Skip to content

feat: allow additional permissions to StepFunctions plus defaults #6759 #6779

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
MengLinMaker wants to merge 3 commits into
base: dev
Choose a base branch
from
+93 −19
Draft

feat: allow additional permissions to StepFunctions plus defaults #6759 #6779

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1ad4193
enable RedriveExecution by default
MengLinMaker Apr 20, 2026
1b165db
enable StopExecution by default
MengLinMaker Apr 20, 2026
5fc883d
add permission extending
MengLinMaker Apr 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 0 additions & 18 deletions examples/aws-task/sst-env.d.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,24 +6,6 @@

declare module "sst" {
export interface Resource {
"MyApp": {
"name": string
"type": "sst.aws.Function"
"url": string
}
"MyBucket": {
"name": string
"type": "sst.aws.Bucket"
}
"MyTask": {
"assignPublicIp": boolean
"cluster": string
"containers": any
"securityGroups": any
"subnets": any
"taskDefinition": string
"type": "sst.aws.Task"
}
"MyVpc": {
"type": "sst.aws.Vpc"
}
Expand Down
94 changes: 93 additions & 1 deletion platform/src/components/aws/step-functions.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ import {
interpolate,
output,
} from "@pulumi/pulumi";
import { Component, Transform, transform } from "../component";
import { Component, Prettify, Transform, transform } from "../component";
import { cloudwatch, iam, sfn } from "@pulumi/aws";
import { Link } from "../link";
import { permission } from "./permission";
Expand All @@ -31,6 +31,77 @@ import { physicalName } from "../naming";
import { functionBuilder } from "./helpers/function-builder";
import { Function } from "./function.js";

export type PermissionArgs = {
/**
* Configures whether the permission is allowed or denied.
* @default `"allow"`
* @example
* ```ts
* {
* effect: "deny"
* }
* ```
*/
effect?: "allow" | "deny";
/**
* The [IAM actions](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html#actions_table) that can be performed.
* @example
* ```js
* {
* actions: ["s3:*"]
* }
* ```
*/
actions: string[];
/**
* The resourcess specified using the [IAM ARN format](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html).
* @example
* ```js
* {
* resources: ["arn:aws:s3:::my-bucket/*"]
* }
* ```
*/
resources: Input<Input<string>[]>;
/**
* Configure specific conditions for when the policy is in effect.
*
* @example
* ```js
* {
* conditions: [
* {
* test: "StringEquals",
* variable: "s3:x-amz-server-side-encryption",
* values: ["AES256"]
* },
* {
* test: "IpAddress",
* variable: "aws:SourceIp",
* values: ["10.0.0.0/16"]
* }
* ]
* }
* ```
*/
conditions?: Input<
Input<{
/**
* Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate.
*/
test: Input<string>;
/**
* Name of a [Context Variable](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) to apply the condition to. Context variables may either be standard AWS variables starting with `aws:` or service-specific variables prefixed with the service name.
*/
variable: Input<string>;
/**
* The values to evaluate the condition against. If multiple values are provided, the condition matches if at least one of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.
*/
values: Input<Input<string>[]>;
}>[]
>;
};

export interface StepFunctionsArgs {
/**
* The type of state machine workflow to create.
Expand Down Expand Up @@ -129,6 +200,24 @@ export interface StepFunctionsArgs {
level?: Input<"all" | "error" | "fatal">;
}
>;
/**
* Permissions and the resources that the function needs to access. These permissions are
* used to create the function's IAM role.
*
* @example
* Allow the step function return scheduled activities to all resources.
* ```js
* {
* permissions: [
* {
* actions: ["state:GetActivityTask"],
* resources: ["*"]
* }
* ]
* }
* ```
*/
permissions?: Prettify<PermissionArgs>[];
/**
* [Transform](/docs/components#transform) how this component creates its underlying resources.
*/
Expand Down Expand Up @@ -269,6 +358,7 @@ export class StepFunctions extends Component implements Link.Linkable {
name: "inline",
policy: iam.getPolicyDocumentOutput({
statements: [
...(args.permissions ?? []),
{
actions: ["events:*"],
resources: ["*"],
Expand All @@ -291,7 +381,9 @@ export class StepFunctions extends Component implements Link.Linkable {
{
actions: [
"states:StartExecution",
"states:StopExecution",
"states:DescribeExecution",
"states:RedriveExecution",
],
resources: ["*"],
},
Expand Down