Skip to content

feat(amplify): add compute role support for Amplify branches #34708

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
Jun 18, 2025
Merged

feat(amplify): add compute role support for Amplify branches #34708

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
0997c45
feat(amplify): add compute role support for Amplify branches
mazyu36 Jun 13, 2025
5eee1ea
fix readme
mazyu36 Jun 13, 2025
d407d28
Merge branch 'main' into feature/branch-compute-role
mazyu36 Jun 15, 2025
0cfeb39
fix
mazyu36 Jun 16, 2025
a7dd592
add validation
mazyu36 Jun 17, 2025
bab1ebc
fix integ
mazyu36 Jun 17, 2025
052bb10
addressed review comments
mazyu36 Jun 18, 2025
d26173b
fix
mazyu36 Jun 18, 2025
30ea997
Merge branch 'main' into feature/branch-compute-role
mergify[bot] Jun 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions packages/@aws-cdk/aws-amplify-alpha/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -268,6 +268,15 @@ const amplifyApp = new amplify.App(this, 'MyApp', {
});
```

It is also possible to override the compute role for a specific branch by setting `computeRole` in `Branch`:

```ts
declare const computeRole: iam.Role;
declare const amplifyApp: amplify.App

const branch = amplifyApp.addBranch("dev", { computeRole });
```

## Cache Config

Amplify uses Amazon CloudFront to manage the caching configuration for your hosted applications. A cache configuration is applied to each app to optimize for the best performance.
Expand Down
17 changes: 15 additions & 2 deletions packages/@aws-cdk/aws-amplify-alpha/lib/app.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,11 @@ export interface IApp extends IResource {
* @attribute
*/
readonly appId: string;

/**
* The platform of the app
*/
readonly platform?: Platform;
Copy link
Contributor

@leonmk-aws leonmk-aws Jun 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should not add optional field in the interface that extends iResource, see below one approach on how to do the isSSR check without exposing the field in this interface.

}

/**
Expand Down Expand Up @@ -237,6 +242,11 @@ export class App extends Resource implements IApp, iam.IGrantable {
*/
public readonly computeRole?: iam.IRole;

/**
* The platform of the app
*/
public readonly platform?: Platform;

private readonly customRules: CustomRule[];
private readonly environmentVariables: { [name: string]: string };
private readonly autoBranchEnvironmentVariables: { [name: string]: string };
Expand All @@ -256,7 +266,8 @@ export class App extends Resource implements IApp, iam.IGrantable {
this.grantPrincipal = role;

let computedRole: iam.IRole | undefined;
const isSSR = props.platform === Platform.WEB_COMPUTE || props.platform === Platform.WEB_DYNAMIC;
const appPlatform = props.platform || Platform.WEB;
const isSSR = appPlatform === Platform.WEB_COMPUTE || appPlatform === Platform.WEB_DYNAMIC;
Copy link
Contributor

@leonmk-aws leonmk-aws Jun 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would consider adding a function in the utils.ts file, to share it between app.ts and branch.ts


if (props.computeRole) {
if (!isSSR) {
Expand All @@ -272,6 +283,8 @@ export class App extends Resource implements IApp, iam.IGrantable {

const sourceCodeProviderOptions = props.sourceCodeProvider?.bind(this);

this.platform = appPlatform;

const app = new CfnApp(this, 'Resource', {
accessToken: sourceCodeProviderOptions?.accessToken?.unsafeUnwrap(), // Safe usage
autoBranchCreationConfig: props.autoBranchCreation && {
Expand Down Expand Up @@ -302,7 +315,7 @@ export class App extends Resource implements IApp, iam.IGrantable {
oauthToken: sourceCodeProviderOptions?.oauthToken?.unsafeUnwrap(), // Safe usage
repository: sourceCodeProviderOptions?.repository,
customHeaders: props.customResponseHeaders ? renderCustomResponseHeaders(props.customResponseHeaders) : undefined,
platform: props.platform || Platform.WEB,
platform: appPlatform,
});

this.appId = app.attrAppId;
Expand Down
21 changes: 20 additions & 1 deletion packages/@aws-cdk/aws-amplify-alpha/lib/branch.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,12 @@ import {
Duration,
NestedStack,
Stack,
ValidationError,
} from 'aws-cdk-lib/core';
import { Provider } from 'aws-cdk-lib/custom-resources';
import { Construct } from 'constructs';
import { CfnBranch } from 'aws-cdk-lib/aws-amplify';
import { IApp } from './app';
import { IApp, Platform } from './app';
import { BasicAuth } from './basic-auth';
import { renderEnvironmentVariables } from './utils';
import { AssetDeploymentIsCompleteFunction, AssetDeploymentOnEventFunction } from '../custom-resource-handlers/dist/aws-amplify-alpha/asset-deployment-provider.generated';
Expand Down Expand Up @@ -137,6 +138,16 @@ export interface BranchOptions {
* @default None - Default setting is no skew protection.
*/
readonly skewProtection?: boolean;

/**
* The IAM role to assign to a branch of an SSR app.
* The SSR Compute role allows the Amplify Hosting compute service to securely access specific AWS resources based on the role's permissions.
*
* This role overrides the app-level compute role.
*
* @default undefined - No specific role for the branch. If the app has a compute role, it will be inherited.
*/
readonly computeRole?: iam.IRole;
}

/**
Expand Down Expand Up @@ -183,6 +194,13 @@ export class Branch extends Resource implements IBranch {
// Enhanced CDK Analytics Telemetry
addConstructMetadata(this, props);

const platform = props.app.platform;
Copy link
Contributor

@leonmk-aws leonmk-aws Jun 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of relying on the IApp interface to have an optional platform field, another approach would be to check if if (props.app instanceof App) is true and use the platform attribute of this class to perform the isSSR check.

const isSSR = platform === Platform.WEB_COMPUTE || platform === Platform.WEB_DYNAMIC;

if (props.computeRole && !isSSR) {
throw new ValidationError('`computeRole` can only be specified for branches of apps with `Platform.WEB_COMPUTE` or `Platform.WEB_DYNAMIC`.', this);
}

this.environmentVariables = props.environmentVariables || {};

const branchName = props.branchName || id;
Expand All @@ -199,6 +217,7 @@ export class Branch extends Resource implements IBranch {
stage: props.stage,
enablePerformanceMode: props.performanceMode,
enableSkewProtection: props.skewProtection,
computeRoleArn: props.computeRole?.roleArn,
});

this.arn = branch.attrArn;
Expand Down
35 changes: 35 additions & 0 deletions packages/@aws-cdk/aws-amplify-alpha/test/branch.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ import { Template } from 'aws-cdk-lib/assertions';
import { Asset } from 'aws-cdk-lib/aws-s3-assets';
import { SecretValue, Stack } from 'aws-cdk-lib';
import * as amplify from '../lib';
import * as iam from 'aws-cdk-lib/aws-iam';

let stack: Stack;
let app: amplify.App;
Expand Down Expand Up @@ -154,3 +155,37 @@ test('with skew protection', () => {
EnableSkewProtection: true,
});
});

test('with compute role', () => {
// WHEN
const computeRole = new iam.Role(stack, 'ComputeRole', {
assumedBy: new iam.ServicePrincipal('amplify.amazonaws.com'),
});

const ssrApp = new amplify.App(stack, 'SsrApp', {
platform: amplify.Platform.WEB_COMPUTE,
});

ssrApp.addBranch('main', { computeRole });

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::Amplify::Branch', {
ComputeRoleArn: stack.resolve(computeRole.roleArn),
});
});

test('throws error when compute role provided for WEB platform', () => {
// WHEN
const computeRole = new iam.Role(stack, 'ComputeRoleWeb', {
assumedBy: new iam.ServicePrincipal('amplify.amazonaws.com'),
});

const webApp = new amplify.App(stack, 'WebApp', {
platform: amplify.Platform.WEB,
});

// THEN
expect(() => {
webApp.addBranch('main', { computeRole });
}).toThrow(/`computeRole` can only be specified for branches of apps with `Platform.WEB_COMPUTE` or `Platform.WEB_DYNAMIC`./);
});
20 changes: 20 additions & 0 deletions ...pute-role.js.snapshot/amplifybranchcomputeroleDefaultTestDeployAssert73C754F8.assets.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

36 changes: 36 additions & 0 deletions ...te-role.js.snapshot/amplifybranchcomputeroleDefaultTestDeployAssert73C754F8.template.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

20 changes: 20 additions & 0 deletions ...ha/test/integ.branch-compute-role.js.snapshot/cdk-amplify-branch-compute-role.assets.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

134 changes: 134 additions & 0 deletions .../test/integ.branch-compute-role.js.snapshot/cdk-amplify-branch-compute-role.template.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,134 @@
{
"Resources": {
"ComputeRole65BDBE3E": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "amplify.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
},
"AppRole1AF9B530": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "amplify.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
},
"AppComputeRole426920E4": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "amplify.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
}
},
"AppF1B96344": {
"Type": "AWS::Amplify::App",
"Properties": {
"BasicAuthConfig": {
"EnableBasicAuth": false
},
"CacheConfig": {
"Type": "AMPLIFY_MANAGED_NO_COOKIES"
},
"ComputeRoleArn": {
"Fn::GetAtt": [
"AppComputeRole426920E4",
"Arn"
]
},
"IAMServiceRole": {
"Fn::GetAtt": [
"AppRole1AF9B530",
"Arn"
]
},
"Name": "App",
"Platform": "WEB_COMPUTE"
}
},
"AppmainF505BAED": {
"Type": "AWS::Amplify::Branch",
"Properties": {
"AppId": {
"Fn::GetAtt": [
"AppF1B96344",
"AppId"
]
},
"BranchName": "main",
"ComputeRoleArn": {
"Fn::GetAtt": [
"ComputeRole65BDBE3E",
"Arn"
]
},
"EnableAutoBuild": true,
"EnablePullRequestPreview": true
}
}
},
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
}
}
1 change: 1 addition & 0 deletions packages/@aws-cdk/aws-amplify-alpha/test/integ.branch-compute-role.js.snapshot/cdk.out
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading