From 6f0c6c7553f7b1a79276aaf42f0d11fd2ce3e8f4 Mon Sep 17 00:00:00 2001
From: Raj Rajhans <me@rajrajhans.com>
Date: Sun, 11 Apr 2021 04:04:26 +0530
Subject: [PATCH 01/35] fix(amplify-provider-awscloudformation): fix tests
 failing due to system-config-manager.js (#7053)

---
 .../src/configuration-manager.ts              |  2 +-
 ...ig-manager.js => system-config-manager.ts} | 24 ++++++-------------
 2 files changed, 8 insertions(+), 18 deletions(-)
 rename packages/amplify-provider-awscloudformation/src/{system-config-manager.js => system-config-manager.ts} (95%)

diff --git a/packages/amplify-provider-awscloudformation/src/configuration-manager.ts b/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
index 4fc145249c1..da9dad4961a 100644
--- a/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
+++ b/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
@@ -9,7 +9,7 @@ import awsRegions from './aws-regions';
 import constants from './constants';
 import setupNewUser from './setup-new-user';
 import obfuscateUtil from './utility-obfuscate';
-import systemConfigManager from './system-config-manager';
+import * as systemConfigManager from './system-config-manager';
 import { doAdminTokensExist, getTempCredsWithAdminTokens, isAmplifyAdminApp } from './utils/admin-helpers';
 import { resolveAppId } from './utils/resolve-appId';
 import { AuthFlow, AuthFlowConfig, AwsSdkConfig } from './utils/auth-types';
diff --git a/packages/amplify-provider-awscloudformation/src/system-config-manager.js b/packages/amplify-provider-awscloudformation/src/system-config-manager.ts
similarity index 95%
rename from packages/amplify-provider-awscloudformation/src/system-config-manager.js
rename to packages/amplify-provider-awscloudformation/src/system-config-manager.ts
index 4c36cd7e99c..65ab061ca44 100644
--- a/packages/amplify-provider-awscloudformation/src/system-config-manager.js
+++ b/packages/amplify-provider-awscloudformation/src/system-config-manager.ts
@@ -12,7 +12,7 @@ const logger = fileLogger('system-config-manager');
 const credentialsFilePath = pathManager.getAWSCredentialsFilePath();
 const configFilePath = pathManager.getAWSConfigFilePath();
 
-function setProfile(awsConfig, profileName) {
+export function setProfile(awsConfig, profileName) {
   fs.ensureDirSync(pathManager.getDotAWSDirPath());
 
   let credentials = {};
@@ -64,7 +64,7 @@ function setProfile(awsConfig, profileName) {
   fs.writeFileSync(configFilePath, ini.stringify(config), { mode: SecretFileMode });
 }
 
-async function getProfiledAwsConfig(context, profileName, isRoleSourceProfile) {
+export async function getProfiledAwsConfig(context, profileName, isRoleSourceProfile?) {
   let awsConfig;
   const httpProxy = process.env.HTTP_PROXY || process.env.HTTPS_PROXY;
   const profileConfig = getProfileConfig(profileName);
@@ -218,15 +218,14 @@ function isCredentialsExpired(roleCredentials) {
 
   if (roleCredentials && roleCredentials.expiration) {
     const TOTAL_MILLISECONDS_IN_ONE_MINUTE = 1000 * 60;
-    const now = new Date();
     const expirationDate = new Date(roleCredentials.expiration);
-    isExpired = expirationDate - now < TOTAL_MILLISECONDS_IN_ONE_MINUTE;
+    isExpired = expirationDate.getTime() - Date.now() < TOTAL_MILLISECONDS_IN_ONE_MINUTE;
   }
 
   return isExpired;
 }
 
-async function resetCache(context, profileName) {
+export async function resetCache(context, profileName) {
   let awsConfig;
   const profileConfig = getProfileConfig(profileName);
   const cacheFilePath = getCacheFilePath(context);
@@ -271,7 +270,7 @@ function getProfileConfig(profileName) {
   return normalizeKeys(profileConfig);
 }
 
-function getProfileCredentials(profileName) {
+export function getProfileCredentials(profileName) {
   let profileCredentials;
   logger('getProfileCredentials', [profileName])();
   if (fs.existsSync(credentialsFilePath)) {
@@ -317,7 +316,7 @@ function normalizeKeys(config) {
   return config;
 }
 
-function getProfileRegion(profileName) {
+export function getProfileRegion(profileName) {
   let profileRegion;
   logger('getProfileRegion', [profileName])();
   const profileConfig = getProfileConfig(profileName);
@@ -329,7 +328,7 @@ function getProfileRegion(profileName) {
   return profileRegion;
 }
 
-function getNamedProfiles() {
+export function getNamedProfiles() {
   let namedProfiles;
   if (fs.existsSync(configFilePath)) {
     const config = ini.parse(fs.readFileSync(configFilePath, 'utf-8'));
@@ -343,12 +342,3 @@ function getNamedProfiles() {
   }
   return namedProfiles;
 }
-
-module.exports = {
-  setProfile,
-  getProfiledAwsConfig,
-  getProfileCredentials,
-  getProfileRegion,
-  getNamedProfiles,
-  resetCache,
-};

From 7228ddbe2921e3aead8f21a2676cf295e6351a4c Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Wed, 7 Apr 2021 16:28:44 -0700
Subject: [PATCH 02/35] feat: s3 sse by default

---
 packages/amplify-cli-core/package.json        |   2 +
 packages/amplify-cli-core/src/cfnUtilities.ts | 176 +++++++++++++++++
 packages/amplify-cli-core/src/index.ts        |   1 +
 packages/amplify-cli/package.json             |   3 +-
 .../src/project-config-version-check.ts       | 186 ++----------------
 .../src/aws-utils/aws-cfn.js                  |   6 +-
 .../src/initializer.js                        |  12 +-
 .../cfn-pre-processor.ts                      |  33 ++++
 .../modifiers/s3-sse-modifier.ts              |  21 ++
 .../pre-push-cfn-modifier.ts                  |  29 +++
 .../src/push-resources.ts                     |  23 +--
 11 files changed, 298 insertions(+), 194 deletions(-)
 create mode 100644 packages/amplify-cli-core/src/cfnUtilities.ts
 create mode 100644 packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts
 create mode 100644 packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts
 create mode 100644 packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts

diff --git a/packages/amplify-cli-core/package.json b/packages/amplify-cli-core/package.json
index cc1356af0de..c2011326bca 100644
--- a/packages/amplify-cli-core/package.json
+++ b/packages/amplify-cli-core/package.json
@@ -27,9 +27,11 @@
     "ajv": "^6.12.3",
     "amplify-cli-logger": "1.1.0",
     "ci-info": "^2.0.0",
+    "cloudform-types": "^4.2.0",
     "dotenv": "^8.2.0",
     "fs-extra": "^8.1.0",
     "hjson": "^3.2.1",
+    "js-yaml": "^4.0.0",
     "lodash": "^4.17.19",
     "open": "^7.3.1"
   },
diff --git a/packages/amplify-cli-core/src/cfnUtilities.ts b/packages/amplify-cli-core/src/cfnUtilities.ts
new file mode 100644
index 00000000000..0df88f57399
--- /dev/null
+++ b/packages/amplify-cli-core/src/cfnUtilities.ts
@@ -0,0 +1,176 @@
+import * as yaml from 'js-yaml';
+import { Template } from 'cloudform-types';
+import { JSONUtilities } from './jsonUtilities';
+import * as fs from 'fs-extra';
+
+// Register custom tags for yaml parser
+const CF_SCHEMA = new yaml.Schema([
+  new yaml.Type('!Ref', {
+    kind: 'scalar',
+    construct: function (data) {
+      return { Ref: data };
+    },
+  }),
+  new yaml.Type('!Condition', {
+    kind: 'sequence',
+    construct: function (data) {
+      return { Condition: data };
+    },
+  }),
+  new yaml.Type('!Equals', {
+    kind: 'sequence',
+    construct: function (data) {
+      return { 'Fn::Equals': data };
+    },
+  }),
+  new yaml.Type('!Not', {
+    kind: 'sequence',
+    construct: function (data) {
+      return { 'Fn::Not': data };
+    },
+  }),
+  new yaml.Type('!Sub', {
+    kind: 'scalar',
+    construct: function (data) {
+      return { 'Fn::Sub': data };
+    },
+  }),
+  new yaml.Type('!Sub', {
+    kind: 'sequence',
+    construct: function (data) {
+      return { 'Fn::Sub': data };
+    },
+  }),
+  new yaml.Type('!If', {
+    kind: 'sequence',
+    construct: function (data) {
+      return { 'Fn::If': data };
+    },
+  }),
+  new yaml.Type('!Join', {
+    kind: 'sequence',
+    construct: function (data) {
+      return { 'Fn::Join': data };
+    },
+  }),
+  new yaml.Type('!Select', {
+    kind: 'sequence',
+    construct: function (data) {
+      return { 'Fn::Select': data };
+    },
+  }),
+  new yaml.Type('!FindInMap', {
+    kind: 'sequence',
+    construct: function (data) {
+      return { 'Fn::FindInMap': data };
+    },
+  }),
+  new yaml.Type('!GetAtt', {
+    kind: 'scalar',
+    construct: function (data) {
+      return { 'Fn::GetAtt': Array.isArray(data) ? data : data.split('.') };
+    },
+  }),
+  new yaml.Type('!GetAtt', {
+    kind: 'sequence',
+    construct: function (data) {
+      return { 'Fn::GetAtt': Array.isArray(data) ? data : data.split('.') };
+    },
+  }),
+  new yaml.Type('!GetAZs', {
+    kind: 'scalar',
+    construct: function (data) {
+      return { 'Fn::GetAZs': data };
+    },
+  }),
+  new yaml.Type('!Base64', {
+    kind: 'mapping',
+    construct: function (data) {
+      return { 'Fn::Base64': data };
+    },
+  }),
+  new yaml.Type('!Split', {
+    kind: 'sequence',
+    construct: function (data) {
+      return { 'Fn::Split': data };
+    },
+  }),
+  new yaml.Type('!Cidr', {
+    kind: 'sequence',
+    construct: function (data) {
+      return { 'Fn::Cidr': data };
+    },
+  }),
+  new yaml.Type('!ImportValue', {
+    kind: 'sequence',
+    construct: function (data) {
+      return { 'Fn::ImportValue': data };
+    },
+  }),
+  new yaml.Type('!Transform', {
+    kind: 'sequence',
+    construct: function (data) {
+      return { 'Fn::Transform': data };
+    },
+  }),
+  new yaml.Type('!And', {
+    kind: 'sequence',
+    construct: function (data) {
+      return { 'Fn::And': data };
+    },
+  }),
+  new yaml.Type('!Or', {
+    kind: 'sequence',
+    construct: function (data) {
+      return { 'Fn::Or': data };
+    },
+  }),
+]);
+
+function isJsonFileContent(fileContent: string): boolean {
+  // We use the first character to determine if the content is json or yaml because historically the CLI could
+  // have emitted JSON with YML extension, so we can't rely on filename extension.
+  return fileContent?.trim()[0] === '{'; // CFN templates are always objects, never arrays
+}
+
+export async function readCFNTemplate(filePath: string): Promise<{ templateFormat: CFNTemplateFormat; cfnTemplate: Template }> {
+  if (!fs.existsSync(filePath) || !fs.statSync(filePath).isFile) {
+    throw new Error(`No CloudFormation template found at ${filePath}`);
+  }
+  const fileContent = await fs.readFile(filePath, 'utf8');
+  // We use the first character to determine if the content is json or yaml because historically the CLI could
+  // have emitted JSON with YML extension, so we can't rely on filename extension.
+  const isJson = isJsonFileContent(fileContent);
+  const cfnTemplate = isJson ? JSONUtilities.parse<Template>(fileContent) : (yaml.load(fileContent, { schema: CF_SCHEMA }) as Template);
+  const templateFormat = isJson ? CFNTemplateFormat.JSON : CFNTemplateFormat.YAML;
+  return { templateFormat, cfnTemplate };
+}
+
+export enum CFNTemplateFormat {
+  JSON = 'json',
+  YAML = 'yaml',
+}
+
+export type WriteCFNTemplateOptions = {
+  templateFormat?: CFNTemplateFormat;
+};
+
+const writeCFNTemplateDefaultOptions: Required<WriteCFNTemplateOptions> = {
+  templateFormat: CFNTemplateFormat.JSON,
+};
+
+export function writeCFNTemplate(template: object, filePath: string, options?: WriteCFNTemplateOptions): Promise<void> {
+  const mergedOptions = { ...writeCFNTemplateDefaultOptions, ...options };
+  let serializedTemplate: string | undefined;
+  switch (mergedOptions.templateFormat) {
+    case CFNTemplateFormat.JSON:
+      serializedTemplate = JSONUtilities.stringify(template);
+      break;
+    case CFNTemplateFormat.YAML:
+      serializedTemplate = yaml.dump(template);
+      break;
+    default:
+      throw new Error(`Unexpected CFN template format ${mergedOptions.templateFormat}`);
+  }
+  return fs.writeFile(filePath, serializedTemplate);
+}
diff --git a/packages/amplify-cli-core/src/index.ts b/packages/amplify-cli-core/src/index.ts
index 0127fea71f0..7e6ebdb1b3a 100644
--- a/packages/amplify-cli-core/src/index.ts
+++ b/packages/amplify-cli-core/src/index.ts
@@ -1,5 +1,6 @@
 import { ServiceSelection } from './serviceSelection';
 
+export * from './cfnUtilities';
 export * from './cliContext';
 export * from './cliContextEnvironmentProvider';
 export * from './cliEnvironmentProvider';
diff --git a/packages/amplify-cli/package.json b/packages/amplify-cli/package.json
index 85a7b5c50db..c2b4dbebb92 100644
--- a/packages/amplify-cli/package.json
+++ b/packages/amplify-cli/package.json
@@ -70,6 +70,7 @@
     "chalk": "^3.0.0",
     "ci-info": "^2.0.0",
     "cli-table3": "^0.6.0",
+    "cloudform-types": "^4.2.0",
     "colors": "^1.4.0",
     "ejs": "^3.0.1",
     "enquirer": "^2.3.6",
@@ -85,7 +86,6 @@
     "hidefile": "^3.0.0",
     "ini": "^1.3.5",
     "inquirer": "^7.3.3",
-    "js-yaml": "^4.0.0",
     "lodash": "^4.17.19",
     "node-fetch": "^2.6.1",
     "open": "^7.4.0",
@@ -106,7 +106,6 @@
     "@types/glob": "^7.1.1",
     "@types/global-prefix": "^3.0.0",
     "@types/gunzip-maybe": "^1.4.0",
-    "@types/js-yaml": "^4.0.0",
     "@types/node": "^10.17.13",
     "@types/node-fetch": "^2.5.7",
     "@types/parse-json": "^4.0.0",
diff --git a/packages/amplify-cli/src/project-config-version-check.ts b/packages/amplify-cli/src/project-config-version-check.ts
index 043e40b3d49..aa5c8d3c7ed 100644
--- a/packages/amplify-cli/src/project-config-version-check.ts
+++ b/packages/amplify-cli/src/project-config-version-check.ts
@@ -1,141 +1,18 @@
 import * as path from 'path';
 import * as fs from 'fs-extra';
 import * as inquirer from 'inquirer';
-import * as yaml from 'js-yaml';
 import _ from 'lodash';
 import glob from 'glob';
 import { coerce, lt } from 'semver';
 import { Context } from './domain/context';
 import { ConfirmQuestion } from 'inquirer';
-import { JSONUtilities, pathManager, stateManager } from 'amplify-cli-core';
+import { pathManager, stateManager, readCFNTemplate, writeCFNTemplate } from 'amplify-cli-core';
+import Resource from 'cloudform-types/types/resource';
+import Lambda from 'cloudform-types/types/lambda';
 
 const previousLambdaRuntimeVersions = ['nodejs8.10', 'nodejs10.x'];
 const lambdaRuntimeVersion = 'nodejs12.x';
 
-// Register custom tags for yaml parser
-const CF_SCHEMA = new yaml.Schema([
-  new yaml.Type('!Ref', {
-    kind: 'scalar',
-    construct: function (data) {
-      return { Ref: data };
-    },
-  }),
-  new yaml.Type('!Condition', {
-    kind: 'sequence',
-    construct: function (data) {
-      return { Condition: data };
-    },
-  }),
-  new yaml.Type('!Equals', {
-    kind: 'sequence',
-    construct: function (data) {
-      return { 'Fn::Equals': data };
-    },
-  }),
-  new yaml.Type('!Not', {
-    kind: 'sequence',
-    construct: function (data) {
-      return { 'Fn::Not': data };
-    },
-  }),
-  new yaml.Type('!Sub', {
-    kind: 'scalar',
-    construct: function (data) {
-      return { 'Fn::Sub': data };
-    },
-  }),
-  new yaml.Type('!Sub', {
-    kind: 'sequence',
-    construct: function (data) {
-      return { 'Fn::Sub': data };
-    },
-  }),
-  new yaml.Type('!If', {
-    kind: 'sequence',
-    construct: function (data) {
-      return { 'Fn::If': data };
-    },
-  }),
-  new yaml.Type('!Join', {
-    kind: 'sequence',
-    construct: function (data) {
-      return { 'Fn::Join': data };
-    },
-  }),
-  new yaml.Type('!Select', {
-    kind: 'sequence',
-    construct: function (data) {
-      return { 'Fn::Select': data };
-    },
-  }),
-  new yaml.Type('!FindInMap', {
-    kind: 'sequence',
-    construct: function (data) {
-      return { 'Fn::FindInMap': data };
-    },
-  }),
-  new yaml.Type('!GetAtt', {
-    kind: 'scalar',
-    construct: function (data) {
-      return { 'Fn::GetAtt': Array.isArray(data) ? data : data.split('.') };
-    },
-  }),
-  new yaml.Type('!GetAtt', {
-    kind: 'sequence',
-    construct: function (data) {
-      return { 'Fn::GetAtt': Array.isArray(data) ? data : data.split('.') };
-    },
-  }),
-  new yaml.Type('!GetAZs', {
-    kind: 'scalar',
-    construct: function (data) {
-      return { 'Fn::GetAZs': data };
-    },
-  }),
-  new yaml.Type('!Base64', {
-    kind: 'mapping',
-    construct: function (data) {
-      return { 'Fn::Base64': data };
-    },
-  }),
-  new yaml.Type('!Split', {
-    kind: 'sequence',
-    construct: function (data) {
-      return { 'Fn::Split': data };
-    },
-  }),
-  new yaml.Type('!Cidr', {
-    kind: 'sequence',
-    construct: function (data) {
-      return { 'Fn::Cidr': data };
-    },
-  }),
-  new yaml.Type('!ImportValue', {
-    kind: 'sequence',
-    construct: function (data) {
-      return { 'Fn::ImportValue': data };
-    },
-  }),
-  new yaml.Type('!Transform', {
-    kind: 'sequence',
-    construct: function (data) {
-      return { 'Fn::Transform': data };
-    },
-  }),
-  new yaml.Type('!And', {
-    kind: 'sequence',
-    construct: function (data) {
-      return { 'Fn::And': data };
-    },
-  }),
-  new yaml.Type('!Or', {
-    kind: 'sequence',
-    construct: function (data) {
-      return { 'Fn::Or': data };
-    },
-  }),
-]);
-
 export async function checkProjectConfigVersion(context: Context): Promise<void> {
   const { constants } = context.amplify;
   const projectPath = pathManager.findProjectRoot();
@@ -196,9 +73,8 @@ async function checkLambdaCustomResourceNodeVersion(context: Context, projectPat
 
     for (const templateFileName of templateFileNames) {
       const absolutePath = path.join(backendDirPath, templateFileName);
-      const fileContent = fs.readFileSync(absolutePath, 'utf8');
 
-      if (checkFileContent(fileContent)) {
+      if (await checkFileContent(absolutePath)) {
         filesToUpdate.push(templateFileName);
       }
     }
@@ -210,11 +86,7 @@ async function checkLambdaCustomResourceNodeVersion(context: Context, projectPat
     if (confirmed) {
       for (const fileName of filesToUpdate) {
         const absolutePath = path.join(backendDirPath, fileName);
-        const fileContent = fs.readFileSync(absolutePath, 'utf8');
-
-        const newFileContent = updateFileContent(fileContent);
-
-        fs.writeFileSync(absolutePath, newFileContent, 'utf8');
+        await updateFileContent(absolutePath);
       }
 
       context.print.info('');
@@ -231,60 +103,32 @@ async function checkLambdaCustomResourceNodeVersion(context: Context, projectPat
   return result;
 }
 
-function checkFileContent(fileContent: string): boolean {
-  const { cfnTemplate } = getCFNTemplate(fileContent);
+async function checkFileContent(filePath: string): Promise<boolean> {
+  const { cfnTemplate } = await readCFNTemplate(filePath);
 
   const resources = _.get(cfnTemplate, 'Resources', {});
   const lambdaFunctions = _.filter(
     resources,
-    r => r.Type === 'AWS::Lambda::Function' && previousLambdaRuntimeVersions.includes(_.get(r, ['Properties', 'Runtime'], undefined)),
+    (r: Resource) =>
+      r.Type === 'AWS::Lambda::Function' && previousLambdaRuntimeVersions.includes(_.get(r, ['Properties', 'Runtime'], undefined)),
   );
 
   return lambdaFunctions.length > 0;
 }
 
-function updateFileContent(fileContent: string): string {
-  const { isJson, cfnTemplate } = getCFNTemplate(fileContent);
+async function updateFileContent(filePath: string): Promise<void> {
+  const { templateFormat, cfnTemplate } = await readCFNTemplate(filePath);
 
   const resources = _.get(cfnTemplate, 'Resources', {});
-  const lambdaFunctions = _.filter(
+  const lambdaFunctions: Lambda.Function[] = _.filter(
     resources,
-    r => r.Type === 'AWS::Lambda::Function' && previousLambdaRuntimeVersions.includes(_.get(r, ['Properties', 'Runtime'], undefined)),
+    (r: Resource) =>
+      r.Type === 'AWS::Lambda::Function' && previousLambdaRuntimeVersions.includes(_.get(r, ['Properties', 'Runtime'], undefined)),
   );
 
   lambdaFunctions.map(f => (f.Properties.Runtime = lambdaRuntimeVersion));
 
-  let result: string | undefined;
-
-  if (isJson) {
-    result = JSONUtilities.stringify(cfnTemplate);
-  } else {
-    result = yaml.dump(cfnTemplate);
-  }
-
-  return result!;
-}
-
-function isJsonFileContent(fileContent: string): boolean {
-  // We use the first character to determine if the content is json or yaml because historically the CLI could
-  // have emitted JSON with YML extension, so we can't rely on filename extension.
-  return fileContent?.trim()[0] === '{'; // CFN templates are always objects, never arrays
-}
-
-function getCFNTemplate(fileContent: string): { isJson; cfnTemplate: Record<string, any> } {
-  // We use the first character to determine if the content is json or yaml because historically the CLI could
-  // have emitted JSON with YML extension, so we can't rely on filename extension.
-  const isJson = isJsonFileContent(fileContent);
-
-  let cfnTemplate: Record<string, any>;
-
-  if (isJson) {
-    cfnTemplate = JSONUtilities.parse<Record<string, any>>(fileContent);
-  } else {
-    cfnTemplate = yaml.load(fileContent, { schema: CF_SCHEMA }) as Record<string, any>;
-  }
-
-  return { isJson, cfnTemplate };
+  return writeCFNTemplate(cfnTemplate, filePath, { templateFormat });
 }
 
 async function promptForConfirmation(context: Context, filesToUpdate: string[]): Promise<boolean> {
diff --git a/packages/amplify-provider-awscloudformation/src/aws-utils/aws-cfn.js b/packages/amplify-provider-awscloudformation/src/aws-utils/aws-cfn.js
index 7d056c36016..6b620c0be0d 100644
--- a/packages/amplify-provider-awscloudformation/src/aws-utils/aws-cfn.js
+++ b/packages/amplify-provider-awscloudformation/src/aws-utils/aws-cfn.js
@@ -5,7 +5,7 @@ const BottleNeck = require('bottleneck');
 const chalk = require('chalk');
 const columnify = require('columnify');
 
-const aws = require('./aws.js');
+const aws = require('./aws');
 const { S3 } = require('./aws-s3');
 const providerName = require('../constants').ProviderName;
 const { formUserAgentParam } = require('./user-agent');
@@ -211,8 +211,8 @@ class CloudFormation {
       });
   }
 
-  updateResourceStack(dir, cfnFile) {
-    const filePath = path.normalize(path.join(dir, cfnFile));
+  updateResourceStack(filePath) {
+    const cfnFile = path.parse(filePath).base;
     const projectDetails = this.context.amplify.getProjectDetails();
     const stackName = projectDetails.amplifyMeta.providers ? projectDetails.amplifyMeta.providers[providerName].StackName : '';
     const deploymentBucketName = projectDetails.amplifyMeta.providers
diff --git a/packages/amplify-provider-awscloudformation/src/initializer.js b/packages/amplify-provider-awscloudformation/src/initializer.js
index ff475698165..74135bb0031 100644
--- a/packages/amplify-provider-awscloudformation/src/initializer.js
+++ b/packages/amplify-provider-awscloudformation/src/initializer.js
@@ -1,6 +1,6 @@
 const moment = require('moment');
 const path = require('path');
-const { pathManager, PathConstants, stateManager } = require('amplify-cli-core');
+const { pathManager, PathConstants, stateManager, JSONUtilities } = require('amplify-cli-core');
 const glob = require('glob');
 const archiver = require('./utils/archiver');
 const fs = require('fs-extra');
@@ -13,6 +13,7 @@ const configurationManager = require('./configuration-manager');
 const amplifyServiceManager = require('./amplify-service-manager');
 const amplifyServiceMigrate = require('./amplify-service-migrate');
 const { fileLogger } = require('./utils/aws-logger');
+const { preProcessCFNTemplate } = require('./pre-push-cfn-processor/cfn-pre-processor');
 const logger = fileLogger('attach-backend');
 
 async function run(context) {
@@ -41,17 +42,18 @@ async function run(context) {
     const authRoleName = `${stackName}-authRole`;
     const unauthRoleName = `${stackName}-unauthRole`;
 
-    let nestedStack = context.amplify.readJsonFile(initTemplateFilePath);
+    const transformedCFNPath = await preProcessCFNTemplate(initTemplateFilePath);
+
+    const rootStack = JSONUtilities.readJson(transformedCFNPath);
     // Track Amplify Console generated stacks
     if (!!process.env.CLI_DEV_INTERNAL_DISABLE_AMPLIFY_APP_DELETION) {
-      nestedStack.Description = 'Root Stack for AWS Amplify Console';
+      rootStack.Description = 'Root Stack for AWS Amplify Console';
     }
-    nestedStack = JSON.stringify(nestedStack);
 
     const params = {
       StackName: stackName,
       Capabilities: ['CAPABILITY_NAMED_IAM', 'CAPABILITY_AUTO_EXPAND'],
-      TemplateBody: nestedStack,
+      TemplateBody: JSON.stringify(rootStack),
       Parameters: [
         {
           ParameterKey: 'DeploymentBucketName',
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts
new file mode 100644
index 00000000000..ce73c01ca6d
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts
@@ -0,0 +1,33 @@
+import { pathManager, readCFNTemplate, writeCFNTemplate } from 'amplify-cli-core';
+import * as fs from 'fs-extra';
+import * as path from 'path';
+import { ProviderName as providerName } from '../constants';
+import { prePushCfnTemplateModifier } from './pre-push-cfn-modifier';
+
+const buildDir = 'build';
+
+/**
+ * Runs transformations on a CFN template and returns a path to the transformed template
+ * @param filePath the original template path (expects a path within the Amplify backend directory)
+ * @returns The file path of the modified template
+ */
+export async function preProcessCFNTemplate(filePath: string): Promise<string> {
+  const pathPrefix = pathManager.getBackendDirPath();
+  if (!filePath.startsWith(pathPrefix)) {
+    throw new Error(`Expected ${filePath} to be under ${pathPrefix}`);
+  }
+  const { templateFormat, cfnTemplate } = await readCFNTemplate(filePath);
+
+  await prePushCfnTemplateModifier(cfnTemplate);
+
+  // ensure the destination exists
+  const pathSuffix = filePath.slice(pathPrefix.length);
+  const parsedSuffix = path.parse(pathSuffix);
+  const destDir = path.join(pathPrefix, providerName, buildDir, parsedSuffix.dir);
+  const destFilename = parsedSuffix.base;
+  await fs.ensureDir(destDir);
+  const newPath = path.join(destDir, destFilename);
+
+  await writeCFNTemplate(cfnTemplate, newPath, { templateFormat });
+  return newPath;
+}
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts
new file mode 100644
index 00000000000..fca2d6420d0
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts
@@ -0,0 +1,21 @@
+import Bucket, { BucketEncryption, ServerSideEncryptionByDefault, ServerSideEncryptionRule } from 'cloudform-types/types/s3/bucket';
+import _ from 'lodash';
+import { ResourceModifier } from '../pre-push-cfn-modifier';
+
+export const applyS3SSEModification: ResourceModifier = async (resource: Bucket) => {
+  if (resource.Properties?.BucketEncryption) {
+    return; // don't overwrite existing encryption config if present
+  }
+  if (!resource.Properties || typeof resource.Properties !== 'object') {
+    resource.Properties = {};
+  }
+  resource.Properties.BucketEncryption = new BucketEncryption({
+    ServerSideEncryptionConfiguration: [
+      new ServerSideEncryptionRule({
+        ServerSideEncryptionByDefault: new ServerSideEncryptionByDefault({
+          SSEAlgorithm: 'AES256',
+        }),
+      }),
+    ],
+  });
+};
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
new file mode 100644
index 00000000000..15629c9e9c1
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
@@ -0,0 +1,29 @@
+import Resource from 'cloudform-types/types/resource';
+import _ from 'lodash';
+import { applyS3SSEModification } from './modifiers/s3-sse-modifier';
+import { Template } from 'cloudform-types';
+
+// modifies the template in-place
+export type TemplateModifier = (template: Template) => Promise<void>;
+
+// modifies the resource in-place
+export type ResourceModifier = (resource: Resource) => Promise<void>;
+
+export const prePushCfnTemplateModifier: TemplateModifier = async template => {
+  await Promise.all(
+    Object.values(template.Resources).map(async resource => {
+      const transformers = getResourceModifiers(resource.Type);
+      await Promise.all(transformers.map(transformer => transformer(resource)));
+    }),
+  );
+};
+
+const getResourceModifiers = (type: string) => {
+  return _.get(resourceTransformerRegistry, type, [noopResourceTransformer]);
+};
+
+const resourceTransformerRegistry: Record<string, ResourceModifier[]> = {
+  'AWS::S3::Bucket': [applyS3SSEModification],
+};
+
+const noopResourceTransformer: ResourceModifier = async () => {};
diff --git a/packages/amplify-provider-awscloudformation/src/push-resources.ts b/packages/amplify-provider-awscloudformation/src/push-resources.ts
index 22d620125ea..153f973f0fa 100644
--- a/packages/amplify-provider-awscloudformation/src/push-resources.ts
+++ b/packages/amplify-provider-awscloudformation/src/push-resources.ts
@@ -43,6 +43,7 @@ import { isAmplifyAdminApp } from './utils/admin-helpers';
 import { fileLogger } from './utils/aws-logger';
 import { createEnvLevelConstructs } from './utils/env-level-constructs';
 import { NETWORK_STACK_LOGICAL_ID } from './network/stack';
+import { preProcessCFNTemplate } from './pre-push-cfn-processor/cfn-pre-processor';
 
 const logger = fileLogger('push-resources');
 
@@ -584,13 +585,15 @@ async function updateCloudFormationNestedStack(
 
   JSONUtilities.writeJson(nestedStackFilepath, nestedStack);
 
+  const transformedStackPath = await preProcessCFNTemplate(nestedStackFilepath);
+
   const cfnItem = await new Cloudformation(context, generateUserAgentAction(resourcesToBeCreated, resourcesToBeUpdated));
   const providerDirectory = path.normalize(path.join(backEndDir, providerName));
 
-  const log = logger('updateCloudFormationNestedStack', [providerDirectory, nestedStackFilepath]);
+  const log = logger('updateCloudFormationNestedStack', [providerDirectory, transformedStackPath]);
   try {
     log();
-    await cfnItem.updateResourceStack(path.normalize(path.join(backEndDir, providerName)), nestedStackFileName);
+    await cfnItem.updateResourceStack(transformedStackPath);
   } catch (error) {
     log(error);
     throw error;
@@ -667,29 +670,23 @@ function getCfnFiles(category: string, resourceName: string) {
   };
 }
 
-function updateS3Templates(context: $TSContext, resourcesToBeUpdated: $TSAny, amplifyMeta: $TSMeta) {
+async function updateS3Templates(context: $TSContext, resourcesToBeUpdated: $TSAny, amplifyMeta: $TSMeta) {
   const promises = [];
 
   for (const { category, resourceName } of resourcesToBeUpdated) {
     const { resourceDir, cfnFiles } = getCfnFiles(category, resourceName);
 
     for (const cfnFile of cfnFiles) {
-      promises.push(uploadTemplateToS3(context, resourceDir, cfnFile, category, resourceName, amplifyMeta));
+      const transformedCFNPath = await preProcessCFNTemplate(path.join(resourceDir, cfnFile));
+      promises.push(uploadTemplateToS3(context, transformedCFNPath, category, resourceName, amplifyMeta));
     }
   }
 
   return Promise.all(promises);
 }
 
-async function uploadTemplateToS3(
-  context: $TSContext,
-  resourceDir: string,
-  cfnFile: string,
-  category: string,
-  resourceName: string,
-  amplifyMeta: $TSMeta,
-) {
-  const filePath = path.normalize(path.join(resourceDir, cfnFile));
+async function uploadTemplateToS3(context: $TSContext, filePath: string, category: string, resourceName: string, amplifyMeta: $TSMeta) {
+  const cfnFile = path.parse(filePath).base;
   const s3 = await S3.getInstance(context);
 
   const s3Params = {

From 707a370eabae74e12af4c633a2f3c0899b92365b Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Thu, 8 Apr 2021 13:40:01 -0700
Subject: [PATCH 03/35] chore: fix init push issue

---
 packages/amplify-cli-core/src/cfnUtilities.ts | 91 ++++++++++---------
 .../src/initializer.js                        |  7 +-
 .../cfn-pre-processor.ts                      | 17 +---
 3 files changed, 57 insertions(+), 58 deletions(-)

diff --git a/packages/amplify-cli-core/src/cfnUtilities.ts b/packages/amplify-cli-core/src/cfnUtilities.ts
index 0df88f57399..df0fc6f44af 100644
--- a/packages/amplify-cli-core/src/cfnUtilities.ts
+++ b/packages/amplify-cli-core/src/cfnUtilities.ts
@@ -2,6 +2,55 @@ import * as yaml from 'js-yaml';
 import { Template } from 'cloudform-types';
 import { JSONUtilities } from './jsonUtilities';
 import * as fs from 'fs-extra';
+import * as path from 'path';
+
+export async function readCFNTemplate(filePath: string): Promise<TemplateAndFormatTuple> {
+  if (!fs.existsSync(filePath) || !fs.statSync(filePath).isFile) {
+    throw new Error(`No CloudFormation template found at ${filePath}`);
+  }
+  const fileContent = await fs.readFile(filePath, 'utf8');
+  // We use the first character to determine if the content is json or yaml because historically the CLI could
+  // have emitted JSON with YML extension, so we can't rely on filename extension.
+  const isJson = isJsonFileContent(fileContent);
+  const cfnTemplate = isJson ? JSONUtilities.parse<Template>(fileContent) : (yaml.load(fileContent, { schema: CF_SCHEMA }) as Template);
+  const templateFormat = isJson ? CFNTemplateFormat.JSON : CFNTemplateFormat.YAML;
+  return { templateFormat, cfnTemplate };
+}
+
+export type TemplateAndFormatTuple = {
+  templateFormat: CFNTemplateFormat;
+  cfnTemplate: Template;
+};
+
+export enum CFNTemplateFormat {
+  JSON = 'json',
+  YAML = 'yaml',
+}
+
+export type WriteCFNTemplateOptions = {
+  templateFormat?: CFNTemplateFormat;
+};
+
+const writeCFNTemplateDefaultOptions: Required<WriteCFNTemplateOptions> = {
+  templateFormat: CFNTemplateFormat.JSON,
+};
+
+export async function writeCFNTemplate(template: object, filePath: string, options?: WriteCFNTemplateOptions): Promise<void> {
+  const mergedOptions = { ...writeCFNTemplateDefaultOptions, ...options };
+  let serializedTemplate: string | undefined;
+  switch (mergedOptions.templateFormat) {
+    case CFNTemplateFormat.JSON:
+      serializedTemplate = JSONUtilities.stringify(template);
+      break;
+    case CFNTemplateFormat.YAML:
+      serializedTemplate = yaml.dump(template);
+      break;
+    default:
+      throw new Error(`Unexpected CFN template format ${mergedOptions.templateFormat}`);
+  }
+  await fs.ensureDir(path.parse(filePath).dir);
+  return fs.writeFile(filePath, serializedTemplate);
+}
 
 // Register custom tags for yaml parser
 const CF_SCHEMA = new yaml.Schema([
@@ -132,45 +181,3 @@ function isJsonFileContent(fileContent: string): boolean {
   // have emitted JSON with YML extension, so we can't rely on filename extension.
   return fileContent?.trim()[0] === '{'; // CFN templates are always objects, never arrays
 }
-
-export async function readCFNTemplate(filePath: string): Promise<{ templateFormat: CFNTemplateFormat; cfnTemplate: Template }> {
-  if (!fs.existsSync(filePath) || !fs.statSync(filePath).isFile) {
-    throw new Error(`No CloudFormation template found at ${filePath}`);
-  }
-  const fileContent = await fs.readFile(filePath, 'utf8');
-  // We use the first character to determine if the content is json or yaml because historically the CLI could
-  // have emitted JSON with YML extension, so we can't rely on filename extension.
-  const isJson = isJsonFileContent(fileContent);
-  const cfnTemplate = isJson ? JSONUtilities.parse<Template>(fileContent) : (yaml.load(fileContent, { schema: CF_SCHEMA }) as Template);
-  const templateFormat = isJson ? CFNTemplateFormat.JSON : CFNTemplateFormat.YAML;
-  return { templateFormat, cfnTemplate };
-}
-
-export enum CFNTemplateFormat {
-  JSON = 'json',
-  YAML = 'yaml',
-}
-
-export type WriteCFNTemplateOptions = {
-  templateFormat?: CFNTemplateFormat;
-};
-
-const writeCFNTemplateDefaultOptions: Required<WriteCFNTemplateOptions> = {
-  templateFormat: CFNTemplateFormat.JSON,
-};
-
-export function writeCFNTemplate(template: object, filePath: string, options?: WriteCFNTemplateOptions): Promise<void> {
-  const mergedOptions = { ...writeCFNTemplateDefaultOptions, ...options };
-  let serializedTemplate: string | undefined;
-  switch (mergedOptions.templateFormat) {
-    case CFNTemplateFormat.JSON:
-      serializedTemplate = JSONUtilities.stringify(template);
-      break;
-    case CFNTemplateFormat.YAML:
-      serializedTemplate = yaml.dump(template);
-      break;
-    default:
-      throw new Error(`Unexpected CFN template format ${mergedOptions.templateFormat}`);
-  }
-  return fs.writeFile(filePath, serializedTemplate);
-}
diff --git a/packages/amplify-provider-awscloudformation/src/initializer.js b/packages/amplify-provider-awscloudformation/src/initializer.js
index 74135bb0031..bb18f3aa0e8 100644
--- a/packages/amplify-provider-awscloudformation/src/initializer.js
+++ b/packages/amplify-provider-awscloudformation/src/initializer.js
@@ -13,7 +13,7 @@ const configurationManager = require('./configuration-manager');
 const amplifyServiceManager = require('./amplify-service-manager');
 const amplifyServiceMigrate = require('./amplify-service-migrate');
 const { fileLogger } = require('./utils/aws-logger');
-const { preProcessCFNTemplate } = require('./pre-push-cfn-processor/cfn-pre-processor');
+const { prePushCfnTemplateModifier } = require('./pre-push-cfn-processor/pre-push-cfn-modifier');
 const logger = fileLogger('attach-backend');
 
 async function run(context) {
@@ -42,9 +42,8 @@ async function run(context) {
     const authRoleName = `${stackName}-authRole`;
     const unauthRoleName = `${stackName}-unauthRole`;
 
-    const transformedCFNPath = await preProcessCFNTemplate(initTemplateFilePath);
-
-    const rootStack = JSONUtilities.readJson(transformedCFNPath);
+    const rootStack = JSONUtilities.readJson(initTemplateFilePath);
+    await prePushCfnTemplateModifier(rootStack);
     // Track Amplify Console generated stacks
     if (!!process.env.CLI_DEV_INTERNAL_DISABLE_AMPLIFY_APP_DELETION) {
       rootStack.Description = 'Root Stack for AWS Amplify Console';
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts
index ce73c01ca6d..16abb874518 100644
--- a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts
@@ -1,6 +1,6 @@
 import { pathManager, readCFNTemplate, writeCFNTemplate } from 'amplify-cli-core';
-import * as fs from 'fs-extra';
 import * as path from 'path';
+import * as fs from 'fs-extra';
 import { ProviderName as providerName } from '../constants';
 import { prePushCfnTemplateModifier } from './pre-push-cfn-modifier';
 
@@ -12,21 +12,14 @@ const buildDir = 'build';
  * @returns The file path of the modified template
  */
 export async function preProcessCFNTemplate(filePath: string): Promise<string> {
-  const pathPrefix = pathManager.getBackendDirPath();
-  if (!filePath.startsWith(pathPrefix)) {
-    throw new Error(`Expected ${filePath} to be under ${pathPrefix}`);
-  }
   const { templateFormat, cfnTemplate } = await readCFNTemplate(filePath);
 
   await prePushCfnTemplateModifier(cfnTemplate);
 
-  // ensure the destination exists
-  const pathSuffix = filePath.slice(pathPrefix.length);
-  const parsedSuffix = path.parse(pathSuffix);
-  const destDir = path.join(pathPrefix, providerName, buildDir, parsedSuffix.dir);
-  const destFilename = parsedSuffix.base;
-  await fs.ensureDir(destDir);
-  const newPath = path.join(destDir, destFilename);
+  const backendDir = pathManager.getBackendDirPath();
+  const pathSuffix = filePath.startsWith(backendDir) ? filePath.slice(backendDir.length) : path.parse(filePath).base;
+  const newPath = path.join(backendDir, providerName, buildDir, pathSuffix);
+  await fs.ensureDir(path.parse(newPath).dir);
 
   await writeCFNTemplate(cfnTemplate, newPath, { templateFormat });
   return newPath;

From d9603075e510a9d5482d429f6b9f2b2d3ba971ed Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Thu, 8 Apr 2021 13:50:43 -0700
Subject: [PATCH 04/35] chore: cleanup

---
 packages/amplify-cli-core/src/cfnUtilities.ts              | 7 +------
 .../src/pre-push-cfn-processor/cfn-pre-processor.ts        | 4 +++-
 .../pre-push-cfn-processor/modifiers/s3-sse-modifier.ts    | 1 -
 3 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/packages/amplify-cli-core/src/cfnUtilities.ts b/packages/amplify-cli-core/src/cfnUtilities.ts
index df0fc6f44af..387c2049b33 100644
--- a/packages/amplify-cli-core/src/cfnUtilities.ts
+++ b/packages/amplify-cli-core/src/cfnUtilities.ts
@@ -4,7 +4,7 @@ import { JSONUtilities } from './jsonUtilities';
 import * as fs from 'fs-extra';
 import * as path from 'path';
 
-export async function readCFNTemplate(filePath: string): Promise<TemplateAndFormatTuple> {
+export async function readCFNTemplate(filePath: string): Promise<{ templateFormat: CFNTemplateFormat; cfnTemplate: Template }> {
   if (!fs.existsSync(filePath) || !fs.statSync(filePath).isFile) {
     throw new Error(`No CloudFormation template found at ${filePath}`);
   }
@@ -17,11 +17,6 @@ export async function readCFNTemplate(filePath: string): Promise<TemplateAndForm
   return { templateFormat, cfnTemplate };
 }
 
-export type TemplateAndFormatTuple = {
-  templateFormat: CFNTemplateFormat;
-  cfnTemplate: Template;
-};
-
 export enum CFNTemplateFormat {
   JSON = 'json',
   YAML = 'yaml',
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts
index 16abb874518..14d4615c0a2 100644
--- a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts
@@ -8,7 +8,9 @@ const buildDir = 'build';
 
 /**
  * Runs transformations on a CFN template and returns a path to the transformed template
- * @param filePath the original template path (expects a path within the Amplify backend directory)
+ *
+ * Expects to be run in an initialized Amplify project
+ * @param filePath the original template path
  * @returns The file path of the modified template
  */
 export async function preProcessCFNTemplate(filePath: string): Promise<string> {
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts
index fca2d6420d0..ba880a081c7 100644
--- a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts
@@ -1,5 +1,4 @@
 import Bucket, { BucketEncryption, ServerSideEncryptionByDefault, ServerSideEncryptionRule } from 'cloudform-types/types/s3/bucket';
-import _ from 'lodash';
 import { ResourceModifier } from '../pre-push-cfn-modifier';
 
 export const applyS3SSEModification: ResourceModifier = async (resource: Bucket) => {

From aab797604814cd50cdef2ec630a67d34d0b2024e Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Fri, 9 Apr 2021 16:34:01 -0700
Subject: [PATCH 05/35] test: whole lotta tests

---
 .circleci/config.yml                          | 70 ++++++++++++------
 .../src/__tests__/cfnUtilities.test.ts        | 71 +++++++++++++++++++
 .../amplify-e2e-core/src/utils/sdk-calls.ts   | 15 ++++
 .../src/__tests__/s3-sse.test.ts              | 46 ++++++++++++
 .../package.json                              |  2 +-
 .../src/__tests__/aws-utils/aws-cfn.test.js   | 28 +++++---
 .../src/__tests__/initializer.test.ts         | 59 +++++++++++++++
 .../cfn-pre-processor.test.ts                 | 56 +++++++++++++++
 .../modifiers/s3-sse-modifier.test.ts         | 36 ++++++++++
 .../pre-push-cfn-modifier.test.ts             | 43 +++++++++++
 .../cfn-pre-processor.ts                      |  2 -
 .../src/utils/env-level-constructs.ts         |  2 +
 12 files changed, 398 insertions(+), 32 deletions(-)
 create mode 100644 packages/amplify-cli-core/src/__tests__/cfnUtilities.test.ts
 create mode 100644 packages/amplify-e2e-tests/src/__tests__/s3-sse.test.ts
 create mode 100644 packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts
 create mode 100644 packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/cfn-pre-processor.test.ts
 create mode 100644 packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/s3-sse-modifier.test.ts
 create mode 100644 packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/pre-push-cfn-modifier.test.ts

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 2dd2842f6e0..c7ccd59f52a 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1085,6 +1085,14 @@ jobs:
     environment:
       TEST_SUITE: src/__tests__/schema-iterative-update-locking.test.ts
       CLI_REGION: ap-southeast-1
+  s3-sse-amplify_e2e_tests:
+    working_directory: ~/repo
+    docker: *ref_1
+    resource_class: large
+    steps: *ref_4
+    environment:
+      TEST_SUITE: src/__tests__/s3-sse.test.ts
+      CLI_REGION: ap-southeast-2
   migration-node-function-amplify_e2e_tests:
     working_directory: ~/repo
     docker: *ref_1
@@ -1092,7 +1100,7 @@ jobs:
     steps: *ref_4
     environment:
       TEST_SUITE: src/__tests__/migration/node.function.test.ts
-      CLI_REGION: ap-southeast-2
+      CLI_REGION: us-east-2
   function_5-amplify_e2e_tests:
     working_directory: ~/repo
     docker: *ref_1
@@ -1100,7 +1108,7 @@ jobs:
     steps: *ref_4
     environment:
       TEST_SUITE: src/__tests__/function_5.test.ts
-      CLI_REGION: us-east-2
+      CLI_REGION: us-west-2
   api_4-amplify_e2e_tests:
     working_directory: ~/repo
     docker: *ref_1
@@ -1108,7 +1116,7 @@ jobs:
     steps: *ref_4
     environment:
       TEST_SUITE: src/__tests__/api_4.test.ts
-      CLI_REGION: us-west-2
+      CLI_REGION: eu-west-2
   schema-iterative-update-4-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
     docker: *ref_1
@@ -1729,6 +1737,16 @@ jobs:
       TEST_SUITE: src/__tests__/schema-iterative-update-locking.test.ts
       CLI_REGION: ap-southeast-1
     steps: *ref_5
+  s3-sse-amplify_e2e_tests_pkg_linux:
+    working_directory: ~/repo
+    docker: *ref_1
+    resource_class: large
+    environment:
+      AMPLIFY_DIR: /home/circleci/repo/out
+      AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
+      TEST_SUITE: src/__tests__/s3-sse.test.ts
+      CLI_REGION: ap-southeast-2
+    steps: *ref_5
   migration-node-function-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
     docker: *ref_1
@@ -1737,7 +1755,7 @@ jobs:
       AMPLIFY_DIR: /home/circleci/repo/out
       AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
       TEST_SUITE: src/__tests__/migration/node.function.test.ts
-      CLI_REGION: ap-southeast-2
+      CLI_REGION: us-east-2
     steps: *ref_5
   function_5-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
@@ -1747,7 +1765,7 @@ jobs:
       AMPLIFY_DIR: /home/circleci/repo/out
       AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
       TEST_SUITE: src/__tests__/function_5.test.ts
-      CLI_REGION: us-east-2
+      CLI_REGION: us-west-2
     steps: *ref_5
   api_4-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
@@ -1757,7 +1775,7 @@ jobs:
       AMPLIFY_DIR: /home/circleci/repo/out
       AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
       TEST_SUITE: src/__tests__/api_4.test.ts
-      CLI_REGION: us-west-2
+      CLI_REGION: eu-west-2
     steps: *ref_5
 workflows:
   version: 2
@@ -1854,15 +1872,15 @@ workflows:
             - hostingPROD-amplify_e2e_tests
             - amplify-app-amplify_e2e_tests
             - init-amplify_e2e_tests
-            - function_5-amplify_e2e_tests
+            - migration-node-function-amplify_e2e_tests
             - predictions-amplify_e2e_tests
             - schema-predictions-amplify_e2e_tests
             - amplify-configure-amplify_e2e_tests
-            - api_4-amplify_e2e_tests
-            - function_3-amplify_e2e_tests
+            - function_5-amplify_e2e_tests
             - containers-api-amplify_e2e_tests
             - interactions-amplify_e2e_tests
             - datastore-modelgen-amplify_e2e_tests
+            - api_4-amplify_e2e_tests
             - auth_5-amplify_e2e_tests
             - schema-iterative-update-2-amplify_e2e_tests
             - schema-data-access-patterns-amplify_e2e_tests
@@ -1878,22 +1896,22 @@ workflows:
             - schema-auth-10-amplify_e2e_tests
             - hosting-amplify_e2e_tests
             - tags-amplify_e2e_tests
-            - migration-node-function-amplify_e2e_tests
+            - s3-sse-amplify_e2e_tests
       - done_with_pkg_linux_e2e_tests:
           context: amplify-cli-ecr
           requires:
             - hostingPROD-amplify_e2e_tests_pkg_linux
             - amplify-app-amplify_e2e_tests_pkg_linux
             - init-amplify_e2e_tests_pkg_linux
-            - function_5-amplify_e2e_tests_pkg_linux
+            - migration-node-function-amplify_e2e_tests_pkg_linux
             - predictions-amplify_e2e_tests_pkg_linux
             - schema-predictions-amplify_e2e_tests_pkg_linux
             - amplify-configure-amplify_e2e_tests_pkg_linux
-            - api_4-amplify_e2e_tests_pkg_linux
-            - function_3-amplify_e2e_tests_pkg_linux
+            - function_5-amplify_e2e_tests_pkg_linux
             - containers-api-amplify_e2e_tests_pkg_linux
             - interactions-amplify_e2e_tests_pkg_linux
             - datastore-modelgen-amplify_e2e_tests_pkg_linux
+            - api_4-amplify_e2e_tests_pkg_linux
             - auth_5-amplify_e2e_tests_pkg_linux
             - schema-iterative-update-2-amplify_e2e_tests_pkg_linux
             - schema-data-access-patterns-amplify_e2e_tests_pkg_linux
@@ -1909,7 +1927,7 @@ workflows:
             - schema-auth-10-amplify_e2e_tests_pkg_linux
             - hosting-amplify_e2e_tests_pkg_linux
             - tags-amplify_e2e_tests_pkg_linux
-            - migration-node-function-amplify_e2e_tests_pkg_linux
+            - s3-sse-amplify_e2e_tests_pkg_linux
       - amplify_migration_tests_latest:
           context: amplify-cli-ecr
           filters:
@@ -2059,7 +2077,7 @@ workflows:
           filters: *ref_8
           requires:
             - schema-auth-7-amplify_e2e_tests
-      - function_5-amplify_e2e_tests:
+      - migration-node-function-amplify_e2e_tests:
           context: amplify-cli-ecr
           post-steps: *ref_7
           filters: *ref_8
@@ -2119,7 +2137,7 @@ workflows:
           filters: *ref_8
           requires:
             - auth_4-amplify_e2e_tests
-      - api_4-amplify_e2e_tests:
+      - function_5-amplify_e2e_tests:
           context: amplify-cli-ecr
           post-steps: *ref_7
           filters: *ref_8
@@ -2179,6 +2197,12 @@ workflows:
           filters: *ref_8
           requires:
             - migration-api-key-migration1-amplify_e2e_tests
+      - api_4-amplify_e2e_tests:
+          context: amplify-cli-ecr
+          post-steps: *ref_7
+          filters: *ref_8
+          requires:
+            - function_3-amplify_e2e_tests
       - schema-auth-5-amplify_e2e_tests:
           context: amplify-cli-ecr
           post-steps: *ref_7
@@ -2389,7 +2413,7 @@ workflows:
           filters: *ref_8
           requires:
             - schema-auth-8-amplify_e2e_tests
-      - migration-node-function-amplify_e2e_tests:
+      - s3-sse-amplify_e2e_tests:
           context: amplify-cli-ecr
           post-steps: *ref_7
           filters: *ref_8
@@ -2457,7 +2481,7 @@ workflows:
           filters: *ref_10
           requires:
             - schema-auth-7-amplify_e2e_tests_pkg_linux
-      - function_5-amplify_e2e_tests_pkg_linux:
+      - migration-node-function-amplify_e2e_tests_pkg_linux:
           context: amplify-cli-ecr
           post-steps: *ref_9
           filters: *ref_10
@@ -2521,7 +2545,7 @@ workflows:
           filters: *ref_10
           requires:
             - auth_4-amplify_e2e_tests_pkg_linux
-      - api_4-amplify_e2e_tests_pkg_linux:
+      - function_5-amplify_e2e_tests_pkg_linux:
           context: amplify-cli-ecr
           post-steps: *ref_9
           filters: *ref_10
@@ -2585,6 +2609,12 @@ workflows:
           filters: *ref_10
           requires:
             - migration-api-key-migration1-amplify_e2e_tests_pkg_linux
+      - api_4-amplify_e2e_tests_pkg_linux:
+          context: amplify-cli-ecr
+          post-steps: *ref_9
+          filters: *ref_10
+          requires:
+            - function_3-amplify_e2e_tests_pkg_linux
       - schema-auth-5-amplify_e2e_tests_pkg_linux:
           context: amplify-cli-ecr
           post-steps: *ref_9
@@ -2811,7 +2841,7 @@ workflows:
           filters: *ref_10
           requires:
             - schema-auth-8-amplify_e2e_tests_pkg_linux
-      - migration-node-function-amplify_e2e_tests_pkg_linux:
+      - s3-sse-amplify_e2e_tests_pkg_linux:
           context: amplify-cli-ecr
           post-steps: *ref_9
           filters: *ref_10
diff --git a/packages/amplify-cli-core/src/__tests__/cfnUtilities.test.ts b/packages/amplify-cli-core/src/__tests__/cfnUtilities.test.ts
new file mode 100644
index 00000000000..3d1c352adfa
--- /dev/null
+++ b/packages/amplify-cli-core/src/__tests__/cfnUtilities.test.ts
@@ -0,0 +1,71 @@
+import * as fs from 'fs-extra';
+import * as path from 'path';
+import { CFNTemplateFormat, JSONUtilities, readCFNTemplate, writeCFNTemplate } from '../../lib';
+
+jest.mock('fs-extra');
+
+const fs_mock = fs as jest.Mocked<typeof fs>;
+
+fs_mock.existsSync.mockReturnValue(true);
+fs_mock.statSync.mockReturnValue(({ isFile: true } as unknown) as fs.Stats);
+
+const testPath = '/this/is/a/test/path.json';
+
+const testTemplate = {
+  test: 'content',
+};
+
+const jsonContent = JSONUtilities.stringify(testTemplate) as string;
+
+const yamlContent = 'test: content\n';
+
+type TwoArgReadFile = (p: string, e: string) => Promise<string>;
+
+describe('readCFNTemplate', () => {
+  beforeEach(() => jest.clearAllMocks());
+  it('throws if specified file does not exist', async () => {
+    fs_mock.existsSync.mockReturnValueOnce(false);
+    await expect(readCFNTemplate(testPath)).rejects.toMatchInlineSnapshot(
+      `[Error: No CloudFormation template found at /this/is/a/test/path.json]`,
+    );
+    fs_mock.existsSync.mockReturnValueOnce(true);
+    fs_mock.statSync.mockReturnValueOnce(({ isFile: false } as unknown) as fs.Stats);
+    await expect(readCFNTemplate(testPath)).rejects.toMatchInlineSnapshot(
+      `[Error: No CloudFormation template found at /this/is/a/test/path.json]`,
+    );
+  });
+
+  it('returns template with json format', async () => {
+    ((fs_mock.readFile as unknown) as jest.MockedFunction<TwoArgReadFile>).mockResolvedValueOnce(jsonContent);
+    const result = await readCFNTemplate(testPath);
+    expect(result.templateFormat).toEqual(CFNTemplateFormat.JSON);
+    expect(result.cfnTemplate).toEqual(testTemplate);
+  });
+
+  it('returns template with yaml format', async () => {
+    ((fs_mock.readFile as unknown) as jest.MockedFunction<TwoArgReadFile>).mockResolvedValueOnce(yamlContent);
+    const result = await readCFNTemplate(testPath);
+    expect(result.templateFormat).toEqual(CFNTemplateFormat.YAML);
+    expect(result.cfnTemplate).toEqual(testTemplate);
+  });
+});
+
+describe('writeCFNTemplate', () => {
+  beforeEach(() => jest.clearAllMocks());
+  it('creates destination if it does not exist', async () => {
+    await writeCFNTemplate(testTemplate, testPath);
+    expect(fs_mock.ensureDir.mock.calls[0][0]).toEqual('/this/is/a/test');
+  });
+
+  it('writes json templates by default', async () => {
+    await writeCFNTemplate(testTemplate, testPath);
+    expect(fs_mock.writeFile.mock.calls[0][0]).toEqual(testPath);
+    expect(fs_mock.writeFile.mock.calls[0][1]).toEqual(jsonContent);
+  });
+
+  it('writes yaml templates if specified', async () => {
+    await writeCFNTemplate(testTemplate, testPath, { templateFormat: CFNTemplateFormat.YAML });
+    expect(fs_mock.writeFile.mock.calls[0][0]).toEqual(testPath);
+    expect(fs_mock.writeFile.mock.calls[0][1]).toEqual(yamlContent);
+  });
+});
diff --git a/packages/amplify-e2e-core/src/utils/sdk-calls.ts b/packages/amplify-e2e-core/src/utils/sdk-calls.ts
index f29210974b7..d0bb81b2e93 100644
--- a/packages/amplify-e2e-core/src/utils/sdk-calls.ts
+++ b/packages/amplify-e2e-core/src/utils/sdk-calls.ts
@@ -42,6 +42,21 @@ export const bucketNotExists = async (bucket: string) => {
   }
 };
 
+export const getBucketEncryption = async (bucket: string) => {
+  const s3 = new S3();
+  const params = {
+    Bucket: bucket,
+  };
+  const result = await s3.getBucketEncryption(params).promise();
+  if (result.$response.error) {
+    throw new Error(result.$response.error.message);
+  }
+  if (!result.$response.data) {
+    throw new Error(`no response data from getBucketEncryption on bucket ${bucket}`);
+  }
+  return result.$response.data;
+};
+
 export const deleteS3Bucket = async (bucket: string) => {
   const s3 = new S3();
   let continuationToken: Required<Pick<S3.ListObjectVersionsOutput, 'KeyMarker' | 'VersionIdMarker'>> = undefined;
diff --git a/packages/amplify-e2e-tests/src/__tests__/s3-sse.test.ts b/packages/amplify-e2e-tests/src/__tests__/s3-sse.test.ts
new file mode 100644
index 00000000000..1fbee2442d8
--- /dev/null
+++ b/packages/amplify-e2e-tests/src/__tests__/s3-sse.test.ts
@@ -0,0 +1,46 @@
+import {
+  addAuthWithDefault,
+  addDEVHosting,
+  addS3,
+  amplifyPushAuth,
+  createNewProjectDir,
+  deleteProject,
+  deleteProjectDir,
+  getBucketEncryption,
+  getProjectMeta,
+  initJSProjectWithProfile,
+} from 'amplify-e2e-core';
+
+describe('amplify always enables SSE on S3 buckets', () => {
+  let projRoot: string;
+  beforeEach(async () => {
+    projRoot = await createNewProjectDir('s3-test');
+  });
+
+  afterEach(async () => {
+    await deleteProject(projRoot);
+    deleteProjectDir(projRoot);
+  });
+  it('enables SSE on the deployment, category and hosting buckets', async () => {
+    // setup
+    await initJSProjectWithProfile(projRoot, {});
+    await addAuthWithDefault(projRoot, {});
+    await addS3(projRoot, {});
+    await addDEVHosting(projRoot);
+    await amplifyPushAuth(projRoot);
+
+    const meta = getProjectMeta(projRoot);
+    const deploymentBucket = meta?.providers?.awscloudformation?.DeploymentBucketName;
+    const hostingBucket = (Object.values(meta?.hosting)?.[0] as any)?.output?.HostingBucketName;
+    const categoryBucket = (Object.values(meta?.storage)?.[0] as any)?.output?.BucketName;
+    expectSSEEnabledForBucket(deploymentBucket);
+    expectSSEEnabledForBucket(hostingBucket);
+    expectSSEEnabledForBucket(categoryBucket);
+  });
+});
+
+const expectSSEEnabledForBucket = async (bucket?: string) => {
+  expect(bucket).toBeDefined();
+  const result = await getBucketEncryption(bucket);
+  expect(result?.ServerSideEncryptionConfiguration?.Rules?.[0]?.ApplyServerSideEncryptionByDefault?.SSEAlgorithm).toBe('AES256');
+};
diff --git a/packages/amplify-provider-awscloudformation/package.json b/packages/amplify-provider-awscloudformation/package.json
index 4552656ad7c..e28c3493b4c 100644
--- a/packages/amplify-provider-awscloudformation/package.json
+++ b/packages/amplify-provider-awscloudformation/package.json
@@ -123,7 +123,7 @@
     "transform": {
       "^.+\\.tsx?$": "ts-jest"
     },
-    "testRegex": "(src/__tests__/.*.test.ts)$",
+    "testRegex": "(src/__tests__/.*.test.(t|j)s)$",
     "moduleFileExtensions": [
       "ts",
       "tsx",
diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/aws-utils/aws-cfn.test.js b/packages/amplify-provider-awscloudformation/src/__tests__/aws-utils/aws-cfn.test.js
index 8e558a90efb..4787a6f4787 100644
--- a/packages/amplify-provider-awscloudformation/src/__tests__/aws-utils/aws-cfn.test.js
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/aws-utils/aws-cfn.test.js
@@ -1,31 +1,41 @@
-const { CloudFormation } = require('../../aws-utils/aws-cfn');
-const columnify = require('columnify');
-
 jest.mock('columnify');
-const cfn = new CloudFormation();
+
+const CloudFormation = require('../../aws-utils/aws-cfn');
+const columnify = require('columnify');
 
 describe('CloudFormation', () => {
-  test('showNewEvents shows events order by Timestamp', () => {
+  test('showNewEvents shows events order by Timestamp', async () => {
+    const cfn = await new CloudFormation();
     const events = [
       {
         StackId: 'test',
-        EventId: 'test',
+        EventId: 'test1',
         StackName: 'test',
         Timestamp: new Date('2021-01-01'),
       },
       {
         StackId: 'test',
-        EventId: 'test',
+        EventId: 'test2',
         StackName: 'test',
         Timestamp: new Date('2020-01-01'),
       },
     ];
     cfn.showNewEvents(events);
-    const times = [{ Timestamp: new Date('2020-01-01').toString() }, { Timestamp: new Date('2021-01-01').toString() }];
     const columns = {
       columns: ['ResourceStatus', 'LogicalResourceId', 'ResourceType', 'Timestamp', 'ResourceStatusReason'],
       showHeaders: false,
     };
-    expect(columnify).toBeCalledWith(times, columns);
+    expect(columnify).toBeCalledTimes(1);
+    expect(columnify.mock.calls[0][0]).toMatchInlineSnapshot(`
+      Array [
+        Object {
+          "Timestamp": "Tue Dec 31 2019 16:00:00 GMT-0800 (Pacific Standard Time)",
+        },
+        Object {
+          "Timestamp": "Thu Dec 31 2020 16:00:00 GMT-0800 (Pacific Standard Time)",
+        },
+      ]
+    `);
+    expect(columnify.mock.calls[0][1]).toEqual(columns);
   });
 });
diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts
new file mode 100644
index 00000000000..606349b6408
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts
@@ -0,0 +1,59 @@
+import { run } from '../initializer';
+import { prePushCfnTemplateModifier } from '../pre-push-cfn-processor/pre-push-cfn-modifier';
+import CloudFormation from '../aws-utils/aws-cfn';
+import * as amplifyServiceManager from '../amplify-service-manager';
+import { JSONUtilities, stateManager } from 'amplify-cli-core';
+
+jest.mock('../pre-push-cfn-processor/pre-push-cfn-modifier');
+jest.mock('../configuration-manager');
+jest.mock('../aws-utils/aws-cfn');
+jest.mock('fs-extra');
+jest.mock('../amplify-service-manager');
+jest.mock('amplify-cli-core');
+
+const CloudFormation_mock = CloudFormation as jest.MockedClass<typeof CloudFormation>;
+const amplifyServiceManager_mock = amplifyServiceManager as jest.Mocked<typeof amplifyServiceManager>;
+const JSONUtilities_mock = JSONUtilities as jest.Mocked<typeof JSONUtilities>;
+const stateManager_mock = stateManager as jest.Mocked<typeof stateManager>;
+
+describe('run', () => {
+  it('transforms the root stack using the pre-push modifier', async () => {
+    // setup
+    const context_stub = {
+      exeInfo: {
+        isNewEnv: true,
+        projectConfig: {
+          projectName: 'test',
+        },
+        localEnvInfo: {
+          envName: 'testenv',
+        },
+        teamProviderInfo: {},
+      },
+      amplify: {
+        getTags: jest.fn(),
+      },
+    };
+    CloudFormation_mock.mockImplementation(
+      () =>
+        (({
+          createResourceStack: jest.fn().mockResolvedValue({
+            Stacks: [
+              {
+                Outputs: [],
+              },
+            ],
+          }),
+        } as unknown) as CloudFormation),
+    );
+    amplifyServiceManager_mock.init.mockResolvedValueOnce({} as any);
+    JSONUtilities_mock.readJson.mockReturnValueOnce({});
+    stateManager_mock.getLocalEnvInfo.mockReturnValueOnce({});
+
+    // execute
+    await run(context_stub);
+
+    // verify
+    expect(prePushCfnTemplateModifier).toBeCalled();
+  });
+});
diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/cfn-pre-processor.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/cfn-pre-processor.test.ts
new file mode 100644
index 00000000000..86f1740b3d4
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/cfn-pre-processor.test.ts
@@ -0,0 +1,56 @@
+import { CFNTemplateFormat, readCFNTemplate, writeCFNTemplate, pathManager } from 'amplify-cli-core';
+import { Template } from 'cloudform-types';
+import { prePushCfnTemplateModifier } from '../../pre-push-cfn-processor/pre-push-cfn-modifier';
+import { preProcessCFNTemplate } from '../../pre-push-cfn-processor/cfn-pre-processor';
+import * as path from 'path';
+
+jest.mock('amplify-cli-core');
+jest.mock('../../pre-push-cfn-processor/pre-push-cfn-modifier');
+
+const readCFNTemplate_mock = readCFNTemplate as jest.MockedFunction<typeof readCFNTemplate>;
+const writeCFNTemplate_mock = writeCFNTemplate as jest.MockedFunction<typeof writeCFNTemplate>;
+const prePushCfnTemplateModifier_mock = prePushCfnTemplateModifier as jest.MockedFunction<typeof prePushCfnTemplateModifier>;
+const pathManager_mock = pathManager as jest.Mocked<typeof pathManager>;
+
+const cfnTemplate = ({
+  test: 'content',
+} as unknown) as Template;
+const templateFormat = CFNTemplateFormat.JSON;
+
+readCFNTemplate_mock.mockResolvedValue({
+  templateFormat,
+  cfnTemplate,
+});
+
+prePushCfnTemplateModifier_mock.mockImplementation(async (template: any) => {
+  template.test = 'modified';
+});
+
+const backendPath = '/project/amplify/backend';
+const resourcePath = 'api/resourceName/cfn-template-name.json';
+
+pathManager_mock.getBackendDirPath.mockReturnValue(backendPath);
+
+describe('preProcessCFNTemplate', () => {
+  beforeEach(jest.clearAllMocks);
+  it('writes the modified template and returns the path', async () => {
+    const newPath = await preProcessCFNTemplate(path.join(backendPath, resourcePath));
+    expect(writeCFNTemplate_mock.mock.calls[0]).toMatchInlineSnapshot(`
+      Array [
+        Object {
+          "test": "modified",
+        },
+        "/project/amplify/backend/awscloudformation/build/api/resourceName/cfn-template-name.json",
+        Object {
+          "templateFormat": "json",
+        },
+      ]
+    `);
+    expect(newPath).toMatchInlineSnapshot(`"/project/amplify/backend/awscloudformation/build/api/resourceName/cfn-template-name.json"`);
+  });
+
+  it('writes to root build directory if path is not within backend dir', async () => {
+    const newPath = await preProcessCFNTemplate(path.join('/something/else', resourcePath));
+    expect(newPath).toMatchInlineSnapshot(`"/project/amplify/backend/awscloudformation/build/cfn-template-name.json"`);
+  });
+});
diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/s3-sse-modifier.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/s3-sse-modifier.test.ts
new file mode 100644
index 00000000000..9fbf76a6911
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/s3-sse-modifier.test.ts
@@ -0,0 +1,36 @@
+import Bucket from 'cloudform-types/types/s3/bucket';
+import _ from 'lodash';
+import { applyS3SSEModification } from '../../../pre-push-cfn-processor/modifiers/s3-sse-modifier';
+
+describe('applyS3SSEModification', () => {
+  it('does not overwrite existing SSE configuration', async () => {
+    const bucketBefore = {
+      Properties: {
+        BucketEncryption: {},
+      },
+    } as Bucket;
+
+    const bucket = _.cloneDeep(bucketBefore);
+
+    applyS3SSEModification(bucket);
+    expect(bucket).toStrictEqual(bucketBefore);
+  });
+
+  it('assigns config when no Parameters were present before', async () => {
+    const bucket = {} as Bucket;
+
+    applyS3SSEModification(bucket);
+
+    expect(bucket.Properties.BucketEncryption).toMatchInlineSnapshot(`
+      BucketEncryption {
+        "ServerSideEncryptionConfiguration": Array [
+          ServerSideEncryptionRule {
+            "ServerSideEncryptionByDefault": ServerSideEncryptionByDefault {
+              "SSEAlgorithm": "AES256",
+            },
+          },
+        ],
+      }
+    `);
+  });
+});
diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/pre-push-cfn-modifier.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/pre-push-cfn-modifier.test.ts
new file mode 100644
index 00000000000..158314f22a6
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/pre-push-cfn-modifier.test.ts
@@ -0,0 +1,43 @@
+import { Template } from 'cloudform-types';
+import { applyS3SSEModification } from '../../pre-push-cfn-processor/modifiers/s3-sse-modifier';
+import { prePushCfnTemplateModifier } from '../../pre-push-cfn-processor/pre-push-cfn-modifier';
+
+jest.mock('../../pre-push-cfn-processor/modifiers/s3-sse-modifier');
+
+const applyS3SSEModification_mock = applyS3SSEModification as jest.MockedFunction<typeof applyS3SSEModification>;
+
+applyS3SSEModification_mock.mockImplementation(async bucket => {
+  bucket.Properties = {};
+  bucket.Properties.something = 'test';
+});
+
+describe('prePushCfnTemplateModifier', () => {
+  it('iterates through template resources and calls the appropriate resource modifier', async () => {
+    const template: Template = {
+      Resources: {
+        TestResource1: {
+          Type: 'AWS::IAM::Role',
+        },
+        TestResource2: {
+          Type: 'AWS::S3::Bucket',
+        },
+      },
+    };
+    await prePushCfnTemplateModifier(template);
+    expect(template).toMatchInlineSnapshot(`
+      Object {
+        "Resources": Object {
+          "TestResource1": Object {
+            "Type": "AWS::IAM::Role",
+          },
+          "TestResource2": Object {
+            "Properties": Object {
+              "something": "test",
+            },
+            "Type": "AWS::S3::Bucket",
+          },
+        },
+      }
+    `);
+  });
+});
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts
index 14d4615c0a2..1bad094eeb5 100644
--- a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/cfn-pre-processor.ts
@@ -1,6 +1,5 @@
 import { pathManager, readCFNTemplate, writeCFNTemplate } from 'amplify-cli-core';
 import * as path from 'path';
-import * as fs from 'fs-extra';
 import { ProviderName as providerName } from '../constants';
 import { prePushCfnTemplateModifier } from './pre-push-cfn-modifier';
 
@@ -21,7 +20,6 @@ export async function preProcessCFNTemplate(filePath: string): Promise<string> {
   const backendDir = pathManager.getBackendDirPath();
   const pathSuffix = filePath.startsWith(backendDir) ? filePath.slice(backendDir.length) : path.parse(filePath).base;
   const newPath = path.join(backendDir, providerName, buildDir, pathSuffix);
-  await fs.ensureDir(path.parse(newPath).dir);
 
   await writeCFNTemplate(cfnTemplate, newPath, { templateFormat });
   return newPath;
diff --git a/packages/amplify-provider-awscloudformation/src/utils/env-level-constructs.ts b/packages/amplify-provider-awscloudformation/src/utils/env-level-constructs.ts
index 86d4f4f9194..a679138e836 100644
--- a/packages/amplify-provider-awscloudformation/src/utils/env-level-constructs.ts
+++ b/packages/amplify-provider-awscloudformation/src/utils/env-level-constructs.ts
@@ -4,6 +4,7 @@ import { S3 } from '../aws-utils/aws-s3';
 import constants from '../constants';
 import { NetworkStack } from '../network/stack';
 import { getEnvironmentNetworkInfo } from '../network/environment-info';
+import { prePushCfnTemplateModifier } from '../pre-push-cfn-processor/pre-push-cfn-modifier';
 
 const { ProviderName: providerName } = constants;
 
@@ -51,6 +52,7 @@ async function createNetworkResources(context: any, stackName: string, needsVpc:
   });
 
   const cfn = stack.toCloudFormation();
+  await prePushCfnTemplateModifier(cfn);
 
   const cfnFile = 'networkingStackTemplate.json';
 

From 61659bc76b6be833d95b7a66f795aa9671e99eae Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Mon, 12 Apr 2021 10:49:26 -0700
Subject: [PATCH 06/35] test: update nondeterministic test

---
 .../src/__tests__/aws-utils/aws-cfn.test.js      | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/aws-utils/aws-cfn.test.js b/packages/amplify-provider-awscloudformation/src/__tests__/aws-utils/aws-cfn.test.js
index 4787a6f4787..756f6990d4a 100644
--- a/packages/amplify-provider-awscloudformation/src/__tests__/aws-utils/aws-cfn.test.js
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/aws-utils/aws-cfn.test.js
@@ -2,6 +2,7 @@ jest.mock('columnify');
 
 const CloudFormation = require('../../aws-utils/aws-cfn');
 const columnify = require('columnify');
+const { times } = require('lodash');
 
 describe('CloudFormation', () => {
   test('showNewEvents shows events order by Timestamp', async () => {
@@ -26,14 +27,15 @@ describe('CloudFormation', () => {
       showHeaders: false,
     };
     expect(columnify).toBeCalledTimes(1);
-    expect(columnify.mock.calls[0][0]).toMatchInlineSnapshot(`
+    const timestamps = columnify.mock.calls[0][0];
+    expect(timestamps.map(obj => Object.keys(obj))).toMatchInlineSnapshot(`
       Array [
-        Object {
-          "Timestamp": "Tue Dec 31 2019 16:00:00 GMT-0800 (Pacific Standard Time)",
-        },
-        Object {
-          "Timestamp": "Thu Dec 31 2020 16:00:00 GMT-0800 (Pacific Standard Time)",
-        },
+        Array [
+          "Timestamp",
+        ],
+        Array [
+          "Timestamp",
+        ],
       ]
     `);
     expect(columnify.mock.calls[0][1]).toEqual(columns);

From 733301dd77fb20a605ab70ec236fdb36d6cd16b8 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Tue, 13 Apr 2021 16:46:45 -0700
Subject: [PATCH 07/35] fix: serialize modifiers and improve test error
 handling

---
 .../amplify-e2e-core/src/utils/sdk-calls.ts   | 12 +++++------
 .../src/__tests__/s3-sse.test.ts              |  8 ++++----
 .../pre-push-cfn-modifier.test.ts             |  1 +
 .../modifiers/s3-sse-modifier.ts              |  1 +
 .../pre-push-cfn-modifier.ts                  | 20 ++++++++++---------
 5 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/packages/amplify-e2e-core/src/utils/sdk-calls.ts b/packages/amplify-e2e-core/src/utils/sdk-calls.ts
index d0bb81b2e93..bd6fb19c25b 100644
--- a/packages/amplify-e2e-core/src/utils/sdk-calls.ts
+++ b/packages/amplify-e2e-core/src/utils/sdk-calls.ts
@@ -47,14 +47,12 @@ export const getBucketEncryption = async (bucket: string) => {
   const params = {
     Bucket: bucket,
   };
-  const result = await s3.getBucketEncryption(params).promise();
-  if (result.$response.error) {
-    throw new Error(result.$response.error.message);
-  }
-  if (!result.$response.data) {
-    throw new Error(`no response data from getBucketEncryption on bucket ${bucket}`);
+  try {
+    const result = await s3.getBucketEncryption(params).promise();
+    return result.ServerSideEncryptionConfiguration;
+  } catch (err) {
+    throw new Error(`Error fetching SSE info for bucket ${bucket}. Underlying error was [${err.message}]`);
   }
-  return result.$response.data;
 };
 
 export const deleteS3Bucket = async (bucket: string) => {
diff --git a/packages/amplify-e2e-tests/src/__tests__/s3-sse.test.ts b/packages/amplify-e2e-tests/src/__tests__/s3-sse.test.ts
index 1fbee2442d8..3228cf2faed 100644
--- a/packages/amplify-e2e-tests/src/__tests__/s3-sse.test.ts
+++ b/packages/amplify-e2e-tests/src/__tests__/s3-sse.test.ts
@@ -33,14 +33,14 @@ describe('amplify always enables SSE on S3 buckets', () => {
     const deploymentBucket = meta?.providers?.awscloudformation?.DeploymentBucketName;
     const hostingBucket = (Object.values(meta?.hosting)?.[0] as any)?.output?.HostingBucketName;
     const categoryBucket = (Object.values(meta?.storage)?.[0] as any)?.output?.BucketName;
-    expectSSEEnabledForBucket(deploymentBucket);
-    expectSSEEnabledForBucket(hostingBucket);
-    expectSSEEnabledForBucket(categoryBucket);
+    await expectSSEEnabledForBucket(deploymentBucket);
+    await expectSSEEnabledForBucket(hostingBucket);
+    await expectSSEEnabledForBucket(categoryBucket);
   });
 });
 
 const expectSSEEnabledForBucket = async (bucket?: string) => {
   expect(bucket).toBeDefined();
   const result = await getBucketEncryption(bucket);
-  expect(result?.ServerSideEncryptionConfiguration?.Rules?.[0]?.ApplyServerSideEncryptionByDefault?.SSEAlgorithm).toBe('AES256');
+  expect(result?.Rules?.[0]?.ApplyServerSideEncryptionByDefault?.SSEAlgorithm).toBe('AES256');
 };
diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/pre-push-cfn-modifier.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/pre-push-cfn-modifier.test.ts
index 158314f22a6..73dd4f1fc19 100644
--- a/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/pre-push-cfn-modifier.test.ts
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/pre-push-cfn-modifier.test.ts
@@ -9,6 +9,7 @@ const applyS3SSEModification_mock = applyS3SSEModification as jest.MockedFunctio
 applyS3SSEModification_mock.mockImplementation(async bucket => {
   bucket.Properties = {};
   bucket.Properties.something = 'test';
+  return bucket;
 });
 
 describe('prePushCfnTemplateModifier', () => {
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts
index ba880a081c7..ac9d7fa3075 100644
--- a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts
@@ -17,4 +17,5 @@ export const applyS3SSEModification: ResourceModifier = async (resource: Bucket)
       }),
     ],
   });
+  return resource;
 };
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
index 15629c9e9c1..430132a6fb4 100644
--- a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
@@ -7,23 +7,25 @@ import { Template } from 'cloudform-types';
 export type TemplateModifier = (template: Template) => Promise<void>;
 
 // modifies the resource in-place
-export type ResourceModifier = (resource: Resource) => Promise<void>;
+export type ResourceModifier = (resource: Resource) => Promise<Resource>;
 
 export const prePushCfnTemplateModifier: TemplateModifier = async template => {
-  await Promise.all(
-    Object.values(template.Resources).map(async resource => {
-      const transformers = getResourceModifiers(resource.Type);
-      await Promise.all(transformers.map(transformer => transformer(resource)));
-    }),
-  );
+  for (const [resourceName, resource] of Object.entries(template.Resources)) {
+    const modifiers = getResourceModifiers(resource.Type);
+    let mutatedResource = _.cloneDeep(resource);
+    for (const modifier of modifiers) {
+      mutatedResource = await modifier(mutatedResource);
+    }
+    template.Resources[resourceName] = mutatedResource;
+  }
 };
 
 const getResourceModifiers = (type: string) => {
-  return _.get(resourceTransformerRegistry, type, [noopResourceTransformer]);
+  return _.get(resourceTransformerRegistry, type, [identityResourceModifier]);
 };
 
 const resourceTransformerRegistry: Record<string, ResourceModifier[]> = {
   'AWS::S3::Bucket': [applyS3SSEModification],
 };
 
-const noopResourceTransformer: ResourceModifier = async () => {};
+const identityResourceModifier: ResourceModifier = async resource => resource;

From 921038e0fe34e2674fb210472f554c5342b95b64 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Tue, 13 Apr 2021 18:46:28 -0700
Subject: [PATCH 08/35] fix: add parameterization to ResourceModifier

---
 .../pre-push-cfn-processor/modifiers/s3-sse-modifier.ts    | 6 +++---
 .../src/pre-push-cfn-processor/pre-push-cfn-modifier.ts    | 7 +++----
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts
index ac9d7fa3075..22a290021a0 100644
--- a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/s3-sse-modifier.ts
@@ -1,9 +1,9 @@
 import Bucket, { BucketEncryption, ServerSideEncryptionByDefault, ServerSideEncryptionRule } from 'cloudform-types/types/s3/bucket';
 import { ResourceModifier } from '../pre-push-cfn-modifier';
 
-export const applyS3SSEModification: ResourceModifier = async (resource: Bucket) => {
-  if (resource.Properties?.BucketEncryption) {
-    return; // don't overwrite existing encryption config if present
+export const applyS3SSEModification: ResourceModifier<Bucket> = async resource => {
+  if (resource?.Properties?.BucketEncryption) {
+    return resource; // don't overwrite existing encryption config if present
   }
   if (!resource.Properties || typeof resource.Properties !== 'object') {
     resource.Properties = {};
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
index 430132a6fb4..fe04db69a18 100644
--- a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
@@ -6,8 +6,7 @@ import { Template } from 'cloudform-types';
 // modifies the template in-place
 export type TemplateModifier = (template: Template) => Promise<void>;
 
-// modifies the resource in-place
-export type ResourceModifier = (resource: Resource) => Promise<Resource>;
+export type ResourceModifier<T extends Resource> = (resource: T) => Promise<T>;
 
 export const prePushCfnTemplateModifier: TemplateModifier = async template => {
   for (const [resourceName, resource] of Object.entries(template.Resources)) {
@@ -24,8 +23,8 @@ const getResourceModifiers = (type: string) => {
   return _.get(resourceTransformerRegistry, type, [identityResourceModifier]);
 };
 
-const resourceTransformerRegistry: Record<string, ResourceModifier[]> = {
+const resourceTransformerRegistry: Record<string, ResourceModifier<Resource>[]> = {
   'AWS::S3::Bucket': [applyS3SSEModification],
 };
 
-const identityResourceModifier: ResourceModifier = async resource => resource;
+const identityResourceModifier: ResourceModifier<Resource> = async resource => resource;

From a71caabd8bf1c3c4370f3fabbd6f556ecdf0a439 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Tue, 13 Apr 2021 18:48:43 -0700
Subject: [PATCH 09/35] fix: add type to sig

---
 .../src/pre-push-cfn-processor/pre-push-cfn-modifier.ts         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
index fe04db69a18..0ccac723c57 100644
--- a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
@@ -19,7 +19,7 @@ export const prePushCfnTemplateModifier: TemplateModifier = async template => {
   }
 };
 
-const getResourceModifiers = (type: string) => {
+const getResourceModifiers = (type: string): ResourceModifier<Resource>[] => {
   return _.get(resourceTransformerRegistry, type, [identityResourceModifier]);
 };
 

From 2a59d5a023e728d606c5a41f8d63a61bd4b69d65 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Tue, 13 Apr 2021 18:53:58 -0700
Subject: [PATCH 10/35] test: update test with new modifier structure

---
 .../modifiers/s3-sse-modifier.test.ts                     | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/s3-sse-modifier.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/s3-sse-modifier.test.ts
index 9fbf76a6911..ada7ecbb040 100644
--- a/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/s3-sse-modifier.test.ts
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/s3-sse-modifier.test.ts
@@ -12,16 +12,16 @@ describe('applyS3SSEModification', () => {
 
     const bucket = _.cloneDeep(bucketBefore);
 
-    applyS3SSEModification(bucket);
-    expect(bucket).toStrictEqual(bucketBefore);
+    const result = await applyS3SSEModification(bucket);
+    expect(result).toStrictEqual(bucketBefore);
   });
 
   it('assigns config when no Parameters were present before', async () => {
     const bucket = {} as Bucket;
 
-    applyS3SSEModification(bucket);
+    const result = await applyS3SSEModification(bucket);
 
-    expect(bucket.Properties.BucketEncryption).toMatchInlineSnapshot(`
+    expect(result.Properties.BucketEncryption).toMatchInlineSnapshot(`
       BucketEncryption {
         "ServerSideEncryptionConfiguration": Array [
           ServerSideEncryptionRule {

From 7561636320135a6c4435206ec827a9469d4f3352 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Wed, 14 Apr 2021 00:09:27 -0700
Subject: [PATCH 11/35] test: fix test

---
 .../pre-push-cfn-processor/pre-push-cfn-modifier.test.ts        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/pre-push-cfn-modifier.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/pre-push-cfn-modifier.test.ts
index 73dd4f1fc19..3066375b8a4 100644
--- a/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/pre-push-cfn-modifier.test.ts
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/pre-push-cfn-modifier.test.ts
@@ -8,7 +8,7 @@ const applyS3SSEModification_mock = applyS3SSEModification as jest.MockedFunctio
 
 applyS3SSEModification_mock.mockImplementation(async bucket => {
   bucket.Properties = {};
-  bucket.Properties.something = 'test';
+  (bucket.Properties as any).something = 'test';
   return bucket;
 });
 

From 2fe418776da7c2f4d5ae83ff026b5a24051bdf6a Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Mon, 12 Apr 2021 17:59:29 -0700
Subject: [PATCH 12/35] feat: add permission boundary to IAM roles

---
 packages/amplify-cli-core/src/index.ts        |  1 +
 .../src/permissionBoundaryState.ts            | 21 +++++++++++++
 .../src/config-steps/c0-analyzeProject.ts     | 18 ++++++-----
 .../src/configuration-manager.ts              | 31 +++++++++++++++++--
 .../iam-role-permission-boundary-modifier.ts  | 14 +++++++++
 .../pre-push-cfn-modifier.ts                  |  2 ++
 6 files changed, 77 insertions(+), 10 deletions(-)
 create mode 100644 packages/amplify-cli-core/src/permissionBoundaryState.ts
 create mode 100644 packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.ts

diff --git a/packages/amplify-cli-core/src/index.ts b/packages/amplify-cli-core/src/index.ts
index 7e6ebdb1b3a..ae89a75ef1f 100644
--- a/packages/amplify-cli-core/src/index.ts
+++ b/packages/amplify-cli-core/src/index.ts
@@ -5,6 +5,7 @@ export * from './cliContext';
 export * from './cliContextEnvironmentProvider';
 export * from './cliEnvironmentProvider';
 export * from './feature-flags';
+export * from './permissionBoundaryState';
 export * from './jsonUtilities';
 export * from './jsonValidationError';
 export * from './serviceSelection';
diff --git a/packages/amplify-cli-core/src/permissionBoundaryState.ts b/packages/amplify-cli-core/src/permissionBoundaryState.ts
new file mode 100644
index 00000000000..29531a716e2
--- /dev/null
+++ b/packages/amplify-cli-core/src/permissionBoundaryState.ts
@@ -0,0 +1,21 @@
+import { JSONUtilities } from './jsonUtilities';
+import { pathManager, stateManager } from './state-manager';
+import _ from 'lodash';
+
+const backendConfigObjectPath = ['providers', 'awscloudformation', 'PermissionBoundaryPolicyArn'];
+
+export const getPermissionBoundaryArn: () => string | undefined = () => {
+  const backendConfig = stateManager.getBackendConfig();
+  return _.get(backendConfig, backendConfigObjectPath) as string | undefined;
+};
+
+export const setPermissionBoundaryArn: (arn?: string) => void = arn => {
+  const backendConfig = stateManager.getBackendConfig();
+  if (!arn) {
+    _.unset(backendConfig, backendConfigObjectPath);
+  } else {
+    _.set(backendConfig, backendConfigObjectPath, arn);
+  }
+  const backendConfigPath = pathManager.getBackendConfigFilePath();
+  JSONUtilities.writeJson(backendConfigPath, backendConfig);
+};
diff --git a/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts b/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts
index 9ac5b3dbcf9..5cf298d4139 100644
--- a/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts
+++ b/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts
@@ -6,7 +6,7 @@ import { getEnvInfo } from '../extensions/amplify-helpers/get-env-info';
 import { displayConfigurationDefaults } from '../init-steps/s0-analyzeProject';
 import { getFrontendPlugins } from '../extensions/amplify-helpers/get-frontend-plugins';
 import { isContainersEnabled } from '../execution-manager';
-import { stateManager } from 'amplify-cli-core';
+import { getPermissionBoundaryArn, stateManager } from 'amplify-cli-core';
 
 export async function analyzeProject(context) {
   context.exeInfo.projectConfig = stateManager.getProjectConfig(undefined, {
@@ -42,14 +42,14 @@ export async function analyzeProject(context) {
     }
   }
 
-  await displayContainersInfo(context);
+  await displayAdvancedSettings(context);
   context.print.info('');
 
   const configurationSetting = await getConfigurationSetting();
 
-  if (configurationSetting === 'containers') {
+  if (configurationSetting === 'advanced') {
     context.exeInfo.inputParams.yes = true;
-    context.exeInfo.inputParams.containerSetting = true;
+    context.exeInfo.inputParams.advanced = true;
   }
   if (configurationSetting === 'profile') {
     context.exeInfo.inputParams.yes = true;
@@ -67,10 +67,12 @@ function displayProfileSetting(context, profileName) {
   context.print.info(`| Selected profile: ${profileName}`);
 }
 
-function displayContainersInfo(context) {
-  context.print.info('Advanced: Container-based deployments');
+function displayAdvancedSettings(context) {
+  context.print.info('Advanced:');
   const containerDeploymentStatus = isContainersEnabled(context) ? 'Yes' : 'No';
   context.print.info(`| Leverage container-based deployments: ${containerDeploymentStatus}`);
+  const permissionBoundaryArnDisplay = getPermissionBoundaryArn() ?? '';
+  context.print.info(`| IAM Role Permission Boundary Policy ARN: ${permissionBoundaryArnDisplay}`);
 }
 
 async function getConfigurationSetting() {
@@ -81,13 +83,13 @@ async function getConfigurationSetting() {
     choices: [
       { name: 'Project information', value: 'project' },
       { name: 'AWS Profile setting', value: 'profile' },
-      { name: 'Advanced: Container-based deployments', value: 'containers' },
+      { name: 'Advanced', value: 'advanced' },
     ],
     default: 'project',
   };
 
   const { configurationSetting } = await inquirer.prompt(configureSettingQuestion);
-  return configurationSetting;
+  return configurationSetting as 'project' | 'profile' | 'advanced';
 }
 
 async function configureProjectName(context) {
diff --git a/packages/amplify-provider-awscloudformation/src/configuration-manager.ts b/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
index da9dad4961a..1c3d1aee631 100644
--- a/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
+++ b/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
@@ -1,4 +1,13 @@
-import { exitOnNextTick, JSONUtilities, pathManager, stateManager, $TSAny, $TSContext } from 'amplify-cli-core';
+import {
+  exitOnNextTick,
+  JSONUtilities,
+  pathManager,
+  stateManager,
+  $TSAny,
+  $TSContext,
+  setPermissionBoundaryArn,
+  getPermissionBoundaryArn,
+} from 'amplify-cli-core';
 import fs from 'fs-extra';
 import chalk from 'chalk';
 import { prompt } from 'inquirer';
@@ -77,8 +86,9 @@ export async function configure(context: $TSContext) {
   context.exeInfo = context.exeInfo || context.amplify.getProjectDetails();
   normalizeInputParams(context);
   context.exeInfo.awsConfigInfo = getCurrentConfig(context);
-  if (context.exeInfo.inputParams.containerSetting) {
+  if (context.exeInfo.inputParams.advanced) {
     await enableServerlessContainers(context);
+    await updatePermissionBoundaryArn(context);
   }
 
   if (context.exeInfo.inputParams.profileSetting) {
@@ -107,6 +117,23 @@ async function enableServerlessContainers(context: $TSContext) {
   context.exeInfo.projectConfig[frontend].config = { ...config, ServerlessContainers };
 }
 
+const updatePermissionBoundaryArn = async (context: $TSContext) => {
+  const { permissionBoundaryArn } = await prompt({
+    type: 'input',
+    name: 'permissionBoundaryArn',
+    message:
+      'Specify an IAM Policy ARN to use as a Permission Boundary for all IAM Roles in the project (leave blank to remove the Permission Boundary configuration):',
+    default: getPermissionBoundaryArn(),
+    validate: context.amplify.inputValidation({
+      operator: 'regex',
+      value: '^(|arn:aws:iam::(d{12}|aws):policy/.+)$',
+      onErrorMsg: 'Specify a valid IAM Policy ARN',
+      required: false,
+    }),
+  });
+  setPermissionBoundaryArn(permissionBoundaryArn);
+};
+
 function doesAwsConfigExists(context: $TSContext) {
   let configExists = false;
   const { envName } = context?.exeInfo?.localEnvInfo || context.amplify.getEnvInfo();
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.ts
new file mode 100644
index 00000000000..861e84c634b
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.ts
@@ -0,0 +1,14 @@
+import { getPermissionBoundaryArn } from 'amplify-cli-core';
+import Role from 'cloudform-types/types/iam/role';
+import { ResourceModifier } from '../pre-push-cfn-modifier';
+
+export const iamRolePermissionBoundaryModifier: ResourceModifier = async (resource: Role) => {
+  if (resource?.Properties?.PermissionsBoundary) {
+    return; // don't modify an existing permission boundary
+  }
+  const policyArn = getPermissionBoundaryArn();
+  if (!policyArn) {
+    return; // exit if no permission boundary specified
+  }
+  resource.Properties.PermissionsBoundary = policyArn;
+};
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
index 0ccac723c57..c87aeaeded4 100644
--- a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
@@ -2,6 +2,7 @@ import Resource from 'cloudform-types/types/resource';
 import _ from 'lodash';
 import { applyS3SSEModification } from './modifiers/s3-sse-modifier';
 import { Template } from 'cloudform-types';
+import { iamRolePermissionBoundaryModifier } from './modifiers/iam-role-permission-boundary-modifier';
 
 // modifies the template in-place
 export type TemplateModifier = (template: Template) => Promise<void>;
@@ -25,6 +26,7 @@ const getResourceModifiers = (type: string): ResourceModifier<Resource>[] => {
 
 const resourceTransformerRegistry: Record<string, ResourceModifier<Resource>[]> = {
   'AWS::S3::Bucket': [applyS3SSEModification],
+  'AWS::IAM::Role': [iamRolePermissionBoundaryModifier],
 };
 
 const identityResourceModifier: ResourceModifier<Resource> = async resource => resource;

From abba2a2578de74ee218fbe58ea5d7e05bb347d10 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Wed, 14 Apr 2021 13:11:06 -0700
Subject: [PATCH 13/35] fix: update iam role modifier

---
 packages/amplify-cli-core/src/permissionBoundaryState.ts | 9 +++++++--
 .../modifiers/iam-role-permission-boundary-modifier.ts   | 7 ++++---
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/packages/amplify-cli-core/src/permissionBoundaryState.ts b/packages/amplify-cli-core/src/permissionBoundaryState.ts
index 29531a716e2..60c36331679 100644
--- a/packages/amplify-cli-core/src/permissionBoundaryState.ts
+++ b/packages/amplify-cli-core/src/permissionBoundaryState.ts
@@ -5,8 +5,13 @@ import _ from 'lodash';
 const backendConfigObjectPath = ['providers', 'awscloudformation', 'PermissionBoundaryPolicyArn'];
 
 export const getPermissionBoundaryArn: () => string | undefined = () => {
-  const backendConfig = stateManager.getBackendConfig();
-  return _.get(backendConfig, backendConfigObjectPath) as string | undefined;
+  try {
+    const backendConfig = stateManager.getBackendConfig();
+    return _.get(backendConfig, backendConfigObjectPath) as string | undefined;
+  } catch (err) {
+    // uninitialized project
+    return undefined;
+  }
 };
 
 export const setPermissionBoundaryArn: (arn?: string) => void = arn => {
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.ts
index 861e84c634b..d170978a44a 100644
--- a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.ts
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.ts
@@ -2,13 +2,14 @@ import { getPermissionBoundaryArn } from 'amplify-cli-core';
 import Role from 'cloudform-types/types/iam/role';
 import { ResourceModifier } from '../pre-push-cfn-modifier';
 
-export const iamRolePermissionBoundaryModifier: ResourceModifier = async (resource: Role) => {
+export const iamRolePermissionBoundaryModifier: ResourceModifier<Role> = async resource => {
   if (resource?.Properties?.PermissionsBoundary) {
-    return; // don't modify an existing permission boundary
+    return resource; // don't modify an existing permission boundary
   }
   const policyArn = getPermissionBoundaryArn();
   if (!policyArn) {
-    return; // exit if no permission boundary specified
+    return resource; // exit if no permission boundary specified
   }
   resource.Properties.PermissionsBoundary = policyArn;
+  return resource;
 };

From 838f7dcd7bd1112ac3cd7d486c9320e152333bd4 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Tue, 20 Apr 2021 15:29:30 -0700
Subject: [PATCH 14/35] test: add e2e test for perm bound

---
 .circleci/config.yml                          | 70 +++++++++++++------
 .../src/permissionBoundaryState.ts            |  3 +-
 .../src/config-steps/c0-analyzeProject.ts     |  2 +-
 .../amplify-e2e-core/src/configure/index.ts   |  8 ++-
 .../amplify-e2e-core/src/utils/sdk-calls.ts   |  5 ++
 .../__tests__/iam-permission-boundary.test.ts | 40 +++++++++++
 6 files changed, 104 insertions(+), 24 deletions(-)
 create mode 100644 packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 78e67df177f..a0b24fd25af 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1119,6 +1119,14 @@ jobs:
     environment:
       TEST_SUITE: src/__tests__/migration/node.function.test.ts
       CLI_REGION: eu-west-2
+  iam-permission-boundary-amplify_e2e_tests:
+    working_directory: ~/repo
+    docker: *ref_1
+    resource_class: large
+    steps: *ref_4
+    environment:
+      TEST_SUITE: src/__tests__/iam-permission-boundary.test.ts
+      CLI_REGION: eu-central-1
   function_5-amplify_e2e_tests:
     working_directory: ~/repo
     docker: *ref_1
@@ -1126,7 +1134,7 @@ jobs:
     steps: *ref_4
     environment:
       TEST_SUITE: src/__tests__/function_5.test.ts
-      CLI_REGION: eu-central-1
+      CLI_REGION: ap-northeast-1
   configure-project-amplify_e2e_tests:
     working_directory: ~/repo
     docker: *ref_1
@@ -1134,7 +1142,7 @@ jobs:
     steps: *ref_4
     environment:
       TEST_SUITE: src/__tests__/configure-project.test.ts
-      CLI_REGION: ap-northeast-1
+      CLI_REGION: ap-southeast-1
   api_4-amplify_e2e_tests:
     working_directory: ~/repo
     docker: *ref_1
@@ -1142,7 +1150,7 @@ jobs:
     steps: *ref_4
     environment:
       TEST_SUITE: src/__tests__/api_4.test.ts
-      CLI_REGION: ap-southeast-1
+      CLI_REGION: ap-southeast-2
   schema-iterative-update-4-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
     docker: *ref_1
@@ -1803,6 +1811,16 @@ jobs:
       TEST_SUITE: src/__tests__/migration/node.function.test.ts
       CLI_REGION: eu-west-2
     steps: *ref_5
+  iam-permission-boundary-amplify_e2e_tests_pkg_linux:
+    working_directory: ~/repo
+    docker: *ref_1
+    resource_class: large
+    environment:
+      AMPLIFY_DIR: /home/circleci/repo/out
+      AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
+      TEST_SUITE: src/__tests__/iam-permission-boundary.test.ts
+      CLI_REGION: eu-central-1
+    steps: *ref_5
   function_5-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
     docker: *ref_1
@@ -1811,7 +1829,7 @@ jobs:
       AMPLIFY_DIR: /home/circleci/repo/out
       AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
       TEST_SUITE: src/__tests__/function_5.test.ts
-      CLI_REGION: eu-central-1
+      CLI_REGION: ap-northeast-1
     steps: *ref_5
   configure-project-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
@@ -1821,7 +1839,7 @@ jobs:
       AMPLIFY_DIR: /home/circleci/repo/out
       AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
       TEST_SUITE: src/__tests__/configure-project.test.ts
-      CLI_REGION: ap-northeast-1
+      CLI_REGION: ap-southeast-1
     steps: *ref_5
   api_4-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
@@ -1831,7 +1849,7 @@ jobs:
       AMPLIFY_DIR: /home/circleci/repo/out
       AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
       TEST_SUITE: src/__tests__/api_4.test.ts
-      CLI_REGION: ap-southeast-1
+      CLI_REGION: ap-southeast-2
     steps: *ref_5
 workflows:
   version: 2
@@ -1944,19 +1962,19 @@ workflows:
             - predictions-amplify_e2e_tests
             - schema-predictions-amplify_e2e_tests
             - amplify-configure-amplify_e2e_tests
-            - function_5-amplify_e2e_tests
+            - iam-permission-boundary-amplify_e2e_tests
             - containers-api-amplify_e2e_tests
             - interactions-amplify_e2e_tests
             - datastore-modelgen-amplify_e2e_tests
-            - configure-project-amplify_e2e_tests
+            - function_5-amplify_e2e_tests
             - schema-iterative-update-2-amplify_e2e_tests
             - schema-data-access-patterns-amplify_e2e_tests
             - init-special-case-amplify_e2e_tests
-            - api_4-amplify_e2e_tests
-            - auth_1-amplify_e2e_tests
+            - configure-project-amplify_e2e_tests
             - feature-flags-amplify_e2e_tests
             - schema-versioned-amplify_e2e_tests
             - plugin-amplify_e2e_tests
+            - api_4-amplify_e2e_tests
       - done_with_pkg_linux_e2e_tests:
           requires:
             - schema-key-amplify_e2e_tests_pkg_linux
@@ -1974,19 +1992,19 @@ workflows:
             - predictions-amplify_e2e_tests_pkg_linux
             - schema-predictions-amplify_e2e_tests_pkg_linux
             - amplify-configure-amplify_e2e_tests_pkg_linux
-            - function_5-amplify_e2e_tests_pkg_linux
+            - iam-permission-boundary-amplify_e2e_tests_pkg_linux
             - containers-api-amplify_e2e_tests_pkg_linux
             - interactions-amplify_e2e_tests_pkg_linux
             - datastore-modelgen-amplify_e2e_tests_pkg_linux
-            - configure-project-amplify_e2e_tests_pkg_linux
+            - function_5-amplify_e2e_tests_pkg_linux
             - schema-iterative-update-2-amplify_e2e_tests_pkg_linux
             - schema-data-access-patterns-amplify_e2e_tests_pkg_linux
             - init-special-case-amplify_e2e_tests_pkg_linux
-            - api_4-amplify_e2e_tests_pkg_linux
-            - auth_1-amplify_e2e_tests_pkg_linux
+            - configure-project-amplify_e2e_tests_pkg_linux
             - feature-flags-amplify_e2e_tests_pkg_linux
             - schema-versioned-amplify_e2e_tests_pkg_linux
             - plugin-amplify_e2e_tests_pkg_linux
+            - api_4-amplify_e2e_tests_pkg_linux
       - amplify_migration_tests_latest:
           context:
             - amplify-ecr-image-pull
@@ -2339,7 +2357,7 @@ workflows:
           filters: *ref_9
           requires:
             - auth_4-amplify_e2e_tests
-      - function_5-amplify_e2e_tests:
+      - iam-permission-boundary-amplify_e2e_tests:
           context: *ref_7
           post-steps: *ref_8
           filters: *ref_9
@@ -2399,7 +2417,7 @@ workflows:
           filters: *ref_9
           requires:
             - migration-api-key-migration1-amplify_e2e_tests
-      - configure-project-amplify_e2e_tests:
+      - function_5-amplify_e2e_tests:
           context: *ref_7
           post-steps: *ref_8
           filters: *ref_9
@@ -2459,7 +2477,7 @@ workflows:
           filters: *ref_9
           requires:
             - layer-amplify_e2e_tests
-      - api_4-amplify_e2e_tests:
+      - configure-project-amplify_e2e_tests:
           context: *ref_7
           post-steps: *ref_8
           filters: *ref_9
@@ -2519,6 +2537,12 @@ workflows:
           filters: *ref_9
           requires:
             - auth_3-amplify_e2e_tests
+      - api_4-amplify_e2e_tests:
+          context: *ref_7
+          post-steps: *ref_8
+          filters: *ref_9
+          requires:
+            - auth_1-amplify_e2e_tests
       - schema-iterative-update-4-amplify_e2e_tests_pkg_linux:
           context: &ref_10
             - amplify-ecr-image-pull
@@ -2777,7 +2801,7 @@ workflows:
           filters: *ref_12
           requires:
             - auth_4-amplify_e2e_tests_pkg_linux
-      - function_5-amplify_e2e_tests_pkg_linux:
+      - iam-permission-boundary-amplify_e2e_tests_pkg_linux:
           context: *ref_10
           post-steps: *ref_11
           filters: *ref_12
@@ -2841,7 +2865,7 @@ workflows:
           filters: *ref_12
           requires:
             - migration-api-key-migration1-amplify_e2e_tests_pkg_linux
-      - configure-project-amplify_e2e_tests_pkg_linux:
+      - function_5-amplify_e2e_tests_pkg_linux:
           context: *ref_10
           post-steps: *ref_11
           filters: *ref_12
@@ -2905,7 +2929,7 @@ workflows:
           filters: *ref_12
           requires:
             - layer-amplify_e2e_tests_pkg_linux
-      - api_4-amplify_e2e_tests_pkg_linux:
+      - configure-project-amplify_e2e_tests_pkg_linux:
           context: *ref_10
           post-steps: *ref_11
           filters: *ref_12
@@ -2969,3 +2993,9 @@ workflows:
           filters: *ref_12
           requires:
             - auth_3-amplify_e2e_tests_pkg_linux
+      - api_4-amplify_e2e_tests_pkg_linux:
+          context: *ref_10
+          post-steps: *ref_11
+          filters: *ref_12
+          requires:
+            - auth_1-amplify_e2e_tests_pkg_linux
diff --git a/packages/amplify-cli-core/src/permissionBoundaryState.ts b/packages/amplify-cli-core/src/permissionBoundaryState.ts
index 60c36331679..dadbb558e7f 100644
--- a/packages/amplify-cli-core/src/permissionBoundaryState.ts
+++ b/packages/amplify-cli-core/src/permissionBoundaryState.ts
@@ -21,6 +21,5 @@ export const setPermissionBoundaryArn: (arn?: string) => void = arn => {
   } else {
     _.set(backendConfig, backendConfigObjectPath, arn);
   }
-  const backendConfigPath = pathManager.getBackendConfigFilePath();
-  JSONUtilities.writeJson(backendConfigPath, backendConfig);
+  stateManager.setBackendConfig(undefined, backendConfig);
 };
diff --git a/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts b/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts
index 5cf298d4139..07a5d83ea97 100644
--- a/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts
+++ b/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts
@@ -68,7 +68,7 @@ function displayProfileSetting(context, profileName) {
 }
 
 function displayAdvancedSettings(context) {
-  context.print.info('Advanced:');
+  context.print.info('Advanced');
   const containerDeploymentStatus = isContainersEnabled(context) ? 'Yes' : 'No';
   context.print.info(`| Leverage container-based deployments: ${containerDeploymentStatus}`);
   const permissionBoundaryArnDisplay = getPermissionBoundaryArn() ?? '';
diff --git a/packages/amplify-e2e-core/src/configure/index.ts b/packages/amplify-e2e-core/src/configure/index.ts
index de3d29e534f..67fda17ad4f 100644
--- a/packages/amplify-e2e-core/src/configure/index.ts
+++ b/packages/amplify-e2e-core/src/configure/index.ts
@@ -28,7 +28,7 @@ export const amplifyRegions = [
   'ca-central-1',
 ];
 
-const configurationOptions = ['Project information', 'AWS Profile setting', 'Advanced: Container-based deployments'];
+const configurationOptions = ['Project information', 'AWS Profile setting', 'Advanced'];
 const profileOptions = ['No', 'Update AWS Profile', 'Remove AWS Profile'];
 const authenticationOptions = ['AWS profile', 'AWS access keys'];
 
@@ -82,6 +82,7 @@ export function amplifyConfigureProject(settings: {
   profileOption?: string;
   authenticationOption?: string;
   region?: string;
+  permissionBoundaryArn?: string;
 }): Promise<void> {
   const {
     cwd,
@@ -90,6 +91,7 @@ export function amplifyConfigureProject(settings: {
     authenticationOption,
     configLevel = 'project',
     region = defaultSettings.region,
+    permissionBoundaryArn,
   } = settings;
 
   return new Promise((resolve, reject) => {
@@ -98,6 +100,10 @@ export function amplifyConfigureProject(settings: {
     if (enableContainers) {
       singleSelect(chain, configurationOptions[2], configurationOptions);
       chain.wait('Do you want to enable container-based deployments?').sendConfirmYes();
+    } else if (permissionBoundaryArn !== undefined) {
+      singleSelect(chain, configurationOptions[2], configurationOptions);
+      chain.wait('Do you want to enable container-based deployments?').sendConfirmNo();
+      chain.wait('Specify an IAM Policy ARN to use as a Permission Boundary').sendLine(permissionBoundaryArn);
     } else {
       singleSelect(chain, configurationOptions[1], configurationOptions);
 
diff --git a/packages/amplify-e2e-core/src/utils/sdk-calls.ts b/packages/amplify-e2e-core/src/utils/sdk-calls.ts
index 964d7598287..00b585d0542 100644
--- a/packages/amplify-e2e-core/src/utils/sdk-calls.ts
+++ b/packages/amplify-e2e-core/src/utils/sdk-calls.ts
@@ -310,3 +310,8 @@ export const listAttachedRolePolicies = async (roleName: string, region: string)
   const service = new IAM({ region });
   return (await service.listAttachedRolePolicies({ RoleName: roleName }).promise()).AttachedPolicies;
 };
+
+export const getPermissionBoundary = async (roleName: string, region) => {
+  const iamClient = new IAM({ region });
+  return (await iamClient.getRole({ RoleName: roleName }).promise())?.Role?.PermissionsBoundary?.PermissionsBoundaryArn;
+};
diff --git a/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts b/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts
new file mode 100644
index 00000000000..1cb03898a91
--- /dev/null
+++ b/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts
@@ -0,0 +1,40 @@
+import {
+  addFunction,
+  amplifyConfigureProject,
+  amplifyPushAuth,
+  createNewProjectDir,
+  deleteProject,
+  deleteProjectDir,
+  getPermissionBoundary,
+  getProjectMeta,
+  initJSProjectWithProfile,
+} from 'amplify-e2e-core';
+import { addSimpleFunction } from '../schema-api-directives/functionTester';
+
+// Using a random AWS managed policy as a permission boundary
+const permissionBoundaryArn = 'arn:aws:iam::aws:policy/AlexaForBusinessFullAccess';
+
+describe('iam permission boundary', () => {
+  let projRoot: string;
+  beforeEach(async () => {
+    projRoot = await createNewProjectDir('init');
+  });
+
+  afterEach(async () => {
+    await deleteProject(projRoot);
+    deleteProjectDir(projRoot);
+  });
+  test('permission boundary is applied to roles created by the CLI', async () => {
+    await initJSProjectWithProfile(projRoot, {});
+    await amplifyConfigureProject({ cwd: projRoot, permissionBoundaryArn });
+    // adding a function isn't strictly part of the test, it just causes the project to have changes to push
+    await addFunction(projRoot, { functionTemplate: 'Hello World' }, 'nodejs');
+    await amplifyPushAuth(projRoot);
+    const meta = getProjectMeta(projRoot);
+    const authRoleName = meta?.providers?.awscloudformation?.AuthRoleName;
+    const region = meta?.providers?.awscloudformation?.Region;
+
+    const actualPermBoundary = await getPermissionBoundary(authRoleName, region);
+    expect(actualPermBoundary).toEqual(permissionBoundaryArn);
+  });
+});

From 08d81a50cd8f95c596c784ac2f8e9dbc680eccae Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Tue, 20 Apr 2021 16:15:03 -0700
Subject: [PATCH 15/35] test: add unit tests for perm bound modifier

---
 .../src/permissionBoundaryState.ts            |  3 +-
 ...-role-permission-boundary-modifier.test.ts | 41 +++++++++++++++++++
 2 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.test.ts

diff --git a/packages/amplify-cli-core/src/permissionBoundaryState.ts b/packages/amplify-cli-core/src/permissionBoundaryState.ts
index dadbb558e7f..c6e16bd9496 100644
--- a/packages/amplify-cli-core/src/permissionBoundaryState.ts
+++ b/packages/amplify-cli-core/src/permissionBoundaryState.ts
@@ -1,5 +1,4 @@
-import { JSONUtilities } from './jsonUtilities';
-import { pathManager, stateManager } from './state-manager';
+import { stateManager } from './state-manager';
 import _ from 'lodash';
 
 const backendConfigObjectPath = ['providers', 'awscloudformation', 'PermissionBoundaryPolicyArn'];
diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.test.ts
new file mode 100644
index 00000000000..94fdedaf227
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.test.ts
@@ -0,0 +1,41 @@
+import { getPermissionBoundaryArn } from 'amplify-cli-core';
+import Role from 'cloudform-types/types/iam/role';
+import _ from 'lodash';
+import { iamRolePermissionBoundaryModifier } from '../../../pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier';
+
+jest.mock('amplify-cli-core');
+
+const getPermissionBoundaryArn_mock = getPermissionBoundaryArn as jest.MockedFunction<typeof getPermissionBoundaryArn>;
+
+describe('iamRolePermissionBoundaryModifier', () => {
+  it('does not overwrite existing permission boundary', async () => {
+    const origResource = {
+      Properties: {
+        PermissionsBoundary: 'something',
+      },
+    } as Role;
+    const newResource = await iamRolePermissionBoundaryModifier(_.cloneDeep(origResource));
+    expect(newResource).toEqual(origResource);
+  });
+
+  it('does not modify the resource if no policy arn is specified', async () => {
+    const origResource = {
+      Type: 'something',
+      Properties: {},
+    } as Role;
+    getPermissionBoundaryArn_mock.mockReturnValue(undefined);
+    const newResource = await iamRolePermissionBoundaryModifier(_.cloneDeep(origResource));
+    expect(newResource).toEqual(origResource);
+  });
+
+  it('applies the specified policy arn', async () => {
+    const origResource = {
+      Type: 'something',
+      Properties: {},
+    } as Role;
+    const testPermissionBoundaryArn = 'testPermissionBoundaryArn';
+    getPermissionBoundaryArn_mock.mockReturnValue(testPermissionBoundaryArn);
+    const newResource = await iamRolePermissionBoundaryModifier(_.cloneDeep(origResource));
+    expect(newResource.Properties.PermissionsBoundary).toEqual(testPermissionBoundaryArn);
+  });
+});

From da7a4e7d86730fdb95853ffdfe27fcd7dcb6124a Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Wed, 21 Apr 2021 12:26:53 -0700
Subject: [PATCH 16/35] fix: fix regex

---
 .../src/configuration-manager.ts                                | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/amplify-provider-awscloudformation/src/configuration-manager.ts b/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
index 1a660f1d39d..28bd0ef6571 100644
--- a/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
+++ b/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
@@ -128,7 +128,7 @@ const updatePermissionBoundaryArn = async (context: $TSContext) => {
     default: getPermissionBoundaryArn(),
     validate: context.amplify.inputValidation({
       operator: 'regex',
-      value: '^(|arn:aws:iam::(d{12}|aws):policy/.+)$',
+      value: '^(|arn:aws:iam::(\\d{12}|aws):policy/.+)$',
       onErrorMsg: 'Specify a valid IAM Policy ARN',
       required: false,
     }),

From f51ebdd8fa289ebc7acf5ba6c6fba029b80ece25 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Thu, 29 Apr 2021 13:59:17 -0700
Subject: [PATCH 17/35] feat: switch to env-specific config

---
 .../src/permissionBoundaryState.ts            | 14 +++++-----
 .../amplify-cli/src/commands/env/update.ts    |  6 +++++
 .../src/config-steps/c0-analyzeProject.ts     | 12 ++++-----
 .../amplify-helpers/get-provider-plugins.ts   | 20 ++++++++++++--
 .../amplify-e2e-core/src/configure/index.ts   |  8 +-----
 .../__tests__/iam-permission-boundary.test.ts |  5 ++--
 .../amplify-e2e-tests/src/environment/env.ts  |  9 +++++++
 .../src/configuration-manager.ts              | 20 +-------------
 .../src/index.ts                              |  2 ++
 .../src/update-env.ts                         | 27 +++++++++++++++++++
 10 files changed, 78 insertions(+), 45 deletions(-)
 create mode 100644 packages/amplify-cli/src/commands/env/update.ts
 create mode 100644 packages/amplify-provider-awscloudformation/src/update-env.ts

diff --git a/packages/amplify-cli-core/src/permissionBoundaryState.ts b/packages/amplify-cli-core/src/permissionBoundaryState.ts
index c6e16bd9496..8c99c011a7e 100644
--- a/packages/amplify-cli-core/src/permissionBoundaryState.ts
+++ b/packages/amplify-cli-core/src/permissionBoundaryState.ts
@@ -1,12 +1,12 @@
 import { stateManager } from './state-manager';
 import _ from 'lodash';
 
-const backendConfigObjectPath = ['providers', 'awscloudformation', 'PermissionBoundaryPolicyArn'];
+const teamProviderInfoObjectPath = () => [stateManager.getLocalEnvInfo().envName, 'awscloudformation', 'PermissionBoundaryPolicyArn'];
 
 export const getPermissionBoundaryArn: () => string | undefined = () => {
   try {
-    const backendConfig = stateManager.getBackendConfig();
-    return _.get(backendConfig, backendConfigObjectPath) as string | undefined;
+    const teamProviderInfo = stateManager.getTeamProviderInfo();
+    return _.get(teamProviderInfo, teamProviderInfoObjectPath()) as string | undefined;
   } catch (err) {
     // uninitialized project
     return undefined;
@@ -14,11 +14,11 @@ export const getPermissionBoundaryArn: () => string | undefined = () => {
 };
 
 export const setPermissionBoundaryArn: (arn?: string) => void = arn => {
-  const backendConfig = stateManager.getBackendConfig();
+  const teamProviderInfo = stateManager.getTeamProviderInfo();
   if (!arn) {
-    _.unset(backendConfig, backendConfigObjectPath);
+    _.unset(teamProviderInfo, teamProviderInfoObjectPath());
   } else {
-    _.set(backendConfig, backendConfigObjectPath, arn);
+    _.set(teamProviderInfo, teamProviderInfoObjectPath(), arn);
   }
-  stateManager.setBackendConfig(undefined, backendConfig);
+  stateManager.setTeamProviderInfo(undefined, teamProviderInfo);
 };
diff --git a/packages/amplify-cli/src/commands/env/update.ts b/packages/amplify-cli/src/commands/env/update.ts
new file mode 100644
index 00000000000..0d314b150b4
--- /dev/null
+++ b/packages/amplify-cli/src/commands/env/update.ts
@@ -0,0 +1,6 @@
+import { $TSContext } from 'amplify-cli-core';
+import { executeProviderCommand } from '../../extensions/amplify-helpers/get-provider-plugins';
+
+export const run = async (context: $TSContext) => {
+  return executeProviderCommand(context, 'updateEnv');
+};
diff --git a/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts b/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts
index 07a5d83ea97..2a2540b35c4 100644
--- a/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts
+++ b/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts
@@ -47,9 +47,9 @@ export async function analyzeProject(context) {
 
   const configurationSetting = await getConfigurationSetting();
 
-  if (configurationSetting === 'advanced') {
+  if (configurationSetting === 'containers') {
     context.exeInfo.inputParams.yes = true;
-    context.exeInfo.inputParams.advanced = true;
+    context.exeInfo.inputParams.containerSetting = true;
   }
   if (configurationSetting === 'profile') {
     context.exeInfo.inputParams.yes = true;
@@ -68,11 +68,9 @@ function displayProfileSetting(context, profileName) {
 }
 
 function displayAdvancedSettings(context) {
-  context.print.info('Advanced');
+  context.print.info('Advanced: Container-based deployments');
   const containerDeploymentStatus = isContainersEnabled(context) ? 'Yes' : 'No';
   context.print.info(`| Leverage container-based deployments: ${containerDeploymentStatus}`);
-  const permissionBoundaryArnDisplay = getPermissionBoundaryArn() ?? '';
-  context.print.info(`| IAM Role Permission Boundary Policy ARN: ${permissionBoundaryArnDisplay}`);
 }
 
 async function getConfigurationSetting() {
@@ -83,13 +81,13 @@ async function getConfigurationSetting() {
     choices: [
       { name: 'Project information', value: 'project' },
       { name: 'AWS Profile setting', value: 'profile' },
-      { name: 'Advanced', value: 'advanced' },
+      { name: 'Advanced: Container-based deployments', value: 'containers' },
     ],
     default: 'project',
   };
 
   const { configurationSetting } = await inquirer.prompt(configureSettingQuestion);
-  return configurationSetting as 'project' | 'profile' | 'advanced';
+  return configurationSetting as 'project' | 'profile' | 'containers';
 }
 
 async function configureProjectName(context) {
diff --git a/packages/amplify-cli/src/extensions/amplify-helpers/get-provider-plugins.ts b/packages/amplify-cli/src/extensions/amplify-helpers/get-provider-plugins.ts
index 8b393ef1e43..d3c4d70eb52 100644
--- a/packages/amplify-cli/src/extensions/amplify-helpers/get-provider-plugins.ts
+++ b/packages/amplify-cli/src/extensions/amplify-helpers/get-provider-plugins.ts
@@ -1,6 +1,7 @@
-import { $TSContext } from 'amplify-cli-core';
+import { $TSContext, stateManager } from 'amplify-cli-core';
+import _ from 'lodash';
 
-export function getProviderPlugins(context: $TSContext) {
+export function getProviderPlugins(context: $TSContext): Record<string, string> {
   const providers = {};
   context.runtime.plugins.forEach(plugin => {
     if (plugin.pluginType === 'provider') {
@@ -9,3 +10,18 @@ export function getProviderPlugins(context: $TSContext) {
   });
   return providers;
 }
+
+export const getConfiguredProviders = (context: $TSContext) => {
+  const configuredProviders = stateManager.getProjectConfig()?.providers;
+  if (!Array.isArray(configuredProviders) || configuredProviders.length < 1) {
+    throw new Error('No providers are configured for the project');
+  }
+  return _.pick(getProviderPlugins(context), configuredProviders) as Record<string, string>;
+};
+
+export const executeProviderCommand = async (context: $TSContext, command: string, addtlArgs: any[] = []) => {
+  const providers = await Promise.all(Object.values(getConfiguredProviders(context)).map(providerPath => import(providerPath)));
+  return Promise.all(
+    providers.filter(provider => typeof provider?.[command] === 'function').map(provider => provider[command](context, ...addtlArgs)),
+  );
+};
diff --git a/packages/amplify-e2e-core/src/configure/index.ts b/packages/amplify-e2e-core/src/configure/index.ts
index 67fda17ad4f..de3d29e534f 100644
--- a/packages/amplify-e2e-core/src/configure/index.ts
+++ b/packages/amplify-e2e-core/src/configure/index.ts
@@ -28,7 +28,7 @@ export const amplifyRegions = [
   'ca-central-1',
 ];
 
-const configurationOptions = ['Project information', 'AWS Profile setting', 'Advanced'];
+const configurationOptions = ['Project information', 'AWS Profile setting', 'Advanced: Container-based deployments'];
 const profileOptions = ['No', 'Update AWS Profile', 'Remove AWS Profile'];
 const authenticationOptions = ['AWS profile', 'AWS access keys'];
 
@@ -82,7 +82,6 @@ export function amplifyConfigureProject(settings: {
   profileOption?: string;
   authenticationOption?: string;
   region?: string;
-  permissionBoundaryArn?: string;
 }): Promise<void> {
   const {
     cwd,
@@ -91,7 +90,6 @@ export function amplifyConfigureProject(settings: {
     authenticationOption,
     configLevel = 'project',
     region = defaultSettings.region,
-    permissionBoundaryArn,
   } = settings;
 
   return new Promise((resolve, reject) => {
@@ -100,10 +98,6 @@ export function amplifyConfigureProject(settings: {
     if (enableContainers) {
       singleSelect(chain, configurationOptions[2], configurationOptions);
       chain.wait('Do you want to enable container-based deployments?').sendConfirmYes();
-    } else if (permissionBoundaryArn !== undefined) {
-      singleSelect(chain, configurationOptions[2], configurationOptions);
-      chain.wait('Do you want to enable container-based deployments?').sendConfirmNo();
-      chain.wait('Specify an IAM Policy ARN to use as a Permission Boundary').sendLine(permissionBoundaryArn);
     } else {
       singleSelect(chain, configurationOptions[1], configurationOptions);
 
diff --git a/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts b/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts
index 1cb03898a91..4c6762b5917 100644
--- a/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts
+++ b/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts
@@ -1,6 +1,5 @@
 import {
   addFunction,
-  amplifyConfigureProject,
   amplifyPushAuth,
   createNewProjectDir,
   deleteProject,
@@ -9,7 +8,7 @@ import {
   getProjectMeta,
   initJSProjectWithProfile,
 } from 'amplify-e2e-core';
-import { addSimpleFunction } from '../schema-api-directives/functionTester';
+import { updateEnvironment } from '../environment/env';
 
 // Using a random AWS managed policy as a permission boundary
 const permissionBoundaryArn = 'arn:aws:iam::aws:policy/AlexaForBusinessFullAccess';
@@ -26,7 +25,7 @@ describe('iam permission boundary', () => {
   });
   test('permission boundary is applied to roles created by the CLI', async () => {
     await initJSProjectWithProfile(projRoot, {});
-    await amplifyConfigureProject({ cwd: projRoot, permissionBoundaryArn });
+    await updateEnvironment(projRoot, { permissionBoundaryArn });
     // adding a function isn't strictly part of the test, it just causes the project to have changes to push
     await addFunction(projRoot, { functionTemplate: 'Hello World' }, 'nodejs');
     await amplifyPushAuth(projRoot);
diff --git a/packages/amplify-e2e-tests/src/environment/env.ts b/packages/amplify-e2e-tests/src/environment/env.ts
index ed3f4ad7cce..f49a522623b 100644
--- a/packages/amplify-e2e-tests/src/environment/env.ts
+++ b/packages/amplify-e2e-tests/src/environment/env.ts
@@ -26,6 +26,15 @@ export function addEnvironment(cwd: string, settings: { envName: string; numLaye
   });
 }
 
+export function updateEnvironment(cwd: string, settings: { permissionBoundaryArn: string }) {
+  return new Promise<void>((resolve, reject) => {
+    spawn(getCLIPath(), ['env', 'update'], { cwd, stripColors: true })
+      .wait('Specify an IAM Policy ARN')
+      .sendLine(settings.permissionBoundaryArn)
+      .run((err: Error) => (!!err ? reject(err) : resolve()));
+  });
+}
+
 export function addEnvironmentWithImportedAuth(cwd: string, settings: { envName: string; currentEnvName: string }): Promise<void> {
   return new Promise((resolve, reject) => {
     spawn(getCLIPath(), ['env', 'add'], { cwd, stripColors: true })
diff --git a/packages/amplify-provider-awscloudformation/src/configuration-manager.ts b/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
index 28bd0ef6571..04b5f891c0e 100644
--- a/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
+++ b/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
@@ -88,9 +88,8 @@ export async function configure(context: $TSContext) {
   context.exeInfo = context.exeInfo || context.amplify.getProjectDetails();
   normalizeInputParams(context);
   context.exeInfo.awsConfigInfo = getCurrentConfig(context);
-  if (context.exeInfo.inputParams.advanced) {
+  if (context.exeInfo.inputParams.containerSetting) {
     await enableServerlessContainers(context);
-    await updatePermissionBoundaryArn(context);
   }
 
   if (context.exeInfo.inputParams.profileSetting) {
@@ -119,23 +118,6 @@ async function enableServerlessContainers(context: $TSContext) {
   context.exeInfo.projectConfig[frontend].config = { ...config, ServerlessContainers };
 }
 
-const updatePermissionBoundaryArn = async (context: $TSContext) => {
-  const { permissionBoundaryArn } = await prompt({
-    type: 'input',
-    name: 'permissionBoundaryArn',
-    message:
-      'Specify an IAM Policy ARN to use as a Permission Boundary for all IAM Roles in the project (leave blank to remove the Permission Boundary configuration):',
-    default: getPermissionBoundaryArn(),
-    validate: context.amplify.inputValidation({
-      operator: 'regex',
-      value: '^(|arn:aws:iam::(\\d{12}|aws):policy/.+)$',
-      onErrorMsg: 'Specify a valid IAM Policy ARN',
-      required: false,
-    }),
-  });
-  setPermissionBoundaryArn(permissionBoundaryArn);
-};
-
 function doesAwsConfigExists(context: $TSContext) {
   let configExists = false;
   const { envName } = context?.exeInfo?.localEnvInfo || context.amplify.getEnvInfo();
diff --git a/packages/amplify-provider-awscloudformation/src/index.ts b/packages/amplify-provider-awscloudformation/src/index.ts
index 330c66c131a..2e2a26892ac 100644
--- a/packages/amplify-provider-awscloudformation/src/index.ts
+++ b/packages/amplify-provider-awscloudformation/src/index.ts
@@ -28,6 +28,7 @@ import { loadConfigurationForEnv } from './configuration-manager';
 
 export { resolveAppId } from './utils/resolve-appId';
 export { loadConfigurationForEnv } from './configuration-manager';
+import { updateEnv } from './update-env';
 
 function init(context) {
   return initializer.run(context);
@@ -135,4 +136,5 @@ module.exports = {
   createDynamoDBService,
   resolveAppId,
   loadConfigurationForEnv,
+  updateEnv,
 };
diff --git a/packages/amplify-provider-awscloudformation/src/update-env.ts b/packages/amplify-provider-awscloudformation/src/update-env.ts
new file mode 100644
index 00000000000..cd293a7d8fd
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/update-env.ts
@@ -0,0 +1,27 @@
+import { $TSContext, getPermissionBoundaryArn, setPermissionBoundaryArn, stateManager } from 'amplify-cli-core';
+import { prompt } from 'inquirer';
+
+export type UpdateEnvRequest = {
+  env: string;
+};
+
+export const updateEnv = async (context: $TSContext) => {
+  await updatePermissionBoundaryArn(context);
+};
+
+const updatePermissionBoundaryArn = async (context: $TSContext) => {
+  const { envName } = stateManager.getLocalEnvInfo();
+  const { permissionBoundaryArn } = await prompt({
+    type: 'input',
+    name: 'permissionBoundaryArn',
+    message: `Specify an IAM Policy ARN to use as a Permission Boundary for all IAM Roles in the ${envName} environment (leave blank to remove the Permission Boundary configuration):`,
+    default: getPermissionBoundaryArn(),
+    validate: context.amplify.inputValidation({
+      operator: 'regex',
+      value: '^(|arn:aws:iam::(\\d{12}|aws):policy/.+)$',
+      onErrorMsg: 'Specify a valid IAM Policy ARN',
+      required: false,
+    }),
+  });
+  setPermissionBoundaryArn(permissionBoundaryArn);
+};

From afbc857f5504eaf975fc182fe69d088f512ef5dc Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Fri, 30 Apr 2021 10:53:02 -0700
Subject: [PATCH 18/35] chore: dumping env perm bound changes

---
 .../src/permissionBoundaryState.ts            | 12 ++--
 .../src/aws-utils/aws-iam.ts                  | 20 +++++++
 .../permission-boundary.ts                    | 55 +++++++++++++++++++
 .../src/update-env.ts                         | 23 +-------
 4 files changed, 86 insertions(+), 24 deletions(-)
 create mode 100644 packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts
 create mode 100644 packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts

diff --git a/packages/amplify-cli-core/src/permissionBoundaryState.ts b/packages/amplify-cli-core/src/permissionBoundaryState.ts
index 8c99c011a7e..25fe2cdbcd6 100644
--- a/packages/amplify-cli-core/src/permissionBoundaryState.ts
+++ b/packages/amplify-cli-core/src/permissionBoundaryState.ts
@@ -1,7 +1,11 @@
 import { stateManager } from './state-manager';
 import _ from 'lodash';
 
-const teamProviderInfoObjectPath = () => [stateManager.getLocalEnvInfo().envName, 'awscloudformation', 'PermissionBoundaryPolicyArn'];
+const teamProviderInfoObjectPath = (env?: string) => [
+  env || (stateManager.getLocalEnvInfo().envName as string),
+  'awscloudformation',
+  'PermissionBoundaryPolicyArn',
+];
 
 export const getPermissionBoundaryArn: () => string | undefined = () => {
   try {
@@ -13,12 +17,12 @@ export const getPermissionBoundaryArn: () => string | undefined = () => {
   }
 };
 
-export const setPermissionBoundaryArn: (arn?: string) => void = arn => {
+export const setPermissionBoundaryArn = (arn?: string, env?: string): void => {
   const teamProviderInfo = stateManager.getTeamProviderInfo();
   if (!arn) {
-    _.unset(teamProviderInfo, teamProviderInfoObjectPath());
+    _.unset(teamProviderInfo, teamProviderInfoObjectPath(env));
   } else {
-    _.set(teamProviderInfo, teamProviderInfoObjectPath(), arn);
+    _.set(teamProviderInfo, teamProviderInfoObjectPath(env), arn);
   }
   stateManager.setTeamProviderInfo(undefined, teamProviderInfo);
 };
diff --git a/packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts b/packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts
new file mode 100644
index 00000000000..65065afbd23
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts
@@ -0,0 +1,20 @@
+import aws from './aws.js';
+import awstype from 'aws-sdk';
+import { IAM } from 'aws-sdk';
+import { AwsSdkConfig } from '../utils/auth-types.js';
+
+let instance: IAM;
+
+export const getInstance = async (sdkConfigProvider: () => Promise<AwsSdkConfig>) => {
+  if (instance) {
+    return instance;
+  }
+  let cred = {};
+  try {
+    cred = await sdkConfigProvider();
+  } catch (err) {
+    // ignore error
+  }
+  instance = new (aws as typeof awstype).IAM({ ...cred });
+  return instance;
+};
diff --git a/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts b/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
new file mode 100644
index 00000000000..09367499f08
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
@@ -0,0 +1,55 @@
+import { $TSContext, stateManager, getPermissionBoundaryArn, setPermissionBoundaryArn } from 'amplify-cli-core';
+import { prompt } from 'inquirer';
+import { getInstance as getIAMClient } from '../aws-utils/aws-iam';
+import { loadConfiguration } from '../configuration-manager';
+
+export const permissionBoundaryPrompt = async (context: $TSContext): Promise<string> => {
+  const { envName } = stateManager.getLocalEnvInfo();
+  const { permissionBoundaryArn } = await prompt<{ permissionBoundaryArn: string }>({
+    type: 'input',
+    name: 'permissionBoundaryArn',
+    message: `Specify an IAM Policy ARN to use as a Permission Boundary for all IAM Roles in the ${envName} environment (leave blank to remove the Permission Boundary configuration):`,
+    default: getPermissionBoundaryArn(),
+    validate: context.amplify.inputValidation({
+      operator: 'regex',
+      value: '^(|arn:aws:iam::(\\d{12}|aws):policy/.+)$',
+      onErrorMsg: 'Specify a valid IAM Policy ARN',
+      required: false,
+    }),
+  });
+  return permissionBoundaryArn;
+};
+
+/**
+ * This function expects to be called during the env add flow BEFORE the local-env-info file is overwritten with the new env
+ * (ie when it still contains info on the previous env)
+ * context.exeInfo.localEnvInfo.envName is expected to have the new env name
+ */
+export const rolloverPermissionBoundaryToNewEnvironment = async (context: $TSContext) => {
+  const newEnv = context.exeInfo.localEnvInfo.envName;
+  const currBoundary = getPermissionBoundaryArn();
+  if (!currBoundary) {
+    return; // if current env doesn't have a permission boundary, don't do anything
+  }
+  if (await isPolicyAccessible(context, currBoundary)) {
+    setPermissionBoundaryArn(currBoundary, newEnv);
+    context.print.info(
+      `Permission Boundary ${currBoundary} has automatically been applied to this environment. To modify this, run \`amplify env update\`.`,
+    );
+    return;
+  }
+  // previous policy is not accessible in the new environment
+  context.print.warning(`Permission Boundary ${currBoundary} cannot be applied to resources in this environment.`);
+  setPermissionBoundaryArn(await permissionBoundaryPrompt(context), newEnv);
+};
+
+const isPolicyAccessible = async (context: $TSContext, policyArn: string) => {
+  const iamClient = await getIAMClient(() => loadConfiguration(context));
+  try {
+    await iamClient.getPolicy({ PolicyArn: policyArn }).promise();
+  } catch (err) {
+    // if there's an error, then the policy wasn't accessible
+    return false;
+  }
+  return true;
+};
diff --git a/packages/amplify-provider-awscloudformation/src/update-env.ts b/packages/amplify-provider-awscloudformation/src/update-env.ts
index cd293a7d8fd..d748461d6b1 100644
--- a/packages/amplify-provider-awscloudformation/src/update-env.ts
+++ b/packages/amplify-provider-awscloudformation/src/update-env.ts
@@ -1,27 +1,10 @@
-import { $TSContext, getPermissionBoundaryArn, setPermissionBoundaryArn, stateManager } from 'amplify-cli-core';
-import { prompt } from 'inquirer';
+import { $TSContext, setPermissionBoundaryArn } from 'amplify-cli-core';
+import { permissionBoundaryPrompt } from './permission-boundary/permission-boundary';
 
 export type UpdateEnvRequest = {
   env: string;
 };
 
 export const updateEnv = async (context: $TSContext) => {
-  await updatePermissionBoundaryArn(context);
-};
-
-const updatePermissionBoundaryArn = async (context: $TSContext) => {
-  const { envName } = stateManager.getLocalEnvInfo();
-  const { permissionBoundaryArn } = await prompt({
-    type: 'input',
-    name: 'permissionBoundaryArn',
-    message: `Specify an IAM Policy ARN to use as a Permission Boundary for all IAM Roles in the ${envName} environment (leave blank to remove the Permission Boundary configuration):`,
-    default: getPermissionBoundaryArn(),
-    validate: context.amplify.inputValidation({
-      operator: 'regex',
-      value: '^(|arn:aws:iam::(\\d{12}|aws):policy/.+)$',
-      onErrorMsg: 'Specify a valid IAM Policy ARN',
-      required: false,
-    }),
-  });
-  setPermissionBoundaryArn(permissionBoundaryArn);
+  setPermissionBoundaryArn(await permissionBoundaryPrompt(context));
 };

From 70f85c4f1e48aa08a258cdf2d2b5148fc24f2134 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Tue, 4 May 2021 21:04:48 -0700
Subject: [PATCH 19/35] feat: fixup env-specific config and add headless
 support

---
 packages/amplify-cli-core/src/index.ts        |  2 +-
 .../src/permissionBoundaryState.ts            | 38 +++++++--
 .../amplify-helpers/get-provider-plugins.ts   |  4 +-
 .../src/initializer.js                        |  8 +-
 .../permission-boundary.ts                    | 81 ++++++++++++++++---
 .../src/update-env.ts                         |  6 +-
 packages/amplify-util-mock/src/func/index.ts  |  2 +-
 7 files changed, 112 insertions(+), 29 deletions(-)

diff --git a/packages/amplify-cli-core/src/index.ts b/packages/amplify-cli-core/src/index.ts
index 93dbf333e28..d9a1ee8375f 100644
--- a/packages/amplify-cli-core/src/index.ts
+++ b/packages/amplify-cli-core/src/index.ts
@@ -182,7 +182,7 @@ interface AmplifyToolkit {
   getResourceStatus: (category?: $TSAny, resourceName?: $TSAny, providerName?: $TSAny, filteredResources?: $TSAny) => $TSAny;
   getResourceOutputs: () => $TSAny;
   getWhen: () => $TSAny;
-  inputValidation: (input: $TSAny) => $TSAny;
+  inputValidation: (input: $TSAny) => (value: $TSAny) => boolean | string;
   listCategories: () => $TSAny;
   makeId: (n?: number) => string;
   openEditor: () => $TSAny;
diff --git a/packages/amplify-cli-core/src/permissionBoundaryState.ts b/packages/amplify-cli-core/src/permissionBoundaryState.ts
index 25fe2cdbcd6..850375baaf9 100644
--- a/packages/amplify-cli-core/src/permissionBoundaryState.ts
+++ b/packages/amplify-cli-core/src/permissionBoundaryState.ts
@@ -1,5 +1,6 @@
 import { stateManager } from './state-manager';
 import _ from 'lodash';
+import { $TSObject } from '.';
 
 const teamProviderInfoObjectPath = (env?: string) => [
   env || (stateManager.getLocalEnvInfo().envName as string),
@@ -7,22 +8,43 @@ const teamProviderInfoObjectPath = (env?: string) => [
   'PermissionBoundaryPolicyArn',
 ];
 
-export const getPermissionBoundaryArn: () => string | undefined = () => {
+export const getPermissionBoundaryArn = (env?: string): string | undefined => {
   try {
-    const teamProviderInfo = stateManager.getTeamProviderInfo();
-    return _.get(teamProviderInfo, teamProviderInfoObjectPath()) as string | undefined;
+    const teamProviderInfo = (global as any).preInitTeamProviderInfo ?? stateManager.getTeamProviderInfo();
+    return _.get(teamProviderInfo, teamProviderInfoObjectPath(env)) as string | undefined;
   } catch (err) {
     // uninitialized project
     return undefined;
   }
 };
 
-export const setPermissionBoundaryArn = (arn?: string, env?: string): void => {
-  const teamProviderInfo = stateManager.getTeamProviderInfo();
+/**
+ * Stores the permission boundary ARN in team-provider-info
+ * If teamProviderInfo is not specified, the file is read, updated and written back to disk
+ * If teamProviderInfo is specified, then this function assumes that the env is not initialized
+ *    In this case, the teamProviderInfo object is updated but not written to disk. Instead "preInitTeamProviderInfo" is set
+ *    so that subsequent calls to getPermissionBoundaryArn will return the permission boundary arn of the pre-initialized env
+ * @param arn The permission boundary arn. If undefined or empty, the permission boundary is removed
+ * @param env The Amplify env to update. If not specified, defaults to the current checked out environment
+ * @param teamProviderInfo The team-provider-info object to update
+ */
+export const setPermissionBoundaryArn = (arn?: string, env?: string, teamProviderInfo?: $TSObject): void => {
+  let tpiGetter = () => stateManager.getTeamProviderInfo();
+  let tpiSetter = (tpi: $TSObject) => {
+    stateManager.setTeamProviderInfo(undefined, tpi);
+    delete (global as any).preInitTeamProviderInfo; // avoids a potential edge case where set permissions is called again w/o tpi
+  };
+  if (teamProviderInfo) {
+    tpiGetter = () => teamProviderInfo;
+    tpiSetter = (tpi: $TSObject) => {
+      (global as any).preInitTeamProviderInfo = tpi;
+    };
+  }
+  const tpi = tpiGetter();
   if (!arn) {
-    _.unset(teamProviderInfo, teamProviderInfoObjectPath(env));
+    _.unset(tpi, teamProviderInfoObjectPath(env));
   } else {
-    _.set(teamProviderInfo, teamProviderInfoObjectPath(env), arn);
+    _.set(tpi, teamProviderInfoObjectPath(env), arn);
   }
-  stateManager.setTeamProviderInfo(undefined, teamProviderInfo);
+  tpiSetter(tpi);
 };
diff --git a/packages/amplify-cli/src/extensions/amplify-helpers/get-provider-plugins.ts b/packages/amplify-cli/src/extensions/amplify-helpers/get-provider-plugins.ts
index d3c4d70eb52..48dc53c3bb0 100644
--- a/packages/amplify-cli/src/extensions/amplify-helpers/get-provider-plugins.ts
+++ b/packages/amplify-cli/src/extensions/amplify-helpers/get-provider-plugins.ts
@@ -19,9 +19,9 @@ export const getConfiguredProviders = (context: $TSContext) => {
   return _.pick(getProviderPlugins(context), configuredProviders) as Record<string, string>;
 };
 
-export const executeProviderCommand = async (context: $TSContext, command: string, addtlArgs: any[] = []) => {
+export const executeProviderCommand = async (context: $TSContext, command: string, args: any[] = []) => {
   const providers = await Promise.all(Object.values(getConfiguredProviders(context)).map(providerPath => import(providerPath)));
   return Promise.all(
-    providers.filter(provider => typeof provider?.[command] === 'function').map(provider => provider[command](context, ...addtlArgs)),
+    providers.filter(provider => typeof provider?.[command] === 'function').map(provider => provider[command](context, ...args)),
   );
 };
diff --git a/packages/amplify-provider-awscloudformation/src/initializer.js b/packages/amplify-provider-awscloudformation/src/initializer.js
index bb18f3aa0e8..6ca6b96f3f1 100644
--- a/packages/amplify-provider-awscloudformation/src/initializer.js
+++ b/packages/amplify-provider-awscloudformation/src/initializer.js
@@ -15,6 +15,8 @@ const amplifyServiceMigrate = require('./amplify-service-migrate');
 const { fileLogger } = require('./utils/aws-logger');
 const { prePushCfnTemplateModifier } = require('./pre-push-cfn-processor/pre-push-cfn-modifier');
 const logger = fileLogger('attach-backend');
+const { configurePermissionBoundaryForInit } = require('./permission-boundary/permission-boundary');
+const _ = require('lodash');
 
 async function run(context) {
   await configurationManager.init(context);
@@ -27,6 +29,8 @@ async function run(context) {
     let stackName = normalizeStackName(`amplify-${projectName}-${envName}-${timeStamp}`);
     const awsConfig = await configurationManager.getAwsConfig(context);
 
+    await configurePermissionBoundaryForInit(context);
+
     const amplifyServiceParams = {
       context,
       awsConfig,
@@ -121,8 +125,8 @@ function processStackCreationData(context, amplifyAppId, stackDescriptiondata) {
 
   if (context.exeInfo.isNewEnv) {
     const { envName } = context.exeInfo.localEnvInfo;
-    context.exeInfo.teamProviderInfo[envName] = {};
-    context.exeInfo.teamProviderInfo[envName][constants.ProviderName] = metadata;
+    const existingProviderTPI = _.get(context.exeInfo.teamProviderInfo, [envName, constants.ProviderName]);
+    _.set(context.exeInfo.teamProviderInfo, [envName, constants.ProviderName], { ...existingProviderTPI, ...metadata });
   }
 }
 
diff --git a/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts b/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
index 09367499f08..4264c688b7c 100644
--- a/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
+++ b/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
@@ -3,19 +3,72 @@ import { prompt } from 'inquirer';
 import { getInstance as getIAMClient } from '../aws-utils/aws-iam';
 import { loadConfiguration } from '../configuration-manager';
 
-export const permissionBoundaryPrompt = async (context: $TSContext): Promise<string> => {
-  const { envName } = stateManager.getLocalEnvInfo();
+export const configurePermissionBoundaryForExistingEnv = async (context: $TSContext) => {
+  setPermissionBoundaryArn(await permissionBoundarySupplier(context));
+};
+
+export const configurePermissionBoundaryForInit = async (context: $TSContext) => {
+  const envName = context.exeInfo.localEnvInfo.envName; // the new environment name
+  if (context?.exeInfo?.isNewProject) {
+    // amplify init
+    // on init flow, set the permission boundary if specified in a cmd line arg, but don't prompt for it
+    setPermissionBoundaryArn(
+      await permissionBoundarySupplier(context, { doPrompt: false, envNameSupplier: () => envName }),
+      envName,
+      context.exeInfo.teamProviderInfo,
+    );
+  } else {
+    // amplfiy env add
+    await rolloverPermissionBoundaryToNewEnvironment(context);
+  }
+};
+
+const permissionBoundarySupplierDefaultOptions = {
+  required: false,
+  doPrompt: true,
+  envNameSupplier: (): string => stateManager.getLocalEnvInfo().envName,
+};
+
+/**
+ * Supplies a permission boundary ARN by first checking headless parameters, then falling back to a CLI prompt
+ * @param context CLI context object
+ * @param options Additional options to control the supplier
+ * @returns string, the permission boundary ARN or an empty string
+ */
+const permissionBoundarySupplier = async (
+  context: $TSContext,
+  options?: Partial<typeof permissionBoundarySupplierDefaultOptions>,
+): Promise<string> => {
+  const { required, doPrompt, envNameSupplier } = { ...permissionBoundarySupplierDefaultOptions, ...options };
+  const headlessPermissionBoundary = context?.input?.options?.['permission-boundary'];
+
+  const validate = context.amplify.inputValidation({
+    operator: 'regex',
+    value: '^(|arn:aws:iam::(\\d{12}|aws):policy/.+)$',
+    onErrorMsg: 'Specify a valid IAM Policy ARN',
+    required: true,
+  });
+
+  if (typeof headlessPermissionBoundary === 'string') {
+    if (validate(headlessPermissionBoundary)) {
+      console.log(`${headlessPermissionBoundary} passed validation`);
+      return headlessPermissionBoundary;
+    } else {
+      context.print.error('The Permission Boundary ARN specified is not a valid IAM Policy ARN');
+    }
+  }
+
+  const isYes = context?.input?.options?.yes;
+  if (required && (isYes || !doPrompt)) {
+    throw new Error('A Permission Boundary ARN must be specified using --permission-boundary');
+  }
+  const envName = envNameSupplier();
   const { permissionBoundaryArn } = await prompt<{ permissionBoundaryArn: string }>({
     type: 'input',
     name: 'permissionBoundaryArn',
     message: `Specify an IAM Policy ARN to use as a Permission Boundary for all IAM Roles in the ${envName} environment (leave blank to remove the Permission Boundary configuration):`,
-    default: getPermissionBoundaryArn(),
-    validate: context.amplify.inputValidation({
-      operator: 'regex',
-      value: '^(|arn:aws:iam::(\\d{12}|aws):policy/.+)$',
-      onErrorMsg: 'Specify a valid IAM Policy ARN',
-      required: false,
-    }),
+    default: getPermissionBoundaryArn(envName),
+    validate,
   });
   return permissionBoundaryArn;
 };
@@ -25,14 +78,14 @@ export const permissionBoundaryPrompt = async (context: $TSContext): Promise<str
  * (ie when it still contains info on the previous env)
  * context.exeInfo.localEnvInfo.envName is expected to have the new env name
  */
-export const rolloverPermissionBoundaryToNewEnvironment = async (context: $TSContext) => {
+const rolloverPermissionBoundaryToNewEnvironment = async (context: $TSContext) => {
   const newEnv = context.exeInfo.localEnvInfo.envName;
   const currBoundary = getPermissionBoundaryArn();
   if (!currBoundary) {
     return; // if current env doesn't have a permission boundary, don't do anything
   }
   if (await isPolicyAccessible(context, currBoundary)) {
-    setPermissionBoundaryArn(currBoundary, newEnv);
+    setPermissionBoundaryArn(currBoundary, newEnv, context.exeInfo.teamProviderInfo);
     context.print.info(
       `Permission Boundary ${currBoundary} has automatically been applied to this environment. To modify this, run \`amplify env update\`.`,
     );
@@ -40,7 +93,11 @@ export const rolloverPermissionBoundaryToNewEnvironment = async (context: $TSCon
   }
   // previous policy is not accessible in the new environment
   context.print.warning(`Permission Boundary ${currBoundary} cannot be applied to resources in this environment.`);
-  setPermissionBoundaryArn(await permissionBoundaryPrompt(context), newEnv);
+  setPermissionBoundaryArn(
+    await permissionBoundarySupplier(context, { required: true, envNameSupplier: () => newEnv }),
+    newEnv,
+    context.exeInfo.teamProviderInfo,
+  );
 };
 
 const isPolicyAccessible = async (context: $TSContext, policyArn: string) => {
diff --git a/packages/amplify-provider-awscloudformation/src/update-env.ts b/packages/amplify-provider-awscloudformation/src/update-env.ts
index d748461d6b1..3416b1ecf62 100644
--- a/packages/amplify-provider-awscloudformation/src/update-env.ts
+++ b/packages/amplify-provider-awscloudformation/src/update-env.ts
@@ -1,10 +1,10 @@
-import { $TSContext, setPermissionBoundaryArn } from 'amplify-cli-core';
-import { permissionBoundaryPrompt } from './permission-boundary/permission-boundary';
+import { $TSContext } from 'amplify-cli-core';
+import { configurePermissionBoundaryForExistingEnv } from './permission-boundary/permission-boundary';
 
 export type UpdateEnvRequest = {
   env: string;
 };
 
 export const updateEnv = async (context: $TSContext) => {
-  setPermissionBoundaryArn(await permissionBoundaryPrompt(context));
+  await configurePermissionBoundaryForExistingEnv(context);
 };
diff --git a/packages/amplify-util-mock/src/func/index.ts b/packages/amplify-util-mock/src/func/index.ts
index 567de06936e..408dc20b5fd 100644
--- a/packages/amplify-util-mock/src/func/index.ts
+++ b/packages/amplify-util-mock/src/func/index.ts
@@ -100,7 +100,7 @@ const resolveEvent = async (context: $TSContext, resourceName: string): Promise<
     const validatorOutput = eventNameValidator(eventName);
     const isValid = typeof validatorOutput !== 'string';
     if (!isValid) {
-      context.print.warning(validatorOutput);
+      context.print.warning(validatorOutput as string);
     } else {
       promptForEvent = false;
     }

From 0e0999045eb60f60f4ec8faaa06c1b000f48a35f Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Wed, 5 May 2021 10:34:47 -0700
Subject: [PATCH 20/35] chore: cleaning up things

---
 .../amplify-cli-core/src/permissionBoundaryState.ts  | 12 ++++++------
 packages/amplify-cli/src/commands/env/update.ts      |  2 +-
 .../src/config-steps/c0-analyzeProject.ts            |  8 ++++----
 .../amplify-helpers/get-provider-plugins.ts          |  4 ++--
 .../src/aws-utils/aws-iam.ts                         |  2 +-
 .../src/permission-boundary/permission-boundary.ts   |  3 +--
 .../src/update-env.ts                                |  4 ----
 7 files changed, 15 insertions(+), 20 deletions(-)

diff --git a/packages/amplify-cli-core/src/permissionBoundaryState.ts b/packages/amplify-cli-core/src/permissionBoundaryState.ts
index 850375baaf9..e3149e1ebbe 100644
--- a/packages/amplify-cli-core/src/permissionBoundaryState.ts
+++ b/packages/amplify-cli-core/src/permissionBoundaryState.ts
@@ -2,12 +2,6 @@ import { stateManager } from './state-manager';
 import _ from 'lodash';
 import { $TSObject } from '.';
 
-const teamProviderInfoObjectPath = (env?: string) => [
-  env || (stateManager.getLocalEnvInfo().envName as string),
-  'awscloudformation',
-  'PermissionBoundaryPolicyArn',
-];
-
 export const getPermissionBoundaryArn = (env?: string): string | undefined => {
   try {
     const teamProviderInfo = (global as any).preInitTeamProviderInfo ?? stateManager.getTeamProviderInfo();
@@ -48,3 +42,9 @@ export const setPermissionBoundaryArn = (arn?: string, env?: string, teamProvide
   }
   tpiSetter(tpi);
 };
+
+const teamProviderInfoObjectPath = (env?: string) => [
+  env || (stateManager.getLocalEnvInfo().envName as string),
+  'awscloudformation',
+  'PermissionBoundaryPolicyArn',
+];
diff --git a/packages/amplify-cli/src/commands/env/update.ts b/packages/amplify-cli/src/commands/env/update.ts
index 0d314b150b4..27b785451d1 100644
--- a/packages/amplify-cli/src/commands/env/update.ts
+++ b/packages/amplify-cli/src/commands/env/update.ts
@@ -2,5 +2,5 @@ import { $TSContext } from 'amplify-cli-core';
 import { executeProviderCommand } from '../../extensions/amplify-helpers/get-provider-plugins';
 
 export const run = async (context: $TSContext) => {
-  return executeProviderCommand(context, 'updateEnv');
+  await executeProviderCommand(context, 'updateEnv');
 };
diff --git a/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts b/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts
index 2a2540b35c4..9ac5b3dbcf9 100644
--- a/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts
+++ b/packages/amplify-cli/src/config-steps/c0-analyzeProject.ts
@@ -6,7 +6,7 @@ import { getEnvInfo } from '../extensions/amplify-helpers/get-env-info';
 import { displayConfigurationDefaults } from '../init-steps/s0-analyzeProject';
 import { getFrontendPlugins } from '../extensions/amplify-helpers/get-frontend-plugins';
 import { isContainersEnabled } from '../execution-manager';
-import { getPermissionBoundaryArn, stateManager } from 'amplify-cli-core';
+import { stateManager } from 'amplify-cli-core';
 
 export async function analyzeProject(context) {
   context.exeInfo.projectConfig = stateManager.getProjectConfig(undefined, {
@@ -42,7 +42,7 @@ export async function analyzeProject(context) {
     }
   }
 
-  await displayAdvancedSettings(context);
+  await displayContainersInfo(context);
   context.print.info('');
 
   const configurationSetting = await getConfigurationSetting();
@@ -67,7 +67,7 @@ function displayProfileSetting(context, profileName) {
   context.print.info(`| Selected profile: ${profileName}`);
 }
 
-function displayAdvancedSettings(context) {
+function displayContainersInfo(context) {
   context.print.info('Advanced: Container-based deployments');
   const containerDeploymentStatus = isContainersEnabled(context) ? 'Yes' : 'No';
   context.print.info(`| Leverage container-based deployments: ${containerDeploymentStatus}`);
@@ -87,7 +87,7 @@ async function getConfigurationSetting() {
   };
 
   const { configurationSetting } = await inquirer.prompt(configureSettingQuestion);
-  return configurationSetting as 'project' | 'profile' | 'containers';
+  return configurationSetting;
 }
 
 async function configureProjectName(context) {
diff --git a/packages/amplify-cli/src/extensions/amplify-helpers/get-provider-plugins.ts b/packages/amplify-cli/src/extensions/amplify-helpers/get-provider-plugins.ts
index 48dc53c3bb0..f6eba9e70c7 100644
--- a/packages/amplify-cli/src/extensions/amplify-helpers/get-provider-plugins.ts
+++ b/packages/amplify-cli/src/extensions/amplify-helpers/get-provider-plugins.ts
@@ -19,9 +19,9 @@ export const getConfiguredProviders = (context: $TSContext) => {
   return _.pick(getProviderPlugins(context), configuredProviders) as Record<string, string>;
 };
 
-export const executeProviderCommand = async (context: $TSContext, command: string, args: any[] = []) => {
+export const executeProviderCommand = async (context: $TSContext, command: string, args: unknown[] = []) => {
   const providers = await Promise.all(Object.values(getConfiguredProviders(context)).map(providerPath => import(providerPath)));
-  return Promise.all(
+  await Promise.all(
     providers.filter(provider => typeof provider?.[command] === 'function').map(provider => provider[command](context, ...args)),
   );
 };
diff --git a/packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts b/packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts
index 65065afbd23..745ceec07b1 100644
--- a/packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts
+++ b/packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts
@@ -5,7 +5,7 @@ import { AwsSdkConfig } from '../utils/auth-types.js';
 
 let instance: IAM;
 
-export const getInstance = async (sdkConfigProvider: () => Promise<AwsSdkConfig>) => {
+export const getIAMClient = async (sdkConfigProvider: () => Promise<AwsSdkConfig>) => {
   if (instance) {
     return instance;
   }
diff --git a/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts b/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
index 4264c688b7c..8dbbc3c1163 100644
--- a/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
+++ b/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
@@ -1,6 +1,6 @@
 import { $TSContext, stateManager, getPermissionBoundaryArn, setPermissionBoundaryArn } from 'amplify-cli-core';
 import { prompt } from 'inquirer';
-import { getInstance as getIAMClient } from '../aws-utils/aws-iam';
+import { getIAMClient } from '../aws-utils/aws-iam';
 import { loadConfiguration } from '../configuration-manager';
 
 export const configurePermissionBoundaryForExistingEnv = async (context: $TSContext) => {
@@ -51,7 +51,6 @@ const permissionBoundarySupplier = async (
 
   if (typeof headlessPermissionBoundary === 'string') {
     if (validate(headlessPermissionBoundary)) {
-      console.log(`${headlessPermissionBoundary} passed validation`);
       return headlessPermissionBoundary;
     } else {
       context.print.error('The Permission Boundary ARN specified is not a valid IAM Policy ARN');
diff --git a/packages/amplify-provider-awscloudformation/src/update-env.ts b/packages/amplify-provider-awscloudformation/src/update-env.ts
index 3416b1ecf62..f317436465b 100644
--- a/packages/amplify-provider-awscloudformation/src/update-env.ts
+++ b/packages/amplify-provider-awscloudformation/src/update-env.ts
@@ -1,10 +1,6 @@
 import { $TSContext } from 'amplify-cli-core';
 import { configurePermissionBoundaryForExistingEnv } from './permission-boundary/permission-boundary';
 
-export type UpdateEnvRequest = {
-  env: string;
-};
-
 export const updateEnv = async (context: $TSContext) => {
   await configurePermissionBoundaryForExistingEnv(context);
 };

From 68228f38841896bc153db4bff3e50bfd0322d2c0 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Wed, 5 May 2021 13:28:30 -0700
Subject: [PATCH 21/35] test: more unit tests and e2e test

---
 .../__tests__/permissionBoundaryState.test.ts |  71 +++++++++
 .../src/init/initProjectHelper.ts             |  10 ++
 .../__tests__/iam-permission-boundary.test.ts |  11 ++
 .../permission-boundary.test.ts               | 138 ++++++++++++++++++
 .../permission-boundary.ts                    |  19 ++-
 5 files changed, 246 insertions(+), 3 deletions(-)
 create mode 100644 packages/amplify-cli-core/src/__tests__/permissionBoundaryState.test.ts
 create mode 100644 packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permission-boundary.test.ts

diff --git a/packages/amplify-cli-core/src/__tests__/permissionBoundaryState.test.ts b/packages/amplify-cli-core/src/__tests__/permissionBoundaryState.test.ts
new file mode 100644
index 00000000000..b76abb2444d
--- /dev/null
+++ b/packages/amplify-cli-core/src/__tests__/permissionBoundaryState.test.ts
@@ -0,0 +1,71 @@
+import { getPermissionBoundaryArn, setPermissionBoundaryArn } from '..';
+import { stateManager } from '../state-manager';
+
+jest.mock('../state-manager');
+
+const testEnv = 'testEnv';
+
+const objKey = 'PermissionBoundaryPolicyArn';
+
+const stateManager_mock = stateManager as jest.Mocked<typeof stateManager>;
+stateManager_mock.getLocalEnvInfo.mockReturnValue({
+  envName: testEnv,
+});
+
+const testArn = 'testArn';
+
+const tpi_stub = {
+  [testEnv]: {
+    awscloudformation: {
+      [objKey]: testArn,
+    },
+  },
+};
+
+describe('get permission boundary arn', () => {
+  beforeEach(jest.clearAllMocks);
+  it('gets arn from team provider info file', () => {
+    stateManager_mock.getTeamProviderInfo.mockReturnValueOnce(tpi_stub);
+    expect(getPermissionBoundaryArn()).toEqual(testArn);
+  });
+
+  it('gets arn from preInitTeamProviderInfo', () => {
+    (global as any).preInitTeamProviderInfo = tpi_stub;
+    expect(getPermissionBoundaryArn()).toEqual(testArn);
+    delete (global as any).preInitTeamProviderInfo;
+  });
+
+  it('returns undefined if no value found', () => {
+    expect(getPermissionBoundaryArn()).toBeUndefined();
+  });
+});
+
+describe('set permission boundary arn', () => {
+  beforeEach(jest.clearAllMocks);
+  it('sets the ARN value in tpi file if specified', () => {
+    stateManager_mock.getTeamProviderInfo.mockReturnValueOnce({});
+    setPermissionBoundaryArn(testArn);
+    expect(stateManager_mock.setTeamProviderInfo.mock.calls[0][1][testEnv].awscloudformation[objKey]).toEqual(testArn);
+  });
+
+  it('sets the ARN for the specified env', () => {
+    stateManager_mock.getTeamProviderInfo.mockReturnValueOnce({});
+    setPermissionBoundaryArn(testArn, 'otherenv');
+    expect(stateManager_mock.setTeamProviderInfo.mock.calls[0][1].otherenv.awscloudformation[objKey]).toEqual(testArn);
+  });
+
+  it('removes the ARN value if not specified', () => {
+    stateManager_mock.getTeamProviderInfo.mockReturnValueOnce(tpi_stub);
+    setPermissionBoundaryArn();
+    expect(stateManager_mock.setTeamProviderInfo.mock.calls[0][1][testEnv].awscloudformation).toBeDefined();
+    expect(stateManager_mock.setTeamProviderInfo.mock.calls[0][1][testEnv].awscloudformation[objKey]).toBeUndefined();
+  });
+
+  it('if tpi object specified, sets arn in object and sets global preInitTeamProviderInfo', () => {
+    const tpi: Record<string, any> = {};
+    setPermissionBoundaryArn(testArn, undefined, tpi);
+    expect(tpi[testEnv].awscloudformation[objKey]).toEqual(testArn);
+    expect((global as any).preInitTeamProviderInfo).toEqual(tpi);
+    delete (global as any).preInitTeamProviderInfo;
+  });
+});
diff --git a/packages/amplify-e2e-core/src/init/initProjectHelper.ts b/packages/amplify-e2e-core/src/init/initProjectHelper.ts
index f129161b888..7255e904d88 100644
--- a/packages/amplify-e2e-core/src/init/initProjectHelper.ts
+++ b/packages/amplify-e2e-core/src/init/initProjectHelper.ts
@@ -367,6 +367,16 @@ export function amplifyInitSandbox(cwd: string, settings: {}): Promise<void> {
   });
 }
 
+export async function initWithPermissionBoundary(cwd: string, permissionBoundaryArn: string): Promise<void> {
+  return new Promise((resolve, reject) => {
+    spawn(getCLIPath(), ['init', '--yes', '--permission-boundary', permissionBoundaryArn], {
+      cwd,
+      stripColors: true,
+      env: { CLI_DEV_INTERNAL_DISABLE_AMPLIFY_APP_CREATION: '1' },
+    }).run((err: Error) => (err ? reject(err) : resolve()));
+  });
+}
+
 export function amplifyVersion(cwd: string, expectedVersion: string, testingWithLatestCodebase = false): Promise<void> {
   return new Promise((resolve, reject) => {
     spawn(getCLIPath(testingWithLatestCodebase), ['--version'], { cwd, stripColors: true })
diff --git a/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts b/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts
index 4c6762b5917..94637214cdb 100644
--- a/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts
+++ b/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts
@@ -7,6 +7,7 @@ import {
   getPermissionBoundary,
   getProjectMeta,
   initJSProjectWithProfile,
+  initWithPermissionBoundary,
 } from 'amplify-e2e-core';
 import { updateEnvironment } from '../environment/env';
 
@@ -36,4 +37,14 @@ describe('iam permission boundary', () => {
     const actualPermBoundary = await getPermissionBoundary(authRoleName, region);
     expect(actualPermBoundary).toEqual(permissionBoundaryArn);
   });
+
+  test('permission boundary is applied during headless init', async () => {
+    await initWithPermissionBoundary(projRoot, permissionBoundaryArn);
+    const meta = getProjectMeta(projRoot);
+    const authRoleName = meta?.providers?.awscloudformation?.AuthRoleName;
+    const region = meta?.providers?.awscloudformation?.Region;
+
+    const actualPermBoundary = await getPermissionBoundary(authRoleName, region);
+    expect(actualPermBoundary).toEqual(permissionBoundaryArn);
+  });
 });
diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permission-boundary.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permission-boundary.test.ts
new file mode 100644
index 00000000000..8c5ffca0450
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permission-boundary.test.ts
@@ -0,0 +1,138 @@
+import { $TSContext } from 'amplify-cli-core';
+import { configurePermissionBoundaryForInit } from '../../permission-boundary/permission-boundary';
+import { setPermissionBoundaryArn, getPermissionBoundaryArn } from 'amplify-cli-core';
+import { prompt } from 'inquirer';
+import { getIAMClient } from '../../aws-utils/aws-iam';
+import { IAM } from 'aws-sdk';
+
+const permissionBoundaryArn = 'arn:aws:iam::123456789012:policy/some-policy-name';
+const argName = 'permission-boundary';
+const envName = 'newEnvName';
+
+jest.mock('amplify-cli-core');
+jest.mock('inquirer');
+jest.mock('../../aws-utils/aws-iam');
+
+const setPermissionBoundaryArn_mock = setPermissionBoundaryArn as jest.MockedFunction<typeof setPermissionBoundaryArn>;
+const getPermissionBoundaryArn_mock = getPermissionBoundaryArn as jest.MockedFunction<typeof getPermissionBoundaryArn>;
+const prompt_mock = prompt as jest.MockedFunction<typeof prompt>;
+const getIAMClient_mock = getIAMClient as jest.MockedFunction<typeof getIAMClient>;
+
+describe('configure permission boundary on init', () => {
+  let context_stub: $TSContext;
+
+  beforeEach(() => {
+    context_stub = ({
+      amplify: {
+        inputValidation: () => () => true,
+      },
+      exeInfo: {
+        isNewProject: true,
+        isNewEnv: true,
+        localEnvInfo: {
+          envName,
+        },
+      },
+      input: {
+        options: {},
+      },
+      print: {
+        error: jest.fn(),
+        warning: jest.fn(),
+        info: jest.fn(),
+      },
+    } as unknown) as $TSContext;
+    jest.clearAllMocks();
+  });
+  it('applies policy specifed in cmd arg when present', async () => {
+    context_stub.input.options[argName] = permissionBoundaryArn;
+    await configurePermissionBoundaryForInit(context_stub);
+    expect(setPermissionBoundaryArn_mock.mock.calls[0][0]).toEqual(permissionBoundaryArn);
+  });
+
+  it('does not prompt for policy', async () => {
+    await configurePermissionBoundaryForInit(context_stub);
+    expect(setPermissionBoundaryArn_mock.mock.calls[0][0]).toBeUndefined();
+    expect(prompt_mock).not.toHaveBeenCalled();
+  });
+});
+
+describe('configure permission boundary on env add', () => {
+  let context_stub: $TSContext;
+
+  beforeEach(() => {
+    context_stub = ({
+      amplify: {
+        inputValidation: () => () => true,
+      },
+      exeInfo: {
+        isNewProject: false,
+        isNewEnv: true,
+        localEnvInfo: {
+          envName,
+        },
+      },
+      input: {
+        options: {},
+      },
+      print: {
+        error: jest.fn(),
+        warning: jest.fn(),
+        info: jest.fn(),
+      },
+    } as unknown) as $TSContext;
+    jest.clearAllMocks();
+  });
+  it('applies policy specified in cmd arg when present', async () => {
+    context_stub.input.options[argName] = permissionBoundaryArn;
+    await configurePermissionBoundaryForInit(context_stub);
+    expect(setPermissionBoundaryArn_mock.mock.calls[0][0]).toEqual(permissionBoundaryArn);
+  });
+
+  it('does nothing when no cmd arg specified and no policy in current env', async () => {
+    await configurePermissionBoundaryForInit(context_stub);
+    expect(setPermissionBoundaryArn_mock).not.toHaveBeenCalled();
+    expect(prompt_mock).not.toHaveBeenCalled();
+  });
+
+  it('applies existing policy to new env when existing policy is accessible', async () => {
+    getPermissionBoundaryArn_mock.mockReturnValueOnce(permissionBoundaryArn);
+    getIAMClient_mock.mockResolvedValueOnce(({
+      getPolicy: jest.fn().mockReturnValueOnce({
+        promise: jest.fn(),
+      }),
+    } as unknown) as IAM);
+    await configurePermissionBoundaryForInit(context_stub);
+    expect(setPermissionBoundaryArn_mock.mock.calls[0][0]).toEqual(permissionBoundaryArn);
+    expect(prompt_mock).not.toHaveBeenCalled();
+  });
+
+  it('prompts for new policy when existing one is not accessible', async () => {
+    getPermissionBoundaryArn_mock.mockReturnValueOnce(permissionBoundaryArn);
+    getIAMClient_mock.mockResolvedValueOnce(({
+      getPolicy: jest.fn().mockReturnValueOnce({
+        promise: jest.fn().mockRejectedValueOnce('test error'),
+      }),
+    } as unknown) as IAM);
+    const newPermissionBoundaryArn = 'thisIsANewArn';
+    prompt_mock.mockResolvedValueOnce({
+      permissionBoundaryArn: newPermissionBoundaryArn,
+    });
+    await configurePermissionBoundaryForInit(context_stub);
+    expect(setPermissionBoundaryArn_mock.mock.calls[0][0]).toEqual(newPermissionBoundaryArn);
+  });
+
+  it('fails when existing policy not accessible and --yes specified with no cmd arg', async () => {
+    context_stub.input.options.yes = true;
+    getPermissionBoundaryArn_mock.mockReturnValueOnce(permissionBoundaryArn);
+    getIAMClient_mock.mockResolvedValueOnce(({
+      getPolicy: jest.fn().mockReturnValueOnce({
+        promise: jest.fn().mockRejectedValueOnce('test error'),
+      }),
+    } as unknown) as IAM);
+    await expect(configurePermissionBoundaryForInit(context_stub)).rejects.toMatchInlineSnapshot(
+      `[Error: A Permission Boundary ARN must be specified using --permission-boundary]`,
+    );
+    expect(prompt_mock).not.toHaveBeenCalled();
+  });
+});
diff --git a/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts b/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
index 8dbbc3c1163..82fc105b857 100644
--- a/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
+++ b/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
@@ -38,7 +38,7 @@ const permissionBoundarySupplierDefaultOptions = {
 const permissionBoundarySupplier = async (
   context: $TSContext,
   options?: Partial<typeof permissionBoundarySupplierDefaultOptions>,
-): Promise<string> => {
+): Promise<string | undefined> => {
   const { required, doPrompt, envNameSupplier } = { ...permissionBoundarySupplierDefaultOptions, ...options };
   const headlessPermissionBoundary = context?.input?.options?.['permission-boundary'];
 
@@ -61,6 +61,10 @@ const permissionBoundarySupplier = async (
   if (required && (isYes || !doPrompt)) {
     throw new Error('A Permission Boundary ARN must be specified using --permission-boundary');
   }
+  if (!doPrompt) {
+    // if we got here, the permission boundary is not required and we can't prompt so return undefined
+    return;
+  }
   const envName = envNameSupplier();
   const { permissionBoundaryArn } = await prompt<{ permissionBoundaryArn: string }>({
     type: 'input',
@@ -79,10 +83,19 @@ const permissionBoundarySupplier = async (
  */
 const rolloverPermissionBoundaryToNewEnvironment = async (context: $TSContext) => {
   const newEnv = context.exeInfo.localEnvInfo.envName;
+  const headlessPermissionBoundary = await permissionBoundarySupplier(context, { doPrompt: false, envNameSupplier: () => newEnv });
+  // if headless policy specified, apply that and return
+  if (typeof headlessPermissionBoundary === 'string') {
+    setPermissionBoundaryArn(headlessPermissionBoundary, newEnv, context.exeInfo.teamProviderInfo);
+    return;
+  }
+
   const currBoundary = getPermissionBoundaryArn();
+  // if current env doesn't have a permission boundary, do nothing
   if (!currBoundary) {
-    return; // if current env doesn't have a permission boundary, don't do anything
+    return;
   }
+  // if existing policy is accessible in new env, apply that one
   if (await isPolicyAccessible(context, currBoundary)) {
     setPermissionBoundaryArn(currBoundary, newEnv, context.exeInfo.teamProviderInfo);
     context.print.info(
@@ -90,7 +103,7 @@ const rolloverPermissionBoundaryToNewEnvironment = async (context: $TSContext) =
     );
     return;
   }
-  // previous policy is not accessible in the new environment
+  // if existing policy policy is not accessible in the new environment, prompt for a new one
   context.print.warning(`Permission Boundary ${currBoundary} cannot be applied to resources in this environment.`);
   setPermissionBoundaryArn(
     await permissionBoundarySupplier(context, { required: true, envNameSupplier: () => newEnv }),

From 91ef0c4cf612018546d283fb01600761c1e156d3 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Wed, 5 May 2021 15:56:21 -0700
Subject: [PATCH 22/35] test: small test tweaks

---
 packages/amplify-cli-core/src/permissionBoundaryState.ts   | 7 ++++++-
 .../src/__tests__/iam-permission-boundary.test.ts          | 2 +-
 packages/amplify-e2e-tests/src/environment/env.ts          | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/packages/amplify-cli-core/src/permissionBoundaryState.ts b/packages/amplify-cli-core/src/permissionBoundaryState.ts
index e3149e1ebbe..08a9d419ffe 100644
--- a/packages/amplify-cli-core/src/permissionBoundaryState.ts
+++ b/packages/amplify-cli-core/src/permissionBoundaryState.ts
@@ -4,7 +4,12 @@ import { $TSObject } from '.';
 
 export const getPermissionBoundaryArn = (env?: string): string | undefined => {
   try {
-    const teamProviderInfo = (global as any).preInitTeamProviderInfo ?? stateManager.getTeamProviderInfo();
+    const preInitTpi = (global as any).preInitTeamProviderInfo;
+    const teamProviderInfo = preInitTpi ?? stateManager.getTeamProviderInfo();
+    // if the pre init team-provider-info only has one env (which should always be the case), default to that one
+    if (preInitTpi && Object.keys(preInitTpi).length === 1 && !env) {
+      env = Object.keys(preInitTpi)[0];
+    }
     return _.get(teamProviderInfo, teamProviderInfoObjectPath(env)) as string | undefined;
   } catch (err) {
     // uninitialized project
diff --git a/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts b/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts
index 94637214cdb..49c909fa198 100644
--- a/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts
+++ b/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts
@@ -17,7 +17,7 @@ const permissionBoundaryArn = 'arn:aws:iam::aws:policy/AlexaForBusinessFullAcces
 describe('iam permission boundary', () => {
   let projRoot: string;
   beforeEach(async () => {
-    projRoot = await createNewProjectDir('init');
+    projRoot = await createNewProjectDir('perm-bound');
   });
 
   afterEach(async () => {
diff --git a/packages/amplify-e2e-tests/src/environment/env.ts b/packages/amplify-e2e-tests/src/environment/env.ts
index f49a522623b..66dbf4fef4b 100644
--- a/packages/amplify-e2e-tests/src/environment/env.ts
+++ b/packages/amplify-e2e-tests/src/environment/env.ts
@@ -29,7 +29,7 @@ export function addEnvironment(cwd: string, settings: { envName: string; numLaye
 export function updateEnvironment(cwd: string, settings: { permissionBoundaryArn: string }) {
   return new Promise<void>((resolve, reject) => {
     spawn(getCLIPath(), ['env', 'update'], { cwd, stripColors: true })
-      .wait('Specify an IAM Policy ARN')
+      .wait('Specify an IAM Policy ARN to use as a Permission Boundary for all IAM Roles')
       .sendLine(settings.permissionBoundaryArn)
       .run((err: Error) => (!!err ? reject(err) : resolve()));
   });

From 4099db46d7d8501de65dd41eb1eb01bf2e0d322f Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Wed, 5 May 2021 16:16:34 -0700
Subject: [PATCH 23/35] chore: reverting some unintentional linting changes

---
 .../stack-event-monitor.test.ts               |  7 ++-
 .../utils/admin-login-server.test.ts          |  2 +-
 .../amplify-resource-state-utils.test.ts      | 54 +++++++++----------
 .../src/configuration-manager.ts              | 11 +---
 4 files changed, 30 insertions(+), 44 deletions(-)

diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/iterative-deployment/stack-event-monitor.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/iterative-deployment/stack-event-monitor.test.ts
index fba180fe1ed..b94a6b74c20 100644
--- a/packages/amplify-provider-awscloudformation/src/__tests__/iterative-deployment/stack-event-monitor.test.ts
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/iterative-deployment/stack-event-monitor.test.ts
@@ -9,10 +9,9 @@ const stackProgressPrinterStub = ({
 
 const cfn = ({
   describeStackEvents: () => ({
-    promise: () =>
-      Promise.resolve({
-        NextToken: undefined,
-      }),
+    promise: () => Promise.resolve({
+      NextToken: undefined,
+    }),
   }),
 } as unknown) as CloudFormation;
 
diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/utils/admin-login-server.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/utils/admin-login-server.test.ts
index 506deaaed3b..6bf403a1d5e 100644
--- a/packages/amplify-provider-awscloudformation/src/__tests__/utils/admin-login-server.test.ts
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/utils/admin-login-server.test.ts
@@ -29,7 +29,7 @@ describe('AdminLoginServer', () => {
     expect(postMock).toBeCalled();
     expect(listenMock).toBeCalledWith(4242, '0.0.0.0');
   });
-
+  
   test('shut down running server', async () => {
     const adminLoginServer = new AdminLoginServer('appId', 'http://example.com', context_stub.print);
     listenMock.mockReturnValue({ close: serverCloseMock });
diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/utils/amplify-resource-state-utils.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/utils/amplify-resource-state-utils.test.ts
index cae4a9c6c7e..7bc37f49c3f 100644
--- a/packages/amplify-provider-awscloudformation/src/__tests__/utils/amplify-resource-state-utils.test.ts
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/utils/amplify-resource-state-utils.test.ts
@@ -3,41 +3,37 @@ import { CloudFormation } from 'aws-sdk';
 
 const cfnClientStub = ({
   describeStackResources: ({ StackName }) => ({
-    promise: () =>
-      Promise.resolve({
-        StackResources: [
+    promise: () => Promise.resolve({
+      StackResources: [{
+        LogicalResourceId: 'LogicalResourceIdTest1',
+        PhysicalResourceId: 'PhysicalResourceIdTest',
+      }],
+    }),
+  }),
+  describeStacks: ({ StackName }) => ({
+    promise: () => Promise.resolve({
+      Stacks: [{
+        Outputs: [
+          {
+            OutputKey: 'GetAttLogicalResourceIdTest1TableName',
+            OutputValue: 'TestStackOutputValue1',
+          },
           {
-            LogicalResourceId: 'LogicalResourceIdTest1',
-            PhysicalResourceId: 'PhysicalResourceIdTest',
+            OutputKey: 'InvalidLogicalResourceIdTableName',
+            OutputValue: 'TestStackOutputValue2',
           },
         ],
-      }),
-  }),
-  describeStacks: ({ StackName }) => ({
-    promise: () =>
-      Promise.resolve({
-        Stacks: [
+        Parameters: [
           {
-            Outputs: [
-              {
-                OutputKey: 'GetAttLogicalResourceIdTest1TableName',
-                OutputValue: 'TestStackOutputValue1',
-              },
-              {
-                OutputKey: 'InvalidLogicalResourceIdTableName',
-                OutputValue: 'TestStackOutputValue2',
-              },
-            ],
-            Parameters: [
-              {
-                ParameterKey: 'TestParameterKey1',
-                ParameterValue: 'TestParameterValue1',
-              },
-            ],
-            Capabilities: ['CAPABILITY_IAM'],
+            ParameterKey: 'TestParameterKey1',
+            ParameterValue: 'TestParameterValue1',
           },
         ],
-      }),
+        Capabilities: [
+          'CAPABILITY_IAM',
+        ],
+      }],
+    }),
   }),
 } as unknown) as CloudFormation;
 
diff --git a/packages/amplify-provider-awscloudformation/src/configuration-manager.ts b/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
index 04b5f891c0e..b204ac534a1 100644
--- a/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
+++ b/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
@@ -1,13 +1,4 @@
-import {
-  exitOnNextTick,
-  JSONUtilities,
-  pathManager,
-  stateManager,
-  $TSAny,
-  $TSContext,
-  setPermissionBoundaryArn,
-  getPermissionBoundaryArn,
-} from 'amplify-cli-core';
+import { exitOnNextTick, JSONUtilities, pathManager, stateManager, $TSAny, $TSContext } from 'amplify-cli-core';
 import fs from 'fs-extra';
 import chalk from 'chalk';
 import { prompt } from 'inquirer';

From 56e10c8f3d04e9743f299a6aea144cba758eb03b Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Wed, 5 May 2021 16:26:07 -0700
Subject: [PATCH 24/35] fix: add update to env help text

---
 packages/amplify-cli/src/commands/env.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/packages/amplify-cli/src/commands/env.ts b/packages/amplify-cli/src/commands/env.ts
index 9eaf2822740..e044c54c87c 100644
--- a/packages/amplify-cli/src/commands/env.ts
+++ b/packages/amplify-cli/src/commands/env.ts
@@ -82,6 +82,10 @@ function displayHelp(context) {
       name: 'import --name <env-name> --config <provider-configs> [--awsInfo <aws-configs>]',
       description: 'Imports an already existing Amplify project environment stack to your local backend',
     },
+    {
+      name: 'update [--permission-boundary <IAM Policy ARN>]',
+      description: 'Update the environment configuration',
+    },
     {
       name: 'remove <env-name>',
       description: 'Removes an environment from the Amplify project',

From cbe9a0f450a706b4ef72bd002e73ae31970c70b0 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Thu, 6 May 2021 10:54:50 -0700
Subject: [PATCH 25/35] test: add mock

---
 .../src/__tests__/initializer.test.ts                          | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts
index 606349b6408..b98f698168c 100644
--- a/packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts
@@ -10,6 +10,9 @@ jest.mock('../aws-utils/aws-cfn');
 jest.mock('fs-extra');
 jest.mock('../amplify-service-manager');
 jest.mock('amplify-cli-core');
+jest.mock('../permission-boundary/permission-boundary', () => ({
+  configurePermissionBoundaryForInit: jest.fn(),
+}));
 
 const CloudFormation_mock = CloudFormation as jest.MockedClass<typeof CloudFormation>;
 const amplifyServiceManager_mock = amplifyServiceManager as jest.Mocked<typeof amplifyServiceManager>;

From 9ff685bf9492a0126084f761a88339dd3157e952 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Fri, 7 May 2021 14:07:34 -0700
Subject: [PATCH 26/35] chore: address PR comments

---
 .../src/__tests__/initializer.test.ts         |  4 +-
 .../permission-boundary.test.ts               | 40 +++++++++++--------
 .../src/aws-utils/aws-iam.ts                  | 33 +++++++++------
 .../permission-boundary.ts                    |  8 ++--
 4 files changed, 49 insertions(+), 36 deletions(-)

diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts
index b98f698168c..71b2dd2bbe1 100644
--- a/packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts
@@ -10,9 +10,7 @@ jest.mock('../aws-utils/aws-cfn');
 jest.mock('fs-extra');
 jest.mock('../amplify-service-manager');
 jest.mock('amplify-cli-core');
-jest.mock('../permission-boundary/permission-boundary', () => ({
-  configurePermissionBoundaryForInit: jest.fn(),
-}));
+jest.mock('../permission-boundary/permission-boundary');
 
 const CloudFormation_mock = CloudFormation as jest.MockedClass<typeof CloudFormation>;
 const amplifyServiceManager_mock = amplifyServiceManager as jest.Mocked<typeof amplifyServiceManager>;
diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permission-boundary.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permission-boundary.test.ts
index 8c5ffca0450..ad8e434fdee 100644
--- a/packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permission-boundary.test.ts
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permission-boundary.test.ts
@@ -2,7 +2,7 @@ import { $TSContext } from 'amplify-cli-core';
 import { configurePermissionBoundaryForInit } from '../../permission-boundary/permission-boundary';
 import { setPermissionBoundaryArn, getPermissionBoundaryArn } from 'amplify-cli-core';
 import { prompt } from 'inquirer';
-import { getIAMClient } from '../../aws-utils/aws-iam';
+import { IAMClient } from '../../aws-utils/aws-iam';
 import { IAM } from 'aws-sdk';
 
 const permissionBoundaryArn = 'arn:aws:iam::123456789012:policy/some-policy-name';
@@ -16,7 +16,7 @@ jest.mock('../../aws-utils/aws-iam');
 const setPermissionBoundaryArn_mock = setPermissionBoundaryArn as jest.MockedFunction<typeof setPermissionBoundaryArn>;
 const getPermissionBoundaryArn_mock = getPermissionBoundaryArn as jest.MockedFunction<typeof getPermissionBoundaryArn>;
 const prompt_mock = prompt as jest.MockedFunction<typeof prompt>;
-const getIAMClient_mock = getIAMClient as jest.MockedFunction<typeof getIAMClient>;
+const IAMClient_mock = IAMClient as jest.Mocked<typeof IAMClient>;
 
 describe('configure permission boundary on init', () => {
   let context_stub: $TSContext;
@@ -97,11 +97,13 @@ describe('configure permission boundary on env add', () => {
 
   it('applies existing policy to new env when existing policy is accessible', async () => {
     getPermissionBoundaryArn_mock.mockReturnValueOnce(permissionBoundaryArn);
-    getIAMClient_mock.mockResolvedValueOnce(({
-      getPolicy: jest.fn().mockReturnValueOnce({
-        promise: jest.fn(),
-      }),
-    } as unknown) as IAM);
+    IAMClient_mock.getInstance.mockResolvedValueOnce({
+      client: ({
+        getPolicy: jest.fn().mockReturnValueOnce({
+          promise: jest.fn(),
+        }),
+      } as unknown) as IAM,
+    });
     await configurePermissionBoundaryForInit(context_stub);
     expect(setPermissionBoundaryArn_mock.mock.calls[0][0]).toEqual(permissionBoundaryArn);
     expect(prompt_mock).not.toHaveBeenCalled();
@@ -109,11 +111,13 @@ describe('configure permission boundary on env add', () => {
 
   it('prompts for new policy when existing one is not accessible', async () => {
     getPermissionBoundaryArn_mock.mockReturnValueOnce(permissionBoundaryArn);
-    getIAMClient_mock.mockResolvedValueOnce(({
-      getPolicy: jest.fn().mockReturnValueOnce({
-        promise: jest.fn().mockRejectedValueOnce('test error'),
-      }),
-    } as unknown) as IAM);
+    IAMClient_mock.getInstance.mockResolvedValueOnce({
+      client: ({
+        getPolicy: jest.fn().mockReturnValueOnce({
+          promise: jest.fn().mockRejectedValueOnce('test error'),
+        }),
+      } as unknown) as IAM,
+    });
     const newPermissionBoundaryArn = 'thisIsANewArn';
     prompt_mock.mockResolvedValueOnce({
       permissionBoundaryArn: newPermissionBoundaryArn,
@@ -125,11 +129,13 @@ describe('configure permission boundary on env add', () => {
   it('fails when existing policy not accessible and --yes specified with no cmd arg', async () => {
     context_stub.input.options.yes = true;
     getPermissionBoundaryArn_mock.mockReturnValueOnce(permissionBoundaryArn);
-    getIAMClient_mock.mockResolvedValueOnce(({
-      getPolicy: jest.fn().mockReturnValueOnce({
-        promise: jest.fn().mockRejectedValueOnce('test error'),
-      }),
-    } as unknown) as IAM);
+    IAMClient_mock.getInstance.mockResolvedValueOnce({
+      client: ({
+        getPolicy: jest.fn().mockReturnValueOnce({
+          promise: jest.fn().mockRejectedValueOnce('test error'),
+        }),
+      } as unknown) as IAM,
+    });
     await expect(configurePermissionBoundaryForInit(context_stub)).rejects.toMatchInlineSnapshot(
       `[Error: A Permission Boundary ARN must be specified using --permission-boundary]`,
     );
diff --git a/packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts b/packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts
index 745ceec07b1..d641bc807c8 100644
--- a/packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts
+++ b/packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts
@@ -2,19 +2,28 @@ import aws from './aws.js';
 import awstype from 'aws-sdk';
 import { IAM } from 'aws-sdk';
 import { AwsSdkConfig } from '../utils/auth-types.js';
+import { loadConfiguration } from '../configuration-manager';
+import { $TSContext } from 'amplify-cli-core';
 
-let instance: IAM;
+export class IAMClient {
+  private static instance: IAMClient;
+  public readonly client: IAM;
 
-export const getIAMClient = async (sdkConfigProvider: () => Promise<AwsSdkConfig>) => {
-  if (instance) {
-    return instance;
+  static async getInstance(context: $TSContext, options: IAM.ClientConfiguration = {}): Promise<IAMClient> {
+    if (!IAMClient.instance) {
+      let cred: AwsSdkConfig;
+      try {
+        cred = await loadConfiguration(context);
+      } catch (e) {
+        // ignore missing config
+      }
+
+      IAMClient.instance = new IAMClient(cred, options);
+    }
+    return IAMClient.instance;
   }
-  let cred = {};
-  try {
-    cred = await sdkConfigProvider();
-  } catch (err) {
-    // ignore error
+
+  private constructor(creds: AwsSdkConfig, options: IAM.ClientConfiguration = {}) {
+    this.client = new (aws as typeof awstype).IAM({ ...creds, ...options });
   }
-  instance = new (aws as typeof awstype).IAM({ ...cred });
-  return instance;
-};
+}
diff --git a/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts b/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
index 82fc105b857..d9cc532428a 100644
--- a/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
+++ b/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
@@ -1,6 +1,6 @@
 import { $TSContext, stateManager, getPermissionBoundaryArn, setPermissionBoundaryArn } from 'amplify-cli-core';
 import { prompt } from 'inquirer';
-import { getIAMClient } from '../aws-utils/aws-iam';
+import { IAMClient } from '../aws-utils/aws-iam';
 import { loadConfiguration } from '../configuration-manager';
 
 export const configurePermissionBoundaryForExistingEnv = async (context: $TSContext) => {
@@ -18,7 +18,7 @@ export const configurePermissionBoundaryForInit = async (context: $TSContext) =>
       context.exeInfo.teamProviderInfo,
     );
   } else {
-    // amplfiy env add
+    // amplify env add
     await rolloverPermissionBoundaryToNewEnvironment(context);
   }
 };
@@ -113,9 +113,9 @@ const rolloverPermissionBoundaryToNewEnvironment = async (context: $TSContext) =
 };
 
 const isPolicyAccessible = async (context: $TSContext, policyArn: string) => {
-  const iamClient = await getIAMClient(() => loadConfiguration(context));
+  const iamClient = await IAMClient.getInstance(context);
   try {
-    await iamClient.getPolicy({ PolicyArn: policyArn }).promise();
+    await iamClient.client.getPolicy({ PolicyArn: policyArn }).promise();
   } catch (err) {
     // if there's an error, then the policy wasn't accessible
     return false;

From 95ec526c322c2bf5eb293958990215c452182067 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Thu, 20 May 2021 14:02:45 -0700
Subject: [PATCH 27/35] chore: use module var instead of global var

---
 .../__tests__/permissionBoundaryState.test.ts   | 11 ++++++++---
 .../src/permissionBoundaryState.ts              | 17 +++++++++--------
 2 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/packages/amplify-cli-core/src/__tests__/permissionBoundaryState.test.ts b/packages/amplify-cli-core/src/__tests__/permissionBoundaryState.test.ts
index b76abb2444d..d9b1472e311 100644
--- a/packages/amplify-cli-core/src/__tests__/permissionBoundaryState.test.ts
+++ b/packages/amplify-cli-core/src/__tests__/permissionBoundaryState.test.ts
@@ -30,9 +30,14 @@ describe('get permission boundary arn', () => {
   });
 
   it('gets arn from preInitTeamProviderInfo', () => {
-    (global as any).preInitTeamProviderInfo = tpi_stub;
+    // setup
+    setPermissionBoundaryArn(testArn, testEnv, tpi_stub);
+
+    // test
     expect(getPermissionBoundaryArn()).toEqual(testArn);
-    delete (global as any).preInitTeamProviderInfo;
+
+    // reset
+    setPermissionBoundaryArn(testArn, testEnv);
   });
 
   it('returns undefined if no value found', () => {
@@ -65,7 +70,7 @@ describe('set permission boundary arn', () => {
     const tpi: Record<string, any> = {};
     setPermissionBoundaryArn(testArn, undefined, tpi);
     expect(tpi[testEnv].awscloudformation[objKey]).toEqual(testArn);
-    expect((global as any).preInitTeamProviderInfo).toEqual(tpi);
+    expect(getPermissionBoundaryArn()).toEqual(testArn);
     delete (global as any).preInitTeamProviderInfo;
   });
 });
diff --git a/packages/amplify-cli-core/src/permissionBoundaryState.ts b/packages/amplify-cli-core/src/permissionBoundaryState.ts
index 08a9d419ffe..8ff0ce456b9 100644
--- a/packages/amplify-cli-core/src/permissionBoundaryState.ts
+++ b/packages/amplify-cli-core/src/permissionBoundaryState.ts
@@ -2,16 +2,17 @@ import { stateManager } from './state-manager';
 import _ from 'lodash';
 import { $TSObject } from '.';
 
+let preInitTeamProviderInfo: any;
+
 export const getPermissionBoundaryArn = (env?: string): string | undefined => {
   try {
-    const preInitTpi = (global as any).preInitTeamProviderInfo;
-    const teamProviderInfo = preInitTpi ?? stateManager.getTeamProviderInfo();
+    const tpi = preInitTeamProviderInfo ?? stateManager.getTeamProviderInfo();
     // if the pre init team-provider-info only has one env (which should always be the case), default to that one
-    if (preInitTpi && Object.keys(preInitTpi).length === 1 && !env) {
-      env = Object.keys(preInitTpi)[0];
+    if (preInitTeamProviderInfo && Object.keys(preInitTeamProviderInfo).length === 1 && !env) {
+      env = Object.keys(preInitTeamProviderInfo)[0];
     }
-    return _.get(teamProviderInfo, teamProviderInfoObjectPath(env)) as string | undefined;
-  } catch (err) {
+    return _.get(tpi, teamProviderInfoObjectPath(env)) as string | undefined;
+  } catch {
     // uninitialized project
     return undefined;
   }
@@ -31,12 +32,12 @@ export const setPermissionBoundaryArn = (arn?: string, env?: string, teamProvide
   let tpiGetter = () => stateManager.getTeamProviderInfo();
   let tpiSetter = (tpi: $TSObject) => {
     stateManager.setTeamProviderInfo(undefined, tpi);
-    delete (global as any).preInitTeamProviderInfo; // avoids a potential edge case where set permissions is called again w/o tpi
+    preInitTeamProviderInfo = undefined;
   };
   if (teamProviderInfo) {
     tpiGetter = () => teamProviderInfo;
     tpiSetter = (tpi: $TSObject) => {
-      (global as any).preInitTeamProviderInfo = tpi;
+      preInitTeamProviderInfo = tpi;
     };
   }
   const tpi = tpiGetter();

From 6aad5f1380bde1a1973d8a9f8db52caf45b88400 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Thu, 20 May 2021 16:54:33 -0700
Subject: [PATCH 28/35] chore: rename permission boundary -> permissions
 boundary

---
 .circleci/config.yml                          |  16 +--
 ...st.ts => permissionsBoundaryState.test.ts} |  28 ++--
 packages/amplify-cli-core/src/index.ts        |   2 +-
 ...ryState.ts => permissionsBoundaryState.ts} |  12 +-
 packages/amplify-cli/src/commands/env.ts      |   2 +-
 .../get-deployment-secrets-key.ts             |  24 ++++
 .../src/init/initProjectHelper.ts             |   4 +-
 .../amplify-e2e-core/src/utils/sdk-calls.ts   |   2 +-
 ...st.ts => iam-permissions-boundary.test.ts} |  26 ++--
 .../amplify-e2e-tests/src/environment/env.ts  |   6 +-
 .../src/__tests__/initializer.test.ts         |   2 +-
 .../permission-boundary.test.ts               |  58 ++++----
 ...-role-permission-boundary-modifier.test.ts |  41 ------
 ...role-permissions-boundary-modifier.test.ts |  41 ++++++
 .../src/initializer.js                        |   4 +-
 .../permission-boundary.ts                    | 124 ------------------
 .../permissions-boundary.ts                   | 123 +++++++++++++++++
 .../iam-role-permission-boundary-modifier.ts  |  15 ---
 .../iam-role-permissions-boundary-modifier.ts |  15 +++
 .../pre-push-cfn-modifier.ts                  |   4 +-
 .../src/update-env.ts                         |   4 +-
 21 files changed, 288 insertions(+), 265 deletions(-)
 rename packages/amplify-cli-core/src/__tests__/{permissionBoundaryState.test.ts => permissionsBoundaryState.test.ts} (71%)
 rename packages/amplify-cli-core/src/{permissionBoundaryState.ts => permissionsBoundaryState.ts} (77%)
 create mode 100644 packages/amplify-cli/src/extensions/amplify-helpers/get-deployment-secrets-key.ts
 rename packages/amplify-e2e-tests/src/__tests__/{iam-permission-boundary.test.ts => iam-permissions-boundary.test.ts} (56%)
 delete mode 100644 packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.test.ts
 create mode 100644 packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/iam-role-permissions-boundary-modifier.test.ts
 delete mode 100644 packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
 create mode 100644 packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts
 delete mode 100644 packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.ts
 create mode 100644 packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permissions-boundary-modifier.ts

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 4c450170e96..3cacdab5b54 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1119,13 +1119,13 @@ jobs:
     environment:
       TEST_SUITE: src/__tests__/migration/node.function.test.ts
       CLI_REGION: eu-west-2
-  iam-permission-boundary-amplify_e2e_tests:
+  iam-permissions-boundary-amplify_e2e_tests:
     working_directory: ~/repo
     docker: *ref_1
     resource_class: large
     steps: *ref_4
     environment:
-      TEST_SUITE: src/__tests__/iam-permission-boundary.test.ts
+      TEST_SUITE: src/__tests__/iam-permissions-boundary.test.ts
       CLI_REGION: eu-central-1
   function_5-amplify_e2e_tests:
     working_directory: ~/repo
@@ -1811,14 +1811,14 @@ jobs:
       TEST_SUITE: src/__tests__/migration/node.function.test.ts
       CLI_REGION: eu-west-2
     steps: *ref_5
-  iam-permission-boundary-amplify_e2e_tests_pkg_linux:
+  iam-permissions-boundary-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
     docker: *ref_1
     resource_class: large
     environment:
       AMPLIFY_DIR: /home/circleci/repo/out
       AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
-      TEST_SUITE: src/__tests__/iam-permission-boundary.test.ts
+      TEST_SUITE: src/__tests__/iam-permissions-boundary.test.ts
       CLI_REGION: eu-central-1
     steps: *ref_5
   function_5-amplify_e2e_tests_pkg_linux:
@@ -1964,7 +1964,7 @@ workflows:
             - predictions-amplify_e2e_tests
             - schema-predictions-amplify_e2e_tests
             - amplify-configure-amplify_e2e_tests
-            - iam-permission-boundary-amplify_e2e_tests
+            - iam-permissions-boundary-amplify_e2e_tests
             - containers-api-amplify_e2e_tests
             - interactions-amplify_e2e_tests
             - datastore-modelgen-amplify_e2e_tests
@@ -1994,7 +1994,7 @@ workflows:
             - predictions-amplify_e2e_tests_pkg_linux
             - schema-predictions-amplify_e2e_tests_pkg_linux
             - amplify-configure-amplify_e2e_tests_pkg_linux
-            - iam-permission-boundary-amplify_e2e_tests_pkg_linux
+            - iam-permissions-boundary-amplify_e2e_tests_pkg_linux
             - containers-api-amplify_e2e_tests_pkg_linux
             - interactions-amplify_e2e_tests_pkg_linux
             - datastore-modelgen-amplify_e2e_tests_pkg_linux
@@ -2361,7 +2361,7 @@ workflows:
           filters: *ref_9
           requires:
             - auth_4-amplify_e2e_tests
-      - iam-permission-boundary-amplify_e2e_tests:
+      - iam-permissions-boundary-amplify_e2e_tests:
           context: *ref_7
           post-steps: *ref_8
           filters: *ref_9
@@ -2805,7 +2805,7 @@ workflows:
           filters: *ref_12
           requires:
             - auth_4-amplify_e2e_tests_pkg_linux
-      - iam-permission-boundary-amplify_e2e_tests_pkg_linux:
+      - iam-permissions-boundary-amplify_e2e_tests_pkg_linux:
           context: *ref_10
           post-steps: *ref_11
           filters: *ref_12
diff --git a/packages/amplify-cli-core/src/__tests__/permissionBoundaryState.test.ts b/packages/amplify-cli-core/src/__tests__/permissionsBoundaryState.test.ts
similarity index 71%
rename from packages/amplify-cli-core/src/__tests__/permissionBoundaryState.test.ts
rename to packages/amplify-cli-core/src/__tests__/permissionsBoundaryState.test.ts
index d9b1472e311..1f3dbe9caad 100644
--- a/packages/amplify-cli-core/src/__tests__/permissionBoundaryState.test.ts
+++ b/packages/amplify-cli-core/src/__tests__/permissionsBoundaryState.test.ts
@@ -1,11 +1,11 @@
-import { getPermissionBoundaryArn, setPermissionBoundaryArn } from '..';
+import { getPermissionsBoundaryArn, setPermissionsBoundaryArn } from '..';
 import { stateManager } from '../state-manager';
 
 jest.mock('../state-manager');
 
 const testEnv = 'testEnv';
 
-const objKey = 'PermissionBoundaryPolicyArn';
+const objKey = 'PermissionsBoundaryPolicyArn';
 
 const stateManager_mock = stateManager as jest.Mocked<typeof stateManager>;
 stateManager_mock.getLocalEnvInfo.mockReturnValue({
@@ -22,55 +22,55 @@ const tpi_stub = {
   },
 };
 
-describe('get permission boundary arn', () => {
+describe('get permissions boundary arn', () => {
   beforeEach(jest.clearAllMocks);
   it('gets arn from team provider info file', () => {
     stateManager_mock.getTeamProviderInfo.mockReturnValueOnce(tpi_stub);
-    expect(getPermissionBoundaryArn()).toEqual(testArn);
+    expect(getPermissionsBoundaryArn()).toEqual(testArn);
   });
 
   it('gets arn from preInitTeamProviderInfo', () => {
     // setup
-    setPermissionBoundaryArn(testArn, testEnv, tpi_stub);
+    setPermissionsBoundaryArn(testArn, testEnv, tpi_stub);
 
     // test
-    expect(getPermissionBoundaryArn()).toEqual(testArn);
+    expect(getPermissionsBoundaryArn()).toEqual(testArn);
 
     // reset
-    setPermissionBoundaryArn(testArn, testEnv);
+    setPermissionsBoundaryArn(testArn, testEnv);
   });
 
   it('returns undefined if no value found', () => {
-    expect(getPermissionBoundaryArn()).toBeUndefined();
+    expect(getPermissionsBoundaryArn()).toBeUndefined();
   });
 });
 
-describe('set permission boundary arn', () => {
+describe('set permissions boundary arn', () => {
   beforeEach(jest.clearAllMocks);
   it('sets the ARN value in tpi file if specified', () => {
     stateManager_mock.getTeamProviderInfo.mockReturnValueOnce({});
-    setPermissionBoundaryArn(testArn);
+    setPermissionsBoundaryArn(testArn);
     expect(stateManager_mock.setTeamProviderInfo.mock.calls[0][1][testEnv].awscloudformation[objKey]).toEqual(testArn);
   });
 
   it('sets the ARN for the specified env', () => {
     stateManager_mock.getTeamProviderInfo.mockReturnValueOnce({});
-    setPermissionBoundaryArn(testArn, 'otherenv');
+    setPermissionsBoundaryArn(testArn, 'otherenv');
     expect(stateManager_mock.setTeamProviderInfo.mock.calls[0][1].otherenv.awscloudformation[objKey]).toEqual(testArn);
   });
 
   it('removes the ARN value if not specified', () => {
     stateManager_mock.getTeamProviderInfo.mockReturnValueOnce(tpi_stub);
-    setPermissionBoundaryArn();
+    setPermissionsBoundaryArn();
     expect(stateManager_mock.setTeamProviderInfo.mock.calls[0][1][testEnv].awscloudformation).toBeDefined();
     expect(stateManager_mock.setTeamProviderInfo.mock.calls[0][1][testEnv].awscloudformation[objKey]).toBeUndefined();
   });
 
   it('if tpi object specified, sets arn in object and sets global preInitTeamProviderInfo', () => {
     const tpi: Record<string, any> = {};
-    setPermissionBoundaryArn(testArn, undefined, tpi);
+    setPermissionsBoundaryArn(testArn, undefined, tpi);
     expect(tpi[testEnv].awscloudformation[objKey]).toEqual(testArn);
-    expect(getPermissionBoundaryArn()).toEqual(testArn);
+    expect(getPermissionsBoundaryArn()).toEqual(testArn);
     delete (global as any).preInitTeamProviderInfo;
   });
 });
diff --git a/packages/amplify-cli-core/src/index.ts b/packages/amplify-cli-core/src/index.ts
index 84961ac83c2..1254dfee0b3 100644
--- a/packages/amplify-cli-core/src/index.ts
+++ b/packages/amplify-cli-core/src/index.ts
@@ -5,7 +5,7 @@ export * from './cliContext';
 export * from './cliContextEnvironmentProvider';
 export * from './cliEnvironmentProvider';
 export * from './feature-flags';
-export * from './permissionBoundaryState';
+export * from './permissionsBoundaryState';
 export * from './jsonUtilities';
 export * from './jsonValidationError';
 export * from './serviceSelection';
diff --git a/packages/amplify-cli-core/src/permissionBoundaryState.ts b/packages/amplify-cli-core/src/permissionsBoundaryState.ts
similarity index 77%
rename from packages/amplify-cli-core/src/permissionBoundaryState.ts
rename to packages/amplify-cli-core/src/permissionsBoundaryState.ts
index 8ff0ce456b9..9a4cab560fc 100644
--- a/packages/amplify-cli-core/src/permissionBoundaryState.ts
+++ b/packages/amplify-cli-core/src/permissionsBoundaryState.ts
@@ -4,7 +4,7 @@ import { $TSObject } from '.';
 
 let preInitTeamProviderInfo: any;
 
-export const getPermissionBoundaryArn = (env?: string): string | undefined => {
+export const getPermissionsBoundaryArn = (env?: string): string | undefined => {
   try {
     const tpi = preInitTeamProviderInfo ?? stateManager.getTeamProviderInfo();
     // if the pre init team-provider-info only has one env (which should always be the case), default to that one
@@ -19,16 +19,16 @@ export const getPermissionBoundaryArn = (env?: string): string | undefined => {
 };
 
 /**
- * Stores the permission boundary ARN in team-provider-info
+ * Stores the permissions boundary ARN in team-provider-info
  * If teamProviderInfo is not specified, the file is read, updated and written back to disk
  * If teamProviderInfo is specified, then this function assumes that the env is not initialized
  *    In this case, the teamProviderInfo object is updated but not written to disk. Instead "preInitTeamProviderInfo" is set
- *    so that subsequent calls to getPermissionBoundaryArn will return the permission boundary arn of the pre-initialized env
- * @param arn The permission boundary arn. If undefined or empty, the permission boundary is removed
+ *    so that subsequent calls to getPermissionsBoundaryArn will return the permissions boundary arn of the pre-initialized env
+ * @param arn The permissions boundary arn. If undefined or empty, the permissions boundary is removed
  * @param env The Amplify env to update. If not specified, defaults to the current checked out environment
  * @param teamProviderInfo The team-provider-info object to update
  */
-export const setPermissionBoundaryArn = (arn?: string, env?: string, teamProviderInfo?: $TSObject): void => {
+export const setPermissionsBoundaryArn = (arn?: string, env?: string, teamProviderInfo?: $TSObject): void => {
   let tpiGetter = () => stateManager.getTeamProviderInfo();
   let tpiSetter = (tpi: $TSObject) => {
     stateManager.setTeamProviderInfo(undefined, tpi);
@@ -52,5 +52,5 @@ export const setPermissionBoundaryArn = (arn?: string, env?: string, teamProvide
 const teamProviderInfoObjectPath = (env?: string) => [
   env || (stateManager.getLocalEnvInfo().envName as string),
   'awscloudformation',
-  'PermissionBoundaryPolicyArn',
+  'PermissionsBoundaryPolicyArn',
 ];
diff --git a/packages/amplify-cli/src/commands/env.ts b/packages/amplify-cli/src/commands/env.ts
index e044c54c87c..e1fd498e822 100644
--- a/packages/amplify-cli/src/commands/env.ts
+++ b/packages/amplify-cli/src/commands/env.ts
@@ -83,7 +83,7 @@ function displayHelp(context) {
       description: 'Imports an already existing Amplify project environment stack to your local backend',
     },
     {
-      name: 'update [--permission-boundary <IAM Policy ARN>]',
+      name: 'update [--permissions-boundary <IAM Policy ARN>]',
       description: 'Update the environment configuration',
     },
     {
diff --git a/packages/amplify-cli/src/extensions/amplify-helpers/get-deployment-secrets-key.ts b/packages/amplify-cli/src/extensions/amplify-helpers/get-deployment-secrets-key.ts
new file mode 100644
index 00000000000..881cd16434f
--- /dev/null
+++ b/packages/amplify-cli/src/extensions/amplify-helpers/get-deployment-secrets-key.ts
@@ -0,0 +1,24 @@
+import { stateManager } from 'amplify-cli-core';
+import { v4 as uuid } from 'uuid';
+import _ from 'lodash';
+
+const prePushKeyName = 'prePushDeploymentSecretsKey';
+
+export function getDeploymentSecretsKey(): string {
+  const teamProviderInfo = stateManager.getTeamProviderInfo();
+  const { envName } = stateManager.getLocalEnvInfo();
+  const envTeamProviderInfo = teamProviderInfo[envName];
+
+  const prePushKey = envTeamProviderInfo?.awscloudformation?.[prePushKeyName];
+  if (prePushKey) {
+    return prePushKey;
+  }
+  const stackId = envTeamProviderInfo?.awscloudformation?.StackId;
+  if (typeof stackId === 'string') {
+    return stackId.split('/')[2];
+  }
+  const newKey = uuid();
+  _.set(teamProviderInfo, [envName, 'awscloudformation', prePushKeyName], newKey);
+  stateManager.setTeamProviderInfo(undefined, teamProviderInfo);
+  return newKey;
+}
diff --git a/packages/amplify-e2e-core/src/init/initProjectHelper.ts b/packages/amplify-e2e-core/src/init/initProjectHelper.ts
index ca148d9dc4a..6b3dcb5a81d 100644
--- a/packages/amplify-e2e-core/src/init/initProjectHelper.ts
+++ b/packages/amplify-e2e-core/src/init/initProjectHelper.ts
@@ -367,9 +367,9 @@ export function amplifyInitSandbox(cwd: string, settings: {}): Promise<void> {
   });
 }
 
-export async function initWithPermissionBoundary(cwd: string, permissionBoundaryArn: string): Promise<void> {
+export async function initWithPermissionsBoundary(cwd: string, permissionsBoundaryArn: string): Promise<void> {
   return new Promise((resolve, reject) => {
-    spawn(getCLIPath(), ['init', '--yes', '--permission-boundary', permissionBoundaryArn], {
+    spawn(getCLIPath(), ['init', '--yes', '--permissions-boundary', permissionsBoundaryArn], {
       cwd,
       stripColors: true,
       env: { CLI_DEV_INTERNAL_DISABLE_AMPLIFY_APP_CREATION: '1' },
diff --git a/packages/amplify-e2e-core/src/utils/sdk-calls.ts b/packages/amplify-e2e-core/src/utils/sdk-calls.ts
index 00b585d0542..0590769d289 100644
--- a/packages/amplify-e2e-core/src/utils/sdk-calls.ts
+++ b/packages/amplify-e2e-core/src/utils/sdk-calls.ts
@@ -311,7 +311,7 @@ export const listAttachedRolePolicies = async (roleName: string, region: string)
   return (await service.listAttachedRolePolicies({ RoleName: roleName }).promise()).AttachedPolicies;
 };
 
-export const getPermissionBoundary = async (roleName: string, region) => {
+export const getPermissionsBoundary = async (roleName: string, region) => {
   const iamClient = new IAM({ region });
   return (await iamClient.getRole({ RoleName: roleName }).promise())?.Role?.PermissionsBoundary?.PermissionsBoundaryArn;
 };
diff --git a/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts b/packages/amplify-e2e-tests/src/__tests__/iam-permissions-boundary.test.ts
similarity index 56%
rename from packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts
rename to packages/amplify-e2e-tests/src/__tests__/iam-permissions-boundary.test.ts
index 49c909fa198..e2b2a1d76a3 100644
--- a/packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts
+++ b/packages/amplify-e2e-tests/src/__tests__/iam-permissions-boundary.test.ts
@@ -4,17 +4,17 @@ import {
   createNewProjectDir,
   deleteProject,
   deleteProjectDir,
-  getPermissionBoundary,
+  getPermissionsBoundary,
   getProjectMeta,
   initJSProjectWithProfile,
-  initWithPermissionBoundary,
+  initWithPermissionsBoundary,
 } from 'amplify-e2e-core';
 import { updateEnvironment } from '../environment/env';
 
-// Using a random AWS managed policy as a permission boundary
-const permissionBoundaryArn = 'arn:aws:iam::aws:policy/AlexaForBusinessFullAccess';
+// Using a random AWS managed policy as a permissions boundary
+const permissionsBoundaryArn = 'arn:aws:iam::aws:policy/AlexaForBusinessFullAccess';
 
-describe('iam permission boundary', () => {
+describe('iam permissions boundary', () => {
   let projRoot: string;
   beforeEach(async () => {
     projRoot = await createNewProjectDir('perm-bound');
@@ -24,9 +24,9 @@ describe('iam permission boundary', () => {
     await deleteProject(projRoot);
     deleteProjectDir(projRoot);
   });
-  test('permission boundary is applied to roles created by the CLI', async () => {
+  test('permissions boundary is applied to roles created by the CLI', async () => {
     await initJSProjectWithProfile(projRoot, {});
-    await updateEnvironment(projRoot, { permissionBoundaryArn });
+    await updateEnvironment(projRoot, { permissionsBoundaryArn });
     // adding a function isn't strictly part of the test, it just causes the project to have changes to push
     await addFunction(projRoot, { functionTemplate: 'Hello World' }, 'nodejs');
     await amplifyPushAuth(projRoot);
@@ -34,17 +34,17 @@ describe('iam permission boundary', () => {
     const authRoleName = meta?.providers?.awscloudformation?.AuthRoleName;
     const region = meta?.providers?.awscloudformation?.Region;
 
-    const actualPermBoundary = await getPermissionBoundary(authRoleName, region);
-    expect(actualPermBoundary).toEqual(permissionBoundaryArn);
+    const actualPermBoundary = await getPermissionsBoundary(authRoleName, region);
+    expect(actualPermBoundary).toEqual(permissionsBoundaryArn);
   });
 
-  test('permission boundary is applied during headless init', async () => {
-    await initWithPermissionBoundary(projRoot, permissionBoundaryArn);
+  test('permissions boundary is applied during headless init', async () => {
+    await initWithPermissionsBoundary(projRoot, permissionsBoundaryArn);
     const meta = getProjectMeta(projRoot);
     const authRoleName = meta?.providers?.awscloudformation?.AuthRoleName;
     const region = meta?.providers?.awscloudformation?.Region;
 
-    const actualPermBoundary = await getPermissionBoundary(authRoleName, region);
-    expect(actualPermBoundary).toEqual(permissionBoundaryArn);
+    const actualPermBoundary = await getPermissionsBoundary(authRoleName, region);
+    expect(actualPermBoundary).toEqual(permissionsBoundaryArn);
   });
 });
diff --git a/packages/amplify-e2e-tests/src/environment/env.ts b/packages/amplify-e2e-tests/src/environment/env.ts
index d1a564a7dc7..fd1e8b7ff20 100644
--- a/packages/amplify-e2e-tests/src/environment/env.ts
+++ b/packages/amplify-e2e-tests/src/environment/env.ts
@@ -26,11 +26,11 @@ export function addEnvironment(cwd: string, settings: { envName: string; numLaye
   });
 }
 
-export function updateEnvironment(cwd: string, settings: { permissionBoundaryArn: string }) {
+export function updateEnvironment(cwd: string, settings: { permissionsBoundaryArn: string }) {
   return new Promise<void>((resolve, reject) => {
     spawn(getCLIPath(), ['env', 'update'], { cwd, stripColors: true })
-      .wait('Specify an IAM Policy ARN to use as a Permission Boundary for all IAM Roles')
-      .sendLine(settings.permissionBoundaryArn)
+      .wait('Specify an IAM Policy ARN to use as a permissions boundary for all IAM Roles')
+      .sendLine(settings.permissionsBoundaryArn)
       .run((err: Error) => (!!err ? reject(err) : resolve()));
   });
 }
diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts
index 71b2dd2bbe1..3d69f1af4ee 100644
--- a/packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/initializer.test.ts
@@ -10,7 +10,7 @@ jest.mock('../aws-utils/aws-cfn');
 jest.mock('fs-extra');
 jest.mock('../amplify-service-manager');
 jest.mock('amplify-cli-core');
-jest.mock('../permission-boundary/permission-boundary');
+jest.mock('../permissions-boundary/permissions-boundary');
 
 const CloudFormation_mock = CloudFormation as jest.MockedClass<typeof CloudFormation>;
 const amplifyServiceManager_mock = amplifyServiceManager as jest.Mocked<typeof amplifyServiceManager>;
diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permission-boundary.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permission-boundary.test.ts
index ad8e434fdee..7e0cfd2c7ff 100644
--- a/packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permission-boundary.test.ts
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permission-boundary.test.ts
@@ -1,24 +1,24 @@
 import { $TSContext } from 'amplify-cli-core';
-import { configurePermissionBoundaryForInit } from '../../permission-boundary/permission-boundary';
-import { setPermissionBoundaryArn, getPermissionBoundaryArn } from 'amplify-cli-core';
+import { configurePermissionsBoundaryForInit } from '../../permissions-boundary/permissions-boundary';
+import { setPermissionsBoundaryArn, getPermissionsBoundaryArn } from 'amplify-cli-core';
 import { prompt } from 'inquirer';
 import { IAMClient } from '../../aws-utils/aws-iam';
 import { IAM } from 'aws-sdk';
 
-const permissionBoundaryArn = 'arn:aws:iam::123456789012:policy/some-policy-name';
-const argName = 'permission-boundary';
+const permissionsBoundaryArn = 'arn:aws:iam::123456789012:policy/some-policy-name';
+const argName = 'permissions-boundary';
 const envName = 'newEnvName';
 
 jest.mock('amplify-cli-core');
 jest.mock('inquirer');
 jest.mock('../../aws-utils/aws-iam');
 
-const setPermissionBoundaryArn_mock = setPermissionBoundaryArn as jest.MockedFunction<typeof setPermissionBoundaryArn>;
-const getPermissionBoundaryArn_mock = getPermissionBoundaryArn as jest.MockedFunction<typeof getPermissionBoundaryArn>;
+const setPermissionsBoundaryArn_mock = setPermissionsBoundaryArn as jest.MockedFunction<typeof setPermissionsBoundaryArn>;
+const getPermissionsBoundaryArn_mock = getPermissionsBoundaryArn as jest.MockedFunction<typeof getPermissionsBoundaryArn>;
 const prompt_mock = prompt as jest.MockedFunction<typeof prompt>;
 const IAMClient_mock = IAMClient as jest.Mocked<typeof IAMClient>;
 
-describe('configure permission boundary on init', () => {
+describe('configure permissions boundary on init', () => {
   let context_stub: $TSContext;
 
   beforeEach(() => {
@@ -45,19 +45,19 @@ describe('configure permission boundary on init', () => {
     jest.clearAllMocks();
   });
   it('applies policy specifed in cmd arg when present', async () => {
-    context_stub.input.options[argName] = permissionBoundaryArn;
-    await configurePermissionBoundaryForInit(context_stub);
-    expect(setPermissionBoundaryArn_mock.mock.calls[0][0]).toEqual(permissionBoundaryArn);
+    context_stub.input.options[argName] = permissionsBoundaryArn;
+    await configurePermissionsBoundaryForInit(context_stub);
+    expect(setPermissionsBoundaryArn_mock.mock.calls[0][0]).toEqual(permissionsBoundaryArn);
   });
 
   it('does not prompt for policy', async () => {
-    await configurePermissionBoundaryForInit(context_stub);
-    expect(setPermissionBoundaryArn_mock.mock.calls[0][0]).toBeUndefined();
+    await configurePermissionsBoundaryForInit(context_stub);
+    expect(setPermissionsBoundaryArn_mock.mock.calls[0][0]).toBeUndefined();
     expect(prompt_mock).not.toHaveBeenCalled();
   });
 });
 
-describe('configure permission boundary on env add', () => {
+describe('configure permissions boundary on env add', () => {
   let context_stub: $TSContext;
 
   beforeEach(() => {
@@ -84,19 +84,19 @@ describe('configure permission boundary on env add', () => {
     jest.clearAllMocks();
   });
   it('applies policy specified in cmd arg when present', async () => {
-    context_stub.input.options[argName] = permissionBoundaryArn;
-    await configurePermissionBoundaryForInit(context_stub);
-    expect(setPermissionBoundaryArn_mock.mock.calls[0][0]).toEqual(permissionBoundaryArn);
+    context_stub.input.options[argName] = permissionsBoundaryArn;
+    await configurePermissionsBoundaryForInit(context_stub);
+    expect(setPermissionsBoundaryArn_mock.mock.calls[0][0]).toEqual(permissionsBoundaryArn);
   });
 
   it('does nothing when no cmd arg specified and no policy in current env', async () => {
-    await configurePermissionBoundaryForInit(context_stub);
-    expect(setPermissionBoundaryArn_mock).not.toHaveBeenCalled();
+    await configurePermissionsBoundaryForInit(context_stub);
+    expect(setPermissionsBoundaryArn_mock).not.toHaveBeenCalled();
     expect(prompt_mock).not.toHaveBeenCalled();
   });
 
   it('applies existing policy to new env when existing policy is accessible', async () => {
-    getPermissionBoundaryArn_mock.mockReturnValueOnce(permissionBoundaryArn);
+    getPermissionsBoundaryArn_mock.mockReturnValueOnce(permissionsBoundaryArn);
     IAMClient_mock.getInstance.mockResolvedValueOnce({
       client: ({
         getPolicy: jest.fn().mockReturnValueOnce({
@@ -104,13 +104,13 @@ describe('configure permission boundary on env add', () => {
         }),
       } as unknown) as IAM,
     });
-    await configurePermissionBoundaryForInit(context_stub);
-    expect(setPermissionBoundaryArn_mock.mock.calls[0][0]).toEqual(permissionBoundaryArn);
+    await configurePermissionsBoundaryForInit(context_stub);
+    expect(setPermissionsBoundaryArn_mock.mock.calls[0][0]).toEqual(permissionsBoundaryArn);
     expect(prompt_mock).not.toHaveBeenCalled();
   });
 
   it('prompts for new policy when existing one is not accessible', async () => {
-    getPermissionBoundaryArn_mock.mockReturnValueOnce(permissionBoundaryArn);
+    getPermissionsBoundaryArn_mock.mockReturnValueOnce(permissionsBoundaryArn);
     IAMClient_mock.getInstance.mockResolvedValueOnce({
       client: ({
         getPolicy: jest.fn().mockReturnValueOnce({
@@ -118,17 +118,17 @@ describe('configure permission boundary on env add', () => {
         }),
       } as unknown) as IAM,
     });
-    const newPermissionBoundaryArn = 'thisIsANewArn';
+    const newPermissionsBoundaryArn = 'thisIsANewArn';
     prompt_mock.mockResolvedValueOnce({
-      permissionBoundaryArn: newPermissionBoundaryArn,
+      permissionsBoundaryArn: newPermissionsBoundaryArn,
     });
-    await configurePermissionBoundaryForInit(context_stub);
-    expect(setPermissionBoundaryArn_mock.mock.calls[0][0]).toEqual(newPermissionBoundaryArn);
+    await configurePermissionsBoundaryForInit(context_stub);
+    expect(setPermissionsBoundaryArn_mock.mock.calls[0][0]).toEqual(newPermissionsBoundaryArn);
   });
 
   it('fails when existing policy not accessible and --yes specified with no cmd arg', async () => {
     context_stub.input.options.yes = true;
-    getPermissionBoundaryArn_mock.mockReturnValueOnce(permissionBoundaryArn);
+    getPermissionsBoundaryArn_mock.mockReturnValueOnce(permissionsBoundaryArn);
     IAMClient_mock.getInstance.mockResolvedValueOnce({
       client: ({
         getPolicy: jest.fn().mockReturnValueOnce({
@@ -136,8 +136,8 @@ describe('configure permission boundary on env add', () => {
         }),
       } as unknown) as IAM,
     });
-    await expect(configurePermissionBoundaryForInit(context_stub)).rejects.toMatchInlineSnapshot(
-      `[Error: A Permission Boundary ARN must be specified using --permission-boundary]`,
+    await expect(configurePermissionsBoundaryForInit(context_stub)).rejects.toMatchInlineSnapshot(
+      `[Error: A permissions boundary ARN must be specified using --permissions-boundary]`,
     );
     expect(prompt_mock).not.toHaveBeenCalled();
   });
diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.test.ts
deleted file mode 100644
index 94fdedaf227..00000000000
--- a/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.test.ts
+++ /dev/null
@@ -1,41 +0,0 @@
-import { getPermissionBoundaryArn } from 'amplify-cli-core';
-import Role from 'cloudform-types/types/iam/role';
-import _ from 'lodash';
-import { iamRolePermissionBoundaryModifier } from '../../../pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier';
-
-jest.mock('amplify-cli-core');
-
-const getPermissionBoundaryArn_mock = getPermissionBoundaryArn as jest.MockedFunction<typeof getPermissionBoundaryArn>;
-
-describe('iamRolePermissionBoundaryModifier', () => {
-  it('does not overwrite existing permission boundary', async () => {
-    const origResource = {
-      Properties: {
-        PermissionsBoundary: 'something',
-      },
-    } as Role;
-    const newResource = await iamRolePermissionBoundaryModifier(_.cloneDeep(origResource));
-    expect(newResource).toEqual(origResource);
-  });
-
-  it('does not modify the resource if no policy arn is specified', async () => {
-    const origResource = {
-      Type: 'something',
-      Properties: {},
-    } as Role;
-    getPermissionBoundaryArn_mock.mockReturnValue(undefined);
-    const newResource = await iamRolePermissionBoundaryModifier(_.cloneDeep(origResource));
-    expect(newResource).toEqual(origResource);
-  });
-
-  it('applies the specified policy arn', async () => {
-    const origResource = {
-      Type: 'something',
-      Properties: {},
-    } as Role;
-    const testPermissionBoundaryArn = 'testPermissionBoundaryArn';
-    getPermissionBoundaryArn_mock.mockReturnValue(testPermissionBoundaryArn);
-    const newResource = await iamRolePermissionBoundaryModifier(_.cloneDeep(origResource));
-    expect(newResource.Properties.PermissionsBoundary).toEqual(testPermissionBoundaryArn);
-  });
-});
diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/iam-role-permissions-boundary-modifier.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/iam-role-permissions-boundary-modifier.test.ts
new file mode 100644
index 00000000000..7e5422e3fe8
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/modifiers/iam-role-permissions-boundary-modifier.test.ts
@@ -0,0 +1,41 @@
+import { getPermissionsBoundaryArn } from 'amplify-cli-core';
+import Role from 'cloudform-types/types/iam/role';
+import _ from 'lodash';
+import { iamRolePermissionsBoundaryModifier } from '../../../pre-push-cfn-processor/modifiers/iam-role-permissions-boundary-modifier';
+
+jest.mock('amplify-cli-core');
+
+const getPermissionsBoundaryArn_mock = getPermissionsBoundaryArn as jest.MockedFunction<typeof getPermissionsBoundaryArn>;
+
+describe('iamRolePermissionsBoundaryModifier', () => {
+  it('does not overwrite existing permissions boundary', async () => {
+    const origResource = {
+      Properties: {
+        PermissionsBoundary: 'something',
+      },
+    } as Role;
+    const newResource = await iamRolePermissionsBoundaryModifier(_.cloneDeep(origResource));
+    expect(newResource).toEqual(origResource);
+  });
+
+  it('does not modify the resource if no policy arn is specified', async () => {
+    const origResource = {
+      Type: 'something',
+      Properties: {},
+    } as Role;
+    getPermissionsBoundaryArn_mock.mockReturnValue(undefined);
+    const newResource = await iamRolePermissionsBoundaryModifier(_.cloneDeep(origResource));
+    expect(newResource).toEqual(origResource);
+  });
+
+  it('applies the specified policy arn', async () => {
+    const origResource = {
+      Type: 'something',
+      Properties: {},
+    } as Role;
+    const testPermissionsBoundaryArn = 'testPermissionsBoundaryArn';
+    getPermissionsBoundaryArn_mock.mockReturnValue(testPermissionsBoundaryArn);
+    const newResource = await iamRolePermissionsBoundaryModifier(_.cloneDeep(origResource));
+    expect(newResource.Properties.PermissionsBoundary).toEqual(testPermissionsBoundaryArn);
+  });
+});
diff --git a/packages/amplify-provider-awscloudformation/src/initializer.js b/packages/amplify-provider-awscloudformation/src/initializer.js
index e4b99ce64a3..59538be7485 100644
--- a/packages/amplify-provider-awscloudformation/src/initializer.js
+++ b/packages/amplify-provider-awscloudformation/src/initializer.js
@@ -15,7 +15,7 @@ const amplifyServiceMigrate = require('./amplify-service-migrate');
 const { fileLogger } = require('./utils/aws-logger');
 const { prePushCfnTemplateModifier } = require('./pre-push-cfn-processor/pre-push-cfn-modifier');
 const logger = fileLogger('attach-backend');
-const { configurePermissionBoundaryForInit } = require('./permission-boundary/permission-boundary');
+const { configurePermissionsBoundaryForInit } = require('./permissions-boundary/permissions-boundary');
 
 async function run(context) {
   await configurationManager.init(context);
@@ -28,7 +28,7 @@ async function run(context) {
     let stackName = normalizeStackName(`amplify-${projectName}-${envName}-${timeStamp}`);
     const awsConfig = await configurationManager.getAwsConfig(context);
 
-    await configurePermissionBoundaryForInit(context);
+    await configurePermissionsBoundaryForInit(context);
 
     const amplifyServiceParams = {
       context,
diff --git a/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts b/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
deleted file mode 100644
index d9cc532428a..00000000000
--- a/packages/amplify-provider-awscloudformation/src/permission-boundary/permission-boundary.ts
+++ /dev/null
@@ -1,124 +0,0 @@
-import { $TSContext, stateManager, getPermissionBoundaryArn, setPermissionBoundaryArn } from 'amplify-cli-core';
-import { prompt } from 'inquirer';
-import { IAMClient } from '../aws-utils/aws-iam';
-import { loadConfiguration } from '../configuration-manager';
-
-export const configurePermissionBoundaryForExistingEnv = async (context: $TSContext) => {
-  setPermissionBoundaryArn(await permissionBoundarySupplier(context));
-};
-
-export const configurePermissionBoundaryForInit = async (context: $TSContext) => {
-  const envName = context.exeInfo.localEnvInfo.envName; // the new environment name
-  if (context?.exeInfo?.isNewProject) {
-    // amplify init
-    // on init flow, set the permission boundary if specified in a cmd line arg, but don't prompt for it
-    setPermissionBoundaryArn(
-      await permissionBoundarySupplier(context, { doPrompt: false, envNameSupplier: () => envName }),
-      envName,
-      context.exeInfo.teamProviderInfo,
-    );
-  } else {
-    // amplify env add
-    await rolloverPermissionBoundaryToNewEnvironment(context);
-  }
-};
-
-const permissionBoundarySupplierDefaultOptions = {
-  required: false,
-  doPrompt: true,
-  envNameSupplier: (): string => stateManager.getLocalEnvInfo().envName,
-};
-
-/**
- * Supplies a permission boundary ARN by first checking headless parameters, then falling back to a CLI prompt
- * @param context CLI context object
- * @param options Additional options to control the supplier
- * @returns string, the permission boundary ARN or an empty string
- */
-const permissionBoundarySupplier = async (
-  context: $TSContext,
-  options?: Partial<typeof permissionBoundarySupplierDefaultOptions>,
-): Promise<string | undefined> => {
-  const { required, doPrompt, envNameSupplier } = { ...permissionBoundarySupplierDefaultOptions, ...options };
-  const headlessPermissionBoundary = context?.input?.options?.['permission-boundary'];
-
-  const validate = context.amplify.inputValidation({
-    operator: 'regex',
-    value: '^(|arn:aws:iam::(\\d{12}|aws):policy/.+)$',
-    onErrorMsg: 'Specify a valid IAM Policy ARN',
-    required: true,
-  });
-
-  if (typeof headlessPermissionBoundary === 'string') {
-    if (validate(headlessPermissionBoundary)) {
-      return headlessPermissionBoundary;
-    } else {
-      context.print.error('The Permission Boundary ARN specified is not a valid IAM Policy ARN');
-    }
-  }
-
-  const isYes = context?.input?.options?.yes;
-  if (required && (isYes || !doPrompt)) {
-    throw new Error('A Permission Boundary ARN must be specified using --permission-boundary');
-  }
-  if (!doPrompt) {
-    // if we got here, the permission boundary is not required and we can't prompt so return undefined
-    return;
-  }
-  const envName = envNameSupplier();
-  const { permissionBoundaryArn } = await prompt<{ permissionBoundaryArn: string }>({
-    type: 'input',
-    name: 'permissionBoundaryArn',
-    message: `Specify an IAM Policy ARN to use as a Permission Boundary for all IAM Roles in the ${envName} environment (leave blank to remove the Permission Boundary configuration):`,
-    default: getPermissionBoundaryArn(envName),
-    validate,
-  });
-  return permissionBoundaryArn;
-};
-
-/**
- * This function expects to be called during the env add flow BEFORE the local-env-info file is overwritten with the new env
- * (ie when it still contains info on the previous env)
- * context.exeInfo.localEnvInfo.envName is expected to have the new env name
- */
-const rolloverPermissionBoundaryToNewEnvironment = async (context: $TSContext) => {
-  const newEnv = context.exeInfo.localEnvInfo.envName;
-  const headlessPermissionBoundary = await permissionBoundarySupplier(context, { doPrompt: false, envNameSupplier: () => newEnv });
-  // if headless policy specified, apply that and return
-  if (typeof headlessPermissionBoundary === 'string') {
-    setPermissionBoundaryArn(headlessPermissionBoundary, newEnv, context.exeInfo.teamProviderInfo);
-    return;
-  }
-
-  const currBoundary = getPermissionBoundaryArn();
-  // if current env doesn't have a permission boundary, do nothing
-  if (!currBoundary) {
-    return;
-  }
-  // if existing policy is accessible in new env, apply that one
-  if (await isPolicyAccessible(context, currBoundary)) {
-    setPermissionBoundaryArn(currBoundary, newEnv, context.exeInfo.teamProviderInfo);
-    context.print.info(
-      `Permission Boundary ${currBoundary} has automatically been applied to this environment. To modify this, run \`amplify env update\`.`,
-    );
-    return;
-  }
-  // if existing policy policy is not accessible in the new environment, prompt for a new one
-  context.print.warning(`Permission Boundary ${currBoundary} cannot be applied to resources in this environment.`);
-  setPermissionBoundaryArn(
-    await permissionBoundarySupplier(context, { required: true, envNameSupplier: () => newEnv }),
-    newEnv,
-    context.exeInfo.teamProviderInfo,
-  );
-};
-
-const isPolicyAccessible = async (context: $TSContext, policyArn: string) => {
-  const iamClient = await IAMClient.getInstance(context);
-  try {
-    await iamClient.client.getPolicy({ PolicyArn: policyArn }).promise();
-  } catch (err) {
-    // if there's an error, then the policy wasn't accessible
-    return false;
-  }
-  return true;
-};
diff --git a/packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts b/packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts
new file mode 100644
index 00000000000..e0e91784836
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts
@@ -0,0 +1,123 @@
+import { $TSContext, stateManager, getPermissionsBoundaryArn, setPermissionsBoundaryArn } from 'amplify-cli-core';
+import { prompt } from 'inquirer';
+import { IAMClient } from '../aws-utils/aws-iam';
+
+export const configurePermissionsBoundaryForExistingEnv = async (context: $TSContext) => {
+  setPermissionsBoundaryArn(await permissionsBoundarySupplier(context));
+};
+
+export const configurePermissionsBoundaryForInit = async (context: $TSContext) => {
+  const envName = context.exeInfo.localEnvInfo.envName; // the new environment name
+  if (context?.exeInfo?.isNewProject) {
+    // amplify init
+    // on init flow, set the permissions boundary if specified in a cmd line arg, but don't prompt for it
+    setPermissionsBoundaryArn(
+      await permissionsBoundarySupplier(context, { doPrompt: false, envNameSupplier: () => envName }),
+      envName,
+      context.exeInfo.teamProviderInfo,
+    );
+  } else {
+    // amplify env add
+    await rolloverPermissionsBoundaryToNewEnvironment(context);
+  }
+};
+
+const permissionsBoundarySupplierDefaultOptions = {
+  required: false,
+  doPrompt: true,
+  envNameSupplier: (): string => stateManager.getLocalEnvInfo().envName,
+};
+
+/**
+ * Supplies a permissions boundary ARN by first checking headless parameters, then falling back to a CLI prompt
+ * @param context CLI context object
+ * @param options Additional options to control the supplier
+ * @returns string, the permissions boundary ARN or an empty string
+ */
+const permissionsBoundarySupplier = async (
+  context: $TSContext,
+  options?: Partial<typeof permissionsBoundarySupplierDefaultOptions>,
+): Promise<string | undefined> => {
+  const { required, doPrompt, envNameSupplier } = { ...permissionsBoundarySupplierDefaultOptions, ...options };
+  const headlessPermissionsBoundary = context?.input?.options?.['permissions-boundary'];
+
+  const validate = context.amplify.inputValidation({
+    operator: 'regex',
+    value: '^(|arn:aws:iam::(\\d{12}|aws):policy/.+)$',
+    onErrorMsg: 'Specify a valid IAM Policy ARN',
+    required: true,
+  });
+
+  if (typeof headlessPermissionsBoundary === 'string') {
+    if (validate(headlessPermissionsBoundary)) {
+      return headlessPermissionsBoundary;
+    } else {
+      context.print.error('The permissions boundary ARN specified is not a valid IAM Policy ARN');
+    }
+  }
+
+  const isYes = context?.input?.options?.yes;
+  if (required && (isYes || !doPrompt)) {
+    throw new Error('A permissions boundary ARN must be specified using --permissions-boundary');
+  }
+  if (!doPrompt) {
+    // if we got here, the permissions boundary is not required and we can't prompt so return undefined
+    return;
+  }
+  const envName = envNameSupplier();
+  const { permissionsBoundaryArn } = await prompt<{ permissionsBoundaryArn: string }>({
+    type: 'input',
+    name: 'permissionsBoundaryArn',
+    message: `Specify an IAM Policy ARN to use as a permissions boundary for all IAM Roles in the ${envName} environment (leave blank to remove the permissions boundary configuration):`,
+    default: getPermissionsBoundaryArn(envName),
+    validate,
+  });
+  return permissionsBoundaryArn;
+};
+
+/**
+ * This function expects to be called during the env add flow BEFORE the local-env-info file is overwritten with the new env
+ * (ie when it still contains info on the previous env)
+ * context.exeInfo.localEnvInfo.envName is expected to have the new env name
+ */
+const rolloverPermissionsBoundaryToNewEnvironment = async (context: $TSContext) => {
+  const newEnv = context.exeInfo.localEnvInfo.envName;
+  const headlessPermissionsBoundary = await permissionsBoundarySupplier(context, { doPrompt: false, envNameSupplier: () => newEnv });
+  // if headless policy specified, apply that and return
+  if (typeof headlessPermissionsBoundary === 'string') {
+    setPermissionsBoundaryArn(headlessPermissionsBoundary, newEnv, context.exeInfo.teamProviderInfo);
+    return;
+  }
+
+  const currBoundary = getPermissionsBoundaryArn();
+  // if current env doesn't have a permissions boundary, do nothing
+  if (!currBoundary) {
+    return;
+  }
+  // if existing policy is accessible in new env, apply that one
+  if (await isPolicyAccessible(context, currBoundary)) {
+    setPermissionsBoundaryArn(currBoundary, newEnv, context.exeInfo.teamProviderInfo);
+    context.print.info(
+      `permissions boundary ${currBoundary} has automatically been applied to this environment. To modify this, run \`amplify env update\`.`,
+    );
+    return;
+  }
+  // if existing policy policy is not accessible in the new environment, prompt for a new one
+  context.print.warning(`permissions boundary ${currBoundary} cannot be applied to resources in this environment.`);
+  setPermissionsBoundaryArn(
+    await permissionsBoundarySupplier(context, { required: true, envNameSupplier: () => newEnv }),
+    newEnv,
+    context.exeInfo.teamProviderInfo,
+  );
+};
+
+const isPolicyAccessible = async (context: $TSContext, policyArn: string) => {
+  const iamClient = await IAMClient.getInstance(context);
+  try {
+    await iamClient.client.getPolicy({ PolicyArn: policyArn }).promise();
+  } catch (err) {
+    // if there's an error, then the policy wasn't accessible
+    return false;
+  }
+  return true;
+};
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.ts
deleted file mode 100644
index d170978a44a..00000000000
--- a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permission-boundary-modifier.ts
+++ /dev/null
@@ -1,15 +0,0 @@
-import { getPermissionBoundaryArn } from 'amplify-cli-core';
-import Role from 'cloudform-types/types/iam/role';
-import { ResourceModifier } from '../pre-push-cfn-modifier';
-
-export const iamRolePermissionBoundaryModifier: ResourceModifier<Role> = async resource => {
-  if (resource?.Properties?.PermissionsBoundary) {
-    return resource; // don't modify an existing permission boundary
-  }
-  const policyArn = getPermissionBoundaryArn();
-  if (!policyArn) {
-    return resource; // exit if no permission boundary specified
-  }
-  resource.Properties.PermissionsBoundary = policyArn;
-  return resource;
-};
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permissions-boundary-modifier.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permissions-boundary-modifier.ts
new file mode 100644
index 00000000000..ed87ae6d20a
--- /dev/null
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/modifiers/iam-role-permissions-boundary-modifier.ts
@@ -0,0 +1,15 @@
+import { getPermissionsBoundaryArn } from 'amplify-cli-core';
+import Role from 'cloudform-types/types/iam/role';
+import { ResourceModifier } from '../pre-push-cfn-modifier';
+
+export const iamRolePermissionsBoundaryModifier: ResourceModifier<Role> = async resource => {
+  if (resource?.Properties?.PermissionsBoundary) {
+    return resource; // don't modify an existing permissions boundary
+  }
+  const policyArn = getPermissionsBoundaryArn();
+  if (!policyArn) {
+    return resource; // exit if no permissions boundary specified
+  }
+  resource.Properties.PermissionsBoundary = policyArn;
+  return resource;
+};
diff --git a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
index c87aeaeded4..ec5f3f03df9 100644
--- a/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
+++ b/packages/amplify-provider-awscloudformation/src/pre-push-cfn-processor/pre-push-cfn-modifier.ts
@@ -2,7 +2,7 @@ import Resource from 'cloudform-types/types/resource';
 import _ from 'lodash';
 import { applyS3SSEModification } from './modifiers/s3-sse-modifier';
 import { Template } from 'cloudform-types';
-import { iamRolePermissionBoundaryModifier } from './modifiers/iam-role-permission-boundary-modifier';
+import { iamRolePermissionsBoundaryModifier } from './modifiers/iam-role-permissions-boundary-modifier';
 
 // modifies the template in-place
 export type TemplateModifier = (template: Template) => Promise<void>;
@@ -26,7 +26,7 @@ const getResourceModifiers = (type: string): ResourceModifier<Resource>[] => {
 
 const resourceTransformerRegistry: Record<string, ResourceModifier<Resource>[]> = {
   'AWS::S3::Bucket': [applyS3SSEModification],
-  'AWS::IAM::Role': [iamRolePermissionBoundaryModifier],
+  'AWS::IAM::Role': [iamRolePermissionsBoundaryModifier],
 };
 
 const identityResourceModifier: ResourceModifier<Resource> = async resource => resource;
diff --git a/packages/amplify-provider-awscloudformation/src/update-env.ts b/packages/amplify-provider-awscloudformation/src/update-env.ts
index f317436465b..797f094002a 100644
--- a/packages/amplify-provider-awscloudformation/src/update-env.ts
+++ b/packages/amplify-provider-awscloudformation/src/update-env.ts
@@ -1,6 +1,6 @@
 import { $TSContext } from 'amplify-cli-core';
-import { configurePermissionBoundaryForExistingEnv } from './permission-boundary/permission-boundary';
+import { configurePermissionsBoundaryForExistingEnv } from './permissions-boundary/permissions-boundary';
 
 export const updateEnv = async (context: $TSContext) => {
-  await configurePermissionBoundaryForExistingEnv(context);
+  await configurePermissionsBoundaryForExistingEnv(context);
 };

From 68adc9d8e22cbe12cb27504ba9dd4e8b1cf44b7a Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Fri, 21 May 2021 12:57:52 -0700
Subject: [PATCH 29/35] fix: merge tpi instead of overwrite

---
 packages/amplify-cli/bin/amplify              |  1 +
 .../src/init-steps/s9-onSuccess.ts            |  3 ++-
 .../src/{initializer.js => initializer.ts}    | 25 +++++++++++--------
 3 files changed, 17 insertions(+), 12 deletions(-)
 rename packages/amplify-provider-awscloudformation/src/{initializer.js => initializer.ts} (94%)

diff --git a/packages/amplify-cli/bin/amplify b/packages/amplify-cli/bin/amplify
index b56bea3c1e6..3d86d139a04 100755
--- a/packages/amplify-cli/bin/amplify
+++ b/packages/amplify-cli/bin/amplify
@@ -1,4 +1,5 @@
 #!/usr/bin/env node
+
 if (process.pkg) {
   require('../lib/utils/copy-override').copyOverride();
 } else {
diff --git a/packages/amplify-cli/src/init-steps/s9-onSuccess.ts b/packages/amplify-cli/src/init-steps/s9-onSuccess.ts
index 940a772d858..46d2167402a 100644
--- a/packages/amplify-cli/src/init-steps/s9-onSuccess.ts
+++ b/packages/amplify-cli/src/init-steps/s9-onSuccess.ts
@@ -6,6 +6,7 @@ import { getProviderPlugins } from '../extensions/amplify-helpers/get-provider-p
 import { insertAmplifyIgnore } from '../extensions/amplify-helpers/git-manager';
 import { writeReadMeFile } from '../extensions/amplify-helpers/docs-manager';
 import { initializeEnv } from '../initialize-env';
+import _ from 'lodash';
 
 export async function onHeadlessSuccess(context: $TSContext) {
   const frontendPlugins = getFrontendPlugins(context);
@@ -144,7 +145,7 @@ function generateTeamProviderInfoFile(context: $TSContext) {
       default: {},
     });
 
-    Object.assign(teamProviderInfo, context.exeInfo.teamProviderInfo);
+    _.merge(teamProviderInfo, context.exeInfo.teamProviderInfo);
   } else {
     ({ teamProviderInfo } = context.exeInfo);
   }
diff --git a/packages/amplify-provider-awscloudformation/src/initializer.js b/packages/amplify-provider-awscloudformation/src/initializer.ts
similarity index 94%
rename from packages/amplify-provider-awscloudformation/src/initializer.js
rename to packages/amplify-provider-awscloudformation/src/initializer.ts
index 59538be7485..bce310b90bc 100644
--- a/packages/amplify-provider-awscloudformation/src/initializer.js
+++ b/packages/amplify-provider-awscloudformation/src/initializer.ts
@@ -1,3 +1,6 @@
+import { $TSContext } from 'amplify-cli-core';
+import _ from 'lodash';
+
 const moment = require('moment');
 const path = require('path');
 const { pathManager, PathConstants, stateManager, JSONUtilities } = require('amplify-cli-core');
@@ -103,6 +106,8 @@ async function run(context) {
     context.exeInfo.inputParams.amplify.appId
   ) {
     await amplifyServiceMigrate.run(context);
+  } else {
+    setCloudFormationOutputInContext(context, {});
   }
 }
 
@@ -117,22 +122,20 @@ function processStackCreationData(context, amplifyAppId, stackDescriptiondata) {
       metadata[constants.AmplifyAppIdLabel] = amplifyAppId;
     }
 
-    context.exeInfo.amplifyMeta = {};
-    if (!context.exeInfo.amplifyMeta.providers) {
-      context.exeInfo.amplifyMeta.providers = {};
-    }
-    context.exeInfo.amplifyMeta.providers[constants.ProviderName] = metadata;
-
-    if (context.exeInfo.isNewEnv) {
-      const { envName } = context.exeInfo.localEnvInfo;
-      context.exeInfo.teamProviderInfo[envName] = {};
-      context.exeInfo.teamProviderInfo[envName][constants.ProviderName] = metadata;
-    }
+    setCloudFormationOutputInContext(context, metadata);
   } else {
     throw new Error('No stack data present');
   }
 }
 
+function setCloudFormationOutputInContext(context: $TSContext, cfnOutput: object) {
+  _.set(context, ['exeInfo', 'amplifyMeta', 'providers', constants.ProviderName], cfnOutput);
+  const { envName } = context.exeInfo.localEnvInfo;
+  if (envName) {
+    _.merge(_.get(context, ['exeInfo', 'teamProviderInfo', envName, constants.ProviderName]), cfnOutput);
+  }
+}
+
 function cloneCLIJSONForNewEnvironment(context) {
   if (context.exeInfo.isNewEnv && !context.exeInfo.isNewProject) {
     const { projectPath } = context.exeInfo.localEnvInfo;

From 27b318e93adf82e0418cb6dd731dbecf88bd4a94 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Fri, 21 May 2021 12:59:31 -0700
Subject: [PATCH 30/35] chore: remove newline

---
 packages/amplify-cli/bin/amplify | 1 -
 1 file changed, 1 deletion(-)

diff --git a/packages/amplify-cli/bin/amplify b/packages/amplify-cli/bin/amplify
index 3d86d139a04..b56bea3c1e6 100755
--- a/packages/amplify-cli/bin/amplify
+++ b/packages/amplify-cli/bin/amplify
@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-
 if (process.pkg) {
   require('../lib/utils/copy-override').copyOverride();
 } else {

From 6baa2a894df625e20eefb8a577d63f3e1b513738 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Fri, 21 May 2021 17:04:06 -0700
Subject: [PATCH 31/35] fix: load creds for new env when checking policy

---
 .../amplify-cli/src/commands/env/update.ts    |  3 +++
 .../src/aws-utils/aws-iam.ts                  |  4 +--
 .../src/configuration-manager.ts              |  2 +-
 .../permissions-boundary.ts                   | 27 ++++++++++++++-----
 .../src/push-resources.ts                     |  8 +++++-
 5 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/packages/amplify-cli/src/commands/env/update.ts b/packages/amplify-cli/src/commands/env/update.ts
index 27b785451d1..d671b19bad2 100644
--- a/packages/amplify-cli/src/commands/env/update.ts
+++ b/packages/amplify-cli/src/commands/env/update.ts
@@ -3,4 +3,7 @@ import { executeProviderCommand } from '../../extensions/amplify-helpers/get-pro
 
 export const run = async (context: $TSContext) => {
   await executeProviderCommand(context, 'updateEnv');
+  context.print.info(
+    'Environment configuration will be updated on the next `amplify push`.\nIf there are no other project changes, run `amplify push --force` to push environment configuration chnages.',
+  );
 };
diff --git a/packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts b/packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts
index d641bc807c8..17aa50f7166 100644
--- a/packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts
+++ b/packages/amplify-provider-awscloudformation/src/aws-utils/aws-iam.ts
@@ -2,7 +2,7 @@ import aws from './aws.js';
 import awstype from 'aws-sdk';
 import { IAM } from 'aws-sdk';
 import { AwsSdkConfig } from '../utils/auth-types.js';
-import { loadConfiguration } from '../configuration-manager';
+import { getAwsConfig } from '../configuration-manager';
 import { $TSContext } from 'amplify-cli-core';
 
 export class IAMClient {
@@ -13,7 +13,7 @@ export class IAMClient {
     if (!IAMClient.instance) {
       let cred: AwsSdkConfig;
       try {
-        cred = await loadConfiguration(context);
+        cred = await getAwsConfig(context);
       } catch (e) {
         // ignore missing config
       }
diff --git a/packages/amplify-provider-awscloudformation/src/configuration-manager.ts b/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
index b204ac534a1..ff356719d5c 100644
--- a/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
+++ b/packages/amplify-provider-awscloudformation/src/configuration-manager.ts
@@ -741,7 +741,7 @@ function getConfigLevel(context: $TSContext): ProjectType {
   return configLevel;
 }
 
-export async function getAwsConfig(context: $TSContext): Promise<AwsConfig> {
+export async function getAwsConfig(context: $TSContext): Promise<AwsSdkConfig> {
   const { awsConfigInfo } = context.exeInfo;
   const httpProxy = process.env.HTTP_PROXY || process.env.HTTPS_PROXY;
 
diff --git a/packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts b/packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts
index e0e91784836..0814b46dd96 100644
--- a/packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts
+++ b/packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts
@@ -65,11 +65,16 @@ const permissionsBoundarySupplier = async (
     return;
   }
   const envName = envNameSupplier();
+
+  const defaultValue = getPermissionsBoundaryArn(envName);
+  const hasDefault = typeof defaultValue === 'string' && defaultValue.length > 0;
+  const promptSuffix = hasDefault ? ' (leave blank to remove the permissions boundary configuration)' : '';
+
   const { permissionsBoundaryArn } = await prompt<{ permissionsBoundaryArn: string }>({
     type: 'input',
     name: 'permissionsBoundaryArn',
-    message: `Specify an IAM Policy ARN to use as a permissions boundary for all IAM Roles in the ${envName} environment (leave blank to remove the permissions boundary configuration):`,
-    default: getPermissionsBoundaryArn(envName),
+    message: `Specify an IAM Policy ARN to use as a permissions boundary for all Amplify-generated IAM Roles in the ${envName} environment${promptSuffix}:`,
+    default: defaultValue,
     validate,
   });
   return permissionsBoundaryArn;
@@ -94,16 +99,21 @@ const rolloverPermissionsBoundaryToNewEnvironment = async (context: $TSContext)
   if (!currBoundary) {
     return;
   }
+
+  const { envName: currEnv } = stateManager.getLocalEnvInfo();
+
   // if existing policy is accessible in new env, apply that one
   if (await isPolicyAccessible(context, currBoundary)) {
     setPermissionsBoundaryArn(currBoundary, newEnv, context.exeInfo.teamProviderInfo);
     context.print.info(
-      `permissions boundary ${currBoundary} has automatically been applied to this environment. To modify this, run \`amplify env update\`.`,
+      `Permissions boundary ${currBoundary} from the ${currEnv} environment has automatically been applied to the ${newEnv} environment.\nTo modify this, run \`amplify env update\`.\n`,
     );
     return;
   }
   // if existing policy policy is not accessible in the new environment, prompt for a new one
-  context.print.warning(`permissions boundary ${currBoundary} cannot be applied to resources in this environment.`);
+  context.print.warning(
+    `Permissions boundary ${currBoundary} from the ${currEnv} environment cannot be applied to resources the ${newEnv} environment.`,
+  );
   setPermissionsBoundaryArn(
     await permissionsBoundarySupplier(context, { required: true, envNameSupplier: () => newEnv }),
     newEnv,
@@ -116,8 +126,13 @@ const isPolicyAccessible = async (context: $TSContext, policyArn: string) => {
   try {
     await iamClient.client.getPolicy({ PolicyArn: policyArn }).promise();
   } catch (err) {
-    // if there's an error, then the policy wasn't accessible
-    return false;
+    // NoSuchEntity error
+    if (err?.statusCode === 404) {
+      return false;
+    }
+    // if it's some other error (such as client credentials don't have getPolicy permissions, or network error)
+    // give customer's the benefit of the doubt that the ARN is correct
+    return true;
   }
   return true;
 };
diff --git a/packages/amplify-provider-awscloudformation/src/push-resources.ts b/packages/amplify-provider-awscloudformation/src/push-resources.ts
index e6cd5eab0f4..15a8e561067 100644
--- a/packages/amplify-provider-awscloudformation/src/push-resources.ts
+++ b/packages/amplify-provider-awscloudformation/src/push-resources.ts
@@ -196,7 +196,13 @@ export async function run(context: $TSContext, resourceDefinition: $TSObject) {
     await updateS3Templates(context, resources, projectDetails.amplifyMeta);
 
     // We do not need CloudFormation update if only syncable resources are the changes.
-    if (resourcesToBeCreated.length > 0 || resourcesToBeUpdated.length > 0 || resourcesToBeDeleted.length > 0 || tagsUpdated) {
+    if (
+      resourcesToBeCreated.length > 0 ||
+      resourcesToBeUpdated.length > 0 ||
+      resourcesToBeDeleted.length > 0 ||
+      tagsUpdated ||
+      context.exeInfo.forcePush
+    ) {
       // If there is an API change, there will be one deployment step. But when there needs an iterative update the step count is > 1
       if (deploymentSteps.length > 1) {
         // create deployment manager

From 490ed8c2b1cdc60d9c9f553fdcb56b028db7269a Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Fri, 21 May 2021 18:11:01 -0700
Subject: [PATCH 32/35] fix: test fixes

---
 .../src/__tests__/iam-permissions-boundary.test.ts     | 10 ++++++++++
 packages/amplify-e2e-tests/src/environment/env.ts      |  2 +-
 .../src/initializer.ts                                 |  7 ++++++-
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/packages/amplify-e2e-tests/src/__tests__/iam-permissions-boundary.test.ts b/packages/amplify-e2e-tests/src/__tests__/iam-permissions-boundary.test.ts
index e2b2a1d76a3..a523304cd3f 100644
--- a/packages/amplify-e2e-tests/src/__tests__/iam-permissions-boundary.test.ts
+++ b/packages/amplify-e2e-tests/src/__tests__/iam-permissions-boundary.test.ts
@@ -6,9 +6,11 @@ import {
   deleteProjectDir,
   getPermissionsBoundary,
   getProjectMeta,
+  getTeamProviderInfo,
   initJSProjectWithProfile,
   initWithPermissionsBoundary,
 } from 'amplify-e2e-core';
+import _ from 'lodash';
 import { updateEnvironment } from '../environment/env';
 
 // Using a random AWS managed policy as a permissions boundary
@@ -36,6 +38,10 @@ describe('iam permissions boundary', () => {
 
     const actualPermBoundary = await getPermissionsBoundary(authRoleName, region);
     expect(actualPermBoundary).toEqual(permissionsBoundaryArn);
+
+    const tpi = getTeamProviderInfo(projRoot);
+    const storedArn = _.get(tpi, ['integtest', 'awscloudformation', 'PermissionsBoundaryPolicyArn']);
+    expect(storedArn).toEqual(permissionsBoundaryArn);
   });
 
   test('permissions boundary is applied during headless init', async () => {
@@ -46,5 +52,9 @@ describe('iam permissions boundary', () => {
 
     const actualPermBoundary = await getPermissionsBoundary(authRoleName, region);
     expect(actualPermBoundary).toEqual(permissionsBoundaryArn);
+
+    const tpi = getTeamProviderInfo(projRoot);
+    const storedArn = _.get(tpi, ['dev', 'awscloudformation', 'PermissionsBoundaryPolicyArn']);
+    expect(storedArn).toEqual(permissionsBoundaryArn);
   });
 });
diff --git a/packages/amplify-e2e-tests/src/environment/env.ts b/packages/amplify-e2e-tests/src/environment/env.ts
index fd1e8b7ff20..e874d6e53d0 100644
--- a/packages/amplify-e2e-tests/src/environment/env.ts
+++ b/packages/amplify-e2e-tests/src/environment/env.ts
@@ -29,7 +29,7 @@ export function addEnvironment(cwd: string, settings: { envName: string; numLaye
 export function updateEnvironment(cwd: string, settings: { permissionsBoundaryArn: string }) {
   return new Promise<void>((resolve, reject) => {
     spawn(getCLIPath(), ['env', 'update'], { cwd, stripColors: true })
-      .wait('Specify an IAM Policy ARN to use as a permissions boundary for all IAM Roles')
+      .wait('Specify an IAM Policy ARN to use as a permissions boundary for all Amplify-generated IAM Roles')
       .sendLine(settings.permissionsBoundaryArn)
       .run((err: Error) => (!!err ? reject(err) : resolve()));
   });
diff --git a/packages/amplify-provider-awscloudformation/src/initializer.ts b/packages/amplify-provider-awscloudformation/src/initializer.ts
index bce310b90bc..0f306504bdb 100644
--- a/packages/amplify-provider-awscloudformation/src/initializer.ts
+++ b/packages/amplify-provider-awscloudformation/src/initializer.ts
@@ -132,7 +132,12 @@ function setCloudFormationOutputInContext(context: $TSContext, cfnOutput: object
   _.set(context, ['exeInfo', 'amplifyMeta', 'providers', constants.ProviderName], cfnOutput);
   const { envName } = context.exeInfo.localEnvInfo;
   if (envName) {
-    _.merge(_.get(context, ['exeInfo', 'teamProviderInfo', envName, constants.ProviderName]), cfnOutput);
+    const providerInfo = _.get(context, ['exeInfo', 'teamProviderInfo', envName, constants.ProviderName]);
+    if (providerInfo) {
+      _.merge(providerInfo, cfnOutput);
+    } else {
+      _.set(context, ['exeInfo', 'teamProviderInfo', envName, constants.ProviderName], cfnOutput);
+    }
   }
 }
 

From 3e34fcddd288aeba304b53f14f508504b58141a8 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Fri, 21 May 2021 18:35:06 -0700
Subject: [PATCH 33/35] test: fix unit tests

---
 ...ion-boundary.test.ts => permissions-boundary.test.ts} | 9 ++++++---
 .../src/initializer.ts                                   | 9 ++-------
 .../src/permissions-boundary/permissions-boundary.ts     | 2 +-
 3 files changed, 9 insertions(+), 11 deletions(-)
 rename packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/{permission-boundary.test.ts => permissions-boundary.test.ts} (91%)

diff --git a/packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permission-boundary.test.ts b/packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permissions-boundary.test.ts
similarity index 91%
rename from packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permission-boundary.test.ts
rename to packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permissions-boundary.test.ts
index 7e0cfd2c7ff..df908ea8cd5 100644
--- a/packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permission-boundary.test.ts
+++ b/packages/amplify-provider-awscloudformation/src/__tests__/permission-boundary/permissions-boundary.test.ts
@@ -1,6 +1,6 @@
 import { $TSContext } from 'amplify-cli-core';
 import { configurePermissionsBoundaryForInit } from '../../permissions-boundary/permissions-boundary';
-import { setPermissionsBoundaryArn, getPermissionsBoundaryArn } from 'amplify-cli-core';
+import { setPermissionsBoundaryArn, getPermissionsBoundaryArn, stateManager } from 'amplify-cli-core';
 import { prompt } from 'inquirer';
 import { IAMClient } from '../../aws-utils/aws-iam';
 import { IAM } from 'aws-sdk';
@@ -17,6 +17,9 @@ const setPermissionsBoundaryArn_mock = setPermissionsBoundaryArn as jest.MockedF
 const getPermissionsBoundaryArn_mock = getPermissionsBoundaryArn as jest.MockedFunction<typeof getPermissionsBoundaryArn>;
 const prompt_mock = prompt as jest.MockedFunction<typeof prompt>;
 const IAMClient_mock = IAMClient as jest.Mocked<typeof IAMClient>;
+const stateManager_mock = stateManager as jest.Mocked<typeof stateManager>;
+
+stateManager_mock.getLocalEnvInfo.mockReturnValue({ envName: 'testenv' });
 
 describe('configure permissions boundary on init', () => {
   let context_stub: $TSContext;
@@ -114,7 +117,7 @@ describe('configure permissions boundary on env add', () => {
     IAMClient_mock.getInstance.mockResolvedValueOnce({
       client: ({
         getPolicy: jest.fn().mockReturnValueOnce({
-          promise: jest.fn().mockRejectedValueOnce('test error'),
+          promise: jest.fn().mockRejectedValueOnce({ statusCode: 404, message: 'test error' }),
         }),
       } as unknown) as IAM,
     });
@@ -132,7 +135,7 @@ describe('configure permissions boundary on env add', () => {
     IAMClient_mock.getInstance.mockResolvedValueOnce({
       client: ({
         getPolicy: jest.fn().mockReturnValueOnce({
-          promise: jest.fn().mockRejectedValueOnce('test error'),
+          promise: jest.fn().mockRejectedValueOnce({ statusCode: 404, message: 'test error' }),
         }),
       } as unknown) as IAM,
     });
diff --git a/packages/amplify-provider-awscloudformation/src/initializer.ts b/packages/amplify-provider-awscloudformation/src/initializer.ts
index 0f306504bdb..03ddb87225a 100644
--- a/packages/amplify-provider-awscloudformation/src/initializer.ts
+++ b/packages/amplify-provider-awscloudformation/src/initializer.ts
@@ -20,7 +20,7 @@ const { prePushCfnTemplateModifier } = require('./pre-push-cfn-processor/pre-pus
 const logger = fileLogger('attach-backend');
 const { configurePermissionsBoundaryForInit } = require('./permissions-boundary/permissions-boundary');
 
-async function run(context) {
+export async function run(context) {
   await configurationManager.init(context);
   if (!context.exeInfo || context.exeInfo.isNewEnv) {
     context.exeInfo = context.exeInfo || {};
@@ -161,7 +161,7 @@ function cloneCLIJSONForNewEnvironment(context) {
   }
 }
 
-async function onInitSuccessful(context) {
+export async function onInitSuccessful(context) {
   configurationManager.onInitSuccessful(context);
   if (context.exeInfo.isNewEnv) {
     context = await storeCurrentCloudBackend(context);
@@ -258,8 +258,3 @@ function normalizeStackName(stackName) {
   }
   return result;
 }
-
-module.exports = {
-  run,
-  onInitSuccessful,
-};
diff --git a/packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts b/packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts
index 0814b46dd96..200b809c46f 100644
--- a/packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts
+++ b/packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts
@@ -100,7 +100,7 @@ const rolloverPermissionsBoundaryToNewEnvironment = async (context: $TSContext)
     return;
   }
 
-  const { envName: currEnv } = stateManager.getLocalEnvInfo();
+  const currEnv = stateManager.getLocalEnvInfo()?.envName ?? 'current';
 
   // if existing policy is accessible in new env, apply that one
   if (await isPolicyAccessible(context, currBoundary)) {

From fd65741c5a13f4de45b826a3de3e71b0ed8e9050 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Mon, 24 May 2021 11:20:21 -0700
Subject: [PATCH 34/35] test: fix profile selection

---
 .../src/init/initProjectHelper.ts                 | 15 +++++----------
 .../__tests__/iam-permissions-boundary.test.ts    |  5 ++---
 2 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/packages/amplify-e2e-core/src/init/initProjectHelper.ts b/packages/amplify-e2e-core/src/init/initProjectHelper.ts
index 6b3dcb5a81d..7d825bd143d 100644
--- a/packages/amplify-e2e-core/src/init/initProjectHelper.ts
+++ b/packages/amplify-e2e-core/src/init/initProjectHelper.ts
@@ -19,6 +19,7 @@ const defaultSettings = {
   disableAmplifyAppCreation: true,
   disableCIDetection: false,
   providerConfig: undefined,
+  permissionsBoundaryArn: undefined,
 };
 
 export function initJSProjectWithProfile(cwd: string, settings: Object): Promise<void> {
@@ -39,6 +40,10 @@ export function initJSProjectWithProfile(cwd: string, settings: Object): Promise
     cliArgs.push('--providers', JSON.stringify(s.providerConfig));
   }
 
+  if (s.permissionsBoundaryArn) {
+    cliArgs.push('--permissions-boundary', s.permissionsBoundaryArn);
+  }
+
   return new Promise((resolve, reject) => {
     const chain = spawn(getCLIPath(), cliArgs, { cwd, stripColors: true, env, disableCIDetection: s.disableCIDetection })
       .wait('Enter a name for the project')
@@ -367,16 +372,6 @@ export function amplifyInitSandbox(cwd: string, settings: {}): Promise<void> {
   });
 }
 
-export async function initWithPermissionsBoundary(cwd: string, permissionsBoundaryArn: string): Promise<void> {
-  return new Promise((resolve, reject) => {
-    spawn(getCLIPath(), ['init', '--yes', '--permissions-boundary', permissionsBoundaryArn], {
-      cwd,
-      stripColors: true,
-      env: { CLI_DEV_INTERNAL_DISABLE_AMPLIFY_APP_CREATION: '1' },
-    }).run((err: Error) => (err ? reject(err) : resolve()));
-  });
-}
-
 export function amplifyInitYes(cwd: string): Promise<void> {
   return new Promise((resolve, reject) => {
     spawn(getCLIPath(), ['init', '--yes'], {
diff --git a/packages/amplify-e2e-tests/src/__tests__/iam-permissions-boundary.test.ts b/packages/amplify-e2e-tests/src/__tests__/iam-permissions-boundary.test.ts
index a523304cd3f..59ee3be9e65 100644
--- a/packages/amplify-e2e-tests/src/__tests__/iam-permissions-boundary.test.ts
+++ b/packages/amplify-e2e-tests/src/__tests__/iam-permissions-boundary.test.ts
@@ -8,7 +8,6 @@ import {
   getProjectMeta,
   getTeamProviderInfo,
   initJSProjectWithProfile,
-  initWithPermissionsBoundary,
 } from 'amplify-e2e-core';
 import _ from 'lodash';
 import { updateEnvironment } from '../environment/env';
@@ -45,7 +44,7 @@ describe('iam permissions boundary', () => {
   });
 
   test('permissions boundary is applied during headless init', async () => {
-    await initWithPermissionsBoundary(projRoot, permissionsBoundaryArn);
+    await initJSProjectWithProfile(projRoot, { permissionsBoundaryArn });
     const meta = getProjectMeta(projRoot);
     const authRoleName = meta?.providers?.awscloudformation?.AuthRoleName;
     const region = meta?.providers?.awscloudformation?.Region;
@@ -54,7 +53,7 @@ describe('iam permissions boundary', () => {
     expect(actualPermBoundary).toEqual(permissionsBoundaryArn);
 
     const tpi = getTeamProviderInfo(projRoot);
-    const storedArn = _.get(tpi, ['dev', 'awscloudformation', 'PermissionsBoundaryPolicyArn']);
+    const storedArn = _.get(tpi, ['integtest', 'awscloudformation', 'PermissionsBoundaryPolicyArn']);
     expect(storedArn).toEqual(permissionsBoundaryArn);
   });
 });

From 6fbff2bd670f0dbeeef3dd948a2043c8fe7e3599 Mon Sep 17 00:00:00 2001
From: Edward Foyle <foyleef@amazon.com>
Date: Mon, 24 May 2021 13:46:03 -0700
Subject: [PATCH 35/35] fix: change permissions boundary success text

---
 packages/amplify-cli/src/commands/env/update.ts                | 3 ---
 .../src/permissions-boundary/permissions-boundary.ts           | 3 +++
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/packages/amplify-cli/src/commands/env/update.ts b/packages/amplify-cli/src/commands/env/update.ts
index d671b19bad2..27b785451d1 100644
--- a/packages/amplify-cli/src/commands/env/update.ts
+++ b/packages/amplify-cli/src/commands/env/update.ts
@@ -3,7 +3,4 @@ import { executeProviderCommand } from '../../extensions/amplify-helpers/get-pro
 
 export const run = async (context: $TSContext) => {
   await executeProviderCommand(context, 'updateEnv');
-  context.print.info(
-    'Environment configuration will be updated on the next `amplify push`.\nIf there are no other project changes, run `amplify push --force` to push environment configuration chnages.',
-  );
 };
diff --git a/packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts b/packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts
index 200b809c46f..267f2620adc 100644
--- a/packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts
+++ b/packages/amplify-provider-awscloudformation/src/permissions-boundary/permissions-boundary.ts
@@ -4,6 +4,9 @@ import { IAMClient } from '../aws-utils/aws-iam';
 
 export const configurePermissionsBoundaryForExistingEnv = async (context: $TSContext) => {
   setPermissionsBoundaryArn(await permissionsBoundarySupplier(context));
+  context.print.info(
+    'Run `amplify push --force` to update IAM permissions boundary if you have no other resource changes.\nRun `amplify push` to deploy IAM permissions boundary alongside other cloud resource changes.',
+  );
 };
 
 export const configurePermissionsBoundaryForInit = async (context: $TSContext) => {