
(gen2-migration) lock command overrides existing root stack policy #14577

@iliapolo

Description

How did you install the Amplify CLI?

npm install --no-save @aws-amplify/cli-internal-gen2-migration-experimental-alpha

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

0.6.0

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No

Describe the bug

The lock command currently overrides the policy of the root stack:

```ts
import { CloudFormationClient, SetStackPolicyCommand } from '@aws-sdk/client-cloudformation';

// The lock policy as written today: a single Deny on all updates.
const stackPolicy = {
  Statement: [
    {
      Effect: 'Deny',
      Action: 'Update:*',
      Principal: '*',
      Resource: '*',
    },
  ],
};
const cfnClient = new CloudFormationClient({});
// SetStackPolicy replaces the whole policy body; nothing here reads the existing one first.
await cfnClient.send(
  new SetStackPolicyCommand({
    StackName: this.rootStackName,
    StackPolicyBody: JSON.stringify(stackPolicy),
  }),
);
```

Any existing stack policy statements are lost, which is not good since the customer may still need them. It gets even worse because during lock --rollback, we set the same policy with an Allow instead of Deny, so we might end up with a policy that's more permissive than the customer originally had.

Expected behavior

Instead of overriding, we should add our statement to it by first reading the existing policy with GetStackPolicyCommand.

Reproduction steps

  1. Deploy a gen1 app.
  2. Manually add some stack policy to the root stack.
  3. Run npx amplify gen2-migration lock

Observe the policy added in (2) being removed.

Project Identifier

No response

Additional information

This also means --rollback needs to do the reverse: subtract our statement from the existing policy instead of overriding it.
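One way to implement both halves of the fix (the merge described under "Expected behavior" and the subtract described here), as an added example that is not the Amplify CLI's code. It assumes the statement shape shown in the issue, that GetStackPolicy returns the body as a JSON string (or nothing when the stack has no policy), and a small injected I/O seam so the merge logic runs without AWS credentials; the real wiring to the SDK commands is sketched in a comment. Because CloudFormation cannot delete a stack policy, only replace it, rollback falls back to an allow-all policy when no customer statements remain.

```typescript
// Added example, not the Amplify CLI's own code.

type Statement = {
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Principal: string;
  Resource: string | string[];
  Condition?: Record<string, unknown>;
};
type StackPolicy = { Statement: Statement[] };

// The statement the lock command adds today (shape copied from the issue).
const LOCK_STATEMENT: Statement = { Effect: 'Deny', Action: 'Update:*', Principal: '*', Resource: '*' };
// A stack policy cannot be deleted, only replaced, so an empty result after
// rollback becomes an explicit allow-all (the pre-lock equivalent).
const ALLOW_ALL_STATEMENT: Statement = { Effect: 'Allow', Action: 'Update:*', Principal: '*', Resource: '*' };

// GetStackPolicy returns StackPolicyBody as a JSON string, or undefined when the
// stack has no policy. Statement is normalised to an array defensively.
function parsePolicy(body: string | undefined): StackPolicy {
  if (!body) return { Statement: [] };
  const parsed = JSON.parse(body);
  const stmts = parsed.Statement ?? [];
  return { Statement: Array.isArray(stmts) ? stmts : [stmts] };
}

// Key-ordered JSON, so statements compare equal regardless of key order or
// whitespace in the stored body. Used instead of a Sid, which the issue's
// statement does not carry.
function canonical(value: unknown): string {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    const obj = value as Record<string, unknown>;
    return '{' + Object.keys(obj).sort()
      .map(k => JSON.stringify(k) + ':' + canonical(obj[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Append our statement, idempotently: running lock twice adds it once.
function addStatement(policy: StackPolicy, stmt: Statement): StackPolicy {
  const key = canonical(stmt);
  const present = policy.Statement.some(s => canonical(s) === key);
  return present ? policy : { Statement: [...policy.Statement, stmt] };
}

// Remove only our statement; the customer's own statements are untouched.
function removeStatement(policy: StackPolicy, stmt: Statement): StackPolicy {
  const key = canonical(stmt);
  return { Statement: policy.Statement.filter(s => canonical(s) !== key) };
}

// Assumed I/O seam. With the AWS SDK v3 this would be:
//   getPolicy: async () => (await cfn.send(new GetStackPolicyCommand({ StackName }))).StackPolicyBody,
//   setPolicy: async (body) => { await cfn.send(new SetStackPolicyCommand({ StackName, StackPolicyBody: body })); },
type PolicyIo = {
  getPolicy: () => Promise<string | undefined>;
  setPolicy: (body: string) => Promise<void>;
};

// lock: read, merge, write back.
async function lockRootStack(io: PolicyIo): Promise<StackPolicy> {
  const merged = addStatement(parsePolicy(await io.getPolicy()), LOCK_STATEMENT);
  await io.setPolicy(JSON.stringify(merged));
  return merged;
}

// lock --rollback: read, subtract, write back (allow-all if nothing remains).
async function rollbackLock(io: PolicyIo): Promise<StackPolicy> {
  let remaining = removeStatement(parsePolicy(await io.getPolicy()), LOCK_STATEMENT);
  if (remaining.Statement.length === 0) remaining = { Statement: [ALLOW_ALL_STATEMENT] };
  await io.setPolicy(JSON.stringify(remaining));
  return remaining;
}

// In-memory stand-in for the stack policy store, so the flow can be exercised offline.
function memoryIo(initial: string | undefined): PolicyIo & { current: () => string | undefined } {
  let body = initial;
  return {
    getPolicy: async () => body,
    setPolicy: async (b: string) => { body = b; },
    current: () => body,
  };
}
```

Running `lockRootStack` then `rollbackLock` against `memoryIo` seeded with a customer policy leaves that policy byte-for-byte equivalent to the original, which is the property the bug report asks for; seeding it with `undefined` reproduces the current behaviour (lock writes a lone Deny, rollback writes a lone Allow).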

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
