Define IAM Permissions Boundary for Project

.circleci/config.yml

@@ -1119,30 +1119,38 @@ jobs:
     environment:
       TEST_SUITE: src/__tests__/migration/node.function.test.ts
       CLI_REGION: eu-west-2
+  iam-permission-boundary-amplify_e2e_tests:
+    working_directory: ~/repo
+    docker: *ref_1
+    resource_class: large
+    steps: *ref_4
+    environment:
+      TEST_SUITE: src/__tests__/iam-permission-boundary.test.ts
+      CLI_REGION: eu-central-1
   function_5-amplify_e2e_tests:
     working_directory: ~/repo
     docker: *ref_1
     resource_class: large
     steps: *ref_4
     environment:
       TEST_SUITE: src/__tests__/function_5.test.ts
-      CLI_REGION: eu-central-1
+      CLI_REGION: ap-northeast-1
   configure-project-amplify_e2e_tests:
     working_directory: ~/repo
     docker: *ref_1
     resource_class: large
     steps: *ref_4
     environment:
       TEST_SUITE: src/__tests__/configure-project.test.ts
-      CLI_REGION: ap-northeast-1
+      CLI_REGION: ap-southeast-1
   api_4-amplify_e2e_tests:
     working_directory: ~/repo
     docker: *ref_1
     resource_class: large
     steps: *ref_4
     environment:
       TEST_SUITE: src/__tests__/api_4.test.ts
-      CLI_REGION: ap-southeast-1
+      CLI_REGION: ap-southeast-2
   schema-iterative-update-4-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
     docker: *ref_1
@@ -1803,6 +1811,16 @@ jobs:
       TEST_SUITE: src/__tests__/migration/node.function.test.ts
       CLI_REGION: eu-west-2
     steps: *ref_5
+  iam-permission-boundary-amplify_e2e_tests_pkg_linux:
+    working_directory: ~/repo
+    docker: *ref_1
+    resource_class: large
+    environment:
+      AMPLIFY_DIR: /home/circleci/repo/out
+      AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
+      TEST_SUITE: src/__tests__/iam-permission-boundary.test.ts
+      CLI_REGION: eu-central-1
+    steps: *ref_5
   function_5-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
     docker: *ref_1
@@ -1811,7 +1829,7 @@ jobs:
       AMPLIFY_DIR: /home/circleci/repo/out
       AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
       TEST_SUITE: src/__tests__/function_5.test.ts
-      CLI_REGION: eu-central-1
+      CLI_REGION: ap-northeast-1
     steps: *ref_5
   configure-project-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
@@ -1821,7 +1839,7 @@ jobs:
       AMPLIFY_DIR: /home/circleci/repo/out
       AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
       TEST_SUITE: src/__tests__/configure-project.test.ts
-      CLI_REGION: ap-northeast-1
+      CLI_REGION: ap-southeast-1
     steps: *ref_5
   api_4-amplify_e2e_tests_pkg_linux:
     working_directory: ~/repo
@@ -1831,7 +1849,7 @@ jobs:
       AMPLIFY_DIR: /home/circleci/repo/out
       AMPLIFY_PATH: /home/circleci/repo/out/amplify-pkg-linux
       TEST_SUITE: src/__tests__/api_4.test.ts
-      CLI_REGION: ap-southeast-1
+      CLI_REGION: ap-southeast-2
     steps: *ref_5
 workflows:
   version: 2
@@ -1944,19 +1962,19 @@ workflows:
             - predictions-amplify_e2e_tests
             - schema-predictions-amplify_e2e_tests
             - amplify-configure-amplify_e2e_tests
-            - function_5-amplify_e2e_tests
+            - iam-permission-boundary-amplify_e2e_tests
             - containers-api-amplify_e2e_tests
             - interactions-amplify_e2e_tests
             - datastore-modelgen-amplify_e2e_tests
-            - configure-project-amplify_e2e_tests
+            - function_5-amplify_e2e_tests
             - schema-iterative-update-2-amplify_e2e_tests
             - schema-data-access-patterns-amplify_e2e_tests
             - init-special-case-amplify_e2e_tests
-            - api_4-amplify_e2e_tests
-            - auth_1-amplify_e2e_tests
+            - configure-project-amplify_e2e_tests
             - feature-flags-amplify_e2e_tests
             - schema-versioned-amplify_e2e_tests
             - plugin-amplify_e2e_tests
+            - api_4-amplify_e2e_tests
       - done_with_pkg_linux_e2e_tests:
           requires:
             - schema-key-amplify_e2e_tests_pkg_linux
@@ -1974,19 +1992,19 @@ workflows:
             - predictions-amplify_e2e_tests_pkg_linux
             - schema-predictions-amplify_e2e_tests_pkg_linux
             - amplify-configure-amplify_e2e_tests_pkg_linux
-            - function_5-amplify_e2e_tests_pkg_linux
+            - iam-permission-boundary-amplify_e2e_tests_pkg_linux
             - containers-api-amplify_e2e_tests_pkg_linux
             - interactions-amplify_e2e_tests_pkg_linux
             - datastore-modelgen-amplify_e2e_tests_pkg_linux
-            - configure-project-amplify_e2e_tests_pkg_linux
+            - function_5-amplify_e2e_tests_pkg_linux
             - schema-iterative-update-2-amplify_e2e_tests_pkg_linux
             - schema-data-access-patterns-amplify_e2e_tests_pkg_linux
             - init-special-case-amplify_e2e_tests_pkg_linux
-            - api_4-amplify_e2e_tests_pkg_linux
-            - auth_1-amplify_e2e_tests_pkg_linux
+            - configure-project-amplify_e2e_tests_pkg_linux
             - feature-flags-amplify_e2e_tests_pkg_linux
             - schema-versioned-amplify_e2e_tests_pkg_linux
             - plugin-amplify_e2e_tests_pkg_linux
+            - api_4-amplify_e2e_tests_pkg_linux
       - amplify_migration_tests_latest:
           context:
             - amplify-ecr-image-pull
@@ -2339,7 +2357,7 @@ workflows:
           filters: *ref_9
           requires:
             - auth_4-amplify_e2e_tests
-      - function_5-amplify_e2e_tests:
+      - iam-permission-boundary-amplify_e2e_tests:
           context: *ref_7
           post-steps: *ref_8
           filters: *ref_9
@@ -2399,7 +2417,7 @@ workflows:
           filters: *ref_9
           requires:
             - migration-api-key-migration1-amplify_e2e_tests
-      - configure-project-amplify_e2e_tests:
+      - function_5-amplify_e2e_tests:
           context: *ref_7
           post-steps: *ref_8
           filters: *ref_9
@@ -2459,7 +2477,7 @@ workflows:
           filters: *ref_9
           requires:
             - layer-amplify_e2e_tests
-      - api_4-amplify_e2e_tests:
+      - configure-project-amplify_e2e_tests:
           context: *ref_7
           post-steps: *ref_8
           filters: *ref_9
@@ -2519,6 +2537,12 @@ workflows:
           filters: *ref_9
           requires:
             - auth_3-amplify_e2e_tests
+      - api_4-amplify_e2e_tests:
+          context: *ref_7
+          post-steps: *ref_8
+          filters: *ref_9
+          requires:
+            - auth_1-amplify_e2e_tests
       - schema-iterative-update-4-amplify_e2e_tests_pkg_linux:
           context: &ref_10
             - amplify-ecr-image-pull
@@ -2777,7 +2801,7 @@ workflows:
           filters: *ref_12
           requires:
             - auth_4-amplify_e2e_tests_pkg_linux
-      - function_5-amplify_e2e_tests_pkg_linux:
+      - iam-permission-boundary-amplify_e2e_tests_pkg_linux:
           context: *ref_10
           post-steps: *ref_11
           filters: *ref_12
@@ -2841,7 +2865,7 @@ workflows:
           filters: *ref_12
           requires:
             - migration-api-key-migration1-amplify_e2e_tests_pkg_linux
-      - configure-project-amplify_e2e_tests_pkg_linux:
+      - function_5-amplify_e2e_tests_pkg_linux:
           context: *ref_10
           post-steps: *ref_11
           filters: *ref_12
@@ -2905,7 +2929,7 @@ workflows:
           filters: *ref_12
           requires:
             - layer-amplify_e2e_tests_pkg_linux
-      - api_4-amplify_e2e_tests_pkg_linux:
+      - configure-project-amplify_e2e_tests_pkg_linux:
           context: *ref_10
           post-steps: *ref_11
           filters: *ref_12
@@ -2969,3 +2993,9 @@ workflows:
           filters: *ref_12
           requires:
             - auth_3-amplify_e2e_tests_pkg_linux
+      - api_4-amplify_e2e_tests_pkg_linux:
+          context: *ref_10
+          post-steps: *ref_11
+          filters: *ref_12
+          requires:
+            - auth_1-amplify_e2e_tests_pkg_linux

packages/amplify-cli-core/src/index.ts

@@ -5,6 +5,7 @@ export * from './cliContext';
 export * from './cliContextEnvironmentProvider';
 export * from './cliEnvironmentProvider';
 export * from './feature-flags';
+export * from './permissionBoundaryState';
 export * from './jsonUtilities';
 export * from './jsonValidationError';
 export * from './serviceSelection';

packages/amplify-cli-core/src/permissionBoundaryState.ts

@@ -0,0 +1,24 @@
+import { stateManager } from './state-manager';
+import _ from 'lodash';
+
+const backendConfigObjectPath = ['providers', 'awscloudformation', 'PermissionBoundaryPolicyArn'];
+
+export const getPermissionBoundaryArn: () => string | undefined = () => {
+  try {
+    const backendConfig = stateManager.getBackendConfig();
+    return _.get(backendConfig, backendConfigObjectPath) as string | undefined;
+  } catch (err) {
+    // uninitialized project
+    return undefined;
+  }
+};
+
+export const setPermissionBoundaryArn: (arn?: string) => void = arn => {
+  const backendConfig = stateManager.getBackendConfig();
+  if (!arn) {
+    _.unset(backendConfig, backendConfigObjectPath);
+  } else {
+    _.set(backendConfig, backendConfigObjectPath, arn);
+  }
+  stateManager.setBackendConfig(undefined, backendConfig);
+};

packages/amplify-cli/src/config-steps/c0-analyzeProject.ts

@@ -6,7 +6,7 @@ import { getEnvInfo } from '../extensions/amplify-helpers/get-env-info';
 import { displayConfigurationDefaults } from '../init-steps/s0-analyzeProject';
 import { getFrontendPlugins } from '../extensions/amplify-helpers/get-frontend-plugins';
 import { isContainersEnabled } from '../execution-manager';
-import { stateManager } from 'amplify-cli-core';
+import { getPermissionBoundaryArn, stateManager } from 'amplify-cli-core';
 
 export async function analyzeProject(context) {
   context.exeInfo.projectConfig = stateManager.getProjectConfig(undefined, {
@@ -42,14 +42,14 @@ export async function analyzeProject(context) {
     }
   }
 
-  await displayContainersInfo(context);
+  await displayAdvancedSettings(context);
   context.print.info('');
 
   const configurationSetting = await getConfigurationSetting();
 
-  if (configurationSetting === 'containers') {
+  if (configurationSetting === 'advanced') {
     context.exeInfo.inputParams.yes = true;
-    context.exeInfo.inputParams.containerSetting = true;
+    context.exeInfo.inputParams.advanced = true;
   }
   if (configurationSetting === 'profile') {
     context.exeInfo.inputParams.yes = true;
@@ -67,10 +67,12 @@ function displayProfileSetting(context, profileName) {
   context.print.info(`| Selected profile: ${profileName}`);
 }
 
-function displayContainersInfo(context) {
-  context.print.info('Advanced: Container-based deployments');
+function displayAdvancedSettings(context) {
+  context.print.info('Advanced');
   const containerDeploymentStatus = isContainersEnabled(context) ? 'Yes' : 'No';
   context.print.info(`| Leverage container-based deployments: ${containerDeploymentStatus}`);
+  const permissionBoundaryArnDisplay = getPermissionBoundaryArn() ?? '';
+  context.print.info(`| IAM Role Permission Boundary Policy ARN: ${permissionBoundaryArnDisplay}`);
 }
 
 async function getConfigurationSetting() {
@@ -81,13 +83,13 @@ async function getConfigurationSetting() {
     choices: [
       { name: 'Project information', value: 'project' },
       { name: 'AWS Profile setting', value: 'profile' },
-      { name: 'Advanced: Container-based deployments', value: 'containers' },
+      { name: 'Advanced', value: 'advanced' },
     ],
     default: 'project',
   };
 
   const { configurationSetting } = await inquirer.prompt(configureSettingQuestion);
-  return configurationSetting;
+  return configurationSetting as 'project' | 'profile' | 'advanced';
 }
 
 async function configureProjectName(context) {

packages/amplify-e2e-core/src/configure/index.ts

@@ -28,7 +28,7 @@ export const amplifyRegions = [
   'ca-central-1',
 ];
 
-const configurationOptions = ['Project information', 'AWS Profile setting', 'Advanced: Container-based deployments'];
+const configurationOptions = ['Project information', 'AWS Profile setting', 'Advanced'];
 const profileOptions = ['No', 'Update AWS Profile', 'Remove AWS Profile'];
 const authenticationOptions = ['AWS profile', 'AWS access keys'];
 
@@ -82,6 +82,7 @@ export function amplifyConfigureProject(settings: {
   profileOption?: string;
   authenticationOption?: string;
   region?: string;
+  permissionBoundaryArn?: string;
 }): Promise<void> {
   const {
     cwd,
@@ -90,6 +91,7 @@ export function amplifyConfigureProject(settings: {
     authenticationOption,
     configLevel = 'project',
     region = defaultSettings.region,
+    permissionBoundaryArn,
   } = settings;
 
   return new Promise((resolve, reject) => {
@@ -98,6 +100,10 @@ export function amplifyConfigureProject(settings: {
     if (enableContainers) {
       singleSelect(chain, configurationOptions[2], configurationOptions);
       chain.wait('Do you want to enable container-based deployments?').sendConfirmYes();
+    } else if (permissionBoundaryArn !== undefined) {
+      singleSelect(chain, configurationOptions[2], configurationOptions);
+      chain.wait('Do you want to enable container-based deployments?').sendConfirmNo();
+      chain.wait('Specify an IAM Policy ARN to use as a Permission Boundary').sendLine(permissionBoundaryArn);
     } else {
       singleSelect(chain, configurationOptions[1], configurationOptions);
 

packages/amplify-e2e-core/src/utils/sdk-calls.ts

@@ -310,3 +310,8 @@ export const listAttachedRolePolicies = async (roleName: string, region: string)
   const service = new IAM({ region });
   return (await service.listAttachedRolePolicies({ RoleName: roleName }).promise()).AttachedPolicies;
 };
+
+export const getPermissionBoundary = async (roleName: string, region) => {
+  const iamClient = new IAM({ region });
+  return (await iamClient.getRole({ RoleName: roleName }).promise())?.Role?.PermissionsBoundary?.PermissionsBoundaryArn;
+};

packages/amplify-e2e-tests/src/__tests__/iam-permission-boundary.test.ts

@@ -0,0 +1,40 @@
+import {
+  addFunction,
+  amplifyConfigureProject,
+  amplifyPushAuth,
+  createNewProjectDir,
+  deleteProject,
+  deleteProjectDir,
+  getPermissionBoundary,
+  getProjectMeta,
+  initJSProjectWithProfile,
+} from 'amplify-e2e-core';
+import { addSimpleFunction } from '../schema-api-directives/functionTester';
+
+// Using a random AWS managed policy as a permission boundary
+const permissionBoundaryArn = 'arn:aws:iam::aws:policy/AlexaForBusinessFullAccess';
+
+describe('iam permission boundary', () => {
+  let projRoot: string;
+  beforeEach(async () => {
+    projRoot = await createNewProjectDir('init');
+  });
+
+  afterEach(async () => {
+    await deleteProject(projRoot);
+    deleteProjectDir(projRoot);
+  });
+  test('permission boundary is applied to roles created by the CLI', async () => {
+    await initJSProjectWithProfile(projRoot, {});
+    await amplifyConfigureProject({ cwd: projRoot, permissionBoundaryArn });
+    // adding a function isn't strictly part of the test, it just causes the project to have changes to push
+    await addFunction(projRoot, { functionTemplate: 'Hello World' }, 'nodejs');
+    await amplifyPushAuth(projRoot);
+    const meta = getProjectMeta(projRoot);
+    const authRoleName = meta?.providers?.awscloudformation?.AuthRoleName;
+    const region = meta?.providers?.awscloudformation?.Region;
+
+    const actualPermBoundary = await getPermissionBoundary(authRoleName, region);
+    expect(actualPermBoundary).toEqual(permissionBoundaryArn);
+  });
+});