fix(stepfunctions): permission race condition on state machine deleti…

…on (#5466) Lambda State Machines now depend on their policies. Fixes #5336
aws · Dec 24, 2019 · d2a45e7 · d2a45e7
1 parent 584e713
commit d2a45e7
Show file tree

Hide file tree

Showing 9 changed files with 69 additions and 9 deletions.
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.ec2-task.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.ec2-task.expected.json
@@ -897,7 +897,11 @@
             "Arn"
           ]
         }
-      }
+      },
+      "DependsOn": [
+        "StateMachineRoleDefaultPolicyDF1E6607",
+        "StateMachineRoleB840431D"
+      ]
     }
   },
   "Parameters": {

diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.evaluate-expression.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.evaluate-expression.expected.json
@@ -170,7 +170,11 @@
             "Arn"
           ]
         }
-      }
+      },
+      "DependsOn": [
+        "StateMachineRoleDefaultPolicyDF1E6607",
+        "StateMachineRoleB840431D"
+      ]
     }
   },
   "Parameters": {

diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.fargate-task.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.fargate-task.expected.json
@@ -489,7 +489,11 @@
             "Arn"
           ]
         }
-      }
+      },
+      "DependsOn": [
+        "StateMachineRoleDefaultPolicyDF1E6607",
+        "StateMachineRoleB840431D"
+      ]
     }
   },
   "Parameters": {

diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.invoke-function.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.invoke-function.expected.json
@@ -266,7 +266,11 @@
             "Arn"
           ]
         }
-      }
+      },
+      "DependsOn": [
+        "StateMachineRoleDefaultPolicyDF1E6607",
+        "StateMachineRoleB840431D"
+      ]
     }
   },
   "Parameters": {

diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.job-poller.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.job-poller.expected.json
@@ -69,7 +69,10 @@
             "Arn"
           ]
         }
-      }
+      },
+      "DependsOn": [
+        "StateMachineRoleB840431D"
+      ]
     }
   }
 }
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.sagemaker.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.sagemaker.expected.json
@@ -390,7 +390,11 @@
             "Arn"
           ]
         }
-      }
+      },
+      "DependsOn": [
+        "StateMachineRoleDefaultPolicyDF1E6607",
+        "StateMachineRoleB840431D"
+      ]
     }
   }
 }
diff --git a/packages/@aws-cdk/aws-stepfunctions/lib/state-machine.ts b/packages/@aws-cdk/aws-stepfunctions/lib/state-machine.ts
@@ -139,6 +139,8 @@ export class StateMachine extends StateMachineBase {
             definitionString: Stack.of(this).toJsonString(graph.toGraphJson()),
         });
 
+        resource.node.addDependency(this.role);
+
         for (const statement of graph.policyStatements) {
             this.addToRolePolicy(statement);
         }

diff --git a/packages/@aws-cdk/aws-stepfunctions/test/test.state-machine-resources.ts b/packages/@aws-cdk/aws-stepfunctions/test/test.state-machine-resources.ts
@@ -1,4 +1,4 @@
-import { expect, haveResource } from '@aws-cdk/assert';
+import { expect, haveResource, ResourcePart } from '@aws-cdk/assert';
 import * as iam from '@aws-cdk/aws-iam';
 import * as cdk from '@aws-cdk/core';
 import { Test } from 'nodeunit';
@@ -250,6 +250,37 @@ export = {
         });
 
         test.done();
-    }
+    },
+
+    'State machines must depend on their roles'(test: Test) {
+        // GIVEN
+        const stack = new cdk.Stack();
+        const task = new stepfunctions.Task(stack, 'Task', {
+            task: {
+                bind: () => ({
+                    resourceArn: 'resource',
+                    policyStatements: [
+                        new iam.PolicyStatement({
+                            resources: ['resource'],
+                            actions: ["lambda:InvokeFunction"],
+                        })
+                    ],
+                })
+            }
+        });
+        new stepfunctions.StateMachine(stack, 'StateMachine', {
+            definition: task
+        });
+
+        // THEN
+        expect(stack).to(haveResource('AWS::StepFunctions::StateMachine', {
+            DependsOn: [
+                'StateMachineRoleDefaultPolicyDF1E6607',
+                'StateMachineRoleB840431D'
+            ]
+        }, ResourcePart.CompleteDefinition));
+
+        test.done();
+    },
 
 };
diff --git a/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json b/packages/@aws-cdk/custom-resources/test/provider-framework/integ.provider.expected.json
@@ -1022,7 +1022,11 @@
             "Arn"
           ]
         }
-      }
+      },
+      "DependsOn": [
+        "comamazonawscdkcustomresourcess3assertproviderwaiterstatemachineRoleDefaultPolicy9882AB39",
+        "comamazonawscdkcustomresourcess3assertproviderwaiterstatemachineRole39E8529F"
+      ]
     }
   },
   "Parameters": {
-Original file line number
+Diff line change
@@ Expand Up / @@ -69,7 +69,10 @@ @@
                 "Arn"
               ]
             }
-          }
+          },
+          "DependsOn": [
+            "StateMachineRoleB840431D"
+          ]
         }
       }
     }