@aws-amplify/graphql-api-construct 1.7.0-fix-publish-tag.0 → 1.7.0-gen2-release.0

package/node_modules/graphql-transformer-common/CHANGELOG.md

@@ -3,7 +3,7 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
-# [4.29.0-fix-publish-tag.0](https://github.com/aws-amplify/amplify-category-api/compare/graphql-transformer-common@4.28.1...graphql-transformer-common@4.29.0-fix-publish-tag.0) (2024-03-27)
+# [4.29.0-gen2-release.0](https://github.com/aws-amplify/amplify-category-api/compare/graphql-transformer-common@4.28.1...graphql-transformer-common@4.29.0-gen2-release.0) (2024-03-27)
 
 ### Features
 

package/node_modules/graphql-transformer-common/package.json

@@ -1,6 +1,6 @@
 {
   "name": "graphql-transformer-common",
-  "version": "4.29.0-fix-publish-tag.0",
+  "version": "4.29.0-gen2-release.0",
   "description": "Common code and constants for AppSync Transformers",
   "repository": {
     "type": "git",
@@ -66,5 +66,5 @@
       "/__tests__/"
     ]
   },
-  "gitHead": "b32d1359cc20706274a128fa42cea8f849226671"
+  "gitHead": "03f6c0039768b2540f158cd3dfac8e45f678fceb"
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aws-amplify/graphql-api-construct",
-  "version": "1.7.0-fix-publish-tag.0",
+  "version": "1.7.0-gen2-release.0",
   "description": "AppSync GraphQL Api Construct using Amplify GraphQL Transformer.",
   "repository": {
     "type": "git",
@@ -75,20 +75,20 @@
   "dependencies": {
     "@aws-amplify/backend-output-schemas": "^0.4.0",
     "@aws-amplify/backend-output-storage": "^0.2.2",
-    "@aws-amplify/graphql-auth-transformer": "3.4.2-fix-publish-tag.0",
-    "@aws-amplify/graphql-default-value-transformer": "2.3.2-fix-publish-tag.0",
-    "@aws-amplify/graphql-function-transformer": "2.1.19-fix-publish-tag.0",
-    "@aws-amplify/graphql-http-transformer": "2.1.19-fix-publish-tag.0",
-    "@aws-amplify/graphql-index-transformer": "2.3.8-fix-publish-tag.0",
-    "@aws-amplify/graphql-maps-to-transformer": "3.4.9-fix-publish-tag.0",
-    "@aws-amplify/graphql-model-transformer": "2.7.0-fix-publish-tag.0",
-    "@aws-amplify/graphql-predictions-transformer": "2.1.19-fix-publish-tag.0",
-    "@aws-amplify/graphql-relational-transformer": "2.4.2-fix-publish-tag.0",
-    "@aws-amplify/graphql-searchable-transformer": "2.6.2-fix-publish-tag.0",
-    "@aws-amplify/graphql-sql-transformer": "0.2.8-fix-publish-tag.0",
-    "@aws-amplify/graphql-transformer": "1.4.0-fix-publish-tag.0",
-    "@aws-amplify/graphql-transformer-core": "2.5.1-fix-publish-tag.0",
-    "@aws-amplify/graphql-transformer-interfaces": "3.5.0-fix-publish-tag.0",
+    "@aws-amplify/graphql-auth-transformer": "3.5.0-gen2-release.0",
+    "@aws-amplify/graphql-default-value-transformer": "2.3.2-gen2-release.0",
+    "@aws-amplify/graphql-function-transformer": "2.1.19-gen2-release.0",
+    "@aws-amplify/graphql-http-transformer": "2.1.19-gen2-release.0",
+    "@aws-amplify/graphql-index-transformer": "2.3.8-gen2-release.0",
+    "@aws-amplify/graphql-maps-to-transformer": "3.4.9-gen2-release.0",
+    "@aws-amplify/graphql-model-transformer": "2.7.0-gen2-release.0",
+    "@aws-amplify/graphql-predictions-transformer": "2.1.19-gen2-release.0",
+    "@aws-amplify/graphql-relational-transformer": "2.4.2-gen2-release.0",
+    "@aws-amplify/graphql-searchable-transformer": "2.6.2-gen2-release.0",
+    "@aws-amplify/graphql-sql-transformer": "0.2.8-gen2-release.0",
+    "@aws-amplify/graphql-transformer": "1.4.0-gen2-release.0",
+    "@aws-amplify/graphql-transformer-core": "2.5.1-gen2-release.0",
+    "@aws-amplify/graphql-transformer-interfaces": "3.5.0-gen2-release.0",
     "@aws-amplify/platform-core": "^0.2.0",
     "@aws-amplify/plugin-types": "^0.4.1",
     "charenc": "^0.0.2",
@@ -97,7 +97,7 @@
     "graceful-fs": "^4.2.11",
     "graphql": "^15.5.0",
     "graphql-mapping-template": "4.20.15",
-    "graphql-transformer-common": "4.29.0-fix-publish-tag.0",
+    "graphql-transformer-common": "4.29.0-gen2-release.0",
     "hjson": "^3.2.2",
     "immer": "^9.0.12",
     "is-buffer": "^2.0.5",
@@ -112,7 +112,7 @@
     "zod": "^3.22.3"
   },
   "devDependencies": {
-    "@aws-amplify/graphql-transformer-test-utils": "0.4.7-fix-publish-tag.0",
+    "@aws-amplify/graphql-transformer-test-utils": "0.4.7-gen2-release.0",
     "@types/fs-extra": "^8.0.1",
     "@types/node": "^12.12.6",
     "aws-cdk-lib": "2.80.0",
@@ -177,5 +177,5 @@
       "/__tests__/"
     ]
   },
-  "gitHead": "b32d1359cc20706274a128fa42cea8f849226671"
+  "gitHead": "03f6c0039768b2540f158cd3dfac8e45f678fceb"
 }

package/src/amplify-graphql-api.ts

@@ -48,6 +48,7 @@ import {
   getGeneratedFunctionSlots,
   CodegenAssets,
   getAdditionalAuthenticationTypes,
+  validateAuthorizationModes,
 } from './internal';
 import { getStackForScope, walkAndProcessNodes } from './internal/construct-tree';
 import { getDataSourceStrategiesProvider } from './internal/data-source-config';
@@ -169,6 +170,7 @@ export class AmplifyGraphqlApi extends Construct {
       dataSources,
     });
 
+    validateAuthorizationModes(authorizationModes);
     const { authConfig, authSynthParameters } = convertAuthorizationModesToTransformerAuthConfig(authorizationModes);
 
     validateFunctionSlots(functionSlots ?? []);

package/src/index.ts

@@ -4,6 +4,7 @@
  */
 export type {
   IAMAuthorizationConfig,
+  IdentityPoolAuthorizationConfig,
   UserPoolAuthorizationConfig,
   OIDCAuthorizationConfig,
   ApiKeyAuthorizationConfig,

package/src/internal/authorization-modes.ts

@@ -5,19 +5,61 @@ import { IRole, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
 import {
   AuthorizationModes,
   ApiKeyAuthorizationConfig,
-  IAMAuthorizationConfig,
   LambdaAuthorizationConfig,
   OIDCAuthorizationConfig,
   UserPoolAuthorizationConfig,
 } from '../types';
 
 type AuthorizationConfigMode =
-  | (IAMAuthorizationConfig & { type: 'AWS_IAM' })
+  | { type: 'AWS_IAM' }
   | (UserPoolAuthorizationConfig & { type: 'AMAZON_COGNITO_USER_POOLS' })
   | (OIDCAuthorizationConfig & { type: 'OPENID_CONNECT' })
   | (ApiKeyAuthorizationConfig & { type: 'API_KEY' })
   | (LambdaAuthorizationConfig & { type: 'AWS_LAMBDA' });
 
+/**
+ * Validates authorization modes.
+ *
+ * Rules:
+ * 1. Validates that deprecated settings ('iamConfig.authenticatedUserRole', 'iamConfig.unauthenticatedUserRole',
+ *    'iamConfig.identityPoolId', 'iamConfig.allowListedRoles' and 'adminRoles') are mutually exclusive with new settings that
+ *    replaced them ('iamConfig.enableIamAuthorizationMode' and any of 'authorizationModes.identityPoolConfig')
+ * 2. If deprecated identity pool settings are used ('iamConfig.authenticatedUserRole', 'iamConfig.unauthenticatedUserRole',
+ *    and 'iamConfig.identityPoolId') validate that all are provided.
+ */
+export const validateAuthorizationModes = (authorizationModes: AuthorizationModes): void => {
+  const hasAnyDeprecatedIdentityPoolSetting =
+    authorizationModes.iamConfig?.authenticatedUserRole ||
+    authorizationModes.iamConfig?.unauthenticatedUserRole ||
+    authorizationModes.iamConfig?.identityPoolId;
+  const hasAllDeprecatedIdentityPoolSettings =
+    authorizationModes.iamConfig?.authenticatedUserRole &&
+    authorizationModes.iamConfig?.unauthenticatedUserRole &&
+    authorizationModes.iamConfig?.identityPoolId;
+  const hasDeprecatedIamSettings =
+    authorizationModes.iamConfig?.authenticatedUserRole ||
+    authorizationModes.iamConfig?.unauthenticatedUserRole ||
+    authorizationModes.iamConfig?.identityPoolId ||
+    authorizationModes.iamConfig?.allowListedRoles ||
+    authorizationModes.adminRoles;
+  const hasUnDeprecatedIamSettings =
+    typeof authorizationModes.iamConfig?.enableIamAuthorizationMode !== 'undefined' || authorizationModes.identityPoolConfig;
+
+  if (hasDeprecatedIamSettings && hasUnDeprecatedIamSettings) {
+    throw new Error(
+      'Invalid authorization modes configuration provided. ' +
+        "Deprecated IAM configuration cannot be used with identity pool configuration or when 'enableIamAuthorizationMode' is specified.",
+    );
+  }
+
+  if (hasAnyDeprecatedIdentityPoolSetting && !hasAllDeprecatedIdentityPoolSettings) {
+    throw new Error(
+      "'authorizationModes.iamConfig.authenticatedUserRole', 'authorizationModes.iamConfig.unauthenticatedUserRole' and" +
+        " 'authorizationModes.iamConfig.identityPoolId' must be provided.",
+    );
+  }
+};
+
 /**
  * Converts a single auth mode config into the amplify-internal representation.
  * @param authMode the auth mode to convert into the Appsync CDK representation.
@@ -79,7 +121,7 @@ const convertAuthConfigToAppSyncAuth = (authModes: AuthorizationModes): AppSyncA
     authModes.lambdaConfig ? { type: 'AWS_LAMBDA', ...authModes.lambdaConfig } : null,
     authModes.oidcConfig ? { type: 'OPENID_CONNECT', ...authModes.oidcConfig } : null,
     authModes.userPoolConfig ? { type: 'AMAZON_COGNITO_USER_POOLS', ...authModes.userPoolConfig } : null,
-    authModes.iamConfig ? { type: 'AWS_IAM', ...authModes.iamConfig } : null,
+    authModes.iamConfig || authModes.identityPoolConfig ? { type: 'AWS_IAM' } : null,
   ].filter((mode) => mode) as AuthorizationConfigMode[];
   const authProviders = authConfig.map(convertAuthModeToAuthProvider);
 
@@ -116,7 +158,7 @@ const convertAuthConfigToAppSyncAuth = (authModes: AuthorizationModes): AppSyncA
 
 type AuthSynthParameters = Pick<
   SynthParameters,
-  'userPoolId' | 'authenticatedUserRoleName' | 'unauthenticatedUserRoleName' | 'identityPoolId' | 'adminRoles'
+  'userPoolId' | 'authenticatedUserRoleName' | 'unauthenticatedUserRoleName' | 'identityPoolId' | 'adminRoles' | 'enableIamAccess'
 >;
 
 interface AuthConfig {
@@ -177,12 +219,19 @@ const getAllowListedRoles = (authModes: AuthorizationModes): string[] =>
  */
 const getSynthParameters = (authModes: AuthorizationModes): AuthSynthParameters => ({
   adminRoles: getAllowListedRoles(authModes),
-  identityPoolId: authModes.iamConfig?.identityPoolId,
+  identityPoolId: authModes.identityPoolConfig?.identityPoolId ?? authModes.iamConfig?.identityPoolId,
+  enableIamAccess: authModes.iamConfig?.enableIamAuthorizationMode,
   ...(authModes.userPoolConfig ? { userPoolId: authModes.userPoolConfig.userPool.userPoolId } : {}),
-  ...(authModes?.iamConfig
+  ...(authModes?.identityPoolConfig
+    ? {
+        authenticatedUserRoleName: authModes.identityPoolConfig.authenticatedUserRole.roleName,
+        unauthenticatedUserRoleName: authModes.identityPoolConfig.unauthenticatedUserRole.roleName,
+      }
+    : {}),
+  ...(authModes?.iamConfig && authModes?.iamConfig.authenticatedUserRole && authModes?.iamConfig.unauthenticatedUserRole
     ? {
-        authenticatedUserRoleName: authModes.iamConfig.authenticatedUserRole.roleName,
-        unauthenticatedUserRoleName: authModes.iamConfig.unauthenticatedUserRole.roleName,
+        authenticatedUserRoleName: authModes.iamConfig.authenticatedUserRole?.roleName,
+        unauthenticatedUserRoleName: authModes.iamConfig.unauthenticatedUserRole?.roleName,
       }
     : {}),
 });

package/src/internal/codegen-assets.ts

@@ -1,5 +1,5 @@
-import { RemovalPolicy } from 'aws-cdk-lib';
-import { Bucket, IBucket } from 'aws-cdk-lib/aws-s3';
+import { RemovalPolicy, Fn } from 'aws-cdk-lib';
+import { Bucket, HttpMethods, IBucket } from 'aws-cdk-lib/aws-s3';
 import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';
 import { Construct } from 'constructs';
 
@@ -8,6 +8,7 @@ export type CodegenAssetsProps = {
 };
 
 const MODEL_SCHEMA_KEY = 'model-schema.graphql';
+const CONSOLE_SERVICE_ENDPOINT = Fn.join('', ['https://', Fn.ref('AWS::Region'), '.console.aws.amazon.com/amplify']);
 
 /**
  * Construct an S3 URI string for a given bucket and key.
@@ -30,6 +31,14 @@ export class CodegenAssets extends Construct {
     const bucket = new Bucket(this, `${id}Bucket`, {
       removalPolicy: RemovalPolicy.DESTROY,
       autoDeleteObjects: true,
+      // Enabling CORS to allow console to access the codegen assets.
+      cors: [
+        {
+          allowedMethods: [HttpMethods.GET, HttpMethods.HEAD],
+          allowedHeaders: ['*'],
+          allowedOrigins: [CONSOLE_SERVICE_ENDPOINT],
+        },
+      ],
     });
 
     const deployment = new BucketDeployment(this, `${id}Deployment`, {

package/src/types.ts

@@ -28,25 +28,68 @@ export interface IAMAuthorizationConfig {
   /**
    * ID for the Cognito Identity Pool vending auth and unauth roles.
    * Format: `<region>:<id string>`
+   *
+   * @deprecated Use 'IdentityPoolAuthorizationConfig.identityPoolId' instead.
+   * See https://docs.amplify.aws/cli/react/tools/cli/migration/iam-auth-updates-for-cdk-construct for details.
    */
-  readonly identityPoolId: string;
+  readonly identityPoolId?: string;
 
   /**
    * Authenticated user role, applies to { provider: iam, allow: private } access.
+   *
+   * @deprecated Use 'IdentityPoolAuthorizationConfig.authenticatedUserRole' instead.
+   * See https://docs.amplify.aws/cli/react/tools/cli/migration/iam-auth-updates-for-cdk-construct for details.
    */
-  readonly authenticatedUserRole: IRole;
+  readonly authenticatedUserRole?: IRole;
 
   /**
    * Unauthenticated user role, applies to { provider: iam, allow: public } access.
+   *
+   * @deprecated Use 'IdentityPoolAuthorizationConfig.unauthenticatedUserRole' instead.
+   * See https://docs.amplify.aws/cli/react/tools/cli/migration/iam-auth-updates-for-cdk-construct for details.
    */
-  readonly unauthenticatedUserRole: IRole;
+  readonly unauthenticatedUserRole?: IRole;
 
   /**
    * A list of IAM roles which will be granted full read/write access to the generated model if IAM auth is enabled.
    * If an IRole is provided, the role `name` will be used for matching.
    * If a string is provided, the raw value will be used for matching.
+   *
+   * @deprecated Use 'enableIamAuthorizationMode' and IAM Policy to control access for IAM principals.
+   * See https://docs.amplify.aws/cli/react/tools/cli/migration/iam-auth-updates-for-cdk-construct for details.
    */
   readonly allowListedRoles?: (IRole | string)[];
+
+  /**
+   * Enables access for IAM principals. If enabled @auth directive rules are not applied.
+   * Instead, access should be defined by IAM Policy, see https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappsync.html.
+   *
+   * Does not apply to authenticated and unauthenticated IAM Roles attached to Cognito Identity Pool.
+   * Use IdentityPoolAuthorizationConfig to configure their access.
+   */
+  readonly enableIamAuthorizationMode?: boolean;
+}
+
+/**
+ * Configuration for Cognito Identity Pool Authorization on the Graphql Api.
+ * @struct - required since this interface begins with an 'I'
+ */
+export interface IdentityPoolAuthorizationConfig {
+  /**
+   * ID for the Cognito Identity Pool vending auth and unauth roles.
+   * Format: `<region>:<id string>`
+   */
+  readonly identityPoolId: string;
+
+  /**
+   * Authenticated user role, applies to { provider: iam, allow: private } access.
+   */
+  readonly authenticatedUserRole: IRole;
+
+  /**
+   * Unauthenticated user role, applies to { provider: iam, allow: public } access.
+   */
+  readonly unauthenticatedUserRole: IRole;
 }
 
 /**
@@ -134,11 +177,19 @@ export interface AuthorizationModes {
   readonly defaultAuthorizationMode?: 'AWS_IAM' | 'AMAZON_COGNITO_USER_POOLS' | 'OPENID_CONNECT' | 'API_KEY' | 'AWS_LAMBDA';
 
   /**
-   * IAM Auth config, required if an 'iam' auth provider is specified in the Api.
-   * Applies to 'public' and 'private' auth strategies.
+   * IAM Auth config, required to allow IAM-based access to this API.
+   * This applies to any IAM principal except Amazon Cognito identity pool's authenticated and unauthenticated roles.
+   * This behavior was has recently been improved.
+   * See https://docs.amplify.aws/cli/react/tools/cli/migration/iam-auth-updates-for-cdk-construct for details.
    */
   readonly iamConfig?: IAMAuthorizationConfig;
 
+  /**
+   * Cognito Identity Pool config, required if an 'identityPool' auth provider is specified in the Api.
+   * Applies to 'public' and 'private' auth strategies.
+   */
+  readonly identityPoolConfig?: IdentityPoolAuthorizationConfig;
+
   /**
    * Cognito UserPool config, required if a 'userPools' auth provider is specified in the Api.
    * Applies to 'owner', 'private', and 'group' auth strategies.