Merged
Changes from 1 commit
Expand Up @@ -57,47 +57,44 @@ The `backend` object exposes a `resources` property with objects for each of the
For example, here is how you can access the Cognito user pool that is created by `defineAuth` and set a custom removal policy on the resource.

```ts title="amplify/backend.ts"
import { RemovalPolicy } from 'aws-cdk-lib';
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { UserPool } from 'aws-cdk-lib/aws-cognito';
import { RemovalPolicy } from 'aws-cdk-lib';

const backend = defineBackend({
auth
});

const userPool = backend.auth.resources.userPool as UserPool;
const userPool = backend.auth.resources.userPool;
userPool.applyRemovalPolicy(RemovalPolicy.RETAIN_ON_UPDATE_OR_DELETE);
```

Most L1 and L2 AWS CDK constructs that are used by the `define*` functions are accessible in this way.

## Example - Grant access permissions between resources

Consider the case that we want to grant a function created by `defineFunction` access to call the Cognito user pool created by `defineAuth`. This can be accomplished with the following overrides.
Consider the case that we want to grant a function created by `defineFunction` access to call the Cognito user pool created by `defineAuth`. For most cases it is recommended to use the [`access` property on `defineAuth`](/[platform]/build-a-backend/auth/grant-access-to-auth-resources/), however for permissions not exposed by this property, access can be accomplished with the following overrides.

```ts title="amplify/backend.ts"
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';
import { demoFunction } from './functions/demo-function/resource';
import { UserPool } from 'aws-cdk-lib/aws-cognito';
import { Function } from 'aws-cdk-lib/aws-lambda';
import { authAuditorFunction } from './functions/auth-auditor-function/resource';

const backend = defineBackend({
auth,
data,
demoFunction
authAuditorFunction,
});

const userPool = backend.auth.resources.userPool as UserPool;
const lambdaFunction = backend.demoFunction.resources.lambda as Function;
const userPool = backend.auth.resources.userPool;
const lambdaFunction = backend.authAuditorFunction.resources.lambda;

// grant the lambdaFunction read access to users
userPool.grant(lambdaFunction, 'cognito:GetUser', 'cognito:ListUsers');
// grant the lambdaFunction access to list auth events for a particular user
userPool.grant(lambdaFunction, 'cognito:AdminListUserAuthEvents');

// pass the Lambda the UserPool ID so that the Lambda can use it to make SDK calls
lambdaFunction.addEnvironment('USER_POOL_ID', userPool.userPoolId);
backend.authAuditorFunction.addEnvironment('USER_POOL_ID', userPool.userPoolId);
```

## Example - Mutate synthesized CloudFormation
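Review bot: the IAM action strings passed to `userPool.grant` use the `cognito:` prefix, but Cognito user pool actions belong to the `cognito-idp` service, so `'cognito:AdminListUserAuthEvents'` (and the `'cognito:GetUser', 'cognito:ListUsers'` it replaces) will not authorize the calls the function makes; use `'cognito-idp:AdminListUserAuthEvents'`. The inline comment "list auth events for a particular user" also reads narrower than what is granted: `grant` scopes the statement to the user pool ARN, so the function may call `AdminListUserAuthEvents` for any user in the pool, which is worth stating plainly since this section documents the escape hatch for permissions the `access` property does not expose.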
Contributor
Nit: not this PR change, but we are not mutating synthesized CloudFormation templates. We are modifying L1 constructs that eventually get synthesized to a CFN template.

Contributor Author
good callout, added a change to this heading

Expand All @@ -109,23 +106,21 @@ import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';

const backend = defineBackend({
auth
auth,
});

// override user pool password policies
backend.auth.resources.cfnResources.cfnUserPool.addPropertyOverride(
'Policies',
{
PasswordPolicy: {
MinimumLength: 10,
RequireLowercase: true,
RequireNumbers: true,
RequireSymbols: true,
RequireUppercase: true,
TemporaryPasswordValidityDays: 20
}
}
);
// extract L1 CfnUserPool resources
const { cfnUserPool } = backend.auth.resources.cfnResources;
// modify cfnUserPool policies directly
cfnUserPool.policies = {
passwordPolicy: {
minimumLength: 10,
requireLowercase: true,
requireNumbers: true,
requireSymbols: true,
requireUppercase: true,
temporaryPasswordValidityDays: 20,
},
};
```

Note the usage of `auth.resources.cfnResources`. This property exposes [L1 CDK constructs](https://docs.aws.amazon.com/cdk/v2/guide/constructs.html#constructs_l1_using) that map one-to-one with the underlying CloudFormation properties.
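Review bot: assigning `cfnUserPool.policies = { passwordPolicy: { ... } }` replaces the entire `policies` object on the L1 construct, whereas the `addPropertyOverride('Policies', ...)` call it removes merged the override into whatever was already set; any password policy field that `defineAuth` placed on the construct and that is not repeated here is dropped rather than kept. Either say so in the prose, or show the merge explicitly, e.g. `cfnUserPool.policies = { ...cfnUserPool.policies, passwordPolicy: { ... } }`. Also, the closing paragraph refers to `auth.resources.cfnResources` while the code reads `backend.auth.resources.cfnResources`; the two should match.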