fix(gen2-migration): lock command shows unexpected drift for apps with REST APIs, auth triggers or S3 triggers #14669

Merged
sai-ray merged 5 commits into gen2-migration from sai/fix-lock-command-unexpected-drifts on Mar 26, 2026

Conversation

@sai-ray
Contributor

@sai-ray sai-ray commented Mar 13, 2026

Fixes: #14635, #14483 and #14489

Description of changes

This PR filters three known false-positive drifts in Phase 1 (CloudFormation stack drift) that cause gen2-migration lock to fail validation on apps with REST APIs, auth triggers, or S3 storage triggers.

The false positives are caused by Amplify's own push pipeline:

  1. REST API Description: apigw-stack-builder.ts#generateStackResources (in amplify-category-api repo) sets description: '' on CfnRestApi, but API Gateway resolves it to null at deploy time. CloudFormation sees ActualValue: null, ExpectedValue: '' as drift.
  2. Auth trigger policies: createPermissionsForAuthTrigger() (L219) attaches an AddToGroupCognito policy (defined in PostConfirmation.map.json) to the Lambda execution role. This appears as /Policies/0 drift with ExpectedValue: null.
  3. S3 trigger policies: configureTriggerPolicy() (L109) attaches an amplify-lambda-execution-policy-storage policy (hardcoded in createTriggerPolicyDefinition() (L883)) to the Lambda execution role. This appears as /Policies/N drift with ExpectedValue: null.

All false-positive filters (including the existing isAmplifyAuthRoleDenyToAllowChange) are now registered in a FALSE_POSITIVE_FILTERS array. The detection loop iterates this array instead of using inline if-statements, so adding future filters is a one-line change.

Two new filter functions are added in detect-stack-drift.ts:

  • isAmplifyRestApiDescriptionDrift — exact match on resource type, property path, and null-vs-empty values
  • isAmplifyTriggerPolicyDrift — matches resource type, /Policies/\d+ path, null expected value, and parses the PolicyDocument JSON to verify actions via set containment against known Amplify policy patterns

Example console output after running amplify gen2-migration lock on a gen1 app with REST APIs, auth triggers and S3 triggers:

[2026-03-14T21:27:06.558Z] [lock] [goetest1/dev] → Performing validations
[2026-03-14T21:27:06.558Z] [lock] [goetest1/dev] • Inspecting root stack 'amplify-goetest1-dev-2612a' status
[2026-03-14T21:27:06.937Z] [lock] [goetest1/dev] • Root stack 'amplify-goetest1-dev-2612a' status is UPDATE_COMPLETE ✔
[2026-03-14T21:27:06.941Z] [lock] [goetest1/dev] • Started Drift Detection for Project: goetest1
Drift detection completed
[2026-03-14T21:28:37.597Z] [lock] [goetest1/dev] • 
API api2953882d
  CloudFormation Drift: Deployed resources do not match templates
  Drift Id: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/drifts?stackId=arn%3Aaws%3Acloudformation%3Aus-east-1%3A014148916658%3Astack%2Famplify-goetest1-dev-2612a-apiapi2953882d-AGLTIHQMIIUQ%2F3b26fa80-1fe8-11f1-8246-0affc8025cf1

  njt9lu4aw6
  ~ AWS::ApiGateway::RestApi
    Property: /Description
      Deployed:  "null"
      Expected:  ""

FUNCTION LambdaExecutionRole
  CloudFormation Drift: Deployed resources do not match templates
  Drift Id: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/drifts?stackId=arn%3Aaws%3Acloudformation%3Aus-east-1%3A014148916658%3Astack%2Famplify-goetest1-dev-2612a-functionS3Triggera0538cda-VURJMNQI1ASZ%2F1630b2c0-1fe8-11f1-83fc-0ef8b37bcd63

  S3Triggera0538cdaLambdaRolea0538cda-dev
  ~ AWS::IAM::Role
    Property: /Policies/0
      Deployed:  "{"PolicyDocument":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"s3:ListBucket\",\"Resource\":\"arn:aws:s3:::goetest13ec17702450f4a26bea13eff98a259da2612a-dev\"},{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\",\"s3:GetObject\",\"s3:ListBucket\",\"s3:DeleteObject\"],\"Resource\":\"arn:aws:s3:::goetest13ec17702450f4a26bea13eff98a259da2612a-dev/*\"}]}","PolicyName":"amplify-lambda-execution-policy-storage"}"
      Expected:  "null"

FUNCTION LambdaExecutionRole
  CloudFormation Drift: Deployed resources do not match templates
  Drift Id: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/drifts?stackId=arn%3Aaws%3Acloudformation%3Aus-east-1%3A014148916658%3Astack%2Famplify-goetest1-dev-2612a-functiongoetest15dce7f8d5dce7f8dPostConfirmation-1TSGET3O9NMTW%2Fc9441300-1d10-11f1-b985-0affd047e119

  goetest15dce7f8d5dce7f8dPostConfirmation-dev
  ~ AWS::IAM::Role
    Property: /Policies/0
      Deployed:  "{"PolicyDocument":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"cognito-idp:AdminAddUserToGroup\",\"cognito-idp:GetGroup\",\"cognito-idp:CreateGroup\"],\"Resource\":\"arn:aws:cognito-idp:us-east-1:014148916658:userpool/us-east-1_FDGd50Fws\"}]}","PolicyName":"AddToGroupCognito"}"
      Expected:  "null"


[2026-03-14T21:28:37.598Z] [lock] [goetest1/dev] • Drift detected
🛑 Validations failed: Drift detected

Post-fix:

→ Planning complete
→ Validating complete

Validations Summary

┌────────────────────┬──────────┐
│ Validation         │ Status   │
├────────────────────┼──────────┤
│ Environment Status │ ✔ Passed │
├────────────────────┼──────────┤
│ Drift              │ ✔ Passed │
└────────────────────┴──────────┘

You are about to execute 'lock' on environment 'd136pyk8fntvyw/dev'.

Issue #, if available

  1. (gen2-migration) lock command shows unexpected drift for auth triggers #14635
  2. (gen2-migration) lock command shows unexpected drift for s3 storage triggers #14483
  3. (gen2-migration) lock command shows unexpected drift for apps that have REST api #14489

Description of how you validated changes

  • Added 9 unit tests covering both filters.
  • Manually tested against a gen1 app with auth trigger, s3 trigger and REST APIs.
  • yarn test passes in packages/amplify-cli.
  • Existing drift-formatter.test.ts still passes (14/14).

Checklist

  • PR description included
  • yarn test passes
  • Tests are changed or added
  • Relevant documentation is changed or added (and PR referenced)
  • New AWS SDK calls or CloudFormation actions have been added to relevant test and service IAM policies
  • Pull request labels are added

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
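The filter registry and the set-containment check the description outlines, as an added example written for this page rather than the PR's own code from amplify-cli; the `PropertyDifference` type, the `realDrifts` and `samplePolicyDiff` helpers, and the sample values are assumptions, with the known policy names and actions taken from the drift output above.

```typescript
// Added example (not the amplify-cli project's code): a registry of false-positive
// drift filters in the shape the PR description outlines. The type and helper
// names and the sample values below are assumptions made for this example.
interface PropertyDifference {
  resourceType: string;
  propertyPath: string;
  expectedValue: string | null; // CloudFormation reports missing values as null or "null"
  actualValue: string | null;
}
type FalsePositiveFilter = (d: PropertyDifference) => boolean;
// Policies Amplify's push pipeline attaches to trigger Lambda roles, with the
// actions each is known to grant (taken from the drift output in the PR).
const KNOWN_TRIGGER_POLICIES: Record<string, Set<string>> = {
  AddToGroupCognito: new Set(['cognito-idp:AdminAddUserToGroup', 'cognito-idp:GetGroup', 'cognito-idp:CreateGroup']),
  'amplify-lambda-execution-policy-storage': new Set(['s3:ListBucket', 's3:PutObject', 's3:GetObject', 's3:DeleteObject']),
};
const isNull = (v: string | null): boolean => v === null || v === 'null';

const isAmplifyRestApiDescriptionDrift: FalsePositiveFilter = (d) =>
  d.resourceType === 'AWS::ApiGateway::RestApi' && d.propertyPath === '/Description' &&
  d.expectedValue === '' && isNull(d.actualValue);
const isAmplifyTriggerPolicyDrift: FalsePositiveFilter = (d) => {
  if (d.resourceType !== 'AWS::IAM::Role' || !/^\/Policies\/\d+$/.test(d.propertyPath)) return false;
  if (!isNull(d.expectedValue) || d.actualValue === null) return false;
  try {
    const policy = JSON.parse(d.actualValue);
    const known = KNOWN_TRIGGER_POLICIES[policy.PolicyName];
    const doc = typeof policy.PolicyDocument === 'string' ? JSON.parse(policy.PolicyDocument) : policy.PolicyDocument;
    const actions: string[] = [];
    for (const s of doc.Statement) actions.push(...(Array.isArray(s.Action) ? s.Action : [s.Action]));
    // Set containment: every deployed action must be one Amplify is known to grant.
    // A policy that also grants something else is real drift and must stay visible.
    return known !== undefined && actions.length > 0 && actions.every((a) => known.has(a));
  } catch {
    return false; // unparseable policy: do not hide it
  }
};

// Adding a future filter is a one-line change to this array.
const FALSE_POSITIVE_FILTERS: FalsePositiveFilter[] = [isAmplifyRestApiDescriptionDrift, isAmplifyTriggerPolicyDrift];
function realDrifts(diffs: PropertyDifference[]): PropertyDifference[] {
  return diffs.filter((d) => !FALSE_POSITIVE_FILTERS.some((f) => f(d)));
}
// Constructed sample: a role drift shaped like the S3 trigger entry in the PR's console output.
function samplePolicyDiff(policyName: string, actions: string[]): PropertyDifference {
  const doc = { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Action: actions, Resource: 'arn:aws:s3:::EXAMPLE-BUCKET/*' }] };
  const actual = JSON.stringify({ PolicyDocument: JSON.stringify(doc), PolicyName: policyName });
  return { resourceType: 'AWS::IAM::Role', propertyPath: '/Policies/0', expectedValue: null, actualValue: actual };
}
```

A policy that carries the Amplify name but grants an action outside the known set is deliberately left in the drift list, so the filter only hides what Amplify's own pipeline attaches.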

@sai-ray sai-ray requested a review from a team as a code owner March 13, 2026 21:28
@sai-ray sai-ray changed the title fix(gen2-migration): lock commands shows unexpected drift for apps with REST APIs, auth triggers or S3 triggers fix(gen2-migration): lock command shows unexpected drift for apps with REST APIs, auth triggers or S3 triggers Mar 13, 2026
@sai-ray sai-ray enabled auto-merge (squash) March 16, 2026 13:40

@9pace 9pace left a comment


General feedback. Let's talk in person.

Comment thread packages/amplify-cli/src/commands/drift-detection/detect-stack-drift.ts Outdated
Comment thread packages/amplify-cli/src/commands/drift-detection/detect-stack-drift.ts Outdated
Comment thread packages/amplify-cli/src/commands/drift-detection/detect-stack-drift.ts Outdated
@sai-ray sai-ray merged commit 04199d7 into gen2-migration Mar 26, 2026
4 checks passed
@sai-ray sai-ray deleted the sai/fix-lock-command-unexpected-drifts branch March 26, 2026 13:48