Update permission

aws · Mar 10, 2020 · 407757a · 407757a
1 parent 4680681
commit 407757a
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 42 deletions.
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/run-batch-job.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/run-batch-job.ts
@@ -244,27 +244,7 @@ export class RunBatchJob implements sfn.IStepFunctionsTask {
         'submitJob',
         this.integrationPattern
       ),
-      policyStatements: [
-        // Resource-level access control is not supported by Batch
-        // https://docs.aws.amazon.com/step-functions/latest/dg/batch-iam.html
-        new iam.PolicyStatement({
-          resources: ['*'],
-          actions: ['batch:SubmitJob']
-        }),
-        new iam.PolicyStatement({
-          resources: [
-            Stack.of(_task).formatArn({
-              service: 'events',
-              resource: 'rule/StepFunctionsGetEventsForBatchJobsRule'
-            })
-          ],
-          actions: [
-            'events:PutTargets',
-            'events:PutRule',
-            'events:DescribeRule'
-          ]
-        })
-      ],
+      policyStatements: this.configurePolicyStatements(_task),
       parameters: {
         JobDefinition: this.props.jobDefinition.jobDefinitionArn,
         JobName: this.props.jobName,
@@ -299,27 +279,61 @@ export class RunBatchJob implements sfn.IStepFunctionsTask {
     };
   }
 
+  private configurePolicyStatements(task: sfn.Task): iam.PolicyStatement[] {
+    return [
+      // Resource level access control for job-definition requires revision which batch does not support yet
+      // Using the alternative permissions as mentioned here:
+      // https://docs.aws.amazon.com/batch/latest/userguide/batch-supported-iam-actions-resources.html
+      new iam.PolicyStatement({
+        resources: [
+          Stack.of(task).formatArn({
+            service: 'batch',
+            resource: 'job-definition',
+            resourceName: '*'
+          }),
+          this.props.jobQueue.jobQueueArn
+        ],
+        actions: ['batch:SubmitJob']
+      }),
+      new iam.PolicyStatement({
+        resources: [
+          Stack.of(task).formatArn({
+            service: 'events',
+            resource: 'rule/StepFunctionsGetEventsForBatchJobsRule'
+          })
+        ],
+        actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule']
+      })
+    ];
+  }
+
   private configureContainerOverrides(containerOverrides: ContainerOverrides) {
+    let environment;
+    if (containerOverrides.environment) {
+      environment = Object.entries(containerOverrides.environment).map(
+        ([key, value]) => ({
+          Name: key,
+          Value: value
+        })
+      );
+    }
+
+    let resources;
+    if (containerOverrides.gpuCount) {
+      resources = [
+        {
+          Type: 'GPU',
+          Value: `${containerOverrides.gpuCount}`
+        }
+      ];
+    }
+
     return {
       Command: containerOverrides.command,
-      Environment: containerOverrides.environment
-        ? Object.entries(containerOverrides.environment).map(
-            ([key, value]) => ({
-              Name: key,
-              Value: value
-            })
-          )
-        : undefined,
+      Environment: environment,
       InstanceType: containerOverrides.instanceType?.toString(),
       Memory: containerOverrides.memory,
-      ResourceRequirements: containerOverrides.gpuCount
-        ? [
-            {
-              Type: 'GPU',
-              Value: `${containerOverrides.gpuCount}`
-            }
-          ]
-        : undefined,
+      ResourceRequirements: resources,
       Vcpus: containerOverrides.vcpus
     };
   }

diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.run-batch-job.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.run-batch-job.expected.json
@@ -920,7 +920,31 @@
             {
               "Action": "batch:SubmitJob",
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": [
+                {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "arn:",
+                      {
+                        "Ref": "AWS::Partition"
+                      },
+                      ":batch:",
+                      {
+                        "Ref": "AWS::Region"
+                      },
+                      ":",
+                      {
+                        "Ref": "AWS::AccountId"
+                      },
+                      ":job-definition/*"
+                    ]
+                  ]
+                },
+                {
+                  "Ref": "JobQueueEE3AD499"
+                }
+              ]
             },
             {
               "Action": [

diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.run-batch-job.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.run-batch-job.ts
@@ -11,10 +11,8 @@ import * as tasks from '../lib';
  * * aws stepfunctions start-execution --state-machine-arn <deployed state machine arn> : should return execution arn
  * * aws batch list-jobs --job-queue <deployed job queue name or arn> --job-status RUNNABLE : should return jobs-list with size greater than 0
  * *
- * * wait for the batch-job to finish executing
- * *
- * * aws batch describe-jobs --jobs <job-id returned by list-jobs>: should return object with status as SUCCEEDED
- * * aws stepfunctions describe-execution --execution-arn <exection-arn generated before>: should return object with status as SUCCEEDED
+ * * aws batch describe-jobs --jobs <job-id returned by list-jobs> --query 'jobs[0].status': wait until the status is 'SUCCEEDED'
+ * * aws stepfunctions describe-execution --execution-arn <exection-arn generated before> --query 'status': should return status as SUCCEEDED
  */
 
 class RunBatchStack extends cdk.Stack {