tests(stepfunction-tasks): grant step function permissions to invoke …

…all versions of a lambda function
aws · Jul 19, 2022 · 910bd85 · 910bd85
1 parent ad67594
commit 910bd85
Showing 1 changed file with 87 additions and 0 deletions.
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/invoke.test.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/test/lambda/invoke.test.ts
@@ -1,3 +1,4 @@
+import { Match, Template } from '@aws-cdk/assertions';
 import * as lambda from '@aws-cdk/aws-lambda';
 import * as sfn from '@aws-cdk/aws-stepfunctions';
 import { testDeprecated } from '@aws-cdk/cdk-build-tools';
@@ -391,4 +392,90 @@ describe('LambdaInvoke', () => {
       });
     }).toThrow(/Unsupported service integration pattern. Supported Patterns: REQUEST_RESPONSE,WAIT_FOR_TASK_TOKEN. Received: RUN_JOB/);
   });
+
+  describe('TaskPolicy Resources', () => {
+
+    test('invoke a Function', () => {
+      // WHEN
+      const task = new LambdaInvoke(stack, 'Task', {
+        lambdaFunction,
+      });
+      new sfn.StateMachine(stack, 'SM', {
+        definition: task,
+      });
+
+      // THEN
+      Template.fromStack(stack).resourceCountIs('AWS::Lambda::Alias', 0);
+      Template.fromStack(stack).resourceCountIs('AWS::Lambda::Version', 0);
+      Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+        PolicyDocument: Match.objectLike({
+          Statement: [
+            {
+              Action: 'lambda:InvokeFunction',
+              Effect: 'Allow',
+              Resource: [Match.anyValue(), Match.anyValue()],
+            },
+          ],
+        }),
+      });
+    });
+
+    test('invoke an Alias', () => {
+      // WHEN
+      const alias = lambdaFunction.addAlias('test');
+      const task = new LambdaInvoke(stack, 'Task', {
+        lambdaFunction: alias,
+      });
+      new sfn.StateMachine(stack, 'SM', {
+        definition: task,
+      });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Alias', {
+        Name: 'test',
+      });
+      Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+        PolicyDocument: Match.objectLike({
+          Statement: [
+            {
+              Action: 'lambda:InvokeFunction',
+              Effect: 'Allow',
+              Resource: {
+                Ref: Match.anyValue(),
+              },
+            },
+          ],
+        }),
+      });
+    });
+
+    test('invoke a Version', () => {
+      // WHEN
+      const version = lambdaFunction.currentVersion;
+      const task = new LambdaInvoke(stack, 'Task', {
+        lambdaFunction: version,
+      });
+      new sfn.StateMachine(stack, 'SM', {
+        definition: task,
+      });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Version', {
+        FunctionName: {
+          Ref: 'Fn9270CBC0',
+        },
+      });
+      Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+        PolicyDocument: Match.objectLike({
+          Statement: [
+            {
+              Action: 'lambda:InvokeFunction',
+              Effect: 'Allow',
+              Resource: [Match.anyValue(), Match.anyValue()],
+            },
+          ],
+        }),
+      });
+    });
+  });
 });