chore(release): 2.227.0 (#36137)

mergify[bot] · web-flow · commit 5bb9e1101cd6 · 2025-11-20T22:15:16.000Z
See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/2.227.0/CHANGELOG.md)
diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md
@@ -8,9 +8,7 @@ All notable changes to this project will be documented in this file. See [standa
 ### Features
 
 * **bedrock-agentcore-alpha:** agentcore gateway L2 construct ([#35771](https://github.com/aws/aws-cdk/issues/35771)) ([07c4a0d](https://github.com/aws/aws-cdk/commit/07c4a0dfd4f26519f433ec3dc19b4c294ae8d56e))
-* **imagebuilder-alpha:** add support for Component Construct ([#36006](https://github.com/aws/aws-cdk/issues/36006)) ([5ebf07d](https://github.com/aws/aws-cdk/commit/5ebf07d095005f29b5e7205df750bc81cb879aa4)), closes [aws/aws-cdk-rfcs#789](https://github.com/aws/aws-cdk-rfcs/issues/789) [aws/aws-cdk-rfcs#789](https://github.com/aws/aws-cdk-rfcs/issues/789)
 * **imagebuilder-alpha:** add support for Component Construct ([#36107](https://github.com/aws/aws-cdk/issues/36107)) ([93a76e4](https://github.com/aws/aws-cdk/commit/93a76e481e79bb7e0df1aabcb158cc9b064345bf)), closes [#36006](https://github.com/aws/aws-cdk/issues/36006) [#36104](https://github.com/aws/aws-cdk/issues/36104)
-* **imagebuilder-alpha:** add support for Distribution Configuration Construct ([#36005](https://github.com/aws/aws-cdk/issues/36005)) ([c36f43d](https://github.com/aws/aws-cdk/commit/c36f43d88adefb3473dbd729e7bec58e7f06c8cf)), closes [aws/aws-cdk-rfcs#789](https://github.com/aws/aws-cdk-rfcs/issues/789) [aws/aws-cdk-rfcs#789](https://github.com/aws/aws-cdk-rfcs/issues/789)
 * **imagebuilder-alpha:** add support for Distribution Configuration Construct ([#36108](https://github.com/aws/aws-cdk/issues/36108)) ([6051039](https://github.com/aws/aws-cdk/commit/605103939894a785062422f04ee31f5460b18d6f)), closes [#36005](https://github.com/aws/aws-cdk/issues/36005)
 
 
@@ -19,11 +17,6 @@ All notable changes to this project will be documented in this file. See [standa
 * **bedrock-agentcore-alpha:** fix unexpected validation error when properties are Token  ([#35978](https://github.com/aws/aws-cdk/issues/35978)) ([084b736](https://github.com/aws/aws-cdk/commit/084b736f80959ee17a28c2d9c355b0dcf1faa393))
 
 
-### Reverts
-
-* **imagebuilder-alpha:** add support for Component Construct ([#36104](https://github.com/aws/aws-cdk/issues/36104)) ([689ad05](https://github.com/aws/aws-cdk/commit/689ad05b20a1332c5113b2084737e95a16bbd9ed)), closes [aws/aws-cdk#36006](https://github.com/aws/aws-cdk/issues/36006)
-* **imagebuilder-alpha:** add support for Distribution Configuration Construct ([#36103](https://github.com/aws/aws-cdk/issues/36103)) ([8d6867a](https://github.com/aws/aws-cdk/commit/8d6867ab94d1efe0835e922f28c9d3ac4aebcbf2)), closes [aws/aws-cdk#36005](https://github.com/aws/aws-cdk/issues/36005)
-
 ## [2.226.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.225.0-alpha.0...v2.226.0-alpha.0) (2025-11-20)
 
 ## [2.225.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.224.0-alpha.0...v2.225.0-alpha.0) (2025-11-17)
diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md
@@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file. See [standa
 
 ### Features
 
+* **stepfunctions:** add `StateMachineGrants` ([#36094](https://github.com/aws/aws-cdk/issues/36094)) ([59ef00d](https://github.com/aws/aws-cdk/commit/59ef00d6768ced403a88ed00da437e4d64489267))
 * update L1 CloudFormation resource definitions ([#36122](https://github.com/aws/aws-cdk/issues/36122)) ([51d805e](https://github.com/aws/aws-cdk/commit/51d805e8b06ff6c22097fe10f6cf71f84af119e0))
 * **core:** cfn constructs (L1s) can now accept constructs as parameters for known resource relationships ([#35838](https://github.com/aws/aws-cdk/issues/35838)) ([6be7b4b](https://github.com/aws/aws-cdk/commit/6be7b4bdad74fe2889bb0b7b33e9d5ad7ef2e415))
 * factory methods for Grants made public ([#36123](https://github.com/aws/aws-cdk/issues/36123)) ([f9a894f](https://github.com/aws/aws-cdk/commit/f9a894fe4dc35415405295ae60f713b8c32de375))
diff --git a/packages/aws-cdk-lib/aws-stepfunctions/lib/index.ts b/packages/aws-cdk-lib/aws-stepfunctions/lib/index.ts
@@ -4,6 +4,7 @@ export * from './input';
 export * from './types';
 export * from './condition';
 export * from './state-machine';
+export * from './state-machine-grants';
 export * from './state-machine-fragment';
 export * from './state-transition-metrics';
 export * from './chain';
diff --git a/packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine-grants.ts b/packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine-grants.ts
@@ -0,0 +1,157 @@
+import * as stepfunctions from './stepfunctions.generated';
+import * as iam from '../../aws-iam';
+import { Arn, ArnFormat, Stack } from '../../core';
+
+/**
+ * Properties for StateMachineGrants
+ */
+export interface StateMachineGrantsProps {
+  /**
+   * The resource on which actions will be allowed
+   */
+  readonly resource: stepfunctions.IStateMachineRef;
+}
+
+/**
+ * Collection of grant methods for a IStateMachineRef
+ */
+export class StateMachineGrants {
+  /**
+   * Creates grants for StateMachineGrants
+   *
+   * @internal
+   */
+  public static _fromStateMachine(resource: stepfunctions.IStateMachineRef): StateMachineGrants {
+    return new StateMachineGrants({
+      resource: resource,
+    });
+  }
+
+  protected readonly resource: stepfunctions.IStateMachineRef;
+
+  private constructor(props: StateMachineGrantsProps) {
+    this.resource = props.resource;
+  }
+
+  /**
+   * Grant the given identity task response permissions on a state machine
+   */
+  public taskResponse(grantee: iam.IGrantable): iam.Grant {
+    const actions = ['states:SendTaskSuccess', 'states:SendTaskFailure', 'states:SendTaskHeartbeat'];
+    return iam.Grant.addToPrincipal({
+      actions: actions,
+      grantee: grantee,
+      resourceArns: [stepfunctions.CfnStateMachine.arnForStateMachine(this.resource)],
+    });
+  }
+
+  /**
+   * Grant the given identity permission to redrive the execution of the state machine
+   */
+  public redriveExecution(grantee: iam.IGrantable): iam.Grant {
+    const actions = ['states:RedriveExecution'];
+    return iam.Grant.addToPrincipal({
+      actions: actions,
+      grantee: grantee,
+      resourceArns: [stepfunctions.CfnStateMachine.arnForStateMachine(this.resource) + ':*'],
+    });
+  }
+
+  /**
+   * Grant the given identity permissions to read results from state
+   * machine.
+   */
+  public read(grantee: iam.IGrantable): iam.Grant {
+    iam.Grant.addToPrincipal({
+      grantee: grantee,
+      actions: [
+        'states:ListExecutions',
+        'states:ListStateMachines',
+      ],
+      resourceArns: [stepfunctions.CfnStateMachine.arnForStateMachine(this.resource)],
+    });
+    iam.Grant.addToPrincipal({
+      grantee: grantee,
+      actions: [
+        'states:DescribeExecution',
+        'states:DescribeStateMachineForExecution',
+        'states:GetExecutionHistory',
+      ],
+      resourceArns: [this.executionArn() + ':*'],
+    });
+    return iam.Grant.addToPrincipal({
+      grantee: grantee,
+      actions: [
+        'states:ListActivities',
+        'states:DescribeStateMachine',
+        'states:DescribeActivity',
+      ],
+      resourceArns: ['*'],
+    });
+  }
+
+  /**
+   * Grant the given identity permissions to start an execution of this state
+   * machine.
+   *
+   * @param grantee The principal
+   */
+  public startExecution(grantee: iam.IGrantable): iam.Grant {
+    return iam.Grant.addToPrincipal({
+      grantee: grantee,
+      actions: ['states:StartExecution'],
+      resourceArns: [this.resource.stateMachineRef.stateMachineArn],
+    });
+  }
+
+  /**
+   * Grant the given identity permissions to start a synchronous execution of
+   * this state machine.
+   *
+   * @param grantee The principal
+   */
+  public startSyncExecution(grantee: iam.IGrantable): iam.Grant {
+    return iam.Grant.addToPrincipal({
+      grantee: grantee,
+      actions: ['states:StartSyncExecution'],
+      resourceArns: [this.resource.stateMachineRef.stateMachineArn],
+    });
+  }
+
+  /**
+   * Grant the given identity permissions to start an execution of
+   * this state machine.
+   *
+   * @param grantee The principal
+   */
+  public execution(grantee: iam.IGrantable, ...actions: string[]) {
+    return iam.Grant.addToPrincipal({
+      grantee: grantee,
+      actions,
+      resourceArns: [this.executionArn() + ':*'],
+    });
+  }
+
+  /**
+   * Grant the given identity custom permissions
+   */
+  public actions(identity: iam.IGrantable, ...actions: string[]): iam.Grant {
+    return iam.Grant.addToPrincipal({
+      grantee: identity,
+      actions,
+      resourceArns: [this.resource.stateMachineRef.stateMachineArn],
+    });
+  }
+
+  /**
+   * Returns the pattern for the execution ARN's of the state machine
+   */
+  private executionArn(): string {
+    return Stack.of(this.resource).formatArn({
+      resource: 'execution',
+      service: 'states',
+      resourceName: Arn.split(this.resource.stateMachineRef.stateMachineArn, ArnFormat.COLON_RESOURCE_NAME).resourceName,
+      arnFormat: ArnFormat.COLON_RESOURCE_NAME,
+    });
+  }
+}
diff --git a/packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine.ts b/packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine.ts
@@ -3,14 +3,15 @@ import { CustomerManagedEncryptionConfiguration } from './customer-managed-key-e
 import { EncryptionConfiguration } from './encryption-configuration';
 import { buildEncryptionConfiguration } from './private/util';
 import { StateGraph } from './state-graph';
+import { StateMachineGrants } from './state-machine-grants';
 import { StatesMetrics } from './stepfunctions-canned-metrics.generated';
-import { CfnStateMachine } from './stepfunctions.generated';
+import { CfnStateMachine, IStateMachineRef, StateMachineReference } from './stepfunctions.generated';
 import { IChainable, QueryLanguage } from './types';
 import * as cloudwatch from '../../aws-cloudwatch';
 import * as iam from '../../aws-iam';
 import * as logs from '../../aws-logs';
 import * as s3_assets from '../../aws-s3-assets';
-import { Arn, ArnFormat, Duration, IResource, RemovalPolicy, Resource, Stack, Token, ValidationError } from '../../core';
+import { ArnFormat, Duration, IResource, RemovalPolicy, Resource, Stack, Token, ValidationError } from '../../core';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
 
@@ -215,87 +216,53 @@ abstract class StateMachineBase extends Resource implements IStateMachine {
    */
   public abstract readonly grantPrincipal: iam.IPrincipal;
 
+  /**
+   * Collection of grant methods for a StateMachine
+   */
+  public grants = StateMachineGrants._fromStateMachine(this);
+
+  public get stateMachineRef(): StateMachineReference {
+    return {
+      stateMachineArn: this.stateMachineArn,
+    };
+  }
+
   /**
    * Grant the given identity permissions to start an execution of this state
    * machine.
    */
   public grantStartExecution(identity: iam.IGrantable): iam.Grant {
-    return iam.Grant.addToPrincipal({
-      grantee: identity,
-      actions: ['states:StartExecution'],
-      resourceArns: [this.stateMachineArn],
-    });
+    return this.grants.startExecution(identity);
   }
 
   /**
    * Grant the given identity permissions to start a synchronous execution of
    * this state machine.
    */
   public grantStartSyncExecution(identity: iam.IGrantable): iam.Grant {
-    return iam.Grant.addToPrincipal({
-      grantee: identity,
-      actions: ['states:StartSyncExecution'],
-      resourceArns: [this.stateMachineArn],
-    });
+    return this.grants.startSyncExecution(identity);
   }
 
   /**
    * Grant the given identity permissions to read results from state
    * machine.
    */
   public grantRead(identity: iam.IGrantable): iam.Grant {
-    iam.Grant.addToPrincipal({
-      grantee: identity,
-      actions: [
-        'states:ListExecutions',
-        'states:ListStateMachines',
-      ],
-      resourceArns: [this.stateMachineArn],
-    });
-    iam.Grant.addToPrincipal({
-      grantee: identity,
-      actions: [
-        'states:DescribeExecution',
-        'states:DescribeStateMachineForExecution',
-        'states:GetExecutionHistory',
-      ],
-      resourceArns: [`${this.executionArn()}:*`],
-    });
-    return iam.Grant.addToPrincipal({
-      grantee: identity,
-      actions: [
-        'states:ListActivities',
-        'states:DescribeStateMachine',
-        'states:DescribeActivity',
-      ],
-      resourceArns: ['*'],
-    });
+    return this.grants.read(identity);
   }
 
   /**
    * Grant the given identity task response permissions on a state machine
    */
   public grantTaskResponse(identity: iam.IGrantable): iam.Grant {
-    return iam.Grant.addToPrincipal({
-      grantee: identity,
-      actions: [
-        'states:SendTaskSuccess',
-        'states:SendTaskFailure',
-        'states:SendTaskHeartbeat',
-      ],
-      resourceArns: [this.stateMachineArn],
-    });
+    return this.grants.taskResponse(identity);
   }
 
   /**
    * Grant the given identity permissions on all executions of the state machine
    */
   public grantExecution(identity: iam.IGrantable, ...actions: string[]) {
-    return iam.Grant.addToPrincipal({
-      grantee: identity,
-      actions,
-      resourceArns: [`${this.executionArn()}:*`],
-    });
+    return this.grants.execution(identity, ...actions);
   }
 
   /**
@@ -309,11 +276,7 @@ abstract class StateMachineBase extends Resource implements IStateMachine {
    * Grant the given identity custom permissions
    */
   public grant(identity: iam.IGrantable, ...actions: string[]): iam.Grant {
-    return iam.Grant.addToPrincipal({
-      grantee: identity,
-      actions,
-      resourceArns: [this.stateMachineArn],
-    });
+    return this.grants.actions(identity, ...actions);
   }
 
   /**
@@ -395,18 +358,6 @@ abstract class StateMachineBase extends Resource implements IStateMachine {
     return this.cannedMetric(StatesMetrics.executionTimeAverage, props);
   }
 
-  /**
-   * Returns the pattern for the execution ARN's of the state machine
-   */
-  private executionArn(): string {
-    return Stack.of(this).formatArn({
-      resource: 'execution',
-      service: 'states',
-      resourceName: Arn.split(this.stateMachineArn, ArnFormat.COLON_RESOURCE_NAME).resourceName,
-      arnFormat: ArnFormat.COLON_RESOURCE_NAME,
-    });
-  }
-
   private cannedMetric(
     fn: (dims: { StateMachineArn: string }) => cloudwatch.MetricProps,
     props?: cloudwatch.MetricOptions): cloudwatch.Metric {
@@ -657,7 +608,7 @@ export class StateMachine extends StateMachineBase {
 /**
  * A State Machine
  */
-export interface IStateMachine extends IResource, iam.IGrantable {
+export interface IStateMachine extends IResource, iam.IGrantable, IStateMachineRef {
   /**
    * The ARN of the state machine
    * @attribute
