test: add e2e test for perm bound

aws-amplify · Apr 20, 2021 · 838f7dc · 838f7dc
1 parent dd28cf3
commit 838f7dc
Show file tree

Hide file tree

Showing 6 changed files with 104 additions and 24 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1119,30 +1119,38 @@ jobs:
     environment:
       TEST_SUITE: src/__tests__/migration/node.function.test.ts
       CLI_REGION: eu-west-2
+  iam-permission-boundary-amplify_e2e_tests:
+    working_directory: ~/repo
+    docker: *ref_1
+    resource_class: large
+    steps: *ref_4
+    environment:
+      TEST_SUITE: src/__tests__/iam-permission-boundary.test.ts
+      CLI_REGION: eu-central-1
   function_5-amplify_e2e_tests:
     working_directory: ~/repo
     docker: *ref_1
     resource_class: large
     steps: *ref_4
     environment:
       TEST_SUITE: src/__tests__/function_5.test.ts
-      CLI_REGION: eu-central-1
+      CLI_REGION: ap-northeast-1
   configure-project-amplify_e2e_tests:
     working_directory: ~/repo
     docker: *ref_1
     resource_class: large
     steps: *ref_4
     environment:
       TEST_SUITE: src/__tests__/configure-project.test.ts
-      CLI_REGION: ap-northeast-1
+      CLI_REGION: ap-southeast-1
   api_4-amplify_e2e_tests:
     working_directory: ~/repo
     docker: *ref_1
     resource_class: large
     steps: *ref_4
     environment:
       TEST_SUITE: src/__tests__/api_4.test.ts
-      CLI_REGION: ap-southeast-1
+      CLI_REGION: ap-southeast-2
   schema-iterative-update-4-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
     docker: *ref_1
@@ -1803,6 +1811,16 @@ jobs:
       TEST_SUITE: src/__tests__/migration/node.function.test.ts
       CLI_REGION: eu-west-2
     steps: *ref_5
+  iam-permission-boundary-amplify_e2e_tests_pkg_linux:
+    working_directory: ~/repo
+    docker: *ref_1
+    resource_class: large
+    environment:
+      AMPLIFY_DIR: /home/circleci/repo/out
+      AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
+      TEST_SUITE: src/__tests__/iam-permission-boundary.test.ts
+      CLI_REGION: eu-central-1
+    steps: *ref_5
   function_5-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
     docker: *ref_1
@@ -1811,7 +1829,7 @@ jobs:
       AMPLIFY_DIR: /home/circleci/repo/out
       AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
       TEST_SUITE: src/__tests__/function_5.test.ts
-      CLI_REGION: eu-central-1
+      CLI_REGION: ap-northeast-1
     steps: *ref_5
   configure-project-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
@@ -1821,7 +1839,7 @@ jobs:
       AMPLIFY_DIR: /home/circleci/repo/out
       AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
       TEST_SUITE: src/__tests__/configure-project.test.ts
-      CLI_REGION: ap-northeast-1
+      CLI_REGION: ap-southeast-1
     steps: *ref_5
   api_4-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
@@ -1831,7 +1849,7 @@ jobs:
       AMPLIFY_DIR: /home/circleci/repo/out
       AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
       TEST_SUITE: src/__tests__/api_4.test.ts
-      CLI_REGION: ap-southeast-1
+      CLI_REGION: ap-southeast-2
     steps: *ref_5
 workflows:
   version: 2
@@ -1944,19 +1962,19 @@ workflows:
             - predictions-amplify_e2e_tests
             - schema-predictions-amplify_e2e_tests
             - amplify-configure-amplify_e2e_tests
-            - function_5-amplify_e2e_tests
+            - iam-permission-boundary-amplify_e2e_tests
             - containers-api-amplify_e2e_tests
             - interactions-amplify_e2e_tests
             - datastore-modelgen-amplify_e2e_tests
-            - configure-project-amplify_e2e_tests
+            - function_5-amplify_e2e_tests
             - schema-iterative-update-2-amplify_e2e_tests
             - schema-data-access-patterns-amplify_e2e_tests
             - init-special-case-amplify_e2e_tests
-            - api_4-amplify_e2e_tests
-            - auth_1-amplify_e2e_tests
+            - configure-project-amplify_e2e_tests
             - feature-flags-amplify_e2e_tests
             - schema-versioned-amplify_e2e_tests
             - plugin-amplify_e2e_tests
+            - api_4-amplify_e2e_tests
       - done_with_pkg_linux_e2e_tests:
           requires:
             - schema-key-amplify_e2e_tests_pkg_linux
@@ -1974,19 +1992,19 @@ workflows:
             - predictions-amplify_e2e_tests_pkg_linux
             - schema-predictions-amplify_e2e_tests_pkg_linux
             - amplify-configure-amplify_e2e_tests_pkg_linux
-            - function_5-amplify_e2e_tests_pkg_linux
+            - iam-permission-boundary-amplify_e2e_tests_pkg_linux
             - containers-api-amplify_e2e_tests_pkg_linux
             - interactions-amplify_e2e_tests_pkg_linux
             - datastore-modelgen-amplify_e2e_tests_pkg_linux
-            - configure-project-amplify_e2e_tests_pkg_linux
+            - function_5-amplify_e2e_tests_pkg_linux
             - schema-iterative-update-2-amplify_e2e_tests_pkg_linux
             - schema-data-access-patterns-amplify_e2e_tests_pkg_linux
             - init-special-case-amplify_e2e_tests_pkg_linux
-            - api_4-amplify_e2e_tests_pkg_linux
-            - auth_1-amplify_e2e_tests_pkg_linux
+            - configure-project-amplify_e2e_tests_pkg_linux
             - feature-flags-amplify_e2e_tests_pkg_linux
             - schema-versioned-amplify_e2e_tests_pkg_linux
             - plugin-amplify_e2e_tests_pkg_linux
+            - api_4-amplify_e2e_tests_pkg_linux
       - amplify_migration_tests_latest:
           context:
             - amplify-ecr-image-pull
@@ -2339,7 +2357,7 @@ workflows:
           filters: *ref_9
           requires:
             - auth_4-amplify_e2e_tests
-      - function_5-amplify_e2e_tests:
+      - iam-permission-boundary-amplify_e2e_tests:
           context: *ref_7
           post-steps: *ref_8
           filters: *ref_9
@@ -2399,7 +2417,7 @@ workflows:
           filters: *ref_9
           requires:
             - migration-api-key-migration1-amplify_e2e_tests
-      - configure-project-amplify_e2e_tests:
+      - function_5-amplify_e2e_tests:
           context: *ref_7
           post-steps: *ref_8
           filters: *ref_9
@@ -2459,7 +2477,7 @@ workflows:
           filters: *ref_9
           requires:
             - layer-amplify_e2e_tests
-      - api_4-amplify_e2e_tests:
+      - configure-project-amplify_e2e_tests:
           context: *ref_7
           post-steps: *ref_8
           filters: *ref_9
@@ -2519,6 +2537,12 @@ workflows:
           filters: *ref_9
           requires:
             - auth_3-amplify_e2e_tests
+      - api_4-amplify_e2e_tests:
+          context: *ref_7
+          post-steps: *ref_8
+          filters: *ref_9
+          requires:
+            - auth_1-amplify_e2e_tests
       - schema-iterative-update-4-amplify_e2e_tests_pkg_linux:
           context: &ref_10
             - amplify-ecr-image-pull
@@ -2777,7 +2801,7 @@ workflows:
           filters: *ref_12
           requires:
             - auth_4-amplify_e2e_tests_pkg_linux
-      - function_5-amplify_e2e_tests_pkg_linux:
+      - iam-permission-boundary-amplify_e2e_tests_pkg_linux:
           context: *ref_10
           post-steps: *ref_11
           filters: *ref_12
@@ -2841,7 +2865,7 @@ workflows:
           filters: *ref_12
           requires:
             - migration-api-key-migration1-amplify_e2e_tests_pkg_linux
-      - configure-project-amplify_e2e_tests_pkg_linux:
+      - function_5-amplify_e2e_tests_pkg_linux:
           context: *ref_10
           post-steps: *ref_11
           filters: *ref_12
@@ -2905,7 +2929,7 @@ workflows:
           filters: *ref_12
           requires:
             - layer-amplify_e2e_tests_pkg_linux
-      - api_4-amplify_e2e_tests_pkg_linux:
+      - configure-project-amplify_e2e_tests_pkg_linux:
           context: *ref_10
           post-steps: *ref_11
           filters: *ref_12
@@ -2969,3 +2993,9 @@ workflows:
           filters: *ref_12
           requires:
             - auth_3-amplify_e2e_tests_pkg_linux
+      - api_4-amplify_e2e_tests_pkg_linux:
+          context: *ref_10
+          post-steps: *ref_11
+          filters: *ref_12
+          requires:
+            - auth_1-amplify_e2e_tests_pkg_linux
diff --git a/packages/amplify-cli-core/src/permissionBoundaryState.ts b/packages/amplify-cli-core/src/permissionBoundaryState.ts
@@ -21,6 +21,5 @@ export const setPermissionBoundaryArn: (arn?: string) => void = arn => {
   } else {
     _.set(backendConfig, backendConfigObjectPath, arn);
   }
-  const backendConfigPath = pathManager.getBackendConfigFilePath();
-  JSONUtilities.writeJson(backendConfigPath, backendConfig);
+  stateManager.setBackendConfig(undefined, backendConfig);
 };
diff --git a/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts b/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts
@@ -68,7 +68,7 @@ function displayProfileSetting(context, profileName) {
 }
 
 function displayAdvancedSettings(context) {
-  context.print.info('Advanced:');
+  context.print.info('Advanced');
   const containerDeploymentStatus = isContainersEnabled(context) ? 'Yes' : 'No';
   context.print.info(`| Leverage container-based deployments: ${containerDeploymentStatus}`);
   const permissionBoundaryArnDisplay = getPermissionBoundaryArn() ?? '';

diff --git a/packages/amplify-e2e-core/src/configure/index.ts b/packages/amplify-e2e-core/src/configure/index.ts
@@ -28,7 +28,7 @@ export const amplifyRegions = [
   'ca-central-1',
 ];
 
-const configurationOptions = ['Project information', 'AWS Profile setting', 'Advanced: Container-based deployments'];
+const configurationOptions = ['Project information', 'AWS Profile setting', 'Advanced'];
 const profileOptions = ['No', 'Update AWS Profile', 'Remove AWS Profile'];
 const authenticationOptions = ['AWS profile', 'AWS access keys'];
 
@@ -82,6 +82,7 @@ export function amplifyConfigureProject(settings: {
   profileOption?: string;
   authenticationOption?: string;
   region?: string;
+  permissionBoundaryArn?: string;
 }): Promise<void> {
   const {
     cwd,
@@ -90,6 +91,7 @@ export function amplifyConfigureProject(settings: {
     authenticationOption,
     configLevel = 'project',
     region = defaultSettings.region,
+    permissionBoundaryArn,
   } = settings;
 
   return new Promise((resolve, reject) => {
@@ -98,6 +100,10 @@ export function amplifyConfigureProject(settings: {
     if (enableContainers) {
       singleSelect(chain, configurationOptions[2], configurationOptions);
       chain.wait('Do you want to enable container-based deployments?').sendConfirmYes();
+    } else if (permissionBoundaryArn !== undefined) {
+      singleSelect(chain, configurationOptions[2], configurationOptions);
+      chain.wait('Do you want to enable container-based deployments?').sendConfirmNo();
+      chain.wait('Specify an IAM Policy ARN to use as a Permission Boundary').sendLine(permissionBoundaryArn);
     } else {
       singleSelect(chain, configurationOptions[1], configurationOptions);
 

diff --git a/packages/amplify-e2e-core/src/utils/sdk-calls.ts b/packages/amplify-e2e-core/src/utils/sdk-calls.ts
@@ -310,3 +310,8 @@ export const listAttachedRolePolicies = async (roleName: string, region: string)
   const service = new IAM({ region });
   return (await service.listAttachedRolePolicies({ RoleName: roleName }).promise()).AttachedPolicies;
 };
+
+export const getPermissionBoundary = async (roleName: string, region) => {
+  const iamClient = new IAM({ region });
+  return (await iamClient.getRole({ RoleName: roleName }).promise())?.Role?.PermissionsBoundary?.PermissionsBoundaryArn;
+};
diff --git a/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts b/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts
@@ -0,0 +1,40 @@
+import {
+  addFunction,
+  amplifyConfigureProject,
+  amplifyPushAuth,
+  createNewProjectDir,
+  deleteProject,
+  deleteProjectDir,
+  getPermissionBoundary,
+  getProjectMeta,
+  initJSProjectWithProfile,
+} from 'amplify-e2e-core';
+import { addSimpleFunction } from '../schema-api-directives/functionTester';
+
+// Using a random AWS managed policy as a permission boundary
+const permissionBoundaryArn = 'arn:aws:iam::aws:policy/AlexaForBusinessFullAccess';
+
+describe('iam permission boundary', () => {
+  let projRoot: string;
+  beforeEach(async () => {
+    projRoot = await createNewProjectDir('init');
+  });
+
+  afterEach(async () => {
+    await deleteProject(projRoot);
+    deleteProjectDir(projRoot);
+  });
+  test('permission boundary is applied to roles created by the CLI', async () => {
+    await initJSProjectWithProfile(projRoot, {});
+    await amplifyConfigureProject({ cwd: projRoot, permissionBoundaryArn });
+    // adding a function isn't strictly part of the test, it just causes the project to have changes to push
+    await addFunction(projRoot, { functionTemplate: 'Hello World' }, 'nodejs');
+    await amplifyPushAuth(projRoot);
+    const meta = getProjectMeta(projRoot);
+    const authRoleName = meta?.providers?.awscloudformation?.AuthRoleName;
+    const region = meta?.providers?.awscloudformation?.Region;
+
+    const actualPermBoundary = await getPermissionBoundary(authRoleName, region);
+    expect(actualPermBoundary).toEqual(permissionBoundaryArn);
+  });
+});