aws-amplify / amplify-category-api

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development. This plugin provides functionality for the API category, allowing for the creation and management of GraphQL and REST based backends for your amplify project.
https://docs.amplify.aws/
Apache License 2.0

unable to extend opensearchstreaminglambda policy with overrides #985

Open dhruvbansal2 opened 2 years ago

dhruvbansal2 commented 2 years ago

Note: If your question is regarding the AWS Amplify Console service, please log it in the AWS Amplify Console repository

Which Category is your question related to? API

Amplify CLI Version 9.2.1

You can use amplify -v to check the amplify cli version on your system

What AWS Services are you utilizing? OpenSearch, Lambda, IAM

Provide additional details e.g. code snippets. Be sure to remove any sensitive data.

How can I append to the OpenSearch Streaming Lambda IAM Role policy using override.ts? I have attempted adding the following code in the api override.ts file, however, it seems to fail silently and ignore all other configurations in the override.ts file.

    const searchStreamingLambdaName = "test-name";

    resources.opensearch.OpenSearchStreamingLambdaFunction.functionName = searchStreamingLambdaName;

    const lambdaRole = resources.opensearch.OpenSearchStreamingLambdaIAMRole;

    const basePolicies = Array.isArray(lambdaRole.policies)
      ? lambdaRole.policies
      : [lambdaRole.policies];

    resources.opensearch.OpenSearchStreamingLambdaIAMRole.policies = [
      ...basePolicies,
      {
        policyName: 'custom-transform-lambda-permissions',
        policyDocument: {
          Version: '2012-10-17',
          Statement: [
            {
              Resource: '*',
              Action: ['lambda:InvokeFunction'],
              Effect: 'Allow',
            },
          ],
        },
      },
    ];

More specifically, when I run amplify push -y, I notice that the OpenSearchStreamingLambdaFunction gets recreated with a different name (something auto-generated) and the policy I added is not present in the IAM role. When I remove the line that defines resources.opensearch.OpenSearchStreamingLambdaIAMRole.policies, I see the OpenSearchStreamingLambdaFunction created with the value of searchStreamingLambdaName.

Am I incorrectly appending the policy to OpenSearchStreamingLambdaIAMRole? I followed the documentation for overriding the project level IAM auth role.

dhruvbansal2 commented 2 years ago

Based on my latest test, I noticed that removing ...basePolicies allowed the remaining overrides to work & correctly set OpenSearchStreamingLambdaFunction. I can manually copy over the current default policies; however, I want to make sure those don't get overridden.

    const basePolicies = Array.isArray(lambdaRole.policies)
      ? lambdaRole.policies
      : [lambdaRole.policies];

ykethan commented 2 years ago

Hey @dhruvbansal2, thank you for reaching out. Tested the following API override in my amplify application.

Added the following code in my application:

    resources.opensearch.OpenSearchStreamingLambdaFunction.functionName =
      "tstname";
    var lambdaRole = resources.opensearch.OpenSearchStreamingLambdaIAMRole;

    const basePolicies = Array.isArray(lambdaRole.policies)
      ? lambdaRole.policies
      : [lambdaRole.policies];

    resources.opensearch.OpenSearchStreamingLambdaIAMRole.policies = [
      ...basePolicies,
      {
        policyName: "custom-transform-lambda-permissions",
        policyDocument: {
          Version: "2012-10-17",
          Statement: [
            {
              Resource: "*",
              Action: ["lambda:InvokeFunction"],
              Effect: "Allow",
            },
          ],
        },
      },
    ];

but was unable to observe the behaviour in my application.

As a mitigation step, could you try adding the base policy back in and moving the function name line to the end of the file? Then push the application, check the IAM policy and function name, and let us know if the function name changes to the default name with a random string.

dhruvbansal2 commented 2 years ago

@ykethan Thanks for the response.

When attempting to print basePolicies in the override.ts, I would see it is undefined - is that expected?

I've also console.logged both at the beginning and end of the file - both of which print.

ykethan commented 2 years ago

Hey @dhruvbansal2, I did observe this behaviour in my application. Marking this as a bug for further investigation.
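
Added example (not part of the thread, and not Amplify's own code): what the `basePolicies` expression from the posts above evaluates to when `policies` is `undefined`, next to a hypothetical `appendInlinePolicy` helper that drops empty entries and replaces a policy of the same name. The `InlinePolicy` and `Policies` types and the role object are stand-ins constructed for this example, not the Amplify or CDK types, and the thread does not establish that this is the cause of the reported behaviour.

```typescript
// Stand-in shapes (assumptions for this example, not the Amplify/CDK types).
interface InlinePolicy {
  policyName: string;
  policyDocument: { Version: string; Statement: object[] };
}
type Policies = InlinePolicy | Array<InlinePolicy | undefined> | undefined;

// The normalization expression used in the posts above, unchanged.
function normalizeAsPosted(policies: Policies): Array<InlinePolicy | undefined> {
  return Array.isArray(policies) ? policies : [policies];
}

// Hypothetical helper: returns a new list ending in `extra`, with no
// undefined entries and no earlier policy that shares extra.policyName.
function appendInlinePolicy(policies: Policies, extra: InlinePolicy): InlinePolicy[] {
  const base = Array.isArray(policies) ? policies : [policies];
  const kept = base.filter(
    (p): p is InlinePolicy => p !== undefined && p.policyName !== extra.policyName
  );
  return [...kept, extra];
}

// The custom policy from the issue, as posted.
const CUSTOM_POLICY: InlinePolicy = {
  policyName: "custom-transform-lambda-permissions",
  policyDocument: {
    Version: "2012-10-17",
    Statement: [{ Resource: "*", Action: ["lambda:InvokeFunction"], Effect: "Allow" }],
  },
};

// Constructed stand-in for a role whose `policies` property is not set.
function demo() {
  const role: { policies?: Policies } = {};
  const asPosted = [...normalizeAsPosted(role.policies), CUSTOM_POLICY];
  const filtered = appendInlinePolicy(role.policies, CUSTOM_POLICY);
  // asPosted holds an undefined first entry; filtered holds only the policy.
  return { asPosted, filtered };
}
```

In an override.ts, logging the role's `policies` value before assigning to it shows which of the three cases (unset, single object, array) applies.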