(stepfunctions): SqsSendMessage is not adding policy sqs:sendMessage since v2.127.0

[orekav]

Describe the bug

Permission missing for step function to perform SQS's send message action when using SqsSendMessage construct together with @aws-solutions-constructs/aws-s3-stepfunctions.
It happens to any @aws-solutions-constructs that uses buildStateMachine

Expected Behavior

CloudFormation output for the State Machine should contain

"S3ToStepfunctionsS3ToStepfunctionseventrulestepfunctionconstructStateMachineRoleDefaultPolicy56D2BF03": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "logs:CreateLogDelivery",
        "logs:GetLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:ListLogDeliveries"
       ],
       "Effect": "Allow",
       "Resource": "*"
      },
      {
       "Action": "sqs:SendMessage",
       "Effect": "Allow",
       "Resource": {
        "Fn::GetAtt": [
         "MySqsQueue317E6770",
         "Arn"
        ]
       }
      },
      {
       "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeResourcePolicies",
        "logs:PutResourcePolicy"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":logs:",
          {
           "Ref": "AWS::Region"
          },
          ":",
          {
           "Ref": "AWS::AccountId"
          },
          ":*"
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "S3ToStepfunctionsS3ToStepfunctionseventrulestepfunctionconstructStateMachineRoleDefaultPolicy56D2BF03",
    "Roles": [
     {
      "Ref": "S3ToStepfunctionsS3ToStepfunctionseventrulestepfunctionconstructStateMachineRoleB52EB61B"
     }
    ]
   },
   "Metadata": {
    "aws:cdk:path": "MainStack/S3ToStepfunctions/S3ToStepfunctions-event-rule-step-function-construct/StateMachine/Role/DefaultPolicy/Resource",
    "cfn_nag": {
     "rules_to_suppress": [
      {
       "id": "W12",
       "reason": "The 'LogDelivery' actions do not support resource-level authorizations"
      }
     ]
    }
   }
  },

Current Behavior

CloudFormation output for the State Machine doesn't contain

      {
       "Action": "sqs:SendMessage",
       "Effect": "Allow",
       "Resource": {
        "Fn::GetAtt": [
         "MySqsQueue317E6770",
         "Arn"
        ]
       }
      },

"S3ToStepfunctionsS3ToStepfunctionseventrulestepfunctionconstructStateMachineRoleDefaultPolicy56D2BF03": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
       "PolicyDocument": {
        "Statement": [
         {
          "Action": [
           "logs:CreateLogDelivery",
           "logs:GetLogDelivery",
           "logs:UpdateLogDelivery",
           "logs:DeleteLogDelivery",
           "logs:ListLogDeliveries"
          ],
          "Effect": "Allow",
          "Resource": {
           "Fn::GetAtt": [
            "MySqsQueue317E6770",
            "Arn"
           ]
          }
         },
         {
          "Action": [
           "logs:CreateLogDelivery",
           "logs:DeleteLogDelivery",
           "logs:DescribeLogGroups",
           "logs:DescribeResourcePolicies",
           "logs:GetLogDelivery",
           "logs:ListLogDeliveries",
           "logs:PutResourcePolicy",
           "logs:UpdateLogDelivery"
          ],
          "Effect": "Allow",
          "Resource": "*"
         },
         {
          "Action": [
           "logs:DescribeLogGroups",
           "logs:DescribeResourcePolicies",
           "logs:PutResourcePolicy"
          ],
          "Effect": "Allow",
          "Resource": {
           "Fn::Join": [
            "",
            [
             "arn:",
             {
              "Ref": "AWS::Partition"
             },
             ":logs:",
             {
              "Ref": "AWS::Region"
             },
             ":",
             {
              "Ref": "AWS::AccountId"
             },
             ":*"
            ]
           ]
          }
         }
        ],
        "Version": "2012-10-17"
       },
       "PolicyName": "S3ToStepfunctionsS3ToStepfunctionseventrulestepfunctionconstructStateMachineRoleDefaultPolicy56D2BF03",
       "Roles": [
        {
         "Ref": "S3ToStepfunctionsS3ToStepfunctionseventrulestepfunctionconstructStateMachineRoleB52EB61B"
        }
       ]
      },
      "Metadata": {
       "aws:cdk:path": "MainStack/S3ToStepfunctions/S3ToStepfunctions-event-rule-step-function-construct/StateMachine/Role/DefaultPolicy/Resource",
       "cfn_nag": {
        "rules_to_suppress": [
         {
          "id": "W12",
          "reason": "The 'LogDelivery' actions do not support resource-level authorizations"
         }
        ]
       }
      }
     },

Difference

Reproduction Steps

Create a step function using SqsSendMessage from

import type { Construct } from 'constructs';
import * as cdk from 'aws-cdk-lib';
import * as sqs from 'aws-cdk-lib/aws-sqs';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import * as sfnTasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
import { S3ToStepfunctions } from '@aws-solutions-constructs/aws-s3-stepfunctions';
import { buildStateMachine } from "@aws-solutions-constructs/core";

export class MainStack extends cdk.Stack {
  constructor(scope: Construct, id: string, private props: cdk.StackProps) {
    super(scope, id, props);

    const mySqsQueue = new sqs.Queue(this, 'MySqsQueue', {});

    const chainable = new sfnTasks.SqsSendMessage(this, 'SQS Send', {
          comment: 'Send message to SQS',
          queue: mySqsQueue,
          messageBody: sfn.TaskInput.fromText('Hello, BUG!'),
          resultPath: sfn.JsonPath.DISCARD,
        });

    const definitionBody = sfn.DefinitionBody.fromChainable(chainable)

    // new sfn.StateMachine(this, 'MyStateMachine', {
    //   definitionBody,
    // });

    buildStateMachine(this, { definitionBody })

    // const { stateMachine } = new S3ToStepfunctions(this, S3ToStepfunctions.name, {
    //     deployCloudTrail: false,
    //     createCloudWatchAlarms: false,
    //     stateMachineProps: {
    //       stateMachineType: sfn.StateMachineType.EXPRESS,
    //       definitionBody,
    //     },
    //   });
  }
}

package.json

{
  "name": "app",
  "version": "0.1.0",
  "bin": {
    "app": "bin/app.js"
  },
  "scripts": {
    "build": "tsc",
    "watch": "tsc -w",
    "test": "jest",
    "cdk": "cdk"
  },
  "devDependencies": {
    "@aws-appsync/eslint-plugin": "^1.6.0",
    "@aws-appsync/utils": "^1.7.0",
    "@aws-solutions-constructs/aws-s3-stepfunctions": "2.52.1",
    "@types/jest": "^29.5.12",
    "@types/node": "20.11.16",
    "esbuild": "0.20.0",
    "cdk-appsync-typescript-resolver": "^0.0.24",
    "jest": "^29.7.0",
    "ts-jest": "^29.1.2",
    "aws-cdk": "2.127.0",
    "aws-cdk-lib": "2.127.0",
    "ts-node": "10.9.2",
    "typescript": "5.3.3"
  },
  "dependencies": {
    "constructs": "10.3.0",
    "source-map-support": "^0.5.21"
  },
  "engines": {
    "node": "20"
  }
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.127.0

Framework Version

No response

Node.js Version

20.11.1

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response

[orekav]

Furthermore, if I add this

const { stateMachine }  = buildStateMachine(this, { definitionBody });
console.log(JSON.stringify((stateMachine.node.children[0] as any).defaultPolicy.document.statements, null, 2));

I get

[
  {
    "Action": "sqs:SendMessage",
    "Effect": "Allow",
    "Resource": "${Token[TOKEN.632]}"
  },
  {
    "Action": [
      "logs:CreateLogDelivery",
      "logs:GetLogDelivery",
      "logs:UpdateLogDelivery",
      "logs:DeleteLogDelivery",
      "logs:ListLogDeliveries",
      "logs:PutResourcePolicy",
      "logs:DescribeResourcePolicies",
      "logs:DescribeLogGroups"
    ],
    "Effect": "Allow",
    "Resource": "*"
  },
  {
    "Action": [
      "logs:PutResourcePolicy",
      "logs:DescribeResourcePolicies",
      "logs:DescribeLogGroups"
    ],
    "Effect": "Allow",
    "Resource": "arn:${Token[AWS.Partition.4]}:logs:${Token[AWS.Region.5]}:${Token[AWS.AccountId.1]}:*"
  }
]

Which mean that at the moment of creation it exists, but it doesn't end up in the CloudFormation Template

[pahud]

Sounds like this issue should go to aws-solutions-constructs ?

[orekav]

Sounds like this issue should go to aws-solutions-constructs ?

I was thinking the same but, why does it happen with v2.127.0 or higher and not with v2.126.0 and lower?

[orekav]

This is the piece of code that generates the conflict but I still don't see how is this affected by CDK >= v.2.127.0

As soon as I remove that highlighted code, the error goes away.

[orekav]

I have checked a bit further the v2.127.0 release
The changes on 97e3827 to packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine.ts are the ones provoking this issue.

As soon as I rollback this file and use as it was in v2.126.0, it starts working again.

[orekav]

With the changes in v2.127.0 when we bind ChainDefinitionBody, now we are no longer using this.role, we use this (StateMachine).

Fragment A

Fragment B

Sounds like this issue should go to aws-solutions-constructs ?

[orekav]

By moving back the statement for (const statement of graph.policyStatements) { , this issue stops happening