Overriding resources
When defining resources, you can access some underlying AWS Cloud Development Kit (CDK) construct properties to modify resource configurations. This allows you to customize backend resources beyond what is offered through the define*
functions.
Overrides are defined in the amplify/backend.ts
file after the defineBackend
call has been made.
import { defineBackend } from '@aws-amplify/backend';import { auth } from './auth/resource';import { data } from './data/resource';
const backend = defineBackend({ auth, data});
// overrides go here
The backend
object exposes a resources
property with objects for each of the components passed into the defineBackend
function. Each of these resource objects exposes underlying L1 and L2 AWS CDK constructs that you can modify.
For example, here is how you can access the Cognito user pool that is created by defineAuth
and set a custom removal policy on the resource.
import { RemovalPolicy } from 'aws-cdk-lib';import { defineBackend } from '@aws-amplify/backend';import { auth } from './auth/resource';
const backend = defineBackend({ auth});
const userPool = backend.auth.resources.userPool;userPool.applyRemovalPolicy(RemovalPolicy.RETAIN_ON_UPDATE_OR_DELETE);
Most L1 and L2 AWS CDK constructs that are used by the define*
functions are accessible in this way.
Example - Grant access permissions between resources
Consider the case that we want to grant a function created by defineFunction
access to call the Cognito user pool created by defineAuth
. For most cases it is recommended to use the access
property on defineAuth
, however for permissions not exposed by this property, access can be accomplished with the following overrides.
import { defineBackend } from '@aws-amplify/backend';import { auth } from './auth/resource';import { data } from './data/resource';import { authAuditorFunction } from './functions/auth-auditor-function/resource';
const backend = defineBackend({ auth, data, authAuditorFunction,});
const userPool = backend.auth.resources.userPool;const lambdaFunction = backend.authAuditorFunction.resources.lambda;
// grant the lambdaFunction access to list auth events for a particular useruserPool.grant(lambdaFunction, 'cognito:AdminListUserAuthEvents');
// pass the Lambda the UserPool ID so that the Lambda can use it to make SDK callsbackend.authAuditorFunction.addEnvironment('USER_POOL_ID', userPool.userPoolId);
Example - Modify L1 CDK Constructs
It's possible to reach all the way down to the raw CloudFormation to mutate properties using addPropertyOverride
on an AWS CDK construct. To edit the password policies of the Cognito user pool in defineAuth
, you can use the following code.
import { defineBackend } from '@aws-amplify/backend';import { auth } from './auth/resource';
const backend = defineBackend({ auth,});// extract L1 CfnUserPool resourcesconst { cfnUserPool } = backend.auth.resources.cfnResources;// modify cfnUserPool policies directlycfnUserPool.policies = { passwordPolicy: { minimumLength: 10, requireLowercase: true, requireNumbers: true, requireSymbols: true, requireUppercase: true, temporaryPasswordValidityDays: 20, },};
Note the usage of auth.resources.cfnResources
. This property exposes L1 CDK constructs that map one-to-one with the underlying CloudFormation properties.
The auth.resources.cfnResources.cfnUserPool
property in the above example directly maps to the AWS::Cognito::UserPool CloudFormation resource.
This is different from auth.resources.userPool
in the first example, which is an L2 CDK construct. These are constructs that provide a convenient interface around several related L1 constructs.
Example - Add tags to resources
import { defineBackend } from '@aws-amplify/backend';import { auth } from './auth/resource';import { data } from './data/resource';
const backend = defineBackend({ auth, data});
backend.data.resources.cfnResources.cfnGraphqlApi.addPropertyOverride('Tags', [ { Key: 'graphqlapi-tag-1', Value: 'graphql-tag-value-1' }, { Key: 'graphqlapi-tag-2', Value: 'graphql-tag-value-2' }]);
For situations where you need even more customization of your app backend, see the documentation on custom resources.