diff --git a/lib/workload/components/icav2-copy-files-batch/index.ts b/lib/workload/components/icav2-copy-files-batch/index.ts index c0d98b378..8370d63e4 100644 --- a/lib/workload/components/icav2-copy-files-batch/index.ts +++ b/lib/workload/components/icav2-copy-files-batch/index.ts @@ -7,6 +7,7 @@ import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager'; import { PythonFunction } from '@aws-cdk/aws-lambda-python-alpha'; import path from 'path'; import { ICAv2CopyFilesConstruct } from '../icav2-copy-files'; +import { NagSuppressions } from 'cdk-nag'; export interface ICAv2CopyFilesBatchConstructProps { /* Constructs */ @@ -56,6 +57,10 @@ export class ICAv2CopyBatchUtilityConstruct extends Construct { // Add execution permissions to stateMachine role manifestInverterLambda.currentVersion.grantInvoke(this.icav2CopyFilesBatchSfnObj); + // Add state machine execution permissions to stateMachineBatch role + this.icav2CopyFilesSfnObj.grantStartExecution(this.icav2CopyFilesBatchSfnObj); + this.icav2CopyFilesSfnObj.grantRead(this.icav2CopyFilesBatchSfnObj); + // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr this.icav2CopyFilesBatchSfnObj.addToRolePolicy( 
@@ -67,7 +72,18 @@ export class ICAv2CopyBatchUtilityConstruct extends Construct { }) ); - // Add state machine execution permissions to stateMachineBatch role - this.icav2CopyFilesSfnObj.grantStartExecution(this.icav2CopyFilesBatchSfnObj); + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + this.icav2CopyFilesBatchSfnObj, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); } } diff --git a/lib/workload/components/sfn-generate-workflowrunstatechange-ready-event/index.ts b/lib/workload/components/sfn-generate-workflowrunstatechange-ready-event/index.ts index 333df31db..c9a22314a 100644 --- a/lib/workload/components/sfn-generate-workflowrunstatechange-ready-event/index.ts +++ b/lib/workload/components/sfn-generate-workflowrunstatechange-ready-event/index.ts @@ -14,6 +14,7 @@ import * as cdk from 'aws-cdk-lib'; import { PythonLambdaFlattenListOfObjectsConstruct } from '../python-lambda-flatten-list-of-objects'; import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager'; import { Duration } from 'aws-cdk-lib'; +import { NagSuppressions } from 'cdk-nag'; export interface WorkflowRunStateChangeInternalInputMakerProps { /* Object name prefixes */ @@ -164,6 +165,8 @@ export class GenerateWorkflowRunStateChangeReadyConstruct extends Construct { /* Part 3 - Connect permissions between state-machines */ + engineParameterGeneratorStateMachineSfn.grantStartExecution(this.stepFunctionObj); + engineParameterGeneratorStateMachineSfn.grantRead(this.stepFunctionObj); /* Allow step function to call nested state machine */ // Because we run a nested state machine, we need to add the permissions to the state machine role 
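Review bot: `NagSuppressions.addResourceSuppressions(..., true)` with no `appliesTo` suppresses every AwsSolutions-IAM5 finding on the state machine and all of its children (its role and DefaultPolicy), not only the `execution:*` resource the reason text describes, so any wildcard action or resource added to that role later is accepted silently; scope it to the finding it justifies, e.g. `{ id: 'AwsSolutions-IAM5', reason: '...', appliesTo: [{ regex: '/^Resource::.*:execution:.*:\\*$/g' }] }`. Separately, `grantRead` is wider than the linked sync/async IAM page calls for: if I recall the CDK implementation correctly it also grants `states:GetExecutionHistory` (which returns execution input and output payloads) on `execution:*` and `states:ListActivities`/`states:DescribeStateMachine`/`states:DescribeActivity` on `*`, whereas the `.sync` policy on the linked page needs only `states:DescribeExecution` and `states:StopExecution` on the execution ARN, and neither `grantStartExecution` nor `grantRead` covers `StopExecution` — confirm whether these integrations use `.sync`. An explicit `addToRolePolicy` as below keeps the role at least-privilege and leaves a single wildcard to suppress (assuming `iam` and `cdk` are imported here as they are in the sibling files). The same `grantRead` + blanket-suppression pattern is repeated in every other file of this commit (sfn-generate-workflowrunstatechange-ready-event, sfn-icav2-ready-event-handler, sfn-icav2-state-change-event-handler, bssh-icav2-fastq-copy-manager, cttsov2-icav2-manager, ora-compression-manager, ora-decompression-manager, pieriandx_launch_step_function and the stacky-mcstackface glue constructs), so the fix applies to each of them. The enclosing constructor starts outside the hunk.
```typescript
    // … unchanged: grantStartExecution and the events:PutTargets/PutRule/DescribeRule policy …
    // .sync polling needs DescribeExecution (and StopExecution) on this machine's executions only;
    // replaces the grantRead call, which also hands out GetExecutionHistory and a Resource '*' statement
    this.icav2CopyFilesBatchSfnObj.addToRolePolicy(
      new iam.PolicyStatement({
        actions: ['states:DescribeExecution', 'states:StopExecution'],
        resources: [
          cdk.Stack.of(this).formatArn({
            service: 'states',
            resource: 'execution',
            resourceName: `${this.icav2CopyFilesSfnObj.stateMachineName}:*`,
            arnFormat: cdk.ArnFormat.COLON_RESOURCE_NAME,
          }),
        ],
      })
    );
    NagSuppressions.addResourceSuppressions(
      this.icav2CopyFilesBatchSfnObj,
      [
        {
          id: 'AwsSolutions-IAM5',
          reason:
            'Execution ids are generated at run time, so DescribeExecution/StopExecution must cover all executions of the nested state machine',
          appliesTo: [{ regex: '/^Resource::.*:execution:.*:\\*$/g' }],
        },
      ],
      true
    );
```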
@@ -176,7 +179,20 @@ export class GenerateWorkflowRunStateChangeReadyConstruct extends Construct { actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], }) ); - engineParameterGeneratorStateMachineSfn.grantStartExecution(this.stepFunctionObj); + + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + this.stepFunctionObj, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); /* Allow step function to send events */ props.eventBusObj.grantPutEventsTo(this.stepFunctionObj); diff --git a/lib/workload/components/sfn-icav2-ready-event-handler/index.ts b/lib/workload/components/sfn-icav2-ready-event-handler/index.ts index f9c4c651c..15354bbc1 100644 --- a/lib/workload/components/sfn-icav2-ready-event-handler/index.ts +++ b/lib/workload/components/sfn-icav2-ready-event-handler/index.ts @@ -11,6 +11,7 @@ import * as lambda_python from '@aws-cdk/aws-lambda-python-alpha'; import * as lambda from 'aws-cdk-lib/aws-lambda'; import { Duration } from 'aws-cdk-lib'; import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager'; +import { NagSuppressions } from 'cdk-nag'; export interface WfmWorkflowStateChangeIcav2ReadyEventHandlerConstructProps { /* Names of table to write to */ 
@@ -134,6 +135,10 @@ export class WfmWorkflowStateChangeIcav2ReadyEventHandlerConstruct extends Const /* Grant the state machine access to the ssm parameter path */ pipeline_id_ssm_param_obj.grantRead(this.stateMachineObj); + // Grant the state machine the ability to start the internal generate inputs sfn + props.generateInputsJsonSfn.grantStartExecution(this.stateMachineObj); + props.generateInputsJsonSfn.grantRead(this.stateMachineObj); + /* Grant the state machine access to invoke the internal launch sfn machine */ // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr @@ -146,8 +151,19 @@ export class WfmWorkflowStateChangeIcav2ReadyEventHandlerConstruct extends Const }) ); - // Grant the state machine the ability to start the internal generate inputs sfn - props.generateInputsJsonSfn.grantStartExecution(this.stateMachineObj); + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + this.stateMachineObj, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); /* Grant the state machine read and write access to the table */ table_obj.grantReadWriteData(this.stateMachineObj); diff --git a/lib/workload/components/sfn-icav2-state-change-event-handler/index.ts b/lib/workload/components/sfn-icav2-state-change-event-handler/index.ts index 4cd2fdca0..4c0b5fdcc 100644 --- a/lib/workload/components/sfn-icav2-state-change-event-handler/index.ts +++ b/lib/workload/components/sfn-icav2-state-change-event-handler/index.ts 
@@ -6,6 +6,7 @@ import * as events from 'aws-cdk-lib/aws-events'; import * as events_targets from 'aws-cdk-lib/aws-events-targets'; import * as iam from 'aws-cdk-lib/aws-iam'; import * as cdk from 'aws-cdk-lib'; +import { NagSuppressions } from 'cdk-nag'; export interface Icav2AnalysisEventHandlerConstructProps { /* Names of objects to get */ @@ -75,6 +76,7 @@ export class Icav2AnalysisEventHandlerConstruct extends Construct { /* Grant state machine permissions to run the output json step function */ props.generateOutputsJsonSfn.grantStartExecution(this.stateMachineObj); + props.generateOutputsJsonSfn.grantRead(this.stateMachineObj); /* Grant the state machine access to invoke the internal launch sfn machine */ // Because we run a nested state machine, we need to add the permissions to the state machine role @@ -88,6 +90,20 @@ export class Icav2AnalysisEventHandlerConstruct extends Construct { }) ); + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + this.stateMachineObj, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); + const rulePrefix = this.coerce_names(`umccr__automated__${props.workflowName}`); // Create a rule for this state machine diff --git a/lib/workload/stateless/stacks/bssh-icav2-fastq-copy-manager/deploy/constructs/bssh-icav2-fastq-copy-manager/index.ts b/lib/workload/stateless/stacks/bssh-icav2-fastq-copy-manager/deploy/constructs/bssh-icav2-fastq-copy-manager/index.ts index bfb39cf74..c614bf3ac 100644 --- a/lib/workload/stateless/stacks/bssh-icav2-fastq-copy-manager/deploy/constructs/bssh-icav2-fastq-copy-manager/index.ts +++ b/lib/workload/stateless/stacks/bssh-icav2-fastq-copy-manager/deploy/constructs/bssh-icav2-fastq-copy-manager/index.ts 
@@ -8,6 +8,7 @@ import { DefinitionBody } from 'aws-cdk-lib/aws-stepfunctions'; import { PythonFunction } from '@aws-cdk/aws-lambda-python-alpha'; import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager'; +import { NagSuppressions } from 'cdk-nag'; interface BsshIcav2FastqCopyStateMachineConstructProps { prefix: string; // bsshFastqCopy @@ -61,10 +62,14 @@ export class BsshIcav2FastqCopyStateMachineConstruct extends Construct { }); // Add execution permissions to stateMachine role - props.bclconvertSuccessEventHandlerLambdaObj.currentVersion.grantInvoke(stateMachine.role); + props.bclconvertSuccessEventHandlerLambdaObj.currentVersion.grantInvoke(stateMachine); // Allow the icav2 copy batch statemachine to be started by the bssh fastq copy manager + // State machine + props.icav2CopyBatchStateMachineObj.grantStartExecution(stateMachine); + props.icav2CopyBatchStateMachineObj.grantRead(stateMachine); + // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr stateMachine.addToRolePolicy( @@ -76,8 +81,19 @@ export class BsshIcav2FastqCopyStateMachineConstruct extends Construct { }) ); - // State machine - props.icav2CopyBatchStateMachineObj.grantStartExecution(stateMachine.role); + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + stateMachine, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); // Trigger state machine on event const rule = new events.Rule(this, 'bssh_fastq_copy_trigger_rule', { 
@@ -100,6 +116,6 @@ export class BsshIcav2FastqCopyStateMachineConstruct extends Construct { ); // Allow the statemachine to submit events to the event bus - props.eventBusObj.grantPutEventsTo(stateMachine.role); + props.eventBusObj.grantPutEventsTo(stateMachine); } } diff --git a/lib/workload/stateless/stacks/cttso-v2-pipeline-manager/deploy/constructs/cttsov2-icav2-manager/index.ts b/lib/workload/stateless/stacks/cttso-v2-pipeline-manager/deploy/constructs/cttsov2-icav2-manager/index.ts index 9e938de6f..1a938e25d 100644 --- a/lib/workload/stateless/stacks/cttso-v2-pipeline-manager/deploy/constructs/cttsov2-icav2-manager/index.ts +++ b/lib/workload/stateless/stacks/cttso-v2-pipeline-manager/deploy/constructs/cttsov2-icav2-manager/index.ts @@ -12,6 +12,7 @@ import { PythonFunction } from '@aws-cdk/aws-lambda-python-alpha'; import { Icav2AnalysisEventHandlerConstruct } from '../../../../../../components/sfn-icav2-state-change-event-handler'; import { WfmWorkflowStateChangeIcav2ReadyEventHandlerConstruct } from '../../../../../../components/sfn-icav2-ready-event-handler'; import { DockerImageFunction } from 'aws-cdk-lib/aws-lambda'; +import { NagSuppressions } from 'cdk-nag'; interface Cttsov2Icav2PipelineManagerConstructProps { /* Stack Objects */ @@ -105,6 +106,10 @@ export class Cttsov2Icav2PipelineManagerConstruct extends Construct { // Allow state machine to read/write to dynamodb table props.dynamodbTableObj.grantReadWriteData(configureInputsSfn); + // Add state machine execution permissions to stateMachine role + props.icav2CopyFilesStateMachineObj.grantStartExecution(configureInputsSfn); + props.icav2CopyFilesStateMachineObj.grantRead(configureInputsSfn); + // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr configureInputsSfn.addToRolePolicy( 
@@ -116,8 +121,19 @@ export class Cttsov2Icav2PipelineManagerConstruct extends Construct { }) ); - // Add state machine execution permissions to stateMachine role - props.icav2CopyFilesStateMachineObj.grantStartExecution(configureInputsSfn); + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + configureInputsSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); // Update checkNumRunningSfnsLambdaObj env var to include the state machine arn of // the icav2 copy files sfn diff --git a/lib/workload/stateless/stacks/ora-compression-manager/deploy/index.ts b/lib/workload/stateless/stacks/ora-compression-manager/deploy/index.ts index b6e988853..b86f25050 100644 --- a/lib/workload/stateless/stacks/ora-compression-manager/deploy/index.ts +++ b/lib/workload/stateless/stacks/ora-compression-manager/deploy/index.ts @@ -37,6 +37,7 @@ import { Icav2AnalysisEventHandlerConstruct } from '../../../../components/sfn-i import { OraDecompressionConstruct } from '../../../../components/ora-file-decompression-fq-pair-sfn'; import * as iam from 'aws-cdk-lib/aws-iam'; import { GzipRawMd5sumDecompressionConstruct } from '../../../../components/gzip-raw-md5sum-fq-pair-sfn'; +import { NagSuppressions } from 'cdk-nag'; export interface OraCompressionIcav2PipelineManagerConfig { /* 
@@ -208,6 +209,10 @@ export class OraCompressionIcav2PipelineManagerStack extends cdk.Stack { } ); + // Configure step function invoke access to the gzip raw md5sum sfn + gzipRawMd5sumSfnObj.grantStartExecution(configureInputsSfn); + gzipRawMd5sumSfnObj.grantRead(configureInputsSfn); + // Configure the step function to have invoke access to the gzip raw md5sum sfn /* Allow step function to call nested state machine */ // Because we run a nested state machine, we need to add the permissions to the state machine role @@ -220,7 +225,20 @@ export class OraCompressionIcav2PipelineManagerStack extends cdk.Stack { actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], }) ); - gzipRawMd5sumSfnObj.grantStartExecution(configureInputsSfn); + + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + configureInputsSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); /* Generate the outputs sfn @@ -299,6 +317,10 @@ export class OraCompressionIcav2PipelineManagerStack extends cdk.Stack { lambda_obj.currentVersion.grantInvoke(configureOutputsSfn); }); + // Configure step function invoke access to the ora decompression sfn + oraDecompressionSfn.grantStartExecution(configureOutputsSfn); + oraDecompressionSfn.grantRead(configureOutputsSfn); + /* Allow step function to call nested state machine */ // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr 
@@ -311,8 +333,19 @@ export class OraCompressionIcav2PipelineManagerStack extends cdk.Stack { }) ); - // Configure step function invoke access to the ora decompression sfn - oraDecompressionSfn.grantStartExecution(configureOutputsSfn); + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + configureOutputsSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); // Generate state machine for handling the 'READY' event const handleWfmReadyEventSfn = new WfmWorkflowStateChangeIcav2ReadyEventHandlerConstruct( diff --git a/lib/workload/stateless/stacks/ora-decompression-manager/deploy/index.ts b/lib/workload/stateless/stacks/ora-decompression-manager/deploy/index.ts index 637ae52c5..50893d69f 100644 --- a/lib/workload/stateless/stacks/ora-decompression-manager/deploy/index.ts +++ b/lib/workload/stateless/stacks/ora-decompression-manager/deploy/index.ts @@ -7,6 +7,7 @@ import * as sfn from 'aws-cdk-lib/aws-stepfunctions'; import path from 'path'; import * as iam from 'aws-cdk-lib/aws-iam'; import * as eventsTargets from 'aws-cdk-lib/aws-events-targets'; +import { NagSuppressions } from 'cdk-nag'; export interface OraDecompressionPipelineManagerConfig { /* Stack essentials */ 
@@ -62,6 +63,10 @@ export class OraDecompressionManagerStack extends cdk.Stack { }, }); + /* Grant the state machine access to invoke the internal launch sfn machine */ + oraDecompressionSfnConstruct.sfnObject.grantStartExecution(oraManagerSfn); + oraDecompressionSfnConstruct.sfnObject.grantRead(oraManagerSfn); + // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr oraManagerSfn.addToRolePolicy( @@ -73,8 +78,19 @@ export class OraDecompressionManagerStack extends cdk.Stack { }) ); - /* Grant the state machine access to invoke the internal launch sfn machine */ - oraDecompressionSfnConstruct.sfnObject.grantStartExecution(oraManagerSfn); + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + oraManagerSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); // Create a rule to trigger the state machine const rule = new events.Rule(this, 'rule', { diff --git a/lib/workload/stateless/stacks/pieriandx-pipeline-manager/deploy/constructs/pieriandx_launch_step_function.ts b/lib/workload/stateless/stacks/pieriandx-pipeline-manager/deploy/constructs/pieriandx_launch_step_function.ts index 44e40692c..3249a40bb 100644 --- a/lib/workload/stateless/stacks/pieriandx-pipeline-manager/deploy/constructs/pieriandx_launch_step_function.ts +++ b/lib/workload/stateless/stacks/pieriandx-pipeline-manager/deploy/constructs/pieriandx_launch_step_function.ts 
@@ -10,6 +10,7 @@ import { DefinitionBody } from 'aws-cdk-lib/aws-stepfunctions'; import { PythonFunction, PythonLayerVersion } from '@aws-cdk/aws-lambda-python-alpha'; import { LambdaLayerConstruct } from './lambda_layer'; import * as events_targets from 'aws-cdk-lib/aws-events-targets'; +import { NagSuppressions } from 'cdk-nag'; interface PieriandxLaunchStepFunctionConstructProps { /* Stack Objects */ @@ -108,6 +109,16 @@ export class PieriandxLaunchStepFunctionStateMachineConstruct extends Construct // Allow state machine to read/write to dynamodb table props.dynamodbTableObj.grantReadWriteData(stateMachine.role); + // Allow sub-state launch machines to be invoked by this statemachine + [ + props.launchPieriandxCaseCreationStepfunctionObj, + props.launchPieriandxInformaticsjobCreationStepfunctionObj, + props.launchPieriandxSequencerrunCreationStepfunctionObj, + ].forEach((state_machine_obj) => { + state_machine_obj.grantStartExecution(stateMachine); + state_machine_obj.grantRead(stateMachine); + }); + // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr stateMachine.addToRolePolicy( 
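Review bot: `props.dynamodbTableObj.grantReadWriteData(stateMachine.role)` directly above the new loop still passes the role as grantee, while the new grants in this hunk (and the bssh-icav2-fastq-copy-manager hunk in the same commit) pass the state machine itself; for a single grantee convention in the file, `props.dynamodbTableObj.grantReadWriteData(stateMachine);`. The callback parameter `state_machine_obj` is snake_case where the surrounding code is camelCase (`stateMachine`, `eventBusObj`); `sfnObj`, as used in the stacky-mcstackface hunks of this commit, would match. The enclosing constructor starts and ends outside the hunk.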
@@ -118,15 +129,19 @@ export class PieriandxLaunchStepFunctionStateMachineConstruct extends Construct actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], }) ); - - // Allow sub-state launch machines to be invoked by this statemachine - [ - props.launchPieriandxCaseCreationStepfunctionObj, - props.launchPieriandxInformaticsjobCreationStepfunctionObj, - props.launchPieriandxSequencerrunCreationStepfunctionObj, - ].forEach((state_machine_obj) => { - state_machine_obj.grantStartExecution(stateMachine); - }); + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + stateMachine, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); // Get event bus from event bus name const eventBusObj = events.EventBus.fromEventBusName(this, 'eventBus', props.eventBusName); diff --git a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/elmer/part_1/bclconvert-succeeded-to-bssh-fastq-copy/index.ts b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/elmer/part_1/bclconvert-succeeded-to-bssh-fastq-copy/index.ts index ba3e2f3ad..583da4c49 100644 --- a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/elmer/part_1/bclconvert-succeeded-to-bssh-fastq-copy/index.ts +++ b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/elmer/part_1/bclconvert-succeeded-to-bssh-fastq-copy/index.ts 
@@ -12,6 +12,7 @@ import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager'; import { LambdaB64GzTranslatorConstruct } from '../../../../../../../components/python-lambda-b64gz-translator'; import { GetLibraryObjectsFromSamplesheetConstruct } from '../../../../../../../components/python-lambda-get-metadata-objects-from-samplesheet'; import { GenerateWorkflowRunStateChangeReadyConstruct } from '../../../../../../../components/sfn-generate-workflowrunstatechange-ready-event'; +import { NagSuppressions } from 'cdk-nag'; /* Part 1 @@ -152,6 +153,12 @@ export class BsshFastqCopyManagerReadyMakerConstruct extends Construct { lambda.currentVersion.grantInvoke(inputsMakerSfn); }); + // Add state machine execution permissions to stateMachine role + [sfnPreamble, engineParametersAndReadyLaunchSfn].forEach((sfnObj) => { + sfnObj.grantStartExecution(inputsMakerSfn); + sfnObj.grantRead(inputsMakerSfn); + }); + // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr inputsMakerSfn.addToRolePolicy( 
@@ -163,9 +170,19 @@ export class BsshFastqCopyManagerReadyMakerConstruct extends Construct { }) ); - // Add state machine execution permissions to stateMachine role - sfnPreamble.grantStartExecution(inputsMakerSfn); - engineParametersAndReadyLaunchSfn.grantStartExecution(inputsMakerSfn); + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + inputsMakerSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); const eventRule = new events.Rule(this, 'update_database_on_new_samplesheet_event_rule', { ruleName: `stacky-${this.bsshFastqCopyManagerDraftMakerEventMap.prefix}-event-rule`, diff --git a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/gorilla/part_1/bclconvert-interop-qc-draft-event-maker/index.ts b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/gorilla/part_1/bclconvert-interop-qc-draft-event-maker/index.ts index 7d24da1e6..0f1dfabea 100644 --- a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/gorilla/part_1/bclconvert-interop-qc-draft-event-maker/index.ts +++ b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/gorilla/part_1/bclconvert-interop-qc-draft-event-maker/index.ts @@ -9,6 +9,7 @@ import * as cdk from 'aws-cdk-lib'; import * as ssm from 'aws-cdk-lib/aws-ssm'; import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager'; import { GenerateWorkflowRunStateChangeReadyConstruct } from '../../../../../../../components/sfn-generate-workflowrunstatechange-ready-event'; +import { NagSuppressions } from 'cdk-nag'; /* Part 1 
@@ -62,7 +63,7 @@ export class BclconvertInteropQcDraftMakerConstruct extends Construct { /* Part 1: Generate the preamble (sfn to generate the portal run id and the workflow run name) */ - const sfn_preamble = new WorkflowDraftRunStateChangeCommonPreambleConstruct( + const sfnPreamble = new WorkflowDraftRunStateChangeCommonPreambleConstruct( this, `${this.bclconvertInteropQcDraftMakerEventMap.prefix}_sfn_preamble`, { @@ -118,7 +119,7 @@ export class BclconvertInteropQcDraftMakerConstruct extends Construct { __workflow_version__: this.bclconvertInteropQcDraftMakerEventMap.workflowVersion, __payload_version__: this.bclconvertInteropQcDraftMakerEventMap.payloadVersion, // Subfunctions - __sfn_preamble_state_machine_arn__: sfn_preamble.stateMachineArn, + __sfn_preamble_state_machine_arn__: sfnPreamble.stateMachineArn, __launch_ready_event_sfn_arn__: engineParametersAndReadyLaunchSfn.stateMachineArn, }, }); @@ -126,6 +127,10 @@ export class BclconvertInteropQcDraftMakerConstruct extends Construct { /* Part 2: Grant the sfn permissions */ + [sfnPreamble, engineParametersAndReadyLaunchSfn].forEach((sfnObj) => { + sfnObj.grantStartExecution(inputsMakerSfn); + sfnObj.grantRead(inputsMakerSfn); + }); // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr 
@@ -138,9 +143,19 @@ export class BclconvertInteropQcDraftMakerConstruct extends Construct { }) ); - // Add state machine execution permissions to stateMachine role - sfn_preamble.grantStartExecution(inputsMakerSfn); - engineParametersAndReadyLaunchSfn.grantStartExecution(inputsMakerSfn); + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + inputsMakerSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); /* Part 3: Subscribe to the event bus for this event type diff --git a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/handy-pal/part_3/launch-oncoanalyser-ready-events/index.ts b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/handy-pal/part_3/launch-oncoanalyser-ready-events/index.ts index 4f10824d1..4c95275d7 100644 --- a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/handy-pal/part_3/launch-oncoanalyser-ready-events/index.ts +++ b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/handy-pal/part_3/launch-oncoanalyser-ready-events/index.ts @@ -21,6 +21,7 @@ import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager'; import { WorkflowDraftRunStateChangeCommonPreambleConstruct } from '../../../../../../../components/sfn-workflowdraftrunstatechange-common-preamble'; import { GenerateWorkflowRunStateChangeReadyConstruct } from '../../../../../../../components/sfn-generate-workflowrunstatechange-ready-event'; import { GetMetadataLambdaConstruct } from '../../../../../../../components/python-lambda-metadata-mapper'; +import { NagSuppressions } from 'cdk-nag'; /* Part 3 
@@ -186,6 +187,12 @@ export class OncoanalyserDnaOrRnaReadyConstruct extends Construct { // allow the step function to invoke the lambdas generateDnaEventLambdaObj.currentVersion.grantInvoke(tnCompleteToOncoDraftSfn); + // Allow the step function to call the preamble sfn + [sfnPreamble, engineParameterAndReadyEventMakerSfn].forEach((sfnObj) => { + sfnObj.grantStartExecution(tnCompleteToOncoDraftSfn); + sfnObj.grantRead(tnCompleteToOncoDraftSfn); + }); + /* Allow step function to call nested state machine */ // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr @@ -197,9 +204,20 @@ export class OncoanalyserDnaOrRnaReadyConstruct extends Construct { actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], }) ); - // Allow the state machine to be able to invoke the preamble sfn - sfnPreamble.grantStartExecution(tnCompleteToOncoDraftSfn); - engineParameterAndReadyEventMakerSfn.grantStartExecution(tnCompleteToOncoDraftSfn); + + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + tnCompleteToOncoDraftSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); /* Part 3: Subscribe to the event bus and trigger the internal sfn 
@@ -344,6 +362,12 @@ export class OncoanalyserDnaOrRnaReadyConstruct extends Construct { lambdaObj.currentVersion.grantInvoke(qcCompleteToDraftSfn); }); + // Allow the state machine to be able to invoke the preamble sfn + [sfnPreamble, engineParameterAndReadyEventMakerSfn].forEach((sfnObj) => { + sfnObj.grantStartExecution(qcCompleteToDraftSfn); + sfnObj.grantRead(qcCompleteToDraftSfn); + }); + /* Allow step function to call nested state machine */ // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr @@ -355,9 +379,20 @@ export class OncoanalyserDnaOrRnaReadyConstruct extends Construct { actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], }) ); - // Allow the state machine to be able to invoke the preamble sfn - sfnPreamble.grantStartExecution(qcCompleteToDraftSfn); - engineParameterAndReadyEventMakerSfn.grantStartExecution(qcCompleteToDraftSfn); + + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + qcCompleteToDraftSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); /* Part 3: Subscribe to the event bus and trigger the internal sfn diff --git a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/jb-weld/part_3/fastq-list-row-event-shower-complete-to-cttsov2-ready/index.ts b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/jb-weld/part_3/fastq-list-row-event-shower-complete-to-cttsov2-ready/index.ts index 9bcf6e5e1..1c870b85c 100644 
--- a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/jb-weld/part_3/fastq-list-row-event-shower-complete-to-cttsov2-ready/index.ts +++ b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/jb-weld/part_3/fastq-list-row-event-shower-complete-to-cttsov2-ready/index.ts @@ -12,6 +12,7 @@ import * as cdk from 'aws-cdk-lib'; import * as ssm from 'aws-cdk-lib/aws-ssm'; import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager'; import { GenerateWorkflowRunStateChangeReadyConstruct } from '../../../../../../../components/sfn-generate-workflowrunstatechange-ready-event'; +import { NagSuppressions } from 'cdk-nag'; /* Part 4 @@ -201,6 +202,12 @@ export class Cttsov2FastqListRowShowerCompleteToWorkflowDraftConstruct extends C // Allow the sfn to invoke the lambda buildCttsoV2Samplesheet.currentVersion.grantInvoke(inputMakerSfn); + // Allow the state machine to be able to invoke the preamble sfn + [sfnPreamble, engineParameterAndReadyEventMakerSfn].forEach((sfnObj) => { + sfnObj.grantStartExecution(inputMakerSfn); + sfnObj.grantRead(inputMakerSfn); + }); + /* Allow step function to call nested state machine */ // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr 
@@ -212,9 +219,20 @@ export class Cttsov2FastqListRowShowerCompleteToWorkflowDraftConstruct extends C actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], }) ); - // Allow the state machine to be able to invoke the preamble sfn - sfnPreamble.grantStartExecution(inputMakerSfn); - engineParameterAndReadyEventMakerSfn.grantStartExecution(inputMakerSfn); + + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + inputMakerSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); /* Part 4: Subscribe to the event bus for this event type diff --git a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/kwik/part_3/fastq-list-rows-shower-complete-to-wgts-qc/index.ts b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/kwik/part_3/fastq-list-rows-shower-complete-to-wgts-qc/index.ts index 4d6f679db..fb46c36a9 100644 --- a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/kwik/part_3/fastq-list-rows-shower-complete-to-wgts-qc/index.ts +++ b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/kwik/part_3/fastq-list-rows-shower-complete-to-wgts-qc/index.ts @@ -12,6 +12,7 @@ import * as cdk from 'aws-cdk-lib'; import * as ssm from 'aws-cdk-lib/aws-ssm'; import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager'; import { GenerateWorkflowRunStateChangeReadyConstruct } from '../../../../../../../components/sfn-generate-workflowrunstatechange-ready-event'; +import { NagSuppressions } from 'cdk-nag'; /* Part 3 
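Review bot: Passing `true` as the third argument of `NagSuppressions.addResourceSuppressions(inputMakerSfn, ...)` blankets every child construct of the state machine, so the IAM5 entry also covers wildcards this role may acquire in later commits, well beyond the one execution ARN the reason mentions. Keep `true` (the finding lives on the role's DefaultPolicy child) but add `appliesTo: ['Resource::…:execution:…:*']` using the exact string from the cdk-nag finding so only that wildcard is waived. Note also that the reason understates what grantRead emits, which includes a Resource `*` statement in aws-cdk-lib (confirm in the template); the reason should match the actual grant. This hunk is inside a constructor that starts and ends outside it.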
@@ -186,6 +187,12 @@ export class WgtsQcFastqListRowShowerCompleteToWorkflowReadyConstruct extends Co // Allow the sfn to invoke the lambda generateEventDataLambdaObj.currentVersion.grantInvoke(inputMakerSfn); + // Allow the state machine to be able to invoke the preamble sfn + [sfnPreamble, engineParameterAndReadyEventMakerSfn].forEach((sfnObj) => { + sfnObj.grantStartExecution(inputMakerSfn); + sfnObj.grantRead(inputMakerSfn); + }); + /* Allow step function to call nested state machine */ // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr @@ -198,9 +205,19 @@ export class WgtsQcFastqListRowShowerCompleteToWorkflowReadyConstruct extends Co }) ); - // Allow the state machine to be able to invoke the preamble sfn - sfnPreamble.grantStartExecution(inputMakerSfn); - engineParameterAndReadyEventMakerSfn.grantStartExecution(inputMakerSfn); + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + inputMakerSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); /* Part 4: Subscribe to the event bus for this event type diff --git a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/loctite/part_3/library-qc-complete-db-to-tn-ready/index.ts b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/loctite/part_3/library-qc-complete-db-to-tn-ready/index.ts index bc5dc3521..8522b4eff 100644 --- a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/loctite/part_3/library-qc-complete-db-to-tn-ready/index.ts 
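Review bot: `sfnObj.grantRead(inputMakerSfn)` in WgtsQcFastqListRowShowerCompleteToWorkflowReadyConstruct is broader than the polling need: aws-cdk-lib's grantRead attaches GetExecutionHistory and DescribeStateMachineForExecution on every execution and a Resource `*` statement for ListActivities/DescribeStateMachine/DescribeActivity, as far as the CDK source goes (verify in the synthesized policy). GetExecutionHistory in particular exposes the nested machine's inputs and outputs to this role, which the `.sync` integration does not require. The linked AWS doc lists `states:DescribeExecution` and `states:StopExecution` on `execution:<name>:*`, so `sfnObj.grantExecution(inputMakerSfn, 'states:DescribeExecution', 'states:StopExecution');` is the least-privilege replacement for the grantRead line. The constructor continues outside the hunk.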
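Review bot: The suppression added for `inputMakerSfn` with `true` for applyToChildren is a standing waiver for any AwsSolutions-IAM5 finding under this state machine, not just the execution wildcard the reason describes. Scope it with an `appliesTo` entry holding the exact `Resource::…:execution:…:*` value from the cdk-nag output; `true` itself must stay because the finding is on the role's DefaultPolicy child. The reason should also be made accurate, as grantRead in aws-cdk-lib also emits a Resource `*` statement (check the template), unless the grant is narrowed to the execution ARN first. The enclosing constructor starts and ends outside this hunk.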
+++ b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/loctite/part_3/library-qc-complete-db-to-tn-ready/index.ts @@ -13,6 +13,7 @@ import * as lambda from 'aws-cdk-lib/aws-lambda'; import { WorkflowDraftRunStateChangeCommonPreambleConstruct } from '../../../../../../../components/sfn-workflowdraftrunstatechange-common-preamble'; import { GenerateWorkflowRunStateChangeReadyConstruct } from '../../../../../../../components/sfn-generate-workflowrunstatechange-ready-event'; import { GetMetadataLambdaConstruct } from '../../../../../../../components/python-lambda-metadata-mapper'; +import { NagSuppressions } from 'cdk-nag'; /* Part 3 @@ -188,6 +189,11 @@ export class LibraryQcCompleteToTnReadyConstruct extends Construct { } ); + [sfnPreamble, engineParameterAndReadyEventMakerSfn].forEach((sfnObj) => { + sfnObj.grantStartExecution(inputMakerSfn); + sfnObj.grantRead(inputMakerSfn); + }); + /* Allow step function to call nested state machine */ // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr 
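Review bot: The new forEach in LibraryQcCompleteToTnReadyConstruct is the only one of these grant blocks added without an explanatory comment, so a reader sees grantRead on two state machines with no stated reason; add `// Allow the state machine to be able to invoke the preamble sfn` above it as the sibling files do, and ideally say why read access is needed. On the grant itself, aws-cdk-lib's grantRead also attaches GetExecutionHistory and DescribeStateMachineForExecution on all executions and a Resource `*` statement for ListActivities/DescribeStateMachine/DescribeActivity (confirm in the synthesized policy), which is more than the `.sync` integration needs. The linked AWS guidance lists `states:DescribeExecution` and `states:StopExecution` on `execution:<name>:*`, so `sfnObj.grantExecution(inputMakerSfn, 'states:DescribeExecution', 'states:StopExecution');` is the narrower replacement for `sfnObj.grantRead(inputMakerSfn);`. The constructor body continues beyond the hunk.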
@@ -199,9 +205,20 @@ export class LibraryQcCompleteToTnReadyConstruct extends Construct { actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], }) ); - // Allow the state machine to be able to invoke the preamble sfn - sfnPreamble.grantStartExecution(inputMakerSfn); - engineParameterAndReadyEventMakerSfn.grantStartExecution(inputMakerSfn); + + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + inputMakerSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); /* Part 3: Subscribe to the event bus and trigger the internal sfn diff --git a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/mod-podge/part_3/library-qc-complete-to-wts/index.ts b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/mod-podge/part_3/library-qc-complete-to-wts/index.ts index ec20034b0..36180d832 100644 --- a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/mod-podge/part_3/library-qc-complete-to-wts/index.ts +++ b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/mod-podge/part_3/library-qc-complete-to-wts/index.ts @@ -13,6 +13,7 @@ import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager'; import { WorkflowDraftRunStateChangeCommonPreambleConstruct } from '../../../../../../../components/sfn-workflowdraftrunstatechange-common-preamble'; import { GenerateWorkflowRunStateChangeReadyConstruct } from '../../../../../../../components/sfn-generate-workflowrunstatechange-ready-event'; import { GetMetadataLambdaConstruct } from '../../../../../../../components/python-lambda-metadata-mapper'; +import { NagSuppressions } from 'cdk-nag'; /* Part 4 
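Review bot: `NagSuppressions.addResourceSuppressions(inputMakerSfn, [...], true)` in LibraryQcCompleteToTnReadyConstruct waives every IAM5 finding under the state machine, present and future, while the reason only justifies the execution-ARN asterisk. Add `appliesTo` with the exact `Resource::…:execution:…:*` string from the cdk-nag finding so the waiver is limited to that wildcard; `true` is still needed because the finding is attached to the role's DefaultPolicy. The reason text is also narrower than the grant it covers, since grantRead in aws-cdk-lib includes a Resource `*` statement (verify in the template). The enclosing constructor starts and ends outside the hunk.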
@@ -158,6 +159,12 @@ export class LibraryQcCompleteToWtsReadyConstruct extends Construct { // allow the step function to invoke the lambdas generateEventDataLambdaObj.currentVersion.grantInvoke(qcCompleteToDraftSfn); + // Allow the state machine to be able to invoke the preamble sfn + [sfnPreamble, engineParameterAndReadyEventMakerSfn].forEach((sfnObj) => { + sfnObj.grantStartExecution(qcCompleteToDraftSfn); + sfnObj.grantRead(qcCompleteToDraftSfn); + }); + /* Allow step function to call nested state machine */ // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr @@ -169,9 +176,20 @@ export class LibraryQcCompleteToWtsReadyConstruct extends Construct { actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], }) ); - // Allow the state machine to be able to invoke the preamble sfn - sfnPreamble.grantStartExecution(qcCompleteToDraftSfn); - engineParameterAndReadyEventMakerSfn.grantStartExecution(qcCompleteToDraftSfn); + + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + qcCompleteToDraftSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); /* Part 3: Subscribe to the event bus and trigger the internal sfn diff --git a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/pva/part_2/tn-complete-to-umccrise-draft/index.ts b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/pva/part_2/tn-complete-to-umccrise-draft/index.ts index abe258157..493922ae1 100644 
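Review bot: `sfnObj.grantRead(qcCompleteToDraftSfn)` in LibraryQcCompleteToWtsReadyConstruct over-grants relative to the stated purpose: aws-cdk-lib's grantRead also gives GetExecutionHistory and DescribeStateMachineForExecution on all executions and ListActivities/DescribeStateMachine/DescribeActivity on Resource `*` (check the synthesized policy), and it still omits the `states:StopExecution` that the linked AWS doc lists for `.sync` calls. Use `sfnObj.grantExecution(qcCompleteToDraftSfn, 'states:DescribeExecution', 'states:StopExecution');` in place of the grantRead line to match the documented requirement exactly. The constructor continues outside the hunk.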
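Review bot: The IAM5 suppression on `qcCompleteToDraftSfn` is applied with `true` to all children, so it silently covers any other wildcard this role's DefaultPolicy gains later, not just the execution asterisk named in the reason. Narrow it with an `appliesTo` list containing the exact `Resource::…:execution:…:*` string from the cdk-nag finding, keeping `true` because the finding is on the policy child. Also reconcile the reason with the grant: grantRead in aws-cdk-lib emits a Resource `*` statement too (verify in the template), so the stated justification does not cover everything it suppresses. The enclosing constructor extends outside this hunk.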
--- a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/pva/part_2/tn-complete-to-umccrise-draft/index.ts +++ b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/pva/part_2/tn-complete-to-umccrise-draft/index.ts @@ -12,6 +12,7 @@ import * as ssm from 'aws-cdk-lib/aws-ssm'; import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager'; import { WorkflowDraftRunStateChangeCommonPreambleConstruct } from '../../../../../../../components/sfn-workflowdraftrunstatechange-common-preamble'; import { GenerateWorkflowRunStateChangeReadyConstruct } from '../../../../../../../components/sfn-generate-workflowrunstatechange-ready-event'; +import { NagSuppressions } from 'cdk-nag'; /* Part 2 @@ -153,6 +154,12 @@ export class TnCompleteToUmccriseReadyConstruct extends Construct { // allow the step function to invoke the lambdas generateEventDataLambdaObj.currentVersion.grantInvoke(qcCompleteToDraftSfn); + // Allow the state machine to be able to invoke the preamble sfn + [sfnPreamble, engineParameterAndReadyEventMakerSfn].forEach((sfnObj) => { + sfnObj.grantStartExecution(qcCompleteToDraftSfn); + sfnObj.grantRead(qcCompleteToDraftSfn); + }); + /* Allow step function to call nested state machine */ // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr 
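Review bot: In TnCompleteToUmccriseReadyConstruct the new `sfnObj.grantRead(qcCompleteToDraftSfn)` grants more than execution polling needs; per aws-cdk-lib, grantRead adds GetExecutionHistory and DescribeStateMachineForExecution on all executions plus a Resource `*` statement for ListActivities/DescribeStateMachine/DescribeActivity (confirm in the synthesized policy). The `.sync` integration documented on the AWS page linked in the next hunk needs `states:DescribeExecution` and `states:StopExecution` on `execution:<name>:*`, and StopExecution is absent here. `sfnObj.grantExecution(qcCompleteToDraftSfn, 'states:DescribeExecution', 'states:StopExecution');` replaces the grantRead line with exactly that scope. The constructor body starts and ends outside the hunk.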
@@ -164,9 +171,20 @@ export class TnCompleteToUmccriseReadyConstruct extends Construct { actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], }) ); - // Allow the state machine to be able to invoke the preamble sfn - sfnPreamble.grantStartExecution(qcCompleteToDraftSfn); - engineParameterAndReadyEventMakerSfn.grantStartExecution(qcCompleteToDraftSfn); + + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + qcCompleteToDraftSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); /* Part 3: Subscribe to the event bus and trigger the internal sfn diff --git a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/roket/part_2/umccrise-and-wts-complete-to-rnasum-draft/index.ts b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/roket/part_2/umccrise-and-wts-complete-to-rnasum-draft/index.ts index 2b10cdf84..2ac61453c 100644 --- a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/roket/part_2/umccrise-and-wts-complete-to-rnasum-draft/index.ts +++ b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/roket/part_2/umccrise-and-wts-complete-to-rnasum-draft/index.ts @@ -14,6 +14,7 @@ import { WorkflowDraftRunStateChangeCommonPreambleConstruct } from '../../../../ import { GetMetadataLambdaConstruct } from '../../../../../../../components/python-lambda-metadata-mapper'; import { GenerateWorkflowRunStateChangeReadyConstruct } from '../../../../../../../components/sfn-generate-workflowrunstatechange-ready-event'; import { rnasumIcav2PipelineVersion } from '../../../../../../../../../config/constants'; +import { NagSuppressions } from 'cdk-nag'; /* Part 4 
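Review bot: The suppression added with `addResourceSuppressions(qcCompleteToDraftSfn, [...], true)` waives AwsSolutions-IAM5 for everything beneath the state machine, which is wider than the one execution wildcard the reason justifies and will also hide future wildcards on this role. Keep `true` (the finding is on the role's DefaultPolicy child) but add `appliesTo` with the exact `Resource::…:execution:…:*` string from the cdk-nag report. The reason should also state the real scope, since grantRead in aws-cdk-lib includes a Resource `*` statement as well (check the template), or the grant should be narrowed so the reason becomes true. The enclosing constructor continues outside this hunk.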
@@ -197,6 +198,12 @@ export class UmccriseAndWtsCompleteToRnasumReadyConstruct extends Construct { lambda.currentVersion.grantInvoke(umccriseAndWtsCompleteToDraftSfn); }); + // Allow the state machine to be able to invoke the preamble sfn + [sfnPreamble, engineParameterAndReadyEventMakerSfn].forEach((sfnObj) => { + sfnObj.grantStartExecution(umccriseAndWtsCompleteToDraftSfn); + sfnObj.grantRead(umccriseAndWtsCompleteToDraftSfn); + }); + /* Allow step function to call nested state machine */ // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr @@ -208,9 +215,20 @@ export class UmccriseAndWtsCompleteToRnasumReadyConstruct extends Construct { actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], }) ); - // Allow the state machine to be able to invoke the preamble sfn - sfnPreamble.grantStartExecution(umccriseAndWtsCompleteToDraftSfn); - engineParameterAndReadyEventMakerSfn.grantStartExecution(umccriseAndWtsCompleteToDraftSfn); + + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + umccriseAndWtsCompleteToDraftSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); /* Part 3: Subscribe to the event bus and trigger the internal sfn diff --git a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/t-rex/part_2/oncoanalyser-dna-complete-to-sash-ready/index.ts b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/t-rex/part_2/oncoanalyser-dna-complete-to-sash-ready/index.ts index dd6a59ace..e7584b1dc 100644 
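Review bot: `sfnObj.grantRead(umccriseAndWtsCompleteToDraftSfn)` in UmccriseAndWtsCompleteToRnasumReadyConstruct is broader than the DescribeExecution polling it is introduced for: aws-cdk-lib's grantRead also attaches GetExecutionHistory and DescribeStateMachineForExecution on every execution and a Resource `*` statement for ListActivities/DescribeStateMachine/DescribeActivity (verify in the synthesized policy), and it does not include the `states:StopExecution` the linked AWS guidance lists for `.sync`. Swap the line for `sfnObj.grantExecution(umccriseAndWtsCompleteToDraftSfn, 'states:DescribeExecution', 'states:StopExecution');` to match that guidance with no Resource `*` grant. The constructor continues outside the hunk.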
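Review bot: `NagSuppressions.addResourceSuppressions(umccriseAndWtsCompleteToDraftSfn, [...], true)` applies the IAM5 waiver to all children, so any wildcard later attached to this role is suppressed under a reason that only mentions the execution asterisk. Add `appliesTo` with the exact `Resource::…:execution:…:*` string from the cdk-nag finding; `true` has to remain because the finding is on the role's DefaultPolicy. The reason is also incomplete for what grantRead emits in aws-cdk-lib, which includes a Resource `*` statement (confirm in the template), so either narrow the grant or widen the reason. The enclosing constructor starts and ends outside the hunk.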
--- a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/t-rex/part_2/oncoanalyser-dna-complete-to-sash-ready/index.ts +++ b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/t-rex/part_2/oncoanalyser-dna-complete-to-sash-ready/index.ts @@ -20,6 +20,7 @@ import * as ssm from 'aws-cdk-lib/aws-ssm'; import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager'; import { WorkflowDraftRunStateChangeCommonPreambleConstruct } from '../../../../../../../components/sfn-workflowdraftrunstatechange-common-preamble'; import { GenerateWorkflowRunStateChangeReadyConstruct } from '../../../../../../../components/sfn-generate-workflowrunstatechange-ready-event'; +import { NagSuppressions } from 'cdk-nag'; export interface OncoanalyserDnaToSashReadyConstructProps { /* Events */ @@ -142,6 +143,12 @@ export class OncoanalyserDnaToSashReadyConstruct extends Construct { // allow the step function to invoke the lambdas generateEventDataLambdaObj.currentVersion.grantInvoke(dnaCompleteToDraftSfn); + // Allow the state machine to be able to invoke the preamble sfn + [sfnPreamble, engineParameterAndReadyEventMakerSfn].forEach((sfnObj) => { + sfnObj.grantStartExecution(dnaCompleteToDraftSfn); + sfnObj.grantRead(dnaCompleteToDraftSfn); + }); + /* Allow step function to call nested state machine */ // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr 
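Review bot: The added `sfnObj.grantRead(dnaCompleteToDraftSfn)` in OncoanalyserDnaToSashReadyConstruct hands this role more than the polling it is meant to enable; in aws-cdk-lib, grantRead also grants GetExecutionHistory and DescribeStateMachineForExecution on all executions and ListActivities/DescribeStateMachine/DescribeActivity on Resource `*` (check the synthesized policy). GetExecutionHistory lets this role read the nested machine's inputs and outputs, which the `.sync` integration does not need, while the `states:StopExecution` the linked AWS doc lists is still missing. `sfnObj.grantExecution(dnaCompleteToDraftSfn, 'states:DescribeExecution', 'states:StopExecution');` is the least-privilege replacement for the grantRead line. The constructor body extends beyond the hunk.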
@@ -153,9 +160,20 @@ export class OncoanalyserDnaToSashReadyConstruct extends Construct { actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], }) ); - // Allow the state machine to be able to invoke the preamble sfn - sfnPreamble.grantStartExecution(dnaCompleteToDraftSfn); - engineParameterAndReadyEventMakerSfn.grantStartExecution(dnaCompleteToDraftSfn); + + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + dnaCompleteToDraftSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); /* Part 3: Subscribe to the event bus and trigger the internal sfn diff --git a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/t-rex/part_3/oncoanalyser-dna-or-rna-to-oncoanalyser-both-ready/index.ts b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/t-rex/part_3/oncoanalyser-dna-or-rna-to-oncoanalyser-both-ready/index.ts index 3410de4f4..37c52e239 100644 --- a/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/t-rex/part_3/oncoanalyser-dna-or-rna-to-oncoanalyser-both-ready/index.ts +++ b/lib/workload/stateless/stacks/stacky-mcstackface/glue-constructs/t-rex/part_3/oncoanalyser-dna-or-rna-to-oncoanalyser-both-ready/index.ts 
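Review bot: The IAM5 suppression on `dnaCompleteToDraftSfn` is applied with `true` to every child construct, making it a blanket waiver for this role rather than one limited to the execution wildcard the reason describes. Scope it with `appliesTo` holding the exact `Resource::…:execution:…:*` string from the cdk-nag finding, keeping `true` because the finding is on the role's DefaultPolicy child. The reason should also reflect that grantRead in aws-cdk-lib adds a Resource `*` statement (verify in the template), or the grant should be narrowed to the execution ARN so the reason is accurate. The enclosing constructor continues outside this hunk.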
@@ -17,10 +17,10 @@ import * as eventsTargets from 'aws-cdk-lib/aws-events-targets'; import { PythonFunction } from '@aws-cdk/aws-lambda-python-alpha'; import * as lambda from 'aws-cdk-lib/aws-lambda'; import * as ssm from 'aws-cdk-lib/aws-ssm'; -import * as secretsManager from 'aws-cdk-lib/aws-secretsmanager'; import { WorkflowDraftRunStateChangeCommonPreambleConstruct } from '../../../../../../../components/sfn-workflowdraftrunstatechange-common-preamble'; import { GenerateWorkflowRunStateChangeReadyConstruct } from '../../../../../../../components/sfn-generate-workflowrunstatechange-ready-event'; import { GetMetadataLambdaConstruct } from '../../../../../../../components/python-lambda-metadata-mapper'; +import { NagSuppressions } from 'cdk-nag'; export interface OncoanalyserDnaRnaReadyConstructProps { /* Events */ @@ -188,6 +188,12 @@ export class OncoanalyserDnaRnaReadyConstruct extends Construct { lambdaObj.currentVersion.grantInvoke(dnaCompleteToDraftSfn); }); + // Allow the state machine to be able to invoke the preamble sfns + [sfnPreamble, engineParameterAndReadyEventMakerSfn].forEach((sfnObj) => { + sfnObj.grantStartExecution(dnaCompleteToDraftSfn); + sfnObj.grantRead(dnaCompleteToDraftSfn); + }); + /* Allow step function to call nested state machine */ // Because we run a nested state machine, we need to add the permissions to the state machine role // See https://stackoverflow.com/questions/60612853/nested-step-function-in-a-step-function-unknown-error-not-authorized-to-cr 
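Review bot: In OncoanalyserDnaRnaReadyConstruct the new `sfnObj.grantRead(dnaCompleteToDraftSfn)` grants well beyond DescribeExecution: aws-cdk-lib's grantRead also attaches GetExecutionHistory and DescribeStateMachineForExecution on all executions and a Resource `*` statement for ListActivities/DescribeStateMachine/DescribeActivity (confirm in the synthesized policy). The `.sync` integration per the AWS page linked in the following hunk needs `states:DescribeExecution` and `states:StopExecution` on `execution:<name>:*`, and StopExecution is not granted here. Replace the grantRead line with `sfnObj.grantExecution(dnaCompleteToDraftSfn, 'states:DescribeExecution', 'states:StopExecution');`. The constructor starts and ends outside the hunk.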
@@ -199,9 +205,20 @@ export class OncoanalyserDnaRnaReadyConstruct extends Construct { actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'], }) ); - // Allow the state machine to be able to invoke the preamble sfn - sfnPreamble.grantStartExecution(dnaCompleteToDraftSfn); - engineParameterAndReadyEventMakerSfn.grantStartExecution(dnaCompleteToDraftSfn); + + // https://docs.aws.amazon.com/step-functions/latest/dg/connect-stepfunctions.html#sync-async-iam-policies + // Polling requires permission for states:DescribeExecution + NagSuppressions.addResourceSuppressions( + dnaCompleteToDraftSfn, + [ + { + id: 'AwsSolutions-IAM5', + reason: + 'grantRead uses asterisk at the end of executions, as we need permissions for all execution invocations', + }, + ], + true + ); /* Part 3: Subscribe to the event bus and trigger the internal sfn
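Review bot: `NagSuppressions.addResourceSuppressions(dnaCompleteToDraftSfn, [...], true)` waives AwsSolutions-IAM5 for every child of the state machine, so future wildcards on this role are hidden under a reason that only covers the execution asterisk. Add `appliesTo` with the exact `Resource::…:execution:…:*` string from the cdk-nag finding; `true` must stay since the finding is on the role's DefaultPolicy child. The reason is also narrower than the grant it suppresses, because grantRead in aws-cdk-lib includes a Resource `*` statement (check the template), so either narrow the grant to the execution ARN or state the full scope. The enclosing constructor continues outside the hunk.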