Description
What is the problem?
The CallApiGatewayHttpApiEndpoint task produces an incorrect IAM policy when apiPath is derived from an ASL intrinsic function expression. As a result, any attempt to use this Step Functions task to invoke an HTTP API Gateway that uses IAM authorization fails.
Reproduction Steps
Clone this repository: https://github.com/misterjoshua/sfn-iam-bug
Run these commands in the repository:
yarn
cdk deploy
Then, inspect the IAM policy intended to invoke the HTTP API on the role associated with the state machine.
What did you expect to happen?
The IAM policy should allow access to the HTTP API, or CallApiGatewayHttpApiEndpoint should indicate that it can't figure out how to produce the correct policy. For the SSCCE I provided above, I'd have expected a policy like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:ca-central-1:111111111111:a111111111/$default/GET/*",
      "Effect": "Allow"
    }
  ]
}
What actually happened?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:ca-central-1:111111111111:a111111111/undefined/GETStates.Format('/{}', $.statusCode)",
      "Effect": "Allow"
    }
  ]
}
There are two problems here:
- The API's stage is 'undefined' when it should be '$default'.
- apiPath is concatenated to the end of the resource without regard for the fact that we're using an ASL intrinsic function.
CDK CLI Version
1.132.0 (build 5c75891)
Framework Version
1.132.0
Node.js Version
v14.17.6
OS
Linux
Language
Typescript
Language Version
TypeScript ~3.9.7
Other information
You can run the state machine in the SSCCE stack with any input. If you run it as-is, the Call API Gateway state should fail. If you uncomment the code starting at line 59, you can cause the step function to succeed.
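As an added illustration (not aws-cdk code), the following shows the two defensive behaviours the report asks for: defaulting a missing stage to `$default` and widening a run-time-resolved apiPath to a wildcard, plus a scanner that flags policies carrying the malformed ARN pattern quoted above. The names `executeApiResource`, `isDynamicPath` and `malformedExecuteApiResources` are hypothetical, and the sample policy is the one quoted in this report.

```typescript
interface HttpApiCall {
  region: string;
  account: string;
  apiId: string;
  stage?: string;   // undefined means the HTTP API's implicit "$default" stage
  method: string;
  apiPath?: string; // literal path, JSONPath ("$.x") or ASL intrinsic ("States.Format(...)")
}
interface PolicyStatement { Action: string | string[]; Resource: string | string[]; Effect: string }
interface PolicyDocument { Version: string; Statement: PolicyStatement[] }

// A path is dynamic when Step Functions resolves it at run time, so it cannot
// appear literally in an IAM resource ARN.
function isDynamicPath(apiPath: string): boolean {
  return apiPath.startsWith("$") || /^States\.[A-Za-z]+\(/.test(apiPath);
}

// Fall back to "$default" for a missing stage and to a wildcard for a dynamic path
// instead of leaking "undefined" or the unevaluated expression into the ARN.
function executeApiResource(call: HttpApiCall): string {
  const stage = call.stage ?? "$default";
  const path = call.apiPath === undefined || isDynamicPath(call.apiPath)
    ? "*"
    : call.apiPath.replace(/^\//, "");
  return `arn:aws:execute-api:${call.region}:${call.account}:${call.apiId}/${stage}/${call.method}/${path}`;
}

// Returns every execute-api resource in a policy that contains an unresolved stage
// or an unevaluated JSONPath/intrinsic, i.e. the pattern this report describes.
function malformedExecuteApiResources(policy: PolicyDocument): string[] {
  const bad: string[] = [];
  for (const st of policy.Statement) {
    const resources = Array.isArray(st.Resource) ? st.Resource : [st.Resource];
    for (const r of resources) {
      if (!r.startsWith("arn:aws:execute-api:")) continue;
      if (r.includes("/undefined/") || r.includes("$.") || /States\.[A-Za-z]+\(/.test(r)) bad.push(r);
    }
  }
  return bad;
}

// Constructed sample: the statement quoted under "What actually happened?".
const actualPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{
    Action: "execute-api:Invoke",
    Resource: "arn:aws:execute-api:ca-central-1:111111111111:a111111111/undefined/GETStates.Format('/{}', $.statusCode)",
    Effect: "Allow",
  }],
};
```

Running `malformedExecuteApiResources` over a synthesized template's role policies is a cheap pre-deploy check that catches this class of defect before a state machine fails at run time.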