fix: team provider migration (#5733)

* fix: using team provider for secrets

.circleci/config.base.yml

@@ -328,6 +328,7 @@ jobs:
 
   amplify_migration_tests_v4:
     <<: *defaults
+
     steps:
       - attach_workspace:
           at: ./
@@ -348,6 +349,32 @@ jobs:
           path: ~/repo/packages/amplify-migration-tests/amplify-migration-reports
     working_directory: ~/repo
 
+  amplify_migration_tests_v4_30_0:
+    <<: *defaults
+    environment:
+      AMPLIFY_PATH: /home/circleci/.npm-global/lib/node_modules/@aws-amplify/cli/bin/amplify
+    steps:
+      - attach_workspace:
+          at: ./
+      - restore_cache:
+          key: amplify-cli-yarn-deps-{{ .Branch }}-{{ checksum "yarn.lock" }}
+      - run:
+          name: Update OS Packages
+          command: sudo apt-get update
+      - run:
+          name: Run tests migrating from CLI v4.30.0
+          command: |
+            source .circleci/local_publish_helpers.sh
+            changeNpmGlobalPath
+            cd packages/amplify-migration-tests
+            yarn run migration_v4.30.0_auth --maxWorkers=3
+          no_output_timeout: 90m
+      - store_test_results:
+          path: packages/amplify-migration-tests/
+      - store_artifacts:
+          path: ~/repo/packages/amplify-migration-tests/amplify-migration-reports
+    working_directory: ~/repo
+
   amplify_migration_tests_latest:
     <<: *defaults
     steps:
@@ -878,6 +905,15 @@ workflows:
                 - master
           requires:
             - build
+      - amplify_migration_tests_v4_30_0:
+          filters:
+            branches:
+              only:
+                - master
+                - graphqlschemae2e
+                - feat-import
+          requires:
+            - build
       - amplify_console_integration_tests:
           filters:
             branches:
@@ -911,6 +947,7 @@ workflows:
             - amplify_console_integration_tests
             - amplify_migration_tests_latest
             - amplify_migration_tests_v4
+            - amplify_migration_tests_v4_30_0
             - github_prerelease_install_sanity_check
           filters:
             branches:

.circleci/config.yml

@@ -397,6 +397,32 @@ jobs:
           path: packages/amplify-migration-tests/
       - store_artifacts:
           path: ~/repo/packages/amplify-migration-tests/amplify-migration-reports
+  amplify_migration_tests_v4_30_0:
+    working_directory: ~/repo
+    docker: *ref_0
+    resource_class: large
+    environment:
+      AMPLIFY_PATH: /home/circleci/.npm-global/lib/node_modules/@aws-amplify/cli/bin/amplify
+    steps:
+      - attach_workspace:
+          at: ./
+      - restore_cache:
+          key: 'amplify-cli-yarn-deps-{{ .Branch }}-{{ checksum "yarn.lock" }}'
+      - run:
+          name: Update OS Packages
+          command: sudo apt-get update
+      - run:
+          name: Run tests migrating from CLI v4.30.0
+          command: |
+            source .circleci/local_publish_helpers.sh
+            changeNpmGlobalPath
+            cd packages/amplify-migration-tests
+            yarn run migration_v4.30.0_auth --maxWorkers=3
+          no_output_timeout: 90m
+      - store_test_results:
+          path: packages/amplify-migration-tests/
+      - store_artifacts:
+          path: ~/repo/packages/amplify-migration-tests/amplify-migration-reports
   amplify_migration_tests_latest:
     working_directory: ~/repo
     docker: *ref_0
@@ -2004,6 +2030,15 @@ workflows:
                 - master
           requires:
             - build
+      - amplify_migration_tests_v4_30_0:
+          filters:
+            branches:
+              only:
+                - master
+                - graphqlschemae2e
+                - feat-import
+          requires:
+            - build
       - amplify_console_integration_tests:
           filters:
             branches:
@@ -2037,6 +2072,7 @@ workflows:
             - amplify_console_integration_tests
             - amplify_migration_tests_latest
             - amplify_migration_tests_v4
+            - amplify_migration_tests_v4_30_0
             - github_prerelease_install_sanity_check
           filters:
             branches:

packages/amplify-category-auth/resources/cloudformation-templates/auth-template.yml.ejs

@@ -23,6 +23,7 @@ Parameters:
   <%=Object.keys(props)[i]%>:
     Type: String
   <% } -%>
+
   <% if (typeof Object.values(props)[i] === 'boolean') { %>
   <%=Object.keys(props)[i]%>:
     Type: String
@@ -40,6 +41,11 @@ Parameters:
     Type: CommaDelimitedList
   <% } -%>
   <% } -%>
+  <% if(Object.keys(props).includes('hostedUIProviderMeta') && !Object.keys(props).includes('hostedUIProviderCreds')) { %>
+  hostedUIProviderCreds:
+    Type: String
+    Default: '[]'
+  <% } -%>
 
 Conditions:
   ShouldNotCreateEnvResources: !Equals [ !Ref env, NONE ]
@@ -562,6 +568,9 @@ Resources:
             - ' const userPoolId = event.ResourceProperties.userPoolId;'
             - ' let hostedUIProviderMeta = JSON.parse(event.ResourceProperties.hostedUIProviderMeta);'
             - ' let hostedUIProviderCreds = JSON.parse(event.ResourceProperties.hostedUIProviderCreds);'
+            - ' if(hostedUIProviderCreds.length === 0) {'
+            - '  response.send(event, context, response.SUCCESS, {});'
+            - ' }'
             - ' if (event.RequestType == ''Delete'') {'
             - '  response.send(event, context, response.SUCCESS, {});'
             - ' }'

packages/amplify-cli-core/src/cliConstants.ts

@@ -0,0 +1 @@
+export const SecretFileMode = 0o600; //file permissions for -rw-------

packages/amplify-cli-core/src/deploymentSecretsHelper.ts

@@ -0,0 +1,50 @@
+import { DeploymentSecrets } from '.';
+import _ from 'lodash';
+
+export const mergeDeploymentSecrets = (deploymentSecretsModifier: deploymentSecretMerge): DeploymentSecrets => {
+  const { currentDeploymentSecrets, category, rootStackId, envName, resource, keyName, value } = deploymentSecretsModifier;
+  const newDeploymentAppSecret = _.find(currentDeploymentSecrets.appSecrets, appSecret => appSecret.rootStackId === rootStackId) || {
+    rootStackId,
+    environments: {},
+  };
+  _.set(newDeploymentAppSecret, ['environments', envName, category, resource, keyName], value);
+  return {
+    appSecrets: [...currentDeploymentSecrets.appSecrets.filter(appSecret => appSecret.rootStackId !== rootStackId), newDeploymentAppSecret],
+  };
+};
+
+export const removeFromDeploymentSecrets = (deploymentSecretsModifier: deploymentSecretsRemove): DeploymentSecrets => {
+  const { currentDeploymentSecrets, category, rootStackId, envName, resource, keyName } = deploymentSecretsModifier;
+  const secretsByAppId = _.find(currentDeploymentSecrets.appSecrets, secrets => secrets.rootStackId === rootStackId);
+  if (secretsByAppId) {
+    recursiveOmit(secretsByAppId.environments, [envName, category, resource, keyName]);
+    if (Object.keys(secretsByAppId.environments).length === 0) {
+      currentDeploymentSecrets.appSecrets = currentDeploymentSecrets.appSecrets.filter(r => r.rootStackId !== rootStackId);
+    }
+  }
+  return currentDeploymentSecrets;
+};
+const recursiveOmit = (obj: any, path: Array<string>): void => {
+  if (path.length === 0) return;
+  const currentKey = path[0];
+  if (path.length === 1 && !!obj[currentKey]) {
+    delete obj[currentKey];
+    return;
+  }
+  recursiveOmit(obj[currentKey], path.slice(1));
+
+  if (obj[currentKey] && _.isEmpty(obj[currentKey])) {
+    delete obj[currentKey];
+  }
+};
+
+type deploymentSecretMerge = deploymentSecretsRemove & { value: string };
+
+type deploymentSecretsRemove = {
+  currentDeploymentSecrets: DeploymentSecrets;
+  category: string;
+  rootStackId: string;
+  envName: string;
+  resource: string;
+  keyName: string;
+};

packages/amplify-cli-core/src/errors/index.ts

@@ -10,3 +10,4 @@ export class NonEmptyDirectoryError extends Error {}
 export class InvalidEnvironmentNameError extends Error {}
 export class InvalidSubCommandError extends Error {}
 export class FrontendBuildError extends Error {}
+export class TeamProviderInfoMigrateError extends Error {}

packages/amplify-cli-core/src/index.ts

@@ -12,6 +12,8 @@ export * from './tags';
 export * from './errors';
 export * from './exitOnNextTick';
 export * from './isPackaged';
+export * from './cliConstants';
+export * from './deploymentSecretsHelper';
 
 // Temporary types until we can finish full type definition across the whole CLI
 
@@ -54,6 +56,14 @@ export type IPluginInfo = {
   manifest: $IPluginManifest;
 };
 
+export type DeploymentSecrets = {
+  appSecrets: Array<{
+    rootStackId: string;
+
+    environments: { [env: string]: { [category: string]: { [resourceName: string]: { [key: string]: string } } } };
+  }>;
+};
+
 /**
  * Plugins or other packages bundled with the CLI that pass a file to a system command or execute a binary file must export a function named
  * "getPackageAssetPaths" of this type.

packages/amplify-cli-core/src/jsonUtilities.ts

@@ -43,6 +43,7 @@ export class JSONUtilities {
     options?: {
       minify?: boolean;
       keepComments?: boolean;
+      mode?: number;
     },
   ): void => {
     if (!fileName) {
@@ -68,7 +69,10 @@ export class JSONUtilities {
     const dirPath = path.dirname(fileName);
     fs.ensureDirSync(dirPath);
 
-    fs.writeFileSync(fileName, jsonString, 'utf8');
+    fs.writeFileSync(fileName, jsonString, {
+      encoding: 'utf8',
+      mode: options?.mode,
+    });
   };
 
   public static parse = <T>(

packages/amplify-cli-core/src/state-manager/pathManager.ts

@@ -7,6 +7,7 @@ export const PathConstants = {
   DotAWSDir: '.aws',
   AWSCredentials: 'credentials',
   AWSConfig: 'config',
+  DeploymentSecretsFileName: 'deployment-secrets.json',
 
   // in project root
   AmplifyDirName: 'amplify',
@@ -130,6 +131,10 @@ export class PathManager {
     return this.constructPath(projectPath, [PathConstants.AmplifyDirName, fileName]);
   };
 
+  getDotAWSAmplifyDirPath = (): string => path.normalize(path.join(homedir(), PathConstants.DotAWSDir, PathConstants.AmplifyDirName));
+
+  getDeploymentSecrets = (): string => path.normalize(path.join(this.getDotAWSAmplifyDirPath(), PathConstants.DeploymentSecretsFileName));
+
   private constructPath = (projectPath?: string, segments: string[] = []): string => {
     if (!projectPath) {
       projectPath = this.findProjectRoot();

packages/amplify-cli-core/src/state-manager/stateManager.ts

@@ -1,9 +1,10 @@
 import * as fs from 'fs-extra';
 import { pathManager } from './pathManager';
-import { $TSMeta, $TSTeamProviderInfo, $TSAny } from '..';
+import { $TSMeta, $TSTeamProviderInfo, $TSAny, DeploymentSecrets } from '..';
 import { JSONUtilities } from '../jsonUtilities';
 import { Tag, ReadValidateTags } from '../tags';
-
+import _ from 'lodash';
+import { SecretFileMode } from '../cliConstants';
 export type GetOptions<T> = {
   throwIfNotExist?: boolean;
   preserveComments?: boolean;
@@ -27,6 +28,11 @@ export class StateManager {
 
   currentMetaFileExists = (projectPath?: string): boolean => fs.existsSync(pathManager.getCurrentAmplifyMetaFilePath(projectPath));
 
+  setDeploymentSecrets = (deploymentSecrets: DeploymentSecrets): void => {
+    const path = pathManager.getDeploymentSecrets();
+    JSONUtilities.writeJson(path, deploymentSecrets, { mode: SecretFileMode }); //set deployment secret file permissions to -rw-------
+  };
+
   getCurrentMeta = (projectPath?: string, options?: GetOptions<$TSMeta>): $TSMeta => {
     const filePath = pathManager.getCurrentAmplifyMetaFilePath(projectPath);
     const mergedOptions = {
@@ -39,6 +45,14 @@ export class StateManager {
     return data;
   };
 
+  getDeploymentSecrets = (): DeploymentSecrets => {
+    return (
+      JSONUtilities.readJson<DeploymentSecrets>(pathManager.getDeploymentSecrets(), {
+        throwIfNotExist: false,
+      }) || { appSecrets: [] }
+    );
+  };
+
   getProjectTags = (projectPath?: string): Tag[] => ReadValidateTags(pathManager.getTagFilePath(projectPath));
 
   getCurrentProjectTags = (projectPath?: string): Tag[] => ReadValidateTags(pathManager.getCurrentTagFilePath(projectPath));