fix: cognito trigger permissions

aws-amplify · Jun 6, 2022 · 6f2bc15 · 6f2bc15
1 parent 5bc8cb4
commit 6f2bc15
Show file tree

Hide file tree

Showing 19 changed files with 330 additions and 174 deletions.
diff --git a/.eslint-dictionary.json b/.eslint-dictionary.json
@@ -139,6 +139,7 @@
   "uint",
   "unauth",
   "unlink",
+  "unlinksync",
   "updateamplify",
   "urls",
   "userpool",

diff --git a/packages/amplify-category-auth/package.json b/packages/amplify-category-auth/package.json
@@ -33,6 +33,7 @@
     "@aws-cdk/aws-lambda": "~1.124.0",
     "@aws-cdk/core": "~1.124.0",
     "amplify-cli-core": "2.9.0",
+    "amplify-function-plugin-interface": "1.9.5",
     "amplify-headless-interface": "1.15.0",
     "amplify-prompts": "2.2.0",
     "amplify-util-headless-input": "1.9.5",

diff --git a/...mation/triggers/CreateAuthChallenge/cloudformation-templates/CreateAuthChallenge.json.ejs b/...mation/triggers/CreateAuthChallenge/cloudformation-templates/CreateAuthChallenge.json.ejs
@@ -194,6 +194,11 @@
         "LambdaExecutionRole": {
             "Value": {
                 "Ref": "LambdaExecutionRole"
+            }∏
+        },
+        "LambdaExecutionRoleArn": {
+            "Value": {
+                "Fn::GetAtt": ["LambdaExecutionRole", "Arn"]
             }
         },
         "Region": {

diff --git a/.../awscloudformation/triggers/CustomMessage/cloudformation-templates/CustomMessage.json.ejs b/.../awscloudformation/triggers/CustomMessage/cloudformation-templates/CustomMessage.json.ejs
@@ -213,6 +213,11 @@
                 "Ref": "LambdaExecutionRole"
             }
         },
+        "LambdaExecutionRoleArn": {
+            "Value": {
+                "Fn::GetAtt": ["LambdaExecutionRole", "Arn"]
+            }
+        },
         "Region": {
             "Value": {
                 "Ref": "AWS::Region"

diff --git a/...mation/triggers/DefineAuthChallenge/cloudformation-templates/DefineAuthChallenge.json.ejs b/...mation/triggers/DefineAuthChallenge/cloudformation-templates/DefineAuthChallenge.json.ejs
@@ -189,6 +189,11 @@
                 "Ref": "LambdaExecutionRole"
             }
         },
+        "LambdaExecutionRoleArn": {
+            "Value": {
+                "Fn::GetAtt": ["LambdaExecutionRole", "Arn"]
+            }
+        },
         "Region": {
             "Value": {
                 "Ref": "AWS::Region"

diff --git a/...ormation/triggers/PostAuthentication/cloudformation-templates/PostAuthentication.json.ejs b/...ormation/triggers/PostAuthentication/cloudformation-templates/PostAuthentication.json.ejs
@@ -189,6 +189,11 @@
                 "Ref": "LambdaExecutionRole"
             }
         },
+        "LambdaExecutionRoleArn": {
+            "Value": {
+                "Fn::GetAtt": ["LambdaExecutionRole", "Arn"]
+            }
+        },
         "Region": {
             "Value": {
                 "Ref": "AWS::Region"

diff --git a/...dformation/triggers/PreAuthentication/cloudformation-templates/PreAuthentication.json.ejs b/...dformation/triggers/PreAuthentication/cloudformation-templates/PreAuthentication.json.ejs
@@ -189,6 +189,11 @@
                 "Ref": "LambdaExecutionRole"
             }
         },
+        "LambdaExecutionRoleArn": {
+            "Value": {
+                "Fn::GetAtt": ["LambdaExecutionRole", "Arn"]
+            }
+        },
       "Region": {
           "Value": {
               "Ref": "AWS::Region"

diff --git a/...er-utils/awscloudformation/triggers/PreSignup/cloudformation-templates/PreSignup.json.ejs b/...er-utils/awscloudformation/triggers/PreSignup/cloudformation-templates/PreSignup.json.ejs
@@ -203,6 +203,11 @@
                 "Ref": "LambdaExecutionRole"
             }
         },
+        "LambdaExecutionRoleArn": {
+            "Value": {
+                "Fn::GetAtt": ["LambdaExecutionRole", "Arn"]
+            }
+        },
         "Region": {
             "Value": {
                 "Ref": "AWS::Region"

diff --git a/...ormation/triggers/PreTokenGeneration/cloudformation-templates/PreTokenGeneration.json.ejs b/...ormation/triggers/PreTokenGeneration/cloudformation-templates/PreTokenGeneration.json.ejs
@@ -189,6 +189,11 @@
                 "Ref": "LambdaExecutionRole"
             }
         },
+        "LambdaExecutionRoleArn": {
+            "Value": {
+                "Fn::GetAtt": ["LambdaExecutionRole", "Arn"]
+            }
+        },
       "Region": {
           "Value": {
               "Ref": "AWS::Region"

diff --git a/...VerifyAuthChallengeResponse/cloudformation-templates/VerifyAuthChallengeResponse.json.ejs b/...VerifyAuthChallengeResponse/cloudformation-templates/VerifyAuthChallengeResponse.json.ejs
@@ -197,6 +197,11 @@
                 "Ref": "LambdaExecutionRole"
             }
         },
+        "LambdaExecutionRoleArn": {
+            "Value": {
+                "Fn::GetAtt": ["LambdaExecutionRole", "Arn"]
+            }
+        },
         "Region": {
             "Value": {
                 "Ref": "AWS::Region"

diff --git a/...r-utils/awscloudformation/utils/__snapshots__/generate-auth-trigger-template.test.ts.snap b/...r-utils/awscloudformation/utils/__snapshots__/generate-auth-trigger-template.test.ts.snap
@@ -131,39 +131,73 @@ Object {
 const aws = require('aws-sdk');
 
 exports.handler = async function (event, context) {
+  const physicalResourceId = \`\${event.LogicalResourceId}-\${event.ResourceProperties.userpoolId}\`;
+
   try {
     const userPoolId = event.ResourceProperties.userpoolId;
     const lambdaConfig = event.ResourceProperties.lambdaConfig;
     const config = {};
+    const cognitoClient = new aws.CognitoIdentityServiceProvider();
+    const userPoolConfig = await cognitoClient.describeUserPool({ UserPoolId: userPoolId }).promise();
+    const userPoolParams = userPoolConfig.UserPool;
+    // update userPool params
+
+    const updateUserPoolConfig = {
+      UserPoolId: userPoolParams.Id,
+      Policies: userPoolParams.Policies,
+      SmsVerificationMessage: userPoolParams.SmsVerificationMessage,
+      AccountRecoverySetting: userPoolParams.AccountRecoverySetting,
+      AdminCreateUserConfig: userPoolParams.AdminCreateUserConfig,
+      AutoVerifiedAttributes: userPoolParams.AutoVerifiedAttributes,
+      EmailConfiguration: userPoolParams.EmailConfiguration,
+      EmailVerificationMessage: userPoolParams.EmailVerificationMessage,
+      EmailVerificationSubject: userPoolParams.EmailVerificationSubject,
+      VerificationMessageTemplate: userPoolParams.VerificationMessageTemplate,
+      SmsAuthenticationMessage: userPoolParams.SmsAuthenticationMessage,
+      MfaConfiguration: userPoolParams.MfaConfiguration,
+      DeviceConfiguration: userPoolParams.DeviceConfiguration,
+      SmsConfiguration: userPoolParams.SmsConfiguration,
+      UserPoolTags: userPoolParams.UserPoolTags,
+      UserPoolAddOns: userPoolParams.UserPoolAddOns,
+    };
+
+    // removing undefined keys
+    Object.keys(updateUserPoolConfig).forEach(key => updateUserPoolConfig[key] === undefined && delete updateUserPoolConfig[key]);
+
+    /*removing UnusedAccountValidityDays as deprecated
+    InvalidParameterException: Please use TemporaryPasswordValidityDays in PasswordPolicy instead of UnusedAccountValidityDays
+    */
+    if (updateUserPoolConfig.AdminCreateUserConfig && updateUserPoolConfig.AdminCreateUserConfig.UnusedAccountValidityDays) {
+      delete updateUserPoolConfig.AdminCreateUserConfig.UnusedAccountValidityDays;
+    }
+
     lambdaConfig.forEach(lambda => (config[\`\${lambda.triggerType}\`] = lambda.lambdaFunctionArn));
-    if (event.RequestType == 'Delete') {
-      const authParams = { UserPoolId: userPoolId, LambdaConfig: {} };
-      const cognitoclient = new aws.CognitoIdentityServiceProvider();
+    if (event.RequestType === 'Delete') {
       try {
-        const result = await cognitoclient.updateUserPool(authParams).promise();
+        updateUserPoolConfig.LambdaConfig = {};
+        const result = await cognitoClient.updateUserPool(updateUserPoolConfig).promise();
         console.log('delete response data ' + JSON.stringify(result));
-        await response.send(event, context, response.SUCCESS, {});
+        await response.send(event, context, response.SUCCESS, {}, physicalResourceId);
       } catch (err) {
         console.log(err.stack);
-        await response.send(event, context, response.FAILED, { err });
+        await response.send(event, context, response.FAILED, { err }, physicalResourceId);
       }
     }
-    if (event.RequestType == 'Update' || event.RequestType == 'Create') {
-      const authParams = { UserPoolId: userPoolId, LambdaConfig: config };
-      console.log(authParams);
-      const cognitoclient = new aws.CognitoIdentityServiceProvider();
+    if (event.RequestType === 'Update' || event.RequestType === 'Create') {
+      updateUserPoolConfig.LambdaConfig = config;
+      console.log(\`\${event.RequestType}: \${updateUserPoolConfig}\`);
       try {
-        const result = await cognitoclient.updateUserPool(authParams).promise();
+        const result = await cognitoClient.updateUserPool(updateUserPoolConfig).promise();
         console.log('createOrUpdate response data ' + JSON.stringify(result));
-        await response.send(event, context, response.SUCCESS, { result });
+        await response.send(event, context, response.SUCCESS, {}, physicalResourceId);
       } catch (err) {
         console.log(err.stack);
-        await response.send(event, context, response.FAILED, { err });
+        await response.send(event, context, response.FAILED, { err }, physicalResourceId);
       }
     }
   } catch (err) {
     console.log(err.stack);
-    await response.send(event, context, response.FAILED, { err });
+    await response.send(event, context, response.FAILED, { err }, physicalResourceId);
   }
 };
 ",
@@ -216,8 +250,10 @@ exports.handler = async function (event, context) {
           "Statement": Array [
             Object {
               "Action": Array [
+                "cognito-idp:DescribeUserPool",
                 "cognito-idp:DescribeUserPoolClient",
                 "cognito-idp:UpdateUserPool",
+                "iam:PassRole",
               ],
               "Effect": "Allow",
               "Resource": "*",
@@ -281,9 +317,7 @@ Object {
         },
         "lambdaConfig": Array [
           Object {
-            "lambdaFunctionArn": Object {
-              "Ref": "functionrandomFnArn",
-            },
+            "lambdaFunctionArn": "randomArn",
             "lambdaFunctionName": "randomFn",
             "triggerType": "PreAuthentication",
           },
@@ -319,39 +353,73 @@ Object {
 const aws = require('aws-sdk');
 
 exports.handler = async function (event, context) {
+  const physicalResourceId = \`\${event.LogicalResourceId}-\${event.ResourceProperties.userpoolId}\`;
+
   try {
     const userPoolId = event.ResourceProperties.userpoolId;
     const lambdaConfig = event.ResourceProperties.lambdaConfig;
     const config = {};
+    const cognitoClient = new aws.CognitoIdentityServiceProvider();
+    const userPoolConfig = await cognitoClient.describeUserPool({ UserPoolId: userPoolId }).promise();
+    const userPoolParams = userPoolConfig.UserPool;
+    // update userPool params
+
+    const updateUserPoolConfig = {
+      UserPoolId: userPoolParams.Id,
+      Policies: userPoolParams.Policies,
+      SmsVerificationMessage: userPoolParams.SmsVerificationMessage,
+      AccountRecoverySetting: userPoolParams.AccountRecoverySetting,
+      AdminCreateUserConfig: userPoolParams.AdminCreateUserConfig,
+      AutoVerifiedAttributes: userPoolParams.AutoVerifiedAttributes,
+      EmailConfiguration: userPoolParams.EmailConfiguration,
+      EmailVerificationMessage: userPoolParams.EmailVerificationMessage,
+      EmailVerificationSubject: userPoolParams.EmailVerificationSubject,
+      VerificationMessageTemplate: userPoolParams.VerificationMessageTemplate,
+      SmsAuthenticationMessage: userPoolParams.SmsAuthenticationMessage,
+      MfaConfiguration: userPoolParams.MfaConfiguration,
+      DeviceConfiguration: userPoolParams.DeviceConfiguration,
+      SmsConfiguration: userPoolParams.SmsConfiguration,
+      UserPoolTags: userPoolParams.UserPoolTags,
+      UserPoolAddOns: userPoolParams.UserPoolAddOns,
+    };
+
+    // removing undefined keys
+    Object.keys(updateUserPoolConfig).forEach(key => updateUserPoolConfig[key] === undefined && delete updateUserPoolConfig[key]);
+
+    /*removing UnusedAccountValidityDays as deprecated
+    InvalidParameterException: Please use TemporaryPasswordValidityDays in PasswordPolicy instead of UnusedAccountValidityDays
+    */
+    if (updateUserPoolConfig.AdminCreateUserConfig && updateUserPoolConfig.AdminCreateUserConfig.UnusedAccountValidityDays) {
+      delete updateUserPoolConfig.AdminCreateUserConfig.UnusedAccountValidityDays;
+    }
+
     lambdaConfig.forEach(lambda => (config[\`\${lambda.triggerType}\`] = lambda.lambdaFunctionArn));
-    if (event.RequestType == 'Delete') {
-      const authParams = { UserPoolId: userPoolId, LambdaConfig: {} };
-      const cognitoclient = new aws.CognitoIdentityServiceProvider();
+    if (event.RequestType === 'Delete') {
       try {
-        const result = await cognitoclient.updateUserPool(authParams).promise();
+        updateUserPoolConfig.LambdaConfig = {};
+        const result = await cognitoClient.updateUserPool(updateUserPoolConfig).promise();
         console.log('delete response data ' + JSON.stringify(result));
-        await response.send(event, context, response.SUCCESS, {});
+        await response.send(event, context, response.SUCCESS, {}, physicalResourceId);
       } catch (err) {
         console.log(err.stack);
-        await response.send(event, context, response.FAILED, { err });
+        await response.send(event, context, response.FAILED, { err }, physicalResourceId);
       }
     }
-    if (event.RequestType == 'Update' || event.RequestType == 'Create') {
-      const authParams = { UserPoolId: userPoolId, LambdaConfig: config };
-      console.log(authParams);
-      const cognitoclient = new aws.CognitoIdentityServiceProvider();
+    if (event.RequestType === 'Update' || event.RequestType === 'Create') {
+      updateUserPoolConfig.LambdaConfig = config;
+      console.log(\`\${event.RequestType}: \${updateUserPoolConfig}\`);
       try {
-        const result = await cognitoclient.updateUserPool(authParams).promise();
+        const result = await cognitoClient.updateUserPool(updateUserPoolConfig).promise();
         console.log('createOrUpdate response data ' + JSON.stringify(result));
-        await response.send(event, context, response.SUCCESS, { result });
+        await response.send(event, context, response.SUCCESS, {}, physicalResourceId);
       } catch (err) {
         console.log(err.stack);
-        await response.send(event, context, response.FAILED, { err });
+        await response.send(event, context, response.FAILED, { err }, physicalResourceId);
       }
     }
   } catch (err) {
     console.log(err.stack);
-    await response.send(event, context, response.FAILED, { err });
+    await response.send(event, context, response.FAILED, { err }, physicalResourceId);
   }
 };
 ",
@@ -404,8 +472,10 @@ exports.handler = async function (event, context) {
           "Statement": Array [
             Object {
               "Action": Array [
+                "cognito-idp:DescribeUserPool",
                 "cognito-idp:DescribeUserPoolClient",
                 "cognito-idp:UpdateUserPool",
+                "iam:PassRole",
               ],
               "Effect": "Allow",
               "Resource": "*",

diff --git a/...c/__tests__/provider-utils/awscloudformation/utils/generate-auth-trigger-template.test.ts b/...c/__tests__/provider-utils/awscloudformation/utils/generate-auth-trigger-template.test.ts
@@ -2,9 +2,11 @@ import {
   AuthTriggerConnection,
   AuthTriggerPermissions,
   TriggerType,
-} from '../../../../provider-utils/awscloudformation/service-walkthrough-types';
+} from '../../../../provider-utils/awscloudformation/service-walkthrough-types/cognito-user-input-types';
+// eslint-disable-next-line spellcheck/spell-checker
 import { createCustomResourceforAuthTrigger } from '../../../../provider-utils/awscloudformation/utils/generate-auth-trigger-template';
 
+jest.mock('uuid');
 describe('generate Auth Trigger Template', () => {
   it('successfully generate auth Trigger Template', async () => {
     const mockAuthTriggerConnections: AuthTriggerConnection[] = [
@@ -27,6 +29,7 @@ describe('generate Auth Trigger Template', () => {
         },
       },
     ];
+    // eslint-disable-next-line spellcheck/spell-checker
     const cfn = await createCustomResourceforAuthTrigger(mockAuthTriggerConnections, mockAuthTriggerPermissions);
     expect(cfn).toMatchSnapshot();
   });

diff --git a/...gory-auth/src/provider-utils/awscloudformation/auth-stack-builder/auth-stack-transform.ts b/...gory-auth/src/provider-utils/awscloudformation/auth-stack-builder/auth-stack-transform.ts
@@ -60,7 +60,7 @@ export class AmplifyAuthTransform extends AmplifyCategoryTransform {
     } else {
       await createUserPoolGroups(context, this._cognitoStackProps.resourceName!, this._cognitoStackProps.userPoolGroupList);
     }
-    // generate customm Auth Trigger for Cognito
+    // generate custom Auth Trigger for Cognito
     if (this._cognitoStackProps.breakCircularDependency) {
       await generateNestedAuthTriggerTemplate(this._category, this.resourceName, this._cognitoStackProps);
     }