diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/fake-task.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/fake-task.ts
index 784040751559c..6ab69af8b42f0 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/fake-task.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/fake-task.ts
@@ -35,3 +35,33 @@ export class FakeTask extends sfn.TaskStateBase {
 };
 }
 }
+
+/**
+ * JSONata-compatible task for integ testing
+ */
+export class FakeTaskJsonata extends sfn.TaskStateBase {
+ protected readonly taskMetrics?: sfn.TaskMetricsConfig;
+ protected readonly taskPolicies?: iam.PolicyStatement[];
+ protected readonly parameters?: { [key: string]: string };
+
+ constructor(scope: constructs.Construct, id: string, props: FakeTaskProps = {}) {
+ super(scope, id, props);
+ this.parameters = props.parameters;
+ }
+
+ protected _renderTask(): any {
+ return {
+ Type: 'Task',
+ Resource: 'arn:aws:states:::dynamodb:putItem',
+ Arguments: {
+ TableName: 'my-cool-table',
+ Item: {
+ id: {
+ S: 'my-entry',
+ },
+ },
+ ...this.parameters,
+ },
+ };
+ }
+}
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/StateMachineCredentialsDefaultTestDeployAssert3F5E6D8D.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/StateMachineCredentialsDefaultTestDeployAssert3F5E6D8D.assets.json
index dba14180ecd79..4d76e70074ee3 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/StateMachineCredentialsDefaultTestDeployAssert3F5E6D8D.assets.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/StateMachineCredentialsDefaultTestDeployAssert3F5E6D8D.assets.json
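Review bot: In fake-task.ts, `FakeTaskJsonata` declares `taskMetrics` and `taskPolicies` but its constructor never assigns them, so the fake adds no IAM statements for the `dynamodb:putItem` call it renders; if that is the intent, a comment above the two fields such as `// intentionally undefined: this fake is only synthesized and deployed` would make it explicit. In `_renderTask`, `...this.parameters` is spread after `TableName` and `Item`, so a caller-supplied key with the same name silently replaces the fixed value; the class doc comment should state that, and that this variant emits `Arguments` rather than the `Parameters` block seen in the existing snapshot states. The regenerated template later on this page pairs the task with `Credentials.RoleArn` read from `$states.input.RoleArn` and a role policy allowing `sts:AssumeRole` on `Resource: "*"`; that wildcard appears to follow from the ARN being resolved at run time, and the integ test would benefit from a comment noting that real stacks should restrict who can start executions or pin the role ARN.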
@@ -1,13 +1,14 @@ { - "version": "30.0.0", + "version": "48.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "StateMachineCredentialsDefaultTestDeployAssert3F5E6D8D Template", "source": { "path": "StateMachineCredentialsDefaultTestDeployAssert3F5E6D8D.template.json", "packaging": "file" }, "destinations": { - "current_account-current_region": { + "current_account-current_region-d8d86b35": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/aws-stepfunctions-state-machine-credentials-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/aws-stepfunctions-state-machine-credentials-integ.assets.json index 1c77d55543ef4..bbb6ee56a5219 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/aws-stepfunctions-state-machine-credentials-integ.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/aws-stepfunctions-state-machine-credentials-integ.assets.json 
@@ -1,15 +1,16 @@ { - "version": "30.0.0", + "version": "48.0.0", "files": { - "a5a1631e8d04a1f6f1e456a613f298d29c8fb564271da7b38a6ca3bc8b007b44": { + "c1a09861c476713e9ef451db19da973ceb80b3bf0d83c94474afcbf6857f4ee4": { + "displayName": "aws-stepfunctions-state-machine-credentials-integ Template", "source": { "path": "aws-stepfunctions-state-machine-credentials-integ.template.json", "packaging": "file" }, "destinations": { - "current_account-current_region": { + "current_account-current_region-fe07a169": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "a5a1631e8d04a1f6f1e456a613f298d29c8fb564271da7b38a6ca3bc8b007b44.json", + "objectKey": "c1a09861c476713e9ef451db19da973ceb80b3bf0d83c94474afcbf6857f4ee4.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/aws-stepfunctions-state-machine-credentials-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/aws-stepfunctions-state-machine-credentials-integ.template.json index f48f98bf62bfc..98f80d1750d31 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/aws-stepfunctions-state-machine-credentials-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/aws-stepfunctions-state-machine-credentials-integ.template.json @@ -9,22 +9,7 @@ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } + "Service": "states.amazonaws.com" } } ], 
@@ -78,12 +63,6 @@ "StateMachineWithLiteralCredentialsBF5A67AE": { "Type": "AWS::StepFunctions::StateMachine", "Properties": { - "RoleArn": { - "Fn::GetAtt": [ - "StateMachineWithLiteralCredentialsRole1F1DEEC1", - "Arn" - ] - }, "DefinitionString": { "Fn::Join": [ "", @@ -98,6 +77,12 @@ "\"},\"Resource\":\"arn:aws:states:::dynamodb:putItem\",\"Parameters\":{\"TableName\":\"my-cool-table\",\"Item\":{\"id\":{\"S\":\"my-entry\"}}}}},\"TimeoutSeconds\":30}" ] ] + }, + "RoleArn": { + "Fn::GetAtt": [ + "StateMachineWithLiteralCredentialsRole1F1DEEC1", + "Arn" + ] } }, "DependsOn": [ @@ -148,13 +133,13 @@ "StateMachineWithCrossAccountLiteralCredentialsA2DD713D": { "Type": "AWS::StepFunctions::StateMachine", "Properties": { + "DefinitionString": "{\"StartAt\":\"FakeTaskWithCrossAccountLiteralCredentials\",\"States\":{\"FakeTaskWithCrossAccountLiteralCredentials\":{\"End\":true,\"Type\":\"Task\",\"Credentials\":{\"RoleArn\":\"arn:aws:iam::123456789012:role/CrossAccountRole\"},\"Resource\":\"arn:aws:states:::dynamodb:putItem\",\"Parameters\":{\"TableName\":\"my-cool-table\",\"Item\":{\"id\":{\"S\":\"my-entry\"}}}}},\"TimeoutSeconds\":30}", "RoleArn": { "Fn::GetAtt": [ "StateMachineWithCrossAccountLiteralCredentialsRole4AA04DBC", "Arn" ] - }, - "DefinitionString": "{\"StartAt\":\"FakeTaskWithCrossAccountLiteralCredentials\",\"States\":{\"FakeTaskWithCrossAccountLiteralCredentials\":{\"End\":true,\"Type\":\"Task\",\"Credentials\":{\"RoleArn\":\"arn:aws:iam::123456789012:role/CrossAccountRole\"},\"Resource\":\"arn:aws:states:::dynamodb:putItem\",\"Parameters\":{\"TableName\":\"my-cool-table\",\"Item\":{\"id\":{\"S\":\"my-entry\"}}}}},\"TimeoutSeconds\":30}" + } }, "DependsOn": [ "StateMachineWithCrossAccountLiteralCredentialsRoleDefaultPolicy9B9943BD", 
@@ -204,13 +189,13 @@ "StateMachineWithJsonPathCredentials5786712E": { "Type": "AWS::StepFunctions::StateMachine", "Properties": { + "DefinitionString": "{\"StartAt\":\"FakeTaskWithJsonPathCredentials\",\"States\":{\"FakeTaskWithJsonPathCredentials\":{\"End\":true,\"Type\":\"Task\",\"Credentials\":{\"RoleArn.$\":\"$.RoleArn\"},\"Resource\":\"arn:aws:states:::dynamodb:putItem\",\"Parameters\":{\"TableName\":\"my-cool-table\",\"Item\":{\"id\":{\"S\":\"my-entry\"}}}}},\"TimeoutSeconds\":30}", "RoleArn": { "Fn::GetAtt": [ "StateMachineWithJsonPathCredentialsRole7BDE9FA6", "Arn" ] - }, - "DefinitionString": "{\"StartAt\":\"FakeTaskWithJsonPathCredentials\",\"States\":{\"FakeTaskWithJsonPathCredentials\":{\"End\":true,\"Type\":\"Task\",\"Credentials\":{\"RoleArn.$\":\"$.RoleArn\"},\"Resource\":\"arn:aws:states:::dynamodb:putItem\",\"Parameters\":{\"TableName\":\"my-cool-table\",\"Item\":{\"id\":{\"S\":\"my-entry\"}}}}},\"TimeoutSeconds\":30}" + } }, "DependsOn": [ "StateMachineWithJsonPathCredentialsRoleDefaultPolicy1DA1C50B", 
@@ -218,6 +203,62 @@ ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" + }, + "StateMachineWithJSONataCredentialsRole97AD3731": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "states.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "StateMachineWithJSONataCredentialsRoleDefaultPolicyF552EED1": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "StateMachineWithJSONataCredentialsRoleDefaultPolicyF552EED1", + "Roles": [ + { + "Ref": "StateMachineWithJSONataCredentialsRole97AD3731" + } + ] + } + }, + "StateMachineWithJSONataCredentialsA18E2D6C": { + "Type": "AWS::StepFunctions::StateMachine", + "Properties": { + "DefinitionString": "{\"StartAt\":\"FakeTaskWithJSONataCredentials\",\"States\":{\"FakeTaskWithJSONataCredentials\":{\"End\":true,\"Type\":\"Task\",\"Arguments\":{\"TableName\":\"my-cool-table\",\"Item\":{\"id\":{\"S\":\"my-entry\"}}},\"Credentials\":{\"RoleArn\":\"{% $states.input.RoleArn %}\"},\"Resource\":\"arn:aws:states:::dynamodb:putItem\"}},\"TimeoutSeconds\":30,\"QueryLanguage\":\"JSONata\"}", + "RoleArn": { + "Fn::GetAtt": [ + "StateMachineWithJSONataCredentialsRole97AD3731", + "Arn" + ] + } + }, + "DependsOn": [ + "StateMachineWithJSONataCredentialsRoleDefaultPolicyF552EED1", + "StateMachineWithJSONataCredentialsRole97AD3731" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" } }, "Parameters": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/cdk.out index ae4b03c54e770..523a9aac37cbf 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"30.0.0"} \ No newline at end of file +{"version":"48.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/integ.json index 25d4bec208ee3..fef296fce9c8b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "30.0.0", + "version": "48.0.0", "testCases": { "StateMachineCredentials/DefaultTest": { "stacks": [ @@ -8,5 +8,6 @@ "assertionStack": "StateMachineCredentials/DefaultTest/DeployAssert", "assertionStackName": "StateMachineCredentialsDefaultTestDeployAssert3F5E6D8D" } - } + }, + "minimumCliVersion": "2.1027.0" } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/manifest.json index aa16ec507d6cd..07b47f7f46b32 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/manifest.json 
@@ -1,5 +1,5 @@ { - "version": "30.0.0", + "version": "48.0.0", "artifacts": { "aws-stepfunctions-state-machine-credentials-integ.assets": { "type": "cdk:asset-manifest", @@ -14,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "aws-stepfunctions-state-machine-credentials-integ.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/a5a1631e8d04a1f6f1e456a613f298d29c8fb564271da7b38a6ca3bc8b007b44.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c1a09861c476713e9ef451db19da973ceb80b3bf0d83c94474afcbf6857f4ee4.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ 
@@ -33,18 +34,123 @@ "aws-stepfunctions-state-machine-credentials-integ.assets" ], "metadata": { + "/aws-stepfunctions-state-machine-credentials-integ/Role": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + } + ], + "/aws-stepfunctions-state-machine-credentials-integ/Role/ImportRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/aws-stepfunctions-state-machine-credentials-integ/Role/Resource": [ { "type": "aws:cdk:logicalId", "data": "Role1ABCC5F0" } ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "definition": "*", + "timeout": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToRolePolicy": [ + {} + ] + } + } + ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Role": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + } + ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Role/ImportRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Role/Resource": [ { "type": "aws:cdk:logicalId", "data": "StateMachineWithLiteralCredentialsRole1F1DEEC1" } ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Role/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": 
"aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Role/DefaultPolicy/Resource": [ { "type": "aws:cdk:logicalId", 
@@ -57,12 +163,106 @@ "data": "StateMachineWithLiteralCredentialsBF5A67AE" } ], + "/aws-stepfunctions-state-machine-credentials-integ/CrossAccountRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "definition": "*", + "timeout": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToRolePolicy": [ + {} + ] + } + } + ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Role": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + } + ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Role/ImportRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Role/Resource": [ { "type": "aws:cdk:logicalId", "data": "StateMachineWithCrossAccountLiteralCredentialsRole4AA04DBC" } ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Role/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], 
"/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Role/DefaultPolicy/Resource": [ { "type": "aws:cdk:logicalId", 
@@ -75,12 +275,100 @@ "data": "StateMachineWithCrossAccountLiteralCredentialsA2DD713D" } ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "definition": "*", + "timeout": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToRolePolicy": [ + {} + ] + } + } + ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Role": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + } + ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Role/ImportRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Role/Resource": [ { "type": "aws:cdk:logicalId", "data": "StateMachineWithJsonPathCredentialsRole7BDE9FA6" } ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Role/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Role/DefaultPolicy/Resource": [ { "type": "aws:cdk:logicalId", 
@@ -93,6 +381,113 @@ "data": "StateMachineWithJsonPathCredentials5786712E" } ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJSONataCredentials": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "definition": "*", + "queryLanguage": "JSONata", + "timeout": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToRolePolicy": [ + {} + ] + } + } + ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJSONataCredentials/Role": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + } + ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJSONataCredentials/Role/ImportRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJSONataCredentials/Role/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "StateMachineWithJSONataCredentialsRole97AD3731" + } + ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJSONataCredentials/Role/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJSONataCredentials/Role/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": 
"StateMachineWithJSONataCredentialsRoleDefaultPolicyF552EED1" + } + ], + "/aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJSONataCredentials/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "StateMachineWithJSONataCredentialsA18E2D6C" + } + ], "/aws-stepfunctions-state-machine-credentials-integ/BootstrapVersion": [ { "type": "aws:cdk:logicalId", @@ -121,6 +516,7 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "StateMachineCredentialsDefaultTestDeployAssert3F5E6D8D.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", 
@@ -160,6 +556,502 @@ "properties": { "file": "tree.json" } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": { + "userValue": true, + "recommendedValue": true, + "explanation": "Pass signingProfileName to CfnSigningProfile" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": { + "userValue": true, + "recommendedValue": true, + "explanation": "Disable implicit openListener when custom security groups are provided" + }, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." 
+ }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." 
+ }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." + }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to create default policy names for imported roles that depend on the stack the role is in." 
+ }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." 
+ }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + 
"recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." 
+ }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." 
+ }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:explicitStackTags": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." 
+ }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." 
+ }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." 
+ }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." 
+ }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + }, + "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": { + "recommendedValue": true, + "explanation": "When enabled, Network Load Balancer will be created with a security group by default." + }, + "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": { + "recommendedValue": true, + "explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": { + "recommendedValue": true, + "explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement" + } + } + } } - } + }, + "minimumCliVersion": "2.1031.2" } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/tree.json index a7beb896918a0..0e0c6fb05c46e 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.js.snapshot/tree.json 
@@ -1,546 +1 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "aws-stepfunctions-state-machine-credentials-integ": { - "id": "aws-stepfunctions-state-machine-credentials-integ", - "path": "aws-stepfunctions-state-machine-credentials-integ", - "children": { - "Role": { - "id": "Role", - "path": "aws-stepfunctions-state-machine-credentials-integ/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "aws-stepfunctions-state-machine-credentials-integ/Role/ImportRole", - "constructInfo": { - "fqn": "@aws-cdk/core.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-stepfunctions-state-machine-credentials-integ/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "AWS": { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::", - { - "Ref": "AWS::AccountId" - }, - ":root" - ] - ] - } - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", - "version": "0.0.0" - } - }, - "FakeTaskWithLiteralCredentials": { - "id": "FakeTaskWithLiteralCredentials", - "path": "aws-stepfunctions-state-machine-credentials-integ/FakeTaskWithLiteralCredentials", - "constructInfo": { - "fqn": "@aws-cdk/aws-stepfunctions.TaskStateBase", - "version": "0.0.0" - } - }, - "StateMachineWithLiteralCredentials": { - "id": "StateMachineWithLiteralCredentials", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials", - "children": { - "Role": { - "id": "Role", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Role", - "children": { - "ImportRole": { - "id": 
"ImportRole", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Role/ImportRole", - "constructInfo": { - "fqn": "@aws-cdk/core.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "states.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": { - "Fn::GetAtt": [ - "Role1ABCC5F0", - "Arn" - ] - } - } - ], - "Version": "2012-10-17" - }, - "policyName": "StateMachineWithLiteralCredentialsRoleDefaultPolicy331008EE", - "roles": [ - { - "Ref": "StateMachineWithLiteralCredentialsRole1F1DEEC1" - } - ] - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Resource", - 
"attributes": { - "aws:cdk:cloudformation:type": "AWS::StepFunctions::StateMachine", - "aws:cdk:cloudformation:props": { - "roleArn": { - "Fn::GetAtt": [ - "StateMachineWithLiteralCredentialsRole1F1DEEC1", - "Arn" - ] - }, - "definitionString": { - "Fn::Join": [ - "", - [ - "{\"StartAt\":\"FakeTaskWithLiteralCredentials\",\"States\":{\"FakeTaskWithLiteralCredentials\":{\"End\":true,\"Type\":\"Task\",\"Credentials\":{\"RoleArn\":\"", - { - "Fn::GetAtt": [ - "Role1ABCC5F0", - "Arn" - ] - }, - "\"},\"Resource\":\"arn:aws:states:::dynamodb:putItem\",\"Parameters\":{\"TableName\":\"my-cool-table\",\"Item\":{\"id\":{\"S\":\"my-entry\"}}}}},\"TimeoutSeconds\":30}" - ] - ] - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-stepfunctions.CfnStateMachine", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-stepfunctions.StateMachine", - "version": "0.0.0" - } - }, - "CrossAccountRole": { - "id": "CrossAccountRole", - "path": "aws-stepfunctions-state-machine-credentials-integ/CrossAccountRole", - "constructInfo": { - "fqn": "@aws-cdk/core.Resource", - "version": "0.0.0" - } - }, - "FakeTaskWithCrossAccountLiteralCredentials": { - "id": "FakeTaskWithCrossAccountLiteralCredentials", - "path": "aws-stepfunctions-state-machine-credentials-integ/FakeTaskWithCrossAccountLiteralCredentials", - "constructInfo": { - "fqn": "@aws-cdk/aws-stepfunctions.TaskStateBase", - "version": "0.0.0" - } - }, - "StateMachineWithCrossAccountLiteralCredentials": { - "id": "StateMachineWithCrossAccountLiteralCredentials", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials", - "children": { - "Role": { - "id": "Role", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Role/ImportRole", - 
"constructInfo": { - "fqn": "@aws-cdk/core.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "states.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": "arn:aws:iam::123456789012:role/CrossAccountRole" - } - ], - "Version": "2012-10-17" - }, - "policyName": "StateMachineWithCrossAccountLiteralCredentialsRoleDefaultPolicy9B9943BD", - "roles": [ - { - "Ref": "StateMachineWithCrossAccountLiteralCredentialsRole4AA04DBC" - } - ] - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Resource", - "attributes": { - "aws:cdk:cloudformation:type": 
"AWS::StepFunctions::StateMachine", - "aws:cdk:cloudformation:props": { - "roleArn": { - "Fn::GetAtt": [ - "StateMachineWithCrossAccountLiteralCredentialsRole4AA04DBC", - "Arn" - ] - }, - "definitionString": "{\"StartAt\":\"FakeTaskWithCrossAccountLiteralCredentials\",\"States\":{\"FakeTaskWithCrossAccountLiteralCredentials\":{\"End\":true,\"Type\":\"Task\",\"Credentials\":{\"RoleArn\":\"arn:aws:iam::123456789012:role/CrossAccountRole\"},\"Resource\":\"arn:aws:states:::dynamodb:putItem\",\"Parameters\":{\"TableName\":\"my-cool-table\",\"Item\":{\"id\":{\"S\":\"my-entry\"}}}}},\"TimeoutSeconds\":30}" - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-stepfunctions.CfnStateMachine", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-stepfunctions.StateMachine", - "version": "0.0.0" - } - }, - "FakeTaskWithJsonPathCredentials": { - "id": "FakeTaskWithJsonPathCredentials", - "path": "aws-stepfunctions-state-machine-credentials-integ/FakeTaskWithJsonPathCredentials", - "constructInfo": { - "fqn": "@aws-cdk/aws-stepfunctions.TaskStateBase", - "version": "0.0.0" - } - }, - "StateMachineWithJsonPathCredentials": { - "id": "StateMachineWithJsonPathCredentials", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials", - "children": { - "Role": { - "id": "Role", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Role", - "children": { - "ImportRole": { - "id": "ImportRole", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Role/ImportRole", - "constructInfo": { - "fqn": "@aws-cdk/core.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Role/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - 
"Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "states.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnRole", - "version": "0.0.0" - } - }, - "DefaultPolicy": { - "id": "DefaultPolicy", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Role/DefaultPolicy", - "children": { - "Resource": { - "id": "Resource", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Role/DefaultPolicy/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Policy", - "aws:cdk:cloudformation:props": { - "policyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Resource": "*" - } - ], - "Version": "2012-10-17" - }, - "policyName": "StateMachineWithJsonPathCredentialsRoleDefaultPolicy1DA1C50B", - "roles": [ - { - "Ref": "StateMachineWithJsonPathCredentialsRole7BDE9FA6" - } - ] - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-iam.CfnPolicy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Policy", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-iam.Role", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::StepFunctions::StateMachine", - "aws:cdk:cloudformation:props": { - "roleArn": { - "Fn::GetAtt": [ - "StateMachineWithJsonPathCredentialsRole7BDE9FA6", - "Arn" - ] - }, - "definitionString": 
"{\"StartAt\":\"FakeTaskWithJsonPathCredentials\",\"States\":{\"FakeTaskWithJsonPathCredentials\":{\"End\":true,\"Type\":\"Task\",\"Credentials\":{\"RoleArn.$\":\"$.RoleArn\"},\"Resource\":\"arn:aws:states:::dynamodb:putItem\",\"Parameters\":{\"TableName\":\"my-cool-table\",\"Item\":{\"id\":{\"S\":\"my-entry\"}}}}},\"TimeoutSeconds\":30}" - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-stepfunctions.CfnStateMachine", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-stepfunctions.StateMachine", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "aws-stepfunctions-state-machine-credentials-integ/BootstrapVersion", - "constructInfo": { - "fqn": "@aws-cdk/core.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "aws-stepfunctions-state-machine-credentials-integ/CheckBootstrapVersion", - "constructInfo": { - "fqn": "@aws-cdk/core.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/core.Stack", - "version": "0.0.0" - } - }, - "StateMachineCredentials": { - "id": "StateMachineCredentials", - "path": "StateMachineCredentials", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "StateMachineCredentials/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "StateMachineCredentials/DefaultTest/Default", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.237" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "StateMachineCredentials/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "StateMachineCredentials/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "@aws-cdk/core.CfnParameter", - "version": "0.0.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "StateMachineCredentials/DefaultTest/DeployAssert/CheckBootstrapVersion", - 
"constructInfo": { - "fqn": "@aws-cdk/core.CfnRule", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/core.Stack", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.237" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/core.App", - "version": "0.0.0" - } - } -} \ No newline at end of file +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"aws-stepfunctions-state-machine-credentials-integ":{"id":"aws-stepfunctions-state-machine-credentials-integ","path":"aws-stepfunctions-state-machine-credentials-integ","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"Role":{"id":"Role","path":"aws-stepfunctions-state-machine-credentials-integ/Role","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}}]},"children":{"ImportRole":{"id":"ImportRole","path":"aws-stepfunctions-state-machine-credentials-integ/Role/ImportRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-stepfunctions-state-machine-credentials-integ/Role/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"states.amazonaws.com"}}],"Version":"2012-10-17"}}}}}},"FakeTaskWithLiteralCredentials":{"id":"FakeTaskWithLiteralCredentials","path":"aws-stepfunctions-state-machine-credentials-integ/FakeTaskWithLiteralCredent
ials","constructInfo":{"fqn":"aws-cdk-lib.aws_stepfunctions.TaskStateBase","version":"0.0.0"}},"StateMachineWithLiteralCredentials":{"id":"StateMachineWithLiteralCredentials","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials","constructInfo":{"fqn":"aws-cdk-lib.aws_stepfunctions.StateMachine","version":"0.0.0","metadata":[{"definition":"*","timeout":"*"},{"addToRolePolicy":[{}]}]},"children":{"Role":{"id":"Role","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Role","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]},{"attachInlinePolicy":["*"]}]},"children":{"ImportRole":{"id":"ImportRole","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Role/ImportRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Role/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"states.amazonaws.com"}}],"Version":"2012-10-17"}}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Role/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Role/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_i
am.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Resource":{"Fn::GetAtt":["Role1ABCC5F0","Arn"]}}],"Version":"2012-10-17"},"policyName":"StateMachineWithLiteralCredentialsRoleDefaultPolicy331008EE","roles":[{"Ref":"StateMachineWithLiteralCredentialsRole1F1DEEC1"}]}}}}}}},"Resource":{"id":"Resource","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithLiteralCredentials/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_stepfunctions.CfnStateMachine","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::StepFunctions::StateMachine","aws:cdk:cloudformation:props":{"definitionString":{"Fn::Join":["",["{\"StartAt\":\"FakeTaskWithLiteralCredentials\",\"States\":{\"FakeTaskWithLiteralCredentials\":{\"End\":true,\"Type\":\"Task\",\"Credentials\":{\"RoleArn\":\"",{"Fn::GetAtt":["Role1ABCC5F0","Arn"]},"\"},\"Resource\":\"arn:aws:states:::dynamodb:putItem\",\"Parameters\":{\"TableName\":\"my-cool-table\",\"Item\":{\"id\":{\"S\":\"my-entry\"}}}}},\"TimeoutSeconds\":30}"]]},"roleArn":{"Fn::GetAtt":["StateMachineWithLiteralCredentialsRole1F1DEEC1","Arn"]}}}}}},"CrossAccountRole":{"id":"CrossAccountRole","path":"aws-stepfunctions-state-machine-credentials-integ/CrossAccountRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"FakeTaskWithCrossAccountLiteralCredentials":{"id":"FakeTaskWithCrossAccountLiteralCredentials","path":"aws-stepfunctions-state-machine-credentials-integ/FakeTaskWithCrossAccountLiteralCredentials","constructInfo":{"fqn":"aws-cdk-lib.aws_stepfunctions.TaskStateBase","version":"0.0.0"}},"StateMachineWithCrossAccountLiteralCredentials":{"id":"StateMachineWithCrossAccountLiteralCredentials","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials","constructInfo":{"fqn":"aws-cdk-lib.aws_stepfu
nctions.StateMachine","version":"0.0.0","metadata":[{"definition":"*","timeout":"*"},{"addToRolePolicy":[{}]}]},"children":{"Role":{"id":"Role","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Role","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]},{"attachInlinePolicy":["*"]}]},"children":{"ImportRole":{"id":"ImportRole","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Role/ImportRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Role/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"states.amazonaws.com"}}],"Version":"2012-10-17"}}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Role/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Role/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Resource":"arn:aws:iam::123456789012:role/CrossAcco
untRole"}],"Version":"2012-10-17"},"policyName":"StateMachineWithCrossAccountLiteralCredentialsRoleDefaultPolicy9B9943BD","roles":[{"Ref":"StateMachineWithCrossAccountLiteralCredentialsRole4AA04DBC"}]}}}}}}},"Resource":{"id":"Resource","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithCrossAccountLiteralCredentials/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_stepfunctions.CfnStateMachine","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::StepFunctions::StateMachine","aws:cdk:cloudformation:props":{"definitionString":"{\"StartAt\":\"FakeTaskWithCrossAccountLiteralCredentials\",\"States\":{\"FakeTaskWithCrossAccountLiteralCredentials\":{\"End\":true,\"Type\":\"Task\",\"Credentials\":{\"RoleArn\":\"arn:aws:iam::123456789012:role/CrossAccountRole\"},\"Resource\":\"arn:aws:states:::dynamodb:putItem\",\"Parameters\":{\"TableName\":\"my-cool-table\",\"Item\":{\"id\":{\"S\":\"my-entry\"}}}}},\"TimeoutSeconds\":30}","roleArn":{"Fn::GetAtt":["StateMachineWithCrossAccountLiteralCredentialsRole4AA04DBC","Arn"]}}}}}},"FakeTaskWithJsonPathCredentials":{"id":"FakeTaskWithJsonPathCredentials","path":"aws-stepfunctions-state-machine-credentials-integ/FakeTaskWithJsonPathCredentials","constructInfo":{"fqn":"aws-cdk-lib.aws_stepfunctions.TaskStateBase","version":"0.0.0"}},"StateMachineWithJsonPathCredentials":{"id":"StateMachineWithJsonPathCredentials","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials","constructInfo":{"fqn":"aws-cdk-lib.aws_stepfunctions.StateMachine","version":"0.0.0","metadata":[{"definition":"*","timeout":"*"},{"addToRolePolicy":[{}]}]},"children":{"Role":{"id":"Role","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Role","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]},{"attachI
nlinePolicy":["*"]}]},"children":{"ImportRole":{"id":"ImportRole","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Role/ImportRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Role/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"states.amazonaws.com"}}],"Version":"2012-10-17"}}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Role/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Role/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"policyName":"StateMachineWithJsonPathCredentialsRoleDefaultPolicy1DA1C50B","roles":[{"Ref":"StateMachineWithJsonPathCredentialsRole7BDE9FA6"}]}}}}}}},"Resource":{"id":"Resource","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJsonPathCredentials/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_stepfunctions.CfnStateMachine","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::StepFunctions::StateMachine","aws:cdk:cloudformation:props":{"definitionString":"{\"StartAt\":\"F
akeTaskWithJsonPathCredentials\",\"States\":{\"FakeTaskWithJsonPathCredentials\":{\"End\":true,\"Type\":\"Task\",\"Credentials\":{\"RoleArn.$\":\"$.RoleArn\"},\"Resource\":\"arn:aws:states:::dynamodb:putItem\",\"Parameters\":{\"TableName\":\"my-cool-table\",\"Item\":{\"id\":{\"S\":\"my-entry\"}}}}},\"TimeoutSeconds\":30}","roleArn":{"Fn::GetAtt":["StateMachineWithJsonPathCredentialsRole7BDE9FA6","Arn"]}}}}}},"FakeTaskWithJSONataCredentials":{"id":"FakeTaskWithJSONataCredentials","path":"aws-stepfunctions-state-machine-credentials-integ/FakeTaskWithJSONataCredentials","constructInfo":{"fqn":"aws-cdk-lib.aws_stepfunctions.TaskStateBase","version":"0.0.0"}},"StateMachineWithJSONataCredentials":{"id":"StateMachineWithJSONataCredentials","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJSONataCredentials","constructInfo":{"fqn":"aws-cdk-lib.aws_stepfunctions.StateMachine","version":"0.0.0","metadata":[{"definition":"*","queryLanguage":"JSONata","timeout":"*"},{"addToRolePolicy":[{}]}]},"children":{"Role":{"id":"Role","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJSONataCredentials/Role","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]},{"attachInlinePolicy":["*"]}]},"children":{"ImportRole":{"id":"ImportRole","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJSONataCredentials/Role/ImportRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJSONataCredentials/Role/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"
Allow","Principal":{"Service":"states.amazonaws.com"}}],"Version":"2012-10-17"}}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJSONataCredentials/Role/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJSONataCredentials/Role/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Resource":"*"}],"Version":"2012-10-17"},"policyName":"StateMachineWithJSONataCredentialsRoleDefaultPolicyF552EED1","roles":[{"Ref":"StateMachineWithJSONataCredentialsRole97AD3731"}]}}}}}}},"Resource":{"id":"Resource","path":"aws-stepfunctions-state-machine-credentials-integ/StateMachineWithJSONataCredentials/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_stepfunctions.CfnStateMachine","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::StepFunctions::StateMachine","aws:cdk:cloudformation:props":{"definitionString":"{\"StartAt\":\"FakeTaskWithJSONataCredentials\",\"States\":{\"FakeTaskWithJSONataCredentials\":{\"End\":true,\"Type\":\"Task\",\"Arguments\":{\"TableName\":\"my-cool-table\",\"Item\":{\"id\":{\"S\":\"my-entry\"}}},\"Credentials\":{\"RoleArn\":\"{% $states.input.RoleArn 
%}\"},\"Resource\":\"arn:aws:states:::dynamodb:putItem\"}},\"TimeoutSeconds\":30,\"QueryLanguage\":\"JSONata\"}","roleArn":{"Fn::GetAtt":["StateMachineWithJSONataCredentialsRole97AD3731","Arn"]}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"aws-stepfunctions-state-machine-credentials-integ/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"aws-stepfunctions-state-machine-credentials-integ/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"StateMachineCredentials":{"id":"StateMachineCredentials","path":"StateMachineCredentials","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"StateMachineCredentials/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"StateMachineCredentials/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"StateMachineCredentials/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"StateMachineCredentials/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"StateMachineCredentials/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.ts index 666b97b7ad301..df8e594bee56f 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions/test/integ.state-machine-credentials.ts @@ -1,7 +1,7 @@ import * as iam from 'aws-cdk-lib/aws-iam'; import * as cdk from 'aws-cdk-lib'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; -import { FakeTask } from './fake-task'; +import { FakeTask, FakeTaskJsonata } from './fake-task'; import * as sfn from 'aws-cdk-lib/aws-stepfunctions'; /* @@ -13,7 +13,7 @@ const app = new cdk.App(); const stack = new cdk.Stack(app, 'aws-stepfunctions-state-machine-credentials-integ'); const role = new iam.Role(stack, 'Role', { - assumedBy: new iam.AccountPrincipal(stack.account), + assumedBy: new iam.ServicePrincipal('states.amazonaws.com'), }); new sfn.StateMachine(stack, 'StateMachineWithLiteralCredentials', { @@ -33,4 +33,10 @@ new sfn.StateMachine(stack, 'StateMachineWithJsonPathCredentials', { timeout: cdk.Duration.seconds(30), }); +new sfn.StateMachine(stack, 'StateMachineWithJSONataCredentials', { + definition: new FakeTaskJsonata(stack, 'FakeTaskWithJSONataCredentials', { credentials: { role: sfn.TaskRole.fromRoleArnJsonata('{% $states.input.RoleArn %}') } }), + queryLanguage: sfn.QueryLanguage.JSONATA, + timeout: cdk.Duration.seconds(30), +}); + new IntegTest(app, 'StateMachineCredentials', { testCases: [stack] }); diff --git a/packages/aws-cdk-lib/aws-stepfunctions/README.md b/packages/aws-cdk-lib/aws-stepfunctions/README.md index 55451f70f2bbd..42d4b26401b62 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions/README.md +++ b/packages/aws-cdk-lib/aws-stepfunctions/README.md 
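Review bot: The new `assumedBy: new iam.ServicePrincipal('states.amazonaws.com')` in the `@@ -13,7 +13,7 @@` hunk changes who may assume `role`, and no comment says why. If `role` is the one handed to a task as its credentials role further down (that code is outside the hunk), the `sts:AssumeRole` call at run time would presumably come from the state machine's execution role. A trust policy naming only the service principal may not admit that caller, and a deploy-only integ test would not surface it. I would add a line above it such as `// trusted principal: <reason the Step Functions service, not the execution role, is the caller>`, or confirm the trust policy against a real execution.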
@@ -1247,8 +1247,10 @@ declare const iamRole: iam.Role; // use a fixed role for all task invocations const role = sfn.TaskRole.fromRole(iamRole); -// or use a json expression to resolve the role at runtime based on task inputs +// or use JSONPath expression to resolve the role at runtime based on task inputs //const role = sfn.TaskRole.fromRoleArnJsonPath('$.RoleArn'); +// or similarly use JSONata expression +//const role = sfn.TaskRole.fromRoleArnJsonata('{% $states.input.RoleArn %}'); const submitJob = new tasks.LambdaInvoke(this, 'Submit Job', { lambdaFunction: submitLambda, diff --git a/packages/aws-cdk-lib/aws-stepfunctions/lib/task-credentials.ts b/packages/aws-cdk-lib/aws-stepfunctions/lib/task-credentials.ts index c2f1dc974135c..b9eb3c05fdb3b 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions/lib/task-credentials.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions/lib/task-credentials.ts @@ -1,5 +1,7 @@ import { JsonPath } from './fields'; +import { isValidJsonataExpression } from './private/jsonata'; import * as iam from '../../aws-iam'; +import { UnscopedValidationError } from '../../core'; /** * Specifies a target role assumed by the State Machine's execution role for invoking the task's resource. @@ -34,6 +36,19 @@ export abstract class TaskRole { return new JsonExpressionTaskRole(expression); } + /** + * Construct a task role retrieved from task inputs using a JSONata expression + * + * @param expression JSONata expression to roleArn + * + * @example + * + * sfn.TaskRole.fromRoleArnJsonata('{% $states.input.RoleArn %}'); + */ + public static fromRoleArnJsonata(expression: string): TaskRole { + return new JsonataExpressionTaskRole(expression); + } + /** * Construct a task role based on the provided IAM Role * 
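Review bot: The doc comment on `fromRoleArnJsonata` in the `@@ -34,6 +36,19 @@` hunk does not state the IAM consequence of using it. `JsonataExpressionTaskRole` (hunk `@@ -65,6 +80,20 @@`) sets `resource = '*'`, and the snapshot for `StateMachineWithJSONataCredentials` shows the execution role receiving `sts:AssumeRole` on `"Resource":"*"`. The role actually assumed is therefore whatever ARN arrives in the execution input. I would extend the comment with a sentence like `The role ARN is resolved at run time, so the execution role is granted sts:AssumeRole on '*'; restrict who can start executions and rely on the target roles' trust policies.`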
@@ -65,6 +80,20 @@ class JsonExpressionTaskRole extends TaskRole { } } +class JsonataExpressionTaskRole extends TaskRole { + public readonly resource: string; + public readonly roleArn: string; + + constructor(expression: string) { + super(); + if (!isValidJsonataExpression(expression)) { + throw new UnscopedValidationError(`JSONata expression must be start with '{%' and end with '%}', got '${expression}'`); + } + this.roleArn = expression; + this.resource = '*'; + } +} + class IamRoleTaskRole extends TaskRole { public readonly resource: string; public readonly roleArn: string; diff --git a/packages/aws-cdk-lib/aws-stepfunctions/test/task-credentials.test.ts b/packages/aws-cdk-lib/aws-stepfunctions/test/task-credentials.test.ts index ad10b1ea12224..a5394694ed0b1 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions/test/task-credentials.test.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions/test/task-credentials.test.ts @@ -1,5 +1,6 @@ import * as iam from '../../aws-iam'; import * as cdk from '../../core'; +import { UnscopedValidationError } from '../../core'; import * as sfn from '../lib'; describe('TaskRole', () => { @@ -31,4 +32,17 @@ describe('TaskRole', () => { expect(() => sfn.TaskRole.fromRoleArnJsonPath('RoleArn')).toThrow(); }); }); + + describe('fromRoleArnJsonata()', () => { + test('returns expected roleArn and resource', () => { + const role = sfn.TaskRole.fromRoleArnJsonata('{% $states.input.RoleArn %}'); + + expect(stack.resolve(role.roleArn)).toEqual('{% $states.input.RoleArn %}'); + expect(role.resource).toEqual('*'); + }); + + test('throws error for invalid expression', () => { + expect(() => sfn.TaskRole.fromRoleArnJsonata('InvalidExpression')).toThrow(UnscopedValidationError); + }); + }); });
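Review bot: The validation message in the `JsonataExpressionTaskRole` constructor reads "must be start with", which is ungrammatical for a user-facing error; it should be `JSONata expression must start with '{%' and end with '%}', got '${expression}'`. The class also has no doc comment, unlike the public factory; one line such as `/** Task role whose ARN is a JSONata expression evaluated at run time; resource is '*' because the ARN is unknown at synth time. */` would help. Judging by the message, `isValidJsonataExpression` (defined outside this diff) checks only the delimiters, so the expression body reaches the state machine definition unvalidated.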
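Review bot: The negative test in the `@@ -31,4 +32,17 @@` hunk feeds only `'InvalidExpression'`, which lacks both delimiters, so it would still pass if the validator checked just one end. Adding single-delimiter cases, e.g. `expect(() => sfn.TaskRole.fromRoleArnJsonata('{% $states.input.RoleArn')).toThrow(UnscopedValidationError);` and the mirror-image `'$states.input.RoleArn %}'`, would pin the contract. In the `@@ -1,5 +1,6 @@` hunk the second import from `'../../core'` duplicates the existing `import * as cdk`; `cdk.UnscopedValidationError` would do.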