Reference Auth

.changeset/good-pugs-rescue.md

@@ -0,0 +1,9 @@
+---
+'@aws-amplify/auth-construct': minor
+'@aws-amplify/backend-auth': minor
+'@aws-amplify/backend-data': minor
+'@aws-amplify/plugin-types': minor
+'@aws-amplify/backend': minor
+---
+
+Add support for referenceAuth.

.changeset/spicy-rules-speak.md

@@ -0,0 +1,2 @@
+---
+---

CONTRIBUTING.md

@@ -82,6 +82,8 @@ For local testing we recommend writing unit tests that exercise the code you are
 npm run test:dir packages/<package name>/lib/<file-name>.test.ts
 ```
 
+> Note: If your test depends on \_\_dirname or import.meta.url paths, you may see errors resolving paths if you specify the entire path to the test file. You should specify just the `packages/<package name>` portion of the test you are running.
+
 > Note: You must rebuild using `npm run build` for tests to pick up your changes.
 
 Sometimes it's nice to have a test project to use as a testing environment for local changes. You can create test projects in the `local-testing` directory using

packages/auth-construct/src/construct.ts

@@ -223,6 +223,7 @@ export class AmplifyAuth
       userPoolClient,
       authenticatedUserIamRole: auth,
       unauthenticatedUserIamRole: unAuth,
+      identityPoolId: identityPool.ref,
       cfnResources: {
         cfnUserPool,
         cfnUserPoolClient,

packages/backend-auth/.npmignore

@@ -10,5 +10,6 @@
 # Then ignore test js and ts declaration files
 *.test.js
 *.test.d.ts
+**/test-resources/**
 
 # This leaves us with including only js and ts declaration files of functional code

packages/backend-auth/API.md

@@ -7,9 +7,11 @@
 import { AmazonProviderProps } from '@aws-amplify/auth-construct';
 import { AmplifyFunction } from '@aws-amplify/plugin-types';
 import { AppleProviderProps } from '@aws-amplify/auth-construct';
+import { AuthOutput } from '@aws-amplify/backend-output-schemas';
 import { AuthProps } from '@aws-amplify/auth-construct';
 import { AuthResources } from '@aws-amplify/plugin-types';
 import { AuthRoleName } from '@aws-amplify/plugin-types';
+import { BackendOutputStorageStrategy } from '@aws-amplify/plugin-types';
 import { BackendSecret } from '@aws-amplify/plugin-types';
 import { ConstructFactory } from '@aws-amplify/plugin-types';
 import { ConstructFactoryGetInstanceProps } from '@aws-amplify/plugin-types';
@@ -19,6 +21,7 @@ import { FunctionResources } from '@aws-amplify/plugin-types';
 import { GoogleProviderProps } from '@aws-amplify/auth-construct';
 import { IFunction } from 'aws-cdk-lib/aws-lambda';
 import { OidcProviderProps } from '@aws-amplify/auth-construct';
+import { ReferenceAuthResources } from '@aws-amplify/plugin-types';
 import { ResourceAccessAcceptor } from '@aws-amplify/plugin-types';
 import { ResourceAccessAcceptorFactory } from '@aws-amplify/plugin-types';
 import { ResourceProvider } from '@aws-amplify/plugin-types';
@@ -48,6 +51,11 @@ export type AmplifyAuthProps = Expand<Omit<AuthProps, 'outputStorageStrategy' |
     };
 }>;
 
+// @public (undocumented)
+export type AmplifyReferenceAuthProps = Expand<Omit<ReferenceAuthProps, 'outputStorageStrategy'> & {
+    access?: AuthAccessGenerator;
+}>;
+
 // @public
 export type AppleProviderFactoryProps = Omit<AppleProviderProps, 'clientId' | 'teamId' | 'keyId' | 'privateKey'> & {
     clientId: BackendSecret;
@@ -86,6 +94,9 @@ export type AuthLoginWithFactoryProps = Omit<AuthProps['loginWith'], 'externalPr
 // @public (undocumented)
 export type BackendAuth = ResourceProvider<AuthResources> & ResourceAccessAcceptorFactory<AuthRoleName | string> & StackProvider;
 
+// @public (undocumented)
+export type BackendReferenceAuth = ResourceProvider<ReferenceAuthResources> & ResourceAccessAcceptorFactory<AuthRoleName | string> & StackProvider;
+
 // @public
 export type CustomEmailSender = {
     handler: ConstructFactory<AmplifyFunction> | IFunction;
@@ -130,6 +141,22 @@ export type OidcProviderFactoryProps = Omit<OidcProviderProps, 'clientId' | 'cli
     clientSecret: BackendSecret;
 };
 
+// @public
+export const referenceAuth: (props: AmplifyReferenceAuthProps) => ConstructFactory<BackendReferenceAuth>;
+
+// @public (undocumented)
+export type ReferenceAuthProps = {
+    outputStorageStrategy?: BackendOutputStorageStrategy<AuthOutput>;
+    userPoolId: string;
+    identityPoolId: string;
+    userPoolClientId: string;
+    authRoleArn: string;
+    unauthRoleArn: string;
+    groups?: {
+        [groupName: string]: string;
+    };
+};
+
 // (No @packageDocumentation comment for this package)
 
 ```

packages/backend-auth/package.json

@@ -20,12 +20,17 @@
   "license": "Apache-2.0",
   "dependencies": {
     "@aws-amplify/auth-construct": "^1.4.0",
+    "@aws-amplify/backend-output-schemas": "^1.4.0",
     "@aws-amplify/backend-output-storage": "^1.1.3",
     "@aws-amplify/plugin-types": "^1.3.1"
   },
   "devDependencies": {
     "@aws-amplify/backend-platform-test-stubs": "^0.3.6",
-    "@aws-amplify/platform-core": "^1.0.6"
+    "@aws-amplify/platform-core": "^1.0.6",
+    "@aws-sdk/client-cognito-identity-provider": "^3.624.0",
+    "@aws-sdk/client-cognito-identity": "^3.624.0",
+    "@types/aws-lambda": "^8.10.119",
+    "aws-lambda": "^1.0.7"
   },
   "peerDependencies": {
     "aws-cdk-lib": "^2.158.0",

packages/backend-auth/src/factory.test.ts

@@ -153,8 +153,8 @@ void describe('AmplifyAuthFactory', () => {
       },
       new AmplifyUserError('MultipleSingletonResourcesError', {
         message:
-          'Multiple `defineAuth` calls are not allowed within an Amplify backend',
-        resolution: 'Remove all but one `defineAuth` call',
+          'Multiple `defineAuth` or `referenceAuth` calls are not allowed within an Amplify backend',
+        resolution: 'Remove all but one `defineAuth` or `referenceAuth` call',
       })
     );
   });

packages/backend-auth/src/factory.ts

@@ -103,8 +103,8 @@ export class AmplifyAuthFactory implements ConstructFactory<BackendAuth> {
     if (AmplifyAuthFactory.factoryCount > 0) {
       throw new AmplifyUserError('MultipleSingletonResourcesError', {
         message:
-          'Multiple `defineAuth` calls are not allowed within an Amplify backend',
-        resolution: 'Remove all but one `defineAuth` call',
+          'Multiple `defineAuth` or `referenceAuth` calls are not allowed within an Amplify backend',
+        resolution: 'Remove all but one `defineAuth` or `referenceAuth` call',
       });
     }
     AmplifyAuthFactory.factoryCount++;

packages/backend-auth/src/index.ts

@@ -1,2 +1,8 @@
 export { BackendAuth, AmplifyAuthProps, defineAuth } from './factory.js';
+export {
+  BackendReferenceAuth,
+  AmplifyReferenceAuthProps,
+  referenceAuth,
+  ReferenceAuthProps,
+} from './reference_factory.js';
 export * from './types.js';

packages/backend-auth/src/lambda/.eslintrc.json

@@ -0,0 +1,6 @@
+{
+  "rules": {
+    "no-console": "off",
+    "amplify-backend-rules/prefer-amplify-errors": "off"
+  }
+}