } from 'aws-cdk-lib/aws-lambda';
 import {
   AttributionMetadataStorage,
   StackMetadataBackendOutputStorageStrategy,
@@ -194,26 +190,6 @@ export class AmplifyAuth
     );
   }
 
-  /**
-   * Attach a Lambda function trigger handler to the UserPool in this construct
-   * @param event - The trigger event operation
-   * @param handler - The function that will handle the event
-   */
-  addTrigger = (
-    event: TriggerEvent,
-    handler: IFunction | AmplifyFunction
-  ): void => {
-    if ('resources' in handler) {
-      this.userPool.addTrigger(
-        UserPoolOperation.of(event),
-        handler.resources.lambda
-      );
-    } else {
-      // handler is an IFunction
-      this.userPool.addTrigger(UserPoolOperation.of(event), handler);
-    }
-  };
-
   /**
    * Create Auth/UnAuth Roles
    * @returns DefaultRoles

packages/auth-construct/src/construct.ts

@@ -5,16 +5,18 @@
 ```ts
 
 import { AmazonProviderProps } from '@aws-amplify/auth-construct-alpha';
-import { AmplifyAuth } from '@aws-amplify/auth-construct-alpha';
 import { AppleProviderProps } from '@aws-amplify/auth-construct-alpha';
 import { AuthProps } from '@aws-amplify/auth-construct-alpha';
+import { AuthResources } from '@aws-amplify/plugin-types';
+import { AuthRoleName } from '@aws-amplify/plugin-types';
 import { BackendSecret } from '@aws-amplify/plugin-types';
 import { ConstructFactory } from '@aws-amplify/plugin-types';
 import { ExternalProviderOptions } from '@aws-amplify/auth-construct-alpha';
 import { FacebookProviderProps } from '@aws-amplify/auth-construct-alpha';
 import { FunctionResources } from '@aws-amplify/plugin-types';
 import { GoogleProviderProps } from '@aws-amplify/auth-construct-alpha';
 import { OidcProviderProps } from '@aws-amplify/auth-construct-alpha';
+import { ResourceAccessAcceptorFactory } from '@aws-amplify/plugin-types';
 import { ResourceProvider } from '@aws-amplify/plugin-types';
 import { TriggerEvent } from '@aws-amplify/auth-construct-alpha';
 
@@ -43,8 +45,11 @@ export type AuthLoginWithFactoryProps = Omit<AuthProps['loginWith'], 'externalPr
     externalProviders?: ExternalProviderSpecificFactoryProps;
 };
 
+// @public (undocumented)
+export type BackendAuth = ResourceProvider<AuthResources> & ResourceAccessAcceptorFactory<AuthRoleName>;
+
 // @public
-export const defineAuth: (props: AmplifyAuthProps) => ConstructFactory<AmplifyAuth>;
+export const defineAuth: (props: AmplifyAuthProps) => ConstructFactory<BackendAuth>;
 
 // @public
 export type Expand<T> = T extends infer O ? {