From 77ab275b07f06a5aa5abd9ac101d63f05b4eb4c7 Mon Sep 17 00:00:00 2001
From: Saqib Dhuka
Date: Wed, 29 Sep 2021 19:43:16 +0000
Subject: [PATCH] "StepFunctionsStartSyncExecutionIntegration and StepFunctionsStartExecutionIntegration fixed to attach Inline Policy for credentialsRole. Fixed README to change input for correct input passing. Fixed Unit and Integration tests. All tests passing. Permissions bug mentioned in the PR is now fixed. Fix Bug GH-14498."
---
 .../aws-apigatewayv2-integrations/README.md | 2 +-
 .../lib/http/aws.ts | 38 ++++++++++++++++---
 .../test/http/aws.test.ts | 8 ++--
 .../http/integ.aws-integration.expected.json | 27 +++++++++++-
 .../test/http/integ.aws-integration.ts | 4 +-
 5 files changed, 63 insertions(+), 16 deletions(-)
diff --git a/packages/@aws-cdk/aws-apigatewayv2-integrations/README.md b/packages/@aws-cdk/aws-apigatewayv2-integrations/README.md
index c3e28c7484081..7185dbabc6042 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-integrations/README.md
+++ b/packages/@aws-cdk/aws-apigatewayv2-integrations/README.md
@@ -101,7 +101,7 @@ httpApi.addRoutes({
 methods: [ HttpMethod.POST ],
 integration: new StepFunctionsStartExecutionIntegration({
 stateMachine: state,
- input: '$request.body.input',
+ input: '$request.body',
 timeout: Duration.seconds(10),
 }),
 });
diff --git a/packages/@aws-cdk/aws-apigatewayv2-integrations/lib/http/aws.ts b/packages/@aws-cdk/aws-apigatewayv2-integrations/lib/http/aws.ts
index 8534c3ec62c9a..8ab4e2c353fc6 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-integrations/lib/http/aws.ts
+++ b/packages/@aws-cdk/aws-apigatewayv2-integrations/lib/http/aws.ts
@@ -1,5 +1,6 @@
-import { IRole } from '@aws-cdk/aws-iam';
+import * as iam from '@aws-cdk/aws-iam';
 import { IStateMachine } from '@aws-cdk/aws-stepfunctions';
+import { Construct } from 'constructs';
 import { AwsServiceIntegration, AwsServiceIntegrationProps } from './private/integration';
 /**
@@ -53,7 +54,7 @@ export interface StepFunctionsStartExecutionIntegrationProps extends AwsServiceI
 */
 export class StepFunctionsStartExecutionIntegration extends StepFunctionsIntegration {
- constructor(private readonly _props: StepFunctionsStartExecutionIntegrationProps) {
+ constructor(private readonly _scope: Construct, private readonly _props: StepFunctionsStartExecutionIntegrationProps) {
 super(_props);
 }
@@ -69,8 +70,20 @@ export class StepFunctionsStartExecutionIntegration extends StepFunctionsIntegra
 *
 * @internal
 */
- protected _fulfillRole(credentialsRole: IRole): void {
+ protected _fulfillRole(credentialsRole: iam.IRole): void {
 this._props.stateMachine.grantStartExecution(credentialsRole);
+ credentialsRole.attachInlinePolicy(
+ new iam.Policy(this._scope, 'AllowSfnSyncExec', {
+ statements: [
+ new iam.PolicyStatement({
+ actions: ['states:StartSyncExecution'],
+ effect: iam.Effect.ALLOW,
+ resources: ['*'],
+ }),
+ ],
+ }),
+ );
+
 }
 /**
@@ -105,7 +118,7 @@ export interface StepFunctionsStartSyncExecutionIntegrationProps extends StepFun
 */
 export class StepFunctionsStartSyncExecutionIntegration extends StepFunctionsIntegration {
- constructor(private readonly _props: StepFunctionsStartSyncExecutionIntegrationProps) {
+ constructor(private readonly _scope: Construct, private readonly _props: StepFunctionsStartSyncExecutionIntegrationProps) {
 super(_props);
 }
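Review bot: The new `_scope: Construct` parameter on `StepFunctionsStartExecutionIntegration` changes the public constructor signature, yet the README example in this same commit still reads `integration: new StepFunctionsStartExecutionIntegration({` with no scope argument, so the documented usage no longer compiles; it should become `integration: new StepFunctionsStartExecutionIntegration(stack, {` (or whichever construct the example has in scope). The scope appears to exist only to host an `iam.Policy`; if the grant is made through `credentialsRole.addToPrincipalPolicy(...)` or the state machine's grant helpers instead, the extra constructor argument and the breaking change can be avoided. Either way the commit message should state that the constructor signature changed. The constructor is complete within the hunk; the class continues past it.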
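Review bot: The `attachInlinePolicy` block added to `_fulfillRole` of the asynchronous `StepFunctionsStartExecutionIntegration` grants `states:StartSyncExecution` on `resources: ['*']`, but this integration only needs StartExecution, which `grantStartExecution(credentialsRole)` on the line above already grants scoped to the state machine ARN; the new statement lets the API's credentials role synchronously start every state machine in the account for no benefit. I would delete the whole `credentialsRole.attachInlinePolicy(...)` call from this method. Independently, `new iam.Policy(this._scope, 'AllowSfnSyncExec', ...)` uses a fixed construct id in a caller-supplied scope, so a second integration created in the same scope (two routes in one stack, or one of each kind, since the sync class uses the same id) fails at synth with a duplicate-construct error. The method is complete within the hunk; the class continues past it.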
@@ -121,8 +134,21 @@ export class StepFunctionsStartSyncExecutionIntegration extends StepFunctionsInt
 *
 * @internal
 */
- protected _fulfillRole(credentialsRole: IRole): void {
- this._props.stateMachine.grantStartExecution(credentialsRole);
+ protected _fulfillRole(credentialsRole: iam.IRole): void {
+
+ this._props.stateMachine.grantExecution(credentialsRole.grantPrincipal, 'states:StartSyncExecution');
+ credentialsRole.attachInlinePolicy(
+ new iam.Policy(this._scope, 'AllowSfnSyncExec', {
+ statements: [
+ new iam.PolicyStatement({
+ actions: ['states:StartSyncExecution'],
+ effect: iam.Effect.ALLOW,
+ resources: ['*'],
+ }),
+ ],
+ }),
+ );
+
 }
 /**
diff --git a/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/aws.test.ts b/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/aws.test.ts
index 6bfb85f7ea290..5381ef2fa5afa 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/aws.test.ts
+++ b/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/aws.test.ts
@@ -11,10 +11,10 @@ describe('AwsServiceIntegration', () => {
 new HttpRoute(stack, 'StepFunctionsStartExeRoute', {
 httpApi: api,
- integration: new StepFunctionsStartExecutionIntegration({
+ integration: new StepFunctionsStartExecutionIntegration(stack, {
 stateMachine: stateMachine(stack),
 name: 'MyExe',
- input: '$request.body.input',
+ input: '$request.body',
 timeout: Duration.seconds(10),
 description: 'Start execution of state machine',
 }),
@@ -35,7 +35,7 @@ describe('AwsServiceIntegration', () => {
 StateMachineArn: {
 Ref: 'MyStateMachine6C968CA5',
 },
- Input: '$request.body.input',
+ Input: '$request.body',
 Name: 'MyExe',
 },
 TimeoutInMillis: 10000,
@@ -48,7 +48,7 @@ describe('AwsServiceIntegration', () => {
 new HttpRoute(stack, 'StepFunctionsStartSyncExeRoute', {
 httpApi: api,
- integration: new StepFunctionsStartSyncExecutionIntegration({
+ integration: new StepFunctionsStartSyncExecutionIntegration(stack, {
 stateMachine: stateMachine(stack),
 input: {
 a: 'b',
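Review bot: `resources: ['*']` on the `states:StartSyncExecution` statement in `StepFunctionsStartSyncExecutionIntegration._fulfillRole` lets the API's credentials role synchronously start any state machine in the account, when only `this._props.stateMachine` should be startable; IAM accepts a state-machine ARN as the resource for this action, so the grant can be scoped exactly like `grantStartExecution` scopes StartExecution, e.g. `this._props.stateMachine.grant(credentialsRole, 'states:StartSyncExecution');` if `IStateMachine.grant(identity, ...actions)` exists in this version, otherwise `credentialsRole.addToPrincipalPolicy(new iam.PolicyStatement({ actions: ['states:StartSyncExecution'], resources: [this._props.stateMachine.stateMachineArn] }));`. That one scoped grant would replace both the `grantExecution(...)` call (which, as far as I can tell, targets execution ARNs rather than the state machine ARN and so does not authorise StartSyncExecution on its own — presumably why the wildcard policy was added) and the `_scope`-bound `iam.Policy`. As written, the fixed id `'AllowSfnSyncExec'` under `this._scope` also collides when two integrations are created in the same scope. If the wildcard must remain, a comment such as `// NOTE: '*' because <reason>; StartSyncExecution supports resource-level permissions, so narrow this if possible` should say why it cannot be narrowed. The method is complete within the hunk; the class continues past it.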
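Review bot: The test hunks only pass `stack` to the constructors and switch `input` to `'$request.body'`; nothing visible asserts that the credentials role receives the `states:StartSyncExecution` permission, which is the permissions bug this commit says it fixes, so a regression would go unnoticed. I would add, in the sync-execution test, an assertion on the generated `AWS::IAM::Policy` (or the role's default policy) document, e.g. checking for a statement with `Action: 'states:StartSyncExecution'` whose `Resource` is the state machine ARN rather than `'*'`, using whatever assertion helper this test file already uses. The `describe` block and both test bodies continue outside these hunks, so such an assertion may already exist further down.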
diff --git a/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.aws-integration.expected.json b/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.aws-integration.expected.json
index 0dbf462ad57e6..399ee608b6e95 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.aws-integration.expected.json
+++ b/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.aws-integration.expected.json
@@ -91,7 +91,7 @@
 ]
 }
 },
- "AwsIntegrationApiDefaultRouteHttpIntegration537920e78a2bcc139296f1727fb9aebf9BA3DE24": {
+ "AwsIntegrationApiDefaultRouteHttpIntegration763d61b4364cdaa5d7369cd69c4cd3b7DD528130": {
 "Type": "AWS::ApiGatewayV2::Integration",
 "Properties": {
 "ApiId": {
@@ -110,7 +110,7 @@
 "StateMachineArn": {
 "Ref": "MyStateMachine6C968CA5"
 },
- "Input": "$request.body.input"
+ "Input": "$request.body"
 }
 }
 },
@@ -127,7 +127,7 @@
 [
 "integrations/",
 {
- "Ref": "AwsIntegrationApiDefaultRouteHttpIntegration537920e78a2bcc139296f1727fb9aebf9BA3DE24"
+ "Ref": "AwsIntegrationApiDefaultRouteHttpIntegration763d61b4364cdaa5d7369cd69c4cd3b7DD528130"
 }
 ]
 ]
@@ -143,6 +143,27 @@
 "StageName": "$default",
 "AutoDeploy": true
 }
+ },
+ "AllowSfnSyncExec72CF68FA": {
+ "Type": "AWS::IAM::Policy",
+ "Properties": {
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Action": "states:StartSyncExecution",
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ],
+ "Version": "2012-10-17"
+ },
+ "PolicyName": "AllowSfnSyncExec72CF68FA",
+ "Roles": [
+ {
+ "Ref": "AwsIntegrationApiDefaultRouteRole281F5707"
+ }
+ ]
+ }
 }
 },
 "Outputs": {
diff --git a/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.aws-integration.ts b/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.aws-integration.ts
index 5ebbd9fa847cb..9dbd7ac1c94c3 100644
--- a/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.aws-integration.ts
+++ b/packages/@aws-cdk/aws-apigatewayv2-integrations/test/http/integ.aws-integration.ts
@@ -18,9 +18,9 @@ const state = new StateMachine(stack, 'MyStateMachine', {
 });
 const endpoint = new HttpApi(stack, 'AwsIntegrationApi', {
- defaultIntegration: new StepFunctionsStartExecutionIntegration({
+ defaultIntegration: new StepFunctionsStartExecutionIntegration(stack, {
 stateMachine: state,
- input: '$request.body.input',
+ input: '$request.body',
 }),
 });