chore: add oidc config to api

Author: rjuliano

src/integ_test_resources/android/amplify/integration/cdk/scripts/amplify_app.py

@@ -3,6 +3,7 @@
 from common import (
     LOGGER,
     AMPLIFY_AWSSDK_CLIENT,
+    SECRETS_MANAGER_CLIENT,
     BASE_PATH,
     run_command,
     OperationType
@@ -88,6 +89,10 @@ def push(self):
         self._load_metadata()
         return result.returncode
 
+    def retrieve_secret(self, secret_name: str):
+        get_secret_result = SECRETS_MANAGER_CLIENT.get_secret_value(SecretId=secret_name)
+        return json.loads(get_secret_result["SecretString"])
+
     def _get_existing_app_id(self):
         try:
             response = AMPLIFY_AWSSDK_CLIENT.list_apps()

src/integ_test_resources/android/amplify/integration/cdk/scripts/auth.py

@@ -9,6 +9,7 @@ def create(cls, *, auth_resource_name:str,
                         allow_unauth = True,
                         signin_method = 'USERNAME',
                         group_names = [],
+                        oauth_config = None,
                         refresh_token_period_in_days = 365,
                         required_signup_attributes = ['EMAIL', 'NAME', 'NICKNAME'],
                         write_attributes = ['EMAIL', 'NAME', 'NICKNAME'],
@@ -37,6 +38,9 @@ def create(cls, *, auth_resource_name:str,
             'refreshTokenPeriod': refresh_token_period_in_days
         }
 
+        if oauth_config is not None:
+            user_pool_config['oAuth'] = oauth_config 
+
         id_pool_config = {
             'unauthenticatedLogin': allow_unauth,
             'identityPoolName': identity_pool_name

src/integ_test_resources/android/amplify/integration/cdk/scripts/common.py

@@ -13,6 +13,7 @@ class OperationType(Enum):
 def parse_arguments():
     parser = argparse.ArgumentParser(description="Utility that runs the Amplify CLI in headless mode to provision backend resources for integration tests.")
     parser.add_argument("--backend_name", help="The name of the Amplify app.", required=True)
+    parser.add_argument("--oidc_provider", help="Name of the oidc provider.")
     parser.add_argument("--schema_dir", help="Name of the subdirectory under the schemas folder that contains the GraphQL schemas for the backend API.", required=True)
     parser.add_argument("--group_names", help="Comma-separated list of group names to be created.", default="")
     parser.add_argument("--conflict_resolution", help="Conflict resolution mode.")
@@ -26,6 +27,7 @@ def parse_arguments():
 LOGGER.addHandler(CONSOLE_HANDLER)
 
 AMPLIFY_AWSSDK_CLIENT = boto3.client('amplify')
+SECRETS_MANAGER_CLIENT = boto3.client('secretsmanager')
 REGION = 'us-east-1'
 SCRIPTS_DIR = os.path.dirname(__file__)
 LOGGER.info(f"SCRIPTS_DIR = {SCRIPTS_DIR}")

src/integ_test_resources/android/amplify/integration/cdk/scripts/setup_amplify

@@ -46,16 +46,20 @@ auth_config = AuthConfigFactory.create(auth_resource_name=auth_resource_name,
 
 auth_cmd_result = amplify_app.config_auth(auth_config=auth_config, op_type=auth_op_type)
 if auth_cmd_result == 0:
-    LOGGER.info("Auth category configured.")
+    LOGGER.info("Auth category configured. Pushing changes.")
+    push_cmd_result = amplify_app.push()
+    if push_cmd_result == 0:
+        LOGGER.info("Auth category changed pushed.")
+    else:
+        LOGGER.error("Failed to push Auth category changes.")
+        exit(-1)
 else:
     LOGGER.error("Failed to configure Auth category.")
     exit(-1)
 
-amplify_app.push()
-
 api_key_config = ApiAuthModeFactory.create_api_key_config()
 user_pools_config = ApiAuthModeFactory.create_user_pools_config(auth_resource_name=f"auth{auth_resource_name}")
-oidc_config = ApiAuthModeFactory.create_oidc_config(client_id='dummy', issuer_url="https://localhost/", provider_name="Dummy provider")
+oidc_config = ApiAuthModeFactory.create_oidc_config(client_id='dummy', issuer_url="https://accounts.google.com/", provider_name='GoogleIntegTestOIDC')
 iam_config = ApiAuthModeFactory.create_iam_config()
 api_config = ApiConfigFactory.create(api_name=f"{amplify_backend_name}Api", 
                                         op_type=api_op_type, 

src/integ_test_resources/android/amplify/integration/cdk/stacks/amplify_deployer_stack.py

@@ -91,9 +91,21 @@ def __init__(self, scope: core.App, id: str, props, **kwargs) -> None:
                 aws_iam.PolicyStatement(actions=individual_actions, effect=aws_iam.Effect.ALLOW, resources=["*"]),
             ]
         )
+        policy.attach_to_role(project.role)
 
+        policy = aws_iam.ManagedPolicy(self,
+            "AmplifyCodeBuildScriptRunnerSecretReaderPolicy",
+            managed_policy_name=f"AmplifyCodeBuildScriptRunnerSecretReaderPolicy-{cb_project_name}",
+            description="Policy used by the CodeBuild role that manages the creation of backend resources using the Amplify CLI",
+            statements=[
+                aws_iam.PolicyStatement(actions=["secretsmanager:GetSecretValue"], 
+                                        effect=aws_iam.Effect.ALLOW, 
+                                        resources=[f"arn:aws:secretsmanager:us-east-1:{self.account}:secret:awsmobilesdk/android/*"]),
+            ]
+        )
         policy.attach_to_role(project.role)
 
+
         project.role.add_managed_policy(aws_iam.ManagedPolicy.from_aws_managed_policy_name("AmazonS3FullAccess"))
         project.role.add_managed_policy(aws_iam.ManagedPolicy.from_aws_managed_policy_name("AWSCloudFormationFullAccess"))
         project.role.add_managed_policy(aws_iam.ManagedPolicy.from_aws_managed_policy_name('IAMReadOnlyAccess'))