aws-amplify / amplify-category-api

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development. This plugin provides functionality for the API category, allowing for the creation and management of GraphQL and REST based backends for your amplify project.
https://docs.amplify.aws/
Apache License 2.0

Unnecessary AppSync resources not included in the operation specified by @auth directive are included in authRole and unauthRole #2111

Open fossamagna opened 11 months ago

fossamagna commented 11 months ago

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v18.18.1

Amplify CLI Version

12.8.2

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

N/A

Describe the bug

Grant public access read operation to the Todo model. Also, allow read, create, and update operations for private access.

```graphql
type Todo @model @auth(rules: [
  { allow: public, provider: iam, operations: [read] },
  { allow: private, provider: iam, operations: [read, create, update] }
]) {
  id: ID!
  name: String!
  description: String
}
```

The policy of unauthRole generated by amplify:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "appsync:GraphQL",
            "Resource": [
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Todo/*",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Query/fields/getTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Query/fields/listTodos",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/createTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/updateTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/deleteTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Subscription/fields/onCreateTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Subscription/fields/onUpdateTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Subscription/fields/onDeleteTodo"
            ],
            "Effect": "Allow"
        }
    ]
}
```

The following three resource definitions are not necessary because only read operations are allowed for public access.

                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/createTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/updateTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/deleteTodo",

The policy of authRole generated by amplify:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "appsync:GraphQL",
            "Resource": [
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Todo/*",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Query/fields/getTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Query/fields/listTodos",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/createTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/updateTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/deleteTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Subscription/fields/onCreateTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Subscription/fields/onUpdateTodo",
                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Subscription/fields/onDeleteTodo"
            ],
            "Effect": "Allow"
        }
    ]
}
```

The following resource definition is not necessary because only read, create, and update operations are allowed for private access.

                "arn:aws:appsync:ap-northeast-1:<accountId>:apis/sito7d2bozb4tp4bio7nnmwetu/types/Mutation/fields/deleteTodo",

Expected behavior

Resource definitions described above as unnecessary should not be included in the generated policy.

Reproduction steps

  1. Run git clone git@github.com:fossamagna/amplify-unnecessary-iam-role-resources.git
  2. Run amplify push
  3. Check the policy of the IAM roles (authRole, unauthRole) created by amplify in the AWS Web Console

Project Identifier

No response

Log output


Additional information

https://github.com/aws-amplify/amplify-category-api/issues/308#issuecomment-1129357188 may have the same issue.

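Added example, not code from the amplify-category-api project: a TypeScript check that derives the least-privilege AppSync resource list an IAM-provider @auth rule implies and diffs it against the generated role policy, so the extra Mutation fields described in this issue surface as findings. The operation-to-field mapping and the `list${model}s` pluralization are assumptions simplified from the field names above, and the policy document is a constructed sample with placeholder account and API ids.

```typescript
// Added example, not code from amplify-category-api. Derives the least-privilege AppSync
// resource ARNs an IAM-provider @auth rule implies and diffs them against a generated
// role policy, so over-broad authRole/unauthRole grants are flagged before `amplify push`.
type Operation = "read" | "create" | "update" | "delete";
interface AuthRule { allow: "public" | "private"; provider: "iam"; operations: Operation[] }
interface Statement { Action: string; Resource: string[]; Effect: string }
interface PolicyDocument { Version: string; Statement: Statement[] }
// Assumed mapping, simplified from the field names in this issue: "read" covers get/list
// and the subscriptions; each mutation operation covers one Mutation field. Amplify's
// real pluralization is more elaborate than appending "s".
const OPERATION_FIELDS: Record<Operation, (m: string) => string[]> = {
  read: (m) => [`Query/fields/get${m}`, `Query/fields/list${m}s`,
    `Subscription/fields/onCreate${m}`, `Subscription/fields/onUpdate${m}`,
    `Subscription/fields/onDelete${m}`],
  create: (m) => [`Mutation/fields/create${m}`],
  update: (m) => [`Mutation/fields/update${m}`],
  delete: (m) => [`Mutation/fields/delete${m}`],
};
// Resource ARNs a rule justifies: the type itself plus the fields of its operations.
function expectedResources(apiArn: string, model: string, rule: AuthRule): string[] {
  const out = [`${apiArn}/types/${model}/*`];
  for (const op of rule.operations) {
    for (const f of OPERATION_FIELDS[op](model)) out.push(`${apiArn}/types/${f}`);
  }
  return out;
}
// Resource ARNs the policy allows for appsync:GraphQL that the rule does not justify.
function excessResources(policy: PolicyDocument, expected: string[]): string[] {
  const excess: string[] = [];
  for (const s of policy.Statement) {
    if (s.Effect !== "Allow" || s.Action !== "appsync:GraphQL") continue;
    for (const arn of s.Resource) if (expected.indexOf(arn) === -1) excess.push(arn);
  }
  return excess;
}
// Constructed sample with placeholder ids: the resource list amplify generated in the issue.
const API_ARN = "arn:aws:appsync:ap-northeast-1:<accountId>:apis/<apiId>";
const GENERATED_POLICY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Action: "appsync:GraphQL", Effect: "Allow", Resource: [
    "Todo/*", "Query/fields/getTodo", "Query/fields/listTodos", "Mutation/fields/createTodo",
    "Mutation/fields/updateTodo", "Mutation/fields/deleteTodo", "Subscription/fields/onCreateTodo",
    "Subscription/fields/onUpdateTodo", "Subscription/fields/onDeleteTodo",
  ].map((f) => `${API_ARN}/types/${f}`) }],
};
const UNAUTH_RULE: AuthRule = { allow: "public", provider: "iam", operations: ["read"] };
const AUTH_RULE: AuthRule = { allow: "private", provider: "iam", operations: ["read", "create", "update"] };
console.log("unauthRole excess:", excessResources(GENERATED_POLICY, expectedResources(API_ARN, "Todo", UNAUTH_RULE)));
console.log("authRole excess:", excessResources(GENERATED_POLICY, expectedResources(API_ARN, "Todo", AUTH_RULE)));
```

Run against the real policy pulled from the deployed role instead of the constructed sample to confirm the fix once it lands; an empty result for each role means the grant matches the rule.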

AnilMaktala commented 11 months ago

Hey @fossamagna, thank you for bringing up this issue and raising the PR. We've successfully reproduced the issue based on the description provided. Therefore, we're categorizing this as a bug for the team's thorough evaluation and review of the PR.