fix(stepfunctions): distributed maps under branches

distributed maps under branch states (i.e., Parallel) do not apply the
necessary permissions to run the state.

this moves the bind functionality into state and calls it on both state
and all child states.

rather than relying on the single purpose that it is now (add
distributed map perms) and fast returning all the way out, this instead
just checks if the policy it is trying to add is in place before
proceeding and uses that condition to return immediately.

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.map-distributed-iam.js.snapshot/cdk-stepfunctions-map-distributed-stack.template.json

@@ -0,0 +1,216 @@
+{
+ "Resources": {
+  "StateMachine1RoleDE82F282": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "states.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "StateMachine18AFC9B86": {
+   "Type": "AWS::StepFunctions::StateMachine",
+   "Properties": {
+    "DefinitionString": "{\"StartAt\":\"My-Map-State\",\"States\":{\"My-Map-State\":{\"Type\":\"Map\",\"End\":true,\"ItemsPath\":\"$.inputForMap\",\"ItemSelector\":{\"foo\":\"foo\",\"bar.$\":\"$.bar\"},\"ItemProcessor\":{\"ProcessorConfig\":{\"Mode\":\"DISTRIBUTED\",\"ExecutionType\":\"STANDARD\"},\"StartAt\":\"Pass State 1\",\"States\":{\"Pass State 1\":{\"Type\":\"Pass\",\"End\":true}}},\"MaxConcurrencyPath\":\"$.maxConcurrency\"}},\"TimeoutSeconds\":30}",
+    "RoleArn": {
+     "Fn::GetAtt": [
+      "StateMachine1RoleDE82F282",
+      "Arn"
+     ]
+    }
+   },
+   "DependsOn": [
+    "StateMachine1RoleDE82F282"
+   ],
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "StateMachine1DistributedMapPolicyA6BF4F8F": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": "states:StartExecution",
+       "Effect": "Allow",
+       "Resource": {
+        "Ref": "StateMachine18AFC9B86"
+       }
+      },
+      {
+       "Action": [
+        "states:DescribeExecution",
+        "states:StopExecution"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::Join": [
+         "",
+         [
+          {
+           "Ref": "StateMachine18AFC9B86"
+          },
+          ":*"
+         ]
+        ]
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "StateMachine1DistributedMapPolicyA6BF4F8F",
+    "Roles": [
+     {
+      "Ref": "StateMachine1RoleDE82F282"
+     }
+    ]
+   }
+  },
+  "StateMachine2Role6BE3CF0B": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "states.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "StateMachine21CE8E3CE": {
+   "Type": "AWS::StepFunctions::StateMachine",
+   "Properties": {
+    "DefinitionString": "{\"StartAt\":\"My-Map-State\",\"States\":{\"My-Map-State\":{\"Type\":\"Map\",\"End\":true,\"ItemsPath\":\"$.inputForMap\",\"ItemSelector\":{\"foo\":\"foo\",\"bar.$\":\"$.bar\"},\"ItemProcessor\":{\"ProcessorConfig\":{\"Mode\":\"DISTRIBUTED\",\"ExecutionType\":\"STANDARD\"},\"StartAt\":\"Pass State 2\",\"States\":{\"Pass State 2\":{\"Type\":\"Pass\",\"End\":true}}},\"MaxConcurrencyPath\":\"$.maxConcurrency\"}},\"TimeoutSeconds\":30}",
+    "RoleArn": {
+     "Fn::GetAtt": [
+      "StateMachine2Role6BE3CF0B",
+      "Arn"
+     ]
+    }
+   },
+   "DependsOn": [
+    "StateMachine2Role6BE3CF0B"
+   ],
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
+  "StateMachine2DistributedMapPolicyECDEB23C": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": "states:StartExecution",
+       "Effect": "Allow",
+       "Resource": {
+        "Ref": "StateMachine21CE8E3CE"
+       }
+      },
+      {
+       "Action": [
+        "states:DescribeExecution",
+        "states:StopExecution"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::Join": [
+         "",
+         [
+          {
+           "Ref": "StateMachine21CE8E3CE"
+          },
+          ":*"
+         ]
+        ]
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "StateMachine2DistributedMapPolicyECDEB23C",
+    "Roles": [
+     {
+      "Ref": "StateMachine2Role6BE3CF0B"
+     }
+    ]
+   }
+  }
+ },
+ "Outputs": {
+  "StateMachine1ARN": {
+   "Value": {
+    "Ref": "StateMachine18AFC9B86"
+   }
+  },
+  "StateMachine1RoleARN": {
+   "Value": {
+    "Fn::GetAtt": [
+     "StateMachine1RoleDE82F282",
+     "Arn"
+    ]
+   }
+  },
+  "StateMachine2ARN": {
+   "Value": {
+    "Ref": "StateMachine21CE8E3CE"
+   }
+  },
+  "StateMachine2RoleARN": {
+   "Value": {
+    "Fn::GetAtt": [
+     "StateMachine2Role6BE3CF0B",
+     "Arn"
+    ]
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}