@pahud
Contributor

@pahud pahud commented Aug 14, 2025

Issue # (if applicable)

Closes #35236.

Reason for this change

The current CallAwsService construct requires the iamResources parameter, forcing users to provide dummy or placeholder ARN values in scenarios where automatic IAM policy generation is not appropriate or possible. This creates several pain points:

  1. Recursive Step Functions: State machines that need to call operations on themselves cannot provide their own ARN at synthesis time, leading to circular dependency issues
  2. Dynamic resource ARNs: Resources that don't exist at synthesis time cannot be referenced in iamResources
  3. Manual IAM management: Users who prefer to handle permissions separately through existing IAM constructs are forced to provide dummy values
  4. Code quality degradation: Developers resort to placeholder values like ['*'] or dummy ARNs, making code less maintainable and confusing

This change enables proper manual IAM management for complex scenarios while maintaining full backward compatibility with existing code.

Description of changes

  • Interface modification: Made the iamResources parameter optional in the CallAwsServiceOptions interface (iamResources: string[] → iamResources?: string[])
  • Conditional IAM policy generation: Added logic to skip automatic IAM policy generation when iamResources is undefined
  • Edge case handling: Properly handles scenarios where only additionalIamStatements are provided without iamResources
  • Documentation updates: Updated JSDoc comments and README.md to explain manual IAM management requirements
  • Comprehensive testing: Added unit tests covering all three scenarios (with iamResources, with only additionalIamStatements, with neither)

The implementation follows existing CDK patterns found in other constructs like InvokeActivity, where taskPolicies can be conditionally assigned. The framework's TaskStateBase already safely handles undefined taskPolicies by defaulting to an empty array.

Key implementation pattern:

if (props.iamResources) {
  // Generate automatic IAM policies (existing behavior)
  this.taskPolicies = [
    new iam.PolicyStatement({
      resources: props.iamResources,
      actions: [props.iamAction ?? `${iamService}:${props.action}`],
    }),
    ...props.additionalIamStatements ?? [],
  ];
} else if (props.additionalIamStatements?.length) {
  // Only include additional statements
  this.taskPolicies = [...props.additionalIamStatements];
}
// Otherwise taskPolicies remains undefined (manual IAM management)

This change enables use cases like:

  • Recursive Step Functions that reference themselves
  • Dynamic resource scenarios where ARNs are determined at runtime
  • Complex IAM setups managed through separate IAM constructs
  • Cross-account or cross-region scenarios with custom permission management

Describe any new or updated permissions being added

N/A - This change does not add new permissions. Instead, it provides an option to skip automatic IAM policy generation, requiring users to manually manage permissions when iamResources is omitted.

Description of how you validated changes

Unit tests: Added 3 comprehensive test cases to call-aws-service.test.ts:

  1. CallAwsService without iamResources - no IAM policy generated: Verifies no IAM policies are created when iamResources is omitted
  2. CallAwsService with only additionalIamStatements - only additional statements included: Tests edge case where only additional statements are provided
  3. CallAwsService without iamResources and without additionalIamStatements - no IAM policy generated: Confirms complete manual IAM management scenario

All 14 existing unit tests continue to pass unchanged, ensuring full backward compatibility.

Integration tests: Created new integration test integ.call-aws-service-optional-iam.ts demonstrating:

  • Recursive Step Functions scenario with CallAwsService calling itself
  • Manual IAM management with only additionalIamStatements
  • CloudFormation template generation verification for both scenarios
  • Real AWS deployment validation (deployed successfully to us-east-1)

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
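A stand-alone TypeScript model of the three taskPolicies branches described in the PR, added here as an example and not code from aws-cdk-lib; Statement and CallAwsServiceProps are simplified stand-ins for iam.PolicyStatement and CallAwsServiceOptions, and the account id and ARN in the sample are constructed. It also adds a small audit for wildcard resources, the placeholder values the PR description says users resorted to when iamResources was mandatory.

```typescript
// Added example (not aws-cdk-lib code): the PR's taskPolicies branching
// as a pure function, plus an audit for "*" resources in the result.
interface Statement { actions: string[]; resources: string[] }

interface CallAwsServiceProps {
  service: string;                    // e.g. "states"
  action: string;                     // e.g. "startExecution"
  iamAction?: string;                 // optional override for the IAM action
  iamResources?: string[];            // optional after this PR
  additionalIamStatements?: Statement[];
}

// Mirrors the PR: auto-generated policy, additional statements only,
// or undefined when IAM is managed manually.
function buildTaskPolicies(props: CallAwsServiceProps): Statement[] | undefined {
  const iamAction = props.iamAction ?? `${props.service}:${props.action}`;
  if (props.iamResources) {
    return [
      { actions: [iamAction], resources: props.iamResources },
      ...(props.additionalIamStatements ?? []),
    ];
  }
  if (props.additionalIamStatements?.length) {
    return [...props.additionalIamStatements];
  }
  return undefined; // manual IAM management: no policy attached here
}

// Returns every statement that grants its action on every resource ("*").
function wildcardStatements(policies: Statement[] | undefined): Statement[] {
  return (policies ?? []).filter(s => s.resources.some(r => r === '*'));
}

// Constructed sample: a state machine starting itself. Before the PR a
// dummy "*" was needed; after it, a scoped statement can be supplied instead.
const before = buildTaskPolicies({
  service: 'states', action: 'startExecution', iamResources: ['*'],
});
const after = buildTaskPolicies({
  service: 'states', action: 'startExecution',
  additionalIamStatements: [{
    actions: ['states:StartExecution'],
    resources: ['arn:aws:states:us-east-1:111122223333:stateMachine:Example'],
  }],
});
```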

@aws-cdk-automation aws-cdk-automation requested a review from a team August 14, 2025 20:24
@github-actions github-actions bot added the labels effort/medium (Medium work item – several days of effort), feature-request (A feature should be added or improved.) and p2 on Aug 14, 2025
@mergify mergify bot added the label contribution/core (This is a PR that came from AWS.) on Aug 14, 2025
@pahud pahud marked this pull request as ready for review August 14, 2025 21:52
Linked issue: (aws-stepfunctions-tasks): Make iamResources optional for CallAwsService