enable configuring functions to access GraphQL API in defineData (#1116)

Author: edwardfoyle

.changeset/breezy-eyes-appear.md

@@ -0,0 +1,5 @@
+---
+'@aws-amplify/backend-data': minor
+---
+
+plumb function access definition from schema into IAM policies attached to the functions

package-lock.json

@@ -18,7 +18,7 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
-    "@aws-amplify/data-schema": "^0.13.8",
+    "@aws-amplify/data-schema": "^0.13.11",
     "@aws-amplify/backend-platform-test-stubs": "^0.3.3-beta.0",
     "@aws-amplify/platform-core": "^0.5.0-beta.1"
   },
@@ -31,6 +31,6 @@
     "@aws-amplify/backend-output-schemas": "^0.7.0-beta.0",
     "@aws-amplify/data-construct": "^1.4.1",
     "@aws-amplify/plugin-types": "^0.9.0-beta.0",
-    "@aws-amplify/data-schema-types": "^0.7.6"
+    "@aws-amplify/data-schema-types": "^0.7.7"
   }
 }

packages/backend-data/package.json

@@ -0,0 +1,147 @@
+import { beforeEach, describe, it } from 'node:test';
+import {
+  AppSyncApiAction,
+  AppSyncPolicyGenerator,
+} from './app_sync_policy_generator.js';
+import { App, Stack } from 'aws-cdk-lib';
+import { GraphqlApi } from 'aws-cdk-lib/aws-appsync';
+import { AccountPrincipal, Role } from 'aws-cdk-lib/aws-iam';
+import { Template } from 'aws-cdk-lib/assertions';
+
+void describe('AppSyncPolicyGenerator', () => {
+  let stack: Stack;
+  let graphqlApi: GraphqlApi;
+
+  beforeEach(() => {
+    const app = new App();
+    stack = new Stack(app, 'testStack');
+    graphqlApi = new GraphqlApi(stack, 'testApi', {
+      name: 'testName',
+      definition: {
+        schema: {
+          bind: () => ({
+            apiId: 'testApi',
+            definition: 'test schema',
+          }),
+        },
+      },
+    });
+  });
+  const singleActionTestCases: {
+    action: AppSyncApiAction;
+    expectedResourceSuffix: string;
+  }[] = [
+    {
+      action: 'query',
+      expectedResourceSuffix: 'Query/*',
+    },
+    {
+      action: 'mutate',
+      expectedResourceSuffix: 'Mutation/*',
+    },
+    {
+      action: 'listen',
+      expectedResourceSuffix: 'Subscription/*',
+    },
+  ];
+
+  singleActionTestCases.forEach(({ action, expectedResourceSuffix }) => {
+    void it(`generates policy for ${action} action`, () => {
+      const policyGenerator = new AppSyncPolicyGenerator(graphqlApi);
+
+      const queryPolicy = policyGenerator.generateGraphqlAccessPolicy([action]);
+
+      // we have to attach the policy to a role, otherwise CDK erases the policy from the stack
+      queryPolicy.attachToRole(
+        new Role(stack, 'testRole', {
+          assumedBy: new AccountPrincipal('1234'),
+        })
+      );
+
+      const template = Template.fromStack(stack);
+      template.hasResourceProperties('AWS::IAM::Policy', {
+        PolicyDocument: {
+          Statement: [
+            {
+              Action: 'appsync:GraphQL',
+              Resource: {
+                'Fn::Join': [
+                  '',
+                  [
+                    {
+                      'Fn::GetAtt': ['testApiD6ECAB50', 'Arn'],
+                    },
+                    `/types/${expectedResourceSuffix}`,
+                  ],
+                ],
+              },
+            },
+          ],
+        },
+      });
+    });
+  });
+
+  void it('generates policy for multiple actions', () => {
+    const policyGenerator = new AppSyncPolicyGenerator(graphqlApi);
+
+    const queryPolicy = policyGenerator.generateGraphqlAccessPolicy([
+      'query',
+      'mutate',
+      'listen',
+    ]);
+
+    // we have to attach the policy to a role, otherwise CDK erases the policy from the stack
+    queryPolicy.attachToRole(
+      new Role(stack, 'testRole', {
+        assumedBy: new AccountPrincipal('1234'),
+      })
+    );
+
+    const template = Template.fromStack(stack);
+    template.hasResourceProperties('AWS::IAM::Policy', {
+      PolicyDocument: {
+        Statement: [
+          {
+            Action: 'appsync:GraphQL',
+            Resource: [
+              {
+                'Fn::Join': [
+                  '',
+                  [
+                    {
+                      'Fn::GetAtt': ['testApiD6ECAB50', 'Arn'],
+                    },
+                    `/types/Query/*`,
+                  ],
+                ],
+              },
+              {
+                'Fn::Join': [
+                  '',
+                  [
+                    {
+                      'Fn::GetAtt': ['testApiD6ECAB50', 'Arn'],
+                    },
+                    `/types/Mutation/*`,
+                  ],
+                ],
+              },
+              {
+                'Fn::Join': [
+                  '',
+                  [
+                    {
+                      'Fn::GetAtt': ['testApiD6ECAB50', 'Arn'],
+                    },
+                    `/types/Subscription/*`,
+                  ],
+                ],
+              },
+            ],
+          },
+        ],
+      },
+    });
+  });
+});

packages/backend-data/src/app_sync_policy_generator.test.ts

@@ -0,0 +1,47 @@
+import { Stack } from 'aws-cdk-lib';
+import { IGraphqlApi } from 'aws-cdk-lib/aws-appsync';
+import { Policy, PolicyStatement } from 'aws-cdk-lib/aws-iam';
+
+export type AppSyncApiAction = 'query' | 'mutate' | 'listen';
+
+/**
+ * Generates policies for accessing an AppSync GraphQL API
+ */
+export class AppSyncPolicyGenerator {
+  private readonly stack: Stack;
+  private readonly policyPrefix = 'GraphqlAccessPolicy';
+  private policyCount = 1;
+  /**
+   * Initialize with the GraphqlAPI that the policies will be scoped to
+   */
+  constructor(private readonly graphqlApi: IGraphqlApi) {
+    this.stack = Stack.of(graphqlApi);
+  }
+  /**
+   * Generates a policy that grants GraphQL data-plane access to the provided actions
+   *
+   * The naming is a bit wonky here because the IAM action is always "appsync:GraphQL".
+   * The input "action" maps to the "type" in the resource name part of the ARN which is "Query", "Mutation" or "Subscription"
+   */
+  generateGraphqlAccessPolicy(actions: AppSyncApiAction[]) {
+    const resources = actions
+      // convert from actions to GraphQL Type
+      .map((action) => actionToTypeMap[action])
+      // convert Type to resourceName
+      .map((type) => [this.graphqlApi.arn, 'types', type, '*'].join('/'));
+    return new Policy(this.stack, `${this.policyPrefix}${this.policyCount++}`, {
+      statements: [
+        new PolicyStatement({
+          actions: ['appsync:GraphQL'],
+          resources,
+        }),
+      ],
+    });
+  }
+}
+
+const actionToTypeMap: Record<AppSyncApiAction, string> = {
+  query: 'Query',
+  mutate: 'Mutation',
+  listen: 'Subscription',
+};

packages/backend-data/src/app_sync_policy_generator.ts

@@ -11,12 +11,12 @@ import {
   convertAuthorizationModesToCDK,
   isUsingDefaultApiKeyAuth,
 } from './convert_authorization_modes.js';
-import { Code, Function, IFunction, Runtime } from 'aws-cdk-lib/aws-lambda';
-import { FunctionInstanceProvider } from './convert_functions.js';
+import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
 import {
   AmplifyFunction,
   AuthResources,
   ConstructFactory,
+  ConstructFactoryGetInstanceProps,
   ResourceProvider,
 } from '@aws-amplify/plugin-types';
 
@@ -60,13 +60,10 @@ void describe('convertAuthorizationModesToCDK', () => {
   let authenticatedUserRole: IRole;
   let unauthenticatedUserRole: IRole;
   let providedAuthConfig: ProvidedAuthConfig;
-  let functionInstanceProvider: FunctionInstanceProvider;
+  const getInstancePropsStub: ConstructFactoryGetInstanceProps =
+    {} as unknown as ConstructFactoryGetInstanceProps;
 
   void beforeEach(() => {
-    functionInstanceProvider = {
-      provide: (func: ConstructFactory<AmplifyFunction>): IFunction =>
-        func as unknown as IFunction,
-    };
     stack = new Stack();
     userPool = new UserPool(stack, 'TestPool');
     authenticatedUserRole = Role.fromRoleName(stack, 'AuthRole', 'MyAuthRole');
@@ -92,7 +89,7 @@ void describe('convertAuthorizationModesToCDK', () => {
 
     assert.deepStrictEqual(
       convertAuthorizationModesToCDK(
-        functionInstanceProvider,
+        getInstancePropsStub,
         undefined,
         undefined
       ),
@@ -114,7 +111,7 @@ void describe('convertAuthorizationModesToCDK', () => {
 
     assert.deepStrictEqual(
       convertAuthorizationModesToCDK(
-        functionInstanceProvider,
+        getInstancePropsStub,
         providedAuthConfig,
         undefined
       ),
@@ -147,7 +144,7 @@ void describe('convertAuthorizationModesToCDK', () => {
 
     assert.deepStrictEqual(
       convertAuthorizationModesToCDK(
-        functionInstanceProvider,
+        getInstancePropsStub,
         undefined,
         authModes
       ),
@@ -172,7 +169,7 @@ void describe('convertAuthorizationModesToCDK', () => {
 
     assert.deepStrictEqual(
       convertAuthorizationModesToCDK(
-        functionInstanceProvider,
+        getInstancePropsStub,
         undefined,
         authModes
       ),
@@ -195,9 +192,6 @@ void describe('convertAuthorizationModesToCDK', () => {
         },
       }),
     };
-    functionInstanceProvider = {
-      provide: (): IFunction => authFn,
-    };
 
     const authModes: AuthorizationModes = {
       lambdaAuthorizationMode: {
@@ -215,7 +209,7 @@ void describe('convertAuthorizationModesToCDK', () => {
 
     assert.deepStrictEqual(
       convertAuthorizationModesToCDK(
-        functionInstanceProvider,
+        getInstancePropsStub,
         undefined,
         authModes
       ),
@@ -240,7 +234,7 @@ void describe('convertAuthorizationModesToCDK', () => {
 
     assert.deepStrictEqual(
       convertAuthorizationModesToCDK(
-        functionInstanceProvider,
+        getInstancePropsStub,
         providedAuthConfig,
         authModes
       ),
@@ -254,7 +248,7 @@ void describe('convertAuthorizationModesToCDK', () => {
     };
 
     const convertedOutput = convertAuthorizationModesToCDK(
-      functionInstanceProvider,
+      getInstancePropsStub,
       providedAuthConfig,
       authModes
     );