feat: Add support for custom Lambda function email senders in Auth construct

[vigy02]

Problem

This PR addresses the need for more flexible email sender configuration in the Auth construct, specifically allowing the use of custom Lambda functions for email sending capabilities.

Changes

• Added support for using Lambda functions as email senders in the Auth construct
• Implemented KMS key management for custom email senders
• Updated types and interfaces to accommodate new email sender options
• Added new test case for custom email sender functionality
• Modified existing code to handle Lambda function email senders, including permission setup
• Introduced functionality for attaching a user's KMS key to the customEmailSender for message encryption and decryption.
• Added integration tests to verify customEmailSender functionality.

Validation

A new test case was added to verify the behavior when a function is provided as an email sender. This test ensures that the custom email sender is properly set up when a Lambda function is provided.

** Manual Validation for KMS-ARN pass check **

Checklist

• If this PR includes a functional change to the runtime behavior of the code, I have added or updated automated test coverage for this change.

[sobolk]

please insert those in alphabetical order.

[sobolk]

you might need to merge latest main. this change shouldn't be on the diff.

[sobolk]

Is kmsKeyArn applicable to any of Pick<UserPoolSESOptions, 'fromEmail' | 'fromName' | 'replyTo'> ?

If not then we should introduce type for custom sender.
Something like:
type CustomEmailSender = { handler: IFunction, kmsKeyArn?: string } and then use that instead of IFunction in the union.

Or perhaps have email: Pick<UserPoolSESOptions, 'fromEmail' | 'fromName' | 'replyTo'> | IFunction | CustomEmailSender so that passing function without kmskey is still easy.

The bottom line is that we should find typing that doesn't let you specify kmsKeyArn if IFunction is not used.

@josefaidt wdyt ?

[awsluja]

this is a good point, i think this would be enough:
email: Pick<UserPoolSESOptions, 'fromEmail' | 'fromName' | 'replyTo'> | CustomEmailSender

[josefaidt]

feedback makes sense. I like this take

email: Pick<UserPoolSESOptions, 'fromEmail' | 'fromName' | 'replyTo'> | IFunction | CustomEmailSender

this is also simple, and easier to understand that you only have two valid configuration options (ses or a sender function with/without a custom kms key)

email: Pick<UserPoolSESOptions, 'fromEmail' | 'fromName' | 'replyTo'> | CustomEmailSender

[sobolk]

Similar feedback here. We should find better typing.

[sobolk]

yes, we should name this function something different.

[sobolk]

This is not good assertion for this feature. It just sends request directly to lambda. We should be asserting that communication between cognito and lambda works.

How to make this happen?:

1. We need to execute an operation on user pool that triggers email sending.
2. We need a function that can signal a fact that it was called by something and await that.
   1. Please take a look at solution we have for "scheduled functions". We use SQS queue to capture the fact that function was called.

      1. amplify-backend/packages/integration-tests/src/test-projects/data-storage-auth-with-triggers-ts/amplify/func-src/handler_with_aws_sqs.ts

         Lines 20 to 25 in 10ef35d

         	await sqsClient.send(
         	new SendMessageCommand({
         	QueueUrl: queueUrl,
         	MessageBody: messageBody,
         	})
         	);

      2. amplify-backend/packages/integration-tests/src/test-project-setup/data_storage_auth_with_triggers.ts

         Line 614 in 10ef35d

         // wait for schedule to invoke the function one time for it to send a message

      3. And fail with timeout (if sqs message doesn't arrive),

[sobolk]

Suggested change

	export type CustomEmailSenderConstruct = {
	export type CustomEmailSender = {

or CustomEmailSenderOptions

This is not a construct. It has a reference to IFunction inside but this type is not implementing Construct super class.

[sobolk]

We should add separate queue for this scenario.

Otherwise messages from email and scheduled functions will land in the same queue and we can't tell which one is which.

[sobolk]

It seems that sequencing of post deployment assertions help. But it's very implicit assumption. Using separate resources for both scenarios will remove that trap.

[sobolk]

Does Cognito try to send email if we suppress messaging ?

[sobolk]

Related to my previous comments.

We shouldn't reuse funcWithSchedule here. Because we'll be blending together two independent scenarios.

We should create a function similar to funcWithSchedule with it's own associated queue. I.e. create similar but isolated setup.

[awsluja]

same as above, this should not end with *Construct in the name

[rtpascual]

I agree with what Kamil said about this, funcWithSchedule also has a cron job to invoke it every minute which may make testing this inaccurate.

[rtpascual]

We would probably want a new/different function with same SQS setup for a different queue and no schedule set. That way only message in the queue will be from when you create a new user in triggerEmailSending and not from scheduled invocations.