Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(stepfunctions): make grants work when state machines are imported from other accounts or regions #18737

Closed
wants to merge 2 commits into from
Closed

fix(stepfunctions): make grants work when state machines are imported from other accounts or regions #18737

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4777ab5
use all StateMachine arn components in executionArn() method
Jan 29, 2022
e97f28e
fix executions arn composition in other packages
Jan 29, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 1 addition & 20 deletions packages/@aws-cdk/aws-appsync/test/appsync-http.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -121,26 +121,7 @@ describe('Http Data Source configuration', () => {
'states:GetExecutionHistory',
],
Effect: 'Allow',
Resource: {
'Fn::Join': [
'',
[
'arn:',
{
Ref: 'AWS::Partition',
},
':states:',
{
Ref: 'AWS::Region',
},
':',
{
Ref: 'AWS::AccountId',
},
':execution:hello:*',
],
],
},
Resource: 'arn:aws:states:us-east-1::execution:hello:*',
},
{
Action: [
Expand Down
7 changes: 6 additions & 1 deletion packages/@aws-cdk/aws-codepipeline-actions/lib/stepfunctions/invoke-action.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -134,12 +134,17 @@ export class StepFunctionInvokeAction extends Action {
}));

// allow state machine executions to be inspected
const { sep, ...arnComponents } = cdk.Stack.of(this.props.stateMachine).splitArn(
this.props.stateMachine.stateMachineArn,
cdk.ArnFormat.COLON_RESOURCE_NAME,
);
options.role.addToPrincipalPolicy(new iam.PolicyStatement({
actions: ['states:DescribeExecution'],
resources: [cdk.Stack.of(this.props.stateMachine).formatArn({
...arnComponents,
service: 'states',
resource: 'execution',
resourceName: `${cdk.Stack.of(this.props.stateMachine).splitArn(this.props.stateMachine.stateMachineArn, cdk.ArnFormat.COLON_RESOURCE_NAME).resourceName}:${this.props.executionNamePrefix ?? ''}*`,
resourceName: `${arnComponents.resourceName}:${this.props.executionNamePrefix ?? ''}*`,
arnFormat: cdk.ArnFormat.COLON_RESOURCE_NAME,
})],
}));
Expand Down
36 changes: 33 additions & 3 deletions packages/@aws-cdk/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -549,15 +549,45 @@
[
"arn:",
{
"Ref": "AWS::Partition"
"Fn::Select": [
1,
{
"Fn::Split": [
":",
{
"Ref": "SimpleStateMachineE8E2CF40"
}
]
}
]
},
":states:",
{
"Ref": "AWS::Region"
"Fn::Select": [
3,
{
"Fn::Split": [
":",
{
"Ref": "SimpleStateMachineE8E2CF40"
}
]
}
]
},
":",
{
"Ref": "AWS::AccountId"
"Fn::Select": [
4,
{
"Fn::Split": [
":",
{
"Ref": "SimpleStateMachineE8E2CF40"
}
]
}
]
},
":execution:",
{
Expand Down
36 changes: 33 additions & 3 deletions ...@aws-cdk/aws-codepipeline-actions/test/stepfunctions/stepfunctions-invoke-actions.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,15 +104,45 @@ describe('StepFunctions Invoke Action', () => {
[
'arn:',
{
Ref: 'AWS::Partition',
'Fn::Select': [
1,
{
'Fn::Split': [
':',
{
Ref: 'SimpleStateMachineE8E2CF40',
},
],
},
],
},
':states:',
{
Ref: 'AWS::Region',
'Fn::Select': [
3,
{
'Fn::Split': [
':',
{
Ref: 'SimpleStateMachineE8E2CF40',
},
],
},
],
},
':',
{
Ref: 'AWS::AccountId',
'Fn::Select': [
4,
{
'Fn::Split': [
':',
{
Ref: 'SimpleStateMachineE8E2CF40',
},
],
},
],
},
':execution:',
{
Expand Down
4 changes: 3 additions & 1 deletion packages/@aws-cdk/aws-stepfunctions-tasks/lib/start-execution.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,14 +97,16 @@ export class StartExecution implements sfn.IStepFunctionsTask {

// Step Functions use Cloud Watch managed rules to deal with synchronous tasks.
if (this.integrationPattern === sfn.ServiceIntegrationPattern.SYNC) {
const { sep, ...arnComponents } = stack.splitArn(this.stateMachine.stateMachineArn, ArnFormat.COLON_RESOURCE_NAME);
policyStatements.push(new iam.PolicyStatement({
actions: ['states:DescribeExecution', 'states:StopExecution'],
// https://docs.aws.amazon.com/step-functions/latest/dg/concept-create-iam-advanced.html#concept-create-iam-advanced-execution
resources: [stack.formatArn({
...arnComponents,
service: 'states',
resource: 'execution',
arnFormat: ArnFormat.COLON_RESOURCE_NAME,
resourceName: `${stack.splitArn(this.stateMachine.stateMachineArn, ArnFormat.COLON_RESOURCE_NAME).resourceName}*`,
resourceName: `${arnComponents.resourceName}*`,
})],
}));

Expand Down
8 changes: 4 additions & 4 deletions packages/@aws-cdk/aws-stepfunctions-tasks/lib/stepfunctions/start-execution.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,17 +125,17 @@ export class StepFunctionsStartExecution extends sfn.TaskStateBase {

// Step Functions use Cloud Watch managed rules to deal with synchronous tasks.
if (this.integrationPattern === sfn.IntegrationPattern.RUN_JOB) {
const { sep, ...arnComponents } = stack.splitArn(this.props.stateMachine.stateMachineArn, ArnFormat.COLON_RESOURCE_NAME);
policyStatements.push(
new iam.PolicyStatement({
actions: ['states:DescribeExecution', 'states:StopExecution'],
// https://docs.aws.amazon.com/step-functions/latest/dg/concept-create-iam-advanced.html#concept-create-iam-advanced-execution
resources: [
stack.formatArn({
`${stack.formatArn({
...arnComponents,
service: 'states',
resource: 'execution',
arnFormat: ArnFormat.COLON_RESOURCE_NAME,
resourceName: `${stack.splitArn(this.props.stateMachine.stateMachineArn, ArnFormat.COLON_RESOURCE_NAME).resourceName}*`,
}),
})}*`,
],
}),
);
Expand Down
36 changes: 33 additions & 3 deletions packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.start-execution.expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,15 +95,45 @@
[
"arn:",
{
"Ref": "AWS::Partition"
"Fn::Select": [
1,
{
"Fn::Split": [
":",
{
"Ref": "ChildDAB30558"
}
]
}
]
},
":states:",
{
"Ref": "AWS::Region"
"Fn::Select": [
3,
{
"Fn::Split": [
":",
{
"Ref": "ChildDAB30558"
}
]
}
]
},
":",
{
"Ref": "AWS::AccountId"
"Fn::Select": [
4,
{
"Fn::Split": [
":",
{
"Ref": "ChildDAB30558"
}
]
}
]
},
":execution:",
{
Expand Down
36 changes: 33 additions & 3 deletions packages/@aws-cdk/aws-stepfunctions-tasks/test/start-execution.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,15 +110,45 @@ describeDeprecated('StartExecution', () => {
[
'arn:',
{
Ref: 'AWS::Partition',
'Fn::Select': [
1,
{
'Fn::Split': [
':',
{
Ref: 'ChildStateMachine9133117F',
},
],
},
],
},
':states:',
{
Ref: 'AWS::Region',
'Fn::Select': [
3,
{
'Fn::Split': [
':',
{
Ref: 'ChildStateMachine9133117F',
},
],
},
],
},
':',
{
Ref: 'AWS::AccountId',
'Fn::Select': [
4,
{
'Fn::Split': [
':',
{
Ref: 'ChildStateMachine9133117F',
},
],
},
],
},
':execution:',
{
Expand Down
36 changes: 33 additions & 3 deletions ...s/@aws-cdk/aws-stepfunctions-tasks/test/stepfunctions/integ.start-execution.expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,15 +95,45 @@
[
"arn:",
{
"Ref": "AWS::Partition"
"Fn::Select": [
1,
{
"Fn::Split": [
":",
{
"Ref": "ChildDAB30558"
}
]
}
]
},
":states:",
{
"Ref": "AWS::Region"
"Fn::Select": [
3,
{
"Fn::Split": [
":",
{
"Ref": "ChildDAB30558"
}
]
}
]
},
":",
{
"Ref": "AWS::AccountId"
"Fn::Select": [
4,
{
"Fn::Split": [
":",
{
"Ref": "ChildDAB30558"
}
]
}
]
},
":execution:",
{
Expand Down
36 changes: 33 additions & 3 deletions packages/@aws-cdk/aws-stepfunctions-tasks/test/stepfunctions/start-execution.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,15 +104,45 @@ test('Execute State Machine - Run Job', () => {
[
'arn:',
{
Ref: 'AWS::Partition',
'Fn::Select': [
1,
{
'Fn::Split': [
':',
{
Ref: 'ChildStateMachine9133117F',
},
],
},
],
},
':states:',
{
Ref: 'AWS::Region',
'Fn::Select': [
3,
{
'Fn::Split': [
':',
{
Ref: 'ChildStateMachine9133117F',
},
],
},
],
},
':',
{
Ref: 'AWS::AccountId',
'Fn::Select': [
4,
{
'Fn::Split': [
':',
{
Ref: 'ChildStateMachine9133117F',
},
],
},
],
},
':execution:',
{
Expand Down
4 changes: 2 additions & 2 deletions packages/@aws-cdk/aws-stepfunctions/lib/state-machine.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -330,11 +330,11 @@ abstract class StateMachineBase extends Resource implements IStateMachine {
* Returns the pattern for the execution ARN's of the state machine
*/
private executionArn(): string {
const { sep, ...arnComponents } = Arn.split(this.stateMachineArn, ArnFormat.COLON_RESOURCE_NAME);
return Stack.of(this).formatArn({
...arnComponents,
resource: 'execution',
service: 'states',
resourceName: Arn.split(this.stateMachineArn, ArnFormat.COLON_RESOURCE_NAME).resourceName,
arnFormat: ArnFormat.COLON_RESOURCE_NAME,
});
}

Expand Down
Loading