refactor: use Cognito auth pattern for kinesis E2E infra\n\nFollow the same pattern as Analytics/Pinpoint and the Android KDS\nlibrary: include auth (Cognito) in the backend and grant the\nauthenticated IAM role permissions to Kinesis/Firehose resources.\n\nThis replaces the custom Secrets Manager credential injection with\nthe standard fetch_backends workflow pattern, making E2E tests use\nCognito-authenticated credentials like real customers would.\n\n- Add auth resource with pre-sign-up auto-confirm trigger\n- Grant authenticatedUserIamRole Kinesis and Firehose permissions\n- Rewrite E2E workflow to use fetch_backends composite action\n- Remove custom KINESIS_E2E secret fetching from workflow"

ekjotmultani · ekjotmultani · commit 18f1e9f712f3 · 2026-03-05T23:55:49.000-08:00
diff --git a/.github/workflows/kinesis_e2e.yaml b/.github/workflows/kinesis_e2e.yaml
@@ -33,9 +33,9 @@ jobs:
     steps:
       - name: Git Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
-
-      - name: Git Submodules
-        run: git submodule update --init
+        with:
+          persist-credentials: false
+          submodules: true
 
       - name: Setup Flutter
         uses: subosito/flutter-action@fd55f4c5af5b953cc57a2be44cb082c8f6635e8e # 2.21.0
@@ -59,26 +59,16 @@ jobs:
         timeout-minutes: 20
         run: aft bootstrap --fail-fast --include=aws_kinesis_datastreams --verbose
 
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # 3.0.1
+      - name: Fetch Amplify backend configurations
+        uses: ./.github/composite_actions/fetch_backends
         with:
           role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
           aws-region: ${{ secrets.AWS_REGION }}
-
-      - name: Fetch Kinesis E2E secrets
-        uses: aws-actions/aws-secretsmanager-get-secrets@022e8919774ecb75e8e375656d7b1898936ab878 # 1.0.4
-        with:
-          secret-ids: |
-            KINESIS_E2E,${{ secrets.KINESIS_E2E_SECRET_ARN }}
-          parse-json-secrets: true
+          scope: aws_kinesis_datastreams
+          secret-identifier: ${{ secrets.AWS_SECRET_IDENTIFIER }}
 
       - name: Run E2E tests
         working-directory: packages/kinesis/aws_kinesis_datastreams
-        env:
-          TEST_ACCESS_KEY_ID: ${{ env.KINESIS_E2E_ACCESS_KEY_ID }}
-          TEST_SECRET_ACCESS_KEY: ${{ env.KINESIS_E2E_SECRET_ACCESS_KEY }}
-          TEST_REGION: ${{ secrets.AWS_REGION }}
-          TEST_STREAM_NAME: ${{ env.KINESIS_E2E_STREAM_NAME }}
         run: dart test test/e2e/ --tags=e2e
 
       - name: Log success/failure
@@ -104,9 +94,9 @@ jobs:
     steps:
       - name: Git Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
-
-      - name: Git Submodules
-        run: git submodule update --init
+        with:
+          persist-credentials: false
+          submodules: true
 
       - name: Setup Flutter
         uses: subosito/flutter-action@fd55f4c5af5b953cc57a2be44cb082c8f6635e8e # 2.21.0
@@ -130,26 +120,16 @@ jobs:
         timeout-minutes: 20
         run: aft bootstrap --fail-fast --include=aws_amazon_firehose --verbose
 
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # 3.0.1
+      - name: Fetch Amplify backend configurations
+        uses: ./.github/composite_actions/fetch_backends
         with:
           role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
           aws-region: ${{ secrets.AWS_REGION }}
-
-      - name: Fetch Kinesis E2E secrets
-        uses: aws-actions/aws-secretsmanager-get-secrets@022e8919774ecb75e8e375656d7b1898936ab878 # 1.0.4
-        with:
-          secret-ids: |
-            KINESIS_E2E,${{ secrets.KINESIS_E2E_SECRET_ARN }}
-          parse-json-secrets: true
+          scope: aws_amazon_firehose
+          secret-identifier: ${{ secrets.AWS_SECRET_IDENTIFIER }}
 
       - name: Run E2E tests
         working-directory: packages/kinesis/aws_amazon_firehose
-        env:
-          TEST_ACCESS_KEY_ID: ${{ env.KINESIS_E2E_ACCESS_KEY_ID }}
-          TEST_SECRET_ACCESS_KEY: ${{ env.KINESIS_E2E_SECRET_ACCESS_KEY }}
-          TEST_REGION: ${{ secrets.AWS_REGION }}
-          TEST_DELIVERY_STREAM_NAME: ${{ env.KINESIS_E2E_DELIVERY_STREAM_NAME }}
         run: dart test test/e2e/ --tags=e2e
 
       - name: Log success/failure
diff --git a/infra-gen2/backends/kinesis/main/amplify/auth/pre-sign-up-handler.ts b/infra-gen2/backends/kinesis/main/amplify/auth/pre-sign-up-handler.ts
@@ -0,0 +1,4 @@
+import { PreSignUpTriggerHandler } from "aws-lambda";
+import { preSignUpTriggerHandler } from "infra-common";
+
+export const handler: PreSignUpTriggerHandler = preSignUpTriggerHandler;
diff --git a/infra-gen2/backends/kinesis/main/amplify/auth/resource.ts b/infra-gen2/backends/kinesis/main/amplify/auth/resource.ts
@@ -0,0 +1,19 @@
+import { defineAuth, defineFunction } from "@aws-amplify/backend";
+
+export const preSignUp = defineFunction({
+  name: "pre-sign-up",
+  entry: "./pre-sign-up-handler.ts",
+});
+
+/**
+ * Define and configure your auth resource
+ * @see https://docs.amplify.aws/gen2/build-a-backend/auth
+ */
+export const auth = defineAuth({
+  loginWith: {
+    email: true,
+  },
+  triggers: {
+    preSignUp,
+  },
+});
diff --git a/infra-gen2/backends/kinesis/main/amplify/backend.ts b/infra-gen2/backends/kinesis/main/amplify/backend.ts
@@ -2,37 +2,29 @@
 // SPDX-License-Identifier: Apache-2.0
 
 import { defineBackend } from "@aws-amplify/backend";
-import * as cdk from "aws-cdk-lib";
+import { Duration, RemovalPolicy } from "aws-cdk-lib";
 import * as iam from "aws-cdk-lib/aws-iam";
 import * as kinesis from "aws-cdk-lib/aws-kinesis";
 import * as firehose from "aws-cdk-lib/aws-kinesisfirehose";
 import * as s3 from "aws-cdk-lib/aws-s3";
+import { auth } from "./auth/resource";
 
-/**
- * Kinesis E2E test backend.
- *
- * Provisions Kinesis Data Streams and Amazon Data Firehose resources
- * for E2E testing. No Amplify categories are needed — the Amplify
- * backend is used only as a CDK entry-point.
- *
- * Test credentials and resource names are stored in a dedicated
- * Secrets Manager secret managed outside this stack.
- */
-const backend = defineBackend({});
+const backend = defineBackend({
+  auth,
+});
 
-const kinesisStack = backend.createStack("KinesisTestResources");
+const kinesisStack = backend.createStack("KinesisStack");
 
 // --- Kinesis Data Stream ---
-new kinesis.Stream(kinesisStack, "TestStream", {
-  streamName: "kinesis-e2e-data-stream",
+const stream = new kinesis.Stream(kinesisStack, "TestStream", {
+  streamName: "amplify-kinesis-test-stream",
   shardCount: 1,
-  retentionPeriod: cdk.Duration.hours(24),
-  removalPolicy: cdk.RemovalPolicy.DESTROY,
+  retentionPeriod: Duration.hours(24),
 });
 
 // --- S3 bucket (Firehose destination) ---
 const bucket = new s3.Bucket(kinesisStack, "FirehoseDestBucket", {
-  removalPolicy: cdk.RemovalPolicy.DESTROY,
+  removalPolicy: RemovalPolicy.DESTROY,
   autoDeleteObjects: true,
   enforceSSL: true,
 });
@@ -44,11 +36,11 @@ const firehoseRole = new iam.Role(kinesisStack, "FirehoseS3Role", {
 bucket.grantReadWrite(firehoseRole);
 
 // --- Firehose delivery stream ---
-new firehose.CfnDeliveryStream(
+const deliveryStream = new firehose.CfnDeliveryStream(
   kinesisStack,
   "TestDeliveryStream",
   {
-    deliveryStreamName: "kinesis-e2e-delivery-stream",
+    deliveryStreamName: "amplify-kinesis-test-delivery-stream",
     s3DestinationConfiguration: {
       bucketArn: bucket.bucketArn,
       roleArn: firehoseRole.roleArn,
@@ -58,5 +50,29 @@ new firehose.CfnDeliveryStream(
         sizeInMBs: 1,
       },
     },
-  },
+  }
+);
+
+// Grant authenticated users permission to put records to Kinesis Data Streams
+backend.auth.resources.authenticatedUserIamRole.addToPrincipalPolicy(
+  new iam.PolicyStatement({
+    actions: [
+      "kinesis:PutRecord",
+      "kinesis:PutRecords",
+      "kinesis:DescribeStream",
+    ],
+    resources: [stream.streamArn],
+  })
+);
+
+// Grant authenticated users permission to put records to Firehose
+backend.auth.resources.authenticatedUserIamRole.addToPrincipalPolicy(
+  new iam.PolicyStatement({
+    actions: [
+      "firehose:PutRecord",
+      "firehose:PutRecordBatch",
+      "firehose:DescribeDeliveryStream",
+    ],
+    resources: [deliveryStream.attrArn],
+  })
 );
