aws-amplify · sai-ray · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 20, 2026
@@ -12,7 +12,7 @@ import {
 } from 'aws-cdk-lib/aws-apigateway';
 import { Policy, PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { defineBackend } from '@aws-amplify/backend';
-import { Duration, Stack } from 'aws-cdk-lib';
+import { Duration, aws_iam, Stack } from 'aws-cdk-lib';
 
 const backend = defineBackend({
   auth,
@@ -83,6 +83,12 @@ backend.admin.addEnvironment(
   'AUTH_FITNESSTRACKER33F5545533F55455_USERPOOLID',
   backend.auth.resources.userPool.userPoolId
 );
+backend.admin.resources.lambda.addToRolePolicy(
+  new aws_iam.PolicyStatement({
+    actions: ['cognito-idp:Describe*'],
+    resources: [backend.auth.resources.userPool.userPoolArn],
+  })
+);
 const cfnGraphqlApi = backend.data.resources.cfnResources.cfnGraphqlApi;
 cfnGraphqlApi.additionalAuthenticationProviders = [
   {

@@ -5,7 +5,7 @@ import { thumbnailgen } from './storage/thumbnailgen/resource';
 import { addusertogroup } from './function/addusertogroup/resource';
 import { removeuserfromgroup } from './function/removeuserfromgroup/resource';
 import { defineBackend } from '@aws-amplify/backend';
-import { Duration } from 'aws-cdk-lib';
+import { Duration, aws_iam } from 'aws-cdk-lib';
 import {
   OAuthScope,
   UserPoolClientIdentityProvider,
@@ -109,8 +109,110 @@ backend.addusertogroup.addEnvironment(
   'AUTH_MEDIAVAULT1F08412D_USERPOOLID',
   backend.auth.resources.userPool.userPoolId
 );
+backend.addusertogroup.resources.lambda.addToRolePolicy(
+  new aws_iam.PolicyStatement({
+    actions: [
+      'cognito-idp:ConfirmSignUp',
+      'cognito-idp:CreateUserImportJob',
+      'cognito-idp:AdminLinkProviderForUser',
+      'cognito-idp:CreateIdentityProvider',
+      'cognito-idp:SetUICustomization',
+      'cognito-idp:SignUp',
+      'cognito-idp:SetRiskConfiguration',
+      'cognito-idp:StartUserImportJob',
+      'cognito-idp:AssociateSoftwareToken',
+      'cognito-idp:CreateResourceServer',
+      'cognito-idp:RespondToAuthChallenge',
+      'cognito-idp:CreateUserPoolClient',
+      'cognito-idp:GlobalSignOut',
+      'cognito-idp:AddCustomAttributes',
+      'cognito-idp:CreateGroup',
+      'cognito-idp:CreateUserPool',
+      'cognito-idp:CreateUserPoolDomain',
+      'cognito-idp:StopUserImportJob',
+      'cognito-idp:InitiateAuth',
+      'cognito-idp:ConfirmForgotPassword',
+      'cognito-idp:VerifySoftwareToken',
+      'cognito-idp:AdminDisableProviderForUser',
+      'cognito-idp:SetUserPoolMfaConfig',
+      'cognito-idp:ChangePassword',
+      'cognito-idp:ConfirmDevice',
+      'cognito-idp:ResendConfirmationCode',
+      'cognito-idp:Describe*',
+      'cognito-idp:ForgotPassword',
+      'cognito-idp:UpdateAuthEventFeedback',
+      'cognito-idp:UpdateResourceServer',
+      'cognito-idp:UpdateUserPoolClient',
+      'cognito-idp:UpdateUserPoolDomain',
+      'cognito-idp:UpdateIdentityProvider',
+      'cognito-idp:UpdateGroup',
+      'cognito-idp:UpdateDeviceStatus',
+      'cognito-idp:UpdateUserPool',
+      'cognito-idp:DeleteUserPoolDomain',
+      'cognito-idp:DeleteResourceServer',
+      'cognito-idp:DeleteGroup',
+      'cognito-idp:DeleteUserPoolClient',
+      'cognito-idp:DeleteUserAttributes',
+      'cognito-idp:DeleteUserPool',
+      'cognito-idp:DeleteIdentityProvider',
+      'cognito-idp:DeleteUser',
+    ],
+    resources: [backend.auth.resources.userPool.userPoolArn],
+  })
+);
 backend.removeuserfromgroup.resources.cfnResources.cfnFunction.functionName = `removeuserfromgroup-${branchName}`;
 backend.removeuserfromgroup.addEnvironment(
   'AUTH_MEDIAVAULT1F08412D_USERPOOLID',
   backend.auth.resources.userPool.userPoolId
 );
+backend.removeuserfromgroup.resources.lambda.addToRolePolicy(
+  new aws_iam.PolicyStatement({
+    actions: [
+      'cognito-idp:ConfirmSignUp',
+      'cognito-idp:CreateUserImportJob',
+      'cognito-idp:AdminLinkProviderForUser',
+      'cognito-idp:CreateIdentityProvider',
+      'cognito-idp:SetUICustomization',
+      'cognito-idp:SignUp',
+      'cognito-idp:SetRiskConfiguration',
+      'cognito-idp:StartUserImportJob',
+      'cognito-idp:AssociateSoftwareToken',
+      'cognito-idp:CreateResourceServer',
+      'cognito-idp:RespondToAuthChallenge',
+      'cognito-idp:CreateUserPoolClient',
+      'cognito-idp:GlobalSignOut',
+      'cognito-idp:AddCustomAttributes',
+      'cognito-idp:CreateGroup',
+      'cognito-idp:CreateUserPool',
+      'cognito-idp:CreateUserPoolDomain',
+      'cognito-idp:StopUserImportJob',
+      'cognito-idp:InitiateAuth',
+      'cognito-idp:ConfirmForgotPassword',
+      'cognito-idp:VerifySoftwareToken',
+      'cognito-idp:AdminDisableProviderForUser',
+      'cognito-idp:SetUserPoolMfaConfig',
+      'cognito-idp:ChangePassword',
+      'cognito-idp:ConfirmDevice',
+      'cognito-idp:ResendConfirmationCode',
+      'cognito-idp:Describe*',
+      'cognito-idp:ForgotPassword',
+      'cognito-idp:UpdateAuthEventFeedback',
+      'cognito-idp:UpdateResourceServer',
+      'cognito-idp:UpdateUserPoolClient',
+      'cognito-idp:UpdateUserPoolDomain',
+      'cognito-idp:UpdateIdentityProvider',
+      'cognito-idp:UpdateGroup',
+      'cognito-idp:UpdateDeviceStatus',
+      'cognito-idp:UpdateUserPool',
+      'cognito-idp:DeleteUserPoolDomain',
+      'cognito-idp:DeleteResourceServer',
+      'cognito-idp:DeleteGroup',
+      'cognito-idp:DeleteUserPoolClient',
+      'cognito-idp:DeleteUserAttributes',
+      'cognito-idp:DeleteUserPool',
+      'cognito-idp:DeleteIdentityProvider',
+      'cognito-idp:DeleteUser',
+    ],
+    resources: [backend.auth.resources.userPool.userPoolArn],
+  })
+);
@@ -54,7 +54,7 @@ backend.auth.resources.authenticatedUserIamRole.addToPrincipalPolicy(
     effect: aws_iam.Effect.ALLOW,
     actions: ['appsync:GraphQL'],
     resources: [
-      `arn:aws:appsync:${backend.data.stack.region}:${backend.data.stack.account}:apis/3oy6oxkj6ffojmc2upd52ftdsq/*`,
+      `arn:aws:appsync:${backend.data.stack.region}:${backend.data.stack.account}:apis/hscmwhprkbaljmcpavj3dcztrq/*`,
     ],
   })
 );

@@ -21,4 +21,9 @@ export const auth = defineAuth({
   multifactor: {
     mode: 'OFF',
   },
+  access: (allow: any) => [
+    allow
+      .resource(storelocator41a9495f41a9495fPostConfirmation)
+      .to(['addUserToGroup']),
+  ],
 });
@@ -2,7 +2,7 @@ import { auth } from './auth/resource';
 import { storelocator41a9495f41a9495fPostConfirmation } from './auth/storelocator41a9495f41a9495fPostConfirmation/resource';
 import { defineGeo } from './geo/resource';
 import { defineBackend } from '@aws-amplify/backend';
-import { Duration } from 'aws-cdk-lib';
+import { Duration, aws_iam } from 'aws-cdk-lib';
 
 const backend = defineBackend({
   auth,
@@ -32,3 +32,9 @@ userPool.addClient('NativeAppClient', {
 });
 const branchName = process.env.AWS_BRANCH ?? 'sandbox';
 backend.storelocator41a9495f41a9495fPostConfirmation.resources.cfnResources.cfnFunction.functionName = `storelocator41a9495f41a9495fPostConfirmation-${branchName}`;
+backend.storelocator41a9495f41a9495fPostConfirmation.resources.lambda.addToRolePolicy(
+  new aws_iam.PolicyStatement({
+    actions: ['cognito-idp:GetGroup', 'cognito-idp:CreateGroup'],
+    resources: [backend.auth.resources.userPool.userPoolArn],
+  })
+);
@@ -6,8 +6,7 @@
  * 1. Update frontend import from amplifyconfiguration.json to amplify_outputs.json
  * 2. Convert PostConfirmation trigger index.js from CommonJS to ESM
  * 3. Convert PostConfirmation trigger add-to-group.js from CommonJS to ESM
- * 4. Add auth resource access for the PostConfirmation trigger
- * 5. Update PostConfirmation resource.ts (memoryMB, resourceGroupName)
+ * 4. Update PostConfirmation resource.ts (memoryMB, resourceGroupName)
  */
 
 import fs from 'fs/promises';
@@ -77,24 +76,6 @@ async function convertAddToGroupToESM(appPath: string, dirName: string): Promise
   await fs.writeFile(filePath, updated, 'utf-8');
 }
 
-async function addAuthResourceAccess(appPath: string, dirName: string): Promise<void> {
-  const resourcePath = path.join(appPath, 'amplify', 'auth', 'resource.ts');
-
-  const content = await fs.readFile(resourcePath, 'utf-8');
-
-  // Find the variable name from the import statement
-  const importMatch = content.match(/import\s*\{\s*(\w+)\s*\}\s*from\s*['"]\.\//);
-  const fnName = importMatch ? importMatch[1] : dirName;
-
-  // Add access block after the triggers block
-  const updated = content.replace(
-    /(triggers:\s*\{[^}]*\},?)/,
-    `$1\n  access: (allow) => [\n    allow.resource(${fnName}).to([\n      "addUserToGroup",\n      "manageGroups",\n    ]),\n  ],`,
-  );
-
-  await fs.writeFile(resourcePath, updated, 'utf-8');
-}
-
 async function updatePostConfirmationResource(appPath: string, dirName: string): Promise<void> {
   const resourcePath = path.join(appPath, 'amplify', 'auth', dirName, 'resource.ts');
   let content = await fs.readFile(resourcePath, 'utf-8');
@@ -118,7 +99,6 @@ export async function postGenerate(appPath: string): Promise<void> {
   await updateFrontendConfig(appPath);
   await convertIndexToESM(appPath, dirName);
   await convertAddToGroupToESM(appPath, dirName);
-  await addAuthResourceAccess(appPath, dirName);
   await updatePostConfirmationResource(appPath, dirName);
 }
 

@@ -528,7 +528,11 @@ export class AuthRenderer {
     }
 
     for (const func of functionsWithAuthAccess) {
-      namedImports[`../function/${func.resourceName}/resource`] = new Set([func.resourceName]);
+      // Skip adding import if the function is already imported (e.g., by addLambdaTriggers for auth triggers).
+      const alreadyImported = Object.values(namedImports).some((names) => names.has(func.resourceName));
+      if (!alreadyImported) {
+        namedImports[`../function/${func.resourceName}/resource`] = new Set([func.resourceName]);
+      }
     }
 
     const accessRules: ts.Expression[] = [];