aws_stepfunctions_tasks : Generates wrong action in role policy #27573

Closed
Smotrov opened this issue Oct 17, 2023 · 3 comments · Fixed by #27623

Smotrov commented Oct 17, 2023

Describe the bug

The following code properly creates a step in the Step Function:

  import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
  import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';

  // `scope` and `myLogGroup` are defined elsewhere in the stack.
  // Create log stream step using arn:aws:states:::aws-sdk:cloudwatchlogs:createLogStream
  const createLogStream = new tasks.CallAwsService(scope, 'Create log stream', {
    service: 'cloudwatchlogs',
    action: 'createLogStream',
    parameters: {
      LogGroupName: myLogGroup.logGroupName,
      LogStreamName: sfn.JsonPath.stringAt('$$.Execution.Name'),
    },
    resultPath: sfn.JsonPath.DISCARD,
    iamResources: [myLogGroup.logGroupArn],
  });

However, it creates a wrong statement in the role action:

{
 "Action": "cloudwatchlogs:createLogStream",
 "Resource": "arn:aws:logs:eu-west-1:408064982279:log-group:some_name:*",
 "Effect": "Allow"
},

Expected Behavior

action should be logs:CreateLogStream

Current Behavior

Action is cloudwatchlogs:createLogStream

Reproduction Steps

Create a step function with provided code.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

v2.101.1

Framework Version

No response

Node.js Version

v18.16.0

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response

pahud commented Oct 17, 2023

We probably should improve here

https://github.com/aws/aws-cdk/blob/c445b8cc6e20d17e4a536f17262646b291a0fe36/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/aws-sdk/call-aws-service.ts#L86C24-L86C37

But for now, I believe you should specify this instead.

service: 'logs',

Smotrov commented Oct 18, 2023

service: 'logs',

Unfortunately, this doesn't work. There is an error at the deployment stage:

Resource handler returned message: "Invalid State Machine Definition: 'SCHEMA_VALIDATION_FAILED: 
The resource provided arn:aws:states:::aws-sdk:logs:createLogStream is not recognized. 
The value is not a valid resource ARN, or the resource is not available in this region.

mergify bot closed this as completed in #27623 Oct 24, 2023
mergify bot pushed a commit that referenced this issue Oct 24, 2023
…on in role policy (#27623)

This PR fixes the bug that a wrong action in role policy is generated when `cloudwatchlogs` service is specified.

A correct action is `logs:xxx`, but the current behavior is to generate `cloudwatchlogs:xxx` by using the `service` property.

Closes #27573.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
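
The mismatch discussed in this thread, as an added example (not code from the CDK or from PR #27623): the task resource ARN keeps the SDK integration name `cloudwatchlogs`, while the IAM action needs the `logs` prefix, so the two are derived separately and a small lint flags policy statements that carry the integration name. The map, the function names and the sample statements are assumptions constructed for illustration.

```typescript
// Constructed map: SDK integration name -> IAM prefix. Only the pair from this issue.
const SDK_TO_IAM_PREFIX = new Map<string, string>([['cloudwatchlogs', 'logs']]);

interface Statement {
  Effect: string;
  Action: string | string[];
  Resource: string | string[];
}
type Finding = { found: string; expected: string };

// The task resource ARN keeps the SDK integration name unchanged.
function taskResourceArn(service: string, action: string): string {
  return `arn:aws:states:::aws-sdk:${service}:${action}`;
}

// The IAM action uses the mapped prefix and an upper-case first letter.
function iamActionFor(service: string, action: string): string {
  const prefix = SDK_TO_IAM_PREFIX.get(service.toLowerCase()) ?? service;
  return `${prefix}:${action.charAt(0).toUpperCase()}${action.slice(1)}`;
}

// Lint: report actions whose prefix is an SDK integration name, not an IAM prefix.
function findMisnamedActions(statements: Statement[]): Finding[] {
  const findings: Finding[] = [];
  for (const stmt of statements) {
    const actions = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
    for (const found of actions) {
      const sep = found.indexOf(':');
      if (sep < 0) continue; // "*" or malformed: out of scope for this check
      const prefix = found.slice(0, sep);
      if (SDK_TO_IAM_PREFIX.has(prefix.toLowerCase())) {
        findings.push({ found, expected: iamActionFor(prefix, found.slice(sep + 1)) });
      }
    }
  }
  return findings;
}

// Constructed sample statements (placeholder account id and log group name).
const sampleStatements: Statement[] = [
  { Effect: 'Allow', Action: 'cloudwatchlogs:createLogStream',
    Resource: 'arn:aws:logs:eu-west-1:111122223333:log-group:example:*' },
  { Effect: 'Allow', Action: ['logs:PutLogEvents'], Resource: '*' },
];

console.log(taskResourceArn('cloudwatchlogs', 'createLogStream'));
console.log(findMisnamedActions(sampleStatements));
```

Run over the `Statement` entries of a synthesized role policy, the lint reports any action that would not grant the intended permission before the stack is deployed.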
mrgrain pushed a commit that referenced this issue Nov 1, 2023