chore: mid-work

Author: sai-ray

amplify-migration-apps/media-vault/_snapshot.post.generate/amplify/backend.ts

@@ -5,7 +5,7 @@ import { thumbnailgen } from './storage/thumbnailgen/resource';
 import { addusertogroup } from './function/addusertogroup/resource';
 import { removeuserfromgroup } from './function/removeuserfromgroup/resource';
 import { defineBackend } from '@aws-amplify/backend';
-import { Duration } from 'aws-cdk-lib';
+import { Duration, aws_iam } from 'aws-cdk-lib';
 import {
   OAuthScope,
   UserPoolClientIdentityProvider,
@@ -114,3 +114,23 @@ backend.removeuserfromgroup.addEnvironment(
   'AUTH_MEDIAVAULT1F08412D_USERPOOLID',
   backend.auth.resources.userPool.userPoolId
 );
+backend.addusertogroup.resources.lambda.addToRolePolicy(
+  new aws_iam.PolicyStatement({
+    actions: [
+      "cognito-idp:CreateGroup",
+      "cognito-idp:DeleteGroup",
+      "cognito-idp:UpdateGroup",
+    ],
+    resources: [backend.auth.resources.userPool.userPoolArn],
+  })
+);
+backend.removeuserfromgroup.resources.lambda.addToRolePolicy(
+  new aws_iam.PolicyStatement({
+    actions: [
+      "cognito-idp:CreateGroup",
+      "cognito-idp:DeleteGroup",
+      "cognito-idp:UpdateGroup",
+    ],
+    resources: [backend.auth.resources.userPool.userPoolArn],
+  })
+);

amplify-migration-apps/store-locator/_snapshot.post.generate/amplify/auth/resource.ts

@@ -25,8 +25,5 @@ export const auth = defineAuth({
     allow
       .resource(storelocator41a9495f41a9495fPostConfirmation)
       .to(['addUserToGroup']),
-    allow
-      .resource(storelocator41a9495f41a9495fPostConfirmation)
-      .to(['manageGroups']),
   ],
 });

amplify-migration-apps/store-locator/_snapshot.post.generate/amplify/backend.ts

@@ -1,8 +1,9 @@
+import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { auth } from './auth/resource';
 import { storelocator41a9495f41a9495fPostConfirmation } from './auth/storelocator41a9495f41a9495fPostConfirmation/resource';
 import { defineGeo } from './geo/resource';
 import { defineBackend } from '@aws-amplify/backend';
-import { Duration } from 'aws-cdk-lib';
+import { Duration, aws_iam } from 'aws-cdk-lib';
 
 const backend = defineBackend({
   auth,
@@ -32,3 +33,13 @@ userPool.addClient('NativeAppClient', {
 });
 const branchName = process.env.AWS_BRANCH ?? 'sandbox';
 backend.storelocator41a9495f41a9495fPostConfirmation.resources.cfnResources.cfnFunction.functionName = `storelocator41a9495f41a9495fPostConfirmation-${branchName}`;
+
+backend.storelocator41a9495f41a9495fPostConfirmation.resources.lambda.addToRolePolicy(
+    new aws_iam.PolicyStatement({
+    actions: [
+      "cognito-idp:GetGroup",
+      "cognito-idp:CreateGroup"
+    ],
+    resources: [backend.auth.resources.userPool.userPoolArn],
+  })
+);

packages/amplify-cli/src/commands/gen2-migration/generate/amplify/function/function.generator.ts

@@ -631,7 +631,7 @@ export class FunctionGenerator implements Planner {
       }
     }
 
-    return resolveAuthTriggerAccess(cognitoActions);
+    return resolveAuthAccess(cognitoActions);
   }
 
   /**
@@ -1077,6 +1077,10 @@ const AUTH_ACTION_MAPPING: Readonly<Record<string, keyof AuthPermissions>> = {
   'cognito-idp:UpdateUserAttributes': 'updateUserAttributes',
   'cognito-idp:SetUserMFAPreference': 'setUserMfaPreference',
   'cognito-idp:SetUserSettings': 'setUserSettings',
+  'cognito-idp:GetGroup': 'manageGroups',
+  'cognito-idp:CreateGroup': 'manageGroups',
+  'cognito-idp:DeleteGroup': 'manageGroups',
+  'cognito-idp:UpdateGroup': 'manageGroups',
 };
 
 function resolveAuthAccess(cognitoActions: string[]): AuthPermissions {
@@ -1100,35 +1104,6 @@ function resolveAuthAccess(cognitoActions: string[]): AuthPermissions {
   return result as AuthPermissions;
 }
 
-/**
- * Maps cognito-idp IAM actions from auth-trigger CFN templates to Gen2 auth permissions.
- *
- * Auth trigger policies (e.g., "Add User To Group") use actions like `GetGroup` and
- * `CreateGroup` that aren't in the standard `AUTH_ACTION_MAPPING` (which covers actions
- * from function-level `AmplifyResourcesPolicy`). This function extends the base mapping
- * with trigger-specific actions that map to `manageGroups`.
- */
-const AUTH_TRIGGER_ACTION_MAPPING: Readonly<Record<string, keyof AuthPermissions>> = {
-  ...AUTH_ACTION_MAPPING,
-  'cognito-idp:GetGroup': 'manageGroups',
-  'cognito-idp:CreateGroup': 'manageGroups',
-  'cognito-idp:DeleteGroup': 'manageGroups',
-  'cognito-idp:UpdateGroup': 'manageGroups',
-};
-
-function resolveAuthTriggerAccess(cognitoActions: string[]): AuthPermissions {
-  if (cognitoActions.length === 0) return {};
-  const result: Record<string, boolean> = {};
-
-  for (const action of cognitoActions) {
-    if (AUTH_TRIGGER_ACTION_MAPPING[action]) {
-      result[AUTH_TRIGGER_ACTION_MAPPING[action]] = true;
-    }
-  }
-
-  return result as AuthPermissions;
-}
-
 // ── Auth trigger suffix mapping ───────────────────────────────────
 
 const TRIGGER_SUFFIX_TO_EVENT: Readonly<Record<string, AuthTriggerEvent>> = {