
fix(stepfunctions): distributed maps under branches do not have necessary permissions #29913

Closed

Conversation

@curquhart curquhart commented Apr 20, 2024

Issue

Closes #29266

Reason for this change

distributed maps under branch states (i.e., Parallel) do not apply the necessary permissions to run the state.

Description of changes

this moves the bind functionality into state and calls it on both state and all child (branch) states. Previously it did not run on branch states and as such did not work for example a distributed map under a parallel state without adding the permissions out of band.

An alternative would be to have a bind method that the user calls out of band on the distributed map (or in my case, in a wrapper class, but it's clunky)

Description of how you validated changes

Unit tests

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK p2 labels Apr 20, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team April 20, 2024 17:33
@aws-cdk-automation aws-cdk-automation left a comment

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@curquhart
ahh re pull request validator failing for no integration test update, i will look at that later this weekend or sometime next week.

@curquhart curquhart force-pushed the fix_distributed_map_perms branch from 526527e to 62f08f4 Compare April 21, 2024 15:10
@aws-cdk-automation aws-cdk-automation dismissed their stale review April 21, 2024 15:12

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@curquhart
added a couple integration tests and fixed the linting problems

@curquhart curquhart force-pushed the fix_distributed_map_perms branch 2 times, most recently from 1a2ed6f to 38c98b2 Compare April 21, 2024 15:35
@curquhart
curquhart commented Apr 21, 2024

i was wondering about my approach... because branches aren't exposed, i moved the policy stuff into State. however, State cannot depend on DistributedMap because of a cyclic dependency. To deal with this, I just passed isDistributedMap into the method call. This is based on the assumption that branches is hidden for a reason.

This works but could be cleaner. I was wondering about thoughts on a few alternative solutions:

  • could i expose branches in State? then this stuff could be entirely (other than that visibility change in State) in StateGraph
  • add containsDistributedMap to State (as in, StateGraph would call state.containsDistributedState())... in the base class, this would return false, in DistributedMap this would return true
  • processorMode is already in State... it's protected but if we made it public we might be also use that to determine if distributed map (by swapping with a getter, throwing the real value in _processorMode, and then having the getter traverse any children)... i do worry about side effects on this one though since we'd be considering processorMode as distributed if any of the children are distributed

from my point of view, anything is fine, i just want to remove the manual perms from my cdk since it's weird that cdk sometimes but not always adds them (depending on how the graph is shaped) heh

anyway will update if needed!

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Apr 21, 2024
@curquhart
👋 just wanted to touch base on this... I'm happy to make changes if yall don't like the approach!

thanks :)

@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p1 and removed p2 labels May 5, 2024
@curquhart
just saw there is also an issue reported for this - linked it in desc... just following up again though, is someone able to look at this? Thanks :)

@aws-cdk-automation aws-cdk-automation added pr/needs-maintainer-review This PR needs a review from a Core Team Member and removed pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels May 5, 2024
@curquhart curquhart force-pushed the fix_distributed_map_perms branch from 38c98b2 to a820573 Compare May 8, 2024 19:04
@curquhart
just following up... again i'm happy to make changes, would appreciate feedback! thanks :)

@comcalvi comcalvi left a comment

branches is protected because many of the stepfunctions features live on the base class but are defined and exposed in subclasses, as explained here: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-stepfunctions/lib/states/state.ts#L163, and since branches is only usable with Parallel states, I don't think it makes sense to expose it.

I don't think the processor mode approach is the right one either, for the reason you outlined.

The design suggests we should include IsDistributedMap on the base class, as you describe in option 2. This is an odd placement, because the base class should not know anything about its Distributed subclass variant - but we've already broken this assumption by declaring all of these subclass-unique properties on the base class, so we may as well include isDistributedMap on the base class.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jun 17, 2024
@aws-cdk-automation
This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

distributed maps under branch states (i.e., Parallel) do not apply the
necessary permissions to run the state.

instead of only iterating states in the parent graph, iterate all children as well. if any of them are distributed maps, add the necessary policy.
@curquhart curquhart force-pushed the fix_distributed_map_perms branch from a820573 to a1f8263 Compare July 9, 2024 18:00
@curquhart
sorry finally got back to this... I realized adding isDistributedMap was impractical because of DistributedMap.isDistributedMap being public, which would make making it an instance method a breaking change to the public interface, and dug a bit more through the innards

i realized that child graphs are contained within allContainedStates which means we can just recursively call bind on each graph in that collection, which in turn avoids making changes outside of the original StateGraph logic (so less code touched, woohoo).

anyway! updated to do that, let me know if this makes sense
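To make the recursion described above concrete, here is an added example (not aws-cdk code): a simplified model of a state graph in which only the top-level graph is inspected (the bug) next to a recursive bind over every contained graph (the fix), with a visited set so a self-referencing graph cannot overflow the call stack. The names State, StateGraph, bindShallow and bindRecursive are this example's own, modelled loosely on the CDK classes discussed, and the sample graphs are constructed; which IAM statements the real policy carries is out of scope here, the functions only report which states need one.

```typescript
// Added example, not aws-cdk code: simplified model of nested Step Functions graphs.
interface State {
  id: string;
  isDistributedMap?: boolean;
  // Nested graphs owned by this state: the branches of a Parallel, or the item
  // processor of a Map. Mutable so a constructed cycle can be built below.
  childGraphs?: StateGraph[];
}

class StateGraph {
  constructor(public readonly states: State[]) {}
}

// Behaviour before the fix: only the top-level graph's states are inspected, so a
// DistributedMap inside a Parallel branch never has its policy attached.
function bindShallow(graph: StateGraph): string[] {
  return graph.states.filter(s => s.isDistributedMap).map(s => s.id);
}

// Behaviour after the fix: bind every contained graph recursively. The visited set
// guards against the infinite-recursion failure the PR's test comment describes.
function bindRecursive(graph: StateGraph, seen = new Set<StateGraph>()): string[] {
  if (seen.has(graph)) return [];
  seen.add(graph);
  const needPolicy: string[] = [];
  for (const s of graph.states) {
    if (s.isDistributedMap) needPolicy.push(s.id);
    for (const child of s.childGraphs ?? []) needPolicy.push(...bindRecursive(child, seen));
  }
  return needPolicy;
}

// Constructed sample: a Parallel whose second branch holds a DistributedMap, whose
// item processor in turn contains another DistributedMap.
const inner = new StateGraph([{ id: 'InnerMap', isDistributedMap: true }]);
const branchA = new StateGraph([{ id: 'PassA' }]);
const branchB = new StateGraph([{ id: 'OuterMap', isDistributedMap: true, childGraphs: [inner] }]);
const root = new StateGraph([{ id: 'Parallel', childGraphs: [branchA, branchB] }]);

// Constructed self-referencing graph (not a real Step Functions shape) to exercise
// the cycle guard: naive recursion here would overflow the call stack.
const loopMap: State = { id: 'LoopMap', isDistributedMap: true };
const cyclic = new StateGraph([loopMap]);
loopMap.childGraphs = [cyclic];

console.log(bindShallow(root));     // []  (bug: nested maps are missed)
console.log(bindRecursive(root));   // ['OuterMap', 'InnerMap']
console.log(bindRecursive(cyclic)); // ['LoopMap']
```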

@mergify mergify bot dismissed comcalvi’s stale review July 9, 2024 18:00

Pull request has been modified.

@aws-cdk-automation
AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: a1f8263
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jul 9, 2024
@TheRealAmazonKendra TheRealAmazonKendra left a comment

Thank you for your contribution! I can see that a lot of hard work went into this and it looks right. I just have a couple requests inline for improving the testing a bit.

/**
* Stack verification steps:
*
* -- aws stepfunctions describe-state-machine --state-machine-arn <stack-output> has a status of `ACTIVE`
Could you please add an assertion that does this instead of making it a manual verification step?

timeout: cdk.Duration.seconds(30),
});

new cdk.CfnOutput(stack, 'StateMachine1ARN', {
These outputs are great but we should do something with them. Perhaps add assertions that get the machine state of each of these?

// is that our permissions adding doesn't create infinite recursion as we iterate through all nested graphs.
// a failure in this test case (for the thing it is meant to test) would present as a stack overflow ("maximum call
// stack size exceeded" error.)
template.hasResource('AWS::IAM::Policy', createPolicyProps(stateMachineLogicalId));
Can we check for the expected amount of policies based off the amount of child states?

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jul 24, 2024
@curquhart
oh i just saw your comments! thanks for looking :D I'll try to address them this weekend - i looked at a couple integ tests and the (manual) way i did it was based on an existing test, i didn't realize there's a framework in other tests for validating via api, that'll be much nicer :)

@aws-cdk-automation
This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

@aws-cdk-automation
This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

@aws-cdk-automation aws-cdk-automation added the closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. label Aug 22, 2024
Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 22, 2024
Successfully merging this pull request may close these issues.

stepfunctions: DistributedMap in Parallel doesn't create DistributedMapPolicy