feat(stepfunctions-tasks): step functions task for cross-region AWS API call

[tmokmss]

Issue # (if applicable)

Closes #29918.

Reason for this change

It would be useful if we could call AWS API across regions from a Step Functions state machine. Currently it is not officially supported even with AWS SDK integration tasks.

Our usecase is to automate a cross-region failover scenario in a multi-region application. This requires you to orchestrate multiple API calls for both active and standby regions (e.g. failover Aurora DB cluster, rewrite AppConfig parameter, etc), and it would be great if we can manage these operations in a single state machine.

Description of changes

This PR adds a new construct CallAwsServiceCrossRegion that deploys 1. a Lambda function to call AWS API in different regions 2. SFn task to call the function.

Because most properties are compatible with the existing CallAwsService construct, you can use the new construct by just adding the region property.

Additionally, it also allows to set endpoint to override AWS API endpoint, because some AWS APIs requires you to override it. (e.g. Route53 ARC)

Here's example code to define this new SFn task:

    const pollTable = new tasks.CallAwsServiceCrossRegion(this, 'DescribeTable', {
      service: 'dynamodb',
      action: 'describeTable',
      parameters: {
        TableName: tableName,
      },
      // You can set any region in the same partition
      region: 'ap-northeast-1',
    });

Description of how you validated changes

Added unit tests and integ tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[nmussy]

Looks good overall, just some concerns and minor comments. I'm also wondering if it's better for maintainability not to create a new class, and to reuse the existing CallAwsService, and just to add an optional crossRegionTarget prop

[nmussy]

Correct me if I'm wrong, but normalizeServiceName is not being ran for your handler? It would allow us to keep the same pattern as other services props, see AwsSdkCall:

aws-cdk/packages/@aws-cdk/aws-custom-resource-sdk-adapter/lib/api-call.ts

Line 65 in fff9cf6

this.service = normalizeServiceName(service);

aws-cdk/packages/@aws-cdk/aws-custom-resource-sdk-adapter/lib/sdk-info.ts

Lines 10 to 15 in fff9cf6

	export function normalizeServiceName(service: string) {
	service = service.toLowerCase(); // Lowercase
	service = service.replace(/^@aws-sdk\/client-/, ''); // Strip the start of a V3 package name
	service = v2ToV3Mapping()?.[service] ?? service; // Optionally map v2 name -> v3 name
	return service;
	}

[tmokmss]

I'd like to keep this feature and API as simple as possible to lower the maintenance cost. AwsSdkCall code has become such complicated mostly for backward compatibility reason. Since this feature is new, we don't have to introduce the complexity at all.

Also the API is aimed to be compatible with the existing CallAwsService construct (and it should), which also does not support normalizing service names.

[nmussy]

I'll let the maintainer weigh in, I think it's a nice piece of QoL, but I understand your maintainability concern

[GavinZZ]

To help me understand, can you elaborate on your concern? What maintenance cost are you concerned with using AwsSdkCall code.

[tmokmss]

AwsSdkCall's code is mainly to solve the v2-v3 compatibility problem. Since this construct does not require such compatibility, I think there is little advantage to using the existing code. After all, the new Lambda is only code under 100 lines. Also, if we want to reuse the existing code, we need to refactor it first (for example, currently it's only for CFn custom resource handler, but this one is for invocation from SFn). Given the ROI, I'd rather keep them independent.

[nmussy]

See comment about normalizeServiceName

[nmussy]

Similarly, you should be able to use normalizeActionName, see AwsSdkCall:

aws-cdk/packages/@aws-cdk/aws-custom-resource-sdk-adapter/lib/sdk-info.ts

Lines 10 to 16 in fff9cf6

	export function normalizeServiceName(service: string) {
	service = service.toLowerCase(); // Lowercase
	service = service.replace(/^@aws-sdk\/client-/, ''); // Strip the start of a V3 package name
	service = v2ToV3Mapping()?.[service] ?? service; // Optionally map v2 name -> v3 name
	return service;
	}

[tmokmss]

Same as service name, I'd like to intentionally only support action names in camelCase.

[nmussy]

See comment about normalizeActionName

[tmokmss]

Hi @nmussy, thanks for the comments.

reuse the existing CallAwsService, and just to add an optional crossRegionTarget prop

I considered this approach as well but chose the current approach, because with the current approach we can easily avoid from future breaking changes when SFn will officially start to support cross-region API call; we can just deprecate CallAwsServiceCrossRegion construct and add the official functionality to CallAwsService construct.

[nmussy]

LGTM, just a couple of pending comments

[GavinZZ]

Left some minor feedbacks. Also have a high-level questions I want to clarify on. There's already a stepfunctions task for CallAwsService. Is the reason of building this cross-region-aws-sdk-handler using custom resource lambda function because the AWS SDK service integrations do not support cross region invocation?

[GavinZZ]

Question: does it only support one single action? What would users do if I want to support multiple actions?

[tmokmss]

In that case, you can use additionalIamStatements. I agree that this should ideally be iamActions?: string[], but then the API becomes less compatible with CallAwsService construct. I think it's okay to leave this as-is because most API only requires a single IAM action anyway. Wdyt?

[GavinZZ]

Can you share an example how to use additionalIamStatements with another action? I also think it would be nice to add this example to the readme file.

[tmokmss]

Sure, but that is same as CallAwsService, which is described here:

aws-cdk/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md

Lines 233 to 245 in c826d8f

	```ts
	const detectLabels = new tasks.CallAwsService(this, 'DetectLabels', {
	service: 'rekognition',
	action: 'detectLabels',
	iamResources: ['*'],
	additionalIamStatements: [
	new iam.PolicyStatement({
	actions: ['s3:getObject'],
	resources: ['arn:aws:s3:::my-bucket/*'],
	}),
	],
	});
	```

so I added a line as below:

Other properties such as additionalIamStatements can be used in the same way as the CallAwsService task.

[GavinZZ]

Sounds good, thank you!

[GavinZZ]

To help me understand, can you elaborate on your concern? What maintenance cost are you concerned with using AwsSdkCall code.

[tmokmss]

Hi @GavinZZ, thank you so much for the review!

Is the reason of building this cross-region-aws-sdk-handler using custom resource lambda function because the AWS SDK service integrations do not support cross region invocation

Yes. According to the doc:

Currently, cross-Region AWS SDK integration and cross-Region AWS resource access aren't available in Step Functions.
https://docs.aws.amazon.com/step-functions/latest/dg/concepts-access-cross-acct-resources.html

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Pull request has been modified.

[tmokmss]

@GavinZZ Integ test failed due to a recent mainline change #30108. Looking forward to your re-approval 🙏 Thanks!

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 6e6693e
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.