feat(gen2-migration): assessment validation, credential loading, and infra reorganization#14719
Open
iliapolo wants to merge 94 commits intogen2-migrationfrom
Open
feat(gen2-migration): assessment validation, credential loading, and infra reorganization#14719iliapolo wants to merge 94 commits intogen2-migrationfrom
iliapolo wants to merge 94 commits intogen2-migrationfrom
Conversation
Squash of all work on the migration-plan branch since diverging from gen2-migration. Includes the assess subcommand for migration readiness, the refactor command rebuild with category-specific forward/rollback refactorers, the generate-new infrastructure with Generator+Renderer pattern, unified validation model, SpinningLogger UX, and comprehensive unit tests. --- Prompt: squash all commits after the merge base with gen2-migration into one and commit
Add a noOpLogger() test helper that creates a real SpinningLogger in debug mode, then replace all `null as any` logger arguments across 8 refactor test files with it. This improves type safety without changing test behavior since the logger methods are never exercised in these tests. All 30 tests pass. --- Prompt: In the refactor test directory there are lot of null as any being used to pass a spinning logger instance - change it to actually create a proper logger instance.
Plan.validate() now captures the report field from ValidationResult and renders a "Failed Validations Report" section before the summary table. Each failed validation shows its description in red followed by the report text. Also trims the drift report in _validations.ts. --- Prompt: The report property in ValidationResult is currently not used at all. We should use to print the validation report in case the validation failed.
Replace description-JSON-based auth stack classification with resource-type detection. The new approach checks for the presence of an AWS::Cognito::UserPool resource instead of parsing the stack Description field, which is more reliable. Also rename fetchStackDescription to fetchStack and descriptionCache to stackCache for accuracy since the method returns the full Stack object. --- Prompt: commit what I did
…apping Split monolithic auth-forward/rollback/utils into separate files for Cognito and UserPoolGroups, enabling independent forward and rollback refactoring per auth sub-resource. Replace gen1LogicalIds map with abstract targetLogicalId() method on RollbackCategoryRefactorer, giving each subclass explicit control over logical ID resolution. Extract match() hook on ForwardCategoryRefactorer for type-matching customization. Thread DiscoveredResource through CategoryRefactorer base class so refactorers can use resource metadata (e.g. resourceName) for stack discovery instead of relying on shared utility functions. Minor fixes to migration app docs and sanitize script (trailing newline normalization). --- Prompt: commit what I have
…tize --- Prompt: I reset the changes. just commit.
Thread DiscoveredResource through all resource-backed planners so each operation carries the resource it belongs to. Plan.describe() now groups operations under resource headers using the format "<resourceName> (<category>/<service>)", matching the assessment display style. Ungrouped operations (scaffolding, validations) render as a flat list. Changes: - Add optional `resource` field to AmplifyMigrationOperation - Update Plan.describe() to group by resource label - Thread DiscoveredResource into all generate-side planners (Auth, ReferenceAuth, Data, S3, DynamoDB, RestApi, Function, AnalyticsKinesis) replacing separate resourceName params - Tag refactor-side operations via CategoryRefactorer and its forward/rollback subclasses (already had this.resource) - Update all affected test files with DiscoveredResource objects --- Prompt: in the gen2-migration, i want to make the plan describe itself by listing the description of each operation per resource.
Change label format to "category/resourceName (service)", add cyan color to group headers, remove indentation on grouped items, and add blank lines between groups for readability. --- Prompt: i've made changes
…ollback Group all operations under labeled sections — resource-backed ops use "Resource: category/name (service)", ungrouped ops fall under "Project". Descriptions rendered in gray for visual hierarchy. Add auth:Cognito-UserPool-Groups support in refactor assess and rollback using AuthUserPoolGroupsRollbackRefactorer. --- Prompt: I've made more changes. commit
Add NODE_OPTIONS="--max-old-space-size=8192" to the commit command example and instructions to delete the scratch commit message file after a successful commit. --- Prompt: add an instruction in AGENTS.md to delete the commit file after committing and always increase memory size to prevent lint failures
…plan Enrich the refactor plan output with changeset reports and formatted move tables so operators can review exactly what each operation will change before executing. Key changes: - Auth cognito: explicit client matching (GEN1_WEB_CLIENT ↔ GEN2_WEB_CLIENT, GEN1_NATIVE_APP_CLIENT ↔ GEN2_NATIVE_APP_CLIENT) replacing negation-based logic. Exported shared constants. - Auth user pool groups: extracted RESOURCE_TYPES constant, use USER_POOL_GROUP_TYPE consistently. - category-refactorer: added changeset preview via CreateChangeSetCommand/DescribeChangeSetCommand, made updateSource/updateTarget/buildMoveOperations/beforeMovePlan async, enriched plan descriptions with changeset reports and move tables. - forward/rollback-category-refactorer: updated to async signatures, added move table formatting to descriptions. - Removed validateSingleResourcePerCategory from refactor.ts. - Plan output now uses numbered steps and bold labels. - New files: changeset-report.ts, template-diff.ts, move-table.ts (formatting utilities). - Test stubs updated for new CFN commands. --- Prompt: I've made changes - commit what i've done. dont run tests or anything, just commit.
Use full JSON path (Target.Path) instead of just the top-level property name so duplicate property names like RoleMappings are distinguishable. Show before/after values on separate lines for readability. Use bgGray chalk headers for operation descriptions. Minor spacing tweaks in plan output and move table. --- Prompt: I've made more changes. Commit them. not tests.
…et no-changes detection Replace hand-rolled box-drawing move table with cli-table3 (CLITable) to match existing patterns. Fix changeset no-changes detection: a CREATE_COMPLETE changeset with an empty Changes list is the actual no-changes case, not a waiter failure. formatChangeSetReport now returns undefined when there are no changes. Remove debug 'bubu' suffix from cfn-output-resolver. --- Prompt: commit
…tor plan Move changeset creation into the validation lifecycle of updateSource/updateTarget operations. formatChangeSetReport returns undefined when no changes are detected. The validation checks report === undefined (valid) and surfaces the changeset report on failure. The describe output shows the report regardless. Removed unused chalk and formatTemplateDiff imports. --- Prompt: Commit. Don't run tests yet.
Add CreateChangeSetCommand/DescribeChangeSetCommand mocks to the CloudFormationMock framework and individual test files that call plan(). Update tests for API changes: renamed module paths (auth-forward → auth-cognito-forward), new abstract targetLogicalId method on RollbackCategoryRefactorer, async beforeMovePlan, updated error message format, and Cognito-UserPool-Groups now being supported. Remove dead auth-utils.test.ts for deleted module. All 376 gen2-migr
Improve category refactorer resilience for partial failure recovery and multi-stack auth scenarios: - Handle empty change-sets gracefully when source/target templates match deployed state (partial failure recovery) - Support reusing existing holding stacks in forward path for auth's two-gen1-stack-to-one-gen2-stack mapping - Consolidate rollback restore-from-holding into a single operation instead of three separate ops - Add logging before stack update/move/refactor operations - Improve plan step formatting (remove extra blank lines, add trailing newline to move table) - Use clearer descriptions for empty change-set validation --- Prompt: commit my changes
Move physicalResourceId onto MoveMapping so it is populated once during buildResourceMappings and carried through the entire refactor pipeline. This eliminates redundant fetchStackResources calls in buildMoveOperations and the separate physicalIds/types maps that were threaded to formatMoveTable. - buildResourceMappings is now async; forward fetches from gen1Env, rollback from gen2Branch. - buildBlueprint is now async to await buildResourceMappings. - Deleted move-table.ts; renderMappingTable is now a protected method on CategoryRefactorer accepting MoveMapping[]. --- Prompt: in category-refactorer - I want to add the physical resource id to MoveMapping. Also make formatMoveTable accept MoveMapping[] and remove the unnecessary maps being passed to it. Remove move-table.ts and put formatMoveTable into a protected method inside CategoryRefactorer. Rename formatMoveTable to renderMappingTable.
…fy error handling Move all non-mutating work out of execute/describe/validate callbacks so errors surface during planning before any mutations run. tryRefactorStack and tryUpdateStack now throw on failure instead of returning result objects, eliminating boilerplate checks at every call site. createChangeSetReport now cleans up its changeset via try/finally. Deleted unused legacy-custom-resource.ts and template-diff.ts. --- Prompt: hoist computation out of execute callbacks, make tryRefactorStack and tryUpdateStack throw on failure, createChangeSetReport should delete its changeset, remove legacy-custom-resource.ts and template-diff.ts.
Introduce a Cfn class that centralizes all CloudFormation operations (update, refactor, createChangeSet, findStack, deleteStack, renderChangeSet) behind a single client instance. Replace custom polling with SDK waiters (waitUntilStackUpdateComplete, waitUntilStackRefactorCreate/ ExecuteComplete, waitUntilStackDeleteComplete). Delete refactorer.ts (re-export of Planner), holding-stack.ts, cfn-stack-updater.ts, cfn-stack-refactor-updater.ts, changeset-report.ts, and snap.ts. Move getHoldingStackName and HOLDING_STACK_SUFFIX into CategoryRefactorer. Inline snapshot writing into cfn.ts. --- Prompt: consolidate 3 CFN operations into a Cfn class, replace custom polling with SDK waiters, remove refactorer.ts, holding-stack.ts, snap.ts, changeset-report.ts, inline snap into cfn.ts, remove resolveStackName, move ensureOutputDirectory to constructor.
Cfn now accepts a SpinningLogger and logs info messages before every wait operation (stack update, refactor create/execute, source/destination verification, stack deletion). --- Prompt: the cfn class should accept the spinning logger and log info whenever it is waiting on something.
Split rollback holding stack update into its own operation with a validation that the changeset only adds the placeholder. Split forward holding stack deletion into a separate operation. Remove redundant fetchStackResources calls by deriving physical IDs from blueprint mappings. Move description/header construction into describe callbacks and ResourceMapping construction into execute callbacks. Add Cfn.fetchTemplate method. Remove unused imports. --- Prompt: split holding stack operations, add validation, remove redundant fetches, move descriptions into describe callbacks, add Cfn.fetchTemplate.
Add stack-level deduplication to prevent duplicate updates when multiple refactorers target the same stack. Thread targetStackId through buildResourceMappings for better error messages. Rework forward beforeMove to incrementally build holding stack templates by fetching existing state. In rollback, defer template computation into the execute closure and add duplicate-resource detection. Remove non-null assertions on StackResource fields. --- Prompt: commit everything I did. don't run tests.
… noop handling Add resource-scoped log prefixes to Cfn operations so each category/resource pair is identifiable in output. Remove StackFacade caching layer so every call fetches fresh state from CloudFormation. Introduce buildNoopOperation and suppress the Implications section when all operations are no-ops. In rollback, skip resources that already exist in the target stack instead of throwing. Reduce max wait time from 3600s to 900s and pre-check destination stack existence to select the correct waiter. --- Prompt: commit everything I did. Don't run tests. just commit.
…actor workflow RefactorBlueprint now carries only mappings and stack IDs. Templates are fetched and resolved fresh inside each operation's execute() closure, so sequential refactorers targeting the same stack always see current state. This fixes the stale template bug where the second auth refactorer (user-pool-groups) would operate on a Gen2 template that the first refactorer (cognito) had already mutated. updateSource/updateTarget use plan-time resolved stacks directly (still fresh since they run before any moves). updateSource now accepts mappings to determine if a placeholder is needed. move(), beforeMove() (forward), and afterMove() (rollback) all re-fetch and re-resolve templates at execution time. --- Prompt: defer template resolution to execution time in refactor workflow to fix stale template bug when two Gen1 stacks map to the same Gen2 stack.
…and use SDK ResourceMapping Cfn.refactor() now accepts ResourceMapping[] directly, fetches both stack templates, moves resources between them, and handles the full refactor lifecycle internally. This eliminates template manipulation from callers entirely. Replace custom MoveMapping with the SDK's ResourceMapping type throughout the workflow. Simplify move(), beforeMove() (forward), and afterMove() (rollback) to just pass resource mappings. Remove fetchHoldingStackTemplate, isPlaceholderOnlyChangeSet, and the holding stack changeset validation. Move placeholder logic into addPlaceHolderIfNeeded() at the top of plan(). Fix symmetricDifference check to compare .size === 0. --- Prompt: Read what i've done and commit it.
Replace the 7-parameter AmplifyMigrationStep constructor (logger, envName, appName, appId, rootStackName, region, context) with a 3-parameter version (logger, gen1App, context). Gen1App now encapsulates all app state and is created once in the top-level dispatcher. Key changes: - Add appName to Gen1App and Gen1CreateOptions - Rename SUPPORTED_RESOURCE_KEYS to KNOWN_RESOURCE_KEYS and 'unsupported' ResourceKey to 'UNKNOWN' - Move Gen1App.create() to the dispatcher, pass instance to steps - Refactor Assessment to support step-scoped validation via validFor() and reportFor() - Replace per-resource feature assessment ops with a single Assessment validation operation per step - Add geo assessors (Map, PlaceIndex, GeofenceCollection) - Update generate/refactor tests to use mockGen1App() helper instead of spying on Gen1App.create --- Prompt: I made some changes and now refactor.test.ts and generate.test.ts don't compile. Fix them by creating a proper mock for Gen1App.
Add forward/rollback unit tests to both generate.test.ts and
refactor.test.ts that verify plan.validate() fails when the
assessment contains unsupported resources (UNKNOWN key) and
passes when all resources are supported. Uses geo:Map for
refactor and auth:Cognito-UserPool-Groups for generate since
these are assessed as supported and don't trigger deep
generator/refactorer pipelines. Also renames describe blocks
from 'execute()' to 'forward()' to match the actual method
name, and adds cfn to the createInfrastructure mock.
---
Prompt: Write a unit in refactor.test.ts that ensures that
validates fail if assessment fails. Now do the same for
generate. In refactor, the "does not throw for stateless-only
resources" should assert on the fact plan.validate passed -
like the other test. Also this is missing from generate. The
test still use "describe('execute()', ()" even though the
method is called "forward".
…ssment Fix all broken tests caused by the Gen1App constructor refactor: - lock.test.ts: use Gen1App mock instead of 7-arg constructor - _assessment.test.ts: rewrite for new validFor/render(step) API - assess.test.ts: replace removed assessFeatures() with assess() - function.assessor.test.ts: fix expected support levels - rollback-category-refactorer.test.ts: update afterMove assertion to expect 1 operation (placeholder cleanup moved into execute) Also includes user changes to assessors, AwsClients, Gen1App, refactor step, and dispatcher simplification. --- Prompt: fix the pre-existing failure as well / commit everything I have so far
…ctor Update all test files to match the refactored constructor signatures: - CategoryRefactorer: replace (clients, region) args with gen1App mock across 10 refactor test files - AuthCognitoForwardRefactorer: replace (clients, region, appId, envName) with gen1App mock - AwsClients: make loadConfiguration a dynamic import to avoid FeatureFlags side-effect, cast through `as any` in tests for private constructor - Assessment: re-add resources/features getters for test access - Assessor tests: add fileExists mock for DynamoDB/RestApi, update feature name expectations to match KNOWN_FEATURES enum - Snapshot tests: add MigrationApp.createGen1App() to bypass Gen1App.create() which requires real AWS credentials - Update _assessment.test.ts snapshots for new table format All 134 suites / 744 tests pass. --- Prompt: Now run tests and fix
Move _assessment.ts to assess/assessment.ts and rename the Assessor interface method from assess() to record(). Update all test imports and method calls to match. --- Prompt: I made some renames and moved stuff around. run tests and commit.
Replace bare 'supported'/'unsupported'/'not-applicable' string literals with a Support interface containing level and optional note. Each assessor now provides its own note for unsupported entries instead of relying on hardcoded labels in the renderer. Add supported(), unsupported(note), notApplicable() helper functions for concise assessor code. Update all assessor tests to assert on .level property and use Support objects in recordResource/recordFeature calls. --- Prompt: change the 'SupportLevel' type to "Support" that has "level" and "note" - use the note instead of the hardcoded "unsupportedLabel" we use now for refactor and generate. I want for each assessor to be able to record its own note.
Replace default return values with eslint-disable for consistent-return. The compiler already guarantees exhaustiveness via the union type — a default case with a made-up value is misleading. --- Prompt: don't do that. There is a coding guideline against it. the violation was eslint being too restrictive, the compiler ensures that no other case can happen - just disable the violation for those lines.
- Fix FunctionAssessor to record supported (was temp unsupported) - Fix GeoFenceCollectionAssessor note to standard message - Switch AwsClients dynamic import to require - Add "Final Review" step to AGENTS.md PR stage --- Prompt: commit everything and run the PR stage.
Update gen2-migration.md for Gen1App facade, new constructor signature, and assessment notes. Rewrite assess.md for the new assessor architecture, Support type, and geo resources. Generate PR body. --- Prompt: commit everything and run the PR stage.
Clarify PR stage purpose, rename "Final Review" to "Code Review", and add instruction to ask for target branch and inspect the full diff. --- Prompt: I've made some changes to AGENTS.md / commit them.
Restore `as const` on KNOWN_RESOURCE_KEYS to preserve exhaustive switch type checking. Fix validateLockStatus() in refactor.ts passing rootStackName twice instead of (rootStackName, envName). Fix copy-paste JSDoc on three geo assessors that incorrectly said "DynamoDB storage resource". Fix typo "assessement". Convert all single-line JSDoc comments to multi-line format per coding guidelines. --- Prompt: Run the PR stage.
Update AGENTS.md to instruct that both .commit-message.ai-generated.txt and .pr-body.ai-generated.md must be written to the repository root, not inside package directories. This prevents stale files from accumulating in subdirectories. --- Prompt: Add a similar instruction for the commit message file.
Consolidate all direct AWS SDK client instantiations into AwsClients. Add STSClient to AwsClients. Update _validations.ts to accept a CloudFormationClient via constructor instead of creating its own. Update lock.ts, decommission.ts, and refactor.ts to use gen1App.clients.*. Make the dispatcher instantiate AmplifyGen2MigrationValidations once and pass it to every step via the base class constructor. Steps now use this.validations instead of creating their own instances. Updated all tests accordingly. --- Prompt: Make the dispatcher also instantiate AmplifyGen2MigrationValidations and pass it to every step.
…tructor Accept Gen1App directly instead of disparate properties (rootStackName, envName, cloudFormation). Extract the instantiation in the dispatcher to a named constant. --- Prompt: AmplifyGen2MigrationValidations should directly accept a Gen1App instead of disparate properties from it.
Move shared infrastructure files (_step, _operation, _plan, _spinning-logger, _validations, planner, aws-clients, cfn-template, categories, stateful-resources) into a new _infra/ subdirectory. Remove clone.ts and shift.ts stubs. Move refactor step from refactor/refactor.ts to refactor.ts. Fix all broken import paths across 51 files including drift-detection modules. Type AwsClients constructor with Partial<AwsSdkConfig> instead of any. Export AwsSdkConfig from amplify-provider-awscloudformation. --- Prompt: I've moved and renamed a bunch of files. Run yarn build and fix the compilation errors.
Only print the Resources and Features tables when they contain entries. Previously, empty tables with just headers were always rendered. --- Prompt: In the rendering of the assessment, lets only print the tables if they are not empty.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
packages/amplify-cli/src/commands/gen2-migration/refactor/workflow/category-refactorer.ts
Fixed
Show fixed
Hide fixed
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Replace Partial<AwsSdkConfig> with AmplifyClientConfig from the SDK. Add customUserAgent to the client config for user-agent tracking. Move constructExeInfo into the try block. Fix stale import paths in test framework app.ts. --- Prompt: Ok commit what i've done.
…ding Throw a clear error with resolution guidance when team-provider-info.json is missing, instead of letting stateManager throw a generic error. Use relative path in error messages for readability. --- Prompt: made some more changes. commit.
Add explicit null check for envInfo before accessing awscloudformation. Throws a clear error when the target environment is not found in team-provider-info.json, instead of crashing with 'Cannot read properties of undefined'. --- Prompt: the change I just made also resolves issue 14590
Update test imports for files moved to _infra/ (spinning-logger, validations, aws-clients, cfn-template). Update _validations.test.ts to use Gen1App mock with clients.cloudFormation instead of module-level CloudFormationClient mock. --- Prompt: run tests and fix
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of changes
This PR restructures the gen2-migration assessment and validation system so that unsupported resources no longer hard-block migration, and centralizes SDK client initialization so commands work with any configured AWS profile — not just
default.refactorallows skipping unsupported resources (#14708)Previously,
refactorwouldthrow new AmplifyError('Unsupported resource ...')for any resource without explicit refactor support (e.g.,geo:GeofenceCollectionor unknown category:service pairs). This blocked migration entirely with no way to proceed.Now, assessment runs as a validation step inside both
generateandrefactor. When unsupported resources or features are detected, the assessment table is rendered in the "Failed Validations Report" and the user can proceed with--skip-validations. The refactor switch statement silently skips unsupported resources instead of throwing — the assessment validation already surfaced them.Example output when
generateencounters an unsupported resource:Example output when
refactorencounters an unsupported resource:SDK clients use correct credentials (#14562)
All gen2-migration commands were instantiating SDK clients with bare
new CloudFormationClient({}),new AppSyncClient(), etc. — which only works if adefaultAWS profile is configured. This broke for users with named profiles or access keys configured throughamplify pull.All SDK client instantiation is now centralized in
AwsClients, which loads credentials vialoadConfiguration(context)from@aws-amplify/amplify-provider-awscloudformation. This readsamplify/.config/local-aws-info.jsonto determine the correct profile or access keys.AwsClientsis created once inGen1App.create(context)and shared across all steps. The_validations.tsclass,lock.ts,decommission.ts, andrefactor.tsno longer create their own clients.Clear error when
team-provider-info.jsonis missing or stale (#14590)Running gen2-migration commands on a branch that doesn't have the expected environment in
team-provider-info.jsonwould crash withCannot read properties of undefined (reading 'awscloudformation').Gen1App.create()now validates that the file exists and that the target environment is present in it, throwing a clear error with resolution guidance ("checkout to the branch corresponding to environment X").Per-category assessors with feature detection
Assessment logic is extracted from the generate and refactor steps into dedicated
Assessorimplementations per category. Each assessor records resource-level support and optionally detects sub-features likeoverride.tsorcustom-policies.json. This replaces the previous model where both steps had their ownassess()method with duplicated switch statements.Example output when an app has auth overrides and custom Lambda policies:
Gen1AppfacadeAll Gen1 app state is consolidated into a single
Gen1Appclass created once viaGen1App.create(context). Steps receive(logger, gen1App, context, validations)instead of 6+ individual constructor params. Environment name resolution moved from the dispatcher intoGen1App.create()._infra/directoryShared infrastructure files (
step,operation,plan,spinning-logger,validations,planner,aws-clients,cfn-template,categories,stateful-resources) moved into_infra/. Thecloneandshiftstubs were removed. The refactor step moved fromrefactor/refactor.tstorefactor.ts.Supporttype replacesSupportResponseThe boolean
SupportResponseis replaced with aSupporttype carrying alevel('supported' | 'unsupported' | 'not-applicable') and an optionalnote. Helper functionssupported(),unsupported(note),notApplicable()keep call sites clean.Issue #, if available
Closes #14590, closes #14708, closes #14562
Description of how you validated changes
validFor()with supported, unsupported, and not-applicable combinationsAssessment.render()outputChecklist
yarn testpassesBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.