fix: fix appsync permission assignment from functions

[r0zar]

fix #4306

Issue #, if available:
4306

Description of changes:
The current implementation of appsync permissions is using an incorrect understanding of IAM policies for AppSync. This PR updates the IAM Policy generation process for lambdas from amplify function create/update walkthroughs.

This PR is ready for merging. 🚀

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[jamesonwilliams]

PHAL @aws-amplify/amplify-cli (@kaustavghosh06 @renebrandel @UnleashedMind @yuth @attilah)

[codecov]

Codecov Report

Merging #5342 (e8b97a3) into master (473bea5) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff            @@
##           master    #5342    +/-   ##
========================================
  Coverage   57.05%   57.05%            
========================================
  Files         468      468            
  Lines       21489    21490     +1     
  Branches     4273     4058   -215     
========================================
+ Hits        12261    12262     +1     
- Misses       8349     8369    +20     
+ Partials      879      859    -20     

Impacted Files	Coverage Δ
...amplify-cli-core/src/feature-flags/featureFlags.ts	83.10% <100.00%> (+0.07%)	⬆️
packages/amplify-util-mock/src/api/api.ts	0.00% <0.00%> (ø)
packages/graphql-mapping-template/src/print.ts	35.29% <0.00%> (ø)
packages/amplify-util-mock/src/storage/storage.ts	0.00% <0.00%> (ø)
...ges/amplify-util-mock/src/CFNParser/stack/index.ts	0.00% <0.00%> (ø)
...es/amplify-util-mock/src/api/resolver-overrides.ts	0.00% <0.00%> (ø)
...es/graphql-transformer-core/src/stripDirectives.ts	35.29% <0.00%> (ø)
.../amplify-cli-core/src/state-manager/pathManager.ts	67.85% <0.00%> (ø)
.../amplify-util-mock/src/utils/lambda/loadMinimal.ts	0.00% <0.00%> (ø)
...graphql-transformer-core/src/TransformerContext.ts	25.09% <0.00%> (ø)
... and 10 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 206ab32...e8b97a3. Read the comment docs.

[renebrandel]

hi @r0zar ! I'll try to get the team to review it on Friday. Thanks for starting this!

[r0zar]

@renebrandel 👋 Completed my final updates. This PR is ready for merging now AFAIK

[renebrandel]

@attilah will test this PR and see if we need to introduce a feature flag. At this point it looks good.

[attilah]

@r0zar Thanks for the PR, I went through it and I see the reason for the changes, but because of existing deployments we have to preserve the existing functionality so it needs to be put behind a feature flag that can be enabled by default for new projects and not for existing projects.

I have one concern about the generated IAM policy and that is that I can't see that the policy generation code includes the schema types. If I remember correctly you have to have access to the types as well, since if I have a policy for UpdatePost that does not implicitly grant me access to the Post type. This brings to the other thing I am missing is an E2E test which creates a function and an AppSync API and invokes a GraphQL operation.

Since this change has to go behind a feature flag we don't have to deal with the legacy permissions especially we don't have to map it.

If you need further help on the above suggested changes, ping me and I we can setup a meeting to get it through the finish line.

[r0zar]

Thanks for the review.

Yeah let's find some time next week so I get aligned on this and put together a todo list.

[attilah]

@r0zar sounds good, please test out the types/* policy I miss before that if you can.

[attilah]

Synced up offline with @r0zar will add the E2E tests and the Feature flag to preserve the existing functionality and will update the PR.

[attilah]

@r0zar how you see your time working on this, do you have an ETA (no rush) ?

[r0zar]

I finally had some time open up this week and was going to make a start on it. Hopefully I can knock it out in a few sessions.

[attilah]

@r0zar let me know if I can be any help.

[r0zar]

Ran a rebase to keep my changes.

[r0zar]

Ok, fixed the terrible rebase. 😅

[lgtm-com]

This pull request introduces 3 alerts when merging 1c4309c into a7b7a8c - view on LGTM.com

new alerts:

• 3 for Expression has no effect

[r0zar]

🎉

[attilah]

Added a few comments on the recent changes, but overall almost there!

[attilah]

Please use import _ from 'lodash'; and don't deconstruct its functions, it's more readable that way.

[r0zar]

✔️

[attilah]

Why removed the '-' prefix? We rarely change prompts and DX without API reviews. Sync up on this with @renebrandel .

[r0zar]

The - served as a pseudo-bullet-point in the unordered list of choices. I replaced that with the icons in the PR. It results in a more visually comprehensible list of choices that can be understood better internationally.

[attilah]

Just name it normally as a variable, no need for GH reference, also FeatureFlags has a ., I'd suggest to use appSync.generateGraphQLPermissionsForCRUD since this feature flag is not for graphqlTransformer. We can debate the name but this is what it does IMHO, suggest something similar if you have a better in mind.

[r0zar]

how do you feel about the category being iamPolicies? This distinction would be helpful to make clear it's related to how the policies are generated and managed.

[attilah]

Why is the FF branch of the if doing anything that is backward compatible? It should not, right?

[r0zar]

I wrote it so that enabling a feature flag with incorrect permissions would autocorrect their policies. I now see that the way feature flags are being used in amplify is that by turning them on early, the user may deals with the consequences. I see this results in code with less 'artifacts' so I'll update to fit this design.

[r0zar]

I moved the FF check to line 102 of execPermissionsWalkthrough.ts. Still exists as an artifact in the code, but there is no more autocorrecting of permissions. Is this the intention?

[attilah]

As suggested above it should go into a new appSync group.

[lgtm-com]

This pull request introduces 1 alert when merging c3b406d into 206ab32 - view on LGTM.com

new alerts:

• 1 for Unused variable, import, function or class

[r0zar]

I squashed and force pushed the commit with only the relevant changes to keep the scope a little tighter.

[r0zar]

This value seems to be coming in as undefined for most scenarios. Is it still used?

[attilah]

LGTM, thanks for hanging in there ;-)

[github-actions]

This pull request has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.