New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
StepFunctions: Multi-accounts compatibility #9119
Conversation
TO BE REVERTED BEFORE MERGE
c6c71f9
to
14eb9a2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the changes! I would like the separation between building the evaluation tree and evaluating runtime values to remain consistent. We achieve this with Component and EvalComponent classes. Adding these runtime values to the environment is valid, but not in the preprocessor. Also a question about parameter validation of the new clients.
...ctions/asl/component/state/state_execution/state_task/service/state_task_service_dynamodb.py
Outdated
Show resolved
Hide resolved
...ck/services/stepfunctions/asl/component/state/state_execution/state_task/service/resource.py
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resources are now evaluation components for ResourceRuntimePart
which includes the region and account. This means that the request's account and region are used if none is declared in the resource Arn. All other staticResource properties are still accessible from the declaration objects themselves.
Motivation
This PR introduces multi-account support to the legacy StepFunctions provider. It also makes multi-account friendly fixes to the work-in-progress StepFunctions v2 provider.
cc: @MEPalma
Implementation
The legacy provider uses StepFunctions Local which itself does not support namespacing. So we take an approach similar to Kinesis. Each account+region combo will run its own instance of SFLocal. Of course this is not optimal but should fulfill simple usecases.
However, SFLocal does not respect the
--account-id
argument and overwrites ARNs like Lambda Functions during invocations. So I guess the way forward is to only support true multi-accounts in the new SF provider and keep this limitation in the legacy one. The multi-region parameter is maintained.Criteria for merging: all stepfunctions tests (legacy as well as the ci/circleci: itest-sfn-v2-provider job) pass when
AWS_ACCESS_KEY_ID
is set to a non-default account ID or whenAWS_REGION_NAME
is set to non-us-east-1
region.79ec46e must be reverted before merge
Related
Closes #8205