(stepfunctions): CDK generated stepfunction roles breaking inflight stepfunction executions with versioned lambdas #17515

@nsaman

Description

What is the problem?

Using the auto-generated step function roles while also using versioned lambdas in the step functions. On deployment, the step function role is updated with the new lambda version. This causes lambda:Invoke role failures in in-flight step function executions, as they will have the previous lambda version in their step function execution definition but will now have the newer lambda version in the step function role.

Is there a way to have the auto-generated step function roles not include the lambda version in the role?

Reproduction Steps

Create a step function that invokes a lambda version. The step function role will contain the lambda version.

What did you expect to happen?

Step functions should not fail on in-flight executions during a deployment.

What actually happened?

Step function lambda:invoke errors on mismatched lambda versions:

Error: Lambda.AWSLambdaException

Cause: User: arn:aws:sts::335321747591:assumed-role/TidewaterWorkflowsCreateJ-CreateJournalStateMachin-184QJ29APKE3O/VAqgLpXDrcGwUULKzfuDBGJmuwiKLfzI is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:335321747591:function:LogResources:28 because no identity-based policy allows the lambda:InvokeFunction action (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 6ccb7c61-369f-4826-9fc6-113954ec38c8; Proxy: null)

CDK CLI Version

1.130.0 (build 9c094ae)

Framework Version

No response

Node.js Version

12

OS

macos 10.15.7

Language

Typescript

Language Version

No response

Other information

No response
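The failure mode above comes down to IAM resource matching: a statement scoped to the qualified ARN `function:Name:28` grants nothing for `function:Name:27`, which is what an execution started before the deployment still references. The following is an added example (not code from the issue or from the CDK project) that models that evaluation with a simplified IAM matcher and compares the version-pinned statement with a version-agnostic one; the account id, function name and version numbers are constructed placeholders.

```typescript
// Minimal model of IAM resource/action matching: `*` matches any run of
// characters and `?` a single character, as in IAM policy patterns.
type Statement = { Effect: "Allow" | "Deny"; Action: string[]; Resource: string[] };

function escapeRegex(s: string): string {
  return s.replace(/[.+^${}()|[\]\\]/g, "\\$&");
}

function patternToRegex(pattern: string): RegExp {
  let out = "";
  for (const ch of pattern) {
    out += ch === "*" ? ".*" : ch === "?" ? "." : escapeRegex(ch);
  }
  return new RegExp(`^${out}$`);
}

// Simplified evaluation: an explicit Deny wins, otherwise any matching Allow grants.
function isAllowed(policy: Statement[], action: string, resource: string): boolean {
  let allowed = false;
  for (const s of policy) {
    const actionMatch = s.Action.some((a) => patternToRegex(a).test(action));
    const resourceMatch = s.Resource.some((r) => patternToRegex(r).test(resource));
    if (!actionMatch || !resourceMatch) continue;
    if (s.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Constructed ARNs (placeholder account and function name).
const FN = "arn:aws:lambda:us-west-2:111111111111:function:LogResources";
const OLD_VERSION = `${FN}:27`; // referenced by an execution started before the deploy
const NEW_VERSION = `${FN}:28`; // the only version the regenerated role now grants

// Shape of the statement produced when the task targets one specific Version.
const versionPinnedPolicy: Statement[] = [
  { Effect: "Allow", Action: ["lambda:InvokeFunction"], Resource: [NEW_VERSION] },
];

// Explicit role statement covering the unqualified function and every version/alias.
const versionAgnosticPolicy: Statement[] = [
  { Effect: "Allow", Action: ["lambda:InvokeFunction"], Resource: [FN, `${FN}:*`] },
];

// Would an in-flight execution pinned to the previous version still be authorized?
function inflightStillWorks(policy: Statement[]): boolean {
  return isAllowed(policy, "lambda:InvokeFunction", OLD_VERSION);
}
```

In a CDK v1 stack the same effect is obtained by creating an `iam.Role` for `states.amazonaws.com` with `lambda:InvokeFunction` granted on both `fn.functionArn` and `` `${fn.functionArn}:*` ``, and passing it through the `role` prop of `StateMachine` instead of relying on the generated role.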

Labels

@aws-cdk/aws-stepfunctions (Related to AWS StepFunctions), bug (This issue is a bug.), effort/small (Small work item – less than a day of effort), p2