Merge branch 'master' into fix-build-command

.github/CODEOWNERS

@@ -0,0 +1,6 @@
+/docs/**/android @aws-amplify/amplify-native
+/docs/**/cli @aws-amplify/amplify-cli
+/docs/**/flutter @aws-amplify/amplify-native
+/docs/**/ios @aws-amplify/amplify-native
+/docs/**/js  @aws-amplify/amplify-js
+/docs/guides @aws-amplify/developer-advocates

client/src/amplify-ui/cli-feature-flag/__snapshots__/feature-flag.spec.ts.snap

@@ -1,3 +1,17 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`amplify-feature-flags Render logic should render 1`] = `<amplify-feature-flags class="css-b9wf8u"></amplify-feature-flags>`;
+exports[`amplify-feature-flags Render logic should render 1`] = `
+<amplify-feature-flags class="css-b9wf8u">
+  <div>
+    <docs-in-page-link targetid="graphQLTransformer">
+      <h2 id="graphQLTransformer">
+        graphQLTransformer
+      </h2>
+    </docs-in-page-link>
+    <p>
+      Feature Flag related to GraphQL Transformer
+    </p>
+    <amplify-feature-flag-summary name="addMissingOwnerFields"></amplify-feature-flag-summary>
+  </div>
+</amplify-feature-flags>
+`;

client/src/amplify-ui/cli-feature-flag/feature-flags.json

@@ -1,2 +1,27 @@
 {
+  "graphQLTransformer": {
+    "description": "Feature Flag related to GraphQL Transformer",
+    "features": {
+      "addMissingOwnerFields": {
+        "description": "Automatically add owner field to type when owner fields are not in the type",
+        "type": "Feature",
+        "valueType": "Boolean",
+        "versionAdded": "4.30.0",
+        "values": [
+          {
+            "value": "true",
+            "description": "Inserts the owner field from auth rules when its missing in type",
+            "defaultNewProject": true,
+            "defaultExistingProject": false
+          },
+          {
+            "value": "false",
+            "description": "Doesn't insert the owner field automatically",
+            "defaultNewProject": false,
+            "defaultExistingProject": true
+          }
+        ]
+      }
+    }
+  }
 }

cspell.json

@@ -1309,7 +1309,9 @@
     "amplifyconfig",
     "nextamplified",
     "vercel",
-    "Uploader"
+    "Uploader",
+    "AMPLIFYLAYERGUIDE",
+    "instanceof"
   ],
   "flagWords": ["hte"]
 }

docs/cli/auth/import.md

@@ -0,0 +1,52 @@
+---
+title: Use an existing Cognito User Pool and Identity Pool
+description: Configure the Amplify CLI to use existing Amazon Cognito User Pool and Identity Pool resources as an authentication & authorization mechanism for other Amplify categories. (API, Storage, and more)
+---
+
+Import existing Amazon Cognito resources into your Amplify project. Get started by running `amplify import auth` command to search for & import an existing Cognito User Pool & Identity Pool in your account. 
+
+The `amplify import auth` will:
+* automatically populate your Amplify Library configuration files (aws-exports.js, amplifyconfiguration.json) with your chosen Amazon Cognito resource information 
+* provide your designated existing Cognito resource as the authentication & authorization mechanism for all auth-dependent categories (API, Storage and more)
+* enable Lambda functions to access the chosen Cognito resource if you permit it
+
+Make sure to run `amplify push` to complete the import process and deploy this backend change to the cloud. 
+
+This feature is particularly useful if you're trying to:
+* enable Amplify categories (such as API, Storage, and function) for your existing user base;
+* incrementally adopt Amplify for your application stack;
+* independently manage Cognito resources while working with Amplify.
+
+## Import an existing Cognito User Pool
+
+Select the "Cognito User Pool only" option when you've run `amplify import auth`. In order to successfully import your User Pool, your User Pools require at least two app clients with the following conditions:
+- *At least one "Web app client"*: an app client **without** a client secret
+- *At least one "Native app client*": an app client **with** a client secret
+
+Run `amplify push` to complete the import procedure.
+
+## Import an existing Identity Pool
+
+Select the "Cognito User Pool and Identity Pool" option when you've run `amplify import auth`. In order to successfully import your Identity Pool, it must have both of the User Pool app clients fulfilling [these requirements](#import-an-existing-cognito-user-pool) associated as an authentication provider.
+
+Your Identity Pool needs:
+- an Authenticated Role with a trust relationship to your Identity Pool
+- an **optional** Unauthenticated Role if you want to use any guest user access for your Amplify categories. (Example: Guest access for your S3 buckets or REST API endpoints)
+
+These roles are usually automatically configured when you create a new Identity Pool enabling "Unauthenticated" access and have a Cognito User Pool as an authentication provider.
+
+Amplify CLI will update the policies attached to the roles to ensure Amplify categories function correctly. For example, enabling Storage for authenticated & guest users will add private, protected, public, read and upload permissions for the S3 bucket to the unauthenticated & authenticated role.
+
+Run `amplify push` to complete the import procedure.
+
+## Multi-environment support
+
+When you create a new environment through `amplify env add`, Amplify CLI will assume by default that you're managing your app's Cognito resources outside of an Amplify project. You'll be asked to either import a different Cognito resource or maintain the same Cognito resource for your app's auth category.
+
+If you want to have Amplify manage your auth resources in a new environment, run `amplify remove auth` to unlink the imported Cognito resource and `amplify add auth` to create new Amplify-managed auth resources in the new environment.
+
+## Unlink an existing Cognito User Pool or Identity Pool
+
+In order to unlink your existing Cognito resource run `amplify remove auth`. This will only unlink the Cognito resource reference from the Amplify project. It will not remove the Cognito resource itself. 
+
+Run `amplify push` to complete the unlink procedure.

docs/cli/auth/menu.json

@@ -3,6 +3,7 @@
   "items": [
     "overview",
     "groups",
-    "admin"
+    "admin",
+    "import"
   ]
 }

docs/cli/auth/overview.md

@@ -41,3 +41,9 @@ Do you want to use the default authentication and security configuration?
 ```
 
 You can find [more documentation on adding each social provider in the Libraries section](https://docs.amplify.aws/lib/auth/social/q/platform/js#setup-your-auth-provider) of the docs.
+
+## Re-use an existing Cognito User Pool and Identity Pool
+
+Instead of letting Amplify CLI create a new set of auth resources, you can also import your existing Cognito resources. These resources can be used to auto-generate the Amplify library configuration files, used as an auth dependency for other categories and provided access permissions from within Lambda functions.
+
+Run `amplify import auth` or read the [guide on how to import existing Cognito resources](~/cli/auth/import.md).

docs/cli/cli.md

@@ -28,6 +28,8 @@ The AWS Amplify CLI uses AWS CloudFormation and nested stacks. This allows you t
 
 For example, running `amplify add auth` will bootstrap a CloudFormation template in the `amplify>auth` folder. The infrastructure template can be re-used in CI/CD processes (either with the Amplify Console or your own build process), and can be used to replicate stacks.
 
+**Note:** We strongly advise against manually updating or deleting resources created by AWS CloudFormation; it may cause the stack to be stuck in a state that can no longer be updated. Among those operations, manually updating or deleting **Cognito** resources (created by the Amplify Auth category) are considered especially dangerous and you may lose user data or break auth-related functionalities in your app.
+
 ### Local mocking 
 
 Amplify supports running a local server for mocking and testing your application before pushing to the cloud with certain categories, including API (AWS AppSync), Storage (Amazon DynamoDB and Amazon S3), Functions (AWS Lambda), and Hosting. After running amplify init you can run the following to start a mock server. [Learn more](~/cli/usage/mock.md)

docs/cli/function/build-options.md

@@ -3,7 +3,56 @@ title: Build options
 description: Use build options for Amplify's function category to execute a script before a function is deployed, e.g. to transpile Typescript or ES6 with Babel into a format that is supported by the AWS Lambda's node runtime.
 ---
 
-In some cases, it might be necessary to execute a script before a function is deployed, e.g. to transpile Typescript or ES6 with Babel into a format that is supported by the AWS Lambda's node runtime. `amplify push` will look for a `script` definition in the project root's `package.json` with the name `amplify:<resource_name>` and run it right after `npm install` is canned in the function resource's `src` directory.
+In some cases, it might be necessary to execute a script before a function is deployed, e.g. to transpile Typescript or ES6 with Babel or with `tsc` into a format that is supported by the AWS Lambda's node runtime. `amplify push` will look for a `script` definition in the project root's `package.json` with the name `amplify:<resource_name>` and run it right after `npm install` is canned in the function resource's `src` directory.
+
+**Example: Transpiling Typescript code with TSC**
+
+Make sure you have the `tsc` command installed globally by running `npm install -g typescript` or locally by running `npm install --save-dev typescript`
+
+Let's say, a function resource has been created with `amplify function add` and it is called `generateReport`. The ES6 source code for this function is located in `amplify/backend/function/generateReport/lib` and the resource's `src` directory only contains the auto-generated `package.json` for this function. In order to run Babel, you have to add the following script definition to your project root's `package.json`:
+
+```json
+{
+  "scripts": {
+    "amplify:generateReport": "cd amplify/backend/function/generateReport && tsc -p ./tsconfig.json && cd -"
+  },
+}
+```
+
+Navigate into `amplify/backend/function/generateReport` and create `tsconfig.json` then add the following to it:
+
+<!-- // spell-checker: disable -->
+```json
+{
+  "compilerOptions": {
+    "allowSyntheticDefaultImports": true,
+    "lib": ["dom", "esnext"],
+    "module": "commonjs",
+    "moduleResolution": "node",
+    "skipLibCheck": true,
+    "resolveJsonModule": true,
+    "outDir": "./src",
+    "baseUrl": "./",
+    "rootDir": "./lib",
+    "paths": {
+      "src": ["./lib"]
+    }
+  }
+}
+```
+
+<!-- // spell-checker: enable -->
+
+**NOTE:** It is important to note that if you are using `aws-sdk` in your TypeScript file, you will get a timeout if you attempt to import it with the following:
+```js
+import AWS from 'aws-sdk';
+```
+Change to this:
+```js
+import * as AWS from 'aws-sdk';
+```
+
+Once you run `amplify push`, the `amplify:generateReport` script will be executed, either by `yarn` or by `npm` depending on the existence of a `yarn.lock` file in the project root directory.
 
 **Example: Transpiling ES6 code with Babel**
 
@@ -44,4 +93,4 @@ Babel needs to be configured properly so that the transpiled code can be run on
 }
 ```
 
-Once you run `amplify push`, the `amplify:generateReport` script will be executed, either by `yarn` or by `npm` depending on the existence of a `yarn.lock` file in the project root directory.
+Once you run `amplify push`, the `amplify:generateReport` script will be executed, either by `yarn` or by `npm` depending on the existence of a `yarn.lock` file in the project root directory.

docs/cli/graphql-transformer/directives.md

@@ -1022,24 +1022,6 @@ The above schema assumes a combination of **Amazon Cognito User Pools** and **IA
 
 </amplify-callout>
 
-Let's have a look at one more example. In the following example the model is protected by Cognito User Pools by default and anyone with a valid JWT token can perform any operation on the `Post` type, but cannot update the `secret` field. The `secret` field can only be modified through the configured IAM policies, from a Lambda function for example.
-
-```graphql
-type Post @model @auth (rules: [{ allow: private }]) {
-  id: ID!
-  title: String
-  owner: String
-  secret: String
-    @auth (rules: [{ allow: private, provider: iam, operations: [create, update] }])
-}
-```
-
-<amplify-callout>
-
-The above schema assumes a combination of **Amazon Cognito User Pools** and **IAM** authentication types
-
-</amplify-callout>
-
 ### Allowed authorization mode vs. provider combinations
 
 The following table shows the allowed combinations of authorization modes and providers.

docs/cli/graphql-transformer/resolvers.md

@@ -315,7 +315,7 @@ type Todo @model @searchable {
   id: ID!
   name: String!
   description: String
-  comments: [Todo] @connection(name: "TodoComments")
+  comments: [Comment] @connection(name: "TodoComments")
 }
 ```
 
@@ -324,21 +324,30 @@ The next time you run `amplify push`, an Amazon Elasticsearch domain will be cre
 * Add the relevant location and search fields to the schema.
 
 ```graphql
-type Location {
-  lat: Float
-  lon: Float
+type Comment  @model {
+  id: ID!
+  content: String
+  todoID: ID!
 }
-input LocationInput {
+type Location {
   lat: Float
   lon: Float
 }
 type Todo @model @searchable {
   id: ID!
   name: String!
   description: String
-  comments: [Todo] @connection(name: "TodoComments")
+  comments: [Comment] @connection(name: "TodoComments")
   location: Location
 }
+type TodoConnection {
+  items: [Todo]
+  nextToken: String
+}
+input LocationInput {
+  lat: Float
+  lon: Float
+}
 type Query {
   nearbyTodos(location: LocationInput!, km: Int): TodoConnection
 }

docs/cli/reference/feature-flags.md

@@ -75,7 +75,7 @@ Amplify CLI supports the definition and override of feature flags values from en
 The environment variables must follow a naming convention, to be picked up by Amplify CLI:
 
 - Project level override: `AMPLIFYCLI_{SECTION}__{PROPERTY}`, for example: `AMPLIFYCLI_GRAPHQLTRANSFORMER__TRANSFORMERVERSION`
-- Environment specific override: `AMPLIFYCLI_{ENVNAME}_{SECTION}__{PROPERTY}`, for example: `AMPLIFYCLI-PROD_GRAPHQLTRANSFORMER__TRANSFORMERVERSION`
+- Environment specific override: `AMPLIFYCLI_{ENVNAME}_{SECTION}__{PROPERTY}`, for example: `AMPLIFYCLI_PROD_GRAPHQLTRANSFORMER__TRANSFORMERVERSION`
 
 If a `.env` file is used in the project's root folder, then it is being merged on top of the current process' environment variables, overwriting those.
 

docs/cli/restapi/testing.md

@@ -139,7 +139,7 @@ Tue Aug 18 17:36:14 UTC 2020 : Method request headers: {}
 Tue Aug 18 17:36:14 UTC 2020 : Method request body before transformations: 
 Tue Aug 18 17:36:14 UTC 2020 : Endpoint request URI: https://lambda.eu-west-2.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-west-2:664371068953:function:expressLambda-dev/invocations
 Tue Aug 18 17:36:14 UTC 2020 : Endpoint request headers: { X-Amz-Date=20200818T173614Z, X-Amz-Source-Arn=arn:aws:execute-api:eu-west-2:664371068953:s3zmw6fqy5/test-invoke-stage/GET/todos, Accept=application/json, User-Agent=AmazonAPIGateway_s3zmw6fqy5, X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDEaCWV1LXdlc3QtMiJGMEQCIC3KIeR66WhaCBw+eJ+GPhF7y4hz9xC2nN+ARb7T3psyAiBdsoaD9yMfiw2dHWjQM5x7vM11XmToNSGu64mckUQdzSq0AwgaEAEaDDU0NDM4ODgxNjY2MyIMIzObNbCd6QtYwb0IKpEDpHXEzkM2OYq7JfL0U/WbF09KNamodfnifRYwZd/GNOwykykc/zHiU9X0XZPRd+QTnQe/9eoy8DaxBkDgRzQQjTThQWJWadtcfjryTLRKpVeo1UueL+f6DTUDf+URjb0P9CN1gPm+ntZD3LSyAXGwACKG7YMA5/HyeEk [TRUNCATED]
-Tue Aug 18 17:36:14 UTC 2020 : Endpoint request body after transformations: {"resource":"/todos","path":"/todos","httpMethod":"GET","headers":null,"multiValueHeaders":null,"queryStringParameters":{"limit":"10"},"multiValueQueryStringParameters":{"limit":["10"]},"pathParameters":null,"stageVariables":null,"requestContext":{"resourcePath":"/todos","httpMethod":"GET","requestTime":"18/Aug/2020:17:36:14 +0000","path":"/todos","accountId":"664371068953","protocol":"HTTP/1.1","stage":"test-invoke-stage","domainPrefix":"testPrefix","requestTimeEpoch":1597772174890,"requestId":"4fc3c0c7-6f9f-4ac3-84d7-205500f39b5f","identity":{"cognitoIdentityPoolId":null,"cognitoIdentityId":null,"apiKey":"test-invoke-api-key","principalOrgId":null,"cognitoAuthenticationType":null,"userArn":"arn:aws:iam::664371068953:root","apiKeyId":"test-invoke-api-key-id","userAgent":"aws-internal/3 aws-sdk-java/1.11.820 Linux/4.9.217-0.1.ac.205.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.252-b09 java/1.8.0_252 v [TRUNCATED]
+Tue Aug 18 17:36:14 UTC 2020 : Endpoint request body after transformations: {"resource":"/todos","path":"/todos","httpMethod":"GET","headers":null,"multiValueHeaders":null,"queryStringParameters":{"limit":"10"},"multiValueQueryStringParameters":{"limit":["10"]},"pathParameters":null,"stageVariables":null,"requestContext":{"resourcePath":"/todos","httpMethod":"GET","requestTime":"18/Aug/2020:17:36:14 +0000","path":"/todos","accountId":"EXAMPLE_ID","protocol":"HTTP/1.1","stage":"test-invoke-stage","domainPrefix":"testPrefix","requestTimeEpoch":1597772174890,"requestId":"4fc3c0c7-6f9f-4ac3-84d7-205500f39b5f","identity":{"cognitoIdentityPoolId":null,"cognitoIdentityId":null,"apiKey":"test-invoke-api-key","principalOrgId":null,"cognitoAuthenticationType":null,"userArn":"arn:aws:iam::664371068953:root","apiKeyId":"test-invoke-api-key-id","userAgent":"aws-internal/3 aws-sdk-java/1.11.820 Linux/4.9.217-0.1.ac.205.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.252-b09 java/1.8.0_252 v [TRUNCATED]
 Tue Aug 18 17:36:14 UTC 2020 : Sending request to https://lambda.eu-west-2.amazonaws.com/2015-03-31/functions/arn:aws:lambda:eu-west-2:664371068953:function:expressLambda-dev/invocations
 Tue Aug 18 17:36:15 UTC 2020 : Received response. Status: 200, Integration latency: 137 ms
 Tue Aug 18 17:36:15 UTC 2020 : Endpoint response headers: {Date=Tue, 18 Aug 2020 17:36:15 GMT, Content-Type=application/json, Content-Length=443, Connection=keep-alive, sampled=0}