diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/LambdaInvokeAllVersionsIntegTestDefaultTestDeployAssertA82B09A1.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/LambdaInvokeAllVersionsIntegTestDefaultTestDeployAssertA82B09A1.assets.json new file mode 100644 index 0000000000000..86ef0aec81ed3 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/LambdaInvokeAllVersionsIntegTestDefaultTestDeployAssertA82B09A1.assets.json @@ -0,0 +1,20 @@ +{ + "version": "41.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "LambdaInvokeAllVersionsIntegTestDefaultTestDeployAssertA82B09A1 Template", + "source": { + "path": "LambdaInvokeAllVersionsIntegTestDefaultTestDeployAssertA82B09A1.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/LambdaInvokeAllVersionsIntegTestDefaultTestDeployAssertA82B09A1.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/LambdaInvokeAllVersionsIntegTestDefaultTestDeployAssertA82B09A1.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/LambdaInvokeAllVersionsIntegTestDefaultTestDeployAssertA82B09A1.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ.assets.json new file mode 100644 index 0000000000000..c0907a38d36c5 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ.assets.json 
@@ -0,0 +1,20 @@ +{ + "version": "41.0.0", + "files": { + "90e39e7d20be2f0a430ed9ef0e746d437e00f6aca3dcd5f6a5ce8e06725ede9b": { + "displayName": "aws-stepfunctions-tasks-lambda-invoke-all-versions-integ Template", + "source": { + "path": "aws-stepfunctions-tasks-lambda-invoke-all-versions-integ.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "90e39e7d20be2f0a430ed9ef0e746d437e00f6aca3dcd5f6a5ce8e06725ede9b.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ.template.json new file mode 100644 index 0000000000000..b452c653cd5b7 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ.template.json 
@@ -0,0 +1,182 @@ +{ + "Resources": { + "MyFunction1746741702260ServiceRoleA2A903A4": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "MyFunction174674170226001FDC800": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "exports.handler = async (event) => {\n return {\n statusCode: '200',\n body: 'hello, world!',\n timestamp: '1746741702260',\n ...event,\n };\n };" + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "MyFunction1746741702260ServiceRoleA2A903A4", + "Arn" + ] + }, + "Runtime": "nodejs18.x" + }, + "DependsOn": [ + "MyFunction1746741702260ServiceRoleA2A903A4" + ] + }, + "MyFunction1746741702260CurrentVersion0D97F60Cddf07e876dc1d6e3c64dfdecd0a82956": { + "Type": "AWS::Lambda::Version", + "Properties": { + "FunctionName": { + "Ref": "MyFunction174674170226001FDC800" + } + } + }, + "StateMachineRoleB840431D": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "states.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "StateMachineRoleDefaultPolicyDF1E6607": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "lambda:InvokeFunction", + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + { + "Ref": "MyFunction1746741702260CurrentVersion0D97F60Cddf07e876dc1d6e3c64dfdecd0a82956" + }, + ":*" + ] + ] + }, + { + "Ref": "MyFunction1746741702260CurrentVersion0D97F60Cddf07e876dc1d6e3c64dfdecd0a82956" + } + ] + } + ], + 
"Version": "2012-10-17" + }, + "PolicyName": "StateMachineRoleDefaultPolicyDF1E6607", + "Roles": [ + { + "Ref": "StateMachineRoleB840431D" + } + ] + } + }, + "StateMachine2E01A3A5": { + "Type": "AWS::StepFunctions::StateMachine", + "Properties": { + "DefinitionString": { + "Fn::Join": [ + "", + [ + "{\"StartAt\":\"InvokeLambda\",\"States\":{\"InvokeLambda\":{\"End\":true,\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"OutputPath\":\"$.Payload\",\"Resource\":\"arn:", + { + "Ref": "AWS::Partition" + }, + ":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"", + { + "Ref": "MyFunction1746741702260CurrentVersion0D97F60Cddf07e876dc1d6e3c64dfdecd0a82956" + }, + "\",\"Payload.$\":\"$\"}}},\"TimeoutSeconds\":30}" + ] + ] + }, + "RoleArn": { + "Fn::GetAtt": [ + "StateMachineRoleB840431D", + "Arn" + ] + } + }, + "DependsOn": [ + "StateMachineRoleDefaultPolicyDF1E6607", + "StateMachineRoleB840431D" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/cdk.out new file mode 100644 index 0000000000000..188478b55560e --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"41.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/integ.json new file mode 100644 index 0000000000000..a820d4dec3ee7 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "41.0.0", + "testCases": { + "LambdaInvokeAllVersionsIntegTest/DefaultTest": { + "stacks": [ + "aws-stepfunctions-tasks-lambda-invoke-all-versions-integ" + ], + "assertionStack": "LambdaInvokeAllVersionsIntegTest/DefaultTest/DeployAssert", + "assertionStackName": "LambdaInvokeAllVersionsIntegTestDefaultTestDeployAssertA82B09A1" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/manifest.json new file mode 100644 index 0000000000000..13e3ae98f106f --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/manifest.json 
@@ -0,0 +1,299 @@ +{ + "version": "42.0.0", + "artifacts": { + "aws-stepfunctions-tasks-lambda-invoke-all-versions-integ.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "aws-stepfunctions-tasks-lambda-invoke-all-versions-integ.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "aws-stepfunctions-tasks-lambda-invoke-all-versions-integ": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "aws-stepfunctions-tasks-lambda-invoke-all-versions-integ.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/90e39e7d20be2f0a430ed9ef0e746d437e00f6aca3dcd5f6a5ce8e06725ede9b.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "aws-stepfunctions-tasks-lambda-invoke-all-versions-integ.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "aws-stepfunctions-tasks-lambda-invoke-all-versions-integ.assets" + ], + "metadata": { + "/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/MyFunction1746741702260": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "code": "*", + "runtime": "*", + "handler": "*" + } + } + ], + 
"/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/MyFunction1746741702260/ServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + }, + "managedPolicies": [ + { + "managedPolicyArn": "*" + } + ] + } + } + ], + "/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/MyFunction1746741702260/ServiceRole/ImportServiceRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/MyFunction1746741702260/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyFunction1746741702260ServiceRoleA2A903A4" + } + ], + "/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/MyFunction1746741702260/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyFunction174674170226001FDC800" + } + ], + "/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/MyFunction1746741702260/CurrentVersion": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "lambda": "*" + } + } + ], + "/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/MyFunction1746741702260/CurrentVersion/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyFunction1746741702260CurrentVersion0D97F60Cddf07e876dc1d6e3c64dfdecd0a82956" + } + ], + "/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/StateMachine": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "definition": "*", + "timeout": "*" + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToRolePolicy": [ + {} + ] + } + } + ], + "/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/StateMachine/Role": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + 
"attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + } + ], + "/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/StateMachine/Role/ImportRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/StateMachine/Role/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "StateMachineRoleB840431D" + } + ], + "/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/StateMachine/Role/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], + "/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/StateMachine/Role/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "StateMachineRoleDefaultPolicyDF1E6607" + } + ], + "/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/StateMachine/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "StateMachine2E01A3A5" + } + ], + "/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ], + "MyFunction1746740485266ServiceRoleA9060927": [ + { + "type": "aws:cdk:logicalId", + "data": "MyFunction1746740485266ServiceRoleA9060927", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } + ], + "MyFunction1746740485266E43D826D": [ + { + "type": "aws:cdk:logicalId", + "data": "MyFunction1746740485266E43D826D", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } + 
], + "MyFunction1746740485266CurrentVersion8CE9670D19fc4564ce37a5df5a7beae372144117": [ + { + "type": "aws:cdk:logicalId", + "data": "MyFunction1746740485266CurrentVersion8CE9670D19fc4564ce37a5df5a7beae372144117", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } + ] + }, + "displayName": "aws-stepfunctions-tasks-lambda-invoke-all-versions-integ" + }, + "LambdaInvokeAllVersionsIntegTestDefaultTestDeployAssertA82B09A1.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "LambdaInvokeAllVersionsIntegTestDefaultTestDeployAssertA82B09A1.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "LambdaInvokeAllVersionsIntegTestDefaultTestDeployAssertA82B09A1": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "LambdaInvokeAllVersionsIntegTestDefaultTestDeployAssertA82B09A1.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "LambdaInvokeAllVersionsIntegTestDefaultTestDeployAssertA82B09A1.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + 
"LambdaInvokeAllVersionsIntegTestDefaultTestDeployAssertA82B09A1.assets" + ], + "metadata": { + "/LambdaInvokeAllVersionsIntegTest/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/LambdaInvokeAllVersionsIntegTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "LambdaInvokeAllVersionsIntegTest/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + }, + "minimumCliVersion": "2.1006.0" +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/tree.json new file mode 100644 index 0000000000000..95de785bcd5bb --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.js.snapshot/tree.json 
@@ -0,0 +1 @@ +{"version":"tree-0.1","tree":{"id":"App","path":"","children":{"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ":{"id":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ","children":{"MyFunction1746741702260":{"id":"MyFunction1746741702260","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/MyFunction1746741702260","children":{"ServiceRole":{"id":"ServiceRole","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/MyFunction1746741702260/ServiceRole","children":{"ImportServiceRole":{"id":"ImportServiceRole","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/MyFunction1746741702260/ServiceRole/ImportServiceRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/MyFunction1746741702260/ServiceRole/Resource","attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"}}],"Version":"2012-10-17"},"managedPolicyArns":[{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]]}]}},"constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"}}},"constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"},"managedPolicies":[{"managedPolicyArn":"*"}]}]}},"Resource":{"id":"Resource","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/MyFunction1746741702260/Resource","attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Function","aws:cdk:cloudformation:props":{"code":{"zipFile":"exports.handler = async (event) => {\n return {\n statusCode: '200',\n body: 'hello, world!',\n timestamp: '1746741702260',\n 
...event,\n };\n };"},"handler":"index.handler","role":{"Fn::GetAtt":["MyFunction1746741702260ServiceRoleA2A903A4","Arn"]},"runtime":"nodejs18.x"}},"constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.CfnFunction","version":"0.0.0"}},"CurrentVersion":{"id":"CurrentVersion","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/MyFunction1746741702260/CurrentVersion","children":{"Resource":{"id":"Resource","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/MyFunction1746741702260/CurrentVersion/Resource","attributes":{"aws:cdk:cloudformation:type":"AWS::Lambda::Version","aws:cdk:cloudformation:props":{"functionName":{"Ref":"MyFunction174674170226001FDC800"}}},"constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.CfnVersion","version":"0.0.0"}}},"constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.Version","version":"0.0.0","metadata":[{"lambda":"*"}]}}},"constructInfo":{"fqn":"aws-cdk-lib.aws_lambda.Function","version":"0.0.0","metadata":[{"code":"*","runtime":"*","handler":"*"}]}},"InvokeLambda":{"id":"InvokeLambda","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/InvokeLambda","constructInfo":{"fqn":"aws-cdk-lib.aws_stepfunctions_tasks.LambdaInvoke","version":"0.0.0"}},"StateMachine":{"id":"StateMachine","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/StateMachine","children":{"Role":{"id":"Role","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/StateMachine/Role","children":{"ImportRole":{"id":"ImportRole","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/StateMachine/Role/ImportRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/StateMachine/Role/Resource","attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"states.amazona
ws.com"}}],"Version":"2012-10-17"}}},"constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"}},"DefaultPolicy":{"id":"DefaultPolicy","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/StateMachine/Role/DefaultPolicy","children":{"Resource":{"id":"Resource","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/StateMachine/Role/DefaultPolicy/Resource","attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"lambda:InvokeFunction","Effect":"Allow","Resource":[{"Fn::Join":["",[{"Ref":"MyFunction1746741702260CurrentVersion0D97F60Cddf07e876dc1d6e3c64dfdecd0a82956"},":*"]]},{"Ref":"MyFunction1746741702260CurrentVersion0D97F60Cddf07e876dc1d6e3c64dfdecd0a82956"}]}],"Version":"2012-10-17"},"policyName":"StateMachineRoleDefaultPolicyDF1E6607","roles":[{"Ref":"StateMachineRoleB840431D"}]}},"constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"}}},"constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]}]}}},"constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]},{"attachInlinePolicy":["*"]}]}},"Resource":{"id":"Resource","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/StateMachine/Resource","attributes":{"aws:cdk:cloudformation:type":"AWS::StepFunctions::StateMachine","aws:cdk:cloudformation:props":{"definitionString":{"Fn::Join":["",["{\"StartAt\":\"InvokeLambda\",\"States\":{\"InvokeLambda\":{\"End\":true,\"Retry\":[{\"ErrorEquals\":[\"Lambda.ClientExecutionTimeoutException\",\"Lambda.ServiceException\",\"Lambda.AWSLambdaException\",\"Lambda.SdkClientException\"],\"IntervalSeconds\":2,\"MaxAttempts\":6,\"BackoffRate\":2}],\"Type\":\"Task\",\"OutputPath\":\"$.Payload\",\"Resource\":\"ar
n:",{"Ref":"AWS::Partition"},":states:::lambda:invoke\",\"Parameters\":{\"FunctionName\":\"",{"Ref":"MyFunction1746741702260CurrentVersion0D97F60Cddf07e876dc1d6e3c64dfdecd0a82956"},"\",\"Payload.$\":\"$\"}}},\"TimeoutSeconds\":30}"]]},"roleArn":{"Fn::GetAtt":["StateMachineRoleB840431D","Arn"]}}},"constructInfo":{"fqn":"aws-cdk-lib.aws_stepfunctions.CfnStateMachine","version":"0.0.0"}}},"constructInfo":{"fqn":"aws-cdk-lib.aws_stepfunctions.StateMachine","version":"0.0.0","metadata":[{"definition":"*","timeout":"*"},{"addToRolePolicy":[{}]}]}},"BootstrapVersion":{"id":"BootstrapVersion","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"aws-stepfunctions-tasks-lambda-invoke-all-versions-integ/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}},"constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"}},"LambdaInvokeAllVersionsIntegTest":{"id":"LambdaInvokeAllVersionsIntegTest","path":"LambdaInvokeAllVersionsIntegTest","children":{"DefaultTest":{"id":"DefaultTest","path":"LambdaInvokeAllVersionsIntegTest/DefaultTest","children":{"Default":{"id":"Default","path":"LambdaInvokeAllVersionsIntegTest/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"LambdaInvokeAllVersionsIntegTest/DefaultTest/DeployAssert","children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"LambdaInvokeAllVersionsIntegTest/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"LambdaInvokeAllVersionsIntegTest/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}},"constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"}}},"constructInf
o":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"}}},"constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}},"constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"}}} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.ts new file mode 100644 index 0000000000000..d72ea3a98ad74 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/lambda/integ.invoke.all-versions.ts 
@@ -0,0 +1,75 @@
+import * as cdk from 'aws-cdk-lib';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
+import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import * as assertions from 'aws-cdk-lib/assertions';
+import { STANDARD_NODEJS_RUNTIME } from '../../../config';
+
+/**
+ * Integration test for the Lambda invoke all versions permission feature.
+ *
+ * This test validates the State Machine's IAM role has the permission to invoke any version of the Lambda.
+ *
+ * The core functionality being tested is that the LambdaInvoke construct grants permission to all versions
+ * when the feature flag is enabled.
+ */
+const app = new cdk.App({
+ context: {
+ '@aws-cdk/aws-stepfunctions-tasks:lambdaInvokeGrantAllVersions': true,
+ },
+});
+
+const stack = new cdk.Stack(app, 'aws-stepfunctions-tasks-lambda-invoke-all-versions-integ');
+
+const uniqueSuffix = Date.now().toString();
+
+const fn = new lambda.Function(stack, `MyFunction${uniqueSuffix}`, {
+ code: lambda.Code.fromInline(`exports.handler = async (event) => {
+ return {
+ statusCode: '200',
+ body: 'hello, world!',
+ timestamp: '${uniqueSuffix}',
+ ...event,
+ };
+ };`),
+ runtime: STANDARD_NODEJS_RUNTIME,
+ handler: 'index.handler',
+});
+
+const invokeLambda = new tasks.LambdaInvoke(stack, 'InvokeLambda', {
+ lambdaFunction: fn.currentVersion,
+ outputPath: '$.Payload',
+});
+
+new sfn.StateMachine(stack, 'StateMachine', {
+ definition: invokeLambda,
+ timeout: cdk.Duration.seconds(30),
+});
+
+new integ.IntegTest(app, 'LambdaInvokeAllVersionsIntegTest', {
+ testCases: [stack],
+});
+
+// Add assertions to test if the State Machine role has permission to invoke any version
+const template = assertions.Template.fromStack(stack);
+
+// Test assertion validating that the StateMachine role policy allows invoking any version
+// of the Lambda function (i.e., that the resource ends with ":*")
+template.hasResourceProperties('AWS::IAM::Policy', { + PolicyDocument: { + Statement: assertions.Match.arrayWith([ + assertions.Match.objectLike({ + Action: 'lambda:InvokeFunction', + Effect: 'Allow', + }), + ]), + }, +}); + +const templateJson = JSON.stringify(template.toJSON()); +if (!templateJson.includes('":*"')) { + throw new Error('Expected IAM policy to include ":*" permission for all Lambda versions'); +} + +app.synth(); diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/lambda/invoke.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/lambda/invoke.ts index 6fc2b77f61f8f..339d3a083bea3 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/lambda/invoke.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/lambda/invoke.ts @@ -3,6 +3,7 @@ import * as iam from '../../../aws-iam'; import * as lambda from '../../../aws-lambda'; import * as sfn from '../../../aws-stepfunctions'; import * as cdk from '../../../core'; +import * as cxapi from '../../../cx-api'; import { ValidationError } from '../../../core'; import { integrationResourceArn, validatePatternSupported } from '../private/task-utils'; @@ -150,9 +151,22 @@ export class LambdaInvoke extends sfn.TaskStateBase { }, }; + const grantAllVersions = cdk.FeatureFlags.of(this).isEnabled(cxapi.STEPFUNCTIONS_TASKS_LAMBDA_INVOKE_GRANT_ALL_VERSIONS); + const functionArn = this.props.lambdaFunction.functionArn; + let resources: string[]; + if (grantAllVersions) { + const baseArn = functionArn.replace(/:[^:]*$/, ''); + resources = [ + functionArn, + `${baseArn}:*`, + ]; + } else { + resources = this.props.lambdaFunction.resourceArnsForGrantInvoke; + } + this.taskPolicies = [ new iam.PolicyStatement({ - resources: this.props.lambdaFunction.resourceArnsForGrantInvoke, + resources, actions: ['lambda:InvokeFunction'], }), ]; 
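Review bot: In integ.invoke.all-versions.ts the final check `templateJson.includes('":*"')` is satisfied by any `":*"` anywhere in the template, so it does not show that the wildcard is attached to the function ARN. The snapshot template added in this same commit has the policy resource as the `CurrentVersion` `Ref` joined with `:*`, which looks like a wildcard under the version ARN rather than under the function, and the test still passes. Assert the exact `Resource` value inside the `hasResourceProperties` matcher instead of searching the JSON string. Separately, `Date.now()` in the construct id changes the logical ids on every synth (the committed manifest.json already carries `WILL_DESTROY` traces for a different timestamp), so a fixed id such as `'MyFunction'` would keep the snapshot reproducible.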
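Review bot: In invoke.ts, `functionArn.replace(/:[^:]*$/, '')` removes the last colon-separated field whether or not it is a version or alias qualifier. For an unqualified literal ARN (for example a function imported by ARN) that field is the function name, so `${baseArn}:*` becomes `...:function:*` and the state machine role could invoke every function in that account and region. For an unresolved token the string likely has no colon to strip, so the statement ends up with the version ARN followed by `:*`, which appears to be what the snapshot policy contains. Derive the unqualified ARN from the ARN's fields rather than from its tail, so a qualifier is dropped only when one is present; one way, relying on `cdk.Fn.split` and `cdk.Fn.select` accepting both literal strings and tokens, is sketched below. The enclosing method starts and ends outside the hunk.

```typescript
const functionArn = this.props.lambdaFunction.functionArn;
let resources: string[];
if (grantAllVersions) {
  // An unqualified Lambda ARN has seven colon-separated fields; keep exactly those so a
  // version or alias qualifier is dropped when present and the function name never is.
  const fields = cdk.Fn.split(':', functionArn);
  const baseArn = cdk.Fn.join(':', [0, 1, 2, 3, 4, 5, 6].map((i) => cdk.Fn.select(i, fields)));
  resources = [functionArn, `${baseArn}:*`];
} else {
  // … unchanged: resourceArnsForGrantInvoke …
}
```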
diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/lambda/invoke.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/lambda/invoke.test.ts index df63ef06b8c94..8172d7c63b0d0 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/lambda/invoke.test.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/lambda/invoke.test.ts @@ -1,6 +1,8 @@ import { testDeprecated } from '@aws-cdk/cdk-build-tools'; +import * as iam from '../../../aws-iam'; import * as lambda from '../../../aws-lambda'; import * as sfn from '../../../aws-stepfunctions'; +import * as cdk from '../../../core'; import { Stack } from '../../../core'; import { LambdaInvocationType, LambdaInvoke } from '../../lib'; 
@@ -371,6 +373,64 @@ describe('LambdaInvoke', () => { }); }); + test('with feature flag enabled, grants permissions to all versions of the Lambda function', () => { + const flags = { isEnabled: () => true }; + jest.spyOn(cdk.FeatureFlags, 'of').mockImplementation(() => flags as any); + + const versionedFunction = lambda.Version.fromVersionArn( + stack, + 'Version', + `${lambdaFunction.functionArn}:42`, + ); + + const task = new LambdaInvoke(stack, 'VersionedTask', { + lambdaFunction: versionedFunction, + }); + + const policies = (task as any).taskPolicies as iam.PolicyStatement[]; + const resources = policies[0].resources; + + expect(resources).toContain(`${lambdaFunction.functionArn}:42`); + expect(resources).toContain(`${lambdaFunction.functionArn}:*`); + }); + + test('with feature flag disabled, grants permissions only to the specific version', () => { + const flags = { isEnabled: () => false }; + jest.spyOn(cdk.FeatureFlags, 'of').mockImplementation(() => flags as any); + + const versionedFunction = lambda.Version.fromVersionArn( + stack, + 'Version', + `${lambdaFunction.functionArn}:42`, + ); + + const task = new LambdaInvoke(stack, 'VersionedTaskNoFlag', { + lambdaFunction: versionedFunction, + }); + + const policies = (task as any).taskPolicies as iam.PolicyStatement[]; + const resources = policies[0].resources; + + expect(resources).toContain(`${lambdaFunction.functionArn}:42`); + expect(resources).not.toContain(`${lambdaFunction.functionArn}:*`); + expect(resources.length).toBe(1); + }); + + test('with feature flag enabled, grants permissions to all versions when using non-versioned Lambda function', () => { + const flags = { isEnabled: () => true }; + jest.spyOn(cdk.FeatureFlags, 'of').mockImplementation(() => flags as any); + + const task = new LambdaInvoke(stack, 'RegularTask', { + lambdaFunction: lambdaFunction, + }); + + const policies = (task as any).taskPolicies as iam.PolicyStatement[]; + const resources = policies[0].resources; + + 
expect(resources).toContain(lambdaFunction.functionArn); + expect(resources).toContain(`${lambdaFunction.functionArn}:*`); + }); + test('fails when integrationPattern used with payloadResponseOnly', () => { expect(() => { new LambdaInvoke(stack, 'Task', { diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index e7112c6f9c9e2..34d083ed030f4 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md @@ -100,6 +100,7 @@ Flags come in three types: | [@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope](#aws-cdkpipelinesreducecrossaccountactionroletrustscope) | When enabled, scopes down the trust policy for the cross-account action role | 2.189.0 | new default | | [@aws-cdk/core:aspectPrioritiesMutating](#aws-cdkcoreaspectprioritiesmutating) | When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING. | 2.189.1 | new default | | [@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions](#aws-cdks3-notificationsadds3trustkeypolicyforsnssubscriptions) | Add an S3 trust policy to a KMS key resource policy for SNS subscriptions. | 2.195.0 | fix | +| [@aws-cdk/aws-stepfunctions-tasks:lambdaInvokeGrantAllVersions](#aws-cdkaws-stepfunctions-taskslambdainvokegrantallversions) | When enabled, LambdaInvoke grants permissions to all versions of a Lambda function by default | V2NEXT | fix | | [@aws-cdk/aws-s3:publicAccessBlockedByDefault](#aws-cdkaws-s3publicaccessblockedbydefault) | When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined. | V2NEXT | fix | 
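Review bot: All three new tests build their ARNs from `lambdaFunction.functionArn`, which appears to be an unresolved token defined outside this hunk, so none of them pins what the policy looks like for a literal unqualified ARN, the case where a too-broad wildcard would show up. I would add a case with an imported function that has a plain ARN string and assert that the only wildcard entry is `<that ARN>:*`. The `jest.spyOn(cdk.FeatureFlags, 'of')` mocks are also never restored inside the hunk and return the same value for every flag; unless the suite resets mocks elsewhere, add `afterEach(() => jest.restoreAllMocks());` and have `isEnabled` answer only for the flag under test.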
@@ -185,6 +186,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-dynamodb:retainTableReplica": true, "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": true, "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": true, + "@aws-cdk/aws-stepfunctions-tasks:lambdaInvokeGrantAllVersions": true, "@aws-cdk/aws-s3:publicAccessBlockedByDefault": true } } @@ -2107,6 +2109,25 @@ When this feature flag is enabled, a S3 trust policy will be added to the KMS ke | 2.195.0 | `false` | `true` | +### @aws-cdk/aws-stepfunctions-tasks:lambdaInvokeGrantAllVersions + +*When enabled, LambdaInvoke grants permissions to all versions of a Lambda function by default* + +Flag type: Backwards incompatible bugfix + +When a Step Function invokes a Lambda function version, it requires IAM permissions specifically for that version. +Currently, the AWS CDK's `LambdaInvoke` construct automatically creates IAM permissions for the specific Lambda +version referenced, but these permissions are updated during redeployment to only include the new version, removing +access to previous versions. + +This can cause in-flight Step Function executions to fail when new Lambda versions are deployed. + +When this feature flag is enabled, the `LambdaInvoke` construct will automatically grant permissions to both: +- The specific Lambda version referenced +- All versions of the Lambda function (using a wildcard) + +This ensures that in-flight executions continue to work even after deploying updates to Lambda functions. + ### @aws-cdk/aws-s3:publicAccessBlockedByDefault *When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined.* diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index 026535906bfcd..19f73ae64b168 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts 
@@ -137,6 +137,7 @@ export const DYNAMODB_TABLE_RETAIN_TABLE_REPLICA = '@aws-cdk/aws-dynamodb:retain export const LOG_USER_POOL_CLIENT_SECRET_VALUE = '@aws-cdk/cognito:logUserPoolClientSecretValue'; export const PIPELINE_REDUCE_CROSS_ACCOUNT_ACTION_ROLE_TRUST_SCOPE = '@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope'; export const S3_TRUST_KEY_POLICY_FOR_SNS_SUBSCRIPTIONS = '@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions'; +export const STEPFUNCTIONS_TASKS_LAMBDA_INVOKE_GRANT_ALL_VERSIONS = '@aws-cdk/aws-stepfunctions-tasks:lambdaInvokeGrantAllVersions'; export const USE_RESOURCEID_FOR_VPCV2_MIGRATION = '@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration'; export const S3_PUBLIC_ACCESS_BLOCKED_BY_DEFAULT = '@aws-cdk/aws-s3:publicAccessBlockedByDefault'; @@ -341,7 +342,7 @@ export const FLAGS: Record = { summary: 'Enable this feature flag to have elastic file systems encrypted at rest by default.', detailsMd: ` Encryption can also be configured explicitly using the \`encrypted\` property. - `, + `, introducedIn: { v1: '1.98.0' }, defaults: { v2: true }, recommendedValue: true, @@ -1576,8 +1577,6 @@ export const FLAGS: Record = { introducedIn: { v2: '2.195.0' }, recommendedValue: true, }, - - ////////////////////////////////////////////////////////////////////// [USE_RESOURCEID_FOR_VPCV2_MIGRATION]: { type: FlagType.ApiDefault, summary: 'When enabled, use resource IDs for VPC V2 migration', 
@@ -1605,6 +1604,28 @@ export const FLAGS: Record = { introducedIn: { v2: 'V2NEXT' }, recommendedValue: true, }, + + ////////////////////////////////////////////////////////////////////// + [STEPFUNCTIONS_TASKS_LAMBDA_INVOKE_GRANT_ALL_VERSIONS]: { + type: FlagType.BugFix, + summary: 'When enabled, LambdaInvoke grants permissions to all versions of a Lambda function by default', + detailsMd: ` + When a Step Function invokes a Lambda function version, it requires IAM permissions specifically for that version. + Currently, the AWS CDK's \`LambdaInvoke\` construct automatically creates IAM permissions for the specific Lambda + version referenced, but these permissions are updated during redeployment to only include the new version, removing + access to previous versions. + + This can cause in-flight Step Function executions to fail when new Lambda versions are deployed. + + When this feature flag is enabled, the \`LambdaInvoke\` construct will automatically grant permissions to both: + - The specific Lambda version referenced + - All versions of the Lambda function (using a wildcard) + + This ensures that in-flight executions continue to work even after deploying updates to Lambda functions. + `, + introducedIn: { v2: 'V2NEXT' }, + recommendedValue: true, + }, }; const CURRENT_MV = 'v2'; diff --git a/packages/aws-cdk-lib/recommended-feature-flags.json b/packages/aws-cdk-lib/recommended-feature-flags.json index b847d4afb96b6..640449e474361 100644 --- a/packages/aws-cdk-lib/recommended-feature-flags.json +++ b/packages/aws-cdk-lib/recommended-feature-flags.json @@ -72,5 +72,6 @@ "@aws-cdk/aws-dynamodb:retainTableReplica": true, "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": true, "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": true, + "@aws-cdk/aws-stepfunctions-tasks:lambdaInvokeGrantAllVersions": true, "@aws-cdk/aws-s3:publicAccessBlockedByDefault": true } \ No newline at end of file
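Review bot: The `detailsMd` for `STEPFUNCTIONS_TASKS_LAMBDA_INVOKE_GRANT_ALL_VERSIONS` describes the wildcard as covering all versions, but a `:*` qualifier in an IAM resource also matches aliases and every version published later, and with `recommendedValue: true` new projects get that broader grant by default. I would say so in the text, for example `The wildcard matches any qualifier, including aliases and future versions; leave the flag off if the state machine role must stay pinned to one version.` The same wording belongs in the FEATURE_FLAGS.md section this commit adds.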