Fixes cdk-nag error on grant read to statemachine object

Statemachine objects have no object 'current' version.
umccr · Oct 8, 2024 · 6355897 · 6355897
1 parent be48b09
commit 6355897
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/...ateless/stacks/cttso-v2-pipeline-manager/deploy/constructs/cttsov2-icav2-manager/index.ts b/...ateless/stacks/cttso-v2-pipeline-manager/deploy/constructs/cttsov2-icav2-manager/index.ts
@@ -124,9 +124,23 @@ export class Cttsov2Icav2PipelineManagerConstruct extends Construct {
     );
 
     // Allow the check num running sfns lambda to list the number of running icav2 copy file sfns running
+    /*
+    // FIXME: this is the ideal setup but not approved by cdk nag, since we
+    // FIXME: are granting the lambda permissions to all versions of the step function
     props.icav2CopyFilesStateMachineObj.grantRead(
       props.checkNumRunningSfnsLambdaObj.currentVersion
     );
+    */
+    props.checkNumRunningSfnsLambdaObj.currentVersion.addToRolePolicy(
+      new iam.PolicyStatement({
+        actions: [
+          'states:ListActivities',
+          'states:DescribeStateMachine',
+          'states:DescribeActivity',
+        ],
+        resources: [props.icav2CopyFilesStateMachineObj.stateMachineArn],
+      })
+    );
 
     /*
         Part 2: Configure the lambdas and outputs step function