test: update e2e coverage for policy update on auth removal (#13538)

packages/amplify-e2e-tests/src/__tests__/auth_3a.test.ts

@@ -40,7 +40,7 @@ describe('amplify add auth...a', () => {
     await removeAuthWithDefault(projRoot);
     await amplifyPushAuth(projRoot);
 
-    expect(AuthRoleName).not.toHaveValidPolicyConditionMatchingIdpId(idpId);
-    expect(UnauthRoleName).not.toHaveValidPolicyConditionMatchingIdpId(idpId);
+    expect(AuthRoleName).toHaveDenyAssumeRolePolicy();
+    expect(UnauthRoleName).toHaveDenyAssumeRolePolicy();
   });
 });

packages/amplify-e2e-tests/src/aws-matchers/iamMatcher.ts

@@ -67,3 +67,30 @@ export const toHaveValidPolicyConditionMatchingIdpId = async (roleName: string,
     pass,
   };
 };
+
+export const toHaveDenyAssumeRolePolicy = async (roleName: string) => {
+  let pass = false;
+  let message = '';
+
+  try {
+    const iam = new IAM({
+      accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
+      sessionToken: process.env.AWS_SESSION_TOKEN,
+    });
+
+    const { Role: role } = await iam.getRole({ RoleName: roleName }).promise();
+    const assumeRolePolicyDocument = JSON.parse(decodeURIComponent(role.AssumeRolePolicyDocument));
+
+    pass = assumeRolePolicyDocument?.Statement?.length === 1 && assumeRolePolicyDocument?.Statement?.[0]?.Effect === 'Deny';
+
+    message = pass ? 'Assume role policy has Effect: Deny' : `Assume role policy does not exist or does not have Effect: Deny.`;
+  } catch (e) {
+    message = 'IAM GetRole threw Error: ' + e.message;
+  }
+
+  return {
+    message: () => message,
+    pass,
+  };
+};

packages/amplify-e2e-tests/src/setup-tests.ts

@@ -1,4 +1,4 @@
-import { toBeIAMRoleWithArn, toHaveValidPolicyConditionMatchingIdpId, toBeAS3Bucket } from './aws-matchers';
+import { toBeIAMRoleWithArn, toHaveValidPolicyConditionMatchingIdpId, toBeAS3Bucket, toHaveDenyAssumeRolePolicy } from './aws-matchers';
 
 const removeYarnPaths = () => {
   // Remove yarn's temporary PATH modifications as they affect the yarn version used by jest tests when building the lambda functions
@@ -9,6 +9,7 @@ const removeYarnPaths = () => {
 
 expect.extend({ toBeIAMRoleWithArn });
 expect.extend({ toHaveValidPolicyConditionMatchingIdpId });
+expect.extend({ toHaveDenyAssumeRolePolicy });
 expect.extend({ toBeAS3Bucket });
 
 removeYarnPaths();

packages/amplify-e2e-tests/typings/aws-matchers.d.ts

@@ -5,5 +5,6 @@ namespace jest {
     toBeIAMRoleWithArn(roleName: string, arn?: string): R;
     toBeAS3Bucket(bucketName: string): R;
     toHaveValidPolicyConditionMatchingIdpId(idpId: string): R;
+    toHaveDenyAssumeRolePolicy(): R;
   }
 }