Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-stepfunctions-tasks: CallAwsService for elasticloadbalancingv2 produces invalid IAM role policies #32417

Closed
1 task
tomykaira opened this issue Dec 8, 2024 · 6 comments · Fixed by #32419
Closed
1 task

aws-stepfunctions-tasks: CallAwsService for elasticloadbalancingv2 produces invalid IAM role policies #32417

tomykaira opened this issue Dec 8, 2024 · 6 comments · Fixed by #32419
Labels
@aws-cdk/aws-stepfunctions-tasks bug This issue is a bug. effort/medium Medium work item – several days of effort p1

Comments

@tomykaira
Copy link

Describe the bug

sfn.StateMachine with tasks.CallAwsService helps to setup an IAM role by scanning the task definition.

When the task definition contains CallAwsService with service: 'elasticloadbalancingv2',
the state machine's IAM role has a policy like this:

"Action": "elasticloadbalancingv2:describeTargetGroups",

However, elasticloadbalancingv2 is invalid in IAM actions. It should be elasticloadbalancing.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

It produces IAM role policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "elasticloadbalancing:describeTargetGroups",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Current Behavior

It produces IAM role policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "elasticloadbalancingv2:describeTargetGroups",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Reproduction Steps

Include this state machine declaration in a stack.

    new sfn.StateMachine(this, 'BugReportSample1', {
      definition: new tasks.CallAwsService(this, 'GetTargetGroups', {
        service: 'elasticloadbalancingv2',
        action: 'describeTargetGroups',
        resultPath: '$.targetGroups',
        iamResources: ['*'],
      }),
    });

Possible Solution

Add some conversion here: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/aws-sdk/call-aws-service.ts#L116

Additional Information/Context

No response

CDK CLI Version

2.172.0 (build 0f666c5)

Framework Version

No response

Node.js Version

v20.12.2

OS

Fedora release 38 (Thirty Eight)

Language

TypeScript

Language Version

5.6.3

Other information

No response
@tomykaira tomykaira added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 8, 2024
@nmussy nmussy mentioned this issue Dec 8, 2024
Merged
1 task
@nmussy
Copy link
Contributor

nmussy commented Dec 8, 2024

Thanks for the very clear bug report, I've opened a PR to address this issue 👍

@pahud
Copy link
Contributor

pahud commented Dec 9, 2024

Thank you @tomykaira and @nmussy for your immediate PR support!!

@pahud pahud added p2 p1 and removed needs-triage This issue or PR still needs to be triaged. p2 labels Dec 9, 2024
@pahud
Copy link
Contributor

pahud commented Dec 9, 2024

Just checked the IAM console. When selecting ELBv2 describeTargetGroups I actually get this policy.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": "elasticloadbalancing:DescribeTargetGroups",
			"Resource": "*"
		}
	]
}

@pahud pahud added the effort/medium Medium work item – several days of effort label Dec 9, 2024
@nmussy
Copy link
Contributor

nmussy commented Dec 9, 2024
edited
Loading

Yeah that's the expected result, and what my PR generates: https://github.com/aws/aws-cdk/pull/32419/files#diff-c366bafc63a0d3f2bf3e8ec4c85c8b48bffce5352ce7cd5d77f460d34372160bR404-R406

The statement prior to the change is elasticloadbalancingv2:DescribeTargetGroups

EDIT: Unless you're talking about the difference in casing, which shouldn't matter (docs):

The prefix and the action name are case insensitive

@mergify mergify bot closed this as completed in #32419 Dec 10, 2024
@mergify mergify bot closed this as completed in 2677fce Dec 10, 2024
@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

1 similar comment
@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 10, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
@aws-cdk/aws-stepfunctions-tasks bug This issue is a bug. effort/medium Medium work item – several days of effort p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(stepfunctions-task): elasticloadbalancingv2 service policy nmussy/aws-cdk
3 participants
@pahud @tomykaira @nmussy