fix(stepfunctions): lambda invoke grant all versions #34398
Conversation
const functionArn = this.props.lambdaFunction.functionArn; | ||
let resources: string[]; | ||
if (grantAllVersions) { | ||
const baseArn = functionArn.replace(/:[^:]*$/, ''); |
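Review bot: `functionArn.replace(/:[^:]*$/, '')` on the last line of this hunk does plain string surgery on `this.props.lambdaFunction.functionArn`, which inside a CDK construct is normally an unresolved token rather than a literal ARN, so the regex will not find a version suffix at synth time. Even with a literal ARN the regex is unsafe: when `lambdaFunction` is an unversioned function (`arn:aws:lambda:region:account:function:name`, no qualifier) the last `:` segment is the function name, so `baseArn` becomes `arn:aws:lambda:region:account:function`, and the `:*` wildcard the PR description says is built from it would cover every function in the account. Derive the unqualified ARN from the construct instead (the `resourceArnsForGrantInvoke` list that `grantInvoke` already uses, or the version's underlying function), and only add the wildcard when the task actually targets a version or alias.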
functionArn could be a token I believe. So calling .replace on a token will not work. Maybe the resourceArnsForGrantInvoke can be used instead, or the grantInvoke method. Please verify as I haven't dived super deep on this.
throw new Error('Expected IAM policy to include ":*" permission for all Lambda versions'); | ||
} | ||
|
||
app.synth(); |
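Review bot: the check that throws 'Expected IAM policy to include ":*" permission for all Lambda versions' only establishes that some resource string contains `:*`; it would pass just as well for an over-broad resource such as `arn:aws:lambda:region:account:function:*` or a bare `*`. Assert on the full expected resource, `arn:aws:lambda:region:account:function:name:*` alongside the versioned ARN, so the test fails if the wildcard ever widens beyond the one function. The trailing `app.synth();` is redundant under integ-runner and can interfere with feature-flag handling, so drop it.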
app.synth();
This is no longer needed. It can create feature flag problems. The integ test is failing probably due to this.
(More context: I think some integ tests have this as it is the old way of writing the test before integ-runner was a thing.)
@@ -150,9 +151,22 @@ export class LambdaInvoke extends sfn.TaskStateBase { | |||
}, | |||
}; | |||
|
|||
const grantAllVersions = cdk.FeatureFlags.of(this).isEnabled(cxapi.STEPFUNCTIONS_TASKS_LAMBDA_INVOKE_GRANT_ALL_VERSIONS); | |||
const functionArn = this.props.lambdaFunction.functionArn; |
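Review bot: the flag is read here, but nothing in this hunk restricts the new behaviour to versioned or aliased functions, and the `lambdaFunction` property documentation is not touched. Document on `lambdaFunction` that with `STEPFUNCTIONS_TASKS_LAMBDA_INVOKE_GRANT_ALL_VERSIONS` enabled the role receives `lambda:InvokeFunction` on `function-arn:*`, i.e. every existing and future version of that function, even when a specific version is passed to the task; and consider skipping the wildcard when `lambdaFunction` is not a version or alias, since the in-flight execution problem this PR addresses only arises for qualified ARNs.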
We should update the doc for the lambdaFunction property and call out what behaviour to expect when using the property and the feature flag. By doc, I mean this: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions_tasks.LambdaInvoke.html#lambdafunction
In particular, I think we should call out that in XYZ configuration, even if the user passes a specific version to LambdaInvoke, the permission will include ALL versions.
updated with the new commit
This ensures that in-flight executions continue to work even after deploying updates to Lambda functions. | ||
`, | ||
introducedIn: { v2: 'V2NEXT' }, | ||
recommendedValue: true, |
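Review bot: `recommendedValue: true` puts this flag into the `cdk init` template, so every new project gets the widened grant without opting in; the description above it should therefore state explicitly that the state machine role receives `lambda:InvokeFunction` on `function-arn:*` (all current and future versions of the function, not only the one referenced by the task), so that users who inherit the default can judge the trade-off between in-flight execution continuity and the broader permission.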
This means that when users do cdk init, the project will have this feature flag as true by default (without consciously opting into it). Can you confirm this is your intention and that security review is fine with this behaviour?
This has been discussed with security and it has been confirmed.
…ith versioned functions
Issue # (if applicable)
Closes #17515 .
Reason for this change
AWS CDK-generated Step Function roles break in-flight Step Function executions when using versioned Lambda functions. During deployment, the Step Function’s IAM role is updated to include permissions for the new Lambda version but removes permissions for the previous version. This causes lambda:InvokeFunction permission failures in in-flight executions that were started before the deployment and are still trying to invoke the previous Lambda version.
This issue is particularly problematic when using Step Function Aliases with deployment preferences for traffic shaping, as a percentage of new executions are directed to the previous version of the state machine, which attempts to invoke a Lambda version it no longer has permissions for.
Description of changes
Implemented a feature flag STEPFUNCTIONS_TASKS_LAMBDA_INVOKE_GRANT_ALL_VERSIONS to control IAM permissions granted when using Lambda versions with Step Functions:
- Added a new feature flag in cx-api/lib/features.ts with detailed documentation
- Modified the LambdaInvoke task implementation to check for this flag:
  - When enabled: grants permissions to both the specific Lambda version AND all versions using a wildcard pattern (function-arn:*)
  - When disabled (default behavior): maintains current behavior of granting permission only to the specific version
- Updated API documentation to clearly explain the feature flag usage
- Updated the README.md to include examples showing how to enable the feature flag
This approach maintains backward compatibility while giving users an opt-in solution to prevent in-flight executions from failing during deployments.
Describe any new or updated permissions being added
When the feature flag is enabled, the Step Function's IAM role will now include an additional IAM permission that grants access to all versions of the Lambda function using a wildcard pattern, e.g.:
"Resource": ["arn:aws:lambda:region:account:function:name:version"]
"Resource": ["arn:aws:lambda:region:account:function:name:version", "arn:aws:lambda:region:account:function:name:*"]
Description of how you validated changes
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
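An added example, not code from the aws-cdk PR, contrasting the hunk's `replace(/:[^:]*$/, '')` approach with a version-aware way of building the two resources described above, plus a check that a synthesized IAM statement's Lambda resources stay scoped to one function; the ARNs, account id and function name are constructed.

```typescript
// Added example, not code from the aws-cdk PR. Builds the Lambda resources a
// Step Functions role is granted when "grant all versions" is on, and flags
// over-broad Lambda resources in a synthesized IAM statement.
// ARN layout assumed from the PR description:
//   arn:aws:lambda:region:account:function:name[:qualifier]
const LAMBDA_ARN = /^(arn:[^:]+:lambda:[^:*]+:[^:*]+:function:[^:*]+)(?::([^:]+))?$/;

// Split a concrete ARN into its unqualified part and optional version/alias.
// A CDK token such as "${Token[TOKEN.42]}" is not an ARN and is rejected,
// which is why string surgery on functionArn inside a construct is unsafe.
function parseLambdaArn(arn: string): { unqualifiedArn: string; qualifier?: string } {
  const m = LAMBDA_ARN.exec(arn);
  if (!m) throw new Error(`not a concrete Lambda function ARN: ${arn}`);
  return { unqualifiedArn: m[1]!, qualifier: m[2] };
}

// The PR's approach: strip the last ":segment" and append ":*". On an
// unqualified ARN this strips the function NAME rather than a version.
function naiveAllVersionsArn(functionArn: string): string {
  return `${functionArn.replace(/:[^:]*$/, '')}:*`;
}

// Scoped alternative: the wildcard is always "<unqualified ARN>:*", so the
// grant never widens past the one function.
function invokeResources(functionArn: string, grantAllVersions: boolean): string[] {
  const { unqualifiedArn } = parseLambdaArn(functionArn);
  const resources = [functionArn];
  const wildcard = `${unqualifiedArn}:*`;
  if (grantAllVersions && wildcard !== functionArn) resources.push(wildcard);
  return resources;
}

// Check for a synthesized statement: region, account and function name must
// be concrete; only the qualifier may be "*". Returns the offending entries.
function overBroadLambdaResources(statement: { Resource: string | string[] }): string[] {
  const list = Array.isArray(statement.Resource) ? statement.Resource : [statement.Resource];
  return list.filter((r) => !LAMBDA_ARN.test(r));
}

// Constructed sample ARNs; the account id and function name are made up.
const VERSIONED = 'arn:aws:lambda:us-east-1:123456789012:function:my-fn:3';
const UNQUALIFIED = 'arn:aws:lambda:us-east-1:123456789012:function:my-fn';

console.log(invokeResources(VERSIONED, true));
console.log(naiveAllVersionsArn(UNQUALIFIED)); // ends in ":function:*"
console.log(overBroadLambdaResources({ Resource: [VERSIONED, naiveAllVersionsArn(UNQUALIFIED)] }));
```

Run `overBroadLambdaResources` over each `Resource` of a synthesized role policy to catch the unqualified-ARN case before it is deployed.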