
stepfunctions: Generated Policy for StateMachine Incorrect for StepFunctionsStartExecution step with Aliasing/Versioning #30265

Open
mpd18 opened this issue May 17, 2024 · 1 comment
Labels: @aws-cdk/aws-stepfunctions (Related to AWS StepFunctions), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p1

Comments


mpd18 commented May 17, 2024

Describe the bug

When creating a StateMachine construct that has a StepFunctionsStartExecution step that starts a state machine with an alias, the generated policy is not correct.

```ts
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';

// Task that starts another state machine through an alias-qualified ARN
const startStateMachineAlias = new tasks.StepFunctionsStartExecution(stack, 'StartStepFunctionAlias', {
  stateMachine: sfn.StateMachine.fromStateMachineArn(stack, 'StateMachineAlias',
    'arn:aws:states:us-west-2:12345678900:stateMachine:stateMachine1:alias'),
});

// Outer state machine; its role policy receives the generated StartExecution statement
new sfn.StateMachine(stack, 'StateMachine', {
  definitionBody: sfn.DefinitionBody.fromChainable(startStateMachineAlias),
});
```

The created policy will have a statement that looks like this:

```json
{
  "Action": "states:StartExecution",
  "Effect": "Allow",
  "Resource": "arn:aws:states:us-west-2:12345678900:stateMachine:stateMachine1:alias"
}
```

Expected Behavior

Based on the AWS docs, for executing aliases or versions you need to have a policy statement that looks like this:

```json
{
  "Action": "states:StartExecution",
  "Effect": "Allow",
  "Resource": "arn:aws:states:us-west-2:12345678900:stateMachine:stateMachine1"
}
```

or this:

```json
{
  "Action": "states:StartExecution",
  "Effect": "Allow",
  "Resource": "arn:aws:states:us-west-2:12345678900:stateMachine:stateMachine1",
  "Condition": {
    "ForAnyValue:StringEquals": {
      "states:StateMachineQualifier": [
        "alias"
      ]
    }
  }
}
```

Current Behavior

The created policy looks like this, which is incorrect for executing an alias:

```json
{
  "Action": "states:StartExecution",
  "Effect": "Allow",
  "Resource": "arn:aws:states:us-west-2:12345678900:stateMachine:stateMachine1:alias"
}
```

Reproduction Steps

Create a StateMachine construct that has a step that calls another state machine:

```ts
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';

// Task that starts another state machine through an alias-qualified ARN
const startStateMachineAlias = new tasks.StepFunctionsStartExecution(stack, 'StartStepFunctionAlias', {
  stateMachine: sfn.StateMachine.fromStateMachineArn(stack, 'StateMachineAlias',
    'arn:aws:states:us-west-2:12345678900:stateMachine:stateMachine1:alias'),
});

// Outer state machine; its role policy receives the generated StartExecution statement
new sfn.StateMachine(stack, 'StateMachine', {
  definitionBody: sfn.DefinitionBody.fromChainable(startStateMachineAlias),
});
```

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.115.0

Framework Version

No response

Node.js Version

18

OS

Amazon Linux 2

Language

TypeScript

Language Version

4.9.5

Other information

No response
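An added check, not part of this issue or of aws-cdk, that derives the statement the Expected Behavior section asks for from a possibly qualified state machine ARN and flags the form shown under Current Behavior. It assumes the ARN layout used in the issue (the alias or version is an eighth colon-separated field); the function names are my own.

```typescript
interface StateMachineArnParts {
  baseArn: string;     // arn:...:stateMachine:<name>, with any qualifier removed
  qualifier?: string;  // alias name or version number, when present
}

interface PolicyStatementJson {
  Action: string;
  Effect: 'Allow';
  Resource: string;
  Condition?: Record<string, Record<string, string[]>>;
}

// Split a state machine ARN into its unqualified ARN and optional qualifier.
// Assumption: fields 0..6 are the plain state machine ARN; field 7 is the qualifier.
function parseStateMachineArn(arn: string): StateMachineArnParts {
  const parts = arn.split(':');
  if (parts.length < 7 || parts[2] !== 'states' || parts[5] !== 'stateMachine') {
    throw new Error(`not a state machine ARN: ${arn}`);
  }
  const baseArn = parts.slice(0, 7).join(':');
  return parts.length > 7 ? { baseArn, qualifier: parts[7] } : { baseArn };
}

// Build the states:StartExecution statement in the form the issue's Expected
// Behavior describes: Resource is the unqualified ARN, and a qualifier becomes a
// states:StateMachineQualifier condition so only that alias/version may be started.
function startExecutionStatement(arn: string): PolicyStatementJson {
  const { baseArn, qualifier } = parseStateMachineArn(arn);
  const stmt: PolicyStatementJson = { Action: 'states:StartExecution', Effect: 'Allow', Resource: baseArn };
  if (qualifier !== undefined) {
    stmt.Condition = { 'ForAnyValue:StringEquals': { 'states:StateMachineQualifier': [qualifier] } };
  }
  return stmt;
}

// Detect the incorrect form from the issue's Current Behavior: a StartExecution
// statement whose Resource still carries the alias/version qualifier. Useful as an
// assertion over a synthesized template until the construct generates the right statement.
function hasQualifiedResource(stmt: PolicyStatementJson): boolean {
  if (stmt.Action !== 'states:StartExecution') return false;
  return parseStateMachineArn(stmt.Resource).qualifier !== undefined;
}

// Constructed sample using the ARN from the issue
const aliasArn = 'arn:aws:states:us-west-2:12345678900:stateMachine:stateMachine1:alias';
console.log(JSON.stringify(startExecutionStatement(aliasArn), null, 2));
```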

@mpd18 mpd18 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 17, 2024
@github-actions github-actions bot added the @aws-cdk/aws-stepfunctions Related to AWS StepFunctions label May 17, 2024
@pahud pahud changed the title aws-cdk-lib.aws_stepfunctions: Generated Policy for StateMachine Incorrect for StepFunctionsStartExecution step with Aliasing/Versioning tepfunctions: Generated Policy for StateMachine Incorrect for StepFunctionsStartExecution step with Aliasing/Versioning May 21, 2024
@pahud pahud changed the title tepfunctions: Generated Policy for StateMachine Incorrect for StepFunctionsStartExecution step with Aliasing/Versioning stepfunctions: Generated Policy for StateMachine Incorrect for StepFunctionsStartExecution step with Aliasing/Versioning May 21, 2024
pahud (Contributor) commented May 21, 2024

Yes, we should handle this from here:

```ts
// Builds the graph from the definition body, then copies every policy statement
// the graph collected (including the StartExecution one) onto the state machine role
graph = new StateGraph(definitionBody.chainable.startState, 'State Machine definition');
graph.timeout = props.timeout;
for (const statement of graph.policyStatements) {
  this.addToRolePolicy(statement);
}
```

and probably in the StateGraph as well.

@pahud pahud added p1 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels May 21, 2024