feat(amplify): add compute role support for Amplify app #33962
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #33962 +/- ##
=======================================
Coverage 83.98% 83.98%
=======================================
Files 120 120
Lines 6976 6976
Branches 1178 1178
=======================================
Hits 5859 5859
Misses 1005 1005
Partials 112 112
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
…ld in `customRule` (#33973) ### Issue # (if applicable) N/A I found this problem while working on #33962. ### Reason for this change Re-running `packages/@aws-cdk/aws-amplify-alpha/test/integ.app.ts`, got the following error: ```sh Resource handler returned message: "Invalid request provided: Status field in rewrite custom rules should not be empty (Service: Amplify, Status Code: 400, Request ID: 3f3694f1-3eeb-4af3-8cdf-8b77b6387e57) (SDK Attempt Count: 1)" (RequestToken: 5748aef8-c0e1-1a1d-ab27-1bab938e0bd3, HandlerErrorCode: InvalidRequest) ``` If `status` is omitted in `customRules`, `App` cannot be deployed. ### Description of changes Specify `status` property in integ test. ### Describe any new or updated permissions being added N/A ### Description of how you validated changes Re-ran integ test. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
| /** | ||
| * The IAM role for an SSR app. | ||
| * The Compute role allows the Amplify Hosting compute service to securely access specific AWS resources based on the role's permissions. | ||
| * @default undefined - a new role is created when `platform` is `Platform.WEB_COMPUTE` or `Platform.WEB_DYNAMIC`, otherwise no compute role |
There was a problem hiding this comment.
Since the compute role is used when SSR apps access AWS resources, I thought it would be more user-friendly to auto-generate it.
Please let me know if you have any opinions on this.
| enableLookups: true, | ||
| stackUpdateWorkflow: false, |
There was a problem hiding this comment.
Are these options needed? This is not a blocking comment.
There was a problem hiding this comment.
Thanks. I've removed.
There was a problem hiding this comment.
Thanks for the contribution @mazyu36 and thanks for reviewing @badmintoncryer!
The changes look good to me and change is creating a minimal default role for the compute role. We will bring this up as a low-risk change for a security review but I don't expect there to be any issues. I will approve for now and then remove the do-not-merge label and merge once the security review is complete.
|
@Mergifyio update |
❌ Mergify doesn't have permission to updateFor security reasons, Mergify can't update this pull request. Try updating locally. |
|
Security review is good! Thanks again for the contribution! @Mergifyio update |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Comments on closed issues and PRs are hard for our team to see. |
Issue # (if applicable)
Closes #33882 .
Reason for this change
To support compute role for SSR app.
Description of changes
computeRoleproperty.Describe any new or updated permissions being added
N/A
Description of how you validated changes
Add unit tests and an integ test.
Checklist
BREAKING CHANGE: A compute role is created when
platformisPlatform.WEB_COMPUTEorPlatform.WEB_DYNAMIC.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license