Skip to content

Commit

Permalink
feat(stepfunctions): add grantStartExecution() (#2793)
Browse files Browse the repository at this point in the history
Grant the given identity permissions to start an execution of a
state machine (`states:StartExecution`).
jogold authored and rix0rrr committed Jun 11, 2019
1 parent acf015d commit da32176
Showing 2 changed files with 66 additions and 4 deletions.
25 changes: 22 additions & 3 deletions packages/@aws-cdk/aws-stepfunctions/lib/state-machine.ts
Original file line number Diff line number Diff line change
@@ -37,20 +37,39 @@ export interface StateMachineProps {
}

/**
* Define a StepFunctions State Machine
* A new or imported state machine.
*/
export class StateMachine extends Resource implements IStateMachine {
abstract class StateMachineBase extends Resource implements IStateMachine {
/**
* Import a state machine
*/
public static fromStateMachineArn(scope: Construct, id: string, stateMachineArn: string): IStateMachine {
class Import extends Resource implements IStateMachine {
class Import extends StateMachineBase {
public readonly stateMachineArn = stateMachineArn;
}

return new Import(scope, id);
}

public abstract readonly stateMachineArn: string;

/**
* Grant the given identity permissions to start an execution of this state
* machine.
*/
public grantStartExecution(identity: iam.IGrantable): iam.Grant {
return iam.Grant.addToPrincipal({
grantee: identity,
actions: ['states:StartExecution'],
resourceArns: [this.stateMachineArn]
});
}
}

/**
* Define a StepFunctions State Machine
*/
export class StateMachine extends StateMachineBase {
/**
* Execution role of this state machine
*/
Original file line number Diff line number Diff line change
@@ -129,4 +129,47 @@ export = {
test.done();
},

};
'Can grant start execution to a role'(test: Test) {
// GIVEN
const stack = new cdk.Stack();
const task = new stepfunctions.Task(stack, 'Task', {
task: {
bind: () => ({ resourceArn: 'resource' })
}
});
const stateMachine = new stepfunctions.StateMachine(stack, 'StateMachine', {
definition: task
});
const role = new iam.Role(stack, 'Role', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com')
});

// WHEN
stateMachine.grantStartExecution(role);

// THEN
expect(stack).to(haveResource('AWS::IAM::Policy', {
PolicyDocument: {
Statement: [
{
Action: 'states:StartExecution',
Effect: 'Allow',
Resource: {
Ref: 'StateMachine2E01A3A5'
}
}
],
Version: '2012-10-17',
},
PolicyName: 'RoleDefaultPolicy5FFB7DAB',
Roles: [
{
Ref: 'Role1ABCC5F0'
}
]
}));

test.done();
}

};

0 comments on commit da32176

Please sign in to comment.