
Commit 82b163d

fix(stepfunctions-tasks): run task perm no longer valid (#30788)
### Issue # (if applicable) Closes #30751. ### Reason for this change Granting `ecs:RunTask` on the bare `${taskDefinitionFamilyArn}` (the family ARN without a revision) is no longer valid (see the validation errors in the linked issue). This grant was already disabled behind the `ECS_REDUCE_RUN_TASK_PERMISSIONS` feature flag (FF). This PR removes the permission entirely and removes the FF. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
1 parent 7278d42 commit 82b163d


6 files changed

+8
-535
lines changed


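--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts
@@ -4,7 +4,7 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
 import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
 import * as cdk from 'aws-cdk-lib';
 import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
-import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP, ECS_REDUCE_RUN_TASK_PERMISSIONS } from 'aws-cdk-lib/cx-api';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 
 /*
@@ -20,7 +20,6 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 const app = new cdk.App();
 const stack = new cdk.Stack(app, 'aws-sfn-tasks-ecs-run-task');
 stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
-stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true);
 
 const cluster = new ecs.Cluster(stack, 'Ec2Cluster');
 cluster.addCapacity('DefaultAutoScalingGroup', {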

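--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts
@@ -3,7 +3,7 @@ import * as ecs from 'aws-cdk-lib/aws-ecs';
 import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
 import * as cdk from 'aws-cdk-lib';
 import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
-import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP, ECS_REDUCE_RUN_TASK_PERMISSIONS } from 'aws-cdk-lib/cx-api';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 
 /*
@@ -19,7 +19,6 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 const app = new cdk.App();
 const stack = new cdk.Stack(app, 'aws-sfn-tasks-ecs-fargate-run-task');
 stack.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
-stack.node.setContext(ECS_REDUCE_RUN_TASK_PERMISSIONS, true);
 
 const cluster = new ecs.Cluster(stack, 'FargateCluster');
 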
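--- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts
+++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts
@@ -5,7 +5,6 @@ import * as ecs from '../../../aws-ecs';
 import * as iam from '../../../aws-iam';
 import * as sfn from '../../../aws-stepfunctions';
 import * as cdk from '../../../core';
-import * as cxapi from '../../../cx-api';
 import { integrationResourceArn, validatePatternSupported } from '../private/task-utils';
 
 /**
@@ -347,31 +346,11 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable {
 private makePolicyStatements(): iam.PolicyStatement[] {
 const stack = cdk.Stack.of(this);
 
-const taskDefinitionFamilyArn = this.getTaskDefinitionFamilyArn();
-const reduceRunTaskPermissions = cdk.FeatureFlags.of(this).isEnabled(cxapi.ECS_REDUCE_RUN_TASK_PERMISSIONS);
-let policyStatements = [];
-
-// https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
-if (reduceRunTaskPermissions) {
-policyStatements.push(
-new iam.PolicyStatement({
-actions: ['ecs:RunTask'],
-resources: [`${taskDefinitionFamilyArn}:*`],
-}),
-);
-} else {
-policyStatements.push(
-new iam.PolicyStatement({
-actions: ['ecs:RunTask'],
-resources: [
-taskDefinitionFamilyArn,
-`${taskDefinitionFamilyArn}:*`,
-],
-}),
-);
-}
-
-policyStatements.push(
+const policyStatements = [
+new iam.PolicyStatement({
+actions: ['ecs:RunTask'],
+resources: [`${this.getTaskDefinitionFamilyArn()}:*`],
+}),
 new iam.PolicyStatement({
 actions: ['ecs:StopTask', 'ecs:DescribeTasks'],
 resources: ['*'],
@@ -380,7 +359,7 @@ export class EcsRunTask extends sfn.TaskStateBase implements ec2.IConnectable {
 actions: ['iam:PassRole'],
 resources: this.taskExecutionRoles().map((r) => r.roleArn),
 }),
-);
+];
 
 if (this.integrationPattern === sfn.IntegrationPattern.RUN_JOB) {
 policyStatements.push(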
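Review bot: The `// https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html` comment was deleted together with the feature-flag branch, so the new `ecs:RunTask` statement in the second hunk no longer explains why the resource is the task-definition family ARN with a `:*` revision wildcard rather than the bare family ARN. Since the bare ARN is, per the linked issue, no longer accepted as a RunTask resource, I would keep that rationale next to the statement: `// https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html` followed by `// RunTask must be granted on <family ARN>:* (any revision); the bare family ARN is not a valid resource for this action.` Note that the `ecs:StopTask`/`ecs:DescribeTasks` statement on `'*'` is untouched by this change, so the role is not broadened here; the `makePolicyStatements` body continues past the end of the hunk.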
