fix(stepfunctions-tasks): run task perm no longer valid (#30788)

### Issue # (if applicable) Closes #30751. ### Reason for this change `runTask` on `${taskDefinitionFamilyArn}` is no longer relevant (see validation errors in the linked issue. This was currently disabled with a FF. This PR removes the permission entirely, and removes the FF. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Jul 23, 2024 · 82b163d · 82b163d
1 parent 7278d42
commit 82b163d
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 535 deletions.
diff --git a/...s-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts b/...s-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts
@@ -4,7 +4,7 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
 import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
 import * as cdk from 'aws-cdk-lib';
 import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
-import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP, ECS_REDUCE_RUN_TASK_PERMISSIONS } from 'aws-cdk-lib/cx-api';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 
 /*
@@ -20,7 +20,6 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 const app = new cdk.App();
 const stack = new cdk.Stack(app, 'aws-sfn-tasks-ecs-run-task');
 stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
-stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true);
 
 const cluster = new ecs.Cluster(stack, 'Ec2Cluster');
 cluster.addCapacity('DefaultAutoScalingGroup', {

diff --git a/...k-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts b/...k-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts
@@ -3,7 +3,7 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
 import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
 import * as cdk from 'aws-cdk-lib';
 import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
-import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP, ECS_REDUCE_RUN_TASK_PERMISSIONS } from 'aws-cdk-lib/cx-api';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 
 /*
@@ -19,7 +19,6 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 const app = new cdk.App();
 const stack = new cdk.Stack(app, 'aws-sfn-tasks-ecs-fargate-run-task');
 stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
-stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true);
 
 const cluster = new ecs.Cluster(stack, 'FargateCluster');
 

diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts
@@ -5,7 +5,6 @@ import * as ecs from '../../../aws-ecs';
 import * as iam from '../../../aws-iam';
 import * as sfn from '../../../aws-stepfunctions';
 import * as cdk from '../../../core';
-import * as cxapi from '../../../cx-api';
 import { integrationResourceArn, validatePatternSupported } from '../private/task-utils';
 
 /**
@@ -347,31 +346,11 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable {
   private makePolicyStatements(): iam.PolicyStatement[] {
     const stack = cdk.Stack.of(this);
 
-    const taskDefinitionFamilyArn = this.getTaskDefinitionFamilyArn();
-    const reduceRunTaskPermissions = cdk.FeatureFlags.of(this).isEnabled(cxapi.ECS_REDUCE_RUN_TASK_PERMISSIONS);
-    let policyStatements = [];
-
-    // https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
-    if (reduceRunTaskPermissions) {
-      policyStatements.push(
-        new iam.PolicyStatement({
-          actions: ['ecs:RunTask'],
-          resources: [`${taskDefinitionFamilyArn}:*`],
-        }),
-      );
-    } else {
-      policyStatements.push(
-        new iam.PolicyStatement({
-          actions: ['ecs:RunTask'],
-          resources: [
-            taskDefinitionFamilyArn,
-            `${taskDefinitionFamilyArn}:*`,
-          ],
-        }),
-      );
-    }
-
-    policyStatements.push(
+    const policyStatements = [
+      new iam.PolicyStatement({
+        actions: ['ecs:RunTask'],
+        resources: [`${this.getTaskDefinitionFamilyArn()}:*`],
+      }),
       new iam.PolicyStatement({
         actions: ['ecs:StopTask', 'ecs:DescribeTasks'],
         resources: ['*'],
@@ -380,7 +359,7 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable {
         actions: ['iam:PassRole'],
         resources: this.taskExecutionRoles().map((r) => r.roleArn),
       }),
-    );
+    ];
 
     if (this.integrationPattern === sfn.IntegrationPattern.RUN_JOB) {
       policyStatements.push(