fix(codepipeline): incorrect cross-account permissions with StepFunct…

… ionInvokeAction (#25850) When the StateMachine being invoked by CodePipeline is not in the same account/region as the CodePipeline, the `DescribeExecutions` permission was granted on the incorrect account/region pair (that of the pipeline, and not that of the StateMachine), due to the transforming of the state machine's ARN into a state machine execution ARN pattern not copying the account & region of the original ARN. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Jun 5, 2023 · 3694670 · 3694670
1 parent dd16cf8
commit 3694670
Show file tree

Hide file tree

Showing 8 changed files with 251 additions and 177 deletions.
diff --git a/...t/integ.pipeline-stepfunctions.js.snapshot/aws-cdk-codepipeline-stepfunctions.assets.json b/...t/integ.pipeline-stepfunctions.js.snapshot/aws-cdk-codepipeline-stepfunctions.assets.json
@@ -1,15 +1,15 @@
 {
-  "version": "30.0.0",
+  "version": "32.0.0",
   "files": {
-    "9c2191cf64f5d0c7288c4daeb90518584cb5076983557a2d930df85cbf8b1e4d": {
+    "367d7f35f59c5f8e0a4ffcbe34f936dffd0eb167b6d1261e138577db0e7da631": {
       "source": {
         "path": "aws-cdk-codepipeline-stepfunctions.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "9c2191cf64f5d0c7288c4daeb90518584cb5076983557a2d930df85cbf8b1e4d.json",
+          "objectKey": "367d7f35f59c5f8e0a4ffcbe34f936dffd0eb167b6d1261e138577db0e7da631.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...integ.pipeline-stepfunctions.js.snapshot/aws-cdk-codepipeline-stepfunctions.template.json b/...integ.pipeline-stepfunctions.js.snapshot/aws-cdk-codepipeline-stepfunctions.template.json
@@ -538,15 +538,45 @@
          [
           "arn:",
           {
-           "Ref": "AWS::Partition"
+           "Fn::Select": [
+            1,
+            {
+             "Fn::Split": [
+              ":",
+              {
+               "Ref": "SimpleStateMachineE8E2CF40"
+              }
+             ]
+            }
+           ]
           },
           ":states:",
           {
-           "Ref": "AWS::Region"
+           "Fn::Select": [
+            3,
+            {
+             "Fn::Split": [
+              ":",
+              {
+               "Ref": "SimpleStateMachineE8E2CF40"
+              }
+             ]
+            }
+           ]
           },
           ":",
           {
-           "Ref": "AWS::AccountId"
+           "Fn::Select": [
+            4,
+            {
+             "Fn::Split": [
+              ":",
+              {
+               "Ref": "SimpleStateMachineE8E2CF40"
+              }
+             ]
+            }
+           ]
           },
           ":execution:",
           {

diff --git a/...integ/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.js.snapshot/cdk.out b/...integ/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"30.0.0"}
+{"version":"32.0.0"}
diff --git a/...eg/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.js.snapshot/integ.json b/...eg/test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.js.snapshot/integ.json
@@ -1,5 +1,5 @@
 {
-  "version": "30.0.0",
+  "version": "32.0.0",
   "testCases": {
     "integ.pipeline-stepfunctions": {
       "stacks": [

diff --git a/...test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.js.snapshot/manifest.json b/...test/aws-codepipeline-actions/test/integ.pipeline-stepfunctions.js.snapshot/manifest.json
@@ -1,5 +1,5 @@
 {
-  "version": "30.0.0",
+  "version": "32.0.0",
   "artifacts": {
     "aws-cdk-codepipeline-stepfunctions.assets": {
       "type": "cdk:asset-manifest",
@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/9c2191cf64f5d0c7288c4daeb90518584cb5076983557a2d930df85cbf8b1e4d.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/367d7f35f59c5f8e0a4ffcbe34f936dffd0eb167b6d1261e138577db0e7da631.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [