Seed (#2546)

* seed setup and seed secrets

* skeleton of sandbox seed command

* seed policy generation

* grants for storage

* changed seed policy name to amplifySeedPolicy

* test for secrets

* removed managed seed policy

* set secret and seed command

* generate seed policy command

* auth APIs - incomplete

* created folders, getting data from generateConfig

* removed static, changed name of AuthOutputsReader to ConfigReader

* fixed seed commands, figured out callback for TOTP

* conditional typing

* mfa updates and seed command test

* adjustments and tests added

* update to user group type

* changeset

* update api

* unit tests

* adjust MFA type

* remove edit to construct container

* removed unnecessary changeset

* fixed some tests

* fix dependencies tests

* adjust seed command test

* fix dep inconsistencies

* updated challenge response to use secretValue instead of input

* PR feedback

* more PR feedback

* even more PR feedback

* testing something

* reverted

* e2e tests

* e2e-tests

* revert some package-lock changes

* e2e tests

* removed user check from seed test

* remove describeUserpoolCommand

* update test

* sts package-lock update

* e2e tests

* fix package versions

* fixing permissions

* import crypto

* appeasing json

* fixing json

* cleaned up e2e file

* crpyto polyfill in e2e test seed script

* added context

* fix dependency issues

* added spinner and success message to seed command

* updated success message

* lint fixes from prettier update

* updated some tests

* adjustments

* fixes after prettier sandbox merge

* small api adjustment

* seed version bump changed to major

* reverted some package changes

* PR feedback

* make codeQL happy

* Potential fix for code scanning alert no. 327: Insecure randomness

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* e2e tests did not like readFile, using import

* fixed seed e2e tests

* removed outputs import

* Update packages/cli/src/commands/sandbox/sandbox-seed/sandbox_seed_command.ts

Co-authored-by: Amplifiyer <[email protected]>

* fixed tests

---------

Co-authored-by: Vieltojarvi <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Amplifiyer <[email protected]>

Author: 4 people

.changeset/little-kids-double.md

@@ -0,0 +1,6 @@
+---
+'@aws-amplify/seed': major
+'@aws-amplify/backend-cli': minor
+---
+
+adding seed feature

package-lock.json

@@ -46,6 +46,7 @@
     "@aws-sdk/client-amplify": "^3.750.0",
     "@aws-sdk/client-cloudformation": "^3.750.0",
     "@aws-sdk/client-s3": "^3.750.0",
+    "@aws-sdk/client-sts": "^3.750.0",
     "@aws-sdk/credential-provider-ini": "^3.750.0",
     "@aws-sdk/credential-providers": "^3.750.0",
     "@aws-sdk/region-config-resolver": "^3.734.0",
@@ -61,7 +62,8 @@
     "zod": "^3.22.2"
   },
   "peerDependencies": {
-    "@aws-sdk/types": "^3.734.0"
+    "@aws-sdk/types": "^3.734.0",
+    "aws-cdk-lib": "^2.180.0"
   },
   "devDependencies": {
     "@types/envinfo": "^7.8.3",

packages/cli/package.json

@@ -0,0 +1,152 @@
+import { after, before, describe, it, mock } from 'node:test';
+import fsp from 'fs/promises';
+import * as path from 'path';
+import { SandboxSeedCommand } from './sandbox_seed_command.js';
+import yargs, { CommandModule } from 'yargs';
+import {
+  TestCommandError,
+  TestCommandRunner,
+} from '../../../test-utils/command_runner.js';
+import { createSandboxSecretCommand } from '../sandbox-secret/sandbox_secret_command_factory.js';
+import { EventHandler, SandboxCommand } from '../sandbox_command.js';
+import { SandboxSingletonFactory } from '@aws-amplify/sandbox';
+import { SandboxDeleteCommand } from '../sandbox-delete/sandbox_delete_command.js';
+import { ClientConfigGeneratorAdapter } from '../../../client-config/client_config_generator_adapter.js';
+import { format, printer } from '@aws-amplify/cli-core';
+import { CommandMiddleware } from '../../../command_middleware.js';
+import { SandboxSeedGeneratePolicyCommand } from './sandbox_seed_policy_command.js';
+import assert from 'node:assert';
+import { BackendIdentifier } from '@aws-amplify/plugin-types';
+import { SandboxBackendIdResolver } from '../sandbox_id_resolver.js';
+
+const seedFileContents = 'console.log(`seed has been run`);';
+
+const testBackendNameSpace = 'testSandboxId';
+const testSandboxName = 'testSandboxName';
+
+const testBackendId: BackendIdentifier = {
+  namespace: testBackendNameSpace,
+  name: testSandboxName,
+  type: 'sandbox',
+};
+
+void describe('sandbox seed command', () => {
+  let commandRunner: TestCommandRunner;
+
+  const clientConfigGenerationMock = mock.fn<EventHandler>();
+  const clientConfigDeletionMock = mock.fn<EventHandler>();
+
+  const clientConfigGeneratorAdapterMock = {
+    generateClientConfigToFile: clientConfigGenerationMock,
+  } as unknown as ClientConfigGeneratorAdapter;
+
+  const commandMiddleware = new CommandMiddleware(printer);
+  const mockHandleProfile = mock.method(
+    commandMiddleware,
+    'ensureAwsCredentialAndRegion',
+    () => null,
+  );
+
+  const mockProfileResolver = mock.fn();
+
+  let amplifySeedDir: string;
+  let fullPath: string;
+
+  const sandboxIdResolver: SandboxBackendIdResolver = {
+    resolve: () => Promise.resolve(testBackendId),
+  } as SandboxBackendIdResolver;
+
+  before(async () => {
+    const sandboxFactory = new SandboxSingletonFactory(
+      () => Promise.resolve(testBackendId),
+      mockProfileResolver,
+      printer,
+      format,
+    );
+
+    const sandboxSeedCommand = new SandboxSeedCommand(sandboxIdResolver, [
+      new SandboxSeedGeneratePolicyCommand(sandboxIdResolver),
+    ]);
+
+    const sandboxCommand = new SandboxCommand(
+      sandboxFactory,
+      [
+        new SandboxDeleteCommand(sandboxFactory),
+        createSandboxSecretCommand(),
+        sandboxSeedCommand,
+      ],
+      clientConfigGeneratorAdapterMock,
+      commandMiddleware,
+      () => ({
+        successfulDeployment: [clientConfigGenerationMock],
+        successfulDeletion: [clientConfigDeletionMock],
+        failedDeployment: [],
+      }),
+    );
+    const parser = yargs().command(sandboxCommand as unknown as CommandModule);
+    commandRunner = new TestCommandRunner(parser);
+    mockHandleProfile.mock.resetCalls();
+  });
+
+  void describe('seed script exists', () => {
+    before(async () => {
+      await fsp.mkdir(path.join(process.cwd(), 'amplify', 'seed'), {
+        recursive: true,
+      });
+      amplifySeedDir = path.join(process.cwd(), 'amplify');
+      fullPath = path.join(process.cwd(), 'amplify', 'seed', 'seed.ts');
+      await fsp.writeFile(fullPath, seedFileContents, 'utf8');
+    });
+
+    after(async () => {
+      await fsp.rm(amplifySeedDir, { recursive: true, force: true });
+      if (process.env.AMPLIFY_BACKEND_IDENTIFIER) {
+        delete process.env.AMPLIFY_BACKEND_IDENTIFIER;
+      }
+    });
+
+    void it('runs seed if seed script is found', async () => {
+      const output = await commandRunner.runCommand('sandbox seed');
+
+      const successMessage = output.trimEnd().split('\n')[2].trimStart();
+
+      assert.ok(output !== undefined);
+      assert.deepStrictEqual(
+        successMessage,
+        '✔ seed has successfully completed',
+      );
+      assert.strictEqual(mockHandleProfile.mock.callCount(), 1);
+    });
+  });
+
+  void describe('seed script does not exist', () => {
+    before(async () => {
+      await fsp.mkdir(path.join(process.cwd(), 'amplify', 'seed'), {
+        recursive: true,
+      });
+      amplifySeedDir = path.join(process.cwd(), 'amplify');
+    });
+
+    after(async () => {
+      await fsp.rm(amplifySeedDir, { recursive: true, force: true });
+      if (process.env.AMPLIFY_BACKEND_IDENTIFIER) {
+        delete process.env.AMPLIFY_BACKEND_IDENTIFIER;
+      }
+    });
+
+    void it('throws error if seed script does not exist', async () => {
+      await assert.rejects(
+        () => commandRunner.runCommand('sandbox seed'),
+        (err: TestCommandError) => {
+          assert.match(err.output, /SeedScriptNotFoundError/);
+          assert.match(err.output, /There is no file that corresponds to/);
+          assert.match(
+            err.output,
+            /Please make a file that corresponds to (.*) and put your seed logic in it/,
+          );
+          return true;
+        },
+      );
+    });
+  });
+});

packages/cli/src/commands/sandbox/sandbox-seed/sandbox_seed_command.test.ts

@@ -0,0 +1,72 @@
+import { Argv, CommandModule } from 'yargs';
+import path from 'path';
+import { existsSync } from 'fs';
+import { execa } from 'execa';
+import { SandboxBackendIdResolver } from '../sandbox_id_resolver.js';
+import { AmplifyUserError } from '@aws-amplify/platform-core';
+import { SandboxCommandGlobalOptions } from '../option_types.js';
+import { format, printer } from '@aws-amplify/cli-core';
+
+/**
+ * Command that runs seed in sandbox environment
+ */
+export class SandboxSeedCommand implements CommandModule<object> {
+  /**
+   * @inheritDoc
+   */
+  readonly command: string;
+
+  /**
+   * @inheritDoc
+   */
+  readonly describe: string;
+
+  /**
+   * Seeds sandbox environment.
+   */
+  constructor(
+    private readonly backendIDResolver: SandboxBackendIdResolver,
+    private readonly seedSubCommands: CommandModule[],
+  ) {
+    this.command = 'seed';
+    this.describe = 'Seeds sandbox environment';
+  }
+
+  /**
+   * @inheritDoc
+   */
+  handler = async (): Promise<void> => {
+    printer.startSpinner('Running seed...');
+    const backendID = await this.backendIDResolver.resolve();
+    const seedPath = path.join('amplify', 'seed', 'seed.ts');
+    try {
+      await execa('tsx', [seedPath], {
+        cwd: process.cwd(),
+        stdio: 'inherit',
+        env: {
+          AMPLIFY_BACKEND_IDENTIFIER: JSON.stringify(backendID),
+        },
+      });
+    } finally {
+      printer.stopSpinner();
+    }
+    printer.printNewLine();
+    printer.print(`${format.success('✔')} seed has successfully completed`);
+  };
+
+  /**
+   * @inheritDoc
+   */
+  builder = (yargs: Argv): Argv<SandboxCommandGlobalOptions> => {
+    return yargs.command(this.seedSubCommands).check(() => {
+      const seedPath = path.join(process.cwd(), 'amplify', 'seed', 'seed.ts');
+      if (!existsSync(seedPath)) {
+        throw new AmplifyUserError('SeedScriptNotFoundError', {
+          message: `There is no file that corresponds to ${seedPath}`,
+          resolution: `Please make a file that corresponds to ${seedPath} and put your seed logic in it`,
+        });
+      }
+      return true;
+    });
+  };
+}

packages/cli/src/commands/sandbox/sandbox-seed/sandbox_seed_command.ts

@@ -0,0 +1,43 @@
+import { Argv, CommandModule } from 'yargs';
+import { printer } from '@aws-amplify/cli-core';
+import { SandboxBackendIdResolver } from '../sandbox_id_resolver.js';
+import { generateSeedPolicyTemplate } from '../../../seed-policy-generation/generate_seed_policy_template.js';
+
+/**
+ * Command that generates policy template with permissions to be able to run seed in sandbox environment
+ */
+export class SandboxSeedGeneratePolicyCommand implements CommandModule<object> {
+  /**
+   * @inheritDoc
+   */
+  readonly command: string;
+
+  /**
+   * @inheritDoc
+   */
+  readonly describe: string;
+
+  /**
+   * Generates policy to run seed, is a subcommand of seed
+   */
+  constructor(private readonly backendIdResolver: SandboxBackendIdResolver) {
+    this.command = 'generate-policy';
+    this.describe = 'Generates policy for seeding';
+  }
+
+  /**
+   * @inheritDoc
+   */
+  handler = async (): Promise<void> => {
+    const backendId = await this.backendIdResolver.resolve();
+    const policyDocument = await generateSeedPolicyTemplate(backendId);
+    printer.print(JSON.stringify(policyDocument.toJSON(), null, 2));
+  };
+
+  /**
+   * @inheritDoc
+   */
+  builder = (yargs: Argv) => {
+    return yargs;
+  };
+}

packages/cli/src/commands/sandbox/sandbox-seed/sandbox_seed_policy_command.ts

@@ -6,6 +6,7 @@ import {
 } from './sandbox_command.js';
 import { SandboxSingletonFactory } from '@aws-amplify/sandbox';
 import { SandboxDeleteCommand } from './sandbox-delete/sandbox_delete_command.js';
+import { SandboxSeedCommand } from './sandbox-seed/sandbox_seed_command.js';
 import { SandboxBackendIdResolver } from './sandbox_id_resolver.js';
 import { ClientConfigGeneratorAdapter } from '../../client-config/client_config_generator_adapter.js';
 import { LocalNamespaceResolver } from '../../backend-identifier/local_namespace_resolver.js';
@@ -25,6 +26,7 @@ import { S3Client } from '@aws-sdk/client-s3';
 import { AmplifyClient } from '@aws-sdk/client-amplify';
 import { CloudFormationClient } from '@aws-sdk/client-cloudformation';
 import { NoticesRenderer } from '../../notices/notices_renderer.js';
+import { SandboxSeedGeneratePolicyCommand } from './sandbox-seed/sandbox_seed_policy_command.js';
 import { SDKProfileResolverProvider } from '../../sdk_profile_resolver_provider.js';
 
 /**
@@ -78,7 +80,13 @@ export const createSandboxCommand = (
   const commandMiddleWare = new CommandMiddleware(printer);
   return new SandboxCommand(
     sandboxFactory,
-    [new SandboxDeleteCommand(sandboxFactory), createSandboxSecretCommand()],
+    [
+      new SandboxDeleteCommand(sandboxFactory),
+      createSandboxSecretCommand(),
+      new SandboxSeedCommand(sandboxBackendIdPartsResolver, [
+        new SandboxSeedGeneratePolicyCommand(sandboxBackendIdPartsResolver),
+      ]),
+    ],
     clientConfigGeneratorAdapter,
     commandMiddleWare,
     eventHandlerFactory.getSandboxEventHandlers,