fix(gen2-migration): lock command shows unexpected drift for apps with REST APIs, auth triggers or S3 triggers

[sai-ray]

Fixes: #14635, #14483 and #14489

Description of changes

This PR filters three known false-positive drifts in Phase 1 (CloudFormation stack drift) that cause gen2-migration lock to fail validation on apps with REST APIs, auth triggers, or S3 storage triggers.

The false positives are caused by Amplify's own push pipeline:

1. REST API Description: apigw-stack-builder.ts#generateStackResources (in amplify-category-api repo) sets description: '' on CfnRestApi, but API Gateway resolves it to null at deploy time. CloudFormation sees ActualValue: null, ExpectedValue: '' as drift.
2. Auth trigger policies: createPermissionsForAuthTrigger() (L219) attaches an AddToGroupCognito policy (defined in PostConfirmation.map.json) to the Lambda execution role. This appears as /Policies/0 drift with ExpectedValue: null.
3. S3 trigger policies: configureTriggerPolicy() (L109) attaches an amplify-lambda-execution-policy-storage policy (hardcoded in createTriggerPolicyDefinition() (L883)) to the Lambda execution role. This appears as /Policies/N drift with ExpectedValue: null.

All false-positive filters (including the existing isAmplifyAuthRoleDenyToAllowChange) are now registered in a FALSE_POSITIVE_FILTERS array. The detection loop iterates this array instead of using inline if-statements, so adding future filters is a one-line change.

Two new filter functions are added in detect-stack-drift.ts:

• isAmplifyRestApiDescriptionDrift — exact match on resource type, property path, and null-vs-empty values
• isAmplifyTriggerPolicyDrift — matches resource type, /Policies/\d+ path, null expected value, and parses the PolicyDocument JSON to verify actions via set containment against known Amplify policy patterns

Example console output after running amplify gen2-migration lock on a gen1 app with REST APIs, auth triggers and S3 triggers.

[2026-03-14T21:27:06.558Z] [lock] [goetest1/dev] → Performing validations
[2026-03-14T21:27:06.558Z] [lock] [goetest1/dev] • Inspecting root stack 'amplify-goetest1-dev-2612a' status
[2026-03-14T21:27:06.937Z] [lock] [goetest1/dev] • Root stack 'amplify-goetest1-dev-2612a' status is UPDATE_COMPLETE ✔
[2026-03-14T21:27:06.941Z] [lock] [goetest1/dev] • Started Drift Detection for Project: goetest1
Drift detection completed
[2026-03-14T21:28:37.597Z] [lock] [goetest1/dev] • 
API api2953882d
  CloudFormation Drift: Deployed resources do not match templates
  Drift Id: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/drifts?stackId=arn%3Aaws%3Acloudformation%3Aus-east-1%3A014148916658%3Astack%2Famplify-goetest1-dev-2612a-apiapi2953882d-AGLTIHQMIIUQ%2F3b26fa80-1fe8-11f1-8246-0affc8025cf1

  njt9lu4aw6
  ~ AWS::ApiGateway::RestApi
    Property: /Description
      Deployed:  "null"
      Expected:  ""

FUNCTION LambdaExecutionRole
  CloudFormation Drift: Deployed resources do not match templates
  Drift Id: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/drifts?stackId=arn%3Aaws%3Acloudformation%3Aus-east-1%3A014148916658%3Astack%2Famplify-goetest1-dev-2612a-functionS3Triggera0538cda-VURJMNQI1ASZ%2F1630b2c0-1fe8-11f1-83fc-0ef8b37bcd63

  S3Triggera0538cdaLambdaRolea0538cda-dev
  ~ AWS::IAM::Role
    Property: /Policies/0
      Deployed:  "{"PolicyDocument":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"s3:ListBucket\",\"Resource\":\"arn:aws:s3:::goetest13ec17702450f4a26bea13eff98a259da2612a-dev\"},{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\",\"s3:GetObject\",\"s3:ListBucket\",\"s3:DeleteObject\"],\"Resource\":\"arn:aws:s3:::goetest13ec17702450f4a26bea13eff98a259da2612a-dev/*\"}]}","PolicyName":"amplify-lambda-execution-policy-storage"}"
      Expected:  "null"

FUNCTION LambdaExecutionRole
  CloudFormation Drift: Deployed resources do not match templates
  Drift Id: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/drifts?stackId=arn%3Aaws%3Acloudformation%3Aus-east-1%3A014148916658%3Astack%2Famplify-goetest1-dev-2612a-functiongoetest15dce7f8d5dce7f8dPostConfirmation-1TSGET3O9NMTW%2Fc9441300-1d10-11f1-b985-0affd047e119

  goetest15dce7f8d5dce7f8dPostConfirmation-dev
  ~ AWS::IAM::Role
    Property: /Policies/0
      Deployed:  "{"PolicyDocument":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"cognito-idp:AdminAddUserToGroup\",\"cognito-idp:GetGroup\",\"cognito-idp:CreateGroup\"],\"Resource\":\"arn:aws:cognito-idp:us-east-1:014148916658:userpool/us-east-1_FDGd50Fws\"}]}","PolicyName":"AddToGroupCognito"}"
      Expected:  "null"


[2026-03-14T21:28:37.598Z] [lock] [goetest1/dev] • Drift detected
🛑 Validations failed: Drift detected

Post-fix:

→ Planning complete
→ Validating complete

Validations Summary

┌────────────────────┬──────────┐
│ Validation         │ Status   │
├────────────────────┼──────────┤
│ Environment Status │ ✔ Passed │
├────────────────────┼──────────┤
│ Drift              │ ✔ Passed │
└────────────────────┴──────────┘

You are about to execute 'lock' on environment 'd136pyk8fntvyw/dev'.

Issue #, if available

1. (gen2-migration) lock command shows unexpected drift for auth triggers #14635
2. (gen2-migration) lock command shows unexpected drift for s3 storage triggers #14483
3. (gen2-migration) lock command shows unexpected drift for apps that have REST api #14489

Description of how you validated changes

• Added 9 unit tests covering both filters.
• Manually tested against a gen1 app with auth trigger, s3 trigger and REST APIs.
• yarn test passes in packages/amplify-cli.
• Existing drift-formatter.test.ts still passes (14/14).

Checklist

• PR description included
• yarn test passes
• Tests are changed or added
• Relevant documentation is changed or added (and PR referenced)
• New AWS SDK calls or CloudFormation actions have been added to relevant test and service IAM policies
• Pull request labels are added

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[9pace]

General feedback. Let's talk in person.