diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/aws-sfn-tasks-ecs-run-task.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/aws-sfn-tasks-ecs-run-task.assets.json index e4a7c7b822ca8..3ea93a51b4a29 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/aws-sfn-tasks-ecs-run-task.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/aws-sfn-tasks-ecs-run-task.assets.json @@ -1,7 +1,7 @@ { "version": "36.0.0", "files": { - "a2ab39fe0d946767a488ce04eb51fffb041276b29879387f4fe7dcad7f577c37": { + "034d7f988da203540ca02686cfe2cc037bc70239c1f4d051a369c99f8fa0fac1": { "source": { "path": "aws-sfn-tasks-ecs-run-task.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "a2ab39fe0d946767a488ce04eb51fffb041276b29879387f4fe7dcad7f577c37.json", + "objectKey": "034d7f988da203540ca02686cfe2cc037bc70239c1f4d051a369c99f8fa0fac1.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/aws-sfn-tasks-ecs-run-task.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/aws-sfn-tasks-ecs-run-task.template.json index b805e97be7941..f696732ceecda 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/aws-sfn-tasks-ecs-run-task.template.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/aws-sfn-tasks-ecs-run-task.template.json 
@@ -1070,231 +1070,118 @@ { "Action": "ecs:RunTask", "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 2, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 3, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 4, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 0, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - }, - "/", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 2, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 3, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 4, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 0, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - }, - "/", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - } - ] + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { 
+ "Fn::Select": [ + 2, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { + "Fn::Select": [ + 3, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { + "Fn::Select": [ + 4, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + } + ] + } + ] + }, + "/", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + } + ] + } + ] + }, + ":*" ] - } - ] + ] + } }, { "Action": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/manifest.json index 2106df50715cf..53c3cd6139c3f 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/manifest.json 
@@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a2ab39fe0d946767a488ce04eb51fffb041276b29879387f4fe7dcad7f577c37.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/034d7f988da203540ca02686cfe2cc037bc70239c1f4d051a369c99f8fa0fac1.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/tree.json index 35d22c14f4287..c79ff6d13fd7e 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/tree.json @@ -1765,7 +1765,7 @@ "id": "Run", "path": "aws-sfn-tasks-ecs-run-task/Run", "constructInfo": { - "fqn": "aws-cdk-lib.aws_stepfunctions_tasks.EcsRunTask", + "fqn": "aws-cdk-lib.aws_stepfunctions.TaskStateBase", "version": "0.0.0" } }, 
@@ -1825,231 +1825,118 @@ { "Action": "ecs:RunTask", "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 2, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 3, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 4, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 0, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - }, - "/", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 2, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 3, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 4, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 0, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - }, - "/", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - } - ] + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { 
+ "Fn::Select": [ + 2, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { + "Fn::Select": [ + 3, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { + "Fn::Select": [ + 4, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + } + ] + } + ] + }, + "/", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + } + ] + } + ] + }, + ":*" ] - } - ] + ] + } }, { "Action": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts index 05cb571dbd3d7..e4af41e57113b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts @@ -4,7 +4,7 @@ import * as ecs from 'aws-cdk-lib/aws-ecs'; import * as sfn from 'aws-cdk-lib/aws-stepfunctions'; import * as cdk from 'aws-cdk-lib'; import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks'; -import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api'; +import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP, ECS_REDUCE_RUN_TASK_PERMISSIONS } from 'aws-cdk-lib/cx-api'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; /* 
@@ -20,6 +20,7 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha'; const app = new cdk.App(); const stack = new cdk.Stack(app, 'aws-sfn-tasks-ecs-run-task'); stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false); +stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true); const cluster = new ecs.Cluster(stack, 'Ec2Cluster'); cluster.addCapacity('DefaultAutoScalingGroup', { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/aws-sfn-tasks-ecs-fargate-run-task.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/aws-sfn-tasks-ecs-fargate-run-task.assets.json index cb324b8ac0ca7..7ecf04e0d81ff 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/aws-sfn-tasks-ecs-fargate-run-task.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/aws-sfn-tasks-ecs-fargate-run-task.assets.json @@ -1,7 +1,7 @@ { "version": "36.0.0", "files": { - "0ca0554ec9ca9ad5a8c05f7cd0009a3e53dd3645de04e448b2afe776f7d1c945": { + "c53e190df9c2b45bab08c41d91ec855dce842f2caccb0d3a17a8304f6fe53059": { "source": { "path": "aws-sfn-tasks-ecs-fargate-run-task.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "0ca0554ec9ca9ad5a8c05f7cd0009a3e53dd3645de04e448b2afe776f7d1c945.json", + "objectKey": "c53e190df9c2b45bab08c41d91ec855dce842f2caccb0d3a17a8304f6fe53059.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
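Review bot: The new `stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true);` line opts the integ stack into the flag without recording why, and because the snapshot is regenerated under the flag, the default (flag-off) `ecs:RunTask` policy shape no longer has integ coverage; the same applies to the fargate stack's identical line in the integ.fargate-run-task.ts hunk later on this page. From the regenerated template the visible effect is that the `ecs:RunTask` statement now carries a single `task-definition/<family>:*` resource where it previously also listed a revision-less `task-definition/<family>` ARN, so a short comment above the line would let the next reader tie the test to the flag: `// Opt in to the reduced ecs:RunTask grant (single task-definition/<family>:* resource); the legacy flag-off policy is not exercised by this snapshot`. The run-task.ts implementation hunk that the flag switches on starts past the last line of this page, so whether the flag-off path retains a unit test is presumed rather than seen here; worth confirming before the old integ coverage is dropped.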
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/aws-sfn-tasks-ecs-fargate-run-task.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/aws-sfn-tasks-ecs-fargate-run-task.template.json index 44394dfa9a8ef..bcb8e3e62506c 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/aws-sfn-tasks-ecs-fargate-run-task.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/aws-sfn-tasks-ecs-fargate-run-task.template.json 
@@ -617,231 +617,118 @@ { "Action": "ecs:RunTask", "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 2, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 3, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 4, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 0, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - }, - "/", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 2, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 3, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 4, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 0, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - }, - "/", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - } - ] + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { + 
"Fn::Select": [ + 2, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { + "Fn::Select": [ + 3, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { + "Fn::Select": [ + 4, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + } + ] + } + ] + }, + "/", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + } + ] + } + ] + }, + ":*" ] - } - ] + ] + } }, { "Action": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/manifest.json index 1c19eb3e4901a..ba001677be308 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/manifest.json 
@@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/0ca0554ec9ca9ad5a8c05f7cd0009a3e53dd3645de04e448b2afe776f7d1c945.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c53e190df9c2b45bab08c41d91ec855dce842f2caccb0d3a17a8304f6fe53059.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/tree.json index 9bb649587067d..6a5da72d4e382 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.js.snapshot/tree.json @@ -20,8 +20,8 @@ "aws:cdk:cloudformation:props": {} }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ecs.CfnCluster", + "version": "0.0.0" } }, "Vpc": { @@ -47,8 +47,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnVPC", + "version": "0.0.0" } }, "PublicSubnet1": { 
@@ -91,16 +91,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" } }, "Acl": { "id": "Acl", "path": "aws-sfn-tasks-ecs-fargate-run-task/FargateCluster/Vpc/PublicSubnet1/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -121,8 +121,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" } }, "RouteTableAssociation": { @@ -140,8 +140,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" } }, "DefaultRoute": { @@ -160,8 +160,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" } }, "EIP": { @@ -180,8 +180,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "version": "0.0.0" } }, "NATGateway": { @@ -208,14 +208,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "version": "0.0.0" } }, "PublicSubnet2": { @@ -258,16 +258,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" } }, "Acl": { "id": "Acl", "path": "aws-sfn-tasks-ecs-fargate-run-task/FargateCluster/Vpc/PublicSubnet2/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { 
@@ -288,8 +288,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" } }, "RouteTableAssociation": { @@ -307,8 +307,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" } }, "DefaultRoute": { @@ -327,8 +327,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" } }, "EIP": { @@ -347,8 +347,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "version": "0.0.0" } }, "NATGateway": { @@ -375,14 +375,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "version": "0.0.0" } }, "PrivateSubnet1": { @@ -425,16 +425,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" } }, "Acl": { "id": "Acl", "path": "aws-sfn-tasks-ecs-fargate-run-task/FargateCluster/Vpc/PrivateSubnet1/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -455,8 +455,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" } }, "RouteTableAssociation": { @@ -474,8 +474,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" } }, "DefaultRoute": { 
@@ -494,14 +494,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "version": "0.0.0" } }, "PrivateSubnet2": { @@ -544,16 +544,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" } }, "Acl": { "id": "Acl", "path": "aws-sfn-tasks-ecs-fargate-run-task/FargateCluster/Vpc/PrivateSubnet2/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -574,8 +574,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" } }, "RouteTableAssociation": { @@ -593,8 +593,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" } }, "DefaultRoute": { @@ -613,14 +613,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "version": "0.0.0" } }, "IGW": { @@ -638,8 +638,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnInternetGateway", + "version": "0.0.0" } }, "VPCGW": { 
@@ -657,20 +657,20 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCGatewayAttachment", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.Vpc", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ecs.Cluster", + "version": "0.0.0" } }, "TaskDef": { @@ -685,8 +685,8 @@ "id": "ImportTaskRole", "path": "aws-sfn-tasks-ecs-fargate-run-task/TaskDef/TaskRole/ImportTaskRole", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Resource": { @@ -710,14 +710,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" } }, "Resource": { @@ -770,8 +770,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ecs.CfnTaskDefinition", + "version": "0.0.0" } }, "TheContainer": { @@ -786,22 +786,22 @@ "id": "Staging", "path": "aws-sfn-tasks-ecs-fargate-run-task/TaskDef/TheContainer/AssetImage/Staging", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.AssetStaging", + "version": "0.0.0" } }, "Repository": { "id": "Repository", "path": "aws-sfn-tasks-ecs-fargate-run-task/TaskDef/TheContainer/AssetImage/Repository", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ecr.RepositoryBase", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ecr_assets.DockerImageAsset", + "version": "0.0.0" } }, "LogGroup": { 
@@ -816,20 +816,20 @@ "aws:cdk:cloudformation:props": {} }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_logs.CfnLogGroup", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_logs.LogGroup", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ecs.ContainerDefinition", + "version": "0.0.0" } }, "ExecutionRole": { @@ -840,8 +840,8 @@ "id": "ImportExecutionRole", "path": "aws-sfn-tasks-ecs-fargate-run-task/TaskDef/ExecutionRole/ImportExecutionRole", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Resource": { @@ -865,8 +865,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" } }, "DefaultPolicy": { @@ -942,34 +942,34 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ecs.FargateTaskDefinition", + "version": "0.0.0" } }, "Start": { "id": "Start", "path": "aws-sfn-tasks-ecs-fargate-run-task/Start", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_stepfunctions.Pass", + "version": "0.0.0" } }, "FargateTask": { 
@@ -1000,20 +1000,20 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_stepfunctions.TaskStateBase", + "version": "0.0.0" } }, "FargateTaskSetRevisionNumber": { @@ -1044,20 +1044,20 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_stepfunctions.TaskStateBase", + "version": "0.0.0" } }, "FargateTaskWithPropagatedTag": { @@ -1088,20 +1088,20 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_stepfunctions.TaskStateBase", + "version": "0.0.0" } }, "StateMachine": { @@ -1116,8 +1116,8 @@ "id": "ImportRole", "path": "aws-sfn-tasks-ecs-fargate-run-task/StateMachine/Role/ImportRole", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Resource": { @@ -1141,8 +1141,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" } }, "DefaultPolicy": { 
@@ -1160,231 +1160,118 @@ { "Action": "ecs:RunTask", "Effect": "Allow", - "Resource": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 2, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 3, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 4, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 0, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - }, - "/", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - }, - ":*" - ] - ] - }, - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 2, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 3, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 4, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - }, - ":", - { - "Fn::Select": [ - 0, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - }, - "/", - { - "Fn::Select": [ - 1, - { - "Fn::Split": [ - "/", - { - "Fn::Select": [ - 5, - { - "Fn::Split": [ - ":", - { - "Ref": "TaskDef54694570" - } - ] - } - ] - } - ] - } - ] - } - ] + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { 
+ "Fn::Select": [ + 2, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { + "Fn::Select": [ + 3, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { + "Fn::Select": [ + 4, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + }, + ":", + { + "Fn::Select": [ + 0, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + } + ] + } + ] + }, + "/", + { + "Fn::Select": [ + 1, + { + "Fn::Split": [ + "/", + { + "Fn::Select": [ + 5, + { + "Fn::Split": [ + ":", + { + "Ref": "TaskDef54694570" + } + ] + } + ] + } + ] + } + ] + }, + ":*" ] - } - ] + ] + } }, { "Action": [ @@ -1452,20 +1339,20 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" } }, "Resource": { 
@@ -1569,44 +1456,44 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_stepfunctions.CfnStateMachine", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_stepfunctions.StateMachine", + "version": "0.0.0" } }, "stateMachineArn": { "id": "stateMachineArn", "path": "aws-sfn-tasks-ecs-fargate-run-task/stateMachineArn", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnOutput", + "version": "0.0.0" } }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "aws-sfn-tasks-ecs-fargate-run-task/BootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "aws-sfn-tasks-ecs-fargate-run-task/CheckBootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" } }, "SfnTasksEcsFargateRunTaskTest": { @@ -1633,22 +1520,22 @@ "id": "BootstrapVersion", "path": "SfnTasksEcsFargateRunTaskTest/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "SfnTasksEcsFargateRunTaskTest/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" } } }, 
@@ -1673,8 +1560,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" } } } \ No newline at end of file
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts
index 3dad45d7604a3..98a31e84b9520 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts
@@ -3,7 +3,7 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
 import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
 import * as cdk from 'aws-cdk-lib';
 import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
-import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP, ECS_REDUCE_RUN_TASK_PERMISSIONS } from 'aws-cdk-lib/cx-api';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 
 /*
@@ -19,6 +19,7 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 const app = new cdk.App();
 const stack = new cdk.Stack(app, 'aws-sfn-tasks-ecs-fargate-run-task');
 stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
+stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true);
 
 const cluster = new ecs.Cluster(stack, 'FargateCluster');
 
diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts
index 72c0da31a447b..f23a0d68fc567 100644
--- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts
+++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts
@@ -5,6 +5,7 @@ import * as ecs from '../../../aws-ecs';
 import * as iam from '../../../aws-iam';
 import * as sfn from '../../../aws-stepfunctions';
 import * as cdk from '../../../core';
+import * as cxapi from '../../../cx-api';
 import { integrationResourceArn, validatePatternSupported } from '../private/task-utils';
 
 /**
@@ -346,16 +347,31 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable {
 private makePolicyStatements(): iam.PolicyStatement[] {
 const stack = cdk.Stack.of(this);
 
- // https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
 const taskDefinitionFamilyArn = this.getTaskDefinitionFamilyArn();
- const policyStatements = [
- new iam.PolicyStatement({
- actions: ['ecs:RunTask'],
- resources: [
- taskDefinitionFamilyArn,
- `${taskDefinitionFamilyArn}:*`,
- ],
- }),
+ const reduceRunTaskPermissions = cdk.FeatureFlags.of(this).isEnabled(cxapi.ECS_REDUCE_RUN_TASK_PERMISSIONS);
+ let policyStatements = [];
+
+ // https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
+ if (reduceRunTaskPermissions) {
+ policyStatements.push(
+ new iam.PolicyStatement({
+ actions: ['ecs:RunTask'],
+ resources: [`${taskDefinitionFamilyArn}:*`],
+ }),
+ );
+ } else {
+ policyStatements.push(
+ new iam.PolicyStatement({
+ actions: ['ecs:RunTask'],
+ resources: [
+ taskDefinitionFamilyArn,
+ `${taskDefinitionFamilyArn}:*`,
+ ],
+ }),
+ );
+ }
+
+ policyStatements.push(
 new iam.PolicyStatement({
 actions: ['ecs:StopTask', 'ecs:DescribeTasks'],
 resources: ['*'],
@@ -364,7 +380,7 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable {
 actions: ['iam:PassRole'],
 resources: this.taskExecutionRoles().map((r) => r.roleArn),
 }),
- ];
+ );
 
 if (this.integrationPattern === sfn.IntegrationPattern.RUN_JOB) {
 policyStatements.push(
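Review bot: `let policyStatements = [];` in makePolicyStatements leans on TypeScript's evolving-array inference and is never reassigned; declaring it as `const policyStatements: iam.PolicyStatement[] = [];` pins the element type at the declaration instead of at the first push. The if/else then builds two PolicyStatements that differ only in their resources list, so the RunTask grant is easier to audit as one statement with a conditional resources array, as sketched below. It is also worth a comment at that push that the reduced form `${taskDefinitionFamilyArn}:*` still matches every revision of the task definition family — the flag removes the bare family ARN, it does not pin a revision. makePolicyStatements continues past the end of the hunk.
```typescript
const reduceRunTaskPermissions = cdk.FeatureFlags.of(this).isEnabled(cxapi.ECS_REDUCE_RUN_TASK_PERMISSIONS);
const policyStatements: iam.PolicyStatement[] = [];

// https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
// `family:*` matches every revision of the task definition family; with the flag
// off the bare family ARN (no revision component) is granted as well.
policyStatements.push(new iam.PolicyStatement({
  actions: ['ecs:RunTask'],
  resources: reduceRunTaskPermissions
    ? [`${taskDefinitionFamilyArn}:*`]
    : [taskDefinitionFamilyArn, `${taskDefinitionFamilyArn}:*`],
}));
// … unchanged: ecs:StopTask/ecs:DescribeTasks and iam:PassRole statements …
```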
diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts
new file mode 100644
index 0000000000000..a4b8cf53b812e
--- /dev/null
+++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks-feature-flag.test.ts
@@ -0,0 +1,488 @@ +import { Template } from '../../../assertions'; +import * as autoscaling from '../../../aws-autoscaling'; +import * as ec2 from '../../../aws-ec2'; +import * as ecs from '../../../aws-ecs'; +import * as sfn from '../../../aws-stepfunctions'; +import { Stack } from '../../../core'; +import { ECS_REDUCE_RUN_TASK_PERMISSIONS } from '../../../cx-api'; +import * as tasks from '../../lib'; + +let stack: Stack; +let vpc: ec2.Vpc; +let cluster: ecs.Cluster; + +/* eslint-disable quote-props */ + +test('Setting ECS_REDUCE_RUN_TASK_PERMISSIONS to false grants extra permissions', () => { + stack = new Stack(); + stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, false); + vpc = new ec2.Vpc(stack, 'Vpc'); + cluster = new ecs.Cluster(stack, 'Cluster', { vpc }); + cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', { + autoScalingGroup: new autoscaling.AutoScalingGroup(stack, 'ASG', { + vpc, + instanceType: new ec2.InstanceType('t3.medium'), + machineImage: ec2.MachineImage.latestAmazonLinux2023(), + }), + })); + + const taskDefinition = new ecs.TaskDefinition(stack, 'TD', { + memoryMiB: '512', + cpu: '256', + compatibility: ecs.Compatibility.FARGATE, + }); + const containerDefinition = taskDefinition.addContainer('TheContainer', { + image: ecs.ContainerImage.fromRegistry('foo/bar'), + memoryLimitMiB: 256, + }); + + // WHEN + const runTask = new tasks.EcsRunTask(stack, 'RunFargate', { + integrationPattern: sfn.IntegrationPattern.RUN_JOB, + cluster, + taskDefinition, + containerOverrides: [ + { + containerDefinition, + environment: [{ name: 'SOME_KEY', value: sfn.JsonPath.stringAt('$.SomeKey') }], + }, + ], + launchTarget: new tasks.EcsFargateLaunchTarget({ + platformVersion: ecs.FargatePlatformVersion.VERSION1_4, + }), + }); + + new sfn.StateMachine(stack, 'SM', { + definitionBody: sfn.DefinitionBody.fromChainable(runTask), + }); + + // THEN + expect(stack.resolve(runTask.toStateJson())).toEqual({ + End: true, + Parameters: { + 
Cluster: { 'Fn::GetAtt': ['ClusterEB0386A7', 'Arn'] }, + LaunchType: 'FARGATE', + NetworkConfiguration: { + AwsvpcConfiguration: { + SecurityGroups: [{ 'Fn::GetAtt': ['RunFargateSecurityGroup709740F2', 'GroupId'] }], + Subnets: [{ Ref: 'VpcPrivateSubnet1Subnet536B997A' }, { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }], + }, + }, + PlatformVersion: '1.4.0', + TaskDefinition: 'TD', + Overrides: { + ContainerOverrides: [ + { + Environment: [ + { + Name: 'SOME_KEY', + 'Value.$': '$.SomeKey', + }, + ], + Name: 'TheContainer', + }, + ], + }, + }, + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':states:::ecs:runTask.sync', + ], + ], + }, + Type: 'Task', + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: 'ecs:RunTask', + Effect: 'Allow', + Resource: [{ + 'Fn::Join': [ + '', + [ + 'arn:', + { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + '/', + { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + ], + ], + }, { + 'Fn::Join': [ + '', + [ + 'arn:', + { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + '/', + { 
'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + ':*', + ], + ], + }], + }, + { + Action: ['ecs:StopTask', 'ecs:DescribeTasks'], + Effect: 'Allow', + Resource: '*', + }, + { + Action: 'iam:PassRole', + Effect: 'Allow', + Resource: { 'Fn::GetAtt': ['TDTaskRoleC497AFFC', 'Arn'] }, + }, + { + Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':events:', + { Ref: 'AWS::Region' }, + ':', + { Ref: 'AWS::AccountId' }, + ':rule/StepFunctionsGetEventsForECSTaskRule', + ], + ], + }, + }, + ], + }, + }); +}); + +test('Leaving ECS_REDUCE_RUN_TASK_PERMISSIONS as the default (false) grants extra permissions', () => { + stack = new Stack(); + stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, false); + vpc = new ec2.Vpc(stack, 'Vpc'); + cluster = new ecs.Cluster(stack, 'Cluster', { vpc }); + cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', { + autoScalingGroup: new autoscaling.AutoScalingGroup(stack, 'ASG', { + vpc, + instanceType: new ec2.InstanceType('t3.medium'), + machineImage: ec2.MachineImage.latestAmazonLinux2023(), + }), + })); + + const taskDefinition = new ecs.TaskDefinition(stack, 'TD', { + memoryMiB: '512', + cpu: '256', + compatibility: ecs.Compatibility.FARGATE, + }); + const containerDefinition = taskDefinition.addContainer('TheContainer', { + image: ecs.ContainerImage.fromRegistry('foo/bar'), + memoryLimitMiB: 256, + }); + + // WHEN + const runTask = new tasks.EcsRunTask(stack, 'RunFargate', { + integrationPattern: sfn.IntegrationPattern.RUN_JOB, + cluster, + taskDefinition, + containerOverrides: [ + { + containerDefinition, + environment: [{ name: 'SOME_KEY', value: sfn.JsonPath.stringAt('$.SomeKey') }], + }, + ], + launchTarget: new tasks.EcsFargateLaunchTarget({ + platformVersion: ecs.FargatePlatformVersion.VERSION1_4, + }), + }); + + new 
sfn.StateMachine(stack, 'SM', { + definitionBody: sfn.DefinitionBody.fromChainable(runTask), + }); + + // THEN + expect(stack.resolve(runTask.toStateJson())).toEqual({ + End: true, + Parameters: { + Cluster: { 'Fn::GetAtt': ['ClusterEB0386A7', 'Arn'] }, + LaunchType: 'FARGATE', + NetworkConfiguration: { + AwsvpcConfiguration: { + SecurityGroups: [{ 'Fn::GetAtt': ['RunFargateSecurityGroup709740F2', 'GroupId'] }], + Subnets: [{ Ref: 'VpcPrivateSubnet1Subnet536B997A' }, { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }], + }, + }, + PlatformVersion: '1.4.0', + TaskDefinition: 'TD', + Overrides: { + ContainerOverrides: [ + { + Environment: [ + { + Name: 'SOME_KEY', + 'Value.$': '$.SomeKey', + }, + ], + Name: 'TheContainer', + }, + ], + }, + }, + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':states:::ecs:runTask.sync', + ], + ], + }, + Type: 'Task', + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: 'ecs:RunTask', + Effect: 'Allow', + Resource: [{ + 'Fn::Join': [ + '', + [ + 'arn:', + { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + '/', + { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + ], + ], + }, { + 'Fn::Join': [ + '', + [ + 'arn:', + { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [4, { 
'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + '/', + { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + ':*', + ], + ], + }], + }, + { + Action: ['ecs:StopTask', 'ecs:DescribeTasks'], + Effect: 'Allow', + Resource: '*', + }, + { + Action: 'iam:PassRole', + Effect: 'Allow', + Resource: { 'Fn::GetAtt': ['TDTaskRoleC497AFFC', 'Arn'] }, + }, + { + Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':events:', + { Ref: 'AWS::Region' }, + ':', + { Ref: 'AWS::AccountId' }, + ':rule/StepFunctionsGetEventsForECSTaskRule', + ], + ], + }, + }, + ], + }, + }); +}); + +test('Setting ECS_REDUCE_RUN_TASK_PERMISSIONS to true reduces permissions', () => { + stack = new Stack(); + stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true); + vpc = new ec2.Vpc(stack, 'Vpc'); + cluster = new ecs.Cluster(stack, 'Cluster', { vpc }); + cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', { + autoScalingGroup: new autoscaling.AutoScalingGroup(stack, 'ASG', { + vpc, + instanceType: new ec2.InstanceType('t3.medium'), + machineImage: ec2.MachineImage.latestAmazonLinux2023(), + }), + })); + + const taskDefinition = new ecs.TaskDefinition(stack, 'TD', { + memoryMiB: '512', + cpu: '256', + compatibility: ecs.Compatibility.FARGATE, + }); + const containerDefinition = taskDefinition.addContainer('TheContainer', { + image: ecs.ContainerImage.fromRegistry('foo/bar'), + memoryLimitMiB: 256, + }); + + // WHEN + const runTask = new tasks.EcsRunTask(stack, 'RunFargate', { + integrationPattern: sfn.IntegrationPattern.RUN_JOB, + cluster, + taskDefinition, + containerOverrides: [ + { + containerDefinition, + environment: [{ name: 'SOME_KEY', value: 
sfn.JsonPath.stringAt('$.SomeKey') }], + }, + ], + launchTarget: new tasks.EcsFargateLaunchTarget({ + platformVersion: ecs.FargatePlatformVersion.VERSION1_4, + }), + }); + + new sfn.StateMachine(stack, 'SM', { + definitionBody: sfn.DefinitionBody.fromChainable(runTask), + }); + + // THEN + expect(stack.resolve(runTask.toStateJson())).toEqual({ + End: true, + Parameters: { + Cluster: { 'Fn::GetAtt': ['ClusterEB0386A7', 'Arn'] }, + LaunchType: 'FARGATE', + NetworkConfiguration: { + AwsvpcConfiguration: { + SecurityGroups: [{ 'Fn::GetAtt': ['RunFargateSecurityGroup709740F2', 'GroupId'] }], + Subnets: [{ Ref: 'VpcPrivateSubnet1Subnet536B997A' }, { Ref: 'VpcPrivateSubnet2Subnet3788AAA1' }], + }, + }, + PlatformVersion: '1.4.0', + TaskDefinition: 'TD', + Overrides: { + ContainerOverrides: [ + { + Environment: [ + { + Name: 'SOME_KEY', + 'Value.$': '$.SomeKey', + }, + ], + Name: 'TheContainer', + }, + ], + }, + }, + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':states:::ecs:runTask.sync', + ], + ], + }, + Type: 'Task', + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: [ + { + Action: 'ecs:RunTask', + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }, + ':', + { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + '/', + { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] }, + ':*', + ], + ], + }, + }, + { + Action: ['ecs:StopTask', 'ecs:DescribeTasks'], + Effect: 'Allow', + Resource: '*', + }, + { + Action: 
'iam:PassRole', + Effect: 'Allow', + Resource: { 'Fn::GetAtt': ['TDTaskRoleC497AFFC', 'Arn'] }, + }, + { + Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], + Effect: 'Allow', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':events:', + { Ref: 'AWS::Region' }, + ':', + { Ref: 'AWS::AccountId' }, + ':rule/StepFunctionsGetEventsForECSTaskRule', + ], + ], + }, + }, + ], + }, + }); +}); diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts index d7a0ad00510b9..785a96ba4f075 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/ecs/run-tasks.test.ts @@ -4,6 +4,7 @@ import * as ec2 from '../../../aws-ec2'; import * as ecs from '../../../aws-ecs'; import * as sfn from '../../../aws-stepfunctions'; import { Stack } from '../../../core'; +import { ECS_REDUCE_RUN_TASK_PERMISSIONS } from '../../../cx-api'; import * as tasks from '../../lib'; let stack: Stack; @@ -15,6 +16,7 @@ let cluster: ecs.Cluster; beforeEach(() => { // GIVEN stack = new Stack(); + stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true); vpc = new ec2.Vpc(stack, 'Vpc'); cluster = new ecs.Cluster(stack, 'Cluster', { vpc }); cluster.addAsgCapacityProvider(new ecs.AsgCapacityProvider(stack, 'Capacity', { 
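Review bot: The second test, 'Leaving ECS_REDUCE_RUN_TASK_PERMISSIONS as the default (false) grants extra permissions', still calls `stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, false);` exactly like the first test, so it never exercises the unset-flag default and appears to be a copy of the test above it apart from the title; removing that `setContext` line makes it pin the behaviour its name promises. The module-level `let stack`, `let vpc` and `let cluster` are reassigned inside every test instead of in a `beforeEach`, and the cluster/task-definition setup plus the `toStateJson()` expectation are repeated three times verbatim; a `test.each` keyed on the flag value, with only the expected RunTask `Resource` varying, would leave one copy to maintain. The `/* eslint-disable quote-props */` at file level also suppresses the rule for the whole file where only the `'Fn::...'` keys need it.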
@@ -289,26 +291,7 @@ test('Running a Fargate Task', () => {
 {
 Action: 'ecs:RunTask',
 Effect: 'Allow',
- Resource: [{
- 'Fn::Join': [
- '',
- [
- 'arn:',
- { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] },
- ':',
- { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] },
- ':',
- { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] },
- ':',
- { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] },
- ':',
- { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] },
- '/',
- { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] },
- ],
- ],
- },
- {
+ Resource: {
 'Fn::Join': [
 '',
 [
@@ -327,7 +310,7 @@ test('Running a Fargate Task', () => {
 ':*',
 ],
 ],
- }],
+ },
 },
 {
 Action: ['ecs:StopTask', 'ecs:DescribeTasks'],
@@ -431,26 +414,7 @@ test('Running an EC2 Task with bridge network', () => {
 {
 Action: 'ecs:RunTask',
 Effect: 'Allow',
- Resource: [{
- 'Fn::Join': [
- '',
- [
- 'arn:',
- { 'Fn::Select': [1, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] },
- ':',
- { 'Fn::Select': [2, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] },
- ':',
- { 'Fn::Select': [3, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] },
- ':',
- { 'Fn::Select': [4, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] },
- ':',
- { 'Fn::Select': [0, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] },
- '/',
- { 'Fn::Select': [1, { 'Fn::Split': ['/', { 'Fn::Select': [5, { 'Fn::Split': [':', { 'Ref': 'TD49C78F36' }] }] }] }] },
- ],
- ],
- },
- {
+ Resource: {
 'Fn::Join': [
 '',
 [
@@ -469,7 +433,7 @@ test('Running an EC2 Task with bridge network', () => {
 ':*',
 ],
 ],
- }],
+ },
 },
 {
 Action: ['ecs:StopTask', 'ecs:DescribeTasks'],
diff --git a/packages/aws-cdk-lib/cx-api/README.md b/packages/aws-cdk-lib/cx-api/README.md
index 86d6cdd7039aa..2aca6f69abaf9 100644
--- a/packages/aws-cdk-lib/cx-api/README.md
+++ b/packages/aws-cdk-lib/cx-api/README.md
@@ -358,3 +358,21 @@ _cdk.json_
 }
 }
 ```
+
+* `@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions`
+
+When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN.
+
+When this feature flag is enabled, the IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN.
+The revision ARN is more specific than the task definition ARN. See https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
+for more details.
+
+_cdk.json_
+
+```json
+{
+ "context": {
+ "@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions": true
+ }
+}
+```
diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts
index 6163361f943f6..8d0faf244f2f6 100644
--- a/packages/aws-cdk-lib/cx-api/lib/features.ts
+++ b/packages/aws-cdk-lib/cx-api/lib/features.ts
@@ -102,6 +102,7 @@ export const CODEPIPELINE_CROSS_ACCOUNT_KEYS_DEFAULT_VALUE_TO_FALSE = '@aws-cdk/
 export const CODEPIPELINE_DEFAULT_PIPELINE_TYPE_TO_V2 = '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2';
 export const KMS_REDUCE_CROSS_ACCOUNT_REGION_POLICY_SCOPE = '@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope';
 export const PIPELINE_REDUCE_ASSET_ROLE_TRUST_SCOPE = '@aws-cdk/pipelines:reduceAssetRoleTrustScope';
+export const ECS_REDUCE_RUN_TASK_PERMISSIONS = '@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions';
 export const EKS_NODEGROUP_NAME = '@aws-cdk/aws-eks:nodegroupNameAttribute';
 export const EBS_DEFAULT_GP3 = '@aws-cdk/aws-ec2:ebsDefaultGp3Volume';
 export const ECS_REMOVE_DEFAULT_DEPLOYMENT_ALARM = '@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm';
@@ -1107,6 +1108,19 @@ export const FLAGS: Record = {
 introducedIn: { v2: '2.145.0' },
 recommendedValue: false,
 },
+
+ //////////////////////////////////////////////////////////////////////
+ [ECS_REDUCE_RUN_TASK_PERMISSIONS]: {
+ type: FlagType.BugFix,
+ summary: 'When enabled, IAM Policy created to run tasks won\'t include the task definition ARN, only the revision ARN.',
+ detailsMd: `
+ When this feature flag is enabled, the IAM Policy created to run tasks won\'t include the task definition ARN, only the revision ARN.
+ The revision ARN is more specific than the task definition ARN. See https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
+ for more details.
+ `,
+ introducedIn: { v2: 'V2NEXT' },
+ recommendedValue: true,
+ },
 };
 
 const CURRENT_MV = 'v2';
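Review bot: The `summary` and `detailsMd` for ECS_REDUCE_RUN_TASK_PERMISSIONS say the policy will contain "only the revision ARN", but the resource the flag keeps in run-task.ts is `${taskDefinitionFamilyArn}:*` — the family ARN with a revision wildcard, which still authorises ecs:RunTask on every revision of that family; what the flag drops is the bare family ARN that has no revision component. A reader choosing whether to enable a BugFix flag with `recommendedValue: true` should get the real grant, e.g. `summary: 'When enabled, the IAM policy created to run tasks is scoped to the task definition family with a revision wildcard (family:*) instead of also granting the bare family ARN.'`, with `detailsMd` reworded the same way; the identical sentence is repeated in the cx-api README hunk. The `won\'t` escapes inside the `detailsMd` template literal are unnecessary, since a backtick string needs no escaping of single quotes. The FLAGS record starts outside the hunk.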