fix: cognito trigger template permissions

[akshbhu]

Description of changes

• Previously Cognito trigger permissions were missing from auth trigger template, this PR adds those permissions to the template
• added physical resource id on custom resource lambda function which enables auth trigger.

Issue #7582

Description of how you validated changes

• Maunally tested and added and e2e test for the same
• cloud-e2e : https://app.circleci.com/pipelines/github/aws-amplify/amplify-cli/13176/workflows/228459e7-248f-40d4-a5dc-758b0ab21946
• two tests are failling ( failing on dev as well)
  -https://app.circleci.com/pipelines/github/aws-amplify/amplify-cli/13176/workflows/228459e7-248f-40d4-a5dc-758b0ab21946/jobs/558753
  - https://app.circleci.com/pipelines/github/aws-amplify/amplify-cli/13176/workflows/228459e7-248f-40d4-a5dc-758b0ab21946/jobs/558519

Checklist

• PR description included
• yarn test passes
• Tests are changed or added
• Relevant documentation is changed or added (and PR referenced)
• New AWS SDK calls or CloudFormation actions have been added to relevant test and service IAM policies
• Pull request labels are added

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[edwardfoyle]

asked a couple small clarifications but if they are all irrelevant then LGTM

[guidovalente]

just for the record - I had to update a stack today that includes a cognito trigger linked to a lambda function (it's a customMessage trigger). The last changes I had made to the app were under v10.5

as I went to update the stack today, the deployment process failed when getting to the AuthTriggerCustomLambdaStack resource. Specificaly, I was getting an error saying Output 'LambdaExecutionRoleArn' not found in stack '<edited: ARN for my customMessage stack here>'.

What I did was remove the trigger from the template and added it again from scratch, reconfiguring environment variables for that lambda.

It seems these kinds of changes are breaking changes that stop deployments alltogether. This was a small function in my stack that didn't take long to edit, but it could have been a more complicated issue if the lambda had been tied to other resources in a different way.

Is there a preferred way to approach this kind of change in Amplify without having to re-create resources? Or is there a way to force the online deployment to use an older version of the CLI so that I don't have to update my stack?

from what I could see, what happens is that the new Amplify version expects an output in the stack that wasn't there before, so maybe a version change like this should scan for these changes and try to incorporate them into the template?

I'm not an expert with Amplify so please point me in the right direction if I'm not asking the right questions, but at times I feel Amplify is getting in my way when I come across these things and I might just be better off going with raw CF or CDK.

It may just be that Amplify needs a bit more time to evolve, but not being able to deploy a small change to my stack and forcing me to update the CLI version just to be able to add in a few new lines of code to a lambda frustrates me a little, especially when the lambda I wanted to edit was a completely different one unrelated to the trigger.