backend.data.resources.graphqlApi.modes is empty even when modes are defined

[kwwendt]

Environment information

System:
  OS: macOS 14.4.1
  CPU: (8) x64 Apple M1
  Memory: 39.98 MB / 16.00 GB
  Shell: /bin/bash
Binaries:
  Node: 20.14.0 - ~/.nvm/versions/node/v20.14.0/bin/node
  Yarn: 1.22.19 - /usr/local/bin/yarn
  npm: 10.7.0 - ~/.nvm/versions/node/v20.14.0/bin/npm
  pnpm: undefined - undefined
NPM Packages:
  @aws-amplify/backend: 1.0.3
  @aws-amplify/backend-cli: 1.0.4
  aws-amplify: 6.3.7
  aws-cdk: 2.146.0
  aws-cdk-lib: 2.146.0
  typescript: 5.4.5
AWS environment variables:
  AWS_PROFILE = kwwendt+mne-Admin
  AWS_DEFAULT_REGION = us-west-2
  AWS_STS_REGIONAL_ENDPOINTS = regional
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
No CDK environment variables

Data packages

cms-app@0.0.0 /Project
├─┬ @aws-amplify/backend-cli@1.0.4
│ └─┬ @aws-amplify/schema-generator@1.0.0
│   └── @aws-amplify/graphql-schema-generator@0.8.6
└─┬ @aws-amplify/backend@1.0.3
  └─┬ @aws-amplify/backend-data@1.0.2
    └── @aws-amplify/data-construct@1.8.5

Description

const backend = defineBackend({
  auth,
  data
});

console.log(backend.data.resources.graphqlApi.modes); // prints an empty array []

The modes attribute is empty even though IAM is included by default and my API also has AMAZON_COGNITO_USER_POOLS added as an auth mode.

Root cause (most likely): in construct-export.ts Code link reference, the authorization modes aren't passed into the fromGraphqlApiAttributes method. Further investigation shows that the CDK implementation of that method sets modes to an empty array if the attribute isn't passed as part of the method CDK code reference.

Recommendation: modify the construct-export.ts file to pull in the L2 construct vs importing it from the L1 construct OR explicitly pass the other attributes for the fromGraphqlApiAttributes method.

Impact: Without this, I am unable to use the Amazon EventBridge AppSync target L2 construct. That construct checks for IAM as an included auth mode and fails when I pass backend.data.resources.graphqlApi to the construct. Example code below to reproduce.

import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';
import { Rule, RuleTargetInput, EventField } from "aws-cdk-lib/aws-events";
import { AppSync } from "aws-cdk-lib/aws-events-targets";

const backend = defineBackend({
  auth,
  data
});

const processingStack = backend.createStack("AssetProcessingStack");

const tagsUpdated = new Rule(processingStack, 'TagsUpdated', {
  eventPattern: {
      source: ['events'],
      detailType: ['TagsIdentified'],
      detail: {
          id: [{ "exists": true }]
      }
  }
});

tagsUpdated.addTarget(new AppSync(backend.data.resources.graphqlApi, {
  graphQLOperation: "mutation UpdateAsset($input: AssetInput!) { updateAsset(input: $input) { id tags } }",
  variables: RuleTargetInput.fromObject({
      "input": {
          "id": EventField.fromPath("$.detail.id"),
          "tags": EventField.fromPath("$.detail.tags")
      }
  })
}));

[AnilMaktala]

Hey @kwwendt, thanks for raising this. Have you tried backend.data.resources.cfnResources.cfnGraphqlApi.authenticationType to retrieve the auth mode?

[kwwendt]

Hey @AnilMaktala - it's not a matter of needing access to auth modes but being able to reference the graphqlApi object in another CDK construct like this which checks if the modes attribute contains IAM in order to provision AppSync as a target for EventBridge.

Subset of code pulled from above:

const tagsUpdated = new Rule(processingStack, 'TagsUpdated', {
  eventPattern: {
      source: ['events'],
      detailType: ['TagsIdentified'],
      detail: {
          id: [{ "exists": true }]
      }
  }
});

tagsUpdated.addTarget(new AppSync(backend.data.resources.graphqlApi, {
  graphQLOperation: "mutation UpdateAsset($input: AssetInput!) { updateAsset(input: $input) { id tags } }",
  variables: RuleTargetInput.fromObject({
      "input": {
          "id": EventField.fromPath("$.detail.id"),
          "tags": EventField.fromPath("$.detail.tags")
      }
  })
}));

Location in the CDK code where it checks for IAM in the IGraphqlApi resource type.

[chrisbonifacio]

Marking this is as a bug as I was able to reproduce it consistently as well. The modes should not be an empty array if there are auth modes configured on defineData.

[iartemiev]

Support for the modes attribute in the fromGraphqlApiAttributes method was added in aws/aws-cdk#29584 and released as part of version aws-cdk-lib@2.143.1.

We're currently using version 2.129.0 in the amplify-graphql-api-construct package.

Since this is a newer AppSync CDK construct feature that was not available at the time of GA release for Amplify Gen2, I think this issue should be labeled a feature request. I will discuss with the team whether there are blockers to upgrading our aws-cdk-lib dep and surfacing modes via gen2 afterwards.

[palpatim]

Our most recent CDK upgrade only went to 2.129.0 because of problems we encountered attempting to migrate to a higher version--specifically, we had issues with some functions in the Gen 1 CLI. We have a plan to split this repo into Gen 1 and Gen 2 branches, which will enable us to iterate and upgrade the Gen 2 branch more easily. We haven't yet started work on that project, but will keep this request in mind when we finish it.

[palpatim]

We upgraded the CDK version in @aws-amplify/data-construct@1.9.7. I've got PR #2840 in the works to populate the L2 construct properties, including modes.

[palpatim]

This was released in @aws-amplify/graphql-api-construct@1.13.0, @aws-amplify/data-construct@1.10.1.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.