Amplify-cli: How to extend generated CloudFormation templates

Created on 30 Jan 2019  ·  17 Comments  ·  Source: aws-amplify/amplify-cli

Which Category is your question related to?
API
What AWS Services are you utilizing?
AppSync, Cognito, Dynamo, S3
Provide additional details e.g. code snippets
In a comment on #766, @undefobj mentioned that it was possible to cleanly edit generated CF templates in such a way that the next generation did not overwrite the changes. He suggested opening a new issue so as not to clutter that RFC. So, here it is!

cloudformation question

All 17 comments

@olivoil opened a related issue, #530, and closed it soon after, saying that amplify api push --no-gql-override does what he wanted. I can find no documentation of that flag, BTW.

I used the flag to not modify the changes I made to the template before pushing. Not a great long term solution as it did overwrite my changes when I explicitly regenerated with gql-compile, but it was enough for my immediate need back then

@ceich For AppSync we'll be introducing Custom resolvers and Custom CFN support soon (it is being actively tested).

For the other services, have you tried modifying the Cloudformation files in the amplify/backend dir?
Did any of the operations override these files?

You can take a look at our git homepage -> https://github.com/aws-amplify/amplify-cli for the list of commands, which has a description of the --no-gql-override flag.

@kaustavghosh06 Thanks for the update. I have not tried updating the CFN files yet. I just today realized that CFN does not support Cognito Hosted UI at all, so moving to Amplify CLI is not a priority for me.

I think the description of --no-gql-override may be missing a word (I've added it in brackets):

The 'no-gql-override' flag does not automatically compile your annotated GraphQL schema and will [not] override your local AppSync resolvers and templates.

I'm using Auth resources and I want to modify AuthRole.

I edited the generated CloudFormation template: amplify/backend/awscloudformation/nested-cloudformation-stack.yml
(I'm using @aws-amplify/cli@multienv by the way)

When I did amplify push, the stack template had been overwritten.
--no-gql-override did not help for this.

Any suggestion?

@kulikala amplify/backend/awscloudformation/nested-cloudformation-stack.yml is a runtime file which gets re-generated on every push. What exactly are you looking to add in the AuthRole? So if you're adding some policies tied to, say, a storage resource, you could modify the storage CloudFormation file located in amplify/backend/storage/<resource-name>/cloudformation-template.json and add custom policies to the authRole.

@kaustavghosh06 wrote:

... you could modify the storage Cloudformation file located in amplify/backend/storage/<resource-name>/cloudformation-template.json and add ...

Are you saying that templates are fair game for customization and won't be overwritten (as long as I don't remove that category)?

@kaustavghosh06

What exactly are you looking to add in the AuthRole?

Here's an extract of one of the policies I need:

PolicyDocument:
  Version: '2012-10-17'
  Statement:
    - Sid: 1
      Effect: Allow
      Action:
        - cognito-idp:AdminEnableUser
        - cognito-idp:AdminCreateUser
        - cognito-idp:AdminDisableUser
        - cognito-idp:AdminGetUser
        - cognito-idp:adminDeleteUser
        - cognito-idp:ListUsers
      Resource:
        - !Sub
          - arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${UserPoolId}
          - UserPoolId: !GetAtt cognitoxxxxxxxx.Outputs.UserPoolId

In this case, is customizing amplify/backend/auth/cognitoxxxxxxxx/cognitoxxxxxxxx-cloudformation-template.yml the best solution for adding custom policies to the authRole?


amplify/backend/awscloudformation/nested-cloudformation-stack.yml is a runtime file which gets re-generated on every push.

Do you mean you can add nested-cloudformation-stack.yml to the .gitignore file and that it is not supposed to be maintained under a version control system?

amplify init generates a .gitignore with some of the amplify files, but it seems the amplify/backend/awscloudformation dir is not in there.

Here's a copy of the generated ones:

#amplify
amplify/\#current-cloud-backend
amplify/.config/local-*
amplify/backend/amplify-meta.json
aws-exports.js
awsconfiguration.json

@kulikala it looks like you're attaching an administrator-level policy. Is there a reason you're doing this for a specific use case? What you propose above could be a security risk; however, we are looking at Administrator flows in this RFC: https://github.com/aws-amplify/amplify-cli/issues/766
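
The concern in the comment above can be checked mechanically before a push. This is an added example, not code from the thread or from the Amplify project: it walks a CloudFormation template and reports Allow statements on the authenticated role that grant Cognito `Admin*` actions, directly or through a wildcard. The resource name, the `authRoleName` parameter reference and the sample template are assumptions constructed for illustration.

```python
import fnmatch
import json

# Constructed sample: the actions quoted in the thread, attached to the
# authenticated role. Resource name and "authRoleName" Ref are assumptions.
TEMPLATE = json.loads("""
{"Resources": {"AuthRoleUserAdminPolicy": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "user-admin",
    "Roles": [{"Ref": "authRoleName"}],
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
      "Effect": "Allow",
      "Action": ["cognito-idp:AdminEnableUser", "cognito-idp:AdminCreateUser",
                 "cognito-idp:AdminDisableUser", "cognito-idp:AdminGetUser",
                 "cognito-idp:adminDeleteUser", "cognito-idp:ListUsers"],
      "Resource": "*"}]}}}}}
""")

ADMIN_PATTERN = "cognito-idp:admin*"       # compared in lower case
ADMIN_PROBE = "cognito-idp:admindeleteuser"  # used to test wildcard grants


def as_list(value):
    """IAM allows a scalar or a list for Action, Statement and Roles."""
    return value if isinstance(value, list) else [value]


def admin_actions_on_role(template, role_ref="authRoleName"):
    """Return (resource name, action) pairs for Allow statements attached to
    role_ref that grant, or could expand to, a Cognito Admin* action."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        props = res.get("Properties", {})
        if {"Ref": role_ref} not in as_list(props.get("Roles", [])):
            continue
        doc = props.get("PolicyDocument", {})
        for stmt in as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            for action in as_list(stmt.get("Action", [])):
                low = action.lower()  # IAM action names are case-insensitive
                if (fnmatch.fnmatchcase(low, ADMIN_PATTERN)
                        or fnmatch.fnmatchcase(ADMIN_PROBE, low)):
                    findings.append((name, action))
    return findings
```

The lower-casing matters for the policy quoted in the thread: `cognito-idp:adminDeleteUser` is written in a different case from the other actions but is granted all the same.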

@ceich We added support for Custom resolvers and custom CFN stacks in the latest version of our CLI. Let me know if you find that helpful. Also, we're actively working on supporting Cognito hosted UI setup as a part of the CLI. We'll update #766 when we have that ready.

@kulikala yes, to both your questions.

@kaustavghosh06 I can't find any documentation on how to use the support for custom cloudformation and custom resolvers. Where can I read up on this?

So, if I add a field to the auth (adding cognito when adding an api, for example) that I didn't want to actually require, I have to go through adding my api and auth again?

@kaustavghosh06 I can't find any documentation on how to use the support for custom cloudformation and custom resolvers. Where can I read up on this?

There's a few words here, although there aren't many examples.

https://aws-amplify.github.io/docs/cli-toolchain/graphql#api-category-project-structure

@kaustavghosh06 May I know why the documentation isn't linked when the feature is implemented and released for public use? Amplify has tons of issues, but without docs on feature updates how are we gonna track down and close issues?

@babus
We have docs for writing your own CloudFormation templates or extending them out here - https://aws-amplify.github.io/docs/cli-toolchain/quickstart#custom-cloudformation-stacks

@kaustavghosh06 wrote:

... you could modify the storage Cloudformation file located in amplify/backend/storage/<resource-name>/cloudformation-template.json and add ...

Are you saying that templates are fair game for customization and won't be overwritten (as long as I don't remove that category)?

Having trouble seeing a workaround for this scenario. If I want to modify a resource from the generated cf template, what are my options? For a small example, say I want to change the "Name" of my RestApi resource to be a Fn::Join with the name and ${env}. As soon as I update my api or add a new route in the future (anything with the cli in that resource) it will overwrite what I had in there.

The released feature of custom stacks helps if it's new resources, but it doesn't seem extensible to the generated templates.

I'm sorta on the same boat. I want to add/edit a couple of policies within the auth / unauth roles (amplify generated ones) and I don't know where to write the changes so they persist correctly.
