remove describeUserpoolCommand

Author: Vieltojarvi

packages/cli/package.json

@@ -47,6 +47,7 @@
     "@aws-sdk/client-cloudformation": "^3.624.0",
     "@aws-sdk/client-cognito-identity-provider": "^3.624.0",
     "@aws-sdk/client-s3": "^3.624.0",
+    "@aws-sdk/client-sts": "^3.758.0",
     "@aws-sdk/credential-provider-ini": "^3.624.0",
     "@aws-sdk/credential-providers": "^3.624.0",
     "@aws-sdk/region-config-resolver": "^3.614.0",

packages/cli/src/seed-policy-generation/generate_seed_policy_template.test.ts

@@ -2,18 +2,17 @@ import { beforeEach, describe, it, mock } from 'node:test';
 import assert from 'assert';
 import { BackendIdentifier } from '@aws-amplify/plugin-types';
 import { AWSAmplifyBackendOutputs } from '../../../client-config/src/client-config-schema/client_config_v1.3.js';
-import {
-  CognitoIdentityProviderClient,
-  DescribeUserPoolClientCommandInput,
-  DescribeUserPoolClientCommandOutput,
-  UserPoolType,
-} from '@aws-sdk/client-cognito-identity-provider';
 import { generateSeedPolicyTemplate } from './generate_seed_policy_template.js';
 import { generateClientConfig } from '@aws-amplify/client-config';
 import { AmplifyUserError } from '@aws-amplify/platform-core';
 import { App, Stack } from 'aws-cdk-lib';
 import { AccountPrincipal, Policy, Role } from 'aws-cdk-lib/aws-iam';
 import { Template } from 'aws-cdk-lib/assertions';
+import {
+  GetCallerIdentityCommandInput,
+  GetCallerIdentityCommandOutput,
+  STSClient,
+} from '@aws-sdk/client-sts';
 
 const testBackendId = 'testBackendId';
 const testSandboxName = 'testSandboxName';
@@ -42,35 +41,34 @@ void describe('generate inline policy for seed', () => {
       },
     } as AWSAmplifyBackendOutputs)
   );
-  const mockCognitoIdProviderClient = {
+
+  const mockStsClient = {
     send: mock.fn<
       (
-        input: DescribeUserPoolClientCommandInput
-      ) => Promise<DescribeUserPoolClientCommandOutput>
+        input: GetCallerIdentityCommandInput
+      ) => Promise<GetCallerIdentityCommandOutput>
     >(async () =>
       Promise.resolve({
-        $metadata: {},
-        UserPool: {
-          UserPoolId: testUserpoolId,
-          Arn: testArn,
-        } as UserPoolType,
-      })
+        Account: '123456789012',
+        Arn: '',
+        UserId: '',
+      } as GetCallerIdentityCommandOutput)
     ),
   };
 
   const app = new App();
   const stack = new Stack(app);
 
   beforeEach(() => {
-    mockCognitoIdProviderClient.send.mock.resetCalls();
     mockConfigGenerator.mock.resetCalls();
+    mockStsClient.send.mock.resetCalls();
   });
 
   void it('returns a policy with expected seed permissions', async () => {
     const policyDoc = await generateSeedPolicyTemplate(
       testBackendIdentifier,
       mockConfigGenerator as unknown as typeof generateClientConfig,
-      mockCognitoIdProviderClient as unknown as CognitoIdentityProviderClient
+      mockStsClient as unknown as STSClient
     );
 
     const policy = new Policy(stack, 'testSeedPolicy', { document: policyDoc });

packages/cli/src/seed-policy-generation/generate_seed_policy_template.ts

@@ -2,14 +2,10 @@ import { Effect, PolicyDocument, PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { generateClientConfig } from '@aws-amplify/client-config';
 import { BackendIdentifier } from '@aws-amplify/plugin-types';
 import {
-  CognitoIdentityProviderClient,
-  DescribeUserPoolCommand,
-} from '@aws-sdk/client-cognito-identity-provider';
-import {
-  AmplifyFault,
   AmplifyUserError,
   ParameterPathConversions,
 } from '@aws-amplify/platform-core';
+import { GetCallerIdentityCommand, STSClient } from '@aws-sdk/client-sts';
 
 /**
  * Generates policy template which allows seed to be run
@@ -19,7 +15,7 @@ import {
 export const generateSeedPolicyTemplate = async (
   backendId: BackendIdentifier,
   generateClientConfiguration = generateClientConfig,
-  cognitoIdProvider = new CognitoIdentityProviderClient()
+  stsClient = new STSClient()
 ): Promise<PolicyDocument> => {
   const seedPolicy = new PolicyDocument();
   const clientConfig = await generateClientConfiguration(backendId, '1.3');
@@ -31,9 +27,11 @@ export const generateSeedPolicyTemplate = async (
         'Please add an auth resource to your sandbox and rerun this command',
     });
   }
-  const userPoolId = clientConfig.auth?.user_pool_id;
+  // /const userPoolId = clientConfig.auth?.user_pool_id;
 
-  const userpoolOutput = await cognitoIdProvider.send(
+  const stsResponse = await stsClient.send(new GetCallerIdentityCommand({}));
+  const arn = `arn:aws:cognito-idp:${clientConfig.auth.aws_region}:${stsResponse.Account}:userpool/${clientConfig.auth.user_pool_id}`;
+  /*const userpoolOutput = await cognitoIdProvider.send(
     new DescribeUserPoolCommand({ UserPoolId: userPoolId })
   );
   const userpoolArn = userpoolOutput.UserPool?.Arn;
@@ -44,11 +42,11 @@ export const generateSeedPolicyTemplate = async (
         'Either the userpool is missing or the userpool exists but it is missing an arn',
       resolution: 'Ensure your userpool exists and has an arn',
     });
-  }
+  }*/
   const cognitoGrant = new PolicyStatement({
     effect: Effect.ALLOW,
     actions: ['cognito-idp:AdminCreateUser', 'cognito-idp:AdminAddUserToGroup'],
-    resources: [userpoolArn],
+    resources: [arn],
   });
 
   const backendParamPrefix =