Description
Describe the bug
Currently, when adding a DistributedMap to a state machine, the permissions to run the Distributed Map are not quite right, and the permissions needed to redrive the Distributed Map are not present at all. These are required as stated here: https://docs.aws.amazon.com/step-functions/latest/dg/iam-policies-eg-dist-map.html
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Library Version
No response
Expected Behavior
The DistributedMap should apply the correct permissions to the state machine:
```diff
  action: ["states:DescribeExecution", "states:StopExecution"]
- resource: "arn:aws:states:us-east-2:account-id:stateMachine:myStateMachine:*"
+ resource: "arn:aws:states:us-east-2:account-id:execution:myStateMachine:*"
//...
+ action: "states:RedriveExecution"
+ resource: "arn:aws:states:us-east-2:account-id:execution:myStateMachine/*:*"
```
Current Behavior
Some users report errors when running the DistributedMap (see this issue for a long list of comments: #28820); this could be attributed to the typo in the permissions. Currently, redriving a state machine with a failed DistributedMap deployed via CDK is not possible out of the box.
Reproduction Steps
The following map, when added to a state machine, cannot be redriven:
```typescript
import { DistributedMap, Fail } from 'aws-cdk-lib/aws-stepfunctions';

// Inside a Stack or Construct: a map whose item processor always fails.
const map = new DistributedMap(this, 'map').itemProcessor(new Fail(this, 'fail'));
```
Possible Solution
Add the appropriate redrive permissions
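As an added example (not code from aws-cdk or from this issue), the following derives the two statements shown under Expected Behavior for a given state machine ARN and audits an existing role policy for them, so a synthesized template can be checked until the fix lands; the `Statement` shape mirrors IAM policy JSON, and the account id is a constructed placeholder.

```typescript
// Added example (not aws-cdk code): the IAM grants the linked AWS doc requires for a
// Distributed Map, plus an audit that reports the defects described in this issue.
interface Statement { Effect: 'Allow' | 'Deny'; Action: string | string[]; Resource: string | string[] }

// State machine ARN layout: arn:aws:states:<region>:<account>:stateMachine:<name>
const STATE_MACHINE_ARN = /^arn:aws:states:([^:]+):([^:]+):stateMachine:([^:]+)$/;
const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

function requiredDistributedMapStatements(stateMachineArn: string): Statement[] {
  const m = STATE_MACHINE_ARN.exec(stateMachineArn);
  if (!m) throw new Error('not a state machine ARN: ' + stateMachineArn);
  const prefix = 'arn:aws:states:' + m[1] + ':' + m[2] + ':execution:' + m[3];
  return [
    // Child executions of the map: the resource type is "execution", not "stateMachine".
    { Effect: 'Allow', Action: ['states:DescribeExecution', 'states:StopExecution'], Resource: prefix + ':*' },
    // Redrive targets the map-run-scoped execution ARN, hence the extra "/*" segment.
    { Effect: 'Allow', Action: 'states:RedriveExecution', Resource: prefix + '/*:*' },
  ];
}

// Every "<action> on <resource>" grant from the required set that `policy` does not contain.
function missingGrants(policy: Statement[], stateMachineArn: string): string[] {
  const granted: string[] = [];
  for (const s of policy) {
    if (s.Effect !== 'Allow') continue;
    for (const a of asList(s.Action)) for (const r of asList(s.Resource)) granted.push(a + ' on ' + r);
  }
  const missing: string[] = [];
  for (const s of requiredDistributedMapStatements(stateMachineArn)) {
    for (const a of asList(s.Action)) for (const r of asList(s.Resource)) {
      const grant = a + ' on ' + r;
      if (granted.indexOf(grant) < 0) missing.push(grant);
    }
  }
  return missing;
}

// Constructed sample (account id is a placeholder): the policy shape this issue reports CDK producing.
const reportedPolicy: Statement[] = [{
  Effect: 'Allow',
  Action: ['states:DescribeExecution', 'states:StopExecution'],
  Resource: 'arn:aws:states:us-east-2:123456789012:stateMachine:myStateMachine:*',
}];

// Audit the reported policy against the state machine it belongs to.
const gaps = missingGrants(reportedPolicy, 'arn:aws:states:us-east-2:123456789012:stateMachine:myStateMachine');
console.log(gaps); // three missing grants: Describe/Stop on execution:...:* and RedriveExecution on .../*:*
```

As an interim workaround, each returned statement can be wrapped with `iam.PolicyStatement.fromJson` and passed to `StateMachine.addToRolePolicy` in the stack.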
Additional Information/Context
The same issue applies to DistributedMaps created in nested state graphs, such as a Parallel branch, except it is more severe there because those state machines cannot even be run.
AWS CDK Library version (aws-cdk-lib)
v2.213.0
AWS CDK CLI version
2.1023.0
Node.js Version
20
OS
macOS
Language
TypeScript
Language Version
No response
Other information
Fixed by #34760