"StepFunctionsStartSyncExecutionIntegration and StepFunctionsStartExe…

…cutionIntegration fixed to attach Inline Policy for credentialsRole. Fixed README to change input for correct input passing. Fixed Unit and Integration tests. All tests passing. Permissions bug mentioned in the PR is now fixed. Fix Bug awsGH-14498."
zxkane · Sep 29, 2021 · 77ab275 · 77ab275
1 parent 9697e9b
commit 77ab275
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 16 deletions.
diff --git a/packages/@aws-cdk/aws-apigatewayv2-integrations/README.md b/packages/@aws-cdk/aws-apigatewayv2-integrations/README.md
@@ -101,7 +101,7 @@ httpApi.addRoutes({
   methods: [ HttpMethod.POST ],
   integration: new StepFunctionsStartExecutionIntegration({
     stateMachine: state,
-    input: '$request.body.input',
+    input: '$request.body',
     timeout: Duration.seconds(10),
   }),
 });

diff --git a/packages/@aws-cdk/aws-apigatewayv2-integrations/lib/http/aws.ts b/packages/@aws-cdk/aws-apigatewayv2-integrations/lib/http/aws.ts
@@ -1,5 +1,6 @@
-import { IRole } from '@aws-cdk/aws-iam';
+import * as iam from '@aws-cdk/aws-iam';
 import { IStateMachine } from '@aws-cdk/aws-stepfunctions';
+import { Construct } from 'constructs';
 import { AwsServiceIntegration, AwsServiceIntegrationProps } from './private/integration';
 
 /**
@@ -53,7 +54,7 @@ export interface StepFunctionsStartExecutionIntegrationProps extends AwsServiceI
  */
 export class StepFunctionsStartExecutionIntegration extends StepFunctionsIntegration {
 
-  constructor(private readonly _props: StepFunctionsStartExecutionIntegrationProps) {
+  constructor(private readonly _scope: Construct, private readonly _props: StepFunctionsStartExecutionIntegrationProps) {
     super(_props);
   }
 
@@ -69,8 +70,20 @@ export class StepFunctionsStartExecutionIntegration extends StepFunctionsIntegra
    *
    * @internal
    */
-  protected _fulfillRole(credentialsRole: IRole): void {
+  protected _fulfillRole(credentialsRole: iam.IRole): void {
     this._props.stateMachine.grantStartExecution(credentialsRole);
+    credentialsRole.attachInlinePolicy(
+      new iam.Policy(this._scope, 'AllowSfnSyncExec', {
+        statements: [
+          new iam.PolicyStatement({
+            actions: ['states:StartSyncExecution'],
+            effect: iam.Effect.ALLOW,
+            resources: ['*'],
+          }),
+        ],
+      }),
+    );
+
   }
 
   /**
@@ -105,7 +118,7 @@ export interface StepFunctionsStartSyncExecutionIntegrationProps extends StepFun
  */
 export class StepFunctionsStartSyncExecutionIntegration extends StepFunctionsIntegration {
 
-  constructor(private readonly _props: StepFunctionsStartSyncExecutionIntegrationProps) {
+  constructor(private readonly _scope: Construct, private readonly _props: StepFunctionsStartSyncExecutionIntegrationProps) {
     super(_props);
   }
 
@@ -121,8 +134,21 @@ export class StepFunctionsStartSyncExecutionIntegration extends StepFunctionsInt
    *
    * @internal
    */
-  protected _fulfillRole(credentialsRole: IRole): void {
-    this._props.stateMachine.grantStartExecution(credentialsRole);
+  protected _fulfillRole(credentialsRole: iam.IRole): void {
+
+    this._props.stateMachine.grantExecution(credentialsRole.grantPrincipal, 'states:StartSyncExecution');
+    credentialsRole.attachInlinePolicy(
+      new iam.Policy(this._scope, 'AllowSfnSyncExec', {
+        statements: [
+          new iam.PolicyStatement({
+            actions: ['states:StartSyncExecution'],
+            effect: iam.Effect.ALLOW,
+            resources: ['*'],
+          }),
+        ],
+      }),
+    );
+
   }
 
   /**

diff --git a/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/aws.test.ts b/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/aws.test.ts
@@ -11,10 +11,10 @@ describe('AwsServiceIntegration', () => {
 
     new HttpRoute(stack, 'StepFunctionsStartExeRoute', {
       httpApi: api,
-      integration: new StepFunctionsStartExecutionIntegration({
+      integration: new StepFunctionsStartExecutionIntegration(stack, {
         stateMachine: stateMachine(stack),
         name: 'MyExe',
-        input: '$request.body.input',
+        input: '$request.body',
         timeout: Duration.seconds(10),
         description: 'Start execution of state machine',
       }),
@@ -35,7 +35,7 @@ describe('AwsServiceIntegration', () => {
         StateMachineArn: {
           Ref: 'MyStateMachine6C968CA5',
         },
-        Input: '$request.body.input',
+        Input: '$request.body',
         Name: 'MyExe',
       },
       TimeoutInMillis: 10000,
@@ -48,7 +48,7 @@ describe('AwsServiceIntegration', () => {
 
     new HttpRoute(stack, 'StepFunctionsStartSyncExeRoute', {
       httpApi: api,
-      integration: new StepFunctionsStartSyncExecutionIntegration({
+      integration: new StepFunctionsStartSyncExecutionIntegration(stack, {
         stateMachine: stateMachine(stack),
         input: {
           a: 'b',

diff --git a/...ages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.aws-integration.expected.json b/...ages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.aws-integration.expected.json
@@ -91,7 +91,7 @@
         ]
       }
     },
-    "AwsIntegrationApiDefaultRouteHttpIntegration537920e78a2bcc139296f1727fb9aebf9BA3DE24": {
+    "AwsIntegrationApiDefaultRouteHttpIntegration763d61b4364cdaa5d7369cd69c4cd3b7DD528130": {
       "Type": "AWS::ApiGatewayV2::Integration",
       "Properties": {
         "ApiId": {
@@ -110,7 +110,7 @@
           "StateMachineArn": {
             "Ref": "MyStateMachine6C968CA5"
           },
-          "Input": "$request.body.input"
+          "Input": "$request.body"
         }
       }
     },
@@ -127,7 +127,7 @@
             [
               "integrations/",
               {
-                "Ref": "AwsIntegrationApiDefaultRouteHttpIntegration537920e78a2bcc139296f1727fb9aebf9BA3DE24"
+                "Ref": "AwsIntegrationApiDefaultRouteHttpIntegration763d61b4364cdaa5d7369cd69c4cd3b7DD528130"
               }
             ]
           ]
@@ -143,6 +143,27 @@
         "StageName": "$default",
         "AutoDeploy": true
       }
+    },
+    "AllowSfnSyncExec72CF68FA": {
+      "Type": "AWS::IAM::Policy",
+      "Properties": {
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": "states:StartSyncExecution",
+              "Effect": "Allow",
+              "Resource": "*"
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "PolicyName": "AllowSfnSyncExec72CF68FA",
+        "Roles": [
+          {
+            "Ref": "AwsIntegrationApiDefaultRouteRole281F5707"
+          }
+        ]
+      }
     }
   },
   "Outputs": {

diff --git a/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.aws-integration.ts b/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.aws-integration.ts
@@ -18,9 +18,9 @@ const state = new StateMachine(stack, 'MyStateMachine', {
 });
 
 const endpoint = new HttpApi(stack, 'AwsIntegrationApi', {
-  defaultIntegration: new StepFunctionsStartExecutionIntegration({
+  defaultIntegration: new StepFunctionsStartExecutionIntegration(stack, {
     stateMachine: state,
-    input: '$request.body.input',
+    input: '$request.body',
   }),
 });