
Commit 8ebfade

authored
fix(stepfunctions-tasks): run task permission is too broad (under feature flag) (#30389)
Closes #30368. Doc: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_id-based-policy-examples.html#IAM_run_policies
1 parent 1b1cff7 commit 8ebfade


15 files changed

+1157
-1107
lines changed


packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/aws-sfn-tasks-ecs-run-task.assets.json

Lines changed: 2 additions & 2 deletions

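--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/aws-sfn-tasks-ecs-run-task.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/aws-sfn-tasks-ecs-run-task.template.json
@@ -1070,231 +1070,118 @@
 {
 "Action": "ecs:RunTask",
 "Effect": "Allow",
-"Resource": [
-{
-"Fn::Join": [
-"",
-[
-"arn:",
-{
-"Fn::Select": [
-1,
-{
-"Fn::Split": [
-":",
-{
-"Ref": "TaskDef54694570"
-}
-]
-}
-]
-},
-":",
-{
-"Fn::Select": [
-2,
-{
-"Fn::Split": [
-":",
-{
-"Ref": "TaskDef54694570"
-}
-]
-}
-]
-},
-":",
-{
-"Fn::Select": [
-3,
-{
-"Fn::Split": [
-":",
-{
-"Ref": "TaskDef54694570"
-}
-]
-}
-]
-},
-":",
-{
-"Fn::Select": [
-4,
-{
-"Fn::Split": [
-":",
-{
-"Ref": "TaskDef54694570"
-}
-]
-}
-]
-},
-":",
-{
-"Fn::Select": [
-0,
-{
-"Fn::Split": [
-"/",
-{
-"Fn::Select": [
-5,
-{
-"Fn::Split": [
-":",
-{
-"Ref": "TaskDef54694570"
-}
-]
-}
-]
-}
-]
-}
-]
-},
-"/",
-{
-"Fn::Select": [
-1,
-{
-"Fn::Split": [
-"/",
-{
-"Fn::Select": [
-5,
-{
-"Fn::Split": [
-":",
-{
-"Ref": "TaskDef54694570"
-}
-]
-}
-]
-}
-]
-}
-]
-},
-":*"
-]
-]
-},
-{
-"Fn::Join": [
-"",
-[
-"arn:",
-{
-"Fn::Select": [
-1,
-{
-"Fn::Split": [
-":",
-{
-"Ref": "TaskDef54694570"
-}
-]
-}
-]
-},
-":",
-{
-"Fn::Select": [
-2,
-{
-"Fn::Split": [
-":",
-{
-"Ref": "TaskDef54694570"
-}
-]
-}
-]
-},
-":",
-{
-"Fn::Select": [
-3,
-{
-"Fn::Split": [
-":",
-{
-"Ref": "TaskDef54694570"
-}
-]
-}
-]
-},
-":",
-{
-"Fn::Select": [
-4,
-{
-"Fn::Split": [
-":",
-{
-"Ref": "TaskDef54694570"
-}
-]
-}
-]
-},
-":",
-{
-"Fn::Select": [
-0,
-{
-"Fn::Split": [
-"/",
-{
-"Fn::Select": [
-5,
-{
-"Fn::Split": [
-":",
-{
-"Ref": "TaskDef54694570"
-}
-]
-}
-]
-}
-]
-}
-]
-},
-"/",
-{
-"Fn::Select": [
-1,
-{
-"Fn::Split": [
-"/",
-{
-"Fn::Select": [
-5,
-{
-"Fn::Split": [
-":",
-{
-"Ref": "TaskDef54694570"
-}
-]
-}
-]
-}
-]
-}
-]
-}
-]
+"Resource": {
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Fn::Select": [
+1,
+{
+"Fn::Split": [
+":",
+{
+"Ref": "TaskDef54694570"
+}
+]
+}
+]
+},
+":",
+{
+"Fn::Select": [
+2,
+{
+"Fn::Split": [
+":",
+{
+"Ref": "TaskDef54694570"
+}
+]
+}
+]
+},
+":",
+{
+"Fn::Select": [
+3,
+{
+"Fn::Split": [
+":",
+{
+"Ref": "TaskDef54694570"
+}
+]
+}
+]
+},
+":",
+{
+"Fn::Select": [
+4,
+{
+"Fn::Split": [
+":",
+{
+"Ref": "TaskDef54694570"
+}
+]
+}
+]
+},
+":",
+{
+"Fn::Select": [
+0,
+{
+"Fn::Split": [
+"/",
+{
+"Fn::Select": [
+5,
+{
+"Fn::Split": [
+":",
+{
+"Ref": "TaskDef54694570"
+}
+]
+}
+]
+}
+]
+}
+]
+},
+"/",
+{
+"Fn::Select": [
+1,
+{
+"Fn::Split": [
+"/",
+{
+"Fn::Select": [
+5,
+{
+"Fn::Split": [
+":",
+{
+"Ref": "TaskDef54694570"
+}
+]
+}
+]
+}
+]
+}
+]
+},
+":*"
 ]
-}
-]
+]
+}
 },
 {
 "Action": [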
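Review bot: The `ecs:RunTask` statement in this synthesized template carries only `Action`, `Effect` and `Resource`, so the role is still not bound to a cluster and may start the task definition on any cluster the account has in that region. If the task is meant to run only on the cluster it is configured with, the statement could be scoped further with `"Condition": { "ArnEquals": { "ecs:cluster": "<CLUSTER_ARN>" } }` (placeholder ARN). The remaining resource also ends in `:*`, so every revision of the family is covered, including revisions registered later by a different principal; that trade-off deserves a sentence in the feature-flag documentation. This file is a generated snapshot, so both points apply to the construct that emits the statement, which is not visible in this section.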

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.js.snapshot/manifest.json

Lines changed: 1 addition & 1 deletion
