Description
What is the problem?
Using auto-generated stepfunction roles together with versioned lambdas in the step functions. On deployment, the stepfunction role is updated with the new lambda version. This causes lambda:InvokeFunction role failures in in-flight stepfunction executions, as they still have the previous lambda version in their stepfunction execution definition but the stepfunction role now only contains the newer lambda version.
Is there a way to have the auto-generated stepfunction roles not include the lambda version in the role?
Reproduction Steps
Create a stepfunction that invokes a lambda version. The stepfunction role will contain a lambda version.
What did you expect to happen?
Stepfunctions to not fail on in-flight executions during a deployment.
What actually happened?
Stepfunction lambda:InvokeFunction errors on mismatched lambda versions:
Error: Lambda.AWSLambdaException
Cause: User: arn:aws:sts::335321747591:assumed-role/TidewaterWorkflowsCreateJ-CreateJournalStateMachin-184QJ29APKE3O/VAqgLpXDrcGwUULKzfuDBGJmuwiKLfzI is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:335321747591:function:LogResources:28 because no identity-based policy allows the lambda:InvokeFunction action (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 6ccb7c61-369f-4826-9fc6-113954ec38c8; Proxy: null)
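The failure mode above comes down to IAM resource matching: a policy scoped to `function:LogResources:28` does not match the `:27` ARN that an execution started before the deployment still holds. The following is an added example (not code from the issue or from aws-cdk) that models that evaluation with a small IAM-style matcher, comparing a version-pinned statement with a version-agnostic one (unqualified ARN plus `:*`); the account id and version numbers are constructed placeholders.

```python
# Added example (not from the issue or aws-cdk): a tiny IAM-style resource
# matcher used to check whether a state machine role's policy still covers
# the Lambda version ARNs held by in-flight executions after a deployment.

def _glob_match(pattern: str, text: str) -> bool:
    """IAM-style matching: '*' spans any characters, '?' exactly one; case-sensitive."""
    if not pattern:
        return not text
    if pattern[0] == "*":
        return any(_glob_match(pattern[1:], text[i:]) for i in range(len(text) + 1))
    if text and (pattern[0] == "?" or pattern[0] == text[0]):
        return _glob_match(pattern[1:], text[1:])
    return False


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Evaluate identity-based policy statements: an explicit Deny overrides any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_glob_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_glob_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed ARNs (placeholder account id) mirroring the issue: the role was
# regenerated for version 28 while an execution started earlier still targets 27.
FUNCTION_ARN = "arn:aws:lambda:us-west-2:123456789012:function:LogResources"

# What the auto-generated role looks like when the task points at a specific version.
VERSION_PINNED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": f"{FUNCTION_ARN}:28"}]}

# Version-agnostic grant: unqualified ARN plus every qualifier (version or alias).
VERSION_AGNOSTIC_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Resource": [FUNCTION_ARN, f"{FUNCTION_ARN}:*"]}]}


def inflight_invoke_allowed(policy: dict, versions) -> dict:
    """Map each version number still referenced by running executions to allow/deny."""
    return {v: policy_allows(policy, "lambda:InvokeFunction", f"{FUNCTION_ARN}:{v}") for v in versions}
```

The trade-off is that the `:*` grant also covers aliases and any future version, so it is broader than the pinned grant; a middle ground is to keep both the previous and the current version ARN in the role until no execution references the older one.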
CDK CLI Version
1.130.0 (build 9c094ae)
Framework Version
No response
Node.js Version
12
OS
macOS 10.15.7
Language
TypeScript
Language Version
No response
Other information
No response