fix(amplify-category-auth): clean up OIDC provider on auth stack teardown#14952
Open
ahmedhamouda78 wants to merge 3 commits into
Conversation
…down

The OpenId custom resource Lambda only handled Create/Update requests, so on stack deletion the account-global IAM OIDC provider (accounts.google.com) was never removed. Orphaned providers accumulate in the account on every teardown.

Add a Delete handler that removes the client IDs this resource registered and deletes the provider only once no client IDs remain, so providers shared by other Amplify apps in the same account are preserved. All IAM calls tolerate an already-removed provider/client ID, keeping the handler idempotent.

Grant the OpenId Lambda role iam:RemoveClientIDFromOpenIDConnectProvider and iam:DeleteOpenIDConnectProvider (scoped to the accounts.google.com provider).

Adds unit tests covering create, sole-owner delete, shared-provider delete, and idempotent delete.

…a deps

cfn-response and @aws-sdk/client-iam are provided by the Lambda runtime and are not installed in the package, so jest.mock could not resolve them and the suite failed to run in CI. Mark both mocks as virtual.
soberm reviewed Jul 2, 2026

- Re-read the provider after removing our client IDs and delete it if a concurrently-deleting stack emptied it, closing a race that could leave a provider with zero client IDs orphaned in the account.
- Harden provider lookup to match on the URL host / :oidc-provider/<host> ARN suffix instead of brittle string splitting.
- Clarify in the stack builder that account-level iam:ListOpenIDConnectProviders is granted in the adjacent statement (required by the lookup).
- Tests: guard invoke() when response.send is never called, rename the URL constant to avoid shadowing the global, and add Update-appends and concurrent-deletion-race cases.
Thanks for the thorough review @soberm — all six points addressed in b16780b:
All six unit tests pass locally under CI-like conditions (runtime-only deps mocked virtually).

soberm approved these changes Jul 2, 2026
Description of changes
The auth category's `OpenId` custom resource Lambda (openIdLambda.js) only handled `Create`/`Update` events. On stack deletion CloudFormation sends a `Delete` event, which fell through to a no-op — so the account-global IAM OIDC provider (accounts.google.com) was never removed. Orphaned providers accumulate in the account on every teardown of an auth resource configured with Google/OpenID federation.

This PR:

- Adds a `Delete` handler to `openIdLambda.js`. Because the provider is account-global and keyed by URL (the create path reuses it and appends client IDs), the handler removes only the client IDs this resource registered and deletes the provider only once no client IDs remain — preserving providers shared by other Amplify apps in the same account. All IAM calls tolerate an already-removed provider/client ID, so the handler is idempotent.
- Grants `iam:RemoveClientIDFromOpenIDConnectProvider` and `iam:DeleteOpenIDConnectProvider` (scoped to the `accounts.google.com` provider ARN) in `auth-cognito-stack-builder.ts`.

Issue #, if available
N/A
Description of how you validated changes
`openIdLambda.test.js` passes (4/4), driving the real handler through: create, sole-owner delete (provider removed), shared-provider delete (provider retained, only this resource's client IDs removed), and delete-when-absent (idempotent).

Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
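The shared-provider Delete logic this PR describes (remove only our client IDs, re-read the provider to close the concurrent-teardown race, delete only when empty, tolerate NoSuchEntity throughout) and the least-privilege grant it needs, written out as an added example. This is not the PR's `openIdLambda.js` or `auth-cognito-stack-builder.ts`; the IAM client is an in-memory fake whose method names mirror the IAM API calls but are assumptions, the sample account ID and client IDs are constructed, and the example assumes the role also has `iam:GetOpenIDConnectProvider` for the re-read (the Create path already reads the provider to append client IDs).

```javascript
// Added example, not the PR's openIdLambda.js: a Delete handler for an
// account-global IAM OIDC provider shared by several stacks, plus the
// least-privilege statements that handler needs. The IAM client is an
// in-memory fake; its method names mirror the IAM API but are assumptions.

// Error the handler tolerates: provider or client ID already removed.
class NoSuchEntityError extends Error {
  constructor(msg) { super(msg); this.name = 'NoSuchEntityException'; }
}
const isNoSuchEntity = (err) => err && err.name === 'NoSuchEntityException';

// Constructed stand-in for IAM. providers: { arn: { url, clientIds: [...] } }
class FakeIam {
  constructor(providers = {}) {
    this.providers = new Map(Object.entries(providers)
      .map(([arn, p]) => [arn, { url: p.url, clientIds: new Set(p.clientIds) }]));
  }
  listOpenIDConnectProviders() {
    return { OpenIDConnectProviderList: [...this.providers.keys()].map((Arn) => ({ Arn })) };
  }
  getOpenIDConnectProvider({ OpenIDConnectProviderArn: arn }) {
    const p = this.providers.get(arn);
    if (!p) throw new NoSuchEntityError(`no provider ${arn}`);
    return { Url: p.url, ClientIDList: [...p.clientIds] };
  }
  removeClientIDFromOpenIDConnectProvider({ OpenIDConnectProviderArn: arn, ClientID }) {
    const p = this.providers.get(arn);
    if (!p || !p.clientIds.delete(ClientID)) throw new NoSuchEntityError(`no client ${ClientID}`);
  }
  deleteOpenIDConnectProvider({ OpenIDConnectProviderArn: arn }) {
    if (!this.providers.delete(arn)) throw new NoSuchEntityError(`no provider ${arn}`);
  }
}

// Look the provider up by its ARN suffix ":oidc-provider/<host>" rather than
// by positional string splitting. Needs account-level iam:ListOpenIDConnectProviders.
function findProviderArn(iam, providerUrl) {
  const suffix = `:oidc-provider/${new URL(providerUrl).host}`;
  const hit = iam.listOpenIDConnectProviders().OpenIDConnectProviderList
    .find((p) => p.Arn.endsWith(suffix));
  return hit ? hit.Arn : null;
}

// Delete handler: detach only the client IDs this resource registered, re-read
// the provider, and delete it only when no client IDs remain. Every IAM call
// tolerates NoSuchEntity, so a repeated Delete event is a no-op.
function handleDelete(iam, providerUrl, ownedClientIds) {
  const result = { providerDeleted: false, removedClientIds: [] };
  const arn = findProviderArn(iam, providerUrl);
  if (!arn) return result; // already gone: idempotent

  for (const clientId of ownedClientIds) {
    try {
      iam.removeClientIDFromOpenIDConnectProvider({ OpenIDConnectProviderArn: arn, ClientID: clientId });
      result.removedClientIds.push(clientId);
    } catch (err) {
      if (!isNoSuchEntity(err)) throw err; // removed by a concurrent teardown
    }
  }

  // Re-read after removal: a concurrently-deleting stack may have emptied the
  // provider after our list call; the last one out must still delete it.
  let remaining;
  try {
    remaining = iam.getOpenIDConnectProvider({ OpenIDConnectProviderArn: arn }).ClientIDList;
  } catch (err) {
    if (!isNoSuchEntity(err)) throw err;
    return result; // another stack deleted it in between
  }
  if (remaining.length > 0) return result; // still shared: keep it

  try {
    iam.deleteOpenIDConnectProvider({ OpenIDConnectProviderArn: arn });
    result.providerDeleted = true;
  } catch (err) {
    if (!isNoSuchEntity(err)) throw err;
  }
  return result;
}

// Least-privilege grant for the handler (hypothetical shape, not the stack
// builder's code): listing cannot be resource-scoped, so it sits in its own
// statement; the mutating actions are scoped to the one provider ARN.
function deletePolicyStatements(accountId, host = 'accounts.google.com') {
  return [
    { Effect: 'Allow', Action: ['iam:ListOpenIDConnectProviders'], Resource: '*' },
    { Effect: 'Allow',
      Action: ['iam:GetOpenIDConnectProvider', 'iam:RemoveClientIDFromOpenIDConnectProvider',
               'iam:DeleteOpenIDConnectProvider'],
      Resource: `arn:aws:iam::${accountId}:oidc-provider/${host}` },
  ];
}

// Constructed sample: one shared provider in a made-up account.
const GOOGLE_OIDC_URL = 'https://accounts.google.com';
const GOOGLE_ARN = 'arn:aws:iam::123456789012:oidc-provider/accounts.google.com';
```

`handleDelete(new FakeIam({ [GOOGLE_ARN]: { url: GOOGLE_OIDC_URL, clientIds: ['a', 'b'] } }), GOOGLE_OIDC_URL, ['a'])` leaves the provider in place with `b` still registered; calling it with `['a', 'b']` removes both and deletes the provider. The re-read before deletion is what makes the race safe: two stacks each removing their own IDs can both observe an empty provider, and the NoSuchEntity tolerance means the second delete attempt is harmless rather than a failed stack deletion.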