aws-cdk-lib/aws-stepfunctions: incorrect resource in ECS ecs:RunTask for State Machines #30751
Comments
nicor88
added
bug
ashishdhingra
added
needs-reproduction
|
Reproducible using below CDK code: import * as cdk from 'aws-cdk-lib';
import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as ecs from 'aws-cdk-lib/aws-ecs';
export class StepStack extends cdk.Stack {
constructor(app: cdk.App, id: string, props: cdk.StackProps) {
super(app, id, props);
const vpc = ec2.Vpc.fromLookup(this, 'Vpc', {
isDefault: true,
});
const cluster = new ecs.Cluster(this, 'Ec2Cluster', { vpc });
const taskDefinition = new ecs.FargateTaskDefinition(this, 'TD', {
cpu: 256,
memoryLimitMiB: 512,
});
taskDefinition.addContainer('TheContainer', {
image: ecs.ContainerImage.fromRegistry('public.ecr.aws/docker/library/busybox:unstable-uclibc'),
memoryLimitMiB: 256,
command: ['sh', '-c', 'ping google.com -c 2'],
logging: new ecs.AwsLogDriver({
streamPrefix: 'demo',
}),
});
const runTask = new tasks.EcsRunTask(this, 'Run', {
integrationPattern: sfn.IntegrationPattern.RUN_JOB,
cluster,
taskDefinition,
assignPublicIp: true,
launchTarget: new tasks.EcsFargateLaunchTarget(),
});
const startState = new sfn.Pass(this, 'StartState');
const definition = startState
.next(runTask);
new sfn.StateMachine(this, 'StateMachine', {
definition,
timeout: cdk.Duration.minutes(5),
});
}
}It generates State Machine role with default policy as shown below (clearly flagging Most likely an issue here. |
ashishdhingra
added
p2
effort/small
|
@ashishdhingra thanks for the snippet. @msambol default to
|
|
Sorry for the delayed response. That sounds like the right thing to do. Before approving the PR, I want to quickly double check the following:
|
|
|
Thanks for the clarification. I approved the PR by @msambol. |
|
Comments on closed issues and PRs are hard for our team to see. |
1 similar comment
|
Comments on closed issues and PRs are hard for our team to see. |
### Issue # (if applicable) Closes aws#30751. ### Reason for this change `runTask` on `${taskDefinitionFamilyArn}` is no longer relevant (see validation errors in the linked issue. This was currently disabled with a FF. This PR removes the permission entirely, and removes the FF. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. |
Describe the bug
The policy generated in case of ECS tasks trigger in a state machine are of this type:
the Resource
"arn:aws:ecs:eu-central-1:xxxx:task-definition/my-task"is not a valid one, the policy validator fail in the UI (even if I'm able to deploy) and there is an AWS notification about my state machine role.Expected Behavior
The resource used for ecs:RunTask is simply:
"arn:aws:ecs:eu-central-1:xxxx:task-definition/my-task:*",Current Behavior
the resources for ecs:RunTask are:
Reproduction Steps
Create a state machine invoking an ecs task
Possible Solution
Simply remove the not necessary resource from then policy attach to the IAM role used by the statemachine.
Creating a role, and passing to sfn.StateMachine doesn't help, because an inline policy with the wrong inline policy is attach to the custom role.
Additional Information/Context
No response
CDK CLI Version
2.147.3
Framework Version
No response
Node.js Version
v18.0.0
OS
MacOs
Language
TypeScript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: