aws-cdk-lib/aws-stepfunctions: incorrect resource in ECS ecs:RunTask for State Machines

[nicor88]

Describe the bug

The policy generated in case of ECS tasks trigger in a state machine are of this type:

{
    "Action": "ecs:RunTask",
	"Resource": [
		"arn:aws:ecs:eu-central-1:xxxx:task-definition/my-task:*",
		"arn:aws:ecs:eu-central-1:xxxx:task-definition/my-task"
	],
	"Effect": "Allow"
},

the Resource "arn:aws:ecs:eu-central-1:xxxx:task-definition/my-task" is not a valid one, the policy validator fail in the UI (even if I'm able to deploy) and there is an AWS notification about my state machine role.

Expected Behavior

The resource used for ecs:RunTask is simply:
"arn:aws:ecs:eu-central-1:xxxx:task-definition/my-task:*",

Current Behavior

the resources for ecs:RunTask are:

• "arn:aws:ecs:eu-central-1:xxxx:task-definition/my-task:*",
• "arn:aws:ecs:eu-central-1:xxxx:task-definition/my-task"

Reproduction Steps

Create a state machine invoking an ecs task

Possible Solution

Simply remove the not necessary resource from then policy attach to the IAM role used by the statemachine.
Creating a role, and passing to sfn.StateMachine doesn't help, because an inline policy with the wrong inline policy is attach to the custom role.

Additional Information/Context

No response

CDK CLI Version

2.147.3

Framework Version

No response

Node.js Version

v18.0.0

OS

MacOs

Language

TypeScript

Language Version

No response

Other information

No response

[ashishdhingra]

Reproducible using below CDK code:

import * as cdk from 'aws-cdk-lib';
import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as ecs from 'aws-cdk-lib/aws-ecs';

export class StepStack extends cdk.Stack {
  constructor(app: cdk.App, id: string, props: cdk.StackProps) {
    super(app, id, props);

    const vpc = ec2.Vpc.fromLookup(this, 'Vpc', {
      isDefault: true,
    });

    const cluster = new ecs.Cluster(this, 'Ec2Cluster', { vpc });

    const taskDefinition = new ecs.FargateTaskDefinition(this, 'TD', {
      cpu: 256,
      memoryLimitMiB: 512,
    });

    taskDefinition.addContainer('TheContainer', {
      image: ecs.ContainerImage.fromRegistry('public.ecr.aws/docker/library/busybox:unstable-uclibc'),
      memoryLimitMiB: 256,
      command: ['sh', '-c', 'ping google.com -c 2'],
      logging: new ecs.AwsLogDriver({
        streamPrefix: 'demo',
      }),
    });

    const runTask = new tasks.EcsRunTask(this, 'Run', {
      integrationPattern: sfn.IntegrationPattern.RUN_JOB,
      cluster,
      taskDefinition,
      assignPublicIp: true,
      launchTarget: new tasks.EcsFargateLaunchTarget(),
    });

    const startState = new sfn.Pass(this, 'StartState');
    const definition = startState
      .next(runTask);

    new sfn.StateMachine(this, 'StateMachine', {
      definition,
      timeout: cdk.Duration.minutes(5),
    });
  }
}

It generates State Machine role with default policy as shown below (clearly flagging Invalid ARN Resource error):

Most likely an issue here.

[msambol]

I believe I fixed this in #30389, but we decided to leave the original permission and add a FF. @GavinZZ, shall I remove the FF and default it to only be ${taskDefinitionFamilyArn}:*?

[nicor88]

@ashishdhingra thanks for the snippet.

@msambol default to ${taskDefinitionFamilyArn}:*should do the job. But pretty much the recap of this issue, is that ${taskDefinitionFamilyArn} resource should go away from the policy to avoid:

• validation issues in the UI
• AWS to raise some notification errors in the AWS notification center.