chore: ref auth e2e test updates (#2346)

awsluja · web-flow · commit cf342cc2eaf9 · 2024-12-17T14:11:28.000-08:00
* fix: add required pb to ref auth e2e test

* chore: add changeset
diff --git a/.changeset/plenty-mugs-learn.md b/.changeset/plenty-mugs-learn.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/integration-tests/src/resource-creation/auth_resource_creator.ts b/packages/integration-tests/src/resource-creation/auth_resource_creator.ts
@@ -277,14 +277,16 @@ export class AuthResourceCreator {
   setupUserPoolGroup = async (
     groupName: string,
     userPoolId: string,
-    identityPoolId: string
+    identityPoolId: string,
+    permissionBoundaryArn: string
   ) => {
     const groupRole = await this.createRoleBase({
       RoleName: 'ref-auth-group-role',
       AssumeRolePolicyDocument: this.getIdentityPoolAssumeRolePolicyDocument(
         identityPoolId,
         'authenticated'
       ),
+      PermissionsBoundary: permissionBoundaryArn,
     });
     const group = await this.createUserPoolGroupBase({
       GroupName: groupName,
@@ -304,21 +306,24 @@ export class AuthResourceCreator {
   setupIdentityPoolRoles = async (
     userPoolId: string,
     userPoolClientId: string,
-    identityPoolId: string
+    identityPoolId: string,
+    permissionBoundaryArn: string
   ) => {
     const authRole = await this.createRoleBase({
       RoleName: `ref-auth-role`,
       AssumeRolePolicyDocument: this.getIdentityPoolAssumeRolePolicyDocument(
         identityPoolId,
         'authenticated'
       ),
+      PermissionsBoundary: permissionBoundaryArn,
     });
     const unauthRole = await this.createRoleBase({
       RoleName: `ref-unauth-role`,
       AssumeRolePolicyDocument: this.getIdentityPoolAssumeRolePolicyDocument(
         identityPoolId,
         'unauthenticated'
       ),
+      PermissionsBoundary: permissionBoundaryArn,
     });
     const region = await this.cognitoIdentityClient.config.region();
     await this.cognitoIdentityClient.send(
diff --git a/packages/integration-tests/src/test-project-setup/reference_auth_project.ts b/packages/integration-tests/src/test-project-setup/reference_auth_project.ts
@@ -183,6 +183,9 @@ class ReferenceAuthTestProject extends TestProjectBase {
         DeletionProtection: 'INACTIVE',
       });
 
+      const accountId = userPool.Arn!.split(':')[4]; // arn:aws:cognito-idp:<region>:<account>:userpool/<userpoolid>
+      const permissionBoundaryArn = `arn:aws:iam::${accountId}:policy/CreateRolePermissionBoundaryPolicy`;
+
       const domain = await this.authResourceCreator.createUserPoolDomainBase({
         UserPoolId: userPool.Id,
         Domain: `ref-auth`,
@@ -307,13 +310,15 @@ class ReferenceAuthTestProject extends TestProjectBase {
       const roles = await this.authResourceCreator.setupIdentityPoolRoles(
         userPool.Id!,
         userPoolClient.ClientId!,
-        identityPool.IdentityPoolId
+        identityPool.IdentityPoolId,
+        permissionBoundaryArn
       );
 
       const adminGroup = await this.authResourceCreator.setupUserPoolGroup(
         'ADMINS',
         userPool.Id!,
-        identityPool.IdentityPoolId
+        identityPool.IdentityPoolId,
+        permissionBoundaryArn
       );
       return {
         userPool,
