feat(cli-internal): escape hatch for unmapped cognito auth actions

resolveAuthAccess() silently dropped cognito-idp actions that
didn't match GROUPED_AUTH_PERMISSIONS or AUTH_ACTION_MAPPING.
Functions lost permissions they had in Gen1 (e.g., CreateGroup,
DeleteGroup, UpdateGroup, Describe*).

Add a third resolution tier: unmapped actions now generate
addToRolePolicy(new aws_iam.PolicyStatement({...})) escape
hatches in backend.ts, following the existing Kinesis grant
pattern.

Also removes AUTH_TRIGGER_ACTION_MAPPING and
resolveAuthTriggerAccess() introduced in the previous commit.
The auth trigger path (extractAuthTriggerCfnPermissions) now
feeds into the same resolveAuthAccess, and trigger-specific
actions like GetGroup/CreateGroup naturally fall through to
the escape hatch since they don't match any group or
individual mapping.

Changes:
- resolveAuthAccess returns { permissions, unmapped }
- ResolvedFunction gains unmappedAuthActions field
- New contributeAuthEscapeHatch() generates addToRolePolicy
- Remove AUTH_TRIGGER_ACTION_MAPPING + resolveAuthTriggerAccess
- Updated snapshots: fitness-tracker (Describe*), media-vault
  (CreateGroup/DeleteGroup/UpdateGroup), store-locator
  (GetGroup/CreateGroup)

All 12 generate snapshot tests and 135 test suites pass.
---
Prompt: implement escape hatch tier for unmapped cognito
auth actions in resolveAuthAccess, remove
AUTH_TRIGGER_ACTION_MAPPING, update snapshots

Author: sai-ray

amplify-migration-apps/fitness-tracker/_snapshot.post.generate/amplify/backend.ts

@@ -12,7 +12,7 @@ import {
 } from 'aws-cdk-lib/aws-apigateway';
 import { Policy, PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { defineBackend } from '@aws-amplify/backend';
-import { Duration, Stack } from 'aws-cdk-lib';
+import { Duration, aws_iam, Stack } from 'aws-cdk-lib';
 
 const backend = defineBackend({
   auth,
@@ -83,6 +83,12 @@ backend.admin.addEnvironment(
   'AUTH_FITNESSTRACKER33F5545533F55455_USERPOOLID',
   backend.auth.resources.userPool.userPoolId
 );
+backend.admin.resources.lambda.addToRolePolicy(
+  new aws_iam.PolicyStatement({
+    actions: ['cognito-idp:Describe*'],
+    resources: [backend.auth.resources.userPool.userPoolArn],
+  })
+);
 const cfnGraphqlApi = backend.data.resources.cfnResources.cfnGraphqlApi;
 cfnGraphqlApi.additionalAuthenticationProviders = [
   {

amplify-migration-apps/media-vault/_snapshot.post.generate/amplify/backend.ts

@@ -109,27 +109,109 @@ backend.addusertogroup.addEnvironment(
   'AUTH_MEDIAVAULT1F08412D_USERPOOLID',
   backend.auth.resources.userPool.userPoolId
 );
-backend.removeuserfromgroup.resources.cfnResources.cfnFunction.functionName = `removeuserfromgroup-${branchName}`;
-backend.removeuserfromgroup.addEnvironment(
-  'AUTH_MEDIAVAULT1F08412D_USERPOOLID',
-  backend.auth.resources.userPool.userPoolId
-);
 backend.addusertogroup.resources.lambda.addToRolePolicy(
   new aws_iam.PolicyStatement({
     actions: [
-      "cognito-idp:CreateGroup",
-      "cognito-idp:DeleteGroup",
-      "cognito-idp:UpdateGroup",
+      'cognito-idp:ConfirmSignUp',
+      'cognito-idp:CreateUserImportJob',
+      'cognito-idp:AdminLinkProviderForUser',
+      'cognito-idp:CreateIdentityProvider',
+      'cognito-idp:SetUICustomization',
+      'cognito-idp:SignUp',
+      'cognito-idp:SetRiskConfiguration',
+      'cognito-idp:StartUserImportJob',
+      'cognito-idp:AssociateSoftwareToken',
+      'cognito-idp:CreateResourceServer',
+      'cognito-idp:RespondToAuthChallenge',
+      'cognito-idp:CreateUserPoolClient',
+      'cognito-idp:GlobalSignOut',
+      'cognito-idp:AddCustomAttributes',
+      'cognito-idp:CreateGroup',
+      'cognito-idp:CreateUserPool',
+      'cognito-idp:CreateUserPoolDomain',
+      'cognito-idp:StopUserImportJob',
+      'cognito-idp:InitiateAuth',
+      'cognito-idp:ConfirmForgotPassword',
+      'cognito-idp:VerifySoftwareToken',
+      'cognito-idp:AdminDisableProviderForUser',
+      'cognito-idp:SetUserPoolMfaConfig',
+      'cognito-idp:ChangePassword',
+      'cognito-idp:ConfirmDevice',
+      'cognito-idp:ResendConfirmationCode',
+      'cognito-idp:Describe*',
+      'cognito-idp:ForgotPassword',
+      'cognito-idp:UpdateAuthEventFeedback',
+      'cognito-idp:UpdateResourceServer',
+      'cognito-idp:UpdateUserPoolClient',
+      'cognito-idp:UpdateUserPoolDomain',
+      'cognito-idp:UpdateIdentityProvider',
+      'cognito-idp:UpdateGroup',
+      'cognito-idp:UpdateDeviceStatus',
+      'cognito-idp:UpdateUserPool',
+      'cognito-idp:DeleteUserPoolDomain',
+      'cognito-idp:DeleteResourceServer',
+      'cognito-idp:DeleteGroup',
+      'cognito-idp:DeleteUserPoolClient',
+      'cognito-idp:DeleteUserAttributes',
+      'cognito-idp:DeleteUserPool',
+      'cognito-idp:DeleteIdentityProvider',
+      'cognito-idp:DeleteUser',
     ],
     resources: [backend.auth.resources.userPool.userPoolArn],
   })
 );
+backend.removeuserfromgroup.resources.cfnResources.cfnFunction.functionName = `removeuserfromgroup-${branchName}`;
+backend.removeuserfromgroup.addEnvironment(
+  'AUTH_MEDIAVAULT1F08412D_USERPOOLID',
+  backend.auth.resources.userPool.userPoolId
+);
 backend.removeuserfromgroup.resources.lambda.addToRolePolicy(
   new aws_iam.PolicyStatement({
     actions: [
-      "cognito-idp:CreateGroup",
-      "cognito-idp:DeleteGroup",
-      "cognito-idp:UpdateGroup",
+      'cognito-idp:ConfirmSignUp',
+      'cognito-idp:CreateUserImportJob',
+      'cognito-idp:AdminLinkProviderForUser',
+      'cognito-idp:CreateIdentityProvider',
+      'cognito-idp:SetUICustomization',
+      'cognito-idp:SignUp',
+      'cognito-idp:SetRiskConfiguration',
+      'cognito-idp:StartUserImportJob',
+      'cognito-idp:AssociateSoftwareToken',
+      'cognito-idp:CreateResourceServer',
+      'cognito-idp:RespondToAuthChallenge',
+      'cognito-idp:CreateUserPoolClient',
+      'cognito-idp:GlobalSignOut',
+      'cognito-idp:AddCustomAttributes',
+      'cognito-idp:CreateGroup',
+      'cognito-idp:CreateUserPool',
+      'cognito-idp:CreateUserPoolDomain',
+      'cognito-idp:StopUserImportJob',
+      'cognito-idp:InitiateAuth',
+      'cognito-idp:ConfirmForgotPassword',
+      'cognito-idp:VerifySoftwareToken',
+      'cognito-idp:AdminDisableProviderForUser',
+      'cognito-idp:SetUserPoolMfaConfig',
+      'cognito-idp:ChangePassword',
+      'cognito-idp:ConfirmDevice',
+      'cognito-idp:ResendConfirmationCode',
+      'cognito-idp:Describe*',
+      'cognito-idp:ForgotPassword',
+      'cognito-idp:UpdateAuthEventFeedback',
+      'cognito-idp:UpdateResourceServer',
+      'cognito-idp:UpdateUserPoolClient',
+      'cognito-idp:UpdateUserPoolDomain',
+      'cognito-idp:UpdateIdentityProvider',
+      'cognito-idp:UpdateGroup',
+      'cognito-idp:UpdateDeviceStatus',
+      'cognito-idp:UpdateUserPool',
+      'cognito-idp:DeleteUserPoolDomain',
+      'cognito-idp:DeleteResourceServer',
+      'cognito-idp:DeleteGroup',
+      'cognito-idp:DeleteUserPoolClient',
+      'cognito-idp:DeleteUserAttributes',
+      'cognito-idp:DeleteUserPool',
+      'cognito-idp:DeleteIdentityProvider',
+      'cognito-idp:DeleteUser',
     ],
     resources: [backend.auth.resources.userPool.userPoolArn],
   })

amplify-migration-apps/store-locator/_snapshot.post.generate/amplify/backend.ts

@@ -1,4 +1,3 @@
-import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { auth } from './auth/resource';
 import { storelocator41a9495f41a9495fPostConfirmation } from './auth/storelocator41a9495f41a9495fPostConfirmation/resource';
 import { defineGeo } from './geo/resource';
@@ -33,13 +32,9 @@ userPool.addClient('NativeAppClient', {
 });
 const branchName = process.env.AWS_BRANCH ?? 'sandbox';
 backend.storelocator41a9495f41a9495fPostConfirmation.resources.cfnResources.cfnFunction.functionName = `storelocator41a9495f41a9495fPostConfirmation-${branchName}`;
-
 backend.storelocator41a9495f41a9495fPostConfirmation.resources.lambda.addToRolePolicy(
-    new aws_iam.PolicyStatement({
-    actions: [
-      "cognito-idp:GetGroup",
-      "cognito-idp:CreateGroup"
-    ],
+  new aws_iam.PolicyStatement({
+    actions: ['cognito-idp:GetGroup', 'cognito-idp:CreateGroup'],
     resources: [backend.auth.resources.userPool.userPoolArn],
   })
 );

packages/amplify-cli/src/commands/gen2-migration/generate/amplify/function/function.generator.ts

@@ -44,6 +44,7 @@ interface ResolvedFunction {
   readonly kinesisActions: readonly string[];
   readonly graphqlApiPermissions: { readonly hasMutation: boolean; readonly hasQuery: boolean };
   readonly authAccess: AuthPermissions;
+  readonly unmappedAuthActions: readonly string[];
 }
 
 /**
@@ -131,6 +132,7 @@ export class FunctionGenerator implements Planner {
           await this.generateResource(func);
           this.contributeOverrides(func);
           this.contributeGrants(func);
+          this.contributeAuthEscapeHatch(func);
           if (triggerModels.length > 0) {
             this.contributeDynamoTrigger(func.resourceName, triggerModels);
           }
@@ -173,11 +175,18 @@ export class FunctionGenerator implements Planner {
     const { retained, escapeHatches } = classifyEnvVars(config.Environment?.Variables ?? {});
 
     // Extract DynamoDB/Kinesis actions and GraphQL API permissions from the function's CloudFormation template
-    const { dynamoActions, kinesisActions, graphqlApiPermissions, authAccess: cfnAuthAccess } = this.extractCfnPermissions();
+    const {
+      dynamoActions,
+      kinesisActions,
+      graphqlApiPermissions,
+      authAccess: cfnAuthAccess,
+      unmappedAuthActions: cfnUnmapped,
+    } = this.extractCfnPermissions();
 
     // For auth trigger functions, also extract permissions from the auth-trigger CFN template.
-    const triggerAuthAccess = this.extractAuthTriggerCfnPermissions();
+    const { permissions: triggerAuthAccess, unmapped: triggerUnmapped } = this.extractAuthTriggerCfnPermissions();
     const authAccess = { ...cfnAuthAccess, ...triggerAuthAccess };
+    const unmappedAuthActions = [...new Set([...cfnUnmapped, ...triggerUnmapped])];
 
     return {
       resourceName: this.resource.resourceName,
@@ -194,6 +203,7 @@ export class FunctionGenerator implements Planner {
       kinesisActions,
       graphqlApiPermissions,
       authAccess,
+      unmappedAuthActions,
     };
   }
 
@@ -257,6 +267,62 @@ export class FunctionGenerator implements Planner {
     }
   }
 
+  /** Emits `addToRolePolicy` in backend.ts for cognito-idp actions that don't map to any Gen2 auth permission. */
+  private contributeAuthEscapeHatch(func: ResolvedFunction): void {
+    if (func.unmappedAuthActions.length === 0) return;
+
+    this.backendGenerator.addImport('aws-cdk-lib', ['aws_iam']);
+
+    const lambdaRef = factory.createPropertyAccessExpression(
+      factory.createPropertyAccessExpression(
+        factory.createPropertyAccessExpression(factory.createIdentifier('backend'), factory.createIdentifier(func.resourceName)),
+        factory.createIdentifier('resources'),
+      ),
+      factory.createIdentifier('lambda'),
+    );
+
+    const policyStatement = factory.createNewExpression(
+      factory.createPropertyAccessExpression(factory.createIdentifier('aws_iam'), factory.createIdentifier('PolicyStatement')),
+      undefined,
+      [
+        factory.createObjectLiteralExpression(
+          [
+            factory.createPropertyAssignment(
+              'actions',
+              factory.createArrayLiteralExpression(func.unmappedAuthActions.map((a) => factory.createStringLiteral(a))),
+            ),
+            factory.createPropertyAssignment(
+              'resources',
+              factory.createArrayLiteralExpression([
+                factory.createPropertyAccessExpression(
+                  factory.createPropertyAccessExpression(
+                    factory.createPropertyAccessExpression(
+                      factory.createPropertyAccessExpression(factory.createIdentifier('backend'), factory.createIdentifier('auth')),
+                      factory.createIdentifier('resources'),
+                    ),
+                    factory.createIdentifier('userPool'),
+                  ),
+                  factory.createIdentifier('userPoolArn'),
+                ),
+              ]),
+            ),
+          ],
+          true,
+        ),
+      ],
+    );
+
+    this.backendGenerator.addStatement(
+      factory.createExpressionStatement(
+        factory.createCallExpression(
+          factory.createPropertyAccessExpression(lambdaRef, factory.createIdentifier('addToRolePolicy')),
+          undefined,
+          [policyStatement],
+        ),
+      ),
+    );
+  }
+
   private contributeAuthTrigger(): void {
     if (!this.authGenerator || this.category !== 'auth') return;
     const authResourceName = this.gen1App.singleResourceName('auth', 'Cognito');
@@ -544,13 +610,20 @@ export class FunctionGenerator implements Planner {
     kinesisActions: string[];
     graphqlApiPermissions: { hasMutation: boolean; hasQuery: boolean };
     authAccess: AuthPermissions;
+    unmappedAuthActions: string[];
   } {
     const templatePath = `function/${this.resource.resourceName}/${this.resource.resourceName}-cloudformation-template.json`;
     // eslint-disable-next-line @typescript-eslint/no-explicit-any -- untyped CloudFormation template
     const template = this.gen1App.json(templatePath);
     const policy = template.Resources?.AmplifyResourcesPolicy;
     if (!policy || policy.Type !== 'AWS::IAM::Policy') {
-      return { dynamoActions: [], kinesisActions: [], graphqlApiPermissions: { hasMutation: false, hasQuery: false }, authAccess: {} };
+      return {
+        dynamoActions: [],
+        kinesisActions: [],
+        graphqlApiPermissions: { hasMutation: false, hasQuery: false },
+        authAccess: {},
+        unmappedAuthActions: [],
+      };
     }
 
     const statements = policy.Properties?.PolicyDocument?.Statement ?? [];
@@ -589,8 +662,8 @@ export class FunctionGenerator implements Planner {
       }
     }
 
-    const authAccess = resolveAuthAccess(cognitoActions);
-    return { dynamoActions, kinesisActions, graphqlApiPermissions: { hasMutation, hasQuery }, authAccess };
+    const { permissions: authAccess, unmapped: unmappedAuthActions } = resolveAuthAccess(cognitoActions);
+    return { dynamoActions, kinesisActions, graphqlApiPermissions: { hasMutation, hasQuery }, authAccess, unmappedAuthActions };
   }
 
   /**
@@ -601,12 +674,12 @@ export class FunctionGenerator implements Planner {
    * This method reads that template and extracts cognito-idp actions from IAM policies
    * that reference this function.
    */
-  private extractAuthTriggerCfnPermissions(): AuthPermissions {
-    if (this.category !== 'auth') return {};
+  private extractAuthTriggerCfnPermissions(): { permissions: AuthPermissions; unmapped: string[] } {
+    if (this.category !== 'auth') return { permissions: {}, unmapped: [] };
 
     const authResourceName = this.gen1App.singleResourceName('auth', 'Cognito');
     const templatePath = `auth/${authResourceName}/build/auth-trigger-cloudformation-template.json`;
-    if (!this.gen1App.fileExists(templatePath)) return {};
+    if (!this.gen1App.fileExists(templatePath)) return { permissions: {}, unmapped: [] };
 
     // eslint-disable-next-line @typescript-eslint/no-explicit-any -- untyped CloudFormation template
     const template = this.gen1App.json(templatePath);
@@ -1077,14 +1150,10 @@ const AUTH_ACTION_MAPPING: Readonly<Record<string, keyof AuthPermissions>> = {
   'cognito-idp:UpdateUserAttributes': 'updateUserAttributes',
   'cognito-idp:SetUserMFAPreference': 'setUserMfaPreference',
   'cognito-idp:SetUserSettings': 'setUserSettings',
-  'cognito-idp:GetGroup': 'manageGroups',
-  'cognito-idp:CreateGroup': 'manageGroups',
-  'cognito-idp:DeleteGroup': 'manageGroups',
-  'cognito-idp:UpdateGroup': 'manageGroups',
 };
 
-function resolveAuthAccess(cognitoActions: string[]): AuthPermissions {
-  if (cognitoActions.length === 0) return {};
+function resolveAuthAccess(cognitoActions: string[]): { permissions: AuthPermissions; unmapped: string[] } {
+  if (cognitoActions.length === 0) return { permissions: {}, unmapped: [] };
   const result: Record<string, boolean> = {};
   const covered = new Set<string>();
 
@@ -1096,12 +1165,15 @@ function resolveAuthAccess(cognitoActions: string[]): AuthPermissions {
   }
 
   for (const action of cognitoActions) {
-    if (!covered.has(action) && AUTH_ACTION_MAPPING[action]) {
+    if (covered.has(action)) continue;
+    if (AUTH_ACTION_MAPPING[action]) {
       result[AUTH_ACTION_MAPPING[action]] = true;
+      covered.add(action);
     }
   }
 
-  return result as AuthPermissions;
+  const unmapped = cognitoActions.filter((a) => !covered.has(a));
+  return { permissions: result as AuthPermissions, unmapped };
 }
 
 // ── Auth trigger suffix mapping ───────────────────────────────────