aws-amplify · rix0rrr · Sep 19, 2025 · Sep 19, 2025 · Oct 10, 2025 · Oct 10, 2025
@@ -286,6 +286,7 @@ const generateTransformParameters = (
       pathManager.findProjectRoot(),
       pathManager.getCurrentCloudBackendDirPath(),
     ),
+    enableSearchEncryptionAtRest: featureFlagProvider.getBoolean('enableSearchEncryptionAtRest'),
     sandboxModeEnabled,
     enableTransformerCfnOutputs: true,
     allowDestructiveGraphqlSchemaUpdates: false,

@@ -12,6 +12,7 @@ export const createSearchableDomain = (
   parameterMap: Map<string, CfnParameter>,
   apiId: string,
   nodeToNodeEncryption: boolean,
+  encryptionAtRest: boolean,
 ): Domain => {
   const { OpenSearchEBSVolumeGB, OpenSearchInstanceType, OpenSearchInstanceCount } = ResourceConstants.PARAMETERS;
   const { OpenSearchDomainLogicalID } = ResourceConstants.RESOURCES;
@@ -26,6 +27,9 @@ export const createSearchableDomain = (
       volumeSize: parameterMap.get(OpenSearchEBSVolumeGB)?.valueAsNumber,
     },
     nodeToNodeEncryption,
+    encryptionAtRest: {
+      enabled: encryptionAtRest,
+    },
     zoneAwareness: {
       enabled: false,
     },

@@ -304,6 +304,7 @@ export class SearchableModelTransformer extends TransformerPluginBase {
       parameterMap,
       context.api.apiId,
       context.transformParameters.enableSearchNodeToNodeEncryption,
+      context.transformParameters.enableSearchEncryptionAtRest,
     );
 
     const openSearchRole = createSearchableDomainRole(context, stack, parameterMap);

@@ -1,5 +1,8 @@
 import type { TransformParameters } from '@aws-amplify/graphql-transformer-interfaces';
 
+/**
+ * Default settings for the transform parameters
+ */
 export const defaultTransformParameters: TransformParameters = {
   // General Params
   enableTransformerCfnOutputs: true,
@@ -27,6 +30,7 @@ export const defaultTransformParameters: TransformParameters = {
 
   // Search Params
   enableSearchNodeToNodeEncryption: false,
+  enableSearchEncryptionAtRest: false,
 
   // Migration
   enableGen2Migration: false,

@@ -909,24 +909,42 @@ export interface TransformParameterProvider {
 }
 
 // @public (undocumented)
-export type TransformParameters = {
-    enableTransformerCfnOutputs: boolean;
-    shouldDeepMergeDirectiveConfigDefaults: boolean;
-    disableResolverDeduping: boolean;
-    sandboxModeEnabled: boolean;
+export interface TransformParameters {
+    // (undocumented)
     allowDestructiveGraphqlSchemaUpdates: boolean;
-    replaceTableUponGsiUpdate: boolean;
+    // (undocumented)
     allowGen1Patterns: boolean;
-    useSubUsernameForDefaultIdentityClaim: boolean;
-    populateOwnerFieldForStaticGroupAuth: boolean;
-    suppressApiKeyGeneration: boolean;
-    subscriptionsInheritPrimaryAuth: boolean;
-    secondaryKeyAsGSI: boolean;
+    // (undocumented)
+    disableResolverDeduping: boolean;
+    // (undocumented)
     enableAutoIndexQueryNames: boolean;
-    respectPrimaryKeyAttributesOnConnectionField: boolean;
-    enableSearchNodeToNodeEncryption: boolean;
+    // (undocumented)
     enableGen2Migration?: boolean;
-};
+    // (undocumented)
+    enableSearchEncryptionAtRest: boolean;
+    // (undocumented)
+    enableSearchNodeToNodeEncryption: boolean;
+    // (undocumented)
+    enableTransformerCfnOutputs: boolean;
+    // (undocumented)
+    populateOwnerFieldForStaticGroupAuth: boolean;
+    // (undocumented)
+    replaceTableUponGsiUpdate: boolean;
+    // (undocumented)
+    respectPrimaryKeyAttributesOnConnectionField: boolean;
+    // (undocumented)
+    sandboxModeEnabled: boolean;
+    // (undocumented)
+    secondaryKeyAsGSI: boolean;
+    // (undocumented)
+    shouldDeepMergeDirectiveConfigDefaults: boolean;
+    // (undocumented)
+    subscriptionsInheritPrimaryAuth: boolean;
+    // (undocumented)
+    suppressApiKeyGeneration: boolean;
+    // (undocumented)
+    useSubUsernameForDefaultIdentityClaim: boolean;
+}
 
 // @public (undocumented)
 export interface UserPoolConfig {

@@ -4,7 +4,7 @@
  * a single location, and isn't spread around the transformers, where they can
  * have different default behaviors.
  */
-export type TransformParameters = {
+export interface TransformParameters {
   // General Params
   enableTransformerCfnOutputs: boolean;
 
@@ -31,7 +31,8 @@ export type TransformParameters = {
 
   // Search Params
   enableSearchNodeToNodeEncryption: boolean;
+  enableSearchEncryptionAtRest: boolean;
 
   // Migration
   enableGen2Migration?: boolean;
-};
+}
@@ -35,9 +35,12 @@ export type TestTransformParameters = RDSLayerMappingProvider &
 
 /**
  * Defaults for transform parameters in tests, if they're not set explicitly.
+ *
+ * (Also for some E2E tests, so this gets actually deployed)
  */
 const DEFAULT_TEST_TRANSFORM_PARAMETERS: Partial<TransformParameters> = {
   enableSearchNodeToNodeEncryption: true,
+  enableSearchEncryptionAtRest: true,
 };
 
 /**

@@ -47,6 +47,9 @@ describe('constructTransformerChain', () => {
   });
 });
 
+/**
+ * Default transform config for these unit tests
+ */
 const defaultTransformConfig: TransformConfig = {
   transformersFactoryArgs: {},
   transformParameters: {
@@ -61,6 +64,7 @@ const defaultTransformConfig: TransformConfig = {
     enableAutoIndexQueryNames: false,
     respectPrimaryKeyAttributesOnConnectionField: false,
     enableSearchNodeToNodeEncryption: false,
+    enableSearchEncryptionAtRest: false,
     enableTransformerCfnOutputs: true,
     allowDestructiveGraphqlSchemaUpdates: false,
     replaceTableUponGsiUpdate: false,

@@ -80,7 +80,15 @@ export const constructTransformerChain = (options?: TransformerFactoryArgs): Tra
     new DefaultValueTransformer(),
     authTransformer,
     new MapsToTransformer(),
-    new SqlTransformer(),
+
+    // This doesn't typecheck because of weird dependencies: this package
+    // comes from Amplify Gen2, not in this repository, and will implement
+    // a different version of the abstract base class than the one this
+    // function declares to be returning... but nobody's
+    // complained yet that it's really broken, so we're just assuming that this
+    // is safe to cast away.
+    new SqlTransformer() as any,
+
     new RefersToTransformer(),
     ...(allowGen1Patterns ? [new SearchableModelTransformer()] : []),
     ...(options?.customTransformers ?? []),

@@ -51,6 +51,11 @@ export const transformAndSynth = (
   return transformManager.generateDeploymentResources();
 };
 
+/**
+ * Default transform params for some E2E tests
+ *
+ * (This gets actually deployed)
+ */
 export const defaultTransformParams: Pick<ExecuteTransformConfig, 'transformersFactoryArgs' | 'transformParameters'> = {
   transformersFactoryArgs: {},
   transformParameters: {
@@ -65,6 +70,7 @@ export const defaultTransformParams: Pick<ExecuteTransformConfig, 'transformersF
     enableAutoIndexQueryNames: true,
     respectPrimaryKeyAttributesOnConnectionField: true,
     enableSearchNodeToNodeEncryption: false,
+    enableSearchEncryptionAtRest: false,
     enableTransformerCfnOutputs: true,
     allowDestructiveGraphqlSchemaUpdates: false,
     replaceTableUponGsiUpdate: false,

@@ -95,8 +95,8 @@ export class CloudFormationClient {
    */
   async waitForStack(
     name: string,
-    success: StackStatus[] = ['CREATE_COMPLETE', 'ROLLBACK_COMPLETE', 'DELETE_COMPLETE', 'UPDATE_COMPLETE', 'UPDATE_ROLLBACK_COMPLETE'],
-    failure: StackStatus[] = ['CREATE_FAILED', 'ROLLBACK_FAILED', 'DELETE_FAILED', 'UPDATE_ROLLBACK_FAILED'],
+    success: StackStatus[] = ['CREATE_COMPLETE', 'DELETE_COMPLETE', 'UPDATE_COMPLETE', 'UPDATE_ROLLBACK_COMPLETE'],
+    failure: StackStatus[] = ['CREATE_FAILED', 'ROLLBACK_COMPLETE', 'ROLLBACK_FAILED', 'DELETE_FAILED', 'UPDATE_ROLLBACK_FAILED'],
     poll: StackStatus[] = [
       'CREATE_IN_PROGRESS',
       'ROLLBACK_IN_PROGRESS',

@@ -180,7 +180,12 @@ beforeAll(async () => {
       cf,
       STACK_NAME,
       out,
-      { CreateAPIKey: '1' },
+      {
+        CreateAPIKey: '1',
+        // Cheapest instance type that supports encryption at rest, and is available in
+        // most regions (m4 is not everywhere)
+        [ResourceConstants.PARAMETERS.OpenSearchInstanceType]: 'm5.large.elasticsearch',
+      },
       LOCAL_FS_BUILD_DIR,
       BUCKET_NAME,
       S3_ROOT_DIR_KEY,

@@ -101,7 +101,11 @@ beforeAll(async () => {
       cf,
       STACK_NAME,
       out,
-      {},
+      {
+        // Cheapest instance type that supports encryption at rest, and is available in
+        // most regions (m4 is not everywhere)
+        [ResourceConstants.PARAMETERS.OpenSearchInstanceType]: 'm5.large.elasticsearch',
+      },
       LOCAL_FS_BUILD_DIR,
       BUCKET_NAME,
       S3_ROOT_DIR_KEY,

@@ -210,6 +210,9 @@ beforeAll(async () => {
     const params = {
       CreateAPIKey: '1',
       AuthCognitoUserPoolId: USER_POOL_ID,
+      // Cheapest instance type that supports encryption at rest, and is available in
+      // most regions (m4 is not everywhere)
+      [ResourceConstants.PARAMETERS.OpenSearchInstanceType]: 'm5.large.elasticsearch',
     };
 
     const finishedStack = await deploy(

@@ -213,7 +213,14 @@ beforeAll(async () => {
       cf,
       STACK_NAME,
       out,
-      { AuthCognitoUserPoolId: USER_POOL_ID, authRoleName: authRole.RoleName, unauthRoleName: unauthRole.RoleName },
+      {
+        [ResourceConstants.PARAMETERS.AuthCognitoUserPoolId]: USER_POOL_ID,
+        [ResourceConstants.PARAMETERS.AuthRoleName]: authRole.RoleName ?? '',
+        [ResourceConstants.PARAMETERS.UnauthRoleName]: unauthRole.RoleName ?? '',
+        // Cheapest instance type that supports encryption at rest, and is available in
+        // most regions (m4 is not everywhere)
+        [ResourceConstants.PARAMETERS.OpenSearchInstanceType]: 'm5.large.elasticsearch',
+      },
       LOCAL_FS_BUILD_DIR,
       BUCKET_NAME,
       S3_ROOT_DIR_KEY,

@@ -212,7 +212,14 @@ beforeAll(async () => {
       cf,
       STACK_NAME,
       out,
-      { AuthCognitoUserPoolId: USER_POOL_ID, authRoleName: authRole.RoleName, unauthRoleName: unauthRole.RoleName },
+      {
+        [ResourceConstants.PARAMETERS.AuthCognitoUserPoolId]: USER_POOL_ID,
+        [ResourceConstants.PARAMETERS.AuthRoleName]: authRole.RoleName ?? '',
+        [ResourceConstants.PARAMETERS.UnauthRoleName]: unauthRole.RoleName ?? '',
+        // Cheapest instance type that supports encryption at rest, and is available in
+        // most regions (m4 is not everywhere)
+        [ResourceConstants.PARAMETERS.OpenSearchInstanceType]: 'm5.large.elasticsearch',
+      },
       LOCAL_FS_BUILD_DIR,
       BUCKET_NAME,
       S3_ROOT_DIR_KEY,