Reference Auth (#2118)

* feat: reference auth basic setup

* chore: factory basic tests

* chore: update api

* chore: add ref auth package as dependency to backend-auth

* chore: lint

* chore: add tests for construct

* chore: cleanup tsconfig

* chore: add changeset

* chore: fix tests inputs

* chore: update tests

* fix: update resource provider types

* chore: update api

* feat: reference auth outputs

* chore: add tests

* chore: fix test

* chore: cleanup reused variables

* chore: changeset

* chore: cleanup changeset

* chore: cleanup

* chore: cleanup changesets, lockfile, and api

* chore: fix mismatched output structure

* chore: refactor and add tests

* chore: add more tests for identity pool errors

* chore: cleanup

* chore: fix test

* chore: add role tests

* chore: add tests for user pool client

* chore: cleanup

* chore: refactor

* chore: fix api

* chore: undo changes to concurrent workspace script

* chore: add missing roles permission

* chore: update expected IAM policy permissions for identity pool

* fix: make sure to throw on errors when using Provider framework

* chore: refactor

* chore: cleanup

* chore: more cleanup

* chore: check for alias attributes and fix tests

* chore: add support for validating group roles exist for user pool

* chore: update package-lock file

* chore: add checks for oauth validation

* chore: fix typo

* chore: eliminate forcing updates on any change

* chore: remove commented out code

* chore: merge factory count into single count for all auth factories

* chore: move sample data and npmignore it

* chore: cleanup

* chore: fix path

* chore: update package lock

* chore: update package-lock

* chore: move construct into backend-auth

* chore: update api

* chore: update changeset

* chore: cleanup

* chore: move props type to factory

* chore: add working setup for e2e resources in ref auth (#2122)

* chore: add working setup for e2e resources in ref auth

* feed pr base sha and ref into envs before scripts (#2168)

* feed pr base sha and ref into envs before scripts

* removing empty file

* chore: update names to use test prefix

* chore: remove extra hyphen

* chore: fix cleanup and add sandbox test

* chore: make sure to throw if error describing stack is unknown

---------

Co-authored-by: Roshane Pascual <[email protected]>

* chore: add bsd-3-clause-clear license to allow list

* chore: cleanup

* chore: make lambda deps dev dependencies

* chore: revert license changes

* chore: remove tag mechanism as not needed for cleanup

---------

Co-authored-by: Roshane Pascual <[email protected]>

Author: awsluja

.changeset/good-pugs-rescue.md

@@ -0,0 +1,9 @@
+---
+'@aws-amplify/auth-construct': minor
+'@aws-amplify/backend-auth': minor
+'@aws-amplify/backend-data': minor
+'@aws-amplify/plugin-types': minor
+'@aws-amplify/backend': minor
+---
+
+Add support for referenceAuth.

.changeset/spicy-rules-speak.md

@@ -0,0 +1,2 @@
+---
+---

CONTRIBUTING.md

@@ -82,6 +82,8 @@ For local testing we recommend writing unit tests that exercise the code you are
 npm run test:dir packages/<package name>/lib/<file-name>.test.ts
 ```
 
+> Note: If your test depends on \_\_dirname or import.meta.url paths, you may see errors resolving paths if you specify the entire path to the test file. You should specify just the `packages/<package name>` portion of the test you are running.
+
 > Note: You must rebuild using `npm run build` for tests to pick up your changes.
 
 Sometimes it's nice to have a test project to use as a testing environment for local changes. You can create test projects in the `local-testing` directory using

package-lock.json

@@ -223,6 +223,7 @@ export class AmplifyAuth
       userPoolClient,
       authenticatedUserIamRole: auth,
       unauthenticatedUserIamRole: unAuth,
+      identityPoolId: identityPool.ref,
       cfnResources: {
         cfnUserPool,
         cfnUserPoolClient,

packages/auth-construct/src/construct.ts

@@ -10,5 +10,6 @@
 # Then ignore test js and ts declaration files
 *.test.js
 *.test.d.ts
+**/test-resources/**
 
 # This leaves us with including only js and ts declaration files of functional code

packages/backend-auth/.npmignore

@@ -7,9 +7,11 @@
 import { AmazonProviderProps } from '@aws-amplify/auth-construct';
 import { AmplifyFunction } from '@aws-amplify/plugin-types';
 import { AppleProviderProps } from '@aws-amplify/auth-construct';
+import { AuthOutput } from '@aws-amplify/backend-output-schemas';
 import { AuthProps } from '@aws-amplify/auth-construct';
 import { AuthResources } from '@aws-amplify/plugin-types';
 import { AuthRoleName } from '@aws-amplify/plugin-types';
+import { BackendOutputStorageStrategy } from '@aws-amplify/plugin-types';
 import { BackendSecret } from '@aws-amplify/plugin-types';
 import { ConstructFactory } from '@aws-amplify/plugin-types';
 import { ConstructFactoryGetInstanceProps } from '@aws-amplify/plugin-types';
@@ -19,6 +21,7 @@ import { FunctionResources } from '@aws-amplify/plugin-types';
 import { GoogleProviderProps } from '@aws-amplify/auth-construct';
 import { IFunction } from 'aws-cdk-lib/aws-lambda';
 import { OidcProviderProps } from '@aws-amplify/auth-construct';
+import { ReferenceAuthResources } from '@aws-amplify/plugin-types';
 import { ResourceAccessAcceptor } from '@aws-amplify/plugin-types';
 import { ResourceAccessAcceptorFactory } from '@aws-amplify/plugin-types';
 import { ResourceProvider } from '@aws-amplify/plugin-types';
@@ -48,6 +51,11 @@ export type AmplifyAuthProps = Expand<Omit<AuthProps, 'outputStorageStrategy' |
     };
 }>;
 
+// @public (undocumented)
+export type AmplifyReferenceAuthProps = Expand<Omit<ReferenceAuthProps, 'outputStorageStrategy'> & {
+    access?: AuthAccessGenerator;
+}>;
+
 // @public
 export type AppleProviderFactoryProps = Omit<AppleProviderProps, 'clientId' | 'teamId' | 'keyId' | 'privateKey'> & {
     clientId: BackendSecret;
@@ -86,6 +94,9 @@ export type AuthLoginWithFactoryProps = Omit<AuthProps['loginWith'], 'externalPr
 // @public (undocumented)
 export type BackendAuth = ResourceProvider<AuthResources> & ResourceAccessAcceptorFactory<AuthRoleName | string> & StackProvider;
 
+// @public (undocumented)
+export type BackendReferenceAuth = ResourceProvider<ReferenceAuthResources> & ResourceAccessAcceptorFactory<AuthRoleName | string> & StackProvider;
+
 // @public
 export type CustomEmailSender = {
     handler: ConstructFactory<AmplifyFunction> | IFunction;
@@ -130,6 +141,22 @@ export type OidcProviderFactoryProps = Omit<OidcProviderProps, 'clientId' | 'cli
     clientSecret: BackendSecret;
 };
 
+// @public
+export const referenceAuth: (props: AmplifyReferenceAuthProps) => ConstructFactory<BackendReferenceAuth>;
+
+// @public (undocumented)
+export type ReferenceAuthProps = {
+    outputStorageStrategy?: BackendOutputStorageStrategy<AuthOutput>;
+    userPoolId: string;
+    identityPoolId: string;
+    userPoolClientId: string;
+    authRoleArn: string;
+    unauthRoleArn: string;
+    groups?: {
+        [groupName: string]: string;
+    };
+};
+
 // (No @packageDocumentation comment for this package)
 
 ```

packages/backend-auth/API.md

@@ -20,12 +20,17 @@
   "license": "Apache-2.0",
   "dependencies": {
     "@aws-amplify/auth-construct": "^1.4.0",
+    "@aws-amplify/backend-output-schemas": "^1.4.0",
     "@aws-amplify/backend-output-storage": "^1.1.3",
     "@aws-amplify/plugin-types": "^1.3.1"
   },
   "devDependencies": {
     "@aws-amplify/backend-platform-test-stubs": "^0.3.6",
-    "@aws-amplify/platform-core": "^1.0.6"
+    "@aws-amplify/platform-core": "^1.0.6",
+    "@aws-sdk/client-cognito-identity-provider": "^3.624.0",
+    "@aws-sdk/client-cognito-identity": "^3.624.0",
+    "@types/aws-lambda": "^8.10.119",
+    "aws-lambda": "^1.0.7"
   },
   "peerDependencies": {
     "aws-cdk-lib": "^2.158.0",

packages/backend-auth/package.json

@@ -153,8 +153,8 @@ void describe('AmplifyAuthFactory', () => {
       },
       new AmplifyUserError('MultipleSingletonResourcesError', {
         message:
-          'Multiple `defineAuth` calls are not allowed within an Amplify backend',
-        resolution: 'Remove all but one `defineAuth` call',
+          'Multiple `defineAuth` or `referenceAuth` calls are not allowed within an Amplify backend',
+        resolution: 'Remove all but one `defineAuth` or `referenceAuth` call',
       })
     );
   });

packages/backend-auth/src/factory.test.ts

@@ -103,8 +103,8 @@ export class AmplifyAuthFactory implements ConstructFactory<BackendAuth> {
     if (AmplifyAuthFactory.factoryCount > 0) {
       throw new AmplifyUserError('MultipleSingletonResourcesError', {
         message:
-          'Multiple `defineAuth` calls are not allowed within an Amplify backend',
-        resolution: 'Remove all but one `defineAuth` call',
+          'Multiple `defineAuth` or `referenceAuth` calls are not allowed within an Amplify backend',
+        resolution: 'Remove all but one `defineAuth` or `referenceAuth` call',
       });
     }
     AmplifyAuthFactory.factoryCount++;