[DRAFT] feat: Phase 2 - implement comprehensive access control system for storage-construct #2871
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add new storage-construct package with AmplifyConstruct implementation and test suite
- Add api-extractor.json configuration - Add build and clean scripts to package.json - Generate required TypeScript declaration files
…t package - Create new @aws-amplify/storage-construct package with standalone L3 construct - Migrate AmplifyStorage class from backend-storage with CDK-native trigger support - Replace factory-based triggers with direct IFunction references - Add comprehensive test suite with all original test coverage - Configure package build, API extraction, and TypeScript compilation - Maintain full backward compatibility with existing backend-storage package
- Replace constructor-based access control with grantAccess method pattern - Add StorageAccessDefinition type for access configuration - Update API to support storage.grantAccess(auth, accessDefinition) pattern - Add test coverage for new grantAccess method - Update exports to include StorageAccessDefinition type Copy
- Bump version from 0.1.0 to 1.0.0 for major release - Update aws-cdk-lib peer dependency from ^2.158.0 to ^2.189.1 for consistency - Add missing main field to package.json for lint compliance - Update changeset with detailed breaking change description - Update package-lock.json with new version and dependency changes
- Set initial version to 0.1.0 for new package (changeset will bump to 1.0.0) - Add storage-construct to version check exceptions for 0.x.x versions - Update changeset description to reflect initial release rather than breaking change - Update package-lock.json with corrected version - Fix husky hooks with proper PATH configuration
- Add StorageAccessPolicyFactory for IAM policy generation with allow/deny logic - Create StorageAccessOrchestrator following backend-storage architecture patterns - Implement AuthRoleResolver for role extraction from auth constructs - Support all access types: authenticated, guest, owner, groups - Add action mapping from storage actions to S3 IAM permissions - Handle path processing with wildcard patterns and ID substitution - Add comprehensive test coverage (20 tests) for all components - Align implementation with existing backend-storage package structure
🦋 Changeset detectedLatest commit: 8e50857 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
rozaychen
changed the title
rozaychen
added
the
run-e2e
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
Phase 1 created the standalone storage-construct package with a placeholder
grantAccessmethod. Phase 2 needs to implement the actual access control logic to generate IAM policies and attach them to appropriate roles based on access definitions.Issue number, if available: Part of storage L3 construct initiative
Changes
Implemented a comprehensive access control system following the same architectural patterns as the existing backend-storage package:
Core Components Added:
Key Features:
read,write,delete) to S3 IAM actions (s3:GetObject,s3:PutObject, etc.)photos/*)authenticated,guest,owner, andgroupsaccess patternsImplementation Details:
Corresponding docs PR, if applicable: N/A
Validation
Comprehensive Test Coverage (20 tests total):
Test Scenarios Covered:
Build & Quality Checks:
Checklist
run-e2elabel set.Note: This is a foundational PR for the AmplifyStorage L3 construct migration project. The implementation follows a phased approach across multiple PRs:
Phase 1 ✅ Create standalone storage-construct package
@aws-amplify/storage-constructpackagegrantAccess(auth, accessDefinition)method patternbackend-storagePhase 2 ✅ Implement access control logic in grantAccess method(this PR)
Phase 3 🔄 Add path-based permission system
photos/*)Phase 4 🔄 Add function resource access support
StorageAccessRuletype to support'resource'typegrantAccess(functionConstruct, accessConfig)overload{ type: 'resource', actions: ['read'] }patternPhase 5 🔄 Add granular action support
['get', 'list', 'write', 'delete']'read'→['get', 'list']expansionPhase 6 🔄 Add multi-storage validation
isDefaultflag validation across multiple constructsPhase 7 🔄 Enhance auth construct discovery
Phase 8 🔄 Update documentation and examples
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.