aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-stepfunctions: Auto generated IAM Policy has region in S3 resource #22445

Closed kostiantyn-priv closed 2 years ago

kostiantyn-priv commented 2 years ago

Describe the bug

CDK generates invalid S3 resources in the IAM policy (it adds a region) if I use aws_s3.Location in the aws_stepfunctions_tasks.AthenaStartQueryExecution task definition:

    "Resource": {
      "Fn::Join": [
        "",
        [
          "arn:",
          {
            "Ref": "AWS::Partition"
          },
          ":s3:us-west-2:123456789:",
          {
            "Fn::ImportValue": "test:ExportsOutputReftestbucketBE15FED9C91D11B3"
          },
          "/athena/"
        ]
      ]
    }

Expected Behavior

Successful stack deployment

Current Behavior

test | UPDATE_FAILED        | AWS::IAM::Policy                 | state-machine/Role/DefaultPolicy (statemachineRoleDefaultPolicyDBF71609) Resource arn:aws:s3:us-west-2:123456789:test/athena can not contain region information. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: d7a906eb-709a-445c-aacd-b163dc317a8a; Proxy: null)

Reproduction Steps

    from aws_cdk import Duration, aws_s3, aws_stepfunctions, aws_stepfunctions_tasks

    # Inside a Stack's __init__, where `self` is the stack.
    # Athena task whose result location is given as an aws_s3.Location.
    test_job = aws_stepfunctions_tasks.AthenaStartQueryExecution(
        scope=self,
        id='test',
        query_string="<SQL command>",
        work_group='primary',
        query_execution_context=aws_stepfunctions_tasks.QueryExecutionContext(
            database_name='test',
            catalog_name='AwsDataCatalog'
        ),
        result_configuration=aws_stepfunctions_tasks.ResultConfiguration(
            encryption_configuration=aws_stepfunctions_tasks.EncryptionConfiguration(
                encryption_option=aws_stepfunctions_tasks.EncryptionOption.S3_MANAGED
            ),
            output_location=aws_s3.Location(
                bucket_name='test',
                object_key='athena/'
            )
        )
    )

    # The state machine's auto-generated role policy receives the S3 resource ARN.
    state_machine = aws_stepfunctions.StateMachine(
        scope=self,
        id='state-machine',
        definition=test_job,
        state_machine_name='test',
        state_machine_type=aws_stepfunctions.StateMachineType.STANDARD,
        timeout=Duration.minutes(30)
    )

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.45.0 (build af1fb7c)

Framework Version

No response

Node.js Version

v16.17.0

OS

Windows 10 21H2

Language

Python

Language Version

3.7.9

Other information

No response
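
A pre-deployment check for the failure reported above, as an added example that is not part of the original issue or of the CDK code base: it scans a synthesized CloudFormation template for IAM policy statements whose S3 bucket ARN carries a region or account field, which IAM rejects with MalformedPolicyDocument. The function names, the `${token}` placeholder and the list of regional S3 resource types are assumptions, and the sample template is constructed from the fragment in the report.

```python
import re

# Bucket and object ARNs leave region and account empty: arn:<partition>:s3:::<bucket>/<key>
S3_ARN = re.compile(r"^arn:[^:]*:s3:([^:]*):([^:]*):(.*)$")
# S3 resource types whose ARNs legitimately carry region/account (skipped by this heuristic).
REGIONAL_TYPES = ("accesspoint/", "job/", "storage-lens/")

def flatten(value):
    """Render a template value as a string; unresolved intrinsics become '${token}'."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "Fn::Join" in value:
        sep, parts = value["Fn::Join"]
        return sep.join(flatten(p) for p in parts)
    if value == {"Ref": "AWS::Partition"}:
        return "aws"
    return "${token}"  # Ref, Fn::ImportValue, Fn::GetAtt: unknown until deploy time

def as_list(x):
    return x if isinstance(x, list) else [x]

def malformed_s3_resources(template):
    """Return (logical_id, arn) pairs for IAM policies with a region or account in a bucket ARN."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        for stmt in as_list(doc.get("Statement", [])):
            for resource in as_list(stmt.get("Resource", [])):
                arn = flatten(resource)
                m = S3_ARN.match(arn)
                if m and (m.group(1) or m.group(2)) and not m.group(3).startswith(REGIONAL_TYPES):
                    findings.append((logical_id, arn))
    return findings

# Constructed sample: the Resource fragment from the report next to a well-formed bucket ARN.
SAMPLE = {"Resources": {"statemachineRoleDefaultPolicyDBF71609": {
    "Type": "AWS::IAM::Policy",
    "Properties": {"PolicyDocument": {"Statement": [{"Effect": "Allow",
        "Resource": [
            {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":s3:us-west-2:123456789:",
                               {"Fn::ImportValue": "test:ExportsOutputReftestbucketBE15FED9C91D11B3"},
                               "/athena/"]]},
            {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":s3:::test/athena/*"]]},
        ]}]}}}}}

for logical_id, arn in malformed_s3_resources(SAMPLE):
    print(f"{logical_id}: {arn} has a region or account in an S3 bucket ARN")
```

To check a real stack, load the JSON template that `cdk synth` writes to `cdk.out` and pass the parsed dict to `malformed_s3_resources`.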

kaizencc commented 2 years ago

Closing this as a dup of #22445. I know this came first, but I ended up commenting on the other issue first.
