feat(stepfunctions): support cross-account task invocations #23012
Conversation
|
|
github-actions
bot
added
feature-request
github-actions
bot
added
the
valued-contributor
|
This is a first stab at such support. |
| * The ARN of the IAM role to be assumed. | ||
| * Either a fixed value or a JSONPath expression can be used. | ||
| */ | ||
| readonly roleArn: string; |
There was a problem hiding this comment.
This can be much nicer if there was a concrete type denoting json path e.g.
role: iam.IRole | JsonPath;
There was a problem hiding this comment.
We wouldn't want to add this depth to these props just to get a roleArn. Typically, we pass IRole, but I see what you're trying to do here so I suggest you take the example of Schedule and do something like what they did there with an enum like class.
There was a problem hiding this comment.
I am not sure I 100% follow
- When you say "this depth", do you mean the
iam.IRole | JsonPathbit, or do you mean the hierarchy of of the propCredentials.roleArn? If hierarchy, i.e. whether roleArn should be top level or not, the only reason I didn't do that, is I thought maybe in the future their can be more attributes in the Credentials object e.g. session name, etc. - The role - rather than Credentials - is what really might benefit from different modelling similar to
Schedule.
If we go for modelling a Role class here it would be something along the lines of
class Role {
public static jsonExpression(expression: string): Role
public static role(role: iam.Role): Role
}The other thing is, I don't think there's a strong type for json expressions (to the best of my knowledge)
There was a problem hiding this comment.
I introduced a new change to introduce TaskRole (inspired by Schedule as you suggested)
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.
There was a problem hiding this comment.
There's a bit that I would comment on in here but the comment inline will likely change a lot of that so I'm just going to leave it there for the moment. If you want to make a Credentials class, modeling it similar to the class I linked inline would be the best approach.
| * The ARN of the IAM role to be assumed. | ||
| * Either a fixed value or a JSONPath expression can be used. | ||
| */ | ||
| readonly roleArn: string; |
There was a problem hiding this comment.
We wouldn't want to add this depth to these props just to get a roleArn. Typically, we pass IRole, but I see what you're trying to do here so I suggest you take the example of Schedule and do something like what they did there with an enum like class.
mergify
bot
dismissed
TheRealAmazonKendra’s stale review
Pull request has been modified.
humanzz
changed the title
| @@ -278,6 +280,75 @@ describe('State Machine', () => { | |||
| }); | |||
| }); | |||
|
|
|||
| test('Instantiate a State Machine with a task assuming a literal roleArn', () => { | |||
There was a problem hiding this comment.
Can you also add a test using fromRoleName using a stack with a different
account from the state machine? I want to make sure it builds the arn/reference
correctly.
There was a problem hiding this comment.
@humanzz I think this is still unresolved.
There was a problem hiding this comment.
I think I've misunderstood your intention - twice now :)
The last change breaks this test case into 2; one for cross-account role assumption, and one for same-account role assumption.
For integ tests, I wasn't sure how the cross-account behaviour can be tested i.e. can we create stacks in different test accounts, so I used fromRoleArn there.
mergify
bot
dismissed
corymhall’s stale review
Pull request has been modified.
Updated the integ tests. |
humanzz
requested review from
corymhall and
aws-cdk-automation
and removed request for
corymhall
| @@ -278,6 +280,75 @@ describe('State Machine', () => { | |||
| }); | |||
| }); | |||
|
|
|||
| test('Instantiate a State Machine with a task assuming a literal roleArn', () => { | |||
There was a problem hiding this comment.
@humanzz I think this is still unresolved.
mergify
bot
dismissed
corymhall’s stale review
Pull request has been modified.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
support configuring a role to be assumed for task invocations https://docs.aws.amazon.com/step-functions/latest/dg/concepts-access-cross-acct-resources.html closes aws#22994 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
support configuring a role to be assumed for task invocations https://docs.aws.amazon.com/step-functions/latest/dg/concepts-access-cross-acct-resources.html closes aws#22994 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
support configuring a role to be assumed for task invocations https://docs.aws.amazon.com/step-functions/latest/dg/concepts-access-cross-acct-resources.html closes aws#22994 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
support configuring a role to be assumed for task invocations https://docs.aws.amazon.com/step-functions/latest/dg/concepts-access-cross-acct-resources.html
closes #22994
All Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license