Step Functions - support calling nested dynamic State Machine
Description
Note: Bug occurs with the experimental library @aws-cdk/aws-stepfunctions
When creating a state machine with a nested workflow task, whose StateMachineArn is a dynamic value set using a JSONPath query, the stepfunctions CDK library recognizes the nested workflow task ARN as dynamic and suffixes StateMachineArn with .$ correctly.
However, the library doesn’t realize that the ARN provided is a dynamic value when generating default policies for the state machine. As a result, it generates a policy statement for the state machine with the action “states:StartExecution” so that the state machine can execute nested workflows (which is a good thing), but sets the resource field to the dynamic value (which is a bad thing).
Reproduction Steps
Reproduction Repo: https://github.com/sabarnac/cdk-stepfunctions-bug-repo
Steps:
- Run npm run cdk synth / cdk synth
- Open ./cdk.out/CdkStepfunctionsBugRepoStack.template.json
- Search for SampleStateMachineRoleDefaultPolicy
- Check the first policy statement
    {
      "Action": "states:StartExecution",
      "Effect": "Allow",
      "Resource": "$.dynamicArn"
    }
Stack Code:
import * as sfn from "@aws-cdk/aws-stepfunctions";
import * as tasks from "@aws-cdk/aws-stepfunctions-tasks";
import * as cdk from "@aws-cdk/core";

export class CdkStepfunctionsBugRepoStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const stepFunctionsTask = new sfn.Task(this, "NestedWorkflowTask", {
      task: new tasks.StartExecution(
        // The nested state machine ARN is a JSONPath reference resolved from the execution input at runtime.
        sfn.StateMachine.fromStateMachineArn(this, "NestedWorkflowStateMachine", sfn.Data.stringAt("$.dynamicArn")),
        {
          input: {
            "input.$": "$.dynamicInput",
            "AWS_STEP_FUNCTIONS_STARTED_BY_EXECUTION_ID.$": "$$.Execution.Id",
          },
          name: sfn.Data.stringAt("$.dynamicName"),
          integrationPattern: sfn.ServiceIntegrationPattern.SYNC,
        },
      ),
      resultPath: "$.workflowResult",
    });

    // The default role policy generated for this state machine is where "$.dynamicArn" ends up as the Resource.
    new sfn.StateMachine(this, "SampleStateMachine", {
      definition: stepFunctionsTask,
    });
  }
}
Error Log
None.
Environment
- CLI Version : 1.22.0 (build 309ac1b)
- Framework Version: @aws-cdk/aws-stepfunctions-tasks: 1.22.0, @aws-cdk/aws-stepfunctions: 1.22.0, @aws-cdk/core: 1.22.0
- OS : Mac OS Mojave [10.14.6 (18G2022)]
- Language : TypeScript
Other
No other details
This is 🐛 Bug Report
Issue Analytics
- Created 4 years ago
- Reactions:12
- Comments:10 (3 by maintainers)
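A check for the symptom in the reproduction steps above, as an added example that is not part of the original issue or the CDK code base: it scans a synthesized template for IAM policy statements whose Resource is a JSONPath expression instead of an ARN or "*". The template object, the Finding shape and the function names are constructed for illustration.

```typescript
// Constructed template fragment; the first statement mirrors the one quoted in the issue.
const sampleTemplate = {
  Resources: {
    SampleStateMachineRoleDefaultPolicy: {
      Type: "AWS::IAM::Policy",
      Properties: {
        PolicyDocument: {
          Statement: [
            { Action: "states:StartExecution", Effect: "Allow", Resource: "$.dynamicArn" },
            { Action: "states:DescribeExecution", Effect: "Allow", Resource: "*" },
          ],
        },
      },
    },
  },
};

interface Finding { logicalId: string; index: number; action: string; resource: string }

// A Step Functions path ("$", "$.x", "$$.x", "$[0]") only has meaning inside the state
// machine definition; as an IAM Resource it is a literal string that is not a usable ARN.
function isJsonPath(value: unknown): value is string {
  return typeof value === "string" && /^\$\$?([.\[]|$)/.test(value);
}

// Walks AWS::IAM::Policy resources only (the resource type named in the issue).
function findJsonPathResources(template: any): Finding[] {
  const findings: Finding[] = [];
  const resources = template.Resources ?? {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (res.Type !== "AWS::IAM::Policy") continue;
    const raw = res.Properties?.PolicyDocument?.Statement ?? [];
    const statements: any[] = Array.isArray(raw) ? raw : [raw];
    statements.forEach((stmt, index) => {
      // Resource may be a single value or a list; intrinsics (objects) are skipped.
      const targets: unknown[] = Array.isArray(stmt.Resource) ? stmt.Resource : [stmt.Resource];
      for (const r of targets) {
        if (isJsonPath(r)) {
          findings.push({ logicalId, index, action: String(stmt.Action), resource: r });
        }
      }
    });
  }
  return findings;
}
```

Run against the parsed contents of ./cdk.out/CdkStepfunctionsBugRepoStack.template.json, a non-empty result means the generated StartExecution grant does not name any state machine.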
Top GitHub Comments
I used the following code to remove the default policy statements that the Step Function CDK generates for the state machine when providing a dynamic ARN.
After this, you can add in your own policy statement for what other state machine ARNs the current one is allowed to call. Make sure to provide policy statements for all the actions that were removed.
Changes are needed to the workaround from @sabarnac to work with CDK 2.32.0 (action is now _action, and is of type OrderedSet so we need to access the internal array with _action.direct() to do the .includes() check).