
Commit 3694670

authored
fix(codepipeline): incorrect cross-account permissions with StepFunct ionInvokeAction (#25850)
When the StateMachine invoked by CodePipeline is not in the same account/region as the pipeline, the `DescribeExecutions` permission was granted on the wrong account/region pair (that of the pipeline rather than that of the StateMachine). The cause: when the state machine's ARN was transformed into a state machine execution ARN pattern, the account and region of the original ARN were not copied. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent dd16cf8 commit 3694670


8 files changed

+251
-177
lines changed


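--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.js.snapshot/aws-cdk-codepipeline-stepfunctions.assets.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.js.snapshot/aws-cdk-codepipeline-stepfunctions.assets.json
@@ -1,15 +1,15 @@
 {
-"version": "30.0.0",
+"version": "32.0.0",
 "files": {
-"9c2191cf64f5d0c7288c4daeb90518584cb5076983557a2d930df85cbf8b1e4d": {
+"367d7f35f59c5f8e0a4ffcbe34f936dffd0eb167b6d1261e138577db0e7da631": {
 "source": {
 "path": "aws-cdk-codepipeline-stepfunctions.template.json",
 "packaging": "file"
 },
 "destinations": {
 "current_account-current_region": {
 "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-"objectKey": "9c2191cf64f5d0c7288c4daeb90518584cb5076983557a2d930df85cbf8b1e4d.json",
+"objectKey": "367d7f35f59c5f8e0a4ffcbe34f936dffd0eb167b6d1261e138577db0e7da631.json",
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
 }
 }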

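--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.js.snapshot/aws-cdk-codepipeline-stepfunctions.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.js.snapshot/aws-cdk-codepipeline-stepfunctions.template.json
@@ -538,15 +538,45 @@
 [
 "arn:",
 {
-"Ref": "AWS::Partition"
+"Fn::Select": [
+1,
+{
+"Fn::Split": [
+":",
+{
+"Ref": "SimpleStateMachineE8E2CF40"
+}
+]
+}
+]
 },
 ":states:",
 {
-"Ref": "AWS::Region"
+"Fn::Select": [
+3,
+{
+"Fn::Split": [
+":",
+{
+"Ref": "SimpleStateMachineE8E2CF40"
+}
+]
+}
+]
 },
 ":",
 {
-"Ref": "AWS::AccountId"
+"Fn::Select": [
+4,
+{
+"Fn::Split": [
+":",
+{
+"Ref": "SimpleStateMachineE8E2CF40"
+}
+]
+}
+]
 },
 ":execution:",
 {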
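Review bot: This snapshot only exercises a state machine defined in the pipeline's own stack (`"Ref": "SimpleStateMachineE8E2CF40"`), so the three `Fn::Select`/`Fn::Split` expressions at indices 1, 3 and 4 resolve to the same partition, region and account that the removed pseudo-parameters produced; the cross-account case named in the commit message is not what this template demonstrates. Unless one of the changed files not shown in this section already covers it, I would add a unit test that imports a state machine by an ARN from a different account and region and asserts that the execution-ARN resource in the generated policy statement carries that account and region rather than the pipeline's. The resource expression continues past `":execution:"` outside this hunk, so how narrowly the execution-name part of the pattern is scoped cannot be checked from here.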
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
{"version":"30.0.0"}
1+
{"version":"32.0.0"}

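--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.js.snapshot/integ.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.js.snapshot/integ.json
@@ -1,5 +1,5 @@
 {
-"version": "30.0.0",
+"version": "32.0.0",
 "testCases": {
 "integ.pipeline-stepfunctions": {
 "stacks": [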

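--- a/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.js.snapshot/manifest.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.js.snapshot/manifest.json
@@ -1,5 +1,5 @@
 {
-"version": "30.0.0",
+"version": "32.0.0",
 "artifacts": {
 "aws-cdk-codepipeline-stepfunctions.assets": {
 "type": "cdk:asset-manifest",
@@ -17,7 +17,7 @@
 "validateOnSynth": false,
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
 "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9c2191cf64f5d0c7288c4daeb90518584cb5076983557a2d930df85cbf8b1e4d.json",
+"stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/367d7f35f59c5f8e0a4ffcbe34f936dffd0eb167b6d1261e138577db0e7da631.json",
 "requiresBootstrapStackVersion": 6,
 "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
 "additionalDependencies": [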
