Closed orekav closed 8 months ago
We'll take a look. Can you tell me more about sourceBucket and originBucket? Are they created in this stack or imported?
They are created in the same stack.
Basically, since v2.53.0 the solutions-construct is removing the buckets grants.
Test code
import type { Construct } from 'constructs';
import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import * as sfnTasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
import { S3ToStepfunctions } from '@aws-solutions-constructs/aws-s3-stepfunctions';

export class MainStack extends cdk.Stack {
  constructor(scope: Construct, id: string, private props: cdk.StackProps) {
    super(scope, id, props);

    // Both buckets are created in this stack.
    const sourceBucket = new s3.Bucket(this, 'SourceBucket');
    const destinationBucket = new s3.Bucket(this, 'DestinationBucket');

    // Single-task state machine: copy the incoming object to the destination bucket.
    const chainable = new sfnTasks.CallAwsService(this, 'Copy S3 object', {
      service: 's3',
      action: 'copyObject',
      iamResources: [
        sourceBucket.bucketArn,
        destinationBucket.bucketArn,
      ],
      parameters: {
        CopySource: sfn.JsonPath.format(
          '{}/{}',
          sfn.JsonPath.stringAt('$.sourceBucketName'),
          sfn.JsonPath.stringAt('$.sourceObjectKey')
        ),
        Bucket: destinationBucket.bucketName,
        Key: sfn.JsonPath.format(
          '{}/{}',
          sfn.JsonPath.stringAt('$.destinationFolder'),
          sfn.JsonPath.stringAt('$.sourceObjectKey')
        ),
      },
      resultPath: sfn.JsonPath.DISCARD,
    });

    const definitionBody = sfn.DefinitionBody.fromChainable(chainable);
    const stateMachineProps = { definitionBody, stateMachineName: 'MyStateMachine' };

    const { stateMachine } = new S3ToStepfunctions(this, 'MockedMediaPipeline', {
      deployCloudTrail: false,
      createCloudWatchAlarms: false,
      stateMachineProps,
      existingBucketObj: sourceBucket,
    });

    // Grants under test: compare the state machine role's policy in the two outputs below.
    sourceBucket.grantRead(stateMachine);
    destinationBucket.grantWrite(stateMachine);
  }
}

// const app = new cdk.App();
// new MainStack(app, MainStack.name, {});
Output with v2.52.0
{
"Resources": {
"SourceBucketDDD2130A": {
"Type": "AWS::S3::Bucket",
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "MainStack/SourceBucket/Resource"
}
},
"DestinationBucket4BECDB47": {
"Type": "AWS::S3::Bucket",
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "MainStack/DestinationBucket/Resource"
}
},
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineLogGroup429DAF3F": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": {
"Fn::Join": [
"",
[
"/aws/vendedlogs/states/constructs/MainStackMockedMediaPipeline-event-rule-step-function-constructStateMachineLog-",
{
"Fn::Select": [
2,
{
"Fn::Split": [
"/",
{
"Ref": "AWS::StackId"
}
]
}
]
}
]
]
}
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "MainStack/MockedMediaPipeline/MockedMediaPipeline-event-rule-step-function-construct/StateMachineLogGroup/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W86",
"reason": "Retention period for CloudWatchLogs LogGroups are set to 'Never Expire' to preserve customer data indefinitely"
},
{
"id": "W84",
"reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)"
}
]
}
}
},
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineRoleB5BE7064": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "MainStack/MockedMediaPipeline/MockedMediaPipeline-event-rule-step-function-construct/StateMachine/Role/Resource"
}
},
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineRoleDefaultPolicyC47E8BC4": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogDelivery",
"logs:GetLogDelivery",
"logs:UpdateLogDelivery",
"logs:DeleteLogDelivery",
"logs:ListLogDeliveries"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"DestinationBucket4BECDB47",
"Arn"
]
},
{
"Fn::GetAtt": [
"SourceBucketDDD2130A",
"Arn"
]
}
]
},
{
"Action": [
"logs:CreateLogDelivery",
"logs:DeleteLogDelivery",
"logs:DescribeLogGroups",
"logs:DescribeResourcePolicies",
"logs:GetLogDelivery",
"logs:ListLogDeliveries",
"logs:PutResourcePolicy",
"logs:UpdateLogDelivery"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeResourcePolicies",
"logs:PutResourcePolicy"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":*"
]
]
}
},
{
"Action": [
"s3:GetBucket*",
"s3:GetObject*",
"s3:List*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SourceBucketDDD2130A",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"SourceBucketDDD2130A",
"Arn"
]
},
"/*"
]
]
}
]
},
{
"Action": [
"s3:Abort*",
"s3:DeleteObject*",
"s3:PutObject",
"s3:PutObjectLegalHold",
"s3:PutObjectRetention",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"DestinationBucket4BECDB47",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"DestinationBucket4BECDB47",
"Arn"
]
},
"/*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineRoleDefaultPolicyC47E8BC4",
"Roles": [
{
"Ref": "MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineRoleB5BE7064"
}
]
},
"Metadata": {
"aws:cdk:path": "MainStack/MockedMediaPipeline/MockedMediaPipeline-event-rule-step-function-construct/StateMachine/Role/DefaultPolicy/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W12",
"reason": "The 'LogDelivery' actions do not support resource-level authorizations"
}
]
}
}
},
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachine6CB0E85A": {
"Type": "AWS::StepFunctions::StateMachine",
"Properties": {
"DefinitionString": {
"Fn::Join": [
"",
[
"{\"StartAt\":\"Copy S3 object\",\"States\":{\"Copy S3 object\":{\"End\":true,\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::aws-sdk:s3:copyObject\",\"Parameters\":{\"CopySource.$\":\"States.Format('{}/{}', $.sourceBucketName, $.sourceObjectKey)\",\"Bucket\":\"",
{
"Ref": "DestinationBucket4BECDB47"
},
"\",\"Key.$\":\"States.Format('{}/{}', $.destinationFolder, $.sourceObjectKey)\"}}}}"
]
]
},
"LoggingConfiguration": {
"Destinations": [
{
"CloudWatchLogsLogGroup": {
"LogGroupArn": {
"Fn::GetAtt": [
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineLogGroup429DAF3F",
"Arn"
]
}
}
}
],
"Level": "ERROR"
},
"RoleArn": {
"Fn::GetAtt": [
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineRoleB5BE7064",
"Arn"
]
},
"StateMachineName": "MyStateMachine"
},
"DependsOn": [
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineRoleDefaultPolicyC47E8BC4",
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineRoleB5BE7064"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "MainStack/MockedMediaPipeline/MockedMediaPipeline-event-rule-step-function-construct/StateMachine/Resource"
}
},
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructEventsRuleRoleC1D8E454": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "MainStack/MockedMediaPipeline/MockedMediaPipeline-event-rule-step-function-construct/EventsRuleRole/Resource"
}
},
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructEventsRuleRoleDefaultPolicy51BA4D0E": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "states:StartExecution",
"Effect": "Allow",
"Resource": {
"Ref": "MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachine6CB0E85A"
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructEventsRuleRoleDefaultPolicy51BA4D0E",
"Roles": [
{
"Ref": "MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructEventsRuleRoleC1D8E454"
}
]
},
"Metadata": {
"aws:cdk:path": "MainStack/MockedMediaPipeline/MockedMediaPipeline-event-rule-step-function-construct/EventsRuleRole/DefaultPolicy/Resource"
}
},
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructEventsRule40050E1B": {
"Type": "AWS::Events::Rule",
"Properties": {
"EventPattern": {
"source": [
"aws.s3"
],
"detail-type": [
"Object Created"
],
"detail": {
"bucket": {
"name": [
{
"Ref": "SourceBucketDDD2130A"
}
]
}
}
},
"State": "ENABLED",
"Targets": [
{
"Arn": {
"Ref": "MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachine6CB0E85A"
},
"Id": "Target0",
"RoleArn": {
"Fn::GetAtt": [
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructEventsRuleRoleC1D8E454",
"Arn"
]
}
}
]
},
"Metadata": {
"aws:cdk:path": "MainStack/MockedMediaPipeline/MockedMediaPipeline-event-rule-step-function-construct/EventsRule/Resource"
}
},
"CDKMetadata": {
"Type": "AWS::CDK::Metadata",
"Properties": {
"Analytics": "v2:deflate64:H4sIAAAAAAAA/11PXUvEMBD8LX1P9/qB4KNaxBcFaX0/culezTWXHNmkRUL+u6RVrH3a2Z0ZZraCUFb3UGR8plz0Y67kCULnuBgZn+kYqIbw5MWIjjVnvaLIyOHt7LVw0mg6Ok4jQcOVepypQztJgUyZgSC8muHFGn9L5l+8sy9xDt+4+JQak3C7Ryb5FUJr1EIt890oKb7SuqLIcELtCELrf2ReYYysRTLeivW0wY3RvUzhkd1VUGQP6Xsyyi+FcmE0OeuFo0MiAtX5/8Zd/WG67WUtcLKyH3Cnff5jdqYYmTY9woUOU1VAWUKZXUjK3Hrt5BWhXec3V18jPqQBAAA="
},
"Metadata": {
"aws:cdk:path": "MainStack/CDKMetadata/Default"
},
"Condition": "CDKMetadataAvailable"
}
},
"Conditions": {
"CDKMetadataAvailable": {
"Fn::Or": [
{
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"af-south-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-east-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-northeast-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-northeast-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-south-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-southeast-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-southeast-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ca-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"cn-north-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"cn-northwest-1"
]
}
]
},
{
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-north-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-south-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-west-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-west-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-west-3"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"il-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"me-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"me-south-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"sa-east-1"
]
}
]
},
{
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-east-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-east-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-west-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-west-2"
]
}
]
}
]
}
},
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
}
}
Output with v2.53.0
{
"Resources": {
"SourceBucketDDD2130A": {
"Type": "AWS::S3::Bucket",
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "MainStack/SourceBucket/Resource"
}
},
"DestinationBucket4BECDB47": {
"Type": "AWS::S3::Bucket",
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "MainStack/DestinationBucket/Resource"
}
},
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineLogGroup429DAF3F": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": {
"Fn::Join": [
"",
[
"/aws/vendedlogs/states/constructs/MainStackMockedMediaPipeline-event-rule-step-function-constructStateMachineLog-",
{
"Fn::Select": [
2,
{
"Fn::Split": [
"/",
{
"Ref": "AWS::StackId"
}
]
}
]
}
]
]
}
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "MainStack/MockedMediaPipeline/MockedMediaPipeline-event-rule-step-function-construct/StateMachineLogGroup/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W86",
"reason": "Retention period for CloudWatchLogs LogGroups are set to 'Never Expire' to preserve customer data indefinitely"
},
{
"id": "W84",
"reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)"
}
]
}
}
},
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineRoleB5BE7064": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "MainStack/MockedMediaPipeline/MockedMediaPipeline-event-rule-step-function-construct/StateMachine/Role/Resource"
}
},
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineRoleDefaultPolicyC47E8BC4": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "s3:copyObject",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"DestinationBucket4BECDB47",
"Arn"
]
},
{
"Fn::GetAtt": [
"SourceBucketDDD2130A",
"Arn"
]
}
]
},
{
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeResourcePolicies",
"logs:PutResourcePolicy"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":logs:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":*"
]
]
}
},
{
"Action": [
"logs:CreateLogDelivery",
"logs:DeleteLogDelivery",
"logs:GetLogDelivery",
"logs:ListLogDeliveries",
"logs:UpdateLogDelivery"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineRoleDefaultPolicyC47E8BC4",
"Roles": [
{
"Ref": "MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineRoleB5BE7064"
}
]
},
"Metadata": {
"aws:cdk:path": "MainStack/MockedMediaPipeline/MockedMediaPipeline-event-rule-step-function-construct/StateMachine/Role/DefaultPolicy/Resource",
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W12",
"reason": "The 'LogDelivery' actions do not support resource-level authorizations"
}
]
}
}
},
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachine6CB0E85A": {
"Type": "AWS::StepFunctions::StateMachine",
"Properties": {
"DefinitionString": {
"Fn::Join": [
"",
[
"{\"StartAt\":\"Copy S3 object\",\"States\":{\"Copy S3 object\":{\"End\":true,\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:",
{
"Ref": "AWS::Partition"
},
":states:::aws-sdk:s3:copyObject\",\"Parameters\":{\"CopySource.$\":\"States.Format('{}/{}', $.sourceBucketName, $.sourceObjectKey)\",\"Bucket\":\"",
{
"Ref": "DestinationBucket4BECDB47"
},
"\",\"Key.$\":\"States.Format('{}/{}', $.destinationFolder, $.sourceObjectKey)\"}}}}"
]
]
},
"LoggingConfiguration": {
"Destinations": [
{
"CloudWatchLogsLogGroup": {
"LogGroupArn": {
"Fn::GetAtt": [
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineLogGroup429DAF3F",
"Arn"
]
}
}
}
],
"Level": "ERROR"
},
"RoleArn": {
"Fn::GetAtt": [
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineRoleB5BE7064",
"Arn"
]
},
"StateMachineName": "MyStateMachine"
},
"DependsOn": [
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineRoleDefaultPolicyC47E8BC4",
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachineRoleB5BE7064"
],
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "MainStack/MockedMediaPipeline/MockedMediaPipeline-event-rule-step-function-construct/StateMachine/Resource"
}
},
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructEventsRuleRoleC1D8E454": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "MainStack/MockedMediaPipeline/MockedMediaPipeline-event-rule-step-function-construct/EventsRuleRole/Resource"
}
},
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructEventsRuleRoleDefaultPolicy51BA4D0E": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "states:StartExecution",
"Effect": "Allow",
"Resource": {
"Ref": "MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachine6CB0E85A"
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructEventsRuleRoleDefaultPolicy51BA4D0E",
"Roles": [
{
"Ref": "MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructEventsRuleRoleC1D8E454"
}
]
},
"Metadata": {
"aws:cdk:path": "MainStack/MockedMediaPipeline/MockedMediaPipeline-event-rule-step-function-construct/EventsRuleRole/DefaultPolicy/Resource"
}
},
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructEventsRule40050E1B": {
"Type": "AWS::Events::Rule",
"Properties": {
"EventPattern": {
"source": [
"aws.s3"
],
"detail-type": [
"Object Created"
],
"detail": {
"bucket": {
"name": [
{
"Ref": "SourceBucketDDD2130A"
}
]
}
}
},
"State": "ENABLED",
"Targets": [
{
"Arn": {
"Ref": "MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructStateMachine6CB0E85A"
},
"Id": "Target0",
"RoleArn": {
"Fn::GetAtt": [
"MockedMediaPipelineMockedMediaPipelineeventrulestepfunctionconstructEventsRuleRoleC1D8E454",
"Arn"
]
}
}
]
},
"Metadata": {
"aws:cdk:path": "MainStack/MockedMediaPipeline/MockedMediaPipeline-event-rule-step-function-construct/EventsRule/Resource"
}
},
"CDKMetadata": {
"Type": "AWS::CDK::Metadata",
"Properties": {
"Analytics": "v2:deflate64:H4sIAAAAAAAA/11PXUvEMBD8LX1P9/qB4KNaxBcFaX0/culezTWXHNmkRUL+u6RVrH3a2Z0ZZraCUFb3UGR8plz0Y67kCULnuBgZn+kYqIbw5MWIjjVnvaLIyOHt7LVw0mg6Ok4jQcOVepypQztJgUyZgSC8muHFGn9L5l+8sy9xDt+4+JQak3C7Ryb5FUJr1EIt890oKb7SuqLIcELtCELrf2ReYYysRTLeivW0wY3RvUzhkd3VUGQP6Xsyyi+FcmE0OeuFo0MiAtX5/8Zd/WG67WUtcLKyH3Cnff5jdqYYmTY9woUOU1VAWUKZXUjK3Hrt5BWhXec3y6ZW0aQBAAA="
},
"Metadata": {
"aws:cdk:path": "MainStack/CDKMetadata/Default"
},
"Condition": "CDKMetadataAvailable"
}
},
"Conditions": {
"CDKMetadataAvailable": {
"Fn::Or": [
{
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"af-south-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-east-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-northeast-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-northeast-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-south-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-southeast-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ap-southeast-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"ca-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"cn-north-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"cn-northwest-1"
]
}
]
},
{
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-north-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-south-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-west-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-west-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"eu-west-3"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"il-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"me-central-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"me-south-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"sa-east-1"
]
}
]
},
{
"Fn::Or": [
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-east-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-east-2"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-west-1"
]
},
{
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-west-2"
]
}
]
}
]
}
},
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
}
}
Differences
This first screenshot looks correct.
But the following ones are wrong.
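A regression check for this class of problem, as an added example that is not part of the original thread or the project's code: it compares the IAM grants in two synthesized templates and lists the ones that disappeared. The two templates are constructed, abridged from the v2.52.0 and v2.53.0 outputs above, and `StateMachineRoleDefaultPolicy` is a shortened, hypothetical logical ID.

```typescript
// Added example: list IAM grants present in one synthesized template but absent from another.
type Tpl = { Resources: { [id: string]: { Type: string; Properties?: any } } };

// Render a CloudFormation Resource value (plain string or intrinsic function) as readable text.
function renderResource(r: any): string {
  if (typeof r === 'string') return r;
  if (r && typeof r.Ref === 'string') return '${' + r.Ref + '}';
  if (r && Array.isArray(r['Fn::GetAtt'])) return '${' + r['Fn::GetAtt'].join('.') + '}';
  if (r && Array.isArray(r['Fn::Join'])) {
    const [sep, parts] = r['Fn::Join'];
    return (parts as any[]).map(renderResource).join(sep);
  }
  return JSON.stringify(r);
}

// Expand every Allow statement of every AWS::IAM::Policy into "policy | action | resource" rows.
function grantRows(tpl: Tpl): string[] {
  const rows: string[] = [];
  for (const id of Object.keys(tpl.Resources)) {
    const res = tpl.Resources[id];
    if (res.Type !== 'AWS::IAM::Policy') continue;
    const statements: any[] = res.Properties?.PolicyDocument?.Statement ?? [];
    for (const st of statements) {
      if (st.Effect !== 'Allow') continue;
      const actions: string[] = Array.isArray(st.Action) ? st.Action : [st.Action];
      const resources: any[] = Array.isArray(st.Resource) ? st.Resource : [st.Resource];
      for (const a of actions) {
        for (const r of resources) rows.push(id + ' | ' + a + ' | ' + renderResource(r));
      }
    }
  }
  return rows;
}

// Grants in `before` with no exact counterpart in `after` (wildcards are compared literally).
function removedGrants(before: Tpl, after: Tpl): string[] {
  const kept = grantRows(after);
  return grantRows(before).filter((row) => kept.indexOf(row) === -1).sort();
}

// --- Constructed sample input, abridged from the two outputs in the thread ---
const bucketArn = (id: string) => ({ 'Fn::GetAtt': [id, 'Arn'] });
const objectsArn = (id: string) => ({ 'Fn::Join': ['', [bucketArn(id), '/*']] });
const policy = (statements: object[]): Tpl => ({
  Resources: {
    StateMachineRoleDefaultPolicy: { // hypothetical shortened logical ID
      Type: 'AWS::IAM::Policy',
      Properties: { PolicyDocument: { Version: '2012-10-17', Statement: statements } },
    },
  },
});
const logDelivery = { Effect: 'Allow', Action: ['logs:CreateLogDelivery'], Resource: '*' };
const templateBefore = policy([ // shape of the v2.52.0 policy
  logDelivery,
  { Effect: 'Allow', Action: ['s3:GetObject*', 's3:List*'],
    Resource: [bucketArn('SourceBucketDDD2130A'), objectsArn('SourceBucketDDD2130A')] },
  { Effect: 'Allow', Action: ['s3:PutObject'],
    Resource: [bucketArn('DestinationBucket4BECDB47'), objectsArn('DestinationBucket4BECDB47')] },
]);
const templateAfter = policy([ // shape of the v2.53.0 policy
  logDelivery,
  { Effect: 'Allow', Action: 's3:copyObject',
    Resource: [bucketArn('DestinationBucket4BECDB47'), bucketArn('SourceBucketDDD2130A')] },
]);

const dropped = removedGrants(templateBefore, templateAfter);
console.log(dropped.join('\n'));
```

Fed the `cdk synth` output from before and after a dependency bump, a non-empty result is a signal to fail the build before the narrowed role reaches deployment.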
Does the sample app perform correctly for Solutions Constructs 2.52.0? When I launch it, it doesn't appear to work. The eventBridgeEnabled property is not set on the source bucket, so the S3 events are not being sent to EventBridge which would prevent EventBridge from kicking off the state machine.
When I change the source bucket instantiation to this, the state machine executes:
const sourceBucket = new s3.Bucket(this, 'SourceBucket', {
  eventBridgeEnabled: true
});
(this is independent of the altered IAM policy, it's just something I found while digging deeply into the issue).
(sorry, shouldn't have closed - clicked the wrong button)
2.54.0 should fix the issue with the State Machine policy not accepting/retaining the bucket permissions.
I haven't been looking at this, sorry for the late response. The point of this issue is IAM policies, not the entire thing working. I could have used any X to StepFunction construct, the point was the missing IAM Policies for the StepFunction instance to invoke other services.
I'll take a look, thanks 😄
Since I have updated the dependencies in my project to v2.53.0 I am having issues when I use grant permissions.
Reproduction Steps
Error Log
These are the differences, now my deployment is missing the policies on the right-hand side of the screenshot.
Environment
Other
This is :bug: Bug Report