update e2e test for storage access outputs (aws-amplify#2063)

* update backend output test for storage access outputs

* move assertion to post deployment

.changeset/healthy-planes-live.md

@@ -0,0 +1,2 @@
+---
+---

packages/integration-tests/src/test-e2e/backend_output.test.ts

@@ -24,6 +24,11 @@ import { DataStorageAuthWithTriggerTestProjectCreator } from '../test-project-se
 import { SQSClient } from '@aws-sdk/client-sqs';
 import { setupDeployedBackendClient } from '../test-project-setup/setup_deployed_backend_client.js';
 
+/**
+ * This E2E test is to check whether current (aka latest) repository content introduces breaking changes
+ * for our deployed backend client to read outputs.
+ */
+
 // Different root test dir to avoid race conditions with e2e deployment tests
 const rootTestDir = fileURLToPath(
   new URL('../e2e-outputs-tests', import.meta.url)
@@ -83,7 +88,6 @@ void describe(
 
       await testProject.deploy(branchBackendIdentifier, sharedSecretsEnv);
       await testProject.assertPostDeployment(branchBackendIdentifier);
-
       await testProject.assertDeployedClientOutputs(branchBackendIdentifier);
     });
   }

packages/integration-tests/src/test-project-setup/data_storage_auth_with_triggers.ts

@@ -23,6 +23,7 @@ import {
   SQSClient,
 } from '@aws-sdk/client-sqs';
 import { e2eToolingClientConfig } from '../e2e_tooling_client_config.js';
+import isMatch from 'lodash.ismatch';
 
 /**
  * Creates test projects with data, storage, and auth categories.
@@ -298,6 +299,31 @@ class DataStorageAuthWithTriggerTestProject extends TestProjectBase {
     );
     assert.ok(fileContent.includes('newKey: string;')); // Env var added via addEnvironment
     assert.ok(fileContent.includes('TEST_SECRET: string;')); // Env var added via defineFunction
+
+    // assert storage access paths are correct in stack outputs
+    const outputsObject = JSON.parse(
+      await fs.readFile(
+        path.join(this.projectDirPath, 'amplify_outputs.json'),
+        'utf-8'
+      )
+    );
+    assert.ok(
+      isMatch(outputsObject.storage.buckets[0].paths, {
+        'public/*': {
+          guest: ['get', 'list'],
+          authenticated: ['get', 'list', 'write'],
+          groupsAdmins: ['get', 'list', 'write', 'delete'],
+        },
+        'protected/*': {
+          authenticated: ['get', 'list'],
+          groupsAdmins: ['get', 'list', 'write', 'delete'],
+        },
+        'protected/${cognito-identity.amazonaws.com:sub}/*': {
+          // eslint-disable-next-line spellcheck/spell-checker
+          entityidentity: ['get', 'list', 'write', 'delete'],
+        },
+      })
+    );
   }
 
   private getUpdateReplacementDefinition = (suffix: string) => ({

packages/integration-tests/src/test-projects/data-storage-auth-with-triggers-ts/amplify/auth/resource.ts

@@ -24,4 +24,5 @@ export const auth = defineAuth({
   triggers: {
     postConfirmation: defaultNodeFunc,
   },
+  groups: ['Admins'],
 });

packages/integration-tests/src/test-projects/data-storage-auth-with-triggers-ts/amplify/storage/resource.ts

@@ -16,6 +16,14 @@ export const storage = defineStorage({
     'public/*': [
       allow.resource(defaultNodeFunc).to(['read', 'write']),
       allow.resource(node16Func).to(['read', 'write']),
+      allow.guest.to(['read']),
+      allow.authenticated.to(['read', 'write']),
+      allow.groups(['Admins']).to(['read', 'write', 'delete']),
+    ],
+    'protected/{entity_id}/*': [
+      allow.authenticated.to(['read']),
+      allow.entity('identity').to(['read', 'write', 'delete']),
+      allow.groups(['Admins']).to(['read', 'write', 'delete']),
     ],
   }),
 });