From 82b163d00c0b6726cdd8c7fc092fd377bda0a4e2 Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Tue, 23 Jul 2024 17:53:01 -0500 Subject: [PATCH] fix(stepfunctions-tasks): run task perm no longer valid (#30788) ### Issue # (if applicable) Closes #30751. ### Reason for this change `runTask` on `${taskDefinitionFamilyArn}` is no longer relevant (see validation errors in the linked issue. This was currently disabled with a FF. This PR removes the permission entirely, and removes the FF. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
--- .../test/ecs/integ.ec2-run-task.ts | 3 +- .../test/ecs/integ.fargate-run-task.ts | 3 +- .../lib/ecs/run-task.ts | 33 +- .../test/ecs/run-tasks-feature-flag.test.ts | 488 ------------------ .../test/ecs/run-tasks.test.ts | 2 - packages/aws-cdk-lib/cx-api/lib/features.ts | 14 - 6 files changed, 8 insertions(+), 535 deletions(-) delete mode 100644 packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts
index e4af41e57113b..05cb571dbd3d7 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts
@@ -4,7 +4,7 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
 import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
 import * as cdk from 'aws-cdk-lib';
 import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
-import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP, ECS_REDUCE_RUN_TASK_PERMISSIONS } from 'aws-cdk-lib/cx-api';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 
 /*
@@ -20,7 +20,6 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 const app = new cdk.App();
 const stack = new cdk.Stack(app, 'aws-sfn-tasks-ecs-run-task');
 stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
-stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true);
 
 const cluster = new ecs.Cluster(stack, 'Ec2Cluster');
 cluster.addCapacity('DefaultAutoScalingGroup', {
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts
index 98a31e84b9520..3dad45d7604a3 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts
@@ -3,7 +3,7 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
 import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
 import * as cdk from 'aws-cdk-lib';
 import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
-import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP, ECS_REDUCE_RUN_TASK_PERMISSIONS } from 'aws-cdk-lib/cx-api';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 
 /*
@@ -19,7 +19,6 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 const app = new cdk.App();
 const stack = new cdk.Stack(app, 'aws-sfn-tasks-ecs-fargate-run-task');
 stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
-stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true);
 
 const cluster = new ecs.Cluster(stack, 'FargateCluster');
 
diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts
index f23a0d68fc567..6ab4fc5cedbe7 100644
--- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts
+++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts
@@ -5,7 +5,6 @@ import * as ecs from '../../../aws-ecs';
 import * as iam from '../../../aws-iam';
 import * as sfn from '../../../aws-stepfunctions';
 import * as cdk from '../../../core';
-import * as cxapi from '../../../cx-api';
 import { integrationResourceArn, validatePatternSupported } from '../private/task-utils';
 
 /**
@@ -347,31 +346,11 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable {
 
   private makePolicyStatements(): iam.PolicyStatement[] {
     const stack = cdk.Stack.of(this);
-    const taskDefinitionFamilyArn = this.getTaskDefinitionFamilyArn();
-    const reduceRunTaskPermissions = cdk.FeatureFlags.of(this).isEnabled(cxapi.ECS_REDUCE_RUN_TASK_PERMISSIONS);
-    let policyStatements = [];
-
-    // https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
-    if (reduceRunTaskPermissions) {
-      policyStatements.push(
-        new iam.PolicyStatement({
-          actions: ['ecs:RunTask'],
-          resources: [`${taskDefinitionFamilyArn}:*`],
-        }),
-      );
-    } else {
-      policyStatements.push(
-        new iam.PolicyStatement({
-          actions: ['ecs:RunTask'],
-          resources: [
-            taskDefinitionFamilyArn,
-            `${taskDefinitionFamilyArn}:*`,
-          ],
-        }),
-      );
-    }
-
-    policyStatements.push(
+    const policyStatements = [
+      new iam.PolicyStatement({
+        actions: ['ecs:RunTask'],
+        resources: [`${this.getTaskDefinitionFamilyArn()}:*`],
+      }),
       new iam.PolicyStatement({
         actions: ['ecs:StopTask', 'ecs:DescribeTasks'],
         resources: ['*'],
@@ -380,7 +359,7 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable {
         actions: ['iam:PassRole'],
         resources: this.taskExecutionRoles().map((r) => r.roleArn),
       }),
-    );
+    ];
 
     if (this.integrationPattern === sfn.IntegrationPattern.RUN_JOB) {
       policyStatements.push(
diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts
deleted file mode 100644
index a4b8cf53b812e..0000000000000
--- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts
+++ /dev/null
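Review bot: The `// https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html` reference was removed together with the feature-flag branch, so the new `policyStatements` literal no longer says why `ecs:RunTask` is granted on `${family}:*` rather than on the bare family ARN; I would keep that link on the line above the first `new iam.PolicyStatement({`, e.g. `// RunTask is scoped to the task-definition revision ARNs (family ARN + ':*'); see https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html`. `const stack = cdk.Stack.of(this);` survives although nothing in the hunk reads it; presumably a later statement in the method still does, but that is worth confirming so the rewrite does not leave an unused local behind. makePolicyStatements continues past both hunks of this file, and the `ecs:StopTask`/`ecs:DescribeTasks` statement on `'*'` is pre-existing context rather than part of this change.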
@@ -1,488 +0,0 @@ -import { Template } from '../../../assertions'; -import * as autoscaling from '../../../aws-autoscaling'; -import * as ec2 from '../../../aws-ec2'; -import * as ecs from '../../../aws-ecs'; -import * as sfn from '../../../aws-stepfunctions'; -import { Stack } from '../../../core'; -import { ECS_REDUCE_RUN_TASK_PERMISSIONS } from '../../../cx-api'; -import * as tasks from '../../lib'; - -let stack: Stack; -let vpc: ec2.Vpc; -let cluster: ecs.Cluster; - -/* eslint-disable quote-props */ - -test('Setting ECS_REDUCE_RUN_TASK_PERMISSIONS to false grants extra permissions', () => { - stack = new Stack(); - stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, false); - vpc = new ec2.Vpc(stack, 'Vpc'); - cluster = new ecs.Cluster(stack, 'Cluster', { vpc }); - cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', { - autoScalingGroup: new autoscaling.AutoScalingGroup(stack, 'ASG', { - vpc, - instanceType: new ec2.InstanceType('t3.medium'), - machineImage: ec2.MachineImage.latestAmazonLinux2023(), - }), - })); - - const taskDefinition = new ecs.TaskDefinition(stack, 'TD', { - memoryMiB: '512', - cpu: '256', - compatibility: ecs.Compatibility.FARGATE, - }); - const containerDefinition = taskDefinition.addContainer('TheContainer', { - image: ecs.ContainerImage.fromRegistry('foo/bar'), - memoryLimitMiB: 256, - }); - - // WHEN - const runTask = new tasks.EcsRunTask(stack, 'RunFargate', { - integrationPattern: sfn.IntegrationPattern.RUN_JOB, - cluster, - taskDefinition, - containerOverrides: [ - { - containerDefinition, - environment: [{ name: 'SOME_KEY', value: sfn.JsonPath.stringAt('$.SomeKey') }], - }, - ], - launchTarget: new tasks.EcsFargateLaunchTarget({ - platformVersion: ecs.FargatePlatformVersion.VERSION1_4, - }), - }); - - new sfn.StateMachine(stack, 'SM', { - definitionBody: sfn.DefinitionBody.fromChainable(runTask), - }); - - // THEN - expect(stack.resolve(runTask.toStateJson())).toEqual({ - End: true, - Parameters: { - 
Cluster: { 'Fn::GetAtt': ['ClusterEB0386A7', 'Arn'] }, - LaunchType: 'FARGATE', - NetworkConfiguration: { - AwsvpcConfiguration: { - SecurityGroups: [{ 'Fn::GetAtt': ['RunFargateSecurityGroup709740F2', 'GroupId'] }], - Subnets: [{ Ref: 'VpcPrivateSubnet1Subnet536B997A' }, { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }], - }, - }, - PlatformVersion: '1.4.0', - TaskDefinition: 'TD', - Overrides: { - ContainerOverrides: [ - { - Environment: [ - { - Name: 'SOME_KEY', - 'Value.$': '$.SomeKey', - }, - ], - Name: 'TheContainer', - }, - ], - }, - }, - Resource: { - 'Fn::Join': [ - '', - [ - 'arn:', - { - Ref: 'AWS::Partition', - }, - ':states:::ecs:runTask.sync', - ], - ], - }, - Type: 'Task', - }); - - Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: [ - { - Action: 'ecs:RunTask', - Effect: 'Allow', - Resource: [{ - 'Fn::Join': [ - '', - [ - 'arn:', - { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - '/', - { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - ], - ], - }, { - 'Fn::Join': [ - '', - [ - 'arn:', - { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - '/', - { 
'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - ':*', - ], - ], - }], - }, - { - Action: ['ecs:StopTask', 'ecs:DescribeTasks'], - Effect: 'Allow', - Resource: '*', - }, - { - Action: 'iam:PassRole', - Effect: 'Allow', - Resource: { 'Fn::GetAtt': ['TDTaskRoleC497AFFC', 'Arn'] }, - }, - { - Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], - Effect: 'Allow', - Resource: { - 'Fn::Join': [ - '', - [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':events:', - { Ref: 'AWS::Region' }, - ':', - { Ref: 'AWS::AccountId' }, - ':rule/StepFunctionsGetEventsForECSTaskRule', - ], - ], - }, - }, - ], - }, - }); -}); - -test('Leaving ECS_REDUCE_RUN_TASK_PERMISSIONS as the default (false) grants extra permissions', () => { - stack = new Stack(); - stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, false); - vpc = new ec2.Vpc(stack, 'Vpc'); - cluster = new ecs.Cluster(stack, 'Cluster', { vpc }); - cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', { - autoScalingGroup: new autoscaling.AutoScalingGroup(stack, 'ASG', { - vpc, - instanceType: new ec2.InstanceType('t3.medium'), - machineImage: ec2.MachineImage.latestAmazonLinux2023(), - }), - })); - - const taskDefinition = new ecs.TaskDefinition(stack, 'TD', { - memoryMiB: '512', - cpu: '256', - compatibility: ecs.Compatibility.FARGATE, - }); - const containerDefinition = taskDefinition.addContainer('TheContainer', { - image: ecs.ContainerImage.fromRegistry('foo/bar'), - memoryLimitMiB: 256, - }); - - // WHEN - const runTask = new tasks.EcsRunTask(stack, 'RunFargate', { - integrationPattern: sfn.IntegrationPattern.RUN_JOB, - cluster, - taskDefinition, - containerOverrides: [ - { - containerDefinition, - environment: [{ name: 'SOME_KEY', value: sfn.JsonPath.stringAt('$.SomeKey') }], - }, - ], - launchTarget: new tasks.EcsFargateLaunchTarget({ - platformVersion: ecs.FargatePlatformVersion.VERSION1_4, - }), - }); - - new 
sfn.StateMachine(stack, 'SM', { - definitionBody: sfn.DefinitionBody.fromChainable(runTask), - }); - - // THEN - expect(stack.resolve(runTask.toStateJson())).toEqual({ - End: true, - Parameters: { - Cluster: { 'Fn::GetAtt': ['ClusterEB0386A7', 'Arn'] }, - LaunchType: 'FARGATE', - NetworkConfiguration: { - AwsvpcConfiguration: { - SecurityGroups: [{ 'Fn::GetAtt': ['RunFargateSecurityGroup709740F2', 'GroupId'] }], - Subnets: [{ Ref: 'VpcPrivateSubnet1Subnet536B997A' }, { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }], - }, - }, - PlatformVersion: '1.4.0', - TaskDefinition: 'TD', - Overrides: { - ContainerOverrides: [ - { - Environment: [ - { - Name: 'SOME_KEY', - 'Value.$': '$.SomeKey', - }, - ], - Name: 'TheContainer', - }, - ], - }, - }, - Resource: { - 'Fn::Join': [ - '', - [ - 'arn:', - { - Ref: 'AWS::Partition', - }, - ':states:::ecs:runTask.sync', - ], - ], - }, - Type: 'Task', - }); - - Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: [ - { - Action: 'ecs:RunTask', - Effect: 'Allow', - Resource: [{ - 'Fn::Join': [ - '', - [ - 'arn:', - { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - '/', - { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - ], - ], - }, { - 'Fn::Join': [ - '', - [ - 'arn:', - { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [4, { 
'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - '/', - { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - ':*', - ], - ], - }], - }, - { - Action: ['ecs:StopTask', 'ecs:DescribeTasks'], - Effect: 'Allow', - Resource: '*', - }, - { - Action: 'iam:PassRole', - Effect: 'Allow', - Resource: { 'Fn::GetAtt': ['TDTaskRoleC497AFFC', 'Arn'] }, - }, - { - Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], - Effect: 'Allow', - Resource: { - 'Fn::Join': [ - '', - [ - 'arn:', - { Ref: 'AWS::Partition' }, - ':events:', - { Ref: 'AWS::Region' }, - ':', - { Ref: 'AWS::AccountId' }, - ':rule/StepFunctionsGetEventsForECSTaskRule', - ], - ], - }, - }, - ], - }, - }); -}); - -test('Setting ECS_REDUCE_RUN_TASK_PERMISSIONS to true reduces permissions', () => { - stack = new Stack(); - stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true); - vpc = new ec2.Vpc(stack, 'Vpc'); - cluster = new ecs.Cluster(stack, 'Cluster', { vpc }); - cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', { - autoScalingGroup: new autoscaling.AutoScalingGroup(stack, 'ASG', { - vpc, - instanceType: new ec2.InstanceType('t3.medium'), - machineImage: ec2.MachineImage.latestAmazonLinux2023(), - }), - })); - - const taskDefinition = new ecs.TaskDefinition(stack, 'TD', { - memoryMiB: '512', - cpu: '256', - compatibility: ecs.Compatibility.FARGATE, - }); - const containerDefinition = taskDefinition.addContainer('TheContainer', { - image: ecs.ContainerImage.fromRegistry('foo/bar'), - memoryLimitMiB: 256, - }); - - // WHEN - const runTask = new tasks.EcsRunTask(stack, 'RunFargate', { - integrationPattern: sfn.IntegrationPattern.RUN_JOB, - cluster, - taskDefinition, - containerOverrides: [ - { - containerDefinition, - environment: [{ name: 'SOME_KEY', value: 
sfn.JsonPath.stringAt('$.SomeKey') }], - }, - ], - launchTarget: new tasks.EcsFargateLaunchTarget({ - platformVersion: ecs.FargatePlatformVersion.VERSION1_4, - }), - }); - - new sfn.StateMachine(stack, 'SM', { - definitionBody: sfn.DefinitionBody.fromChainable(runTask), - }); - - // THEN - expect(stack.resolve(runTask.toStateJson())).toEqual({ - End: true, - Parameters: { - Cluster: { 'Fn::GetAtt': ['ClusterEB0386A7', 'Arn'] }, - LaunchType: 'FARGATE', - NetworkConfiguration: { - AwsvpcConfiguration: { - SecurityGroups: [{ 'Fn::GetAtt': ['RunFargateSecurityGroup709740F2', 'GroupId'] }], - Subnets: [{ Ref: 'VpcPrivateSubnet1Subnet536B997A' }, { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }], - }, - }, - PlatformVersion: '1.4.0', - TaskDefinition: 'TD', - Overrides: { - ContainerOverrides: [ - { - Environment: [ - { - Name: 'SOME_KEY', - 'Value.$': '$.SomeKey', - }, - ], - Name: 'TheContainer', - }, - ], - }, - }, - Resource: { - 'Fn::Join': [ - '', - [ - 'arn:', - { - Ref: 'AWS::Partition', - }, - ':states:::ecs:runTask.sync', - ], - ], - }, - Type: 'Task', - }); - - Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { - PolicyDocument: { - Statement: [ - { - Action: 'ecs:RunTask', - Effect: 'Allow', - Resource: { - 'Fn::Join': [ - '', - [ - 'arn:', - { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, - ':', - { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - '/', - { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, - ':*', - ], - ], - }, - }, - { - Action: ['ecs:StopTask', 'ecs:DescribeTasks'], - Effect: 'Allow', - Resource: '*', - }, - { - Action: 
'iam:PassRole',
-          Effect: 'Allow',
-          Resource: { 'Fn::GetAtt': ['TDTaskRoleC497AFFC', 'Arn'] },
-        },
-        {
-          Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'],
-          Effect: 'Allow',
-          Resource: {
-            'Fn::Join': [
-              '',
-              [
-                'arn:',
-                { Ref: 'AWS::Partition' },
-                ':events:',
-                { Ref: 'AWS::Region' },
-                ':',
-                { Ref: 'AWS::AccountId' },
-                ':rule/StepFunctionsGetEventsForECSTaskRule',
-              ],
-            ],
-          },
-        },
-      ],
-    },
-  });
-});
diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts
index 785a96ba4f075..9ef23e8e9a3d6 100644
--- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts
+++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts
@@ -4,7 +4,6 @@ import * as ec2 from '../../../aws-ec2';
 import * as ecs from '../../../aws-ecs';
 import * as sfn from '../../../aws-stepfunctions';
 import { Stack } from '../../../core';
-import { ECS_REDUCE_RUN_TASK_PERMISSIONS } from '../../../cx-api';
 import * as tasks from '../../lib';
 
 let stack: Stack;
@@ -16,7 +15,6 @@ let cluster: ecs.Cluster;
 beforeEach(() => {
   // GIVEN
   stack = new Stack();
-  stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true);
   vpc = new ec2.Vpc(stack, 'Vpc');
   cluster = new ecs.Cluster(stack, 'Cluster', { vpc });
   cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', {
diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts
index ba01e8b9a0e6f..233529bf8fa5b 100644
--- a/packages/aws-cdk-lib/cx-api/lib/features.ts
+++ b/packages/aws-cdk-lib/cx-api/lib/features.ts
@@ -101,7 +101,6 @@ export const CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE = '@aws-cdk/
 export const CODEPIPELINE_DEFAULT_PIPELINE_TYPE_TO_V2 = '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2';
 export const KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE = '@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope';
 export const PIPELINE_REDUCE_ASSET_ROLE_TRUST_SCOPE = '@aws-cdk/pipelines:reduceAssetRoleTrustScope';
-export const ECS_REDUCE_RUN_TASK_PERMISSIONS = '@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions';
 export const EKS_NODEGROUP_NAME = '@aws-cdk/aws-eks:nodegroupNameAttribute';
 export const EBS_DEFAULT_GP3 = '@aws-cdk/aws-ec2:ebsDefaultGp3Volume';
 export const ECS_REMOVE_DEFAULT_DEPLOYMENT_ALARM = '@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm';
@@ -1093,19 +1092,6 @@ export const FLAGS: Record = {
     introducedIn: { v2: '2.145.0' },
     recommendedValue: false,
   },
-
-  //////////////////////////////////////////////////////////////////////
-  [ECS_REDUCE_RUN_TASK_PERMISSIONS]: {
-    type: FlagType.BugFix,
-    summary: 'When enabled, IAM Policy created to run tasks won\'t include the task definition ARN, only the revision ARN.',
-    detailsMd: `
-      When this feature flag is enabled, the IAM Policy created to run tasks won\'t include the task definition ARN, only the revision ARN.
-      The revision ARN is more specific than the task definition ARN. See https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
-      for more details.
-    `,
-    introducedIn: { v2: '2.148.0' },
-    recommendedValue: true,
-  },
 };
 
 const CURRENT_MV = 'v2';
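Review bot: Deleting the `ECS_REDUCE_RUN_TASK_PERMISSIONS` export (first hunk) and its `FLAGS` entry (second hunk) removes a public `cx-api` symbol and makes the `@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions` context key unknown to the library: code that imports the constant, as the integ tests in this same change did, stops compiling, and a `cdk.json` that still carries the key keeps a silent no-op entry. If the repository has a convention for retiring flags (keeping the constant with a deprecation note, or recording it in a removed-flags list), following it here would be less disruptive than outright deletion; I cannot tell from this hunk whether such a mechanism exists. The deleted `detailsMd` text is also the only description in this diff of the revision-ARN scoping that `ecs:RunTask` now always gets, so that behaviour note should move to the task's own docs or the release notes.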