add iam:CreateServiceLinkedRole permission

Author: phuhung273

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-with-ebs.js.snapshot/emr-create-cluster-ebs.assets.json

@@ -584,6 +584,31 @@
         }
        ]
       },
+      {
+       "Action": "iam:CreateServiceLinkedRole",
+       "Condition": {
+        "StringEquals": {
+         "iam:AWSServiceName": [
+          "elasticmapreduce.amazonaws.com",
+          "elasticmapreduce.amazonaws.com.cn"
+         ]
+        }
+       },
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::Join": [
+         "",
+         [
+          "arn:",
+          {
+           "Ref": "AWS::Partition"
+          },
+          ":iam::*:role/aws-service-role/elasticmapreduce.amazonaws.com*/AWSServiceRoleForEMRCleanup*"
+         ]
+        ]
+       },
+       "Sid": "ElasticMapReduceServiceLinkedRole"
+      },
       {
        "Action": [
         "events:DescribeRule",

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-with-ebs.js.snapshot/emr-create-cluster-ebs.template.json

@@ -12,7 +12,7 @@ import {
 import * as iam from '../../../aws-iam';
 import * as sfn from '../../../aws-stepfunctions';
 import * as cdk from '../../../core';
-import { ValidationError } from '../../../core';
+import { Aws, ValidationError } from '../../../core';
 import { ENABLE_EMR_SERVICE_POLICY_V2 } from '../../../cx-api';
 import { integrationResourceArn, validatePatternSupported } from '../private/task-utils';
 
@@ -395,6 +395,24 @@ export class EmrCreateCluster extends sfn.TaskStateBase {
         resources: [serviceRole.roleArn, clusterRole.roleArn],
       }),
     );
+
+    // https://docs.aws.amazon.com/emr/latest/ManagementGuide/using-service-linked-roles-cleanup.html#create-service-linked-role
+    policyStatements.push(
+      new iam.PolicyStatement({
+        sid: 'ElasticMapReduceServiceLinkedRole',
+        actions: ['iam:CreateServiceLinkedRole'],
+        resources: [`arn:${Aws.PARTITION}:iam::*:role/aws-service-role/elasticmapreduce.amazonaws.com*/AWSServiceRoleForEMRCleanup*`],
+        conditions: {
+          StringEquals: {
+            'iam:AWSServiceName': [
+              'elasticmapreduce.amazonaws.com',
+              'elasticmapreduce.amazonaws.com.cn',
+            ],
+          },
+        },
+      }),
+    );
+
     if (autoScalingRole !== undefined) {
       policyStatements.push(
         new iam.PolicyStatement({

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-with-ebs.js.snapshot/emrcreateclusterebsintegDefaultTestDeployAssert7DC4C06C.assets.json

@@ -2009,3 +2009,89 @@ test('Create Cluster with ManagedScalingPolicy', () => {
     },
   });
 });
+
+test('StateMachine get correct permission', () => {
+  // WHEN
+  const step = new EmrCreateCluster(stack, 'Task', {
+    instances: {},
+    name: 'Cluster',
+    integrationPattern: sfn.IntegrationPattern.RUN_JOB,
+  });
+
+  new sfn.StateMachine(stack, 'SM', {
+    definition: step,
+  });
+
+  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Statement: [
+        {
+          Action: [
+            'elasticmapreduce:RunJobFlow',
+            'elasticmapreduce:DescribeCluster',
+            'elasticmapreduce:TerminateJobFlows',
+            'elasticmapreduce:AddTags',
+          ],
+          Effect: 'Allow',
+          Resource: '*',
+        },
+        {
+          Action: 'iam:PassRole',
+          Effect: 'Allow',
+          Resource: [
+            { 'Fn::GetAtt': ['TaskServiceRoleBF55F61E', 'Arn'] },
+            { 'Fn::GetAtt': ['TaskInstanceRoleB72072BF', 'Arn'] },
+          ],
+        },
+        {
+          Sid: 'ElasticMapReduceServiceLinkedRole',
+          Action: 'iam:CreateServiceLinkedRole',
+          Effect: 'Allow',
+          Resource: {
+            'Fn::Join': ['', [
+              'arn:',
+              { Ref: 'AWS::Partition' },
+              ':iam::*:role/aws-service-role/elasticmapreduce.amazonaws.com*/AWSServiceRoleForEMRCleanup*',
+            ]],
+          },
+          Condition: {
+            StringEquals: {
+              'iam:AWSServiceName': [
+                'elasticmapreduce.amazonaws.com',
+                'elasticmapreduce.amazonaws.com.cn',
+              ],
+            },
+          },
+        },
+        {
+          Action: 'iam:PassRole',
+          Effect: 'Allow',
+          Resource: {
+            'Fn::GetAtt': ['TaskAutoScalingRoleD06F8423', 'Arn'],
+          },
+        },
+        {
+          Action: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'],
+          Effect: 'Allow',
+          Resource: {
+            'Fn::Join': ['', [
+              'arn:',
+              { Ref: 'AWS::Partition' },
+              ':events:',
+              { Ref: 'AWS::Region' },
+              ':',
+              { Ref: 'AWS::AccountId' },
+              ':rule/StepFunctionsGetEventForEMRRunJobFlowRule',
+            ]],
+          },
+        },
+      ],
+      Version: '2012-10-17',
+    },
+    Roles: [
+      {
+        Ref: 'SMRole49C19C48',
+      },
+    ],
+  });
+});