feat(apigatewayv2): add aws service integration -- step functions

[zxkane]

• general changes for supporting aws integration
• add StepFunctions StartExecution and StartSyncExecution implementation

closes #11947

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[nija-at]

Thanks so much for submitting this pull request. I am marking this pull request as p2, which means that we are unable to work on it immediately, but it's definitely still on our radar.

We use +1s to help prioritize our work, and are happy to revaluate this pull request based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

[saqibdhuka]

This is a good feature.

I was testing it out with a EXPRESS Synchronous State Machine and the following bug was found:

Environment
Testing it on Linux OS
Software: Visual Studo Code
Language: Typescript

Steps to reproduce the bug

1. Set up the State Machine to be of type EXPRESS and set it as a Pass State Machine with result value: "Hello"
2. Use StepFunctionsStartSyncExecutionIntegration within api.addRoutes()
3. Set input parameter within the integration to be '{"test":"out"}' (with single quotations)
4. Deploy the CDK Stack
5. Ue "curl -X POST <invoke URL>/start" (without quotations)

Code to reproduce the bug
`

const passTask2 = new sfn.Pass(this, 'passTask2', {
  result: { value: "Hello" },
});

const handler: sfn.IStateMachine = new sfn.StateMachine(this, 'handler', {
  definition: passTask2,
  stateMachineType: sfn.StateMachineType.EXPRESS,
});

//Step Functions IAM Role
const stepFunctionRole = new iam.Role(this, "sfnRole", {
  assumedBy: new iam.ServicePrincipal("apigateway.amazonaws.com"),
  inlinePolicies: {
    AllowSFNExec: new iam.PolicyDocument({
      statements: [
        new iam.PolicyStatement({
          actions: ["states:StartSyncExecution"],
          effect: iam.Effect.ALLOW,
          resources: [handler.stateMachineArn]
        })
      ]
    })
  }
});

const api = new apigwv2.HttpApi(this, 'HttpApiEndpoint');

api.addRoutes({
  path: '/start',
  methods: [ apigwv2.HttpMethod.POST ],
  integration: new StepFunctionsStartSyncExecutionIntegration({
    stateMachine: handler,
    input: '{"test":"out"}',
  }),
});

`

Expected Output
The expected output is to have state machine output ("Hello) along with billing details and other information

Actual Result
Permission Error: Access Denied Exception
{"__type":"com.amazon.coral.service#AccessDeniedException","Message":"User: arn:aws:sts::123456789102:assumed-role/DemoCdkStack-HttpApiEndpointPOSTstartRoleF1234567-xxxxxxxx/xxxxxxx is not authorized to perform: states:StartSyncExecution on resource: arn:aws:states:us-west-2:123456789102:stateMachine:handlerExxxxxxx-xxxxxxxx because no identity-based policy allows the states:StartSyncExecution action"}%

Visual Proof

Severity
Medium - EXPRESS State Machine invocation is not working with StartSyncExecution

Fix
I was able to fix the bug by doing the following:

1. From your stack, pass stack into the StepFunctionsStartSyncExecutionIntegration as the Construct.
2. Edit the StepFunctionsStartSyncExecutionIntegration cosntructor to accept a Construct ( private readonly _scope: Construct )
3. Change the _fulfillRole function implementation to do the following:
   - Change 'this._props.stateMachine.grantStartExecution' to 'this._props.stateMachine.grantExecution(credentialsRole.grantPrincipal, 'states:StartSyncExecution')'
   - Next use credentialsRole.attachInlinePolicy() and add IAM Policy with PolicyStatement (with 'states:StartSyncExecution' as the actions) along with other parameters. You will need to pass the Construct (_scope) into the attachInlinePolicy().

This should fix the bug.

I would suggest looking into StepFunctionsStartExecutionIntegration implementation too as I dd not see any attached policy and I'm not sure if it works correctly or not.

[zxkane]

This is a good feature.

I was testing it out with a EXPRESS Synchronous State Machine and the following bug was found:

Environment
Testing it on Linux OS
Software: Visual Studo Code
Language: Typescript

Steps to reproduce the bug

1. Set up the State Machine to be of type EXPRESS and set it as a Pass State Machine with result value: "Hello"
2. Use StepFunctionsStartSyncExecutionIntegration within api.addRoutes()
3. Set input parameter within the integration to be '{"test":"out"}' (with single quotations)
4. Deploy the CDK Stack
5. Ue "curl -X POST /start" (without quotations)

Code to reproduce the bug
`

const passTask2 = new sfn.Pass(this, 'passTask2', {
  result: { value: "Hello" },
});

const handler: sfn.IStateMachine = new sfn.StateMachine(this, 'handler', {
  definition: passTask2,
  stateMachineType: sfn.StateMachineType.EXPRESS,
});

//Step Functions IAM Role
const stepFunctionRole = new iam.Role(this, "sfnRole", {
  assumedBy: new iam.ServicePrincipal("apigateway.amazonaws.com"),
  inlinePolicies: {
    AllowSFNExec: new iam.PolicyDocument({
      statements: [
        new iam.PolicyStatement({
          actions: ["states:StartSyncExecution"],
          effect: iam.Effect.ALLOW,
          resources: [handler.stateMachineArn]
        })
      ]
    })
  }
});

const api = new apigwv2.HttpApi(this, 'HttpApiEndpoint');

api.addRoutes({
  path: '/start',
  methods: [ apigwv2.HttpMethod.POST ],
  integration: new StepFunctionsStartSyncExecutionIntegration({
    stateMachine: handler,
    input: '{"test":"out"}',
  }),
});

`

Expected Output
The expected output is to have state machine output ("Hello) along with billing details and other information

Actual Result
Permission Error: Access Denied Exception
{"__type":"com.amazon.coral.service#AccessDeniedException","Message":"User: arn:aws:sts::123456789102:assumed-role/DemoCdkStack-HttpApiEndpointPOSTstartRoleF1234567-xxxxxxxx/xxxxxxx is not authorized to perform: states:StartSyncExecution on resource: arn:aws:states:us-west-2:123456789102:stateMachine:handlerExxxxxxx-xxxxxxxx because no identity-based policy allows the states:StartSyncExecution action"}%

Visual Proof

Severity
Medium - EXPRESS State Machine invocation is not working with StartSyncExecution

Fix
I was able to fix the bug by doing the following:

1. From your stack, pass stack into the StepFunctionsStartSyncExecutionIntegration as the Construct.
2. Edit the StepFunctionsStartSyncExecutionIntegration cosntructor to accept a Construct ( private readonly _scope: Construct )
3. Change the _fulfillRole function implementation to do the following:
   • Change 'this._props.stateMachine.grantStartExecution' to 'this._props.stateMachine.grantExecution(credentialsRole.grantPrincipal, 'states:StartSyncExecution')'
   • Next use credentialsRole.attachInlinePolicy() and add IAM Policy with PolicyStatement (with 'states:StartSyncExecution' as the actions) along with other parameters. You will need to pass the Construct (_scope) into the attachInlinePolicy().

This should fix the bug.

I would suggest looking into StepFunctionsStartExecutionIntegration implementation too as I dd not see any attached policy and I'm not sure if it works correctly or not.

Thanks for your deep dive the exception and proposed fix.

Will keep an eye on it due to the CDK team does not have review bandwidth.

[saqibdhuka]

This is a good feature.

I was testing it out with a EXPRESS Synchronous State Machine and the following bug was found:

Environment Testing it on Linux OS Software: Visual Studo Code Language: Typescript

Steps to reproduce the bug

1. Set up the State Machine to be of type EXPRESS and set it as a Pass State Machine with result value: "Hello"

2. Use StepFunctionsStartSyncExecutionIntegration within api.addRoutes()

3. Set input parameter within the integration to be '{"test":"out"}' (with single quotations)

4. Deploy the CDK Stack

5. Ue "curl -X POST <invoke URL>/start" (without quotations)

Code to reproduce the bug `

const passTask2 = new sfn.Pass(this, 'passTask2', {
  result: { value: "Hello" },
});

const handler: sfn.IStateMachine = new sfn.StateMachine(this, 'handler', {
  definition: passTask2,
  stateMachineType: sfn.StateMachineType.EXPRESS,
});

//Step Functions IAM Role
const stepFunctionRole = new iam.Role(this, "sfnRole", {
  assumedBy: new iam.ServicePrincipal("apigateway.amazonaws.com"),
  inlinePolicies: {
    AllowSFNExec: new iam.PolicyDocument({
      statements: [
        new iam.PolicyStatement({
          actions: ["states:StartSyncExecution"],
          effect: iam.Effect.ALLOW,
          resources: [handler.stateMachineArn]
        })
      ]
    })
  }
});

const api = new apigwv2.HttpApi(this, 'HttpApiEndpoint');

api.addRoutes({
  path: '/start',
  methods: [ apigwv2.HttpMethod.POST ],
  integration: new StepFunctionsStartSyncExecutionIntegration({
    stateMachine: handler,
    input: '{"test":"out"}',
  }),
});

`

Expected Output The expected output is to have state machine output ("Hello) along with billing details and other information

Actual Result Permission Error: Access Denied Exception {"__type":"com.amazon.coral.service#AccessDeniedException","Message":"User: arn:aws:sts::123456789102:assumed-role/DemoCdkStack-HttpApiEndpointPOSTstartRoleF1234567-xxxxxxxx/xxxxxxx is not authorized to perform: states:StartSyncExecution on resource: arn:aws:states:us-west-2:123456789102:stateMachine:handlerExxxxxxx-xxxxxxxx because no identity-based policy allows the states:StartSyncExecution action"}%

Visual Proof

Severity Medium - EXPRESS State Machine invocation is not working with StartSyncExecution

Fix I was able to fix the bug by doing the following:

1. From your stack, pass stack into the StepFunctionsStartSyncExecutionIntegration as the Construct.

2. Edit the StepFunctionsStartSyncExecutionIntegration cosntructor to accept a Construct ( private readonly _scope: Construct )

3. Change the _fulfillRole function implementation to do the following:
   - Change 'this._props.stateMachine.grantStartExecution' to 'this._props.stateMachine.grantExecution(credentialsRole.grantPrincipal, 'states:StartSyncExecution')'
   - Next use credentialsRole.attachInlinePolicy() and add IAM Policy with PolicyStatement (with 'states:StartSyncExecution' as the actions) along with other parameters. You will need to pass the Construct (_scope) into the attachInlinePolicy().

This should fix the bug.

I would suggest looking into StepFunctionsStartExecutionIntegration implementation too as I dd not see any attached policy and I'm not sure if it works correctly or not.

The bug is now fixed!!

[diegotry]

this one says StartExecution but later on L79 you are giving permission to StartSyncExecution.

Also resources [*] should be avoided if you have the state machine.

[saqibdhuka]

Good Note. I will fix this. Thank you

[diegotry]

I believe this should be removed.

[saqibdhuka]

This attaches the policy and fixes the permission bug mentioned above.

[diegotry]

but this is for StartExecution, not StartSyncExecution right? They are different constructs and therefore requires different permissions.

[saqibdhuka]

yes I have fixed that in the push

[diegotry]

could you please clarify what is this line of code doing?

[saqibdhuka]

It grants the execution permission, but does not attach the policy. That needs to be done explicitly.

[diegotry]

I believe permission to * should be avoided as you have the state machine. It should give permission only to the state machine ARN as a best practice (least privilege).

[saqibdhuka]

Yes that is correct. I will fix this. Thank you.

[diegotry]

doesn't StartExecution also accepts a traceheader?

[saqibdhuka]

Yes it does.

[diegotry]

should this be called ApiGatewayIntegrationRole?

[saqibdhuka]

Yes. I will fix that

[diegotry]

I believe the template files should be removed from your request.

[diegotry]

there's a bunch of files that are not related to your change. Example: Lambda Hot swap

[diegotry]

I believe this should be lowercase.

[saqibdhuka]

I will fix that

[diegotry]

I wonder if this should be the state machine arn instead of the resource. Did it work if you try to deploy?

[saqibdhuka]

nope it does not work. it needs the resource.

[diegotry]

should you validate if the other resources are also created? The IAM Role for example

[saqibdhuka]

IAM Role did not show up in the properties when testing, but I will add more extended tests for both.

[diegotry]

should this include some assertions? What is this test file doing?

[saqibdhuka]

It is integration testing. While testing, it validates the test against expected json.

[diegotry]

same question as above.

[saqibdhuka]

It is integration testing. While testing, it validates the test against expected json.

[nija-at]

1. This PR is changing unrelated files and has merge conflicts. Please update the PR to the latest master and make sure only the necessary changes are here.

2. Please add a section to the README with a sample usage.

Pull request has been modified.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
• Commit ID: 1e2999c
• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[TheRealAmazonKendra]

This PR has been deemed to be abandoned, and will be closed. Please create a new PR for these changes if you think this decision has been made in error.