
IAM not authorized for schema with only custom operations #2929

Open
palpatim opened this issue Oct 7, 2024 · 2 comments
Labels
bug Something isn't working Gen 2

Comments


palpatim commented Oct 7, 2024

Environment information

System:
  OS: macOS 15.0.1
  CPU: (10) arm64 Apple M1 Pro
  Memory: 121.84 MB / 32.00 GB
  Shell: /bin/zsh
Binaries:
  Node: 18.20.4 - ~/.local/share/mise/installs/node/18/bin/node
  Yarn: 1.22.22 - ~/.local/share/mise/installs/node/18/bin/yarn
  npm: 10.7.0 - ~/.local/share/mise/installs/node/18/bin/npm
  pnpm: undefined - undefined
NPM Packages:
  @aws-amplify/auth-construct: 1.3.1
  @aws-amplify/backend: 1.3.0
  @aws-amplify/backend-auth: 1.2.0
  @aws-amplify/backend-cli: 1.2.8
  @aws-amplify/backend-data: 1.1.4
  @aws-amplify/backend-deployer: 1.1.4
  @aws-amplify/backend-function: 1.5.0
  @aws-amplify/backend-output-schemas: 1.2.0
  @aws-amplify/backend-output-storage: 1.1.2
  @aws-amplify/backend-secret: 1.1.3
  @aws-amplify/backend-storage: 1.2.0
  @aws-amplify/cli-core: 1.1.3
  @aws-amplify/client-config: 1.3.2
  @aws-amplify/deployed-backend-client: 1.4.1
  @aws-amplify/form-generator: 1.0.3
  @aws-amplify/model-generator: 1.0.8
  @aws-amplify/platform-core: 1.1.0
  @aws-amplify/plugin-types: 1.3.0
  @aws-amplify/sandbox: 1.2.2
  @aws-amplify/schema-generator: 1.2.4
  aws-amplify: 6.6.2
  aws-cdk: 2.160.0
  aws-cdk-lib: 2.160.0
  typescript: 5.6.2
AWS environment variables:
  AWS_PROFILE = personal
  AWS_DEFAULT_REGION = us-west-2
  AWS_SCHMELTE_ACCOUNT = 779656175277
  AWS_STS_REGIONAL_ENDPOINTS = regional
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
CDK environment variables:
  CDK_DEFAULT_ACCOUNT = 779656175277
  CDK_DEFAULT_REGION = us-west-2

Data packages

gh2837-iam-auth-custom-mutations@0.0.0 /Users/schmelte/src/data/test-apps/gen2/gh2837-iam-auth-custom-mutations
├─┬ @aws-amplify/backend-cli@1.2.8
│ └─┬ @aws-amplify/schema-generator@1.2.4
│   └── @aws-amplify/graphql-schema-generator@0.9.4
└─┬ @aws-amplify/backend@1.3.0
  └─┬ @aws-amplify/backend-data@1.1.4
    └── @aws-amplify/data-construct@1.10.1

Description

During investigation of #2837, @atierian noted a case not covered by the fix. In the case of a schema with only custom operations and types, the @aws_iam annotation won't get automatically added to the custom type. E.g., in the following schema:

type Foo { description: String }
type Query { getFoo: Foo }

The transformed schema would correctly include @aws_iam on the getFoo field, but not on the Foo type itself, meaning that a properly authorized getFoo query would be unable to view the actual result.

There are a couple of notes to help gauge priority:

  1. A workaround for this bug is to add a static auth rule to the field, which triggers the auth transformer to process the field:

    type Foo {
      description: String @auth(rules: [{ allow: groups, groups: ["ZZZ_DOES_NOT_EXIST"] }])
    }
  2. This does not pertain to custom operation fields that have scalar types: the below example works fine after the fix in "fix: add aws_iam to custom operations when enableIamAuthorization is enabled" (#2921):

    type Query {
      getFooCustom: String
    }
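An added example, not code from the issue or the Amplify project: a small audit that reads a transformed schema and reports object types returned by an @aws_iam custom operation while lacking @aws_iam themselves, which is the gap described above. The SDL it scans is constructed for the example, and the regex reader assumes plain `type Name @dir { fields }` blocks with no nested braces.

```typescript
// Added example (not from the Amplify project or this issue): audit a transformed
// GraphQL SDL for @aws_iam custom operations whose object return type lacks @aws_iam.
const ROOT_TYPES = new Set(["Query", "Mutation", "Subscription"]);
const SCALARS = new Set(["String", "Int", "Float", "Boolean", "ID"]);

interface TypeDef { name: string; directives: string; body: string; }

// Minimal SDL reader for `type Name @dir { fields }` blocks (assumption: no nested braces).
function parseTypes(sdl: string): TypeDef[] {
  const re = /\btype\s+(\w+)([^{]*)\{([^}]*)\}/g;
  const out: TypeDef[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(sdl)) !== null) out.push({ name: m[1], directives: m[2], body: m[3] });
  return out;
}

// "[Foo!]!" -> "Foo"
const baseType = (t: string): string => t.replace(/[\[\]!\s]/g, "");

// Object types returned by an @aws_iam root field that are themselves missing @aws_iam.
// An IAM caller can invoke such an operation but is denied on every field of the result.
function findUnannotatedReturnTypes(sdl: string): string[] {
  const types = parseTypes(sdl);
  const byName: Record<string, TypeDef> = {};
  for (const t of types) byName[t.name] = t;
  const missing = new Set<string>();
  for (const root of types.filter((t) => ROOT_TYPES.has(t.name))) {
    // field shape: `getBar(id: ID!): [Bar!] @aws_iam @aws_cognito_user_pools`
    const fieldRe = /(\w+)\s*(?:\([^)]*\))?\s*:\s*([^@\n]+)((?:@\w+(?:\([^)]*\))?\s*)*)/g;
    let f: RegExpExecArray | null;
    while ((f = fieldRe.exec(root.body)) !== null) {
      if (!/@aws_iam\b/.test(f[3])) continue;
      const ret = baseType(f[2]);
      const def = byName[ret];
      if (SCALARS.has(ret) || !def) continue; // scalars carry no type-level directive
      if (!/@aws_iam\b/.test(def.directives)) missing.add(ret);
    }
  }
  return Array.from(missing).sort();
}

// Constructed sample modelled on the issue: Foo lacks @aws_iam, Bar has it.
const SAMPLE_SDL = `
type Foo { description: String }
type Bar @aws_iam { count: Int }
type Query {
  getFoo: Foo @aws_iam
  getBar(id: ID!): [Bar!] @aws_iam
  getFooCustom: String @aws_iam
}`;

console.log(findUnannotatedReturnTypes(SAMPLE_SDL)); // [ 'Foo' ]
```

Running it against the schema the transformer actually produces (rather than the constructed sample) shows whether a given deployment is affected before any IAM caller hits "Not Authorized" on the result.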

palpatim commented Oct 9, 2024

Once we fix this issue, be sure to enable the skip()ped tests that cover this case.

@palpatim

Note: We also need to make sure this fix properly handles the EventInvocationResponse type for .async() function handlers (see https://docs.amplify.aws/react/build-a-backend/data/custom-business-logic/#async-function-handlers). It should, since that type must be specified in the schema, but we'll want a specific test for it.
