aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-cdk-lib/aws-stepfunctions: incorrect resource in ECS ecs:RunTask for State Machines #30751

Open nicor88 opened 5 days ago

nicor88 commented 5 days ago

Describe the bug

The policy generated when an ECS task is triggered from a state machine is of this type:

{
    "Action": "ecs:RunTask",
    "Resource": [
        "arn:aws:ecs:eu-central-1:xxxx:task-definition/my-task:*",
        "arn:aws:ecs:eu-central-1:xxxx:task-definition/my-task"
    ],
    "Effect": "Allow"
},

The Resource "arn:aws:ecs:eu-central-1:xxxx:task-definition/my-task" is not a valid one; the policy validator fails in the UI (even though I'm able to deploy) and there is an AWS notification about my state machine role.

Expected Behavior

The resource used for ecs:RunTask is simply: "arn:aws:ecs:eu-central-1:xxxx:task-definition/my-task:*",

Current Behavior

The resources for ecs:RunTask are:

Reproduction Steps

Create a state machine invoking an ecs task

Possible Solution

Simply remove the unnecessary resource from the policy attached to the IAM role used by the state machine. Creating a role and passing it to sfn.StateMachine doesn't help, because an inline policy with the wrong resource is attached to the custom role.

Additional Information/Context

No response

CDK CLI Version

2.147.3

Framework Version

No response

Node.js Version

v18.0.0

OS

MacOs

Language

TypeScript

Language Version

No response

Other information

No response
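
As an added example (not code from the aws-cdk project or from anyone in this thread), the TypeScript below checks a plain IAM policy statement, such as the one quoted in the issue, for the ecs:RunTask resource shape being discussed: it reports any ECS task-definition ARN that names only a family (no ":<revision>" and no ":*"), and produces a tightened copy of the statement that keeps the ":*" form and drops the family-only duplicate. The sample statement is constructed to match the issue, with "xxxx" standing in for the account id; the function names are my own.

```typescript
// Added example, not part of aws-cdk. Works on plain IAM policy JSON, e.g. a
// statement copied from a synthesized CloudFormation template.

export interface PolicyStatement {
  Action: string | string[];
  Resource: string | string[];
  Effect: 'Allow' | 'Deny';
}

// arn:<partition>:ecs:<region>:<account>:task-definition/<family>[:<revision> | :*]
// Group 1 is everything up to and including the family; group 2 is the
// optional revision number or "*". A match with no group 2 is the
// family-only form that the IAM policy validator flags for ecs:RunTask.
const TASK_DEF_ARN = /^(arn:[^:]+:ecs:[^:]*:[^:]*:task-definition\/[^:/]+)(?::(\d+|\*))?$/;

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

function grantsRunTask(stmt: PolicyStatement): boolean {
  return stmt.Effect === 'Allow' && asList(stmt.Action).includes('ecs:RunTask');
}

/** Family-only task-definition ARNs in an ecs:RunTask Allow statement. */
export function findFamilyOnlyTaskDefArns(stmt: PolicyStatement): string[] {
  if (!grantsRunTask(stmt)) return [];
  return asList(stmt.Resource).filter((r) => {
    const m = TASK_DEF_ARN.exec(r);
    return m !== null && !m[2];
  });
}

/**
 * Copy of the statement with each family-only ARN removed, but only when the
 * same statement already covers that family through a ":*" or ":<revision>"
 * ARN. A family-only ARN that is the sole grant is left in place so that the
 * rewrite never silently revokes a permission; it is still reported by
 * findFamilyOnlyTaskDefArns for a human to look at.
 */
export function tightenRunTaskStatement(stmt: PolicyStatement): PolicyStatement {
  if (!grantsRunTask(stmt)) return stmt;
  const resources = asList(stmt.Resource);
  const covered = new Set<string>();
  for (const r of resources) {
    const m = TASK_DEF_ARN.exec(r);
    if (m && m[2]) covered.add(m[1]);
  }
  const kept = resources.filter((r) => {
    const m = TASK_DEF_ARN.exec(r);
    return !(m && !m[2] && covered.has(m[1]));
  });
  // Preserve the original shape: array stays array, string stays string.
  return { ...stmt, Resource: Array.isArray(stmt.Resource) ? kept : kept[0] };
}

// Constructed sample shaped like the statement quoted in the issue
// ("xxxx" is a placeholder for the account id, as in the issue).
export const SAMPLE_STATEMENT: PolicyStatement = {
  Action: 'ecs:RunTask',
  Resource: [
    'arn:aws:ecs:eu-central-1:xxxx:task-definition/my-task:*',
    'arn:aws:ecs:eu-central-1:xxxx:task-definition/my-task',
  ],
  Effect: 'Allow',
};

console.log('flagged:', findFamilyOnlyTaskDefArns(SAMPLE_STATEMENT));
console.log(JSON.stringify(tightenRunTaskStatement(SAMPLE_STATEMENT), null, 2));
```

Run over the sample, the first call reports the family-only ARN and the second returns a statement whose only resource is the ":*" ARN, which is the shape the issue asks for. The same two functions can be pointed at every statement in a synthesized template to confirm a fix or a workaround before deploying.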

ashishdhingra commented 4 days ago

Reproducible using below CDK code:

import * as cdk from 'aws-cdk-lib';
import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as ecs from 'aws-cdk-lib/aws-ecs';

export class StepStack extends cdk.Stack {
  constructor(app: cdk.App, id: string, props: cdk.StackProps) {
    super(app, id, props);

    // Vpc.fromLookup needs an explicit account/region in props.env
    const vpc = ec2.Vpc.fromLookup(this, 'Vpc', {
      isDefault: true,
    });

    const cluster = new ecs.Cluster(this, 'Ec2Cluster', { vpc });

    // The task definition whose ARN ends up in the state machine role's ecs:RunTask statement
    const taskDefinition = new ecs.FargateTaskDefinition(this, 'TD', {
      cpu: 256,
      memoryLimitMiB: 512,
    });

    taskDefinition.addContainer('TheContainer', {
      image: ecs.ContainerImage.fromRegistry('public.ecr.aws/docker/library/busybox:unstable-uclibc'),
      memoryLimitMiB: 256,
      command: ['sh', '-c', 'ping google.com -c 2'],
      logging: new ecs.AwsLogDriver({
        streamPrefix: 'demo',
      }),
    });

    // EcsRunTask is what generates the ecs:RunTask policy statement on the state machine role
    const runTask = new tasks.EcsRunTask(this, 'Run', {
      integrationPattern: sfn.IntegrationPattern.RUN_JOB,
      cluster,
      taskDefinition,
      assignPublicIp: true,
      launchTarget: new tasks.EcsFargateLaunchTarget(),
    });

    const startState = new sfn.Pass(this, 'StartState');
    const definition = startState
      .next(runTask);

    // No role is passed, so CDK creates the role and its default policy
    new sfn.StateMachine(this, 'StateMachine', {
      definition,
      timeout: cdk.Duration.minutes(5),
    });
  }
}

It generates a State Machine role with a default policy as shown below (clearly flagging an Invalid ARN Resource error):

[Screenshot 2024-07-05 at 2:30:33 PM: the generated State Machine role's default policy with the Invalid ARN Resource error]

Most likely an issue here.

msambol commented 3 days ago

I believe I fixed this in https://github.com/aws/aws-cdk/pull/30389, but we decided to leave the original permission and add a FF. @GavinZZ, shall I remove the FF and default it to only be ${taskDefinitionFamilyArn}:*?

nicor88 commented 2 days ago

@ashishdhingra thanks for the snippet.

@msambol defaulting to ${taskDefinitionFamilyArn}:* should do the job. But pretty much the recap of this issue is that the ${taskDefinitionFamilyArn} resource should go away from the policy to avoid: