aws-amplify / amplify-category-api

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development. This plugin provides functionality for the API category, allowing for the creation and management of GraphQL and REST based backends for your amplify project.
https://docs.amplify.aws/
Apache License 2.0

Discrepancy between Amplify CLI deployment using local push and Amplify CI/CD deployment for serverless container api #2247

Open shivennn opened 5 months ago

shivennn commented 5 months ago

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v18.18.0

Amplify CLI Version

12.10.1

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

no

Describe the bug

Resource access permissions are not updated for the container-based serverless REST API when deploying it through Amplify CI/CD, but the permissions are updated when deploying through amplify push from the local system.

Expected behavior

Resource access permissions should be updated when deploying the container-based serverless REST API using Amplify CI/CD.

Reproduction steps

  1. amplify init
  2. enable container based deployment using amplify configure project
  3. amplify add api (Add container based serverless api)
  4. amplify add storage
  5. amplify add function
  6. amplify update api

```
Do you want to access other resources in this project from your api? Yes
? Select the categories you want this function to have access to.
◉ function ◉ storage
❯◉ testfunction ◉ testfunction2 ◉ restserverlessapia6c7abf2
❯◉ create ◉ read ◉ update ◉ delete

You can access the following resource attributes as environment variables from your Lambda function
FUNCTION_RESTSERVERLESSAPIA6C7ABF2_NAME
FUNCTION_TESTFUNCTION2_NAME
FUNCTION_TESTFUNCTION_NAME
STORAGE_TEST6_ARN
STORAGE_TEST6_NAME
STORAGE_TEST6_STREAMARN
STORAGE_USERS2_ARN
STORAGE_USERS2_NAME
STORAGE_USERS2_STREAMARN
STORAGE_USERS_ARN
STORAGE_USERS_NAME
STORAGE_USERS_STREAMARN
```

Permissions are updated in the "containerapi-cloudformation-template.json" file.

amplify push -y

Permissions are added in "TaskDefinitionTaskRoleDefaultPolicy282E8624".

Update in the GitHub or CodeCommit repo and trigger an Amplify build.

Permissions are lost in "TaskDefinitionTaskRoleDefaultPolicy282E8624".

There is no permission loss issue when we deploy from the local system using amplify push, but the permissions are lost when we trigger an Amplify build using CI/CD.

Project Identifier

No response

Log output

``` # Put your logs below this line ```

Additional information

Workaround: custom-policies.json

Tested deployment using CI/CD after adding permissions in custom-policies.json file and it's added to TaskDefinitionTaskRoleFD4-idoWvD9uZrLv with customer inline policy name CustomExecutionPolicyForContainer.


ykethan commented 5 months ago

Hey,👋 thanks for raising this! I'm going to transfer this over to our Amplify API repository for better assistance 🙂

phani-srikar commented 4 months ago

Since the issue occurs only in the hosting CI/CD environment and not via local push, we believe the hosting team would be able to look into the relevant logs and help you better. Closing this since it is being tracked internally and assigned to the relevant team.

sundersc commented 3 weeks ago

I see that the permissions are updated in amplify-meta.json file but not correctly updated in the backend-config.json file. amplify-meta.json doesn't get committed to the repo, so when the deployment happens through CI, it has no idea about the policy changes.

As a workaround, for now, manually copy the value of api > [API_NAME] > categoryPolicies from the amplify-meta.json to backend-config.json (same path: api > [API_NAME] > categoryPolicies), save the file and commit to the repo. Wait for the deployment to complete and verify the policy.
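
The drift described in the last comment can be detected before a commit reaches CI/CD. The following is an added example, not code from the Amplify project or from anyone in this thread: it compares api > [API_NAME] > categoryPolicies between the two files and, in `sync` mode, applies the manual copy. The file paths, the `myapi` name, the `check`/`sync` modes and the sample policy shape are assumptions.

```javascript
// Added example, not Amplify project code. Run from the project root.
// Assumption: the usual Amplify project layout for these two files.
const META = 'amplify/backend/amplify-meta.json';     // local state, not committed
const CONFIG = 'amplify/backend/backend-config.json'; // committed, used by CI/CD

// Key-order-independent serialisation, so reordered keys are not reported as drift.
function canonical(v) {
  if (v === undefined) return 'undefined';
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

// Names of APIs present in both files whose categoryPolicies differ.
function findPolicyDrift(meta, config) {
  const local = meta.api || {}, committed = config.api || {};
  return Object.keys(local).filter((name) =>
    committed[name] && local[name].categoryPolicies !== undefined &&
    canonical(local[name].categoryPolicies) !== canonical(committed[name].categoryPolicies));
}

// Copy of backend-config with api > [API_NAME] > categoryPolicies taken from meta.
function syncPolicies(meta, config) {
  const out = JSON.parse(JSON.stringify(config));
  for (const name of findPolicyDrift(meta, config)) {
    out.api[name].categoryPolicies = JSON.parse(JSON.stringify(meta.api[name].categoryPolicies));
  }
  return out;
}

// Constructed sample data; the categoryPolicies shape is illustrative and treated as opaque.
const SAMPLE_META = { api: { myapi: { dependsOn: [],
  categoryPolicies: [{ category: 'storage', resource: 'users', operations: ['create', 'read'] }] } } };
const SAMPLE_CONFIG = { api: { myapi: { dependsOn: [], categoryPolicies: [] } } };

async function main(mode) {
  const fs = await import('node:fs');
  const read = (p) => JSON.parse(fs.readFileSync(p, 'utf8'));
  const meta = read(META), config = read(CONFIG);
  const drift = findPolicyDrift(meta, config);
  if (drift.length === 0) return console.log('categoryPolicies in sync');
  console.error('categoryPolicies drift: ' + drift.join(', '));
  if (mode !== 'sync') { process.exitCode = 1; return; }
  fs.writeFileSync(CONFIG, JSON.stringify(syncPolicies(meta, config), null, 2) + '\n');
  console.error('updated ' + CONFIG + '; review the diff before committing');
}
if (['check', 'sync'].includes(process.argv[2])) main(process.argv[2]);
```

Run with `check` as a pre-commit step to fail when the committed file lags behind local state, or with `sync` to rewrite backend-config.json; the resulting diff shows exactly which task-role permissions the next CI/CD build will grant.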