feat: Custom policies IAM Policies for Lambda and Containers

packages/amplify-category-api/src/provider-utils/awscloudformation/containers-handler.ts

@@ -6,7 +6,7 @@ import { DEPLOYMENT_MECHANISM } from './base-api-stack';
 import { GitHubSourceActionInfo } from './pipeline-with-awaiter';
 import { API_TYPE, IMAGE_SOURCE_TYPE, ResourceDependency, ServiceConfiguration } from './service-walkthroughs/containers-walkthrough';
 import { ApiResource, generateContainersArtifacts } from './utils/containers-artifacts';
-import { addCustomPoliciesFile, pathManager } from "amplify-cli-core";
+import { createDefaultCustomPoliciesFile, pathManager } from 'amplify-cli-core';
 
 export const addResource = async (
   serviceWalkthroughPromise: Promise<ServiceConfiguration>,
@@ -97,7 +97,7 @@ export const addResource = async (
 
   }
 
-  addCustomPoliciesFile(category, resourceName);
+  createDefaultCustomPoliciesFile(category, resourceName);
 
   const customPoliciesPath = pathManager.getCustomPoliciesPath(category, resourceName);
 

packages/amplify-category-function/src/provider-utils/awscloudformation/index.ts

@@ -30,7 +30,7 @@ import {
   saveMutableState,
   updateLayerArtifacts,
 } from './utils/storeResources';
-import {addCustomPoliciesFile} from "amplify-cli-core";
+import { createDefaultCustomPoliciesFile } from 'amplify-cli-core';
 
 /**
  * Entry point for creating a new function
@@ -113,15 +113,14 @@ export async function addFunctionResource(
 
   await createFunctionResources(context, completeParams);
 
-  addCustomPoliciesFile(category, completeParams.resourceName);
+  createDefaultCustomPoliciesFile(category, completeParams.resourceName);
 
   if (!completeParams.skipEdit) {
     await openEditor(context, category, completeParams.resourceName, completeParams.functionTemplate);
   }
 
   const { print } = context;
 
-
   const customPoliciesPath = pathManager.getCustomPoliciesPath(category, completeParams.resourceName);
 
   print.success(`Successfully added resource ${completeParams.resourceName} locally.`);

packages/amplify-cli-core/src/__tests__/customPoliciesUtils.test.ts

@@ -1,7 +1,7 @@
-import {addCustomPoliciesFile} from "../customPoliciesUtils"
-import { JSONUtilities } from "..";
-import { pathManager, PathConstants } from "../state-manager";
-import * as path from 'path';
+import {createDefaultCustomPoliciesFile} from '../customPoliciesUtils'
+import { JSONUtilities } from '..';
+import { pathManager, PathConstants } from '../state-manager';
+import path from 'path';
 
 describe('Custom policies util test', () => {
 
@@ -16,7 +16,7 @@ describe('Custom policies util test', () => {
 
     test('Write default custom policy file to the specified resource name', () => {
 
-        addCustomPoliciesFile(testCategoryName, testResourceName);
+        createDefaultCustomPoliciesFile(testCategoryName, testResourceName);
 
         const data = JSONUtilities.readJson(expectedFilePath);
 

packages/amplify-cli-core/src/__tests__/testFiles/custom-policies-test/function/functionTest/custom-policies.json

@@ -1,8 +1,6 @@
-{
-  "policies": [
-    {
-      "Action": [],
-      "Resource": []
-    }
-  ]
-}
+[
+  {
+    "Action": [],
+    "Resource": []
+  }
+]

packages/amplify-cli-core/src/cfnUtilities.ts

@@ -231,7 +231,7 @@ const CF_SCHEMA = yaml.JSON_SCHEMA.extend([
   }),
 ]);
 
-export function isJsonFileContent(fileContent: string): boolean {
+function isJsonFileContent(fileContent: string): boolean {
   // We use the first character to determine if the content is json or yaml because historically the CLI could
   // have emitted JSON with YML extension, so we can't rely on filename extension.
   return fileContent?.trim()[0] === '{'; // CFN templates are always objects, never arrays

packages/amplify-cli-core/src/customPoliciesUtils.ts

@@ -1,7 +1,5 @@
-import { Fn, IAM } from "cloudform-types";
-import * as iam from '@aws-cdk/aws-iam';
-import { JSONUtilities, pathManager } from ".";
-import * as fs from 'fs-extra';
+import { Fn, IAM } from 'cloudform-types';
+import { JSONUtilities, pathManager } from '.';
 
 export type CustomIAMPolicies = CustomIAMPolicy[];
 
@@ -11,23 +9,22 @@ export type CustomIAMPolicy = {
     Resource: string[];
 }
 
-
 export const CustomIAMPoliciesSchema = {
-    type : "array",
-    minItems: 1,
-    items: {type: "object"},
-    additionalProperties: false
-}
-
-export const CustomIAMPolicySchema = {
-        type: "object",
-        properties: {
-            Action: {type: "array", items: {type: "string"}, minItems: 1, nullable: false},
-            Effect: {type: "string", nullable: true, default: iam.Effect.ALLOW},
-            Resource: {type: "array", items: {type: "string"}, minItems: 1, nullable: false},
-        },
-        required: ["Resource", "Action"],
-        additionalProperties: false
+  type : 'array',
+  minItems: 1,
+  items: {
+    type: 'object',
+    properties: {
+      Action: { type: 'array', items: { type: 'string' }, minItems: 1, nullable: false },
+      Resource: { type: 'array', items: { type: 'string' }, minItems: 1, nullable: false }
+    },
+    optionalProperties: {
+      Effect: { type: 'string', enum:['Allow', 'Deny'], default: 'Allow' },
+    },
+    required: ['Resource', 'Action'],
+    additionalProperties: true
+  },
+  additionalProperties: false
 }
 
 export const customExecutionPolicyForFunction = new IAM.Policy({
@@ -52,7 +49,7 @@ export const customExecutionPolicyForContainer = new IAM.Policy({
     ]
   });
 
-export function addCustomPoliciesFile(categoryName: string, resourceName: string) {
+export function createDefaultCustomPoliciesFile(categoryName: string, resourceName: string) {
   const customPoliciesPath = pathManager.getCustomPoliciesPath(categoryName, resourceName);
   const defaultCustomPolicies = [
     {
@@ -63,15 +60,5 @@ export function addCustomPoliciesFile(categoryName: string, resourceName: string
   JSONUtilities.writeJson(customPoliciesPath, defaultCustomPolicies);
 }
 
-export function isCustomPoliciesFile(filePath: string) {
-  try{
-    const fileString = fs.readFileSync(filePath, 'utf-8');
-    JSON.parse(fileString);
-    return true;
-  } catch(err) {
-  return false;
-  }
-}
-
 
 

packages/amplify-cli-core/src/index.ts

@@ -24,7 +24,7 @@ export * from './cliGetCategories';
 export * from './cliRemoveResourcePrompt';
 export * from './cliViewAPI';
 export * from './hooks';
-export * from "./cliViewAPI";
+export * from './cliViewAPI';
 export * from './customPoliciesUtils'
 
 // Temporary types until we can finish full type definition across the whole CLI

packages/amplify-cli-core/src/state-manager/stateManager.ts

@@ -1,12 +1,12 @@
 import * as fs from 'fs-extra';
+import * as path from 'path';
 import _ from 'lodash';
 import { PathConstants, pathManager } from './pathManager';
 import { $TSMeta, $TSTeamProviderInfo, $TSAny, DeploymentSecrets, HooksConfig } from '..';
 import { JSONUtilities } from '../jsonUtilities';
 import { SecretFileMode } from '../cliConstants';
 import { HydrateTags, ReadTags, Tag } from '../tags';
-import { CustomIAMPolicies, isCustomPoliciesFile } from '../customPoliciesUtils';
-import path from 'path';
+import { CustomIAMPolicies } from '../customPoliciesUtils';
 
 export type GetOptions<T> = {
   throwIfNotExist?: boolean;
@@ -79,10 +79,11 @@ export class StateManager {
 
   getCustomPolicies = (categoryName: string, resourceName: string): CustomIAMPolicies | undefined => {
     const filePath = pathManager.getCustomPoliciesPath(categoryName, resourceName);
-    if (!(fs.existsSync(filePath)) || !isCustomPoliciesFile(filePath)) {
+    try{
+      return JSONUtilities.readJson<CustomIAMPolicies>(filePath);
+    } catch(err) {
       return undefined;
     }
-    return JSONUtilities.readJson<CustomIAMPolicies>(filePath);
   };
 
   localEnvInfoExists = (projectPath?: string): boolean => this.doesExist(pathManager.getLocalEnvFilePath, projectPath);

packages/amplify-e2e-core/src/categories/api.ts

@@ -567,7 +567,7 @@ export function addRestContainerApi(projectDir: string) {
   });
 }
 
-export function addRestContainerApiForCustomPolicies(projectDir: string) {
+export function addRestContainerApiForCustomPolicies(projectDir: string, settings: { name: string }) {
   return new Promise<void>((resolve, reject) => {
     spawn(getCLIPath(), ['add', 'api'], { cwd: projectDir, stripColors: true })
       .wait('Please select from one of the below mentioned services:')
@@ -577,7 +577,7 @@ export function addRestContainerApiForCustomPolicies(projectDir: string) {
       .sendKeyDown()
       .sendCarriageReturn()
       .wait('Provide a friendly name for your resource to be used as a label for this category in the project:')
-      .send('containertest')
+      .send(settings.name)
       .sendCarriageReturn()
       .wait('What image would you like to use')
       .sendKeyDown()

packages/amplify-e2e-core/src/utils/projectMeta.ts

@@ -29,7 +29,7 @@ function getProjectMeta(projectRoot: string) {
   return JSON.parse(fs.readFileSync(metaFilePath, 'utf8'));
 }
 function getCustomPoliciesPath(projectRoot: string, category: string, resourceName: string): string {
-  return path.join(projectRoot, 'amplify', 'backend', category, resourceName, 'custom-iam-policy-documents.json');
+  return path.join(projectRoot, 'amplify', 'backend', category, resourceName, 'custom-policies.json');
 }
 
 function getProjectTags(projectRoot: string) {

packages/amplify-e2e-tests/src/__tests__/custom_policies_container.test.ts

@@ -48,7 +48,7 @@ it(`should init and deploy a api container, attach custom policies to the Fargat
   const name = 'containertest';
   await initJSProjectWithProfile(projRoot, { name: containerName, envName });
   await setupAmplifyProject(projRoot);
-  await addRestContainerApiForCustomPolicies(projRoot);
+  await addRestContainerApiForCustomPolicies(projRoot, { name: name });
 
   const meta = getProjectMeta(projRoot);
   const { Region: region } = meta?.providers?.awscloudformation;

packages/amplify-provider-awscloudformation/src/__tests__/pre-push-cfn-processor/cfn-pre-processor.test.ts

@@ -23,8 +23,7 @@ const customPolicies: CustomIAMPolicies = [
     Action : ['test:test'],
     Effect : 'Allow',
     Resource : ['arn:aws:s3:us-east-2:012345678910:testResource']
-  }
-];
+  }];
 
 readCFNTemplate_mock.mockResolvedValue({
   templateFormat,
@@ -39,6 +38,7 @@ const backendPath = '/project/amplify/backend';
 const resourcePath = 'api/resourceName/cfn-template-name.json';
 
 pathManager_mock.getBackendDirPath.mockReturnValue(backendPath);
+pathManager_mock.getResourceDirectoryPath.mockReturnValue(backendPath);
 stateManager_mock.getCustomPolicies.mockReturnValue(customPolicies);
 stateManager_mock.getLocalEnvInfo.mockReturnValue({envName:'test'});
 
@@ -68,8 +68,8 @@ describe('preProcessCFNTemplate', () => {
   it('writes valid custom policies to cfn template', async () => {
     const cfnTemplate = ({
       Resources: {
-        "LambdaExecutionRole": {
-          "Type": "AWS::IAM::Role"
+        LambdaExecutionRole: {
+          Type: 'AWS::IAM::Role'
         }
       },
     } as unknown) as Template;
@@ -79,7 +79,7 @@ describe('preProcessCFNTemplate', () => {
       cfnTemplate,
     });
 
-    await writeCustomPoliciesToCFNTemplate('test', 'Lambda', backendPath, 'cfn-template.json', 'test', path.join(backendPath, resourcePath));
+    await writeCustomPoliciesToCFNTemplate('test', 'Lambda', 'cfn-template.json', 'test');
 
     const templateWithCustomPolicies = writeCFNTemplate_mock.mock.calls[0][0] as any;