Lambda State Machine should depend on its IAM Policies #5336

Closed
mshober opened this issue Dec 7, 2019 · 2 comments · Fixed by #5466
Labels
@aws-cdk/aws-stepfunctions Related to AWS StepFunctions bug This issue is a bug. in-progress This issue is being actively worked on. p1

Comments


mshober commented Dec 7, 2019

The policies created with a @aws-cdk/aws-stepfunctions.StateMachine have no references/dependencies to them. Therefore, when a stack deletion is initiated, the policies might be deleted first, then the state machine.

In my situation, I am using the provider framework from @aws-cdk/custom-resources, which uses a State Machine to handle custom resource creation/deletion. When trying to delete a custom resource (via a stack deletion), the stack deletes the state machine's IAM policy before the state machine is finished deleting the custom resource. The state machine then loses its permission to invoke its associated lambda functions, and the custom resource remains in a DELETE_IN_PROGRESS state until a stack timeout occurs.

Solution

See the fix in the code below. This is also how @aws-cdk/aws-lambda.Function handles its IAM dependencies.

@aws-cdk/aws-stepfunctions/lib/state-machine.js

// Module imports from the top of the compiled file, included here for context
const iam = require('@aws-cdk/aws-iam');
const core_1 = require('@aws-cdk/core');
const state_graph_1 = require('./state-graph');
const stepfunctions_generated_1 = require('./stepfunctions.generated');

class StateMachine extends StateMachineBase {
    constructor(scope, id, props) {
        super(scope, id, {
            physicalName: props.stateMachineName,
        });
        this.role = props.role || new iam.Role(this, 'Role', {
            assumedBy: new iam.ServicePrincipal('states.amazonaws.com'),
        });
        const graph = new state_graph_1.StateGraph(props.definition.startState, `State Machine ${id} definition`);
        graph.timeout = props.timeout;
        const resource = new stepfunctions_generated_1.CfnStateMachine(this, 'Resource', {
            stateMachineName: this.physicalName,
            roleArn: this.role.roleArn,
            definitionString: core_1.Stack.of(this).toJsonString(graph.toGraphJson()),
        });
        // Statements collected from the task states (e.g. lambda:InvokeFunction)
        // are added to the role's DefaultPolicy, a separate AWS::IAM::Policy resource
        for (const statement of graph.policyStatements) {
            this.addToRolePolicy(statement);
        }

        // Depending on the Role construct adds DependsOn for the Role *and* its
        // DefaultPolicy child, so CloudFormation deletes the policy only after the
        // state machine is gone
        resource.node.addDependency(this.role); // <- Add This

        this.stateMachineName = this.getResourceNameAttribute(resource.attrName);
        this.stateMachineArn = this.getResourceArnAttribute(resource.ref, {
            service: 'states',
            resource: 'stateMachine',
            resourceName: this.physicalName,
            sep: ':',
        });
    }
...

Environment

  • CLI Version: 1.18
  • Framework Version: 1.18
  • Language: Typescript

This is 🐛 Bug Report
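A template-level check for the ordering problem described in the issue, as an added example in TypeScript (not code from aws-cdk or from the issue author): it scans a synthesized CloudFormation template for AWS::StepFunctions::StateMachine resources whose role has AWS::IAM::Policy resources attached that are not listed in the state machine's DependsOn, and shows the DependsOn entries the fix produces. The template is constructed inline with hypothetical logical ids (ProviderRole, ProviderRoleDefaultPolicy, ProviderStateMachine); real `cdk synth` output uses longer hashed ids.

```typescript
// Added example, not aws-cdk code: lint a synthesized CloudFormation template
// for state machines that can lose their role's permissions mid-deletion.

type CfnResource = {
  Type: string;
  Properties?: Record<string, any>;
  DependsOn?: string | string[];
};
type Template = { Resources: Record<string, CfnResource> };

// Logical id referenced by a property value written as {Ref} or {Fn::GetAtt}.
function referencedLogicalId(value: any): string | undefined {
  if (value && typeof value === "object") {
    if (typeof value.Ref === "string") return value.Ref;
    const getAtt = value["Fn::GetAtt"];
    if (Array.isArray(getAtt) && typeof getAtt[0] === "string") return getAtt[0];
  }
  return undefined;
}

// Normalise DependsOn, which CloudFormation accepts as a string or a list.
function dependsOn(res: CfnResource): string[] {
  if (res.DependsOn === undefined) return [];
  return Array.isArray(res.DependsOn) ? res.DependsOn : [res.DependsOn];
}

// Logical ids of AWS::IAM::Policy resources attached to the given role
// (CDK emits them as Roles: [{ Ref: "<RoleLogicalId>" }]).
function policiesForRole(template: Template, roleId: string): string[] {
  return Object.keys(template.Resources).filter((id) => {
    const res = template.Resources[id];
    if (res.Type !== "AWS::IAM::Policy") return false;
    const roles: any[] = res.Properties?.Roles ?? [];
    return roles.some((r) => referencedLogicalId(r) === roleId);
  });
}

// For each state machine, the policies it uses but does not depend on.
// Without that DependsOn, CloudFormation may delete the policy first and the
// state machine then runs (or is deleted) without its permissions.
function findMissingPolicyDependencies(template: Template): Record<string, string[]> {
  const findings: Record<string, string[]> = {};
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (res.Type !== "AWS::StepFunctions::StateMachine") continue;
    const roleId = referencedLogicalId(res.Properties?.RoleArn);
    if (roleId === undefined) continue;
    const deps = dependsOn(res);
    const missing = policiesForRole(template, roleId).filter((p) => deps.indexOf(p) < 0);
    if (missing.length > 0) findings[id] = missing;
  }
  return findings;
}

// What `resource.node.addDependency(this.role)` produces at the template level:
// DependsOn on the role and on every policy attached to it. Returns a copy.
function withDependencyFix(template: Template): Template {
  const fixed: Template = JSON.parse(JSON.stringify(template));
  for (const id of Object.keys(fixed.Resources)) {
    const res = fixed.Resources[id];
    if (res.Type !== "AWS::StepFunctions::StateMachine") continue;
    const roleId = referencedLogicalId(res.Properties?.RoleArn);
    if (roleId === undefined) continue;
    const deps = dependsOn(res).slice();
    for (const dep of [roleId].concat(policiesForRole(fixed, roleId))) {
      if (deps.indexOf(dep) < 0) deps.push(dep);
    }
    res.DependsOn = deps;
  }
  return fixed;
}

// Constructed sample (hypothetical logical ids) in the shape CDK produced for a
// StateMachine before the fix: nothing depends on ProviderRoleDefaultPolicy.
const BUGGY_TEMPLATE: Template = {
  Resources: {
    ProviderRole: {
      Type: "AWS::IAM::Role",
      Properties: {
        AssumeRolePolicyDocument: {
          Version: "2012-10-17",
          Statement: [{ Effect: "Allow", Action: "sts:AssumeRole",
                        Principal: { Service: "states.amazonaws.com" } }],
        },
      },
    },
    ProviderRoleDefaultPolicy: {
      Type: "AWS::IAM::Policy",
      Properties: {
        PolicyDocument: {
          Version: "2012-10-17",
          Statement: [{ Effect: "Allow", Action: "lambda:InvokeFunction",
                        Resource: "arn:aws:lambda:us-east-1:123456789012:function:OnEventHandler" }],
        },
        Roles: [{ Ref: "ProviderRole" }],
      },
    },
    ProviderStateMachine: {
      Type: "AWS::StepFunctions::StateMachine",
      Properties: {
        RoleArn: { "Fn::GetAtt": ["ProviderRole", "Arn"] },
        DefinitionString: "{\"StartAt\":\"Invoke\",\"States\":{}}",
      },
    },
  },
};

console.log("before fix:", JSON.stringify(findMissingPolicyDependencies(BUGGY_TEMPLATE)));
console.log("after fix: ", JSON.stringify(findMissingPolicyDependencies(withDependencyFix(BUGGY_TEMPLATE))));
```

Point it at a template read from cdk.out, or keep it as a unit test in the pipeline; the same check applies to any resource that still needs a role's permissions while it is being deleted, such as Lambda-backed custom resources. The gap only exists when the permissions live in a separate AWS::IAM::Policy resource: inline `Policies` on the role itself are removed together with the role, and the role cannot go before the state machine because the `Fn::GetAtt` on its ARN already orders them.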

@mshober mshober added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 7, 2019
@SomayaB SomayaB added the @aws-cdk/aws-stepfunctions Related to AWS StepFunctions label Dec 9, 2019
rix0rrr commented Dec 13, 2019

Sounds like a great fix! Would you mind turning this into a Pull Request?

@rix0rrr rix0rrr added p1 and removed needs-triage This issue or PR still needs to be triaged. labels Dec 13, 2019
mshober commented Dec 18, 2019

Hi @rix0rrr, I've submitted a pull request!

@SomayaB SomayaB added the in-progress This issue is being actively worked on. label Dec 18, 2019
rix0rrr pushed a commit that referenced this issue Dec 24, 2019
…on (#5466)

Lambda State Machines now depend on their policies.

Fixes #5336
eladb pushed a commit that referenced this issue Dec 24, 2019
…on (#5466)

Lambda State Machines now depend on their policies.

Fixes #5336