diff --git a/packages/amplify-category-api/src/graphql-transformer/transformer-options-v2.ts b/packages/amplify-category-api/src/graphql-transformer/transformer-options-v2.ts
index da5c790e2e..2fe5c9c08e 100644
--- a/packages/amplify-category-api/src/graphql-transformer/transformer-options-v2.ts
+++ b/packages/amplify-category-api/src/graphql-transformer/transformer-options-v2.ts
@@ -286,6 +286,7 @@ const generateTransformParameters = (
 pathManager.findProjectRoot(),
 pathManager.getCurrentCloudBackendDirPath(),
 ),
+ enableSearchEncryptionAtRest: featureFlagProvider.getBoolean('enableSearchEncryptionAtRest'),
 sandboxModeEnabled,
 enableTransformerCfnOutputs: true,
 allowDestructiveGraphqlSchemaUpdates: false,
diff --git a/packages/amplify-graphql-searchable-transformer/src/cdk/create-searchable-domain.ts b/packages/amplify-graphql-searchable-transformer/src/cdk/create-searchable-domain.ts
index 7dd28b9ff6..2c59622abc 100644
--- a/packages/amplify-graphql-searchable-transformer/src/cdk/create-searchable-domain.ts
+++ b/packages/amplify-graphql-searchable-transformer/src/cdk/create-searchable-domain.ts
@@ -12,6 +12,7 @@ export const createSearchableDomain = (
 parameterMap: Map,
 apiId: string,
 nodeToNodeEncryption: boolean,
+ encryptionAtRest: boolean,
 ): Domain => {
 const { OpenSearchEBSVolumeGB, OpenSearchInstanceType, OpenSearchInstanceCount } = ResourceConstants.PARAMETERS;
 const { OpenSearchDomainLogicalID } = ResourceConstants.RESOURCES;
@@ -26,6 +27,9 @@ export const createSearchableDomain = (
 volumeSize: parameterMap.get(OpenSearchEBSVolumeGB)?.valueAsNumber,
 },
 nodeToNodeEncryption,
+ encryptionAtRest: {
+ enabled: encryptionAtRest,
+ },
 zoneAwareness: {
 enabled: false,
 },
diff --git a/packages/amplify-graphql-searchable-transformer/src/graphql-searchable-transformer.ts b/packages/amplify-graphql-searchable-transformer/src/graphql-searchable-transformer.ts
index c46fe84e64..87cfd38036 100644
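Review bot: `encryptionAtRest: { enabled: encryptionAtRest }` is emitted without a `kmsKey`, so an encrypted domain presumably falls back to the AWS-managed OpenSearch service key rather than a customer-managed key; if that is the intended scope of the flag it deserves saying, e.g. `// No kmsKey: relies on the AWS-managed service key; a CMK would need its own parameter` above the block. Nothing in `createSearchableDomain` checks that the instance type read from `parameterMap` via `OpenSearchInstanceType` (destructured in the first hunk) actually supports encryption at rest, even though the e2e tests in this same commit switch to `m5.large.elasticsearch` for exactly that reason, so a project that enables the flag with the default instance type will only find out at CloudFormation deploy time. A synth-time check, or at least a comment on the `encryptionAtRest` block naming that coupling, would make the failure mode visible before deploy. The body of `createSearchableDomain` continues outside the hunk.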
--- a/packages/amplify-graphql-searchable-transformer/src/graphql-searchable-transformer.ts +++ b/packages/amplify-graphql-searchable-transformer/src/graphql-searchable-transformer.ts @@ -304,6 +304,7 @@ export class SearchableModelTransformer extends TransformerPluginBase { parameterMap, context.api.apiId, context.transformParameters.enableSearchNodeToNodeEncryption, + context.transformParameters.enableSearchEncryptionAtRest, ); const openSearchRole = createSearchableDomainRole(context, stack, parameterMap); diff --git a/packages/amplify-graphql-transformer-core/src/transformer-context/transform-parameters.ts b/packages/amplify-graphql-transformer-core/src/transformer-context/transform-parameters.ts index 1c6b1142da..2b1f09f4a1 100644 --- a/packages/amplify-graphql-transformer-core/src/transformer-context/transform-parameters.ts +++ b/packages/amplify-graphql-transformer-core/src/transformer-context/transform-parameters.ts @@ -1,5 +1,8 @@ import type { TransformParameters } from '@aws-amplify/graphql-transformer-interfaces'; +/** + * Default settings for the transform parameters + */ export const defaultTransformParameters: TransformParameters = { // General Params enableTransformerCfnOutputs: true, @@ -27,6 +30,7 @@ export const defaultTransformParameters: TransformParameters = { // Search Params enableSearchNodeToNodeEncryption: false, + enableSearchEncryptionAtRest: false, // Migration enableGen2Migration: false, diff --git a/packages/amplify-graphql-transformer-interfaces/API.md b/packages/amplify-graphql-transformer-interfaces/API.md index 6c1bdb696c..17566925ff 100644 --- a/packages/amplify-graphql-transformer-interfaces/API.md +++ b/packages/amplify-graphql-transformer-interfaces/API.md 
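Review bot: `createSearchableDomain` is now called with two adjacent positional booleans, `enableSearchNodeToNodeEncryption` followed by `enableSearchEncryptionAtRest`, which the type checker cannot tell apart; a transposed pair would silently swap one encryption setting for the other. Passing them as a named object, `{ nodeToNodeEncryption: context.transformParameters.enableSearchNodeToNodeEncryption, encryptionAtRest: context.transformParameters.enableSearchEncryptionAtRest }`, with the matching change to the `createSearchableDomain` signature, makes the call self-describing. The enclosing method starts and ends outside the hunk.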
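Review bot: `enableSearchEncryptionAtRest: false` makes encryption at rest opt-in for every `@searchable` domain, so the secure setting is not the default and nothing in the file says why. If this is deliberate — the e2e changes in this commit suggest the default instance type does not support it, and presumably existing domains should not be altered by a library upgrade — put the reason beside the value, e.g. `enableSearchEncryptionAtRest: false, // opt-in: needs an instance type that supports encryption at rest; see the enableSearchEncryptionAtRest feature flag`. Otherwise a reader auditing defaults will read it as an oversight.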
@@ -909,24 +909,42 @@ export interface TransformParameterProvider {
 }
 
 // @public (undocumented)
-export type TransformParameters = {
- enableTransformerCfnOutputs: boolean;
- shouldDeepMergeDirectiveConfigDefaults: boolean;
- disableResolverDeduping: boolean;
- sandboxModeEnabled: boolean;
+export interface TransformParameters {
+ // (undocumented)
 allowDestructiveGraphqlSchemaUpdates: boolean;
- replaceTableUponGsiUpdate: boolean;
+ // (undocumented)
 allowGen1Patterns: boolean;
- useSubUsernameForDefaultIdentityClaim: boolean;
- populateOwnerFieldForStaticGroupAuth: boolean;
- suppressApiKeyGeneration: boolean;
- subscriptionsInheritPrimaryAuth: boolean;
- secondaryKeyAsGSI: boolean;
+ // (undocumented)
+ disableResolverDeduping: boolean;
+ // (undocumented)
 enableAutoIndexQueryNames: boolean;
- respectPrimaryKeyAttributesOnConnectionField: boolean;
- enableSearchNodeToNodeEncryption: boolean;
+ // (undocumented)
 enableGen2Migration?: boolean;
-};
+ // (undocumented)
+ enableSearchEncryptionAtRest: boolean;
+ // (undocumented)
+ enableSearchNodeToNodeEncryption: boolean;
+ // (undocumented)
+ enableTransformerCfnOutputs: boolean;
+ // (undocumented)
+ populateOwnerFieldForStaticGroupAuth: boolean;
+ // (undocumented)
+ replaceTableUponGsiUpdate: boolean;
+ // (undocumented)
+ respectPrimaryKeyAttributesOnConnectionField: boolean;
+ // (undocumented)
+ sandboxModeEnabled: boolean;
+ // (undocumented)
+ secondaryKeyAsGSI: boolean;
+ // (undocumented)
+ shouldDeepMergeDirectiveConfigDefaults: boolean;
+ // (undocumented)
+ subscriptionsInheritPrimaryAuth: boolean;
+ // (undocumented)
+ suppressApiKeyGeneration: boolean;
+ // (undocumented)
+ useSubUsernameForDefaultIdentityClaim: boolean;
+}
 
 // @public (undocumented)
 export interface UserPoolConfig {
diff --git a/packages/amplify-graphql-transformer-interfaces/src/transformer-context/transform-parameters.ts b/packages/amplify-graphql-transformer-interfaces/src/transformer-context/transform-parameters.ts index 070373d196..1a89dfb4c6 100644 --- a/packages/amplify-graphql-transformer-interfaces/src/transformer-context/transform-parameters.ts +++ b/packages/amplify-graphql-transformer-interfaces/src/transformer-context/transform-parameters.ts @@ -4,7 +4,7 @@ * a single location, and isn't spread around the transformers, where they can * have different default behaviors. */ -export type TransformParameters = { +export interface TransformParameters { // General Params enableTransformerCfnOutputs: boolean; @@ -31,7 +31,8 @@ export type TransformParameters = { // Search Params enableSearchNodeToNodeEncryption: boolean; + enableSearchEncryptionAtRest: boolean; // Migration enableGen2Migration?: boolean; -}; +} diff --git a/packages/amplify-graphql-transformer-test-utils/src/test-transform.ts b/packages/amplify-graphql-transformer-test-utils/src/test-transform.ts index 8ef72b195e..67f5cc96a4 100644 --- a/packages/amplify-graphql-transformer-test-utils/src/test-transform.ts +++ b/packages/amplify-graphql-transformer-test-utils/src/test-transform.ts @@ -35,9 +35,12 @@ export type TestTransformParameters = RDSLayerMappingProvider & /** * Defaults for transform parameters in tests, if they're not set explicitly. + * + * (Also for some E2E tests, so this gets actually deployed) */ const DEFAULT_TEST_TRANSFORM_PARAMETERS: Partial = { enableSearchNodeToNodeEncryption: true, + enableSearchEncryptionAtRest: true, }; /** diff --git a/packages/amplify-graphql-transformer/src/__tests__/graphql-transformer.test.ts b/packages/amplify-graphql-transformer/src/__tests__/graphql-transformer.test.ts index e08fb789ad..7bc792a221 100644 --- a/packages/amplify-graphql-transformer/src/__tests__/graphql-transformer.test.ts 
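Review bot: The new `enableSearchEncryptionAtRest` field is the public contract for this flag and carries no documentation — the regenerated API.md in this commit marks it `(undocumented)` — so nothing tells a consumer what it toggles or that the OpenSearch instance type has to support it. A TSDoc line above it, `/** Enable encryption at rest on the OpenSearch domain created for @searchable; the configured instance type must support it. */`, would pin that down, and `enableSearchNodeToNodeEncryption` directly above could get the same treatment while the section is being touched. `export interface TransformParameters {` is opened in the earlier hunk and closed by the `}` here.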
+++ b/packages/amplify-graphql-transformer/src/__tests__/graphql-transformer.test.ts @@ -47,6 +47,9 @@ describe('constructTransformerChain', () => { }); }); +/** + * Default transform config for these unit tests + */ const defaultTransformConfig: TransformConfig = { transformersFactoryArgs: {}, transformParameters: { @@ -61,6 +64,7 @@ const defaultTransformConfig: TransformConfig = { enableAutoIndexQueryNames: false, respectPrimaryKeyAttributesOnConnectionField: false, enableSearchNodeToNodeEncryption: false, + enableSearchEncryptionAtRest: false, enableTransformerCfnOutputs: true, allowDestructiveGraphqlSchemaUpdates: false, replaceTableUponGsiUpdate: false, diff --git a/packages/amplify-graphql-transformer/src/graphql-transformer.ts b/packages/amplify-graphql-transformer/src/graphql-transformer.ts index 930a01127c..a79fe3f161 100644 --- a/packages/amplify-graphql-transformer/src/graphql-transformer.ts +++ b/packages/amplify-graphql-transformer/src/graphql-transformer.ts @@ -80,7 +80,15 @@ export const constructTransformerChain = (options?: TransformerFactoryArgs): Tra new DefaultValueTransformer(), authTransformer, new MapsToTransformer(), - new SqlTransformer(), + + // This doesn't typecheck because of weird dependencies: this package + // comes from Amplify Gen2, not in this repository, and will implement + // a different version of the abstract base class than the one this + // function declares to be returning... but nobody's + // complained yet that it's really broken, so we're just assuming that this + // is safe to cast away. + new SqlTransformer() as any, + new RefersToTransformer(), ...(allowGen1Patterns ? [new SearchableModelTransformer()] : []), ...(options?.customTransformers ?? []), diff --git a/packages/amplify-util-mock/src/__e2e__/utils/index.ts b/packages/amplify-util-mock/src/__e2e__/utils/index.ts index a602c0e509..6328820250 100644 --- a/packages/amplify-util-mock/src/__e2e__/utils/index.ts 
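Review bot: `new SqlTransformer() as any` discards every compile-time check on the transformer that is spliced into the chain, and the comment above it records the base-class mismatch as a known unknown rather than something that will be revisited; a stale `as any` keeps compiling however far the two versions of the base class drift, so the first sign of breakage moves to deploy time. A targeted `// @ts-expect-error` with a one-line reason (assuming the checker attributes the mismatch to that element) is preferable because it stops compiling once the types line up again and the suppression has to be deleted, e.g. `// @ts-expect-error SqlTransformer (Amplify Gen2 package) implements a different version of the transformer base class` above `new SqlTransformer(),`, and the six-line comment can shrink to that. This edit is also unrelated to the encryption-at-rest flag the rest of the commit adds, so it is worth mentioning in the commit description. `constructTransformerChain` starts and ends outside the hunk.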
+++ b/packages/amplify-util-mock/src/__e2e__/utils/index.ts @@ -51,6 +51,11 @@ export const transformAndSynth = ( return transformManager.generateDeploymentResources(); }; +/** + * Default transform params for some E2E tests + * + * (This gets actually deployed) + */ export const defaultTransformParams: Pick = { transformersFactoryArgs: {}, transformParameters: { @@ -65,6 +70,7 @@ export const defaultTransformParams: Pick { cf, STACK_NAME, out, - { CreateAPIKey: '1' }, + { + CreateAPIKey: '1', + // Cheapest instance type that supports encryption at rest, and is available in + // most regions (m4 is not everywhere) + [ResourceConstants.PARAMETERS.OpenSearchInstanceType]: 'm5.large.elasticsearch', + }, LOCAL_FS_BUILD_DIR, BUCKET_NAME, S3_ROOT_DIR_KEY, diff --git a/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableModelTransformerV2.e2e.test.ts b/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableModelTransformerV2.e2e.test.ts index 3d5785c53f..536cd141f9 100644 --- a/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableModelTransformerV2.e2e.test.ts +++ b/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableModelTransformerV2.e2e.test.ts @@ -101,7 +101,11 @@ beforeAll(async () => { cf, STACK_NAME, out, - {}, + { + // Cheapest instance type that supports encryption at rest, and is available in + // most regions (m4 is not everywhere) + [ResourceConstants.PARAMETERS.OpenSearchInstanceType]: 'm5.large.elasticsearch', + }, LOCAL_FS_BUILD_DIR, BUCKET_NAME, S3_ROOT_DIR_KEY, diff --git a/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableWithAuthTests.e2e.test.ts b/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableWithAuthTests.e2e.test.ts index 3d329974fb..2b47516ba1 100644 --- a/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableWithAuthTests.e2e.test.ts +++ b/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableWithAuthTests.e2e.test.ts 
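Review bot: The literal `'m5.large.elasticsearch'` and its two-line justification are pasted into at least five e2e tests in this commit (this file, SearchableWithAuthTests, SearchableWithAuthV2, SearchableWithAuthV2WithFF and the test whose header is garbled in this view); when the cheapest encryption-capable type changes or a region drops m5, every copy has to be found. Hoist it into a shared test-utility constant with the comment attached to the constant, e.g. `export const ENCRYPTION_AT_REST_INSTANCE_TYPE = 'm5.large.elasticsearch';`, and pass `[ResourceConstants.PARAMETERS.OpenSearchInstanceType]: ENCRYPTION_AT_REST_INSTANCE_TYPE` here. The surrounding `deploy(` call begins and ends outside the hunk.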
@@ -210,6 +210,9 @@ beforeAll(async () => { const params = { CreateAPIKey: '1', AuthCognitoUserPoolId: USER_POOL_ID, + // Cheapest instance type that supports encryption at rest, and is available in + // most regions (m4 is not everywhere) + [ResourceConstants.PARAMETERS.OpenSearchInstanceType]: 'm5.large.elasticsearch', }; const finishedStack = await deploy( diff --git a/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableWithAuthV2.e2e.test.ts b/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableWithAuthV2.e2e.test.ts index 5dd4fad7fe..383c92bb3d 100644 --- a/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableWithAuthV2.e2e.test.ts +++ b/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableWithAuthV2.e2e.test.ts @@ -213,7 +213,14 @@ beforeAll(async () => { cf, STACK_NAME, out, - { AuthCognitoUserPoolId: USER_POOL_ID, authRoleName: authRole.RoleName, unauthRoleName: unauthRole.RoleName }, + { + [ResourceConstants.PARAMETERS.AuthCognitoUserPoolId]: USER_POOL_ID, + [ResourceConstants.PARAMETERS.AuthRoleName]: authRole.RoleName ?? '', + [ResourceConstants.PARAMETERS.UnauthRoleName]: unauthRole.RoleName ?? '', + // Cheapest instance type that supports encryption at rest, and is available in + // most regions (m4 is not everywhere) + [ResourceConstants.PARAMETERS.OpenSearchInstanceType]: 'm5.large.elasticsearch', + }, LOCAL_FS_BUILD_DIR, BUCKET_NAME, S3_ROOT_DIR_KEY, diff --git a/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableWithAuthV2WithFF.e2e.test.ts b/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableWithAuthV2WithFF.e2e.test.ts index 2183003808..f6ed8b6dc5 100644 --- a/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableWithAuthV2WithFF.e2e.test.ts +++ b/packages/graphql-transformers-e2e-tests/src/__tests__/SearchableWithAuthV2WithFF.e2e.test.ts 
@@ -212,7 +212,14 @@ beforeAll(async () => {
 cf,
 STACK_NAME,
 out,
- { AuthCognitoUserPoolId: USER_POOL_ID, authRoleName: authRole.RoleName, unauthRoleName: unauthRole.RoleName },
+ {
+ [ResourceConstants.PARAMETERS.AuthCognitoUserPoolId]: USER_POOL_ID,
+ [ResourceConstants.PARAMETERS.AuthRoleName]: authRole.RoleName ?? '',
+ [ResourceConstants.PARAMETERS.UnauthRoleName]: unauthRole.RoleName ?? '',
+ // Cheapest instance type that supports encryption at rest, and is available in
+ // most regions (m4 is not everywhere)
+ [ResourceConstants.PARAMETERS.OpenSearchInstanceType]: 'm5.large.elasticsearch',
+ },
 LOCAL_FS_BUILD_DIR,
 BUCKET_NAME,
 S3_ROOT_DIR_KEY,
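Review bot: `authRole.RoleName ?? ''` and `unauthRole.RoleName ?? ''` turn a missing role name into an empty-string CloudFormation parameter, so a failed or partial IAM setup earlier in `beforeAll` is no longer a type error here but an opaque stack failure — or, possibly, an auth test that deploys without the role it is meant to exercise. Since both names are required for the test to mean anything, fail early instead: `if (!authRole.RoleName || !unauthRole.RoleName) throw new Error('auth/unauth role names are required');` before the `deploy(` call, then pass the names without the fallback. The same pattern appears in SearchableWithAuthV2.e2e.test.ts in this commit. The `deploy(` call starts outside the hunk.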