fix(gen2-migration): relax lock status validation to check for Deny statement existence instead of exact policy match (#14756)

sai-ray · web-flow · commit e313e277ab97 · 2026-04-13T11:39:58.000-04:00
chore: relax lock statement validation

Co-authored-by: Sai Ray &lt;saisujit@amazon.com&gt;
diff --git a/packages/amplify-cli/src/__tests__/commands/gen2-migration/_infra/validations.test.ts b/packages/amplify-cli/src/__tests__/commands/gen2-migration/_infra/validations.test.ts
@@ -784,6 +784,39 @@ describe('AmplifyGen2MigrationValidations', () => {
       await expect(validations.validateLockStatus()).resolves.not.toThrow();
     });
 
+    it('should pass when lock statement exists alongside other statements', async () => {
+      jest.spyOn(stateManager, 'getTeamProviderInfo').mockReturnValue({
+        mock: {
+          awscloudformation: {
+            StackName: 'test-stack',
+          },
+        },
+      });
+
+      const policyWithBoth = {
+        Statement: [
+          {
+            Effect: 'Allow',
+            Action: 'Update:*',
+            Principal: '*',
+            Resource: '*',
+          },
+          {
+            Effect: 'Deny',
+            Action: 'Update:*',
+            Principal: '*',
+            Resource: '*',
+          },
+        ],
+      };
+
+      mockCfnSend.mockResolvedValue({
+        StackPolicyBody: JSON.stringify(policyWithBoth),
+      });
+
+      await expect(validations.validateLockStatus()).resolves.not.toThrow();
+    });
+
     it('should throw MigrationError when stack policy has wrong effect', async () => {
       jest.spyOn(stateManager, 'getTeamProviderInfo').mockReturnValue({
         mock: {
diff --git a/packages/amplify-cli/src/commands/gen2-migration/_infra/validations.ts b/packages/amplify-cli/src/commands/gen2-migration/_infra/validations.ts
@@ -161,18 +161,11 @@ export class AmplifyGen2MigrationValidations {
     }
 
     const currentPolicy = JSON.parse(StackPolicyBody);
-    const expectedPolicy = {
-      Statement: [
-        {
-          Effect: 'Deny',
-          Action: 'Update:*',
-          Principal: '*',
-          Resource: '*',
-        },
-      ],
-    };
-
-    if (JSON.stringify(currentPolicy) !== JSON.stringify(expectedPolicy)) {
+    const hasLockStatement = currentPolicy.Statement.some(
+      (s: Record<string, string>) => s.Effect === 'Deny' && s.Action === 'Update:*' && s.Principal === '*' && s.Resource === '*',
+    );
+
+    if (!hasLockStatement) {
       throw new AmplifyError('MigrationError', {
         message: 'Stack policy does not match expected lock policy',
         resolution: 'Run the lock command to set the correct stack policy.',
