aws_stepfunctions: StateMachine construct doesn't generate a valid policy for default StateMachineRole #31714

@JamieClayton7

Description

Describe the bug

When using aws_stepfunctions.StateMachine, the default IAM policy for the state machine role does not generate the correct statement for the action ecs:RunTask.

The difference is that we now must specify the revision number (or all revisions by omitting the number and simply adding :) tagged onto the task definition ARN.

From 15th October 2024, the statement generated will result in an AccessDeniedException when the state machine attempts to RunTask on the non-tagged task definition ARN.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

N/A

Expected Behavior

The valid statement that should be generated:

{
    "Action": "ecs:RunTask",
    "Resource": "arn:aws:ecs:eu-west-1:12345:task-definition/TaskDefinitionABC1234:1",
    "Effect": "Allow"
}

Current Behavior

The statement generated:

{
    "Action": "ecs:RunTask",
    "Resource": "arn:aws:ecs:eu-west-1:12345:task-definition/TaskDefinitionABC1234",
    "Effect": "Allow"
}

Reproduction Steps

import { Duration } from 'aws-cdk-lib';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';

// executionRole and cluster are created earlier in the stack (omitted here)

const taskDefinition = new ecs.FargateTaskDefinition(this, 'TaskDefinition', {
  cpu: 256,
  executionRole,
  memoryLimitMiB: 512,
});

// container definitions...

const stateMachineDefinition = new tasks.EcsRunTask(this, 'Run Traffic DB maintenance jobs', {
  cluster,
  launchTarget: new tasks.EcsFargateLaunchTarget(),
  taskDefinition,
  integrationPattern: sfn.IntegrationPattern.RUN_JOB,
});

const stateMachine = new sfn.StateMachine(this, 'StateMachine', {
  definition: stateMachineDefinition,
  stateMachineName: 'StateMachine',
  stateMachineType: sfn.StateMachineType.STANDARD,
  timeout: Duration.hours(2),
  tracingEnabled: true,
});

Possible Solution

CDK synth should generate the correct IAM statement for a state machine's ecs:RunTask by using the task definition role ARN with the revision tag attached to the task definition.

Workaround for the time being:

import { Duration } from 'aws-cdk-lib';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';

// executionRole and cluster are created earlier in the stack (omitted here)

const taskDefinition = new ecs.FargateTaskDefinition(this, 'TaskDefinition', {
  cpu: 256,
  executionRole,
  memoryLimitMiB: 512,
});

// container definitions...

const stateMachineDefinition = new tasks.EcsRunTask(this, 'Run Traffic DB maintenance jobs', {
  cluster,
  launchTarget: new tasks.EcsFargateLaunchTarget(),
  taskDefinition,
  integrationPattern: sfn.IntegrationPattern.RUN_JOB,
});

const stateMachine = new sfn.StateMachine(this, 'StateMachine', {
  definition: stateMachineDefinition,
  stateMachineName: 'StateMachine',
  stateMachineType: sfn.StateMachineType.STANDARD,
  timeout: Duration.hours(2),
  tracingEnabled: true,
});

// WORKAROUND
// Create a new policy whose resource is the revision-tagged task definition ARN
// (taskDefinitionArn resolves to the "...:1" form shown under Expected Behavior)
const policy = new iam.Policy(this, 'RunTaskPolicy', {
  statements: [
    new iam.PolicyStatement({
      actions: ['ecs:RunTask'],
      resources: [taskDefinition.taskDefinitionArn],
    }),
  ],
});

// Attach the new policy to the state machine's default role
policy.attachToRole(stateMachine.role);

Additional Information/Context

No response

CDK CLI Version

2.161.1 (build 0a606c9)

Framework Version

No response

Node.js Version

v22.9.0

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response
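The workaround above depends on the policy resource carrying a revision. As an added check that is not part of this issue or the CDK project, the TypeScript below scans a synthesized CloudFormation template for Allow statements on ecs:RunTask whose task definition ARN has neither a revision nor the :* wildcard; the template is a constructed sample (not real cdk synth output), the function names are my own, Fn::Join is flattened and a Ref is replaced by the opaque token <ref>.

```typescript
type Intrinsic = string | { "Fn::Join": [string, Intrinsic[]] } | { Ref: string };
interface Statement { Effect: string; Action: string | string[]; Resource: Intrinsic | Intrinsic[] }
interface Template { Resources: Record<string, any> }

// Flatten a CDK-style Fn::Join into one string; a Ref becomes the opaque token "<ref>".
export function flatten(v: Intrinsic): string {
  if (typeof v === "string") return v;
  if ("Fn::Join" in v) { const [sep, parts] = v["Fn::Join"]; return parts.map(flatten).join(sep); }
  return "<ref>";
}

// A task definition ARN passes only with ":<revision>" or ":*" after the family; other ARNs are not this bug.
const TASK_DEF = /:task-definition\/[^:]+(:(\d+|\*))?$/;
export function hasRevision(resource: string): boolean {
  const m = TASK_DEF.exec(resource);
  return m === null || m[1] !== undefined;
}

// Returns "<logicalId>: <arn>" for every Allow on ecs:RunTask with an unrevisioned task definition (ecs:* not expanded).
export function findUnrevisionedRunTask(template: Template): string[] {
  const findings: string[] = [];
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    const docs: any[] = res.Type === "AWS::IAM::Policy" ? [res.Properties.PolicyDocument]
      : res.Type === "AWS::IAM::Role" ? (res.Properties.Policies || []).map((p: any) => p.PolicyDocument) : [];
    for (const doc of docs) for (const st of doc.Statement as Statement[]) {
      const actions = ([] as string[]).concat(st.Action);
      if (st.Effect !== "Allow" || actions.indexOf("ecs:RunTask") < 0) continue;
      for (const r of ([] as Intrinsic[]).concat(st.Resource)) {
        const arn = flatten(r);
        if (!hasRevision(arn)) findings.push(`${id}: ${arn}`);
      }
    }
  }
  return findings;
}

// Constructed sample, not real cdk synth output: first policy mirrors the buggy default statement, second the workaround.
export const SAMPLE_TEMPLATE: Template = { Resources: {
  StateMachineRoleDefaultPolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyDocument: { Statement: [
    { Effect: "Allow", Action: "ecs:RunTask",
      Resource: { "Fn::Join": ["", ["arn:aws:ecs:eu-west-1:12345:task-definition/", { Ref: "TaskDefFamily" }]] } },
  ] } } },
  RunTaskPolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyDocument: { Statement: [
    { Effect: "Allow", Action: ["ecs:RunTask"],
      Resource: ["arn:aws:ecs:eu-west-1:12345:task-definition/TaskDefinitionABC1234:1",
                 "arn:aws:ecs:eu-west-1:12345:task-definition/TaskDefinitionABC1234:*"] },
  ] } } },
} };
console.log(findUnrevisionedRunTask(SAMPLE_TEMPLATE));
```

Run it against the JSON that cdk synth writes to cdk.out to list any default-role statements that will start failing with AccessDeniedException.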

Labels

@aws-cdk/aws-stepfunctions (Related to AWS StepFunctions), bug (This issue is a bug.), effort/small (Small work item – less than a day of effort), p1
