
Commit e0434ac

authored
fix: aws partition (#661)
1 parent ab6f6e6 commit e0434ac


2 files changed

+68
-5
lines changed


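--- a/lib/deploy/stepFunctions/compileIamRole.js
+++ b/lib/deploy/stepFunctions/compileIamRole.js
@@ -464,7 +464,7 @@ function getStateMachineArn(state) {
 function getStepFunctionsPermissions(state) {
 let stateMachineArn = state.Mode === 'DISTRIBUTED' ? {
 'Fn::Sub': [
-`arn:aws:states:\${AWS::Region}:\${AWS::AccountId}:stateMachine:${state.StateMachineName}`,
+`arn:\${AWS::Partition}:states:\${AWS::Region}:\${AWS::AccountId}:stateMachine:${state.StateMachineName}`,
 {},
 ],
 } : null;
@@ -496,7 +496,7 @@ function getStepFunctionsPermissions(state) {
 function getStepFunctionsSDKPermissions(state) {
 let stateMachineArn = state.Mode === 'DISTRIBUTED' ? {
 'Fn::Sub': [
-`arn:aws:states:\${AWS::Region}:\${AWS::AccountId}:stateMachine:${state.StateMachineName}`,
+`arn:\${AWS::Partition}:states:\${AWS::Region}:\${AWS::AccountId}:stateMachine:${state.StateMachineName}`,
 {},
 ],
 } : null;
@@ -736,7 +736,12 @@ function consolidatePermissionsByResource(permissions) {
 
 function getIamPermissions(taskStates) {
 return _.flatMap(taskStates, (state) => {
-const resourceName = typeof state.Resource === 'string' ? state.Resource.replace(/^arn:aws(-[a-z]+)*:/, 'arn:aws:') : state.Resource;
+// Normalize resource ARN to handle different partition formats:
+// - arn:aws:, arn:aws-cn:, arn:aws-us-gov: (literal partitions)
+// - arn:${AWS::Partition}: (CloudFormation intrinsic)
+const resourceName = typeof state.Resource === 'string'
+? state.Resource.replace(/^arn:(aws(-[a-z]+)*|\$\{AWS::Partition\}):/, 'arn:aws:')
+: state.Resource;
 switch (resourceName) {
 case 'arn:aws:states:::sqs:sendMessage':
 case 'arn:aws:states:::sqs:sendMessage.waitForTaskToken':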
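Review bot: The new normalization in getIamPermissions only rewrites string Resources, so a task whose Resource is the object form `{ 'Fn::Sub': 'arn:${AWS::Partition}:states:::states:startExecution' }` skips the regex and reaches the switch unnormalized, even though the new comment lists the intrinsic as handled; the comment should say so, e.g. `// Only string Resources are normalized; { 'Fn::Sub': ... } objects fall through to the switch untouched`. Whether a plain-string `${AWS::Partition}` inside the state definition is itself substituted by CloudFormation depends on how the definition is emitted (not visible in this diff), so a Resource that is accepted here for IAM purposes may still reach Step Functions as a literal if it is not wrapped in Fn::Sub — worth a sentence in the comment or a test pinning the emitted definition. The regex literal is also rebuilt inside the flatMap callback and duplicates the partition knowledge used by the Fn::Sub templates above; hoisting it to a named module constant, `const PARTITION_PREFIX_RE = /^arn:(aws(-[a-z]+)*|\$\{AWS::Partition\}):/;`, would give the partition list and its comment a single home. getIamPermissions continues past the end of the hunk.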

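--- a/lib/deploy/stepFunctions/compileIamRole.test.js
+++ b/lib/deploy/stepFunctions/compileIamRole.test.js
@@ -3274,6 +3274,64 @@ describe('#compileIamRole', () => {
 ],
 }]);
 });
+
+it('should handle ${AWS::Partition} in resource ARN', () => {
+const stateMachineArn = 'arn:aws:states:us-east-1:123456789:stateMachine:HelloStateMachine';
+const genStateMachine = id => ({
+id,
+definition: {
+StartAt: 'A',
+States: {
+A: {
+Type: 'Task',
+Resource: 'arn:${AWS::Partition}:states:::states:startExecution',
+Parameters: {
+StateMachineArn: stateMachineArn,
+Input: {},
+},
+Next: 'B',
+},
+B: {
+Type: 'Task',
+Resource: 'arn:${AWS::Partition}:states:::states:startExecution.sync',
+Parameters: {
+StateMachineArn: stateMachineArn,
+Input: {},
+},
+End: true,
+},
+},
+},
+});
+
+serverless.service.stepFunctions = {
+stateMachines: {
+myStateMachine1: genStateMachine('StateMachine1'),
+},
+};
+
+serverlessStepFunctions.compileIamRole();
+const statements = serverlessStepFunctions.serverless.service
+.provider.compiledCloudFormationTemplate.Resources.StateMachine1Role
+.Properties.Policies[0].PolicyDocument.Statement;
+
+const stateMachinePermissions = statements.filter(s => _.isEqual(s.Action, ['states:StartExecution']));
+expect(stateMachinePermissions).to.have.lengthOf(1);
+expect(stateMachinePermissions[0].Resource).to.deep.eq([stateMachineArn]);
+
+const executionPermissions = statements.filter(s => _.isEqual(s.Action, ['states:DescribeExecution', 'states:StopExecution']));
+expect(executionPermissions).to.have.lengthOf(1);
+expect(executionPermissions[0].Resource).to.equal('*');
+
+const eventPermissions = statements.filter(s => _.isEqual(s.Action, ['events:PutTargets', 'events:PutRule', 'events:DescribeRule']));
+expect(eventPermissions).to.have.lengthOf(1);
+expect(eventPermissions[0].Resource).to.deep.eq([{
+'Fn::Sub': [
+'arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule',
+{},
+],
+}]);
+});
 });
 
 describe('should give step functions using sdk permissions (too permissive, but mirrors console behavior)', () => {
@@ -3660,7 +3718,7 @@ describe('#compileIamRole', () => {
 expect(stepFunctionPermission).to.have.lengthOf(1);
 expect(stepFunctionPermission[0].Resource).to.deep.eq([{
 'Fn::Sub': [
-'arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:myStateMachine',
+'arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:myStateMachine',
 {},
 ],
 },
@@ -3711,7 +3769,7 @@ describe('#compileIamRole', () => {
 expect(stepFunctionPermission).to.have.lengthOf(1);
 expect(stepFunctionPermission[0].Resource).to.deep.eq([{
 'Fn::Sub': [
-'arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:DistributedMapper',
+'arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:DistributedMapper',
 {},
 ],
 },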
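Review bot: The new test only exercises the `${AWS::Partition}` intrinsic form of the Resource string, so the literal `arn:aws-cn:` and `arn:aws-us-gov:` prefixes that the same regex alternation now matches are not pinned in this hunk (they may be covered elsewhere in the file; not visible here). A second case that swaps in `Resource: 'arn:aws-us-gov:states:::states:startExecution'` with the same three assertion groups would make a regression in either branch of the alternation visible. The assertion `expect(executionPermissions[0].Resource).to.equal('*')` also pins a wildcard grant of states:DescribeExecution and states:StopExecution for the `.sync` task; since this test is the one a reader will copy when adding partition coverage, a short comment such as `// '*' mirrors the console-generated role for .sync tasks; not introduced by the partition fix` would stop the wildcard being read as intended partition behaviour.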
