fix: parse cognito pools with service role (#13365)

* fix: parse cognito pools with service role

* chore: test fixes

* chore: missed another spot

packages/amplify-e2e-tests/src/__tests__/transformer-migrations/predictions-migration.test.ts

@@ -55,7 +55,7 @@ describe('transformer predictions migration test', () => {
     expect(translateResult.errors).toBeUndefined();
     expect(translateResult.data).toBeDefined();
     expect((translateResult.data as any).translateThis).toMatch(
-      /((\bDies\b)|(\bdas\b)|(\bder\b)) ist ein ((\bStimmtest\b)|(\Sprachtest\b))/i,
+      /((\bDies\b)|(\bdas\b)|(\bder\b)) ist ein ((\bStimmtest\b)|(\Sprachtest\b)|(\bStimmentest\b))/i,
     );
 
     const speakQuery = /* GraphQL */ `
@@ -93,7 +93,7 @@ describe('transformer predictions migration test', () => {
     expect(translateResult.errors).toBeUndefined();
     expect(translateResult.data).toBeDefined();
     expect((translateResult.data as any).translateThis).toMatch(
-      /((\bDies\b)|(\bdas\b)|(\bder\b)) ist ein ((\bStimmtest\b)|(\Sprachtest\b))/i,
+      /((\bDies\b)|(\bdas\b)|(\bder\b)) ist ein ((\bStimmtest\b)|(\Sprachtest\b)|(\bStimmentest\b))/i,
     );
 
     speakResult = await appSyncClient.query({

packages/amplify-provider-awscloudformation/src/__tests__/aws-utils/IdentityPoolService.test.ts

@@ -7,6 +7,8 @@ let mockCognitoIdentityRoles = {
   unauthenticated: 'arn:aws:iam::123456789012:role/service-role/my-unauth-role',
 };
 
+const iamRoleNameRegex = /[\w+=,.@-]+/;
+
 jest.mock('aws-sdk', () => {
   return {
     CognitoIdentity: jest.fn(() => {
@@ -33,11 +35,18 @@ jest.mock('../../configuration-manager', () => {
 describe('IdentityPoolService', () => {
   it('should correctly parse arn if it contains multiple forward slashes', async () => {
     const idpService = await createIdentityPoolService({} as unknown as $TSContext, {});
-    expect(await idpService.getIdentityPoolRoles('mockIdpId')).toEqual({
+    const identityPoolRoles = await idpService.getIdentityPoolRoles('mockIdpId');
+
+    // ensure role names match regex for IAM
+    // see: https://docs.aws.amazon.com/IAM/latest/APIReference/API_Role.html
+    expect(identityPoolRoles.authRoleName).toMatch(iamRoleNameRegex);
+    expect(identityPoolRoles.unauthRoleName).toMatch(iamRoleNameRegex);
+
+    expect(identityPoolRoles).toEqual({
       authRoleArn: 'arn:aws:iam::123456789012:role/service-role/my-auth-role',
-      authRoleName: 'service-role/my-auth-role',
+      authRoleName: 'my-auth-role',
       unauthRoleArn: 'arn:aws:iam::123456789012:role/service-role/my-unauth-role',
-      unauthRoleName: 'service-role/my-unauth-role',
+      unauthRoleName: 'my-unauth-role',
     });
   });
 
@@ -48,7 +57,14 @@ describe('IdentityPoolService', () => {
       unauthenticated: 'arn:aws:iam::123456789012:role/my-unauth-role',
     };
 
-    expect(await idpService.getIdentityPoolRoles('mockIdpId')).toEqual({
+    const identityPoolRoles = await idpService.getIdentityPoolRoles('mockIdpId');
+
+    // ensure role names match regex for IAM
+    // see: https://docs.aws.amazon.com/IAM/latest/APIReference/API_Role.html
+    expect(identityPoolRoles.authRoleName).toMatch(iamRoleNameRegex);
+    expect(identityPoolRoles.unauthRoleName).toMatch(iamRoleNameRegex);
+
+    expect(identityPoolRoles).toEqual({
       authRoleArn: 'arn:aws:iam::123456789012:role/my-auth-role',
       authRoleName: 'my-auth-role',
       unauthRoleArn: 'arn:aws:iam::123456789012:role/my-unauth-role',

packages/amplify-provider-awscloudformation/src/aws-utils/IdentityPoolService.ts

@@ -104,7 +104,7 @@ export class IdentityPoolService implements IIdentityPoolService {
       const fullRoleName = parseArn(arn).resource;
       const parts = fullRoleName.split('/');
       if (parts.length >= 2) {
-        resourceName = parts.slice(1).join('/');
+        resourceName = [...parts].pop();
       }
     }