Add grantRead to parent step functions

Nag Suppressions required since grantRead uses a * since it requires read on all invocations of a step function

lib/workload/components/icav2-copy-files-batch/index.ts

@@ -7,6 +7,7 @@ import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager';
 import { PythonFunction } from '@aws-cdk/aws-lambda-python-alpha';
 import path from 'path';
 import { ICAv2CopyFilesConstruct } from '../icav2-copy-files';
+import { NagSuppressions } from 'cdk-nag';
 
 export interface ICAv2CopyFilesBatchConstructProps {
   /* Constructs */
@@ -56,6 +57,10 @@ export class ICAv2CopyBatchUtilityConstruct extends Construct {
     // Add execution permissions to stateMachine role
     manifestInverterLambda.currentVersion.grantInvoke(this.icav2CopyFilesBatchSfnObj);
 
+    // Add state machine execution permissions to stateMachineBatch role
+    this.icav2CopyFilesSfnObj.grantStartExecution(this.icav2CopyFilesBatchSfnObj);
+    this.icav2CopyFilesSfnObj.grantRead(this.icav2CopyFilesBatchSfnObj);
+
     // Because we run a nested state machine, we need to add the permissions to the state machine role
     // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr
     this.icav2CopyFilesBatchSfnObj.addToRolePolicy(
@@ -67,7 +72,18 @@ export class ICAv2CopyBatchUtilityConstruct extends Construct {
       })
     );
 
-    // Add state machine execution permissions to stateMachineBatch role
-    this.icav2CopyFilesSfnObj.grantStartExecution(this.icav2CopyFilesBatchSfnObj);
+    // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies
+    // Polling requires permission for states:DescribeExecution
+    NagSuppressions.addResourceSuppressions(
+      this.icav2CopyFilesBatchSfnObj,
+      [
+        {
+          id: 'AwsSolutions-IAM5',
+          reason:
+            'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations',
+        },
+      ],
+      true
+    );
   }
 }

lib/workload/components/sfn-generate-workflowrunstatechange-ready-event/index.ts

@@ -14,6 +14,7 @@ import * as cdk from 'aws-cdk-lib';
 import { PythonLambdaFlattenListOfObjectsConstruct } from '../python-lambda-flatten-list-of-objects';
 import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager';
 import { Duration } from 'aws-cdk-lib';
+import { NagSuppressions } from 'cdk-nag';
 
 export interface WorkflowRunStateChangeInternalInputMakerProps {
   /* Object name prefixes */
@@ -164,6 +165,8 @@ export class GenerateWorkflowRunStateChangeReadyConstruct extends Construct {
     /*
     Part 3 - Connect permissions between state-machines
     */
+    engineParameterGeneratorStateMachineSfn.grantStartExecution(this.stepFunctionObj);
+    engineParameterGeneratorStateMachineSfn.grantRead(this.stepFunctionObj);
 
     /* Allow step function to call nested state machine */
     // Because we run a nested state machine, we need to add the permissions to the state machine role
@@ -176,7 +179,20 @@ export class GenerateWorkflowRunStateChangeReadyConstruct extends Construct {
         actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'],
       })
     );
-    engineParameterGeneratorStateMachineSfn.grantStartExecution(this.stepFunctionObj);
+
+    // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies
+    // Polling requires permission for states:DescribeExecution
+    NagSuppressions.addResourceSuppressions(
+      this.stepFunctionObj,
+      [
+        {
+          id: 'AwsSolutions-IAM5',
+          reason:
+            'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations',
+        },
+      ],
+      true
+    );
 
     /* Allow step function to send events */
     props.eventBusObj.grantPutEventsTo(this.stepFunctionObj);

lib/workload/components/sfn-icav2-ready-event-handler/index.ts

@@ -11,6 +11,7 @@ import * as lambda_python from '@aws-cdk/aws-lambda-python-alpha';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
 import { Duration } from 'aws-cdk-lib';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import { NagSuppressions } from 'cdk-nag';
 
 export interface WfmWorkflowStateChangeIcav2ReadyEventHandlerConstructProps {
   /* Names of table to write to */
@@ -134,6 +135,10 @@ export class WfmWorkflowStateChangeIcav2ReadyEventHandlerConstruct extends Const
     /* Grant the state machine access to the ssm parameter path */
     pipeline_id_ssm_param_obj.grantRead(this.stateMachineObj);
 
+    // Grant the state machine the ability to start the internal generate inputs sfn
+    props.generateInputsJsonSfn.grantStartExecution(this.stateMachineObj);
+    props.generateInputsJsonSfn.grantRead(this.stateMachineObj);
+
     /* Grant the state machine access to invoke the internal launch sfn machine */
     // Because we run a nested state machine, we need to add the permissions to the state machine role
     // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr
@@ -146,8 +151,19 @@ export class WfmWorkflowStateChangeIcav2ReadyEventHandlerConstruct extends Const
       })
     );
 
-    // Grant the state machine the ability to start the internal generate inputs sfn
-    props.generateInputsJsonSfn.grantStartExecution(this.stateMachineObj);
+    // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies
+    // Polling requires permission for states:DescribeExecution
+    NagSuppressions.addResourceSuppressions(
+      this.stateMachineObj,
+      [
+        {
+          id: 'AwsSolutions-IAM5',
+          reason:
+            'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations',
+        },
+      ],
+      true
+    );
 
     /* Grant the state machine read and write access to the table */
     table_obj.grantReadWriteData(this.stateMachineObj);

lib/workload/components/sfn-icav2-state-change-event-handler/index.ts

@@ -6,6 +6,7 @@ import * as events from 'aws-cdk-lib/aws-events';
 import * as events_targets from 'aws-cdk-lib/aws-events-targets';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as cdk from 'aws-cdk-lib';
+import { NagSuppressions } from 'cdk-nag';
 
 export interface Icav2AnalysisEventHandlerConstructProps {
   /* Names of objects to get */
@@ -75,6 +76,7 @@ export class Icav2AnalysisEventHandlerConstruct extends Construct {
 
     /* Grant state machine permissions to run the output json step function */
     props.generateOutputsJsonSfn.grantStartExecution(this.stateMachineObj);
+    props.generateOutputsJsonSfn.grantRead(this.stateMachineObj);
 
     /* Grant the state machine access to invoke the internal launch sfn machine */
     // Because we run a nested state machine, we need to add the permissions to the state machine role
@@ -88,6 +90,20 @@ export class Icav2AnalysisEventHandlerConstruct extends Construct {
       })
     );
 
+    // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies
+    // Polling requires permission for states:DescribeExecution
+    NagSuppressions.addResourceSuppressions(
+      this.stateMachineObj,
+      [
+        {
+          id: 'AwsSolutions-IAM5',
+          reason:
+            'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations',
+        },
+      ],
+      true
+    );
+
     const rulePrefix = this.coerce_names(`umccr__automated__${props.workflowName}`);
 
     // Create a rule for this state machine

lib/workload/stateless/stacks/bssh-icav2-fastq-copy-manager/deploy/constructs/bssh-icav2-fastq-copy-manager/index.ts

@@ -8,6 +8,7 @@ import { DefinitionBody } from 'aws-cdk-lib/aws-stepfunctions';
 
 import { PythonFunction } from '@aws-cdk/aws-lambda-python-alpha';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import { NagSuppressions } from 'cdk-nag';
 
 interface BsshIcav2FastqCopyStateMachineConstructProps {
   prefix: string; // bsshFastqCopy
@@ -61,10 +62,14 @@ export class BsshIcav2FastqCopyStateMachineConstruct extends Construct {
     });
 
     // Add execution permissions to stateMachine role
-    props.bclconvertSuccessEventHandlerLambdaObj.currentVersion.grantInvoke(stateMachine.role);
+    props.bclconvertSuccessEventHandlerLambdaObj.currentVersion.grantInvoke(stateMachine);
 
     // Allow the icav2 copy batch statemachine to be started by the bssh fastq copy manager
 
+    // State machine
+    props.icav2CopyBatchStateMachineObj.grantStartExecution(stateMachine);
+    props.icav2CopyBatchStateMachineObj.grantRead(stateMachine);
+
     // Because we run a nested state machine, we need to add the permissions to the state machine role
     // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr
     stateMachine.addToRolePolicy(
@@ -76,8 +81,19 @@ export class BsshIcav2FastqCopyStateMachineConstruct extends Construct {
       })
     );
 
-    // State machine
-    props.icav2CopyBatchStateMachineObj.grantStartExecution(stateMachine.role);
+    // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies
+    // Polling requires permission for states:DescribeExecution
+    NagSuppressions.addResourceSuppressions(
+      stateMachine,
+      [
+        {
+          id: 'AwsSolutions-IAM5',
+          reason:
+            'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations',
+        },
+      ],
+      true
+    );
 
     // Trigger state machine on event
     const rule = new events.Rule(this, 'bssh_fastq_copy_trigger_rule', {
@@ -100,6 +116,6 @@ export class BsshIcav2FastqCopyStateMachineConstruct extends Construct {
     );
 
     // Allow the statemachine to submit events to the event bus
-    props.eventBusObj.grantPutEventsTo(stateMachine.role);
+    props.eventBusObj.grantPutEventsTo(stateMachine);
   }
 }

lib/workload/stateless/stacks/cttso-v2-pipeline-manager/deploy/constructs/cttsov2-icav2-manager/index.ts

@@ -12,6 +12,7 @@ import { PythonFunction } from '@aws-cdk/aws-lambda-python-alpha';
 import { Icav2AnalysisEventHandlerConstruct } from '../../../../../../components/sfn-icav2-state-change-event-handler';
 import { WfmWorkflowStateChangeIcav2ReadyEventHandlerConstruct } from '../../../../../../components/sfn-icav2-ready-event-handler';
 import { DockerImageFunction } from 'aws-cdk-lib/aws-lambda';
+import { NagSuppressions } from 'cdk-nag';
 
 interface Cttsov2Icav2PipelineManagerConstructProps {
   /* Stack Objects */
@@ -105,6 +106,10 @@ export class Cttsov2Icav2PipelineManagerConstruct extends Construct {
     // Allow state machine to read/write to dynamodb table
     props.dynamodbTableObj.grantReadWriteData(configureInputsSfn);
 
+    // Add state machine execution permissions to stateMachine role
+    props.icav2CopyFilesStateMachineObj.grantStartExecution(configureInputsSfn);
+    props.icav2CopyFilesStateMachineObj.grantRead(configureInputsSfn);
+
     // Because we run a nested state machine, we need to add the permissions to the state machine role
     // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr
     configureInputsSfn.addToRolePolicy(
@@ -116,8 +121,19 @@ export class Cttsov2Icav2PipelineManagerConstruct extends Construct {
       })
     );
 
-    // Add state machine execution permissions to stateMachine role
-    props.icav2CopyFilesStateMachineObj.grantStartExecution(configureInputsSfn);
+    // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies
+    // Polling requires permission for states:DescribeExecution
+    NagSuppressions.addResourceSuppressions(
+      configureInputsSfn,
+      [
+        {
+          id: 'AwsSolutions-IAM5',
+          reason:
+            'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations',
+        },
+      ],
+      true
+    );
 
     // Update checkNumRunningSfnsLambdaObj env var to include the state machine arn of
     // the icav2 copy files sfn

lib/workload/stateless/stacks/ora-compression-manager/deploy/index.ts

@@ -37,6 +37,7 @@ import { Icav2AnalysisEventHandlerConstruct } from '../../../../components/sfn-i
 import { OraDecompressionConstruct } from '../../../../components/ora-file-decompression-fq-pair-sfn';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import { GzipRawMd5sumDecompressionConstruct } from '../../../../components/gzip-raw-md5sum-fq-pair-sfn';
+import { NagSuppressions } from 'cdk-nag';
 
 export interface OraCompressionIcav2PipelineManagerConfig {
   /*
@@ -208,6 +209,10 @@ export class OraCompressionIcav2PipelineManagerStack extends cdk.Stack {
       }
     );
 
+    // Configure step function invoke access to the gzip raw md5sum sfn
+    gzipRawMd5sumSfnObj.grantStartExecution(configureInputsSfn);
+    gzipRawMd5sumSfnObj.grantRead(configureInputsSfn);
+
     // Configure the step function to have invoke access to the gzip raw md5sum sfn
     /* Allow step function to call nested state machine */
     // Because we run a nested state machine, we need to add the permissions to the state machine role
@@ -220,7 +225,20 @@ export class OraCompressionIcav2PipelineManagerStack extends cdk.Stack {
         actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'],
       })
     );
-    gzipRawMd5sumSfnObj.grantStartExecution(configureInputsSfn);
+
+    // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies
+    // Polling requires permission for states:DescribeExecution
+    NagSuppressions.addResourceSuppressions(
+      configureInputsSfn,
+      [
+        {
+          id: 'AwsSolutions-IAM5',
+          reason:
+            'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations',
+        },
+      ],
+      true
+    );
 
     /*
     Generate the outputs sfn
@@ -299,6 +317,10 @@ export class OraCompressionIcav2PipelineManagerStack extends cdk.Stack {
       lambda_obj.currentVersion.grantInvoke(configureOutputsSfn);
     });
 
+    // Configure step function invoke access to the ora decompression sfn
+    oraDecompressionSfn.grantStartExecution(configureOutputsSfn);
+    oraDecompressionSfn.grantRead(configureOutputsSfn);
+
     /* Allow step function to call nested state machine */
     // Because we run a nested state machine, we need to add the permissions to the state machine role
     // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr
@@ -311,8 +333,19 @@ export class OraCompressionIcav2PipelineManagerStack extends cdk.Stack {
       })
     );
 
-    // Configure step function invoke access to the ora decompression sfn
-    oraDecompressionSfn.grantStartExecution(configureOutputsSfn);
+    // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies
+    // Polling requires permission for states:DescribeExecution
+    NagSuppressions.addResourceSuppressions(
+      configureOutputsSfn,
+      [
+        {
+          id: 'AwsSolutions-IAM5',
+          reason:
+            'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations',
+        },
+      ],
+      true
+    );
 
     // Generate state machine for handling the 'READY' event
     const handleWfmReadyEventSfn = new WfmWorkflowStateChangeIcav2ReadyEventHandlerConstruct(

lib/workload/stateless/stacks/ora-decompression-manager/deploy/index.ts

@@ -7,6 +7,7 @@ import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
 import path from 'path';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as eventsTargets from 'aws-cdk-lib/aws-events-targets';
+import { NagSuppressions } from 'cdk-nag';
 
 export interface OraDecompressionPipelineManagerConfig {
   /* Stack essentials */
@@ -62,6 +63,10 @@ export class OraDecompressionManagerStack extends cdk.Stack {
       },
     });
 
+    /* Grant the state machine access to invoke the internal launch sfn machine */
+    oraDecompressionSfnConstruct.sfnObject.grantStartExecution(oraManagerSfn);
+    oraDecompressionSfnConstruct.sfnObject.grantRead(oraManagerSfn);
+
     // Because we run a nested state machine, we need to add the permissions to the state machine role
     // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr
     oraManagerSfn.addToRolePolicy(
@@ -73,8 +78,19 @@ export class OraDecompressionManagerStack extends cdk.Stack {
       })
     );
 
-    /* Grant the state machine access to invoke the internal launch sfn machine */
-    oraDecompressionSfnConstruct.sfnObject.grantStartExecution(oraManagerSfn);
+    // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies
+    // Polling requires permission for states:DescribeExecution
+    NagSuppressions.addResourceSuppressions(
+      oraManagerSfn,
+      [
+        {
+          id: 'AwsSolutions-IAM5',
+          reason:
+            'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations',
+        },
+      ],
+      true
+    );
 
     // Create a rule to trigger the state machine
     const rule = new events.Rule(this, 'rule', {