-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add storage access rules to outputs #1927
Conversation
🦋 Changeset detectedLatest commit: 2b23793 The changes in this PR will be included in the next version bump. This PR includes changesets to release 6 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall change looks good to me.
Question on npx ampx generate outputs
, will customer be able to specify and generate version like 1, 1.1, 1.2?
Yes they can specify using the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I notice the access can be 1 of enum value from 2 sets: read | write | delete
or get | list | write | delete
. Is it possible the output file only use the later one? It would make client side logic a lot easier.
The DX from the PR description makes sense. The JS library can resolve which of the |
Yes we can make this change |
Functions specifically have separate logic through environment variables that reference the resource they are given access to to avoid circular dependencies. For more information see https://docs.amplify.aws/flutter/build-a-backend/functions/grant-access-to-other-resources/. |
'write', | ||
'delete', | ||
]); | ||
const storageAccessActionEnum = z.enum(['get', 'list', 'write', 'delete']); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wouldn't this be a breaking change for deployed apps ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right, I forgot to think about impact on existing apps, adding this back in.
@@ -356,7 +356,7 @@ | |||
"$defs": { | |||
"amplify_storage_access_actions": { | |||
"type": "string", | |||
"enum": ["read", "get", "list", "write", "delete"] | |||
"enum": ["get", "list", "write", "delete"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we may deprecate and not use read
but we should keep it.
*/ | ||
// eslint-disable-next-line @typescript-eslint/naming-convention |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should not be needed here.
/** | ||
* JSON schema | ||
*/ | ||
$schema?: string; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we typically remove this from the code-gen
export interface AmazonLocationServiceConfig { | ||
/** | ||
* Map style | ||
*/ | ||
style?: string; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems the name property is missing from this type?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I might have misconfigured or am using a different version of json-schema-to-typescript
. The closest I would get to the existing client config was running:
json2ts packages/client-config/src/client-config-schema/schema_v1.2.json -o packages/client-config/src/client-config-schema/client_config_v1.2.ts --style.singleQuote --ignoreMinAndMaxItems
I'll update this manually.
@@ -104,6 +103,7 @@ export class StorageOutputsAspect implements IAspect { | |||
name: node.name, | |||
bucketName: node.resources.bucket.bucketName, | |||
storageRegion: Stack.of(node).region, | |||
paths: node.accessDefinition, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We didn't need to make changes here
const bucketSchema = z.object({ | |
name: z.string(), | |
bucketName: z.string(), | |
storageRegion: z.string(), | |
}); |
We might also be missing some automated testing if we didn't catch this failure, or Zod is not strict here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is needed to add paths
to the amplify_outputs.json
file. paths
is optional so storage with no access rules defined will not fail and not have paths
in their amplify_outputs.json
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't the paths be added as optional since we are adding that in the bucketSchema object before stringifying.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it, and yup I believe Zod is not strict enough here, I'll add a test to make sure we cover for both cases of storage with access and without.
paths: { | ||
'path/*': { | ||
guest: ['get'], | ||
}, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add all five types of access rules we support here.
For groups, entity and resource, do we print the actual substituted value (for the group, entity and resource) or just the key name groups
, entity
etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will add all the types of access rules.
For group and entity, we append the group name or entityId to the key name.
For resource since we use environment variables they go through different logic since we don't create storage policies.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this updated? I was thinking this is where we should update https://github.com/aws-amplify/amplify-backend/pull/1927/files#diff-cc440dd1098daee47d41294de3ae883a0c8e2570e516061b54623fa84f7ff8edR136-R139
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added all the access rules but we won't see much benefit from adding more to this test since we are just mapping paths from the payload to the config. For key names, this is handled in access_builder.test.ts
and tested there and for verifying the paths
is built correctly that is done when we assert storageAccessDefinitionOutput
in storage_access_orchestrator.test.ts
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving from JS client side. The outputs generated works as expected without breaking our existing outputs parsing logic.
Problem
Storage access rules defined in
defineStorage
are not inamplify_outputs.json
.Issue number, if available:
Changes
Adds storage access rules to
amplify_outputs.json
. Considering the following backend code:The outputs for storage will be (note:
read
is replaced withget
andlist
):Corresponding docs PR, if applicable:
Validation
E2E and unit tests
Checklist
run-e2e
label set.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.