Seed

.changeset/little-kids-double.md

@@ -1,5 +1,5 @@
 ---
-'@aws-amplify/seed': minor
+'@aws-amplify/seed': major
 '@aws-amplify/backend-cli': minor
 ---
 

packages/cli/package.json

@@ -31,27 +31,28 @@
   },
   "homepage": "https://github.com/aws-amplify/amplify-backend#readme",
   "dependencies": {
-    "@aws-amplify/backend-deployer": "^1.1.17",
-    "@aws-amplify/backend-output-schemas": "^1.4.0",
-    "@aws-amplify/backend-secret": "^1.1.6",
-    "@aws-amplify/cli-core": "^1.2.4",
-    "@aws-amplify/client-config": "^1.5.7",
-    "@aws-amplify/deployed-backend-client": "^1.5.0",
-    "@aws-amplify/form-generator": "^1.0.4",
-    "@aws-amplify/model-generator": "^1.0.12",
-    "@aws-amplify/platform-core": "^1.6.3",
-    "@aws-amplify/plugin-types": "^1.8.0",
-    "@aws-amplify/sandbox": "^1.2.10",
-    "@aws-amplify/schema-generator": "^1.2.7",
-    "@aws-sdk/client-amplify": "^3.624.0",
-    "@aws-sdk/client-cloudformation": "^3.624.0",
-    "@aws-sdk/client-cognito-identity-provider": "^3.624.0",
-    "@aws-sdk/client-s3": "^3.624.0",
-    "@aws-sdk/credential-provider-ini": "^3.624.0",
-    "@aws-sdk/credential-providers": "^3.624.0",
-    "@aws-sdk/region-config-resolver": "^3.614.0",
-    "@smithy/node-config-provider": "^2.1.3",
-    "@smithy/shared-ini-file-loader": "^2.2.5",
+    "@aws-amplify/backend-deployer": "^1.1.20",
+    "@aws-amplify/backend-output-schemas": "^1.4.1",
+    "@aws-amplify/backend-secret": "^1.2.0",
+    "@aws-amplify/cli-core": "^1.4.1",
+    "@aws-amplify/client-config": "^1.5.8",
+    "@aws-amplify/deployed-backend-client": "^1.5.2",
+    "@aws-amplify/form-generator": "^1.0.5",
+    "@aws-amplify/model-generator": "^1.0.13",
+    "@aws-amplify/platform-core": "^1.6.5",
+    "@aws-amplify/plugin-types": "^1.8.1",
+    "@aws-amplify/sandbox": "^1.2.12",
+    "@aws-amplify/schema-generator": "^1.2.8",
+    "@aws-sdk/client-amplify": "^3.750.0",
+    "@aws-sdk/client-cloudformation": "^3.750.0",
+    "@aws-sdk/client-s3": "^3.750.0",
+    "@aws-sdk/client-sts": "^3.750.0",
+    "@aws-sdk/credential-provider-ini": "^3.750.0",
+    "@aws-sdk/credential-providers": "^3.750.0",
+    "@aws-sdk/region-config-resolver": "^3.734.0",
+    "@smithy/node-config-provider": "^4.0.1",
+    "@smithy/shared-ini-file-loader": "^4.0.1",
+    "@aws-cdk/toolkit-lib": "0.1.5",
     "envinfo": "^7.11.0",
     "execa": "^9.5.1",
     "is-ci": "^4.1.0",
@@ -61,8 +62,8 @@
     "zod": "^3.22.2"
   },
   "peerDependencies": {
-    "@aws-sdk/types": "^3.609.0",
-    "aws-cdk-lib": "^2.168.0"
+    "@aws-sdk/types": "^3.734.0",
+    "aws-cdk-lib": "^2.180.0"
   },
   "devDependencies": {
     "@types/envinfo": "^7.8.3",

packages/cli/src/commands/sandbox/sandbox-seed/sandbox_seed_command.test.ts

@@ -44,9 +44,11 @@ void describe('sandbox seed command', () => {
   const mockHandleProfile = mock.method(
     commandMiddleware,
     'ensureAwsCredentialAndRegion',
-    () => null
+    () => null,
   );
 
+  const mockProfileResolver = mock.fn();
+
   let amplifySeedDir: string;
   let fullPath: string;
 
@@ -57,8 +59,9 @@ void describe('sandbox seed command', () => {
   before(async () => {
     const sandboxFactory = new SandboxSingletonFactory(
       () => Promise.resolve(testBackendId),
+      mockProfileResolver,
       printer,
-      format
+      format,
     );
 
     const sandboxSeedCommand = new SandboxSeedCommand(sandboxIdResolver, [
@@ -78,7 +81,7 @@ void describe('sandbox seed command', () => {
         successfulDeployment: [clientConfigGenerationMock],
         successfulDeletion: [clientConfigDeletionMock],
         failedDeployment: [],
-      })
+      }),
     );
     const parser = yargs().command(sandboxCommand as unknown as CommandModule);
     commandRunner = new TestCommandRunner(parser);
@@ -102,11 +105,16 @@ void describe('sandbox seed command', () => {
       }
     });
 
-    // this is deceptively hard to test because mocking open/read did not work on Linux/Mac
     void it('runs seed if seed script is found', async () => {
       const output = await commandRunner.runCommand('sandbox seed');
 
+      const cleanedOutput = output.trimEnd().trimStart();
+
       assert.ok(output !== undefined);
+      assert.deepStrictEqual(
+        cleanedOutput,
+        '✔ seed has successfully completed',
+      );
       assert.strictEqual(mockHandleProfile.mock.callCount(), 1);
     });
   });
@@ -130,15 +138,14 @@ void describe('sandbox seed command', () => {
       await assert.rejects(
         () => commandRunner.runCommand('sandbox seed'),
         (err: TestCommandError) => {
-          // file differences between Unix and Windows makes it tricky to add the path
           assert.match(err.output, /SeedScriptNotFoundError/);
           assert.match(err.output, /There is no file that corresponds to/);
           assert.match(
             err.output,
-            /Please make a file that corresponds to (.*) and put your seed logic in it/
+            /Please make a file that corresponds to (.*) and put your seed logic in it/,
           );
           return true;
-        }
+        },
       );
     });
   });

packages/cli/src/commands/sandbox/sandbox-seed/sandbox_seed_command.ts

@@ -5,6 +5,7 @@ import { execa } from 'execa';
 import { SandboxBackendIdResolver } from '../sandbox_id_resolver.js';
 import { AmplifyUserError } from '@aws-amplify/platform-core';
 import { SandboxCommandGlobalOptions } from '../option_types.js';
+import { format, printer } from '@aws-amplify/cli-core';
 
 /**
  * Command that runs seed in sandbox environment
@@ -25,7 +26,7 @@ export class SandboxSeedCommand implements CommandModule<object> {
    */
   constructor(
     private readonly backendIDResolver: SandboxBackendIdResolver,
-    private readonly seedSubCommands: CommandModule[]
+    private readonly seedSubCommands: CommandModule[],
   ) {
     this.command = 'seed';
     this.describe = 'Seeds sandbox environment';
@@ -35,15 +36,22 @@ export class SandboxSeedCommand implements CommandModule<object> {
    * @inheritDoc
    */
   handler = async (): Promise<void> => {
+    printer.startSpinner('');
     const backendID = await this.backendIDResolver.resolve();
     const seedPath = path.join('amplify', 'seed', 'seed.ts');
-    await execa('tsx', [seedPath], {
-      cwd: process.cwd(),
-      stdio: 'inherit',
-      env: {
-        AMPLIFY_BACKEND_IDENTIFIER: JSON.stringify(backendID),
-      },
-    });
+    try {
+      await execa('tsx', [seedPath], {
+        cwd: process.cwd(),
+        stdio: 'inherit',
+        env: {
+          AMPLIFY_BACKEND_IDENTIFIER: JSON.stringify(backendID),
+        },
+      });
+    } finally {
+      printer.stopSpinner();
+    }
+    printer.printNewLine();
+    printer.print(`${format.success('✔')} seed has successfully completed`);
   };
 
   /**
@@ -53,7 +61,6 @@ export class SandboxSeedCommand implements CommandModule<object> {
     return yargs.command(this.seedSubCommands).check(() => {
       const seedPath = path.join(process.cwd(), 'amplify', 'seed', 'seed.ts');
       if (!existsSync(seedPath)) {
-        // this only gets sent to outputs
         throw new AmplifyUserError('SeedScriptNotFoundError', {
           message: `There is no file that corresponds to ${seedPath}`,
           resolution: `Please make a file that corresponds to ${seedPath} and put your seed logic in it`,

packages/cli/src/commands/sandbox/sandbox-seed/sandbox_seed_policy_command.ts

@@ -31,7 +31,7 @@ export class SandboxSeedGeneratePolicyCommand implements CommandModule<object> {
   handler = async (): Promise<void> => {
     const backendId = await this.backendIdResolver.resolve();
     const policyDocument = await generateSeedPolicyTemplate(backendId);
-    printer.print(JSON.stringify(policyDocument.toJSON(), null, 1));
+    printer.print(JSON.stringify(policyDocument.toJSON(), null, 2));
   };
 
   /**

packages/cli/src/commands/sandbox/sandbox_command_factory.ts

@@ -25,7 +25,9 @@ import {
 import { S3Client } from '@aws-sdk/client-s3';
 import { AmplifyClient } from '@aws-sdk/client-amplify';
 import { CloudFormationClient } from '@aws-sdk/client-cloudformation';
+import { NoticesRenderer } from '../../notices/notices_renderer.js';
 import { SandboxSeedGeneratePolicyCommand } from './sandbox-seed/sandbox_seed_policy_command.js';
+import { SDKProfileResolverProvider } from '../../sdk_profile_resolver_provider.js';
 
 /**
  * Creates wired sandbox command.

packages/cli/src/seed-policy-generation/generate_seed_policy_template.test.ts

@@ -2,18 +2,17 @@ import { beforeEach, describe, it, mock } from 'node:test';
 import assert from 'assert';
 import { BackendIdentifier } from '@aws-amplify/plugin-types';
 import { AWSAmplifyBackendOutputs } from '../../../client-config/src/client-config-schema/client_config_v1.3.js';
-import {
-  CognitoIdentityProviderClient,
-  DescribeUserPoolClientCommandInput,
-  DescribeUserPoolClientCommandOutput,
-  UserPoolType,
-} from '@aws-sdk/client-cognito-identity-provider';
 import { generateSeedPolicyTemplate } from './generate_seed_policy_template.js';
 import { generateClientConfig } from '@aws-amplify/client-config';
 import { AmplifyUserError } from '@aws-amplify/platform-core';
 import { App, Stack } from 'aws-cdk-lib';
 import { AccountPrincipal, Policy, Role } from 'aws-cdk-lib/aws-iam';
 import { Template } from 'aws-cdk-lib/assertions';
+import {
+  GetCallerIdentityCommandInput,
+  GetCallerIdentityCommandOutput,
+  STSClient,
+} from '@aws-sdk/client-sts';
 
 const testBackendId = 'testBackendId';
 const testSandboxName = 'testSandboxName';
@@ -22,7 +21,7 @@ const testUserpoolId = 'us-east-1_userpoolTest';
 const testUserpoolClient = 'userPoolClientId';
 const testRegion = 'us-east-1';
 const testArn =
-  'arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1234567489';
+  'arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_userpoolTest';
 
 const testBackendIdentifier: BackendIdentifier = {
   namespace: testBackendId,
@@ -40,43 +39,42 @@ void describe('generate inline policy for seed', () => {
         user_pool_id: testUserpoolId,
         user_pool_client_id: testUserpoolClient,
       },
-    } as AWSAmplifyBackendOutputs)
+    } as AWSAmplifyBackendOutputs),
   );
-  const mockCognitoIdProviderClient = {
+
+  const mockStsClient = {
     send: mock.fn<
       (
-        input: DescribeUserPoolClientCommandInput
-      ) => Promise<DescribeUserPoolClientCommandOutput>
+        input: GetCallerIdentityCommandInput,
+      ) => Promise<GetCallerIdentityCommandOutput>
     >(async () =>
       Promise.resolve({
-        $metadata: {},
-        UserPool: {
-          UserPoolId: testUserpoolId,
-          Arn: testArn,
-        } as UserPoolType,
-      })
+        Account: '123456789012',
+        Arn: '',
+        UserId: '',
+      } as GetCallerIdentityCommandOutput),
     ),
   };
 
   const app = new App();
   const stack = new Stack(app);
 
   beforeEach(() => {
-    mockCognitoIdProviderClient.send.mock.resetCalls();
     mockConfigGenerator.mock.resetCalls();
+    mockStsClient.send.mock.resetCalls();
   });
 
   void it('returns a policy with expected seed permissions', async () => {
     const policyDoc = await generateSeedPolicyTemplate(
       testBackendIdentifier,
       mockConfigGenerator as unknown as typeof generateClientConfig,
-      mockCognitoIdProviderClient as unknown as CognitoIdentityProviderClient
+      mockStsClient as unknown as STSClient,
     );
 
     const policy = new Policy(stack, 'testSeedPolicy', { document: policyDoc });
     // we have to attach the policy to a role, otherwise CDK erases the policy from the stack
     policy.attachToRole(
-      new Role(stack, 'testRole', { assumedBy: new AccountPrincipal('1234') })
+      new Role(stack, 'testRole', { assumedBy: new AccountPrincipal('1234') }),
     );
 
     assert.ok(policy instanceof Policy);
@@ -113,7 +111,7 @@ void describe('generate inline policy for seed', () => {
           aws_region: testRegion,
           bucket_name: 'my-cool-bucket',
         },
-      } as AWSAmplifyBackendOutputs)
+      } as AWSAmplifyBackendOutputs),
     );
 
     const expectedErr = new AmplifyUserError('MissingAuthError', {
@@ -126,14 +124,14 @@ void describe('generate inline policy for seed', () => {
       async () =>
         generateSeedPolicyTemplate(
           testBackendIdentifier,
-          mockConfigGenerator as unknown as typeof generateClientConfig
+          mockConfigGenerator as unknown as typeof generateClientConfig,
         ),
       (err: AmplifyUserError) => {
         assert.strictEqual(err.name, expectedErr.name);
         assert.strictEqual(err.message, expectedErr.message);
         assert.strictEqual(err.resolution, expectedErr.resolution);
         return true;
-      }
+      },
     );
   });
 });

packages/cli/src/seed-policy-generation/generate_seed_policy_template.ts

@@ -2,14 +2,10 @@ import { Effect, PolicyDocument, PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { generateClientConfig } from '@aws-amplify/client-config';
 import { BackendIdentifier } from '@aws-amplify/plugin-types';
 import {
-  CognitoIdentityProviderClient,
-  DescribeUserPoolCommand,
-} from '@aws-sdk/client-cognito-identity-provider';
-import {
-  AmplifyFault,
   AmplifyUserError,
   ParameterPathConversions,
 } from '@aws-amplify/platform-core';
+import { GetCallerIdentityCommand, STSClient } from '@aws-sdk/client-sts';
 
 /**
  * Generates policy template which allows seed to be run
@@ -19,7 +15,7 @@ import {
 export const generateSeedPolicyTemplate = async (
   backendId: BackendIdentifier,
   generateClientConfiguration = generateClientConfig,
-  cognitoIdProvider = new CognitoIdentityProviderClient()
+  stsClient = new STSClient(),
 ): Promise<PolicyDocument> => {
   const seedPolicy = new PolicyDocument();
   const clientConfig = await generateClientConfiguration(backendId, '1.3');
@@ -31,30 +27,20 @@ export const generateSeedPolicyTemplate = async (
         'Please add an auth resource to your sandbox and rerun this command',
     });
   }
-  const userPoolId = clientConfig.auth?.user_pool_id;
 
-  const userpoolOutput = await cognitoIdProvider.send(
-    new DescribeUserPoolCommand({ UserPoolId: userPoolId })
-  );
-  const userpoolArn = userpoolOutput.UserPool?.Arn;
-  // so long as there is an auth resource we should always be able to get an Arn for the userpool
-  if (!userpoolArn) {
-    throw new AmplifyFault('MissingUserpoolArnFault', {
-      message:
-        'Either the userpool is missing or the userpool exists but it is missing an arn',
-      resolution: 'Ensure your userpool exists and has an arn',
-    });
-  }
+  const stsResponse = await stsClient.send(new GetCallerIdentityCommand({}));
+  const arn = `arn:aws:cognito-idp:${clientConfig.auth.aws_region}:${stsResponse.Account}:userpool/${clientConfig.auth.user_pool_id}`;
+
   const cognitoGrant = new PolicyStatement({
     effect: Effect.ALLOW,
     actions: ['cognito-idp:AdminCreateUser', 'cognito-idp:AdminAddUserToGroup'],
-    resources: [userpoolArn],
+    resources: [arn],
   });
 
   const backendParamPrefix =
     ParameterPathConversions.toParameterPrefix(backendId);
   const sharedParamPrefix = ParameterPathConversions.toParameterPrefix(
-    backendId.namespace
+    backendId.namespace,
   );
 
   const secretsGrant = new PolicyStatement({

packages/integration-tests/package.json

@@ -16,6 +16,7 @@
     "@aws-amplify/deployed-backend-client": "^1.5.2",
     "@aws-amplify/platform-core": "^1.6.5",
     "@aws-amplify/plugin-types": "^1.8.1",
+    "@aws-amplify/seed": "^0.1.0",
     "@aws-sdk/client-accessanalyzer": "^3.750.0",
     "@aws-sdk/client-amplify": "^3.750.0",
     "@aws-sdk/client-bedrock-runtime": "3.622.0",

packages/integration-tests/src/test-e2e/sandbox/seed_test_project.sandbox.test.ts

@@ -0,0 +1,4 @@
+import { SeedTestProjectCreator } from '../../test-project-setup/seed_test_project.js';
+import { defineSandboxTest } from './sandbox.test.template.js';
+
+defineSandboxTest(new SeedTestProjectCreator());