feat(gen2-migration): generate IAM auth grant for Gen1 AppSync API#14778
Open
sai-ray wants to merge 1 commit into gen2-migration from
Conversation
Commit message:

feat(gen2-migration): generate IAM auth grant for Gen1 AppSync API

When a Gen1 AppSync API uses AWS_IAM authentication, the generate step now automatically adds an IAM policy granting the Gen2 authenticated user role appsync:GraphQL access to the Gen1 API. This is required post-refactor because the identity pool moves to the Gen2 stack with a new auth role that has no access to the Gen1 API.

The DataGenerator detects AWS_IAM as default or additional auth mode and contributes the policy statement to backend.ts via BackendGenerator. The Gen1 API ID is hardcoded as a string literal since it references an external resource.

Removes the manual addGen1AppSyncPolicy() post-generate step from the product-catalog app.

All 12 generate snapshot tests pass.

---

Prompt: Implement codegen for IAM auth grant when Gen1 AppSync API uses AWS_IAM authentication mode. The generate step should detect AWS_IAM and add the policy statement granting the Gen2 auth role access to the Gen1 API.
Fixes: #14518
Description of changes
When a Gen1 AppSync API uses `AWS_IAM` authentication mode, the `generate` step now automatically adds an IAM policy granting the Gen2 authenticated user role `appsync:GraphQL` access to the Gen1 API.

Post-refactor, the identity pool moves to the Gen2 stack with a new auth role. This role has no access to the Gen1 AppSync API, causing IAM-authenticated frontend requests to fail. Previously this was a manual post-generate step documented in the migration guide.
IAM auth detection and grant generation
`DataGenerator` checks if `AWS_IAM` is the default or additional auth mode on the Gen1 AppSync API. If it is (and an auth category exists), it contributes an `addToPrincipalPolicy` statement to `backend.ts` that grants `appsync:GraphQL` on the Gen1 API ARN. The Gen1 API ID is hardcoded as a string literal since it references a resource external to the Gen2 stack.

Snapshot cleanup
The product-catalog app's manual `addGen1AppSyncPolicy()` and `resolveGen1AppSyncApiId()` post-generate functions are removed, along with the `@aws-sdk/client-appsync` import. The codegen handles it automatically now.

Issue #, if available
#14518
Description of how you validated changes
Checklist
`yarn test` passes

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
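As an added illustration, not code from this PR or from amplify-cli, the following standalone TypeScript shows the two steps the description outlines: deciding whether a Gen1 AppSync API uses `AWS_IAM` (as default or additional auth mode) and, if so, producing the `appsync:GraphQL` statement the Gen2 authenticated role needs, rendered as the `addToPrincipalPolicy` fragment a generator would write into `backend.ts`. The config shape, helper names, explicit region/account inputs and the per-type field ARN pattern are assumptions; the PR only states that the statement grants `appsync:GraphQL` on the Gen1 API ARN. Two practitioner details are included that the description does not mention: the resources are scoped per operation type rather than a bare `apis/<id>/*` wildcard, and the API ID is validated before being emitted as a string literal, since anything interpolated into generated source is a code-injection surface.

```typescript
// Added example, not the PR's DataGenerator/BackendGenerator code. The config
// shape, helper names and the per-type resource ARN pattern are assumptions.

type AuthMode =
  | 'API_KEY'
  | 'AWS_IAM'
  | 'AMAZON_COGNITO_USER_POOLS'
  | 'OPENID_CONNECT'
  | 'AWS_LAMBDA';

interface Gen1AppSyncApi {
  apiId: string;      // lives outside the Gen2 stack, so it is emitted as a literal
  region: string;     // assumed explicit here; a CDK generator would use stack tokens
  accountId: string;
  defaultAuthMode: AuthMode;
  additionalAuthModes: AuthMode[];
}

interface PolicyStatement {
  Effect: 'Allow';
  Action: string[];
  Resource: string[];
}

// AWS_IAM qualifies whether it is the default or an additional auth mode.
function usesIamAuth(api: Gen1AppSyncApi): boolean {
  return api.defaultAuthMode === 'AWS_IAM' || api.additionalAuthModes.includes('AWS_IAM');
}

// Build the grant for the Gen2 authenticated role, or null when IAM auth is
// not in use. Resources follow the documented AppSync field ARN format
// (apis/<id>/types/<Type>/fields/<Field>) so the grant can be limited to the
// operation types the frontend actually calls.
function gen1AppSyncGrant(
  api: Gen1AppSyncApi,
  typeNames: string[] = ['Query', 'Mutation', 'Subscription'],
): PolicyStatement | null {
  if (!usesIamAuth(api)) return null;
  // The ID ends up inside generated source: refuse anything but an alphanumeric token.
  if (!/^[a-z0-9]+$/i.test(api.apiId)) {
    throw new Error(`unexpected AppSync API ID: ${api.apiId}`);
  }
  return {
    Effect: 'Allow',
    Action: ['appsync:GraphQL'],
    Resource: typeNames.map(
      (t) => `arn:aws:appsync:${api.region}:${api.accountId}:apis/${api.apiId}/types/${t}/fields/*`,
    ),
  };
}

// Render the backend.ts fragment a generator would contribute. The
// authenticatedUserIamRole accessor and addToPrincipalPolicy call are the
// Gen2 / CDK APIs the PR names; the exact emitted layout is an assumption.
function renderBackendTsGrant(statement: PolicyStatement): string {
  const resources = statement.Resource.map((r) => `      ${JSON.stringify(r)},`).join('\n');
  return [
    'backend.auth.resources.authenticatedUserIamRole.addToPrincipalPolicy(',
    '  new PolicyStatement({',
    `    actions: ${JSON.stringify(statement.Action)},`,
    '    resources: [',
    resources,
    '    ],',
    '  }),',
    ');',
  ].join('\n');
}

// Constructed sample: Cognito user pools as default, AWS_IAM as an additional mode.
const sampleApi: Gen1AppSyncApi = {
  apiId: 'abcdef1234567890abcdef1234',
  region: 'us-east-1',
  accountId: '123456789012',
  defaultAuthMode: 'AMAZON_COGNITO_USER_POOLS',
  additionalAuthModes: ['AWS_IAM', 'API_KEY'],
};

const sampleGrant = gen1AppSyncGrant(sampleApi);
if (sampleGrant) {
  console.log(renderBackendTsGrant(sampleGrant));
}
```

Running the block prints the fragment for the constructed sample; an API whose only modes are Cognito and API key yields `null` and nothing is written, which matches the description's condition that the statement is contributed only when `AWS_IAM` is detected.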