From 64be93b9b6f74d2da36cb119169c7c97c315a0d6 Mon Sep 17 00:00:00 2001 
From: Michael Sambol
Date: Fri, 27 Oct 2023 14:14:00 -0600
Subject: [PATCH 01/16] feat(stepfunctions-tasks): add support to EmrAddStep for runtime role
---
 ...efaultTestDeployAssert697DC891.assets.json | 19 +
 ...aultTestDeployAssert697DC891.template.json | 36 +
 ...-cdk-emr-add-step-runtime-role.assets.json | 19 +
 ...dk-emr-add-step-runtime-role.template.json | 384 +++++++++++
 .../cdk.out | 1 +
 .../integ.json | 12 +
 .../manifest.json | 155 +++++
 .../tree.json | 641 ++++++++++++++++++
 ...mr-create-cluster-add-step-runtime-role.ts | 126 ++++
 .../aws-stepfunctions-tasks/README.md | 27 +
 .../lib/emr/emr-add-step.ts | 10 +
 .../test/emr/emr-add-step.test.ts | 54 ++
 12 files changed, 1484 insertions(+)
 create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.assets.json
 create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.template.json
 create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json
 create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json
 create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/cdk.out
 create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/integ.json
 create mode 100644 
packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.assets.json new file mode 100644 index 0000000000000..4b62986ef80b7 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.assets.json @@ -0,0 +1,19 @@ +{ + "version": "34.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "EmrCreateClusterTestDefaultTestDeployAssert697DC891.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json new file mode 100644 index 0000000000000..defeb1da3a99c --- /dev/null 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json @@ -0,0 +1,19 @@ +{ + "version": "34.0.0", + "files": { + "3633145dfe23cc0bea57e11a943cc5bb455f53ea3eb826810c436d948868e8d0": { + "source": { + "path": "aws-cdk-emr-add-step-runtime-role.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "3633145dfe23cc0bea57e11a943cc5bb455f53ea3eb826810c436d948868e8d0.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json new file mode 100644 index 0000000000000..ff5827a978dea --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json 
@@ -0,0 +1,384 @@ +{ + "Resources": { + "EmrCreateClusterServiceRole5251910D": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true" + } + }, + "Effect": "Allow", + "Principal": { + "Service": "elasticmapreduce.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AmazonEMRServicePolicy_v2" + ] + ] + } + ] + } + }, + "EmrCreateClusterInstanceRoleC80466F5": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "ec2.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "EmrCreateClusterInstanceProfileC1729180": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "InstanceProfileName": { + "Ref": "EmrCreateClusterInstanceRoleC80466F5" + }, + "Roles": [ + { + "Ref": "EmrCreateClusterInstanceRoleC80466F5" + } + ] + } + }, + "EmrCreateClusterAutoScalingRoleFDDAF4E2": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": [ + "application-autoscaling.amazonaws.com", + "elasticmapreduce.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" + ] + ] + } + ] + } + }, + "Role1ABCC5F0": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + 
"EmrCreateClusterInstanceRoleC80466F5", + "Arn" + ] + } + } + } + ], + "Version": "2012-10-17" + }, + "RoleName": "EmrStepExecutionRole" + } + }, + "SMRole49C19C48": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "states.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "SMRoleDefaultPolicy34CA15C7": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "elasticmapreduce:DescribeCluster", + "elasticmapreduce:RunJobFlow", + "elasticmapreduce:TerminateJobFlows" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "iam:PassRole", + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "EmrCreateClusterAutoScalingRoleFDDAF4E2", + "Arn" + ] + }, + { + "Fn::GetAtt": [ + "EmrCreateClusterInstanceRoleC80466F5", + "Arn" + ] + }, + { + "Fn::GetAtt": [ + "EmrCreateClusterServiceRole5251910D", + "Arn" + ] + } + ] + }, + { + "Action": [ + "elasticmapreduce:AddJobFlowSteps", + "elasticmapreduce:AddTags", + "elasticmapreduce:CancelSteps", + "elasticmapreduce:DescribeCluster", + "elasticmapreduce:DescribeStep", + "elasticmapreduce:TerminateJobFlows" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":elasticmapreduce:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":cluster/*" + ] + ] + } + }, + { + "Action": [ + "events:DescribeRule", + "events:PutRule", + "events:PutTargets" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":events:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":rule/StepFunctionsGetEventForEMRAddJobFlowStepsRule" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":events:", + { + "Ref": "AWS::Region" + }, 
+ ":", + { + "Ref": "AWS::AccountId" + }, + ":rule/StepFunctionsGetEventForEMRRunJobFlowRule" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":events:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":rule/StepFunctionsGetEventForEMRTerminateJobFlowsRule" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "SMRoleDefaultPolicy34CA15C7", + "Roles": [ + { + "Ref": "SMRole49C19C48" + } + ] + } + }, + "SM934E715A": { + "Type": "AWS::StepFunctions::StateMachine", + "Properties": { + "DefinitionString": { + "Fn::Join": [ + "", + [ + "{\"StartAt\":\"EmrCreateCluster\",\"States\":{\"EmrCreateCluster\":{\"Next\":\"EmrAddStep\",\"Type\":\"Task\",\"Resource\":\"arn:", + { + "Ref": "AWS::Partition" + }, + ":states:::elasticmapreduce:createCluster.sync\",\"Parameters\":{\"Instances\":{\"KeepJobFlowAliveWhenNoSteps\":true},\"JobFlowRole\":\"", + { + "Ref": "EmrCreateClusterInstanceRoleC80466F5" + }, + "\",\"Name\":\"Cluster\",\"ServiceRole\":\"", + { + "Ref": "EmrCreateClusterServiceRole5251910D" + }, + "\",\"Applications\":[{\"Name\":\"Spark\"}],\"AutoScalingRole\":\"", + { + "Ref": "EmrCreateClusterAutoScalingRoleFDDAF4E2" + }, + "\",\"ReleaseLabel\":\"emr-6.13.0\",\"Tags\":[{\"Key\":\"Key\",\"Value\":\"Value\"}],\"VisibleToAllUsers\":true}},\"EmrAddStep\":{\"Next\":\"EmrTerminateCluster\",\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:", + { + "Ref": "AWS::Partition" + }, + ":states:::elasticmapreduce:addStep.sync\",\"Parameters\":{\"ClusterId.$\":\"$.Cluster.Id\",\"ExecutionRoleArn\":\"", + { + "Fn::GetAtt": [ + "Role1ABCC5F0", + "Arn" + ] + }, + "\",\"Step\":{\"Name\":\"AddStepRuntimeRoleIntTest\",\"ActionOnFailure\":\"TERMINATE_CLUSTER\",\"HadoopJarStep\":{\"Jar\":\"command-runner.jar\",\"Args\":[\"spark-example\",\"SparkPi\",\"1\"]}}}},\"EmrTerminateCluster\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:", + { + "Ref": "AWS::Partition" + }, + 
":states:::elasticmapreduce:terminateCluster.sync\",\"Parameters\":{\"ClusterId.$\":\"$.Cluster.Id\"}}}}" + ] + ] + }, + "RoleArn": { + "Fn::GetAtt": [ + "SMRole49C19C48", + "Arn" + ] + } + }, + "DependsOn": [ + "SMRoleDefaultPolicy34CA15C7", + "SMRole49C19C48" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/cdk.out new file mode 100644 index 0000000000000..2313ab5436501 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"34.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/integ.json new file mode 100644 index 0000000000000..717b603cf3142 --- /dev/null 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "34.0.0", + "testCases": { + "EmrCreateClusterTest/DefaultTest": { + "stacks": [ + "aws-cdk-emr-add-step-runtime-role" + ], + "assertionStack": "EmrCreateClusterTest/DefaultTest/DeployAssert", + "assertionStackName": "EmrCreateClusterTestDefaultTestDeployAssert697DC891" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json new file mode 100644 index 0000000000000..8678b01729871 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json 
@@ -0,0 +1,155 @@ +{ + "version": "34.0.0", + "artifacts": { + "aws-cdk-emr-add-step-runtime-role.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "aws-cdk-emr-add-step-runtime-role.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "aws-cdk-emr-add-step-runtime-role": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "aws-cdk-emr-add-step-runtime-role.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/3633145dfe23cc0bea57e11a943cc5bb455f53ea3eb826810c436d948868e8d0.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "aws-cdk-emr-add-step-runtime-role.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "aws-cdk-emr-add-step-runtime-role.assets" + ], + "metadata": { + "/aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/ServiceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "EmrCreateClusterServiceRole5251910D" + } + ], + "/aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/InstanceRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "EmrCreateClusterInstanceRoleC80466F5" + } + ], + 
"/aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/InstanceProfile": [ + { + "type": "aws:cdk:logicalId", + "data": "EmrCreateClusterInstanceProfileC1729180" + } + ], + "/aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/AutoScalingRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "EmrCreateClusterAutoScalingRoleFDDAF4E2" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Role/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "Role1ABCC5F0" + } + ], + "/aws-cdk-emr-add-step-runtime-role/SM/Role/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "SMRole49C19C48" + } + ], + "/aws-cdk-emr-add-step-runtime-role/SM/Role/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "SMRoleDefaultPolicy34CA15C7" + } + ], + "/aws-cdk-emr-add-step-runtime-role/SM/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "SM934E715A" + } + ], + "/aws-cdk-emr-add-step-runtime-role/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/aws-cdk-emr-add-step-runtime-role/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "aws-cdk-emr-add-step-runtime-role" + }, + "EmrCreateClusterTestDefaultTestDeployAssert697DC891.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "EmrCreateClusterTestDefaultTestDeployAssert697DC891.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "EmrCreateClusterTestDefaultTestDeployAssert697DC891": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "EmrCreateClusterTestDefaultTestDeployAssert697DC891.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + 
"cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "EmrCreateClusterTestDefaultTestDeployAssert697DC891.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "EmrCreateClusterTestDefaultTestDeployAssert697DC891.assets" + ], + "metadata": { + "/EmrCreateClusterTest/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/EmrCreateClusterTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "EmrCreateClusterTest/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json new file mode 100644 index 0000000000000..829cbedb4edbd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json 
@@ -0,0 +1,641 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "aws-cdk-emr-add-step-runtime-role": { + "id": "aws-cdk-emr-add-step-runtime-role", + "path": "aws-cdk-emr-add-step-runtime-role", + "children": { + "EmrCreateCluster": { + "id": "EmrCreateCluster", + "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster", + "children": { + "ServiceRole": { + "id": "ServiceRole", + "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/ServiceRole", + "children": { + "ImportServiceRole": { + "id": "ImportServiceRole", + "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/ServiceRole/ImportServiceRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/ServiceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true" + } + }, + "Effect": "Allow", + "Principal": { + "Service": "elasticmapreduce.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AmazonEMRServicePolicy_v2" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "InstanceRole": { + "id": "InstanceRole", + "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/InstanceRole", + "children": { + "ImportInstanceRole": { + "id": "ImportInstanceRole", + "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/InstanceRole/ImportInstanceRole", + "constructInfo": { + "fqn": 
"aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/InstanceRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "ec2.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "InstanceProfile": { + "id": "InstanceProfile", + "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/InstanceProfile", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::InstanceProfile", + "aws:cdk:cloudformation:props": { + "instanceProfileName": { + "Ref": "EmrCreateClusterInstanceRoleC80466F5" + }, + "roles": [ + { + "Ref": "EmrCreateClusterInstanceRoleC80466F5" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnInstanceProfile", + "version": "0.0.0" + } + }, + "AutoScalingRole": { + "id": "AutoScalingRole", + "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/AutoScalingRole", + "children": { + "ImportAutoScalingRole": { + "id": "ImportAutoScalingRole", + "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/AutoScalingRole/ImportAutoScalingRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/AutoScalingRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": [ + "application-autoscaling.amazonaws.com", + 
"elasticmapreduce.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_stepfunctions_tasks.EmrCreateCluster", + "version": "0.0.0" + } + }, + "Role": { + "id": "Role", + "path": "aws-cdk-emr-add-step-runtime-role/Role", + "children": { + "ImportRole": { + "id": "ImportRole", + "path": "aws-cdk-emr-add-step-runtime-role/Role/ImportRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-cdk-emr-add-step-runtime-role/Role/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "EmrCreateClusterInstanceRoleC80466F5", + "Arn" + ] + } + } + } + ], + "Version": "2012-10-17" + }, + "roleName": "EmrStepExecutionRole" + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "EmrAddStep": { + "id": "EmrAddStep", + "path": "aws-cdk-emr-add-step-runtime-role/EmrAddStep", + "constructInfo": { + "fqn": "aws-cdk-lib.aws_stepfunctions.TaskStateBase", + "version": "0.0.0" + } + }, + "EmrTerminateCluster": { + "id": "EmrTerminateCluster", + "path": "aws-cdk-emr-add-step-runtime-role/EmrTerminateCluster", + "constructInfo": { + "fqn": "aws-cdk-lib.aws_stepfunctions_tasks.EmrTerminateCluster", + "version": "0.0.0" + } + }, 
+ "SM": { + "id": "SM", + "path": "aws-cdk-emr-add-step-runtime-role/SM", + "children": { + "Role": { + "id": "Role", + "path": "aws-cdk-emr-add-step-runtime-role/SM/Role", + "children": { + "ImportRole": { + "id": "ImportRole", + "path": "aws-cdk-emr-add-step-runtime-role/SM/Role/ImportRole", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-cdk-emr-add-step-runtime-role/SM/Role/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "states.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" + } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "aws-cdk-emr-add-step-runtime-role/SM/Role/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-emr-add-step-runtime-role/SM/Role/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": [ + "elasticmapreduce:DescribeCluster", + "elasticmapreduce:RunJobFlow", + "elasticmapreduce:TerminateJobFlows" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Action": "iam:PassRole", + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "EmrCreateClusterAutoScalingRoleFDDAF4E2", + "Arn" + ] + }, + { + "Fn::GetAtt": [ + "EmrCreateClusterInstanceRoleC80466F5", + "Arn" + ] + }, + { + "Fn::GetAtt": [ + "EmrCreateClusterServiceRole5251910D", + "Arn" + ] + } + ] + }, + { + "Action": [ + "elasticmapreduce:AddJobFlowSteps", + "elasticmapreduce:AddTags", + "elasticmapreduce:CancelSteps", + "elasticmapreduce:DescribeCluster", + "elasticmapreduce:DescribeStep", + 
"elasticmapreduce:TerminateJobFlows" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":elasticmapreduce:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":cluster/*" + ] + ] + } + }, + { + "Action": [ + "events:DescribeRule", + "events:PutRule", + "events:PutTargets" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":events:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":rule/StepFunctionsGetEventForEMRAddJobFlowStepsRule" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":events:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":rule/StepFunctionsGetEventForEMRRunJobFlowRule" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":events:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":rule/StepFunctionsGetEventForEMRTerminateJobFlowsRule" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "policyName": "SMRoleDefaultPolicy34CA15C7", + "roles": [ + { + "Ref": "SMRole49C19C48" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": "aws-cdk-emr-add-step-runtime-role/SM/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::StepFunctions::StateMachine", + "aws:cdk:cloudformation:props": { + "definitionString": { + "Fn::Join": [ + "", + [ + "{\"StartAt\":\"EmrCreateCluster\",\"States\":{\"EmrCreateCluster\":{\"Next\":\"EmrAddStep\",\"Type\":\"Task\",\"Resource\":\"arn:", + { + "Ref": "AWS::Partition" + }, + 
":states:::elasticmapreduce:createCluster.sync\",\"Parameters\":{\"Instances\":{\"KeepJobFlowAliveWhenNoSteps\":true},\"JobFlowRole\":\"", + { + "Ref": "EmrCreateClusterInstanceRoleC80466F5" + }, + "\",\"Name\":\"Cluster\",\"ServiceRole\":\"", + { + "Ref": "EmrCreateClusterServiceRole5251910D" + }, + "\",\"Applications\":[{\"Name\":\"Spark\"}],\"AutoScalingRole\":\"", + { + "Ref": "EmrCreateClusterAutoScalingRoleFDDAF4E2" + }, + "\",\"ReleaseLabel\":\"emr-6.13.0\",\"Tags\":[{\"Key\":\"Key\",\"Value\":\"Value\"}],\"VisibleToAllUsers\":true}},\"EmrAddStep\":{\"Next\":\"EmrTerminateCluster\",\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:", + { + "Ref": "AWS::Partition" + }, + ":states:::elasticmapreduce:addStep.sync\",\"Parameters\":{\"ClusterId.$\":\"$.Cluster.Id\",\"ExecutionRoleArn\":\"", + { + "Fn::GetAtt": [ + "Role1ABCC5F0", + "Arn" + ] + }, + "\",\"Step\":{\"Name\":\"AddStepRuntimeRoleIntTest\",\"ActionOnFailure\":\"TERMINATE_CLUSTER\",\"HadoopJarStep\":{\"Jar\":\"command-runner.jar\",\"Args\":[\"spark-example\",\"SparkPi\",\"1\"]}}}},\"EmrTerminateCluster\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:", + { + "Ref": "AWS::Partition" + }, + ":states:::elasticmapreduce:terminateCluster.sync\",\"Parameters\":{\"ClusterId.$\":\"$.Cluster.Id\"}}}}" + ] + ] + }, + "roleArn": { + "Fn::GetAtt": [ + "SMRole49C19C48", + "Arn" + ] + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_stepfunctions.CfnStateMachine", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_stepfunctions.StateMachine", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "aws-cdk-emr-add-step-runtime-role/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "aws-cdk-emr-add-step-runtime-role/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": 
"0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "EmrCreateClusterTest": { + "id": "EmrCreateClusterTest", + "path": "EmrCreateClusterTest", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "EmrCreateClusterTest/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "EmrCreateClusterTest/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "EmrCreateClusterTest/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "EmrCreateClusterTest/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "EmrCreateClusterTest/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.2.70" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts new file mode 100644 index 0000000000000..6cd84f3b622f1 --- /dev/null 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts 
@@ -0,0 +1,126 @@ +import * as sfn from 'aws-cdk-lib/aws-stepfunctions'; +import * as iam from 'aws-cdk-lib/aws-iam'; +import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks'; +import { App, Stack } from 'aws-cdk-lib'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; + +/* + * Create a state machine with an EMR cluster and adds a step. + * + * PREREQUISITES: + * 1. Fill in the instances block for EmrCreateCluster + * 2. Create the security configuration as specified here: https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ + * 3. Add the security configuration to EmrCreateCluster + * 4. Upload the runtime role's trust policy as outlined below + * + * Stack verification steps: + * The generated State Machine can be executed from the CLI (or Step Functions console) + * and runs with an execution status of `Succeeded`. + * + * -- aws stepfunctions start-execution --state-machine-arn provides execution arn + * -- aws stepfunctions describe-execution --execution-arn returns a status of `Succeeded` + */ + +const app = new App(); +const stack = new Stack(app, 'aws-cdk-emr-add-step-runtime-role'); + +const createClusterStep = new tasks.EmrCreateCluster(stack, 'EmrCreateCluster', { + instances: { + /* + instanceFleets: [ + { + instanceFleetType: tasks.EmrCreateCluster.InstanceRoleType.MASTER, + instanceTypeConfigs: [ + { + instanceType: 'm5.xlarge', + }, + ], + targetOnDemandCapacity: 1, + }, + ], + ec2SubnetId: 'subnet-xxxxxx', + */ + }, + name: 'Cluster', + releaseLabel: 'emr-6.13.0', + integrationPattern: sfn.IntegrationPattern.RUN_JOB, + tags: { + Key: 'Value', + }, + //securityConfiguration: 'security-group-configuration', + applications: [ + { + name: 'Spark', + }, + ], +}); + +const executionRole = new iam.Role(stack, 'Role', { + roleName: 'EmrStepExecutionRole', + assumedBy: new iam.ArnPrincipal(createClusterStep.clusterRole.roleArn), +}); + +/* 
+The trust policy of the runtime execution role needs to have the following: +@see - https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::role/" + }, + "Action": "sts:AssumeRole" + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::role/" + }, + "Action": "sts:SetSourceIdentity" + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::role/" + }, + "Action": "sts:TagSession", + "Condition": { + "StringEquals": { + "aws:RequestTag/LakeFormationAuthorizedCaller": "Amazon EMR" + } + } + } + ] +} +*/ + +const addStepStep = new tasks.EmrAddStep(stack, 'EmrAddStep', { + resultPath: sfn.JsonPath.DISCARD, // pass cluster id to terminate step + clusterId: sfn.JsonPath.stringAt('$.Cluster.Id'), + name: 'AddStepRuntimeRoleIntTest', + jar: 'command-runner.jar', + args: [ + 'spark-example', + 'SparkPi', + '1', + ], + executionRole: executionRole.roleArn, + actionOnFailure: tasks.ActionOnFailure.TERMINATE_CLUSTER, +}); + +const terminationStep = new tasks.EmrTerminateCluster(stack, 'EmrTerminateCluster', { + clusterId: sfn.JsonPath.stringAt('$.Cluster.Id'), + integrationPattern: sfn.IntegrationPattern.RUN_JOB, +}); + +const definition = createClusterStep.next(addStepStep).next(terminationStep); + +new sfn.StateMachine(stack, 'SM', { + definition, +}); + +new IntegTest(app, 'EmrCreateClusterTest', { + testCases: [stack], +}); diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md index 8f32286484f39..8cc5e7ca315f7 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md 
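Review bot: `securityConfiguration` is commented out in the `EmrCreateCluster` props and `instances` is left empty, yet the README added in this same patch says the cluster must be created with a security configuration for a runtime role to work. The snapshot agrees with the code: the `createCluster.sync` parameters in tree.json carry no security configuration. So as committed, this file checks synthesis only, and the PREREQUISITES block asks whoever runs it to edit the source by hand first. I would either create the security configuration inside the stack or say so in the header comment, e.g. `* NOTE: the checked-in snapshot is synthesized without a security configuration; the step will not run with the runtime role until steps 1-3 are done.`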
@@ -660,6 +660,33 @@ new tasks.EmrAddStep(this, 'Task', { }); ``` +### Add Step with Runtime Role + +Adds a new step with a runtime role to a running cluster. +Corresponds to the [`addJobFlowSteps`](https://docs.aws.amazon.com/emr/latest/APIReference/API_AddJobFlowSteps.html) API in EMR. + +**Note:** The EMR cluster must be created with a security configuration and the runtime role must have a specific trust policy. +See this [blog](https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/) for details. + +```ts +new tasks.EmrCreateCluster(this, 'Create Cluster', { + instances: {}, + clusterRole, + name: sfn.TaskInput.fromJsonPathAt('$.ClusterName').value, + serviceRole, + autoScalingRole, + securityConfiguration: 'SecurityConfigurationForRuntimeRoles', +}); + +new tasks.EmrAddStep(this, 'Task', { + clusterId: 'ClusterId', + executionRole: 'ExecutionRoleArn', + name: 'StepName', + jar: 'Jar', + actionOnFailure: tasks.ActionOnFailure.CONTINUE, +}); +``` + ### Cancel Step Cancels a pending step in a running cluster. diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/emr/emr-add-step.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/emr/emr-add-step.ts index b7373d0b95d9b..574ef4fe62356 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/emr/emr-add-step.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/emr/emr-add-step.ts @@ -89,6 +89,15 @@ export interface EmrAddStepProps extends sfn.TaskStateBaseProps { * @default - No properties */ readonly properties?: { [key: string]: string }; + + /** + * The Amazon Resource Name (ARN) of the runtime role for a step on the cluster. + * + * @see https://docs.aws.amazon.com/emr/latest/APIReference/API_AddJobFlowSteps.html#API_AddJobFlowSteps_RequestSyntax + * + * @default - No step-specific role, uses EC2 instance profile role + */ + readonly executionRole?: string; } /** 
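Review bot: The JSDoc on `executionRole` in `EmrAddStepProps` omits the two prerequisites that the README hunk in this patch calls out: the cluster needs a security configuration, and the role needs a specific trust policy. Without them the property reads as if any role ARN will work. I would add a line such as `* The cluster must be created with a security configuration, and this role must trust the cluster's EC2 instance role for sts:AssumeRole, sts:SetSourceIdentity and sts:TagSession.` These three actions are the ones listed in the trust-policy comment of the integ test in this patch. The property holds an ARN string rather than a role, so a name like `executionRoleArn` would make call sites clearer. The interface begins outside the hunk.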
@@ -128,6 +137,7 @@ export class EmrAddStep extends sfn.TaskStateBase { Resource: integrationResourceArn('elasticmapreduce', 'addStep', this.integrationPattern), Parameters: sfn.FieldUtils.renderObject({ ClusterId: this.props.clusterId, + ExecutionRoleArn: this.props.executionRole, Step: { Name: this.props.name, ActionOnFailure: this.actionOnFailure.valueOf(), diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts index 5e3e2b8674bb7..8f7de46e12fba 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts @@ -2,6 +2,7 @@ import { Template } from '../../../assertions'; import * as sfn from '../../../aws-stepfunctions'; import * as cdk from '../../../core'; import * as tasks from '../../lib'; +import * as iam from '../../../aws-iam'; let stack: cdk.Stack; 
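Review bot: `ExecutionRoleArn: this.props.executionRole` goes through `sfn.FieldUtils.renderObject` unchecked, so a JSON path value would presumably render as `ExecutionRoleArn.$`, the same way `ClusterId.$` does in the snapshot. In that case the role a step runs under is chosen by whoever supplies the execution input rather than by the stack author. If that is intended, state it on the property. If not, reject it at construction time, e.g. `if (props.executionRole && sfn.JsonPath.isEncodedJsonPath(props.executionRole)) { throw new Error('executionRole must be a role ARN, not a JSON path'); }`. The method body continues outside the hunk, so a check may already exist there.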
@@ -49,6 +50,59 @@ test('Add Step with static ClusterId and Step configuration', () => { }); }); +test('Add Step with execution role ARN', () => { + const executionRole = new iam.Role(stack, 'Role', { + roleName: 'EmrStepExecutionRole', + // The actual trust policy policy required is more complicated, but abbreviated here for brevity. + // @see - https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ + assumedBy: new iam.ServicePrincipal('elasticmapreduce.amazonaws.com'), + }); + + // WHEN + const task = new tasks.EmrAddStep(stack, 'Task', { + clusterId: 'ClusterId', + name: 'StepName', + jar: 'Jar', + actionOnFailure: tasks.ActionOnFailure.CONTINUE, + integrationPattern: sfn.IntegrationPattern.RUN_JOB, + executionRole: executionRole.roleArn, + }); + + // THEN + expect(stack.resolve(task.toStateJson())).toEqual({ + Type: 'Task', + Resource: { + 'Fn::Join': [ + '', + [ + 'arn:', + { + Ref: 'AWS::Partition', + }, + ':states:::elasticmapreduce:addStep.sync', + ], + ], + }, + End: true, + Parameters: { + ClusterId: 'ClusterId', + ExecutionRoleArn: { + 'Fn::GetAtt': [ + 'Role1ABCC5F0', + 'Arn', + ], + }, + Step: { + Name: 'StepName', + ActionOnFailure: 'CONTINUE', + HadoopJarStep: { + Jar: 'Jar', + }, + }, + }, + }); +}); + test('Terminate cluster with ClusterId from payload and static Step configuration', () => { // WHEN const task = new tasks.EmrAddStep(stack, 'Task', { From 2cef154657cc64f75c189b35e9d2b179928bfb1a Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Fri, 27 Oct 2023 14:42:06 -0600 Subject: [PATCH 02/16] fix import order --- .../aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts index 8f7de46e12fba..fa2c9ff12b3be 100644 
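Review bot: The role in 'Add Step with execution role ARN' trusts `elasticmapreduce.amazonaws.com`, whereas the integ test in this patch and its trust-policy comment use the cluster's instance role as the principal. The inline comment says the policy is abbreviated but not that the principal itself is a stand-in, so a reader copying this test would likely end up with a role that cluster steps cannot assume. I would reword the comment to `// Placeholder trust policy: a real runtime role must trust the cluster's EC2 instance role (see the integ test), not the EMR service principal.` The fixed `roleName: 'EmrStepExecutionRole'` can also be dropped, since the assertion only checks the `Fn::GetAtt` on the logical id.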
--- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts @@ -1,8 +1,8 @@ import { Template } from '../../../assertions'; +import * as iam from '../../../aws-iam'; import * as sfn from '../../../aws-stepfunctions'; import * as cdk from '../../../core'; import * as tasks from '../../lib'; -import * as iam from '../../../aws-iam'; let stack: cdk.Stack; From bd9568a5cf625bc38247dbfcdd2007d5a4626ac9 Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Fri, 27 Oct 2023 15:17:07 -0600 Subject: [PATCH 03/16] fix readme --- .../integ.emr-create-cluster-add-step-runtime-role.ts | 4 ++-- .../aws-cdk-lib/aws-stepfunctions-tasks/README.md | 11 +++++++++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts index 6cd84f3b622f1..3ea0ae2350e65 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts 
@@ -9,9 +9,9 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha'; * * PREREQUISITES: * 1. Fill in the instances block for EmrCreateCluster - * 2. Create the security configuration as specified here: https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ + * 2. Create the EMR security configuration: https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ * 3. Add the security configuration to EmrCreateCluster - * 4. Upload the runtime role's trust policy as outlined below + * 4. Update the runtime role's trust policy as outlined below * * Stack verification steps: * The generated State Machine can be executed from the CLI (or Step Functions console) diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md index 8cc5e7ca315f7..8f53ef74a7966 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md 
@@ -669,13 +669,20 @@ Corresponds to the [`addJobFlowSteps`](https://docs.aws.amazon.com/emr/latest/AP See this [blog](https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/) for details. ```ts +const clusterRole = new iam.Role(this, 'ClusterRole', { + assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'), +}); + +const serviceRole = new iam.Role(this, 'ServiceRole', { + assumedBy: new iam.ServicePrincipal('elasticmapreduce.amazonaws.com'), +}); + new tasks.EmrCreateCluster(this, 'Create Cluster', { instances: {}, clusterRole, name: sfn.TaskInput.fromJsonPathAt('$.ClusterName').value, serviceRole, - autoScalingRole, - securityConfiguration: 'SecurityConfigurationForRuntimeRoles', + securityConfiguration: 'SecurityConfiguration', }); new tasks.EmrAddStep(this, 'Task', { From d397944e30711c5e0c4344c3637575ff529b84e7 Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Fri, 27 Oct 2023 15:50:12 -0600 Subject: [PATCH 04/16] minor doc edits --- .../emr/integ.emr-create-cluster-add-step-runtime-role.ts | 4 ++-- .../aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts index 3ea0ae2350e65..e710698fe54af 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts 
@@ -5,7 +5,7 @@ import { App, Stack } from 'aws-cdk-lib'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; /* - * Create a state machine with an EMR cluster and adds a step. + * Create a state machine with an EMR cluster and adds a step that uses a runtime role. * * PREREQUISITES: * 1. Fill in the instances block for EmrCreateCluster @@ -62,7 +62,7 @@ const executionRole = new iam.Role(stack, 'Role', { /* The trust policy of the runtime execution role needs to have the following: -@see - https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ +@see https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ { "Version": "2012-10-17", "Statement": [ diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts index fa2c9ff12b3be..e31d1e61450e3 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts 
@@ -53,8 +53,8 @@ test('Add Step with static ClusterId and Step configuration', () => { test('Add Step with execution role ARN', () => { const executionRole = new iam.Role(stack, 'Role', { roleName: 'EmrStepExecutionRole', - // The actual trust policy policy required is more complicated, but abbreviated here for brevity. - // @see - https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ + // The actual trust policy required is more complicated, but abbreviated here for brevity. + // @see https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ assumedBy: new iam.ServicePrincipal('elasticmapreduce.amazonaws.com'), }); From f7cc503bb1d10b78468060975d97b68d14e36ac0 Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Fri, 27 Oct 2023 15:54:56 -0600 Subject: [PATCH 05/16] fix name --- .../test/emr/integ.emr-create-cluster-add-step-runtime-role.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts index e710698fe54af..e9004bfd10ddc 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts @@ -47,7 +47,7 @@ const createClusterStep = new tasks.EmrCreateCluster(stack, 'EmrCreateCluster', tags: { Key: 'Value', }, - //securityConfiguration: 'security-group-configuration', + //securityConfiguration: 'security-configuration', applications: [ { name: 'Spark', 
From f6a0cc53ca6eed9632006576342bd6232240932e Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Sat, 28 Oct 2023 13:27:03 -0600 Subject: [PATCH 06/16] add feedback from Luca --- ...-cdk-emr-add-step-runtime-role.assets.json | 4 +- ...dk-emr-add-step-runtime-role.template.json | 32 ++++++++- .../manifest.json | 7 +- .../tree.json | 32 ++++++++- ...mr-create-cluster-add-step-runtime-role.ts | 65 ++++++++----------- .../aws-stepfunctions-tasks/README.md | 7 +- .../test/emr/emr-add-step.test.ts | 2 +- 7 files changed, 97 insertions(+), 52 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json index defeb1da3a99c..23393bc9c900e 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json @@ -1,7 +1,7 @@ { "version": "34.0.0", "files": { - "3633145dfe23cc0bea57e11a943cc5bb455f53ea3eb826810c436d948868e8d0": { + "14f2decff3544ff7c2f4f88741424a871213d803b68515cb4758a8922ac62dd2": { "source": { "path": "aws-cdk-emr-add-step-runtime-role.template.json", "packaging": "file" 
@@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "3633145dfe23cc0bea57e11a943cc5bb455f53ea3eb826810c436d948868e8d0.json", + "objectKey": "14f2decff3544ff7c2f4f88741424a871213d803b68515cb4758a8922ac62dd2.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json index ff5827a978dea..1af517cb4e372 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json @@ -116,11 +116,39 @@ ] } } + }, + { + "Action": "sts:SetSourceIdentity", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "EmrCreateClusterInstanceRoleC80466F5", + "Arn" + ] + } + } + }, + { + "Action": "sts:TagSession", + "Condition": { + "StringEquals": { + "aws:RequestTag/LakeFormationAuthorizedCaller": "Amazon EMR" + } + }, + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "EmrCreateClusterInstanceRoleC80466F5", + "Arn" + ] + } + } } ], "Version": "2012-10-17" - }, - "RoleName": "EmrStepExecutionRole" + } } }, "SMRole49C19C48": { 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json index 8678b01729871..9916d4ad677c2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/3633145dfe23cc0bea57e11a943cc5bb455f53ea3eb826810c436d948868e8d0.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/14f2decff3544ff7c2f4f88741424a871213d803b68515cb4758a8922ac62dd2.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -61,7 +61,10 @@ "/aws-cdk-emr-add-step-runtime-role/Role/Resource": [ { "type": "aws:cdk:logicalId", - "data": "Role1ABCC5F0" + "data": "Role1ABCC5F0", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_REPLACE" + ] } ], "/aws-cdk-emr-add-step-runtime-role/SM/Role/Resource": [ 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json index 829cbedb4edbd..fa42af3e07de6 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json @@ -235,11 +235,39 @@ ] } } + }, + { + "Action": "sts:SetSourceIdentity", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "EmrCreateClusterInstanceRoleC80466F5", + "Arn" + ] + } + } + }, + { + "Action": "sts:TagSession", + "Condition": { + "StringEquals": { + "aws:RequestTag/LakeFormationAuthorizedCaller": "Amazon EMR" + } + }, + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "EmrCreateClusterInstanceRoleC80466F5", + "Arn" + ] + } + } } ], "Version": "2012-10-17" - }, - "roleName": "EmrStepExecutionRole" + } } }, "constructInfo": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts index e9004bfd10ddc..5f0aed6dbaa52 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts 
@@ -7,11 +7,11 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha'; /* * Create a state machine with an EMR cluster and adds a step that uses a runtime role. * - * PREREQUISITES: + * Prerequisites: * 1. Fill in the instances block for EmrCreateCluster - * 2. Create the EMR security configuration: https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ + * 2. Create the EMR security configuration, see https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-create-security-configuration.html and + * https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ * 3. Add the security configuration to EmrCreateCluster - * 4. Update the runtime role's trust policy as outlined below * * Stack verification steps: * The generated State Machine can be executed from the CLI (or Step Functions console) 
@@ -56,45 +56,34 @@ const createClusterStep = new tasks.EmrCreateCluster(stack, 'EmrCreateCluster', }); const executionRole = new iam.Role(stack, 'Role', { - roleName: 'EmrStepExecutionRole', assumedBy: new iam.ArnPrincipal(createClusterStep.clusterRole.roleArn), }); -/* -The trust policy of the runtime execution role needs to have the following: -@see https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::role/" - }, - "Action": "sts:AssumeRole" - }, - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::role/" - }, - "Action": "sts:SetSourceIdentity" +executionRole.assumeRolePolicy?.addStatements( + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + principals: [ + createClusterStep.clusterRole, + ], + actions: [ + 'sts:SetSourceIdentity', + ], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + principals: [ + createClusterStep.clusterRole, + ], + actions: [ + 'sts:TagSession', + ], + conditions: { + StringEquals: { + 'aws:RequestTag/LakeFormationAuthorizedCaller': 'Amazon EMR', }, - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::role/" - }, - "Action": "sts:TagSession", - "Condition": { - "StringEquals": { - "aws:RequestTag/LakeFormationAuthorizedCaller": "Amazon EMR" - } - } - } - ] -} -*/ + }, + }), +); const addStepStep = new tasks.EmrAddStep(stack, 'EmrAddStep', { resultPath: sfn.JsonPath.DISCARD, // pass cluster id to terminate step diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md index 8f53ef74a7966..f113b13de70a5 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md 
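Review bot: `executionRole.assumeRolePolicy?.addStatements(...)` does nothing when `assumeRolePolicy` is undefined, so the role would be deployed with only the `sts:AssumeRole` statement from `assumedBy`. The missing `sts:SetSourceIdentity` and `sts:TagSession` grants would then show up as a failed step at run time rather than as a synth error. The role is built with `new iam.Role` a few lines above, so the policy should always exist and the optional chain only hides a broken assumption. I would fail loudly before the call: `if (!executionRole.assumeRolePolicy) { throw new Error('execution role has no trust policy'); }`. Both statements also repeat the `assumedBy` principal, so a one-line comment that the three must name the same cluster role would help the next editor.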
@@ -660,13 +660,10 @@ new tasks.EmrAddStep(this, 'Task', { }); ``` -### Add Step with Runtime Role - -Adds a new step with a runtime role to a running cluster. -Corresponds to the [`addJobFlowSteps`](https://docs.aws.amazon.com/emr/latest/APIReference/API_AddJobFlowSteps.html) API in EMR. +To specify a custom runtime role use the `executionRole` property. **Note:** The EMR cluster must be created with a security configuration and the runtime role must have a specific trust policy. -See this [blog](https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/) for details. +See this [blog post](https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/) for more details. ```ts const clusterRole = new iam.Role(this, 'ClusterRole', { diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts index e31d1e61450e3..8be8c036343a7 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts @@ -54,7 +54,7 @@ test('Add Step with execution role ARN', () => { const executionRole = new iam.Role(stack, 'Role', { roleName: 'EmrStepExecutionRole', // The actual trust policy required is more complicated, but abbreviated here for brevity. - // @see https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ + // See https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ assumedBy: new iam.ServicePrincipal('elasticmapreduce.amazonaws.com'), }); 
From 31e5ef8cfd5a92dda28ac48df7032125f7ac44fa Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Sun, 29 Oct 2023 15:58:40 -0600 Subject: [PATCH 07/16] second round of feedback --- ...-cdk-emr-add-step-runtime-role.assets.json | 4 +- ...dk-emr-add-step-runtime-role.template.json | 462 +++++++++-- .../manifest.json | 166 +++- .../tree.json | 748 ++++++++++++++++-- ...mr-create-cluster-add-step-runtime-role.ts | 37 +- .../aws-stepfunctions-tasks/README.md | 61 +- .../lib/emr/emr-add-step.ts | 7 +- .../test/emr/emr-add-step.test.ts | 2 +- 8 files changed, 1330 insertions(+), 157 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json index 23393bc9c900e..07dfc046b2bdd 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json @@ -1,7 +1,7 @@ { "version": "34.0.0", "files": { - "14f2decff3544ff7c2f4f88741424a871213d803b68515cb4758a8922ac62dd2": { + "8de157a5dd03c1169364dbe7f19595c7cbd503a878ead1e759ee4335181c999e": { "source": { "path": "aws-cdk-emr-add-step-runtime-role.template.json", "packaging": "file" 
@@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "14f2decff3544ff7c2f4f88741424a871213d803b68515cb4758a8922ac62dd2.json", + "objectKey": "8de157a5dd03c1169364dbe7f19595c7cbd503a878ead1e759ee4335181c999e.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json index 1af517cb4e372..1e0989d7ee067 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json 
@@ -1,5 +1,415 @@ { "Resources": { + "Vpc8378EB38": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsHostnames": true, + "EnableDnsSupport": true, + "InstanceTenancy": "default", + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-emr-add-step-runtime-role/Vpc" + } + ] + } + }, + "VpcPublicSubnet1Subnet5C2D37C4": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 0, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.0.0/18", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "VpcPublicSubnet1RouteTable6C95E38E": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "VpcPublicSubnet1RouteTableAssociation97140677": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + } + } + }, + "VpcPublicSubnet1DefaultRoute3DA9E72A": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + }, + "RouteTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet1EIPD7E02669": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" + } + ] + } + }, + "VpcPublicSubnet1NATGateway4D7517AA": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "AllocationId": { + "Fn::GetAtt": [ + 
"VpcPublicSubnet1EIPD7E02669", + "AllocationId" + ] + }, + "SubnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + }, + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" + } + ] + }, + "DependsOn": [ + "VpcPublicSubnet1DefaultRoute3DA9E72A", + "VpcPublicSubnet1RouteTableAssociation97140677" + ] + }, + "VpcPublicSubnet2Subnet691E08A3": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 1, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.64.0/18", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "VpcPublicSubnet2RouteTable94F7E489": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "VpcPublicSubnet2RouteTableAssociationDD5762D8": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" + }, + "SubnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + } + } + }, + "VpcPublicSubnet2DefaultRoute97F91067": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VpcIGWD7BA715C" + }, + "RouteTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" + } + }, + "DependsOn": [ + "VpcVPCGWBF912B6E" + ] + }, + "VpcPublicSubnet2EIP3C605A87": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" + } + ] + } + }, + "VpcPublicSubnet2NATGateway9182C01D": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "AllocationId": { 
+ "Fn::GetAtt": [ + "VpcPublicSubnet2EIP3C605A87", + "AllocationId" + ] + }, + "SubnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + }, + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" + } + ] + }, + "DependsOn": [ + "VpcPublicSubnet2DefaultRoute97F91067", + "VpcPublicSubnet2RouteTableAssociationDD5762D8" + ] + }, + "VpcPrivateSubnet1Subnet536B997A": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 0, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.128.0/18", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1" + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "VpcPrivateSubnet1RouteTableB2C5B500": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1" + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "VpcPrivateSubnet1RouteTableAssociation70C59FA6": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet1Subnet536B997A" + } + } + }, + "VpcPrivateSubnet1DefaultRouteBE02A9ED": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet1NATGateway4D7517AA" + }, + "RouteTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + } + } + }, + "VpcPrivateSubnet2Subnet3788AAA1": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 1, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.192.0/18", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + 
"Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2" + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "VpcPrivateSubnet2RouteTableA678073B": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2" + } + ], + "VpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "VpcPrivateSubnet2RouteTableAssociationA89CAD56": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" + }, + "SubnetId": { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + } + } + }, + "VpcPrivateSubnet2DefaultRoute060D2087": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VpcPublicSubnet2NATGateway9182C01D" + }, + "RouteTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" + } + } + }, + "VpcIGWD7BA715C": { + "Type": "AWS::EC2::InternetGateway", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-emr-add-step-runtime-role/Vpc" + } + ] + } + }, + "VpcVPCGWBF912B6E": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "InternetGatewayId": { + "Ref": "VpcIGWD7BA715C" + }, + "VpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "EmrSecurityConfiguration": { + "Type": "AWS::EMR::SecurityConfiguration", + "Properties": { + "Name": "AddStepRuntimeRoleSecConfig", + "SecurityConfiguration": { + "AuthorizationConfiguration": { + "IAMConfiguration": { + "EnableApplicationScopedIAMRole": true, + "ApplicationScopedIAMRoleConfiguration": { + "PropagateSourceIdentity": true + } + }, + "LakeFormationConfiguration": { + "AuthorizedSessionTagValue": "Amazon EMR" + } + } + } + } + }, "EmrCreateClusterServiceRole5251910D": { "Type": "AWS::IAM::Role", "Properties": { 
@@ -66,40 +476,6 @@ ] } }, - "EmrCreateClusterAutoScalingRoleFDDAF4E2": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": [ - "application-autoscaling.amazonaws.com", - "elasticmapreduce.amazonaws.com" - ] - } - } - ], - "Version": "2012-10-17" - }, - "ManagedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" - ] - ] - } - ] - } - }, "Role1ABCC5F0": { "Type": "AWS::IAM::Role", "Properties": { @@ -186,12 +562,6 @@ "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ - { - "Fn::GetAtt": [ - "EmrCreateClusterAutoScalingRoleFDDAF4E2", - "Arn" - ] - }, { "Fn::GetAtt": [ "EmrCreateClusterInstanceRoleC80466F5", @@ -329,7 +699,11 @@ { "Ref": "AWS::Partition" }, - ":states:::elasticmapreduce:createCluster.sync\",\"Parameters\":{\"Instances\":{\"KeepJobFlowAliveWhenNoSteps\":true},\"JobFlowRole\":\"", + ":states:::elasticmapreduce:createCluster.sync\",\"Parameters\":{\"Instances\":{\"Ec2SubnetId\":\"", + { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + }, + "\",\"InstanceFleets\":[{\"InstanceFleetType\":\"MASTER\",\"InstanceTypeConfigs\":[{\"InstanceType\":\"m5.xlarge\"}],\"TargetOnDemandCapacity\":1}],\"KeepJobFlowAliveWhenNoSteps\":true},\"JobFlowRole\":\"", { "Ref": "EmrCreateClusterInstanceRoleC80466F5" }, 
@@ -337,11 +711,7 @@ { "Ref": "EmrCreateClusterServiceRole5251910D" }, - "\",\"Applications\":[{\"Name\":\"Spark\"}],\"AutoScalingRole\":\"", - { - "Ref": "EmrCreateClusterAutoScalingRoleFDDAF4E2" - }, - "\",\"ReleaseLabel\":\"emr-6.13.0\",\"Tags\":[{\"Key\":\"Key\",\"Value\":\"Value\"}],\"VisibleToAllUsers\":true}},\"EmrAddStep\":{\"Next\":\"EmrTerminateCluster\",\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:", + "\",\"Applications\":[{\"Name\":\"Spark\"}],\"ReleaseLabel\":\"emr-6.13.0\",\"SecurityConfiguration\":\"AddStepRuntimeRoleSecConfig\",\"Tags\":[{\"Key\":\"Key\",\"Value\":\"Value\"}],\"VisibleToAllUsers\":true}},\"EmrAddStep\":{\"Next\":\"EmrTerminateCluster\",\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json index 9916d4ad677c2..2fdc207d1e832 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json 
@@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/14f2decff3544ff7c2f4f88741424a871213d803b68515cb4758a8922ac62dd2.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/8de157a5dd03c1169364dbe7f19595c7cbd503a878ead1e759ee4335181c999e.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ 
@@ -34,6 +34,150 @@ "aws-cdk-emr-add-step-runtime-role.assets" ], "metadata": { + "/aws-cdk-emr-add-step-runtime-role/Vpc/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "Vpc8378EB38" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1/Subnet": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPublicSubnet1Subnet5C2D37C4" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1/RouteTable": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPublicSubnet1RouteTable6C95E38E" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1/RouteTableAssociation": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPublicSubnet1RouteTableAssociation97140677" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1/DefaultRoute": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPublicSubnet1DefaultRoute3DA9E72A" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1/EIP": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPublicSubnet1EIPD7E02669" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1/NATGateway": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPublicSubnet1NATGateway4D7517AA" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2/Subnet": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPublicSubnet2Subnet691E08A3" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2/RouteTable": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPublicSubnet2RouteTable94F7E489" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2/RouteTableAssociation": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPublicSubnet2RouteTableAssociationDD5762D8" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2/DefaultRoute": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPublicSubnet2DefaultRoute97F91067" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2/EIP": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPublicSubnet2EIP3C605A87" + } + ], + 
"/aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2/NATGateway": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPublicSubnet2NATGateway9182C01D" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1/Subnet": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPrivateSubnet1Subnet536B997A" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1/RouteTable": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPrivateSubnet1RouteTableB2C5B500" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1/RouteTableAssociation": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPrivateSubnet1RouteTableAssociation70C59FA6" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1/DefaultRoute": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPrivateSubnet1DefaultRouteBE02A9ED" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2/Subnet": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPrivateSubnet2Subnet3788AAA1" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2/RouteTable": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPrivateSubnet2RouteTableA678073B" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2/RouteTableAssociation": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPrivateSubnet2RouteTableAssociationA89CAD56" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2/DefaultRoute": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcPrivateSubnet2DefaultRoute060D2087" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/IGW": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcIGWD7BA715C" + } + ], + "/aws-cdk-emr-add-step-runtime-role/Vpc/VPCGW": [ + { + "type": "aws:cdk:logicalId", + "data": "VpcVPCGWBF912B6E" + } + ], + "/aws-cdk-emr-add-step-runtime-role/EmrSecurityConfiguration": [ + { + "type": "aws:cdk:logicalId", + "data": "EmrSecurityConfiguration" + } + ], "/aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/ServiceRole/Resource": [ { "type": 
"aws:cdk:logicalId", @@ -52,19 +196,10 @@ "data": "EmrCreateClusterInstanceProfileC1729180" } ], - "/aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/AutoScalingRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "EmrCreateClusterAutoScalingRoleFDDAF4E2" - } - ], "/aws-cdk-emr-add-step-runtime-role/Role/Resource": [ { "type": "aws:cdk:logicalId", - "data": "Role1ABCC5F0", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_REPLACE" - ] + "data": "Role1ABCC5F0" } ], "/aws-cdk-emr-add-step-runtime-role/SM/Role/Resource": [ @@ -96,6 +231,15 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } + ], + "EmrCreateClusterAutoScalingRoleFDDAF4E2": [ + { + "type": "aws:cdk:logicalId", + "data": "EmrCreateClusterAutoScalingRoleFDDAF4E2", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } ] }, "displayName": "aws-cdk-emr-add-step-runtime-role" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json index fa42af3e07de6..73be84c08c4d5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json 
@@ -8,6 +8,676 @@ "id": "aws-cdk-emr-add-step-runtime-role", "path": "aws-cdk-emr-add-step-runtime-role", "children": { + "Vpc": { + "id": "Vpc", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::VPC", + "aws:cdk:cloudformation:props": { + "cidrBlock": "10.0.0.0/16", + "enableDnsHostnames": true, + "enableDnsSupport": true, + "instanceTenancy": "default", + "tags": [ + { + "key": "Name", + "value": "aws-cdk-emr-add-step-runtime-role/Vpc" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnVPC", + "version": "0.0.0" + } + }, + "PublicSubnet1": { + "id": "PublicSubnet1", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1", + "children": { + "Subnet": { + "id": "Subnet", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1/Subnet", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", + "aws:cdk:cloudformation:props": { + "availabilityZone": { + "Fn::Select": [ + 0, + { + "Fn::GetAZs": "" + } + ] + }, + "cidrBlock": "10.0.0.0/18", + "mapPublicIpOnLaunch": true, + "tags": [ + { + "key": "aws-cdk:subnet-name", + "value": "Public" + }, + { + "key": "aws-cdk:subnet-type", + "value": "Public" + }, + { + "key": "Name", + "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" + } + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" + } + }, + "Acl": { + "id": "Acl", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1/Acl", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "RouteTable": { + "id": "RouteTable", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1/RouteTable", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", + "aws:cdk:cloudformation:props": { + "tags": [ + { 
+ "key": "Name", + "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" + } + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" + } + }, + "RouteTableAssociation": { + "id": "RouteTableAssociation", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1/RouteTableAssociation", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", + "aws:cdk:cloudformation:props": { + "routeTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + }, + "subnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" + } + }, + "DefaultRoute": { + "id": "DefaultRoute", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1/DefaultRoute", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Route", + "aws:cdk:cloudformation:props": { + "destinationCidrBlock": "0.0.0.0/0", + "gatewayId": { + "Ref": "VpcIGWD7BA715C" + }, + "routeTableId": { + "Ref": "VpcPublicSubnet1RouteTable6C95E38E" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" + } + }, + "EIP": { + "id": "EIP", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1/EIP", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::EIP", + "aws:cdk:cloudformation:props": { + "domain": "vpc", + "tags": [ + { + "key": "Name", + "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "version": "0.0.0" + } + }, + "NATGateway": { + "id": "NATGateway", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1/NATGateway", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::NatGateway", + "aws:cdk:cloudformation:props": { + "allocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet1EIPD7E02669", + "AllocationId" + ] + 
}, + "subnetId": { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + }, + "tags": [ + { + "key": "Name", + "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "version": "0.0.0" + } + }, + "PublicSubnet2": { + "id": "PublicSubnet2", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2", + "children": { + "Subnet": { + "id": "Subnet", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2/Subnet", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", + "aws:cdk:cloudformation:props": { + "availabilityZone": { + "Fn::Select": [ + 1, + { + "Fn::GetAZs": "" + } + ] + }, + "cidrBlock": "10.0.64.0/18", + "mapPublicIpOnLaunch": true, + "tags": [ + { + "key": "aws-cdk:subnet-name", + "value": "Public" + }, + { + "key": "aws-cdk:subnet-type", + "value": "Public" + }, + { + "key": "Name", + "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" + } + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" + } + }, + "Acl": { + "id": "Acl", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2/Acl", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "RouteTable": { + "id": "RouteTable", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2/RouteTable", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", + "aws:cdk:cloudformation:props": { + "tags": [ + { + "key": "Name", + "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" + } + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" + } + }, + "RouteTableAssociation": { + "id": "RouteTableAssociation", + "path": 
"aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2/RouteTableAssociation", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", + "aws:cdk:cloudformation:props": { + "routeTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" + }, + "subnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" + } + }, + "DefaultRoute": { + "id": "DefaultRoute", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2/DefaultRoute", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Route", + "aws:cdk:cloudformation:props": { + "destinationCidrBlock": "0.0.0.0/0", + "gatewayId": { + "Ref": "VpcIGWD7BA715C" + }, + "routeTableId": { + "Ref": "VpcPublicSubnet2RouteTable94F7E489" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" + } + }, + "EIP": { + "id": "EIP", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2/EIP", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::EIP", + "aws:cdk:cloudformation:props": { + "domain": "vpc", + "tags": [ + { + "key": "Name", + "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "version": "0.0.0" + } + }, + "NATGateway": { + "id": "NATGateway", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2/NATGateway", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::NatGateway", + "aws:cdk:cloudformation:props": { + "allocationId": { + "Fn::GetAtt": [ + "VpcPublicSubnet2EIP3C605A87", + "AllocationId" + ] + }, + "subnetId": { + "Ref": "VpcPublicSubnet2Subnet691E08A3" + }, + "tags": [ + { + "key": "Name", + "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "version": "0.0.0" + } + } + }, + "constructInfo": { + 
"fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "version": "0.0.0" + } + }, + "PrivateSubnet1": { + "id": "PrivateSubnet1", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1", + "children": { + "Subnet": { + "id": "Subnet", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1/Subnet", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", + "aws:cdk:cloudformation:props": { + "availabilityZone": { + "Fn::Select": [ + 0, + { + "Fn::GetAZs": "" + } + ] + }, + "cidrBlock": "10.0.128.0/18", + "mapPublicIpOnLaunch": false, + "tags": [ + { + "key": "aws-cdk:subnet-name", + "value": "Private" + }, + { + "key": "aws-cdk:subnet-type", + "value": "Private" + }, + { + "key": "Name", + "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1" + } + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" + } + }, + "Acl": { + "id": "Acl", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1/Acl", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "RouteTable": { + "id": "RouteTable", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1/RouteTable", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", + "aws:cdk:cloudformation:props": { + "tags": [ + { + "key": "Name", + "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1" + } + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" + } + }, + "RouteTableAssociation": { + "id": "RouteTableAssociation", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1/RouteTableAssociation", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", + "aws:cdk:cloudformation:props": { + "routeTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + }, + "subnetId": { + "Ref": 
"VpcPrivateSubnet1Subnet536B997A" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" + } + }, + "DefaultRoute": { + "id": "DefaultRoute", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1/DefaultRoute", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Route", + "aws:cdk:cloudformation:props": { + "destinationCidrBlock": "0.0.0.0/0", + "natGatewayId": { + "Ref": "VpcPublicSubnet1NATGateway4D7517AA" + }, + "routeTableId": { + "Ref": "VpcPrivateSubnet1RouteTableB2C5B500" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "version": "0.0.0" + } + }, + "PrivateSubnet2": { + "id": "PrivateSubnet2", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2", + "children": { + "Subnet": { + "id": "Subnet", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2/Subnet", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", + "aws:cdk:cloudformation:props": { + "availabilityZone": { + "Fn::Select": [ + 1, + { + "Fn::GetAZs": "" + } + ] + }, + "cidrBlock": "10.0.192.0/18", + "mapPublicIpOnLaunch": false, + "tags": [ + { + "key": "aws-cdk:subnet-name", + "value": "Private" + }, + { + "key": "aws-cdk:subnet-type", + "value": "Private" + }, + { + "key": "Name", + "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2" + } + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" + } + }, + "Acl": { + "id": "Acl", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2/Acl", + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "RouteTable": { + "id": "RouteTable", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2/RouteTable", + "attributes": { + "aws:cdk:cloudformation:type": 
"AWS::EC2::RouteTable", + "aws:cdk:cloudformation:props": { + "tags": [ + { + "key": "Name", + "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2" + } + ], + "vpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" + } + }, + "RouteTableAssociation": { + "id": "RouteTableAssociation", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2/RouteTableAssociation", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::SubnetRouteTableAssociation", + "aws:cdk:cloudformation:props": { + "routeTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" + }, + "subnetId": { + "Ref": "VpcPrivateSubnet2Subnet3788AAA1" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" + } + }, + "DefaultRoute": { + "id": "DefaultRoute", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2/DefaultRoute", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::Route", + "aws:cdk:cloudformation:props": { + "destinationCidrBlock": "0.0.0.0/0", + "natGatewayId": { + "Ref": "VpcPublicSubnet2NATGateway9182C01D" + }, + "routeTableId": { + "Ref": "VpcPrivateSubnet2RouteTableA678073B" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "version": "0.0.0" + } + }, + "IGW": { + "id": "IGW", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/IGW", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::InternetGateway", + "aws:cdk:cloudformation:props": { + "tags": [ + { + "key": "Name", + "value": "aws-cdk-emr-add-step-runtime-role/Vpc" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnInternetGateway", + "version": "0.0.0" + } + }, + "VPCGW": { + "id": "VPCGW", + "path": "aws-cdk-emr-add-step-runtime-role/Vpc/VPCGW", + "attributes": { + "aws:cdk:cloudformation:type": 
"AWS::EC2::VPCGatewayAttachment", + "aws:cdk:cloudformation:props": { + "internetGatewayId": { + "Ref": "VpcIGWD7BA715C" + }, + "vpcId": { + "Ref": "Vpc8378EB38" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCGatewayAttachment", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.Vpc", + "version": "0.0.0" + } + }, + "EmrSecurityConfiguration": { + "id": "EmrSecurityConfiguration", + "path": "aws-cdk-emr-add-step-runtime-role/EmrSecurityConfiguration", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EMR::SecurityConfiguration", + "aws:cdk:cloudformation:props": { + "name": "AddStepRuntimeRoleSecConfig", + "securityConfiguration": { + "AuthorizationConfiguration": { + "IAMConfiguration": { + "EnableApplicationScopedIAMRole": true, + "ApplicationScopedIAMRoleConfiguration": { + "PropagateSourceIdentity": true + } + }, + "LakeFormationConfiguration": { + "AuthorizedSessionTagValue": "Amazon EMR" + } + } + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_emr.CfnSecurityConfiguration", + "version": "0.0.0" + } + }, "EmrCreateCluster": { "id": "EmrCreateCluster", "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster", 
@@ -137,66 +807,6 @@ "fqn": "aws-cdk-lib.aws_iam.CfnInstanceProfile", "version": "0.0.0" } - }, - "AutoScalingRole": { - "id": "AutoScalingRole", - "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/AutoScalingRole", - "children": { - "ImportAutoScalingRole": { - "id": "ImportAutoScalingRole", - "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/AutoScalingRole/ImportAutoScalingRole", - "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" - } - }, - "Resource": { - "id": "Resource", - "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/AutoScalingRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": [ - "application-autoscaling.amazonaws.com", - "elasticmapreduce.amazonaws.com" - ] - } - } - ], - "Version": "2012-10-17" - }, - "managedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole" - ] - ] - } - ] - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" - } } }, "constructInfo": { @@ -363,12 +973,6 @@ "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ - { - "Fn::GetAtt": [ - "EmrCreateClusterAutoScalingRoleFDDAF4E2", - "Arn" - ] - }, { "Fn::GetAtt": [ "EmrCreateClusterInstanceRoleC80466F5", 
@@ -526,7 +1130,11 @@ { "Ref": "AWS::Partition" }, - ":states:::elasticmapreduce:createCluster.sync\",\"Parameters\":{\"Instances\":{\"KeepJobFlowAliveWhenNoSteps\":true},\"JobFlowRole\":\"", + ":states:::elasticmapreduce:createCluster.sync\",\"Parameters\":{\"Instances\":{\"Ec2SubnetId\":\"", + { + "Ref": "VpcPublicSubnet1Subnet5C2D37C4" + }, + "\",\"InstanceFleets\":[{\"InstanceFleetType\":\"MASTER\",\"InstanceTypeConfigs\":[{\"InstanceType\":\"m5.xlarge\"}],\"TargetOnDemandCapacity\":1}],\"KeepJobFlowAliveWhenNoSteps\":true},\"JobFlowRole\":\"", { "Ref": "EmrCreateClusterInstanceRoleC80466F5" }, @@ -534,11 +1142,7 @@ { "Ref": "EmrCreateClusterServiceRole5251910D" }, - "\",\"Applications\":[{\"Name\":\"Spark\"}],\"AutoScalingRole\":\"", - { - "Ref": "EmrCreateClusterAutoScalingRoleFDDAF4E2" - }, - "\",\"ReleaseLabel\":\"emr-6.13.0\",\"Tags\":[{\"Key\":\"Key\",\"Value\":\"Value\"}],\"VisibleToAllUsers\":true}},\"EmrAddStep\":{\"Next\":\"EmrTerminateCluster\",\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:", + "\",\"Applications\":[{\"Name\":\"Spark\"}],\"ReleaseLabel\":\"emr-6.13.0\",\"SecurityConfiguration\":\"AddStepRuntimeRoleSecConfig\",\"Tags\":[{\"Key\":\"Key\",\"Value\":\"Value\"}],\"VisibleToAllUsers\":true}},\"EmrAddStep\":{\"Next\":\"EmrTerminateCluster\",\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts index 5f0aed6dbaa52..0aa89f577fd73 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts 
@@ -1,4 +1,6 @@ import * as sfn from 'aws-cdk-lib/aws-stepfunctions'; +import * as ec2 from 'aws-cdk-lib/aws-ec2'; +import * as emr from 'aws-cdk-lib/aws-emr'; import * as iam from 'aws-cdk-lib/aws-iam'; import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks'; import { App, Stack } from 'aws-cdk-lib'; @@ -7,12 +9,6 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha'; /* * Create a state machine with an EMR cluster and adds a step that uses a runtime role. * - * Prerequisites: - * 1. Fill in the instances block for EmrCreateCluster - * 2. Create the EMR security configuration, see https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-create-security-configuration.html and - * https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ - * 3. Add the security configuration to EmrCreateCluster - * * Stack verification steps: * The generated State Machine can be executed from the CLI (or Step Functions console) * and runs with an execution status of `Succeeded`. @@ -24,9 +20,29 @@ import { IntegTest } from '@aws-cdk/integ-tests-alpha'; const app = new App(); const stack = new Stack(app, 'aws-cdk-emr-add-step-runtime-role'); +const vpc = new ec2.Vpc(stack, 'Vpc', { restrictDefaultSecurityGroup: false }); + +const cfnSecurityConfiguration = new emr.CfnSecurityConfiguration(stack, 'EmrSecurityConfiguration', { + name: 'AddStepRuntimeRoleSecConfig', + securityConfiguration: JSON.parse(` + { + "AuthorizationConfiguration": { + "IAMConfiguration": { + "EnableApplicationScopedIAMRole": true, + "ApplicationScopedIAMRoleConfiguration": + { + "PropagateSourceIdentity": true + } + }, + "LakeFormationConfiguration": { + "AuthorizedSessionTagValue": "Amazon EMR" + } + } + }`), +}); + const createClusterStep = new tasks.EmrCreateCluster(stack, 'EmrCreateCluster', { instances: { - /* instanceFleets: [ { instanceFleetType: tasks.EmrCreateCluster.InstanceRoleType.MASTER, 
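Review bot: `restrictDefaultSecurityGroup: false` on the new `ec2.Vpc` leaves the VPC's default security group with its stock rules, and nothing on that line says why. If the aim is only to keep the extra custom resource out of the snapshot, a comment would stop the option being copied into real stacks, e.g. `// integ test only: default security group left unrestricted to keep the snapshot small`. That reason is inferred, so word the comment to match the actual intent. The `EmrCreateCluster` call at the end of this hunk continues outside it.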
@@ -38,8 +54,7 @@ const createClusterStep = new tasks.EmrCreateCluster(stack, 'EmrCreateCluster', targetOnDemandCapacity: 1, }, ], - ec2SubnetId: 'subnet-xxxxxx', - */ + ec2SubnetId: vpc.publicSubnets[0].subnetId, }, name: 'Cluster', releaseLabel: 'emr-6.13.0', @@ -47,7 +62,7 @@ const createClusterStep = new tasks.EmrCreateCluster(stack, 'EmrCreateCluster', tags: { Key: 'Value', }, - //securityConfiguration: 'security-configuration', + securityConfiguration: cfnSecurityConfiguration.name, applications: [ { name: 'Spark', @@ -95,7 +110,7 @@ const addStepStep = new tasks.EmrAddStep(stack, 'EmrAddStep', { 'SparkPi', '1', ], - executionRole: executionRole.roleArn, + executionRoleArn: executionRole.roleArn, actionOnFailure: tasks.ActionOnFailure.TERMINATE_CLUSTER, }); diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md index f113b13de70a5..dc3d7e8bf48b3 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md 
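Review bot: `ec2SubnetId: vpc.publicSubnets[0].subnetId` places the cluster's master fleet in a public subnet, although the same `Vpc` also has private subnets with a NAT default route (visible in the snapshot's `PrivateSubnet2/DefaultRoute`). Integration tests tend to be copied as examples, so unless the test needs inbound reachability I would use `ec2SubnetId: vpc.privateSubnets[0].subnetId,`. Whether the nodes are actually reachable depends on the EMR security groups, which this hunk does not show. The `instances` object starts above the hunk and the constructor call continues below it.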
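Review bot: `securityConfiguration: cfnSecurityConfiguration.name` passes the literal string, so the state machine definition carries `AddStepRuntimeRoleSecConfig` as plain text (see the snapshot hunk above) and has no CloudFormation link to the `AWS::EMR::SecurityConfiguration` resource. `securityConfiguration: cfnSecurityConfiguration.ref,` should render a `Ref`, which for this resource type resolves to the configuration name, and it keeps the two in step if the name is later changed or left to be generated. `name` is also optional on the L1 construct, which `.ref` sidesteps. The surrounding props object starts and ends outside the hunk.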
@@ -666,25 +666,64 @@ To specify a custom runtime role use the `executionRole` property. See this [blog post](https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/) for more details. ```ts -const clusterRole = new iam.Role(this, 'ClusterRole', { - assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'), -}); - -const serviceRole = new iam.Role(this, 'ServiceRole', { - assumedBy: new iam.ServicePrincipal('elasticmapreduce.amazonaws.com'), +const cfnSecurityConfiguration = new emr.CfnSecurityConfiguration(stack, 'EmrSecurityConfiguration', { + name: 'AddStepRuntimeRoleSecConfig', + securityConfiguration: JSON.parse(` + { + "AuthorizationConfiguration": { + "IAMConfiguration": { + "EnableApplicationScopedIAMRole": true, + "ApplicationScopedIAMRoleConfiguration": + { + "PropagateSourceIdentity": true + } + }, + "LakeFormationConfiguration": { + "AuthorizedSessionTagValue": "Amazon EMR" + } + } + }`), }); -new tasks.EmrCreateCluster(this, 'Create Cluster', { +const task = new tasks.EmrCreateCluster(this, 'Create Cluster', { instances: {}, - clusterRole, name: sfn.TaskInput.fromJsonPathAt('$.ClusterName').value, - serviceRole, - securityConfiguration: 'SecurityConfiguration', + securityConfiguration: cfnSecurityConfiguration.name, +}); + +const executionRole = new iam.Role(stack, 'Role', { + assumedBy: new iam.ArnPrincipal(task.clusterRole.roleArn), }); +executionRole.assumeRolePolicy?.addStatements( + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + principals: [ + task.clusterRole, + ], + actions: [ + 'sts:SetSourceIdentity', + ], + }), + new iam.PolicyStatement({ + effect: iam.Effect.ALLOW, + principals: [ + task.clusterRole, + ], + actions: [ + 'sts:TagSession', + ], + conditions: { + StringEquals: { + 'aws:RequestTag/LakeFormationAuthorizedCaller': 'Amazon EMR', + }, + }, + }), +); + new tasks.EmrAddStep(this, 'Task', { clusterId: 'ClusterId', - 
executionRole: 'ExecutionRoleArn', + executionRole: executionRole.roleArn, name: 'StepName', jar: 'Jar', actionOnFailure: tasks.ActionOnFailure.CONTINUE, diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/emr/emr-add-step.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/emr/emr-add-step.ts index 574ef4fe62356..a1c6c92a6b6e3 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/emr/emr-add-step.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/emr/emr-add-step.ts @@ -95,9 +95,10 @@ export interface EmrAddStepProps extends sfn.TaskStateBaseProps { * * @see https://docs.aws.amazon.com/emr/latest/APIReference/API_AddJobFlowSteps.html#API_AddJobFlowSteps_RequestSyntax * - * @default - No step-specific role, uses EC2 instance profile role + * @default - Uses EC2 instance profile role */ - readonly executionRole?: string; + // eslint-disable-next-line + readonly executionRoleArn?: string; } /** @@ -137,7 +138,7 @@ export class EmrAddStep extends sfn.TaskStateBase { Resource: integrationResourceArn('elasticmapreduce', 'addStep', this.integrationPattern), Parameters: sfn.FieldUtils.renderObject({ ClusterId: this.props.clusterId, - ExecutionRoleArn: this.props.executionRole, + ExecutionRoleArn: this.props.executionRoleArn, Step: { Name: this.props.name, ActionOnFailure: this.actionOnFailure.valueOf(), diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts index 8be8c036343a7..218ef3fd4951a 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts @@ -65,7 +65,7 @@ test('Add Step with execution role ARN', () => { jar: 'Jar', actionOnFailure: tasks.ActionOnFailure.CONTINUE, integrationPattern: sfn.IntegrationPattern.RUN_JOB, - executionRole: executionRole.roleArn, + executionRoleArn: executionRole.roleArn, }); // THEN 
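Review bot: The doc comment on `executionRoleArn` shown in this hunk gives only the `@see` link and the default, not the preconditions for using a runtime role. The README change in this series states that the cluster must be created with a security configuration and that the role needs a specific trust policy. If the part of the comment above the hunk does not already say so, add a line such as `* The cluster needs a security configuration that enables runtime roles, and this role's trust policy must allow the cluster's instance role (clusterRole).` The interface starts above the hunk.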
From b03280a87e5c5ff84381db206dadddcaae1dbece Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Sun, 29 Oct 2023 16:01:31 -0600 Subject: [PATCH 08/16] update executionRole naming --- packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md index dc3d7e8bf48b3..e8aba01747680 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md @@ -660,7 +660,7 @@ new tasks.EmrAddStep(this, 'Task', { }); ``` -To specify a custom runtime role use the `executionRole` property. +To specify a custom runtime role use the `executionRoleArn` property. **Note:** The EMR cluster must be created with a security configuration and the runtime role must have a specific trust policy. See this [blog post](https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/) for more details. @@ -723,7 +723,7 @@ executionRole.assumeRolePolicy?.addStatements( new tasks.EmrAddStep(this, 'Task', { clusterId: 'ClusterId', - executionRole: executionRole.roleArn, + executionRoleArn: executionRole.roleArn, name: 'StepName', jar: 'Jar', actionOnFailure: tasks.ActionOnFailure.CONTINUE, From 4ad9fea0b5fea8bfdfabec4f7af8f968cedc6f76 Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Sun, 29 Oct 2023 16:02:10 -0600 Subject: [PATCH 09/16] update comment --- .../aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts index 218ef3fd4951a..0b8e81daa4828 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts 
+++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/emr/emr-add-step.test.ts @@ -53,7 +53,7 @@ test('Add Step with static ClusterId and Step configuration', () => { test('Add Step with execution role ARN', () => { const executionRole = new iam.Role(stack, 'Role', { roleName: 'EmrStepExecutionRole', - // The actual trust policy required is more complicated, but abbreviated here for brevity. + // The actual trust policy required is more complicated. // See https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/ assumedBy: new iam.ServicePrincipal('elasticmapreduce.amazonaws.com'), }); From 4c1f69347f6a5f8ad9d1895d2b0f35ce1cb37214 Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Sun, 29 Oct 2023 16:57:25 -0600 Subject: [PATCH 10/16] ignore arn linting error --- .../aws-cdk-lib/aws-stepfunctions-tasks/lib/emr/emr-add-step.ts | 1 - packages/aws-cdk-lib/awslint.json | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/emr/emr-add-step.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/emr/emr-add-step.ts index a1c6c92a6b6e3..4be2b7bbd9c3f 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/emr/emr-add-step.ts +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/emr/emr-add-step.ts @@ -97,7 +97,6 @@ export interface EmrAddStepProps extends sfn.TaskStateBaseProps { * * @default - Uses EC2 instance profile role */ - // eslint-disable-next-line readonly executionRoleArn?: string; } diff --git a/packages/aws-cdk-lib/awslint.json b/packages/aws-cdk-lib/awslint.json index 93e13f1dc2642..6d19ae862876e 100644 --- a/packages/aws-cdk-lib/awslint.json +++ b/packages/aws-cdk-lib/awslint.json 
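Review bot: The reworded comment says the real trust policy "is more complicated" but not how, while the role below it trusts `elasticmapreduce.amazonaws.com`. The README example in this series instead trusts the cluster role and allows `sts:SetSourceIdentity` and `sts:TagSession`, so a reader copying the test would end up with a different trust relationship. I would spell that out: `// Placeholder trust policy for this unit test; a real runtime role trusts the cluster's instance role, see the README example.` The test body continues outside the hunk.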
@@ -58,6 +58,7 @@ "construct-ctor-props-optional:aws-cdk-lib.aws_stepfunctions.StateMachine", "props-no-arn-refs:aws-cdk-lib.aws_stepfunctions_tasks.BatchSubmitJobProps.jobDefinitionArn", "props-no-arn-refs:aws-cdk-lib.aws_stepfunctions_tasks.BatchSubmitJobProps.jobQueueArn", + "props-no-arn-refs:aws-cdk-lib.aws_stepfunctions_tasks.EmrAddStepProps.executionRoleArn", "props-no-cfn-types:aws-cdk-lib.cloudformation_include.CfnIncludeProps.loadNestedStacks", "construct-ctor-props-optional:aws-cdk-lib.custom_resources.AwsCustomResource", "props-physical-name:aws-cdk-lib.CustomResourceProps", From 49704597d3f6d8afa4350c19c9933553457d8aff Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Sun, 29 Oct 2023 17:40:26 -0600 Subject: [PATCH 11/16] fix readme lint errors --- packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md index e8aba01747680..a4baed339ede4 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md @@ -666,7 +666,7 @@ To specify a custom runtime role use the `executionRoleArn` property. See this [blog post](https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/) for more details. ```ts -const cfnSecurityConfiguration = new emr.CfnSecurityConfiguration(stack, 'EmrSecurityConfiguration', { +const cfnSecurityConfiguration = new emr.CfnSecurityConfiguration(this, 'EmrSecurityConfiguration', { name: 'AddStepRuntimeRoleSecConfig', securityConfiguration: JSON.parse(` { 
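Review bot: The new `props-no-arn-refs` exclusion for `EmrAddStepProps.executionRoleArn` accepts a raw ARN string where the rule steers props towards a typed construct, and nothing records why. This file cannot carry a comment, so the reason belongs in the prop's doc comment in `emr-add-step.ts`, for example `* Accepted as a string so the ARN can be supplied from state input at run time.` That reason is a guess from how other task props are used. If it does not hold, taking an `iam.IRole` and rendering its `roleArn` would remove the need for the exclusion.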
@@ -691,7 +691,7 @@ const task = new tasks.EmrCreateCluster(this, 'Create Cluster', { securityConfiguration: cfnSecurityConfiguration.name, }); -const executionRole = new iam.Role(stack, 'Role', { +const executionRole = new iam.Role(this, 'Role', { assumedBy: new iam.ArnPrincipal(task.clusterRole.roleArn), }); From 73dcb2b9c7622452a6fd399b780a27be646fd934 Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Sun, 29 Oct 2023 18:16:26 -0600 Subject: [PATCH 12/16] this time --- packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md index a4baed339ede4..79dd04ba3315f 100644 --- a/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md +++ b/packages/aws-cdk-lib/aws-stepfunctions-tasks/README.md @@ -666,6 +666,8 @@ To specify a custom runtime role use the `executionRoleArn` property. See this [blog post](https://aws.amazon.com/blogs/big-data/introducing-runtime-roles-for-amazon-emr-steps-use-iam-roles-and-aws-lake-formation-for-access-control-with-amazon-emr/) for more details. ```ts +import * as emr from 'aws-cdk-lib/aws-emr'; + const cfnSecurityConfiguration = new emr.CfnSecurityConfiguration(this, 'EmrSecurityConfiguration', { name: 'AddStepRuntimeRoleSecConfig', securityConfiguration: JSON.parse(` From 9c64d952b51a49e8ef5bb699a1e70ece33870cf8 Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Thu, 7 Dec 2023 08:40:57 -0800 Subject: [PATCH 13/16] new files --- ...efaultTestDeployAssert697DC891.assets.json | 2 +- ...-cdk-emr-add-step-runtime-role.assets.json | 6 +- ...dk-emr-add-step-runtime-role.template.json | 11 +- .../cdk.out | 2 +- .../integ.json | 2 +- .../manifest.json | 21 +- .../tree.json | 267 +++++++++--------- ...mr-create-cluster-add-step-runtime-role.ts | 4 +- 8 files changed, 155 insertions(+), 160 deletions(-) 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.assets.json index 4b62986ef80b7..eb3094e013ba1 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.assets.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "35.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json index 07dfc046b2bdd..71eebfdf01331 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json 
@@ -1,7 +1,7 @@ { - "version": "34.0.0", + "version": "35.0.0", "files": { - "8de157a5dd03c1169364dbe7f19595c7cbd503a878ead1e759ee4335181c999e": { + "40364d5e1052cffd66bde7b42f5598e97c91f93ba88650ea9f4b40e2e3a3bfb3": { "source": { "path": "aws-cdk-emr-add-step-runtime-role.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "8de157a5dd03c1169364dbe7f19595c7cbd503a878ead1e759ee4335181c999e.json", + "objectKey": "40364d5e1052cffd66bde7b42f5598e97c91f93ba88650ea9f4b40e2e3a3bfb3.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json index 1e0989d7ee067..178069453c008 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json @@ -476,7 +476,7 @@ ] } }, - "Role1ABCC5F0": { + "EmrExecutionRoleF584820F": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { 
@@ -715,14 +715,7 @@ { "Ref": "AWS::Partition" }, - ":states:::elasticmapreduce:addStep.sync\",\"Parameters\":{\"ClusterId.$\":\"$.Cluster.Id\",\"ExecutionRoleArn\":\"", - { - "Fn::GetAtt": [ - "Role1ABCC5F0", - "Arn" - ] - }, - "\",\"Step\":{\"Name\":\"AddStepRuntimeRoleIntTest\",\"ActionOnFailure\":\"TERMINATE_CLUSTER\",\"HadoopJarStep\":{\"Jar\":\"command-runner.jar\",\"Args\":[\"spark-example\",\"SparkPi\",\"1\"]}}}},\"EmrTerminateCluster\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:", + ":states:::elasticmapreduce:addStep.sync\",\"Parameters\":{\"ClusterId.$\":\"$.Cluster.Id\",\"Step\":{\"Name\":\"AddStepRuntimeRoleIntTest\",\"ActionOnFailure\":\"TERMINATE_CLUSTER\",\"HadoopJarStep\":{\"Jar\":\"command-runner.jar\",\"Args\":[\"spark-example\",\"SparkPi\",\"1\"]}}}},\"EmrTerminateCluster\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/cdk.out index 2313ab5436501..c5cb2e5de6344 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"34.0.0"} \ No newline at end of file +{"version":"35.0.0"} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/integ.json index 717b603cf3142..9de79234d84a2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "35.0.0", "testCases": { "EmrCreateClusterTest/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json index 2fdc207d1e832..15ecd8212bfe8 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "34.0.0", + "version": "35.0.0", "artifacts": { "aws-cdk-emr-add-step-runtime-role.assets": { "type": "cdk:asset-manifest", 
@@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/8de157a5dd03c1169364dbe7f19595c7cbd503a878ead1e759ee4335181c999e.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/40364d5e1052cffd66bde7b42f5598e97c91f93ba88650ea9f4b40e2e3a3bfb3.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -196,10 +196,10 @@ "data": "EmrCreateClusterInstanceProfileC1729180" } ], - "/aws-cdk-emr-add-step-runtime-role/Role/Resource": [ + "/aws-cdk-emr-add-step-runtime-role/EmrExecutionRole/Resource": [ { "type": "aws:cdk:logicalId", - "data": "Role1ABCC5F0" + "data": "EmrExecutionRoleF584820F" } ], "/aws-cdk-emr-add-step-runtime-role/SM/Role/Resource": [ @@ -232,10 +232,19 @@ "data": "CheckBootstrapVersion" } ], - "EmrCreateClusterAutoScalingRoleFDDAF4E2": [ + "InstanceRole3CCE2F1D": [ { "type": "aws:cdk:logicalId", - "data": "EmrCreateClusterAutoScalingRoleFDDAF4E2", + "data": "InstanceRole3CCE2F1D", + "trace": [ + "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" + ] + } + ], + "InstanceProfile": [ + { + "type": "aws:cdk:logicalId", + "data": "InstanceProfile", "trace": [ "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" ] diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json index 73be84c08c4d5..9f2cc00916d0c 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json @@ -31,8 +31,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPC", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "PublicSubnet1": { @@ -75,16 +75,16 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Acl": { "id": "Acl", "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1/Acl", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "RouteTable": { @@ -105,8 +105,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "RouteTableAssociation": { @@ -124,8 +124,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "DefaultRoute": { @@ -144,8 +144,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "EIP": { @@ -164,8 +164,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "NATGateway": { @@ -192,14 +192,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "PublicSubnet2": { 
@@ -242,16 +242,16 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Acl": { "id": "Acl", "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2/Acl", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "RouteTable": { @@ -272,8 +272,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "RouteTableAssociation": { @@ -291,8 +291,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "DefaultRoute": { @@ -311,8 +311,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "EIP": { @@ -331,8 +331,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "NATGateway": { @@ -359,14 +359,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "PrivateSubnet1": { @@ -409,16 +409,16 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Acl": { "id": "Acl", "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1/Acl", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "RouteTable": { 
@@ -439,8 +439,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "RouteTableAssociation": { @@ -458,8 +458,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "DefaultRoute": { @@ -478,14 +478,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "PrivateSubnet2": { @@ -528,16 +528,16 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Acl": { "id": "Acl", "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2/Acl", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "RouteTable": { @@ -558,8 +558,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "RouteTableAssociation": { @@ -577,8 +577,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "DefaultRoute": { @@ -597,14 +597,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "IGW": { 
@@ -622,8 +622,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnInternetGateway", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "VPCGW": { @@ -641,14 +641,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.CfnVPCGatewayAttachment", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_ec2.Vpc", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "EmrSecurityConfiguration": { @@ -674,8 +674,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_emr.CfnSecurityConfiguration", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "EmrCreateCluster": { @@ -690,8 +690,8 @@ "id": "ImportServiceRole", "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/ServiceRole/ImportServiceRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -734,14 +734,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "InstanceRole": { @@ -752,8 +752,8 @@ "id": "ImportInstanceRole", "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/InstanceRole/ImportInstanceRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -777,14 +777,14 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "InstanceProfile": { 
@@ -804,31 +804,31 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnInstanceProfile", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_stepfunctions_tasks.EmrCreateCluster", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, - "Role": { - "id": "Role", - "path": "aws-cdk-emr-add-step-runtime-role/Role", + "EmrExecutionRole": { + "id": "EmrExecutionRole", + "path": "aws-cdk-emr-add-step-runtime-role/EmrExecutionRole", "children": { - "ImportRole": { - "id": "ImportRole", - "path": "aws-cdk-emr-add-step-runtime-role/Role/ImportRole", + "ImportEmrExecutionRole": { + "id": "ImportEmrExecutionRole", + "path": "aws-cdk-emr-add-step-runtime-role/EmrExecutionRole/ImportEmrExecutionRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { "id": "Resource", - "path": "aws-cdk-emr-add-step-runtime-role/Role/Resource", + "path": "aws-cdk-emr-add-step-runtime-role/EmrExecutionRole/Resource", "attributes": { "aws:cdk:cloudformation:type": "AWS::IAM::Role", "aws:cdk:cloudformation:props": { 
@@ -881,30 +881,30 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "EmrAddStep": { "id": "EmrAddStep", "path": "aws-cdk-emr-add-step-runtime-role/EmrAddStep", "constructInfo": { - "fqn": "aws-cdk-lib.aws_stepfunctions.TaskStateBase", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "EmrTerminateCluster": { "id": "EmrTerminateCluster", "path": "aws-cdk-emr-add-step-runtime-role/EmrTerminateCluster", "constructInfo": { - "fqn": "aws-cdk-lib.aws_stepfunctions_tasks.EmrTerminateCluster", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "SM": { @@ -919,8 +919,8 @@ "id": "ImportRole", "path": "aws-cdk-emr-add-step-runtime-role/SM/Role/ImportRole", "constructInfo": { - "fqn": "aws-cdk-lib.Resource", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { @@ -944,8 +944,8 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnRole", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "DefaultPolicy": { @@ -1100,20 +1100,20 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Policy", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_iam.Role", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "Resource": { 
@@ -1146,14 +1146,7 @@ { "Ref": "AWS::Partition" }, - ":states:::elasticmapreduce:addStep.sync\",\"Parameters\":{\"ClusterId.$\":\"$.Cluster.Id\",\"ExecutionRoleArn\":\"", - { - "Fn::GetAtt": [ - "Role1ABCC5F0", - "Arn" - ] - }, - "\",\"Step\":{\"Name\":\"AddStepRuntimeRoleIntTest\",\"ActionOnFailure\":\"TERMINATE_CLUSTER\",\"HadoopJarStep\":{\"Jar\":\"command-runner.jar\",\"Args\":[\"spark-example\",\"SparkPi\",\"1\"]}}}},\"EmrTerminateCluster\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:", + ":states:::elasticmapreduce:addStep.sync\",\"Parameters\":{\"ClusterId.$\":\"$.Cluster.Id\",\"Step\":{\"Name\":\"AddStepRuntimeRoleIntTest\",\"ActionOnFailure\":\"TERMINATE_CLUSTER\",\"HadoopJarStep\":{\"Jar\":\"command-runner.jar\",\"Args\":[\"spark-example\",\"SparkPi\",\"1\"]}}}},\"EmrTerminateCluster\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, @@ -1170,36 +1163,36 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_stepfunctions.CfnStateMachine", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.aws_stepfunctions.StateMachine", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "aws-cdk-emr-add-step-runtime-role/BootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "aws-cdk-emr-add-step-runtime-role/CheckBootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "EmrCreateClusterTest": { 
@@ -1215,7 +1208,7 @@ "path": "EmrCreateClusterTest/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } }, "DeployAssert": { @@ -1226,22 +1219,22 @@ "id": "BootstrapVersion", "path": "EmrCreateClusterTest/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnParameter", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "EmrCreateClusterTest/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "aws-cdk-lib.CfnRule", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.Stack", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } }, @@ -1261,13 +1254,13 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "aws-cdk-lib.App", - "version": "0.0.0" + "fqn": "constructs.Construct", + "version": "10.3.0" } } } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts index 0aa89f577fd73..b218d634488b6 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts 
@@ -7,7 +7,7 @@ import { App, Stack } from 'aws-cdk-lib'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; /* - * Create a state machine with an EMR cluster and adds a step that uses a runtime role. + * Create a state machine with an EMR cluster and add a step that uses a runtime role. * * Stack verification steps: * The generated State Machine can be executed from the CLI (or Step Functions console) @@ -70,7 +70,7 @@ const createClusterStep = new tasks.EmrCreateCluster(stack, 'EmrCreateCluster', ], }); -const executionRole = new iam.Role(stack, 'Role', { +const executionRole = new iam.Role(stack, 'EmrExecutionRole', { assumedBy: new iam.ArnPrincipal(createClusterStep.clusterRole.roleArn), }); From ed75bcf9ddd8e1629d4e707447fd40186151b7bc Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Thu, 7 Dec 2023 09:53:05 -0800 Subject: [PATCH 14/16] new --- ...-cdk-emr-add-step-runtime-role.assets.json | 4 +- ...dk-emr-add-step-runtime-role.template.json | 14 +- .../manifest.json | 20 +- .../tree.json | 254 +++++++++--------- 4 files changed, 139 insertions(+), 153 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json index 71eebfdf01331..b52a0ff1246da 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json 
@@ -1,7 +1,7 @@ { "version": "35.0.0", "files": { - "40364d5e1052cffd66bde7b42f5598e97c91f93ba88650ea9f4b40e2e3a3bfb3": { + "dc8513788878e79a03171b88e99afb3331bb4e08836abc3da0845cbc3df9e136": { "source": { "path": "aws-cdk-emr-add-step-runtime-role.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "40364d5e1052cffd66bde7b42f5598e97c91f93ba88650ea9f4b40e2e3a3bfb3.json", + "objectKey": "dc8513788878e79a03171b88e99afb3331bb4e08836abc3da0845cbc3df9e136.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json index 178069453c008..978c23da4496c 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json @@ -417,11 +417,6 @@ "Statement": [ { "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true" - } - }, "Effect": "Allow", "Principal": { "Service": "elasticmapreduce.amazonaws.com" 
@@ -715,7 +710,14 @@ { "Ref": "AWS::Partition" }, - ":states:::elasticmapreduce:addStep.sync\",\"Parameters\":{\"ClusterId.$\":\"$.Cluster.Id\",\"Step\":{\"Name\":\"AddStepRuntimeRoleIntTest\",\"ActionOnFailure\":\"TERMINATE_CLUSTER\",\"HadoopJarStep\":{\"Jar\":\"command-runner.jar\",\"Args\":[\"spark-example\",\"SparkPi\",\"1\"]}}}},\"EmrTerminateCluster\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:", + ":states:::elasticmapreduce:addStep.sync\",\"Parameters\":{\"ClusterId.$\":\"$.Cluster.Id\",\"ExecutionRoleArn\":\"", + { + "Fn::GetAtt": [ + "EmrExecutionRoleF584820F", + "Arn" + ] + }, + "\",\"Step\":{\"Name\":\"AddStepRuntimeRoleIntTest\",\"ActionOnFailure\":\"TERMINATE_CLUSTER\",\"HadoopJarStep\":{\"Jar\":\"command-runner.jar\",\"Args\":[\"spark-example\",\"SparkPi\",\"1\"]}}}},\"EmrTerminateCluster\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json index 15ecd8212bfe8..574ea20e876ba 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json 
@@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/40364d5e1052cffd66bde7b42f5598e97c91f93ba88650ea9f4b40e2e3a3bfb3.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/dc8513788878e79a03171b88e99afb3331bb4e08836abc3da0845cbc3df9e136.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -231,24 +231,6 @@ "type": "aws:cdk:logicalId", "data": "CheckBootstrapVersion" } - ], - "InstanceRole3CCE2F1D": [ - { - "type": "aws:cdk:logicalId", - "data": "InstanceRole3CCE2F1D", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } - ], - "InstanceProfile": [ - { - "type": "aws:cdk:logicalId", - "data": "InstanceProfile", - "trace": [ - "!!DESTRUCTIVE_CHANGES: WILL_DESTROY" - ] - } ] }, "displayName": "aws-cdk-emr-add-step-runtime-role" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json index 9f2cc00916d0c..b92eb2ced9322 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json 
@@ -31,8 +31,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnVPC", + "version": "0.0.0" } }, "PublicSubnet1": { @@ -75,16 +75,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" } }, "Acl": { "id": "Acl", "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -105,8 +105,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" } }, "RouteTableAssociation": { @@ -124,8 +124,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" } }, "DefaultRoute": { @@ -144,8 +144,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" } }, "EIP": { @@ -164,8 +164,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "version": "0.0.0" } }, "NATGateway": { @@ -192,14 +192,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "version": "0.0.0" } }, "PublicSubnet2": { 
@@ -242,16 +242,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" } }, "Acl": { "id": "Acl", "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -272,8 +272,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" } }, "RouteTableAssociation": { @@ -291,8 +291,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" } }, "DefaultRoute": { @@ -311,8 +311,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" } }, "EIP": { @@ -331,8 +331,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", + "version": "0.0.0" } }, "NATGateway": { @@ -359,14 +359,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", + "version": "0.0.0" } }, "PrivateSubnet1": { @@ -409,16 +409,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" } }, "Acl": { "id": "Acl", "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { 
@@ -439,8 +439,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" } }, "RouteTableAssociation": { @@ -458,8 +458,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" } }, "DefaultRoute": { @@ -478,14 +478,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "version": "0.0.0" } }, "PrivateSubnet2": { @@ -528,16 +528,16 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", + "version": "0.0.0" } }, "Acl": { "id": "Acl", "path": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -558,8 +558,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", + "version": "0.0.0" } }, "RouteTableAssociation": { @@ -577,8 +577,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", + "version": "0.0.0" } }, "DefaultRoute": { @@ -597,14 +597,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", + "version": "0.0.0" } }, "IGW": { 
@@ -622,8 +622,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnInternetGateway", + "version": "0.0.0" } }, "VPCGW": { @@ -641,14 +641,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCGatewayAttachment", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_ec2.Vpc", + "version": "0.0.0" } }, "EmrSecurityConfiguration": { @@ -674,8 +674,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_emr.CfnSecurityConfiguration", + "version": "0.0.0" } }, "EmrCreateCluster": { @@ -690,8 +690,8 @@ "id": "ImportServiceRole", "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/ServiceRole/ImportServiceRole", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Resource": { @@ -704,11 +704,6 @@ "Statement": [ { "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true" - } - }, "Effect": "Allow", "Principal": { "Service": "elasticmapreduce.amazonaws.com" @@ -734,14 +729,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" } }, "InstanceRole": { @@ -752,8 +747,8 @@ "id": "ImportInstanceRole", "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/InstanceRole/ImportInstanceRole", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Resource": { 
@@ -777,14 +772,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" } }, "InstanceProfile": { @@ -804,14 +799,14 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.CfnInstanceProfile", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_stepfunctions.TaskStateBase", + "version": "0.0.0" } }, "EmrExecutionRole": { @@ -822,8 +817,8 @@ "id": "ImportEmrExecutionRole", "path": "aws-cdk-emr-add-step-runtime-role/EmrExecutionRole/ImportEmrExecutionRole", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Resource": { @@ -881,30 +876,30 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" } }, "EmrAddStep": { "id": "EmrAddStep", "path": "aws-cdk-emr-add-step-runtime-role/EmrAddStep", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_stepfunctions_tasks.EmrAddStep", + "version": "0.0.0" } }, "EmrTerminateCluster": { "id": "EmrTerminateCluster", "path": "aws-cdk-emr-add-step-runtime-role/EmrTerminateCluster", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_stepfunctions_tasks.EmrTerminateCluster", + "version": "0.0.0" } }, "SM": { 
@@ -919,8 +914,8 @@ "id": "ImportRole", "path": "aws-cdk-emr-add-step-runtime-role/SM/Role/ImportRole", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "Resource": { @@ -944,8 +939,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.CfnRole", + "version": "0.0.0" } }, "DefaultPolicy": { @@ -1100,20 +1095,20 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_iam.Role", + "version": "0.0.0" } }, "Resource": { @@ -1146,7 +1141,14 @@ { "Ref": "AWS::Partition" }, - ":states:::elasticmapreduce:addStep.sync\",\"Parameters\":{\"ClusterId.$\":\"$.Cluster.Id\",\"Step\":{\"Name\":\"AddStepRuntimeRoleIntTest\",\"ActionOnFailure\":\"TERMINATE_CLUSTER\",\"HadoopJarStep\":{\"Jar\":\"command-runner.jar\",\"Args\":[\"spark-example\",\"SparkPi\",\"1\"]}}}},\"EmrTerminateCluster\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:", + ":states:::elasticmapreduce:addStep.sync\",\"Parameters\":{\"ClusterId.$\":\"$.Cluster.Id\",\"ExecutionRoleArn\":\"", + { + "Fn::GetAtt": [ + "EmrExecutionRoleF584820F", + "Arn" + ] + }, + "\",\"Step\":{\"Name\":\"AddStepRuntimeRoleIntTest\",\"ActionOnFailure\":\"TERMINATE_CLUSTER\",\"HadoopJarStep\":{\"Jar\":\"command-runner.jar\",\"Args\":[\"spark-example\",\"SparkPi\",\"1\"]}}}},\"EmrTerminateCluster\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, 
@@ -1163,36 +1165,36 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_stepfunctions.CfnStateMachine", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.aws_stepfunctions.StateMachine", + "version": "0.0.0" } }, "BootstrapVersion": { "id": "BootstrapVersion", "path": "aws-cdk-emr-add-step-runtime-role/BootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "aws-cdk-emr-add-step-runtime-role/CheckBootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" } }, "EmrCreateClusterTest": { @@ -1219,22 +1221,22 @@ "id": "BootstrapVersion", "path": "EmrCreateClusterTest/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" } }, "CheckBootstrapVersion": { "id": "CheckBootstrapVersion", "path": "EmrCreateClusterTest/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.CfnRule", + "version": "0.0.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" } } }, @@ -1259,8 +1261,8 @@ } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" } } } \ No newline at end of file From 139148a2c483ab82fa110b4a152514a88925a2d9 Mon Sep 17 00:00:00 2001 
From: Michael Sambol Date: Thu, 7 Dec 2023 16:33:26 -0800 Subject: [PATCH 15/16] more --- .../aws-cdk-emr-add-step-runtime-role.assets.json | 4 ++-- .../aws-cdk-emr-add-step-runtime-role.template.json | 2 +- .../manifest.json | 2 +- .../tree.json | 4 ++-- .../emr/integ.emr-create-cluster-add-step-runtime-role.ts | 3 ++- 5 files changed, 8 insertions(+), 7 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json index b52a0ff1246da..48e27356d5821 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json @@ -1,7 +1,7 @@ { "version": "35.0.0", "files": { - "dc8513788878e79a03171b88e99afb3331bb4e08836abc3da0845cbc3df9e136": { + "802536ab04968d5023a2308ec30af0144698bc97c2795c0f6f49ab7ceadd6fa8": { "source": { "path": "aws-cdk-emr-add-step-runtime-role.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "dc8513788878e79a03171b88e99afb3331bb4e08836abc3da0845cbc3df9e136.json", + "objectKey": "802536ab04968d5023a2308ec30af0144698bc97c2795c0f6f49ab7ceadd6fa8.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json index 978c23da4496c..ddd5f7053905d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json @@ -706,7 +706,7 @@ { "Ref": "EmrCreateClusterServiceRole5251910D" }, - "\",\"Applications\":[{\"Name\":\"Spark\"}],\"ReleaseLabel\":\"emr-6.13.0\",\"SecurityConfiguration\":\"AddStepRuntimeRoleSecConfig\",\"Tags\":[{\"Key\":\"Key\",\"Value\":\"Value\"}],\"VisibleToAllUsers\":true}},\"EmrAddStep\":{\"Next\":\"EmrTerminateCluster\",\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:", + "\",\"Applications\":[{\"Name\":\"Spark\"}],\"ReleaseLabel\":\"emr-6.13.0\",\"SecurityConfiguration\":\"AddStepRuntimeRoleSecConfig\",\"Tags\":[{\"Key\":\"Key\",\"Value\":\"Value\"},{\"Key\":\"for-use-with-amazon-emr-managed-policies\",\"Value\":\"true\"}],\"VisibleToAllUsers\":true}},\"EmrAddStep\":{\"Next\":\"EmrTerminateCluster\",\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json index 574ea20e876ba..874d447eb0f47 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/dc8513788878e79a03171b88e99afb3331bb4e08836abc3da0845cbc3df9e136.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/802536ab04968d5023a2308ec30af0144698bc97c2795c0f6f49ab7ceadd6fa8.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json index b92eb2ced9322..a6b386704213b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json 
@@ -890,7 +890,7 @@ "id": "EmrAddStep", "path": "aws-cdk-emr-add-step-runtime-role/EmrAddStep", "constructInfo": { - "fqn": "aws-cdk-lib.aws_stepfunctions_tasks.EmrAddStep", + "fqn": "aws-cdk-lib.aws_stepfunctions.TaskStateBase", "version": "0.0.0" } }, @@ -1137,7 +1137,7 @@ { "Ref": "EmrCreateClusterServiceRole5251910D" }, - "\",\"Applications\":[{\"Name\":\"Spark\"}],\"ReleaseLabel\":\"emr-6.13.0\",\"SecurityConfiguration\":\"AddStepRuntimeRoleSecConfig\",\"Tags\":[{\"Key\":\"Key\",\"Value\":\"Value\"}],\"VisibleToAllUsers\":true}},\"EmrAddStep\":{\"Next\":\"EmrTerminateCluster\",\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:", + "\",\"Applications\":[{\"Name\":\"Spark\"}],\"ReleaseLabel\":\"emr-6.13.0\",\"SecurityConfiguration\":\"AddStepRuntimeRoleSecConfig\",\"Tags\":[{\"Key\":\"Key\",\"Value\":\"Value\"},{\"Key\":\"for-use-with-amazon-emr-managed-policies\",\"Value\":\"true\"}],\"VisibleToAllUsers\":true}},\"EmrAddStep\":{\"Next\":\"EmrTerminateCluster\",\"Type\":\"Task\",\"ResultPath\":null,\"Resource\":\"arn:", { "Ref": "AWS::Partition" }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts index b218d634488b6..6cd46e540803a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts 
@@ -60,7 +60,8 @@ const createClusterStep = new tasks.EmrCreateCluster(stack, 'EmrCreateCluster', releaseLabel: 'emr-6.13.0', integrationPattern: sfn.IntegrationPattern.RUN_JOB, tags: { - Key: 'Value', + 'Key': 'Value', + 'for-use-with-amazon-emr-managed-policies': 'true', }, securityConfiguration: cfnSecurityConfiguration.name, applications: [ From e3c70a7b9aae8112f4be8088a7c7c2a1cbbc2884 Mon Sep 17 00:00:00 2001 From: Michael Sambol Date: Mon, 11 Dec 2023 15:46:45 -0800 Subject: [PATCH 16/16] verify int test --- ...-cdk-emr-add-step-runtime-role.assets.json | 4 +- ...dk-emr-add-step-runtime-role.template.json | 99 ++++++++++++-- .../manifest.json | 20 ++- .../tree.json | 125 ++++++++++++++++-- ...mr-create-cluster-add-step-runtime-role.ts | 6 +- 5 files changed, 223 insertions(+), 31 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json index 48e27356d5821..5ea9154dd1acb 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.assets.json @@ -1,7 +1,7 @@ { "version": "35.0.0", "files": { - "802536ab04968d5023a2308ec30af0144698bc97c2795c0f6f49ab7ceadd6fa8": { + "b0ad12ea0ccf78882a5f85949321e82fa339a67df23c0197b2e17d024ad472a4": { "source": { "path": "aws-cdk-emr-add-step-runtime-role.template.json", "packaging": "file" 
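Review bot: The added `'for-use-with-amazon-emr-managed-policies': 'true'` entry in `tags` has no comment saying why the cluster needs it, so the key reads like an arbitrary label rather than something access control depends on. If, as the key name suggests, the EMR managed policies condition their permissions on this tag, it works as an opt-in marker, and a later cleanup could drop or copy it without noticing the effect. I would add above it `// EMR managed policies only act on resources that carry this tag; keep it on the cluster and nowhere it is not needed`. The `EmrCreateCluster` call starts and ends outside this hunk.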
@@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "802536ab04968d5023a2308ec30af0144698bc97c2795c0f6f49ab7ceadd6fa8.json", + "objectKey": "b0ad12ea0ccf78882a5f85949321e82fa339a67df23c0197b2e17d024ad472a4.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json index ddd5f7053905d..9033231bdb9a2 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/aws-cdk-emr-add-step-runtime-role.template.json @@ -8,6 +8,10 @@ "EnableDnsSupport": true, "InstanceTenancy": "default", "Tags": [ + { + "Key": "for-use-with-amazon-emr-managed-policies", + "Value": "true" + }, { "Key": "Name", "Value": "aws-cdk-emr-add-step-runtime-role/Vpc" @@ -37,6 +41,10 @@ "Key": "aws-cdk:subnet-type", "Value": "Public" }, + { + "Key": "for-use-with-amazon-emr-managed-policies", + "Value": "true" + }, { "Key": "Name", "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" @@ -51,6 +59,10 @@ "Type": "AWS::EC2::RouteTable", "Properties": { "Tags": [ + { + "Key": "for-use-with-amazon-emr-managed-policies", + "Value": "true" + }, { "Key": "Name", "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" 
@@ -92,6 +104,10 @@ "Properties": { "Domain": "vpc", "Tags": [ + { + "Key": "for-use-with-amazon-emr-managed-policies", + "Value": "true" + }, { "Key": "Name", "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" @@ -112,6 +128,10 @@ "Ref": "VpcPublicSubnet1Subnet5C2D37C4" }, "Tags": [ + { + "Key": "for-use-with-amazon-emr-managed-policies", + "Value": "true" + }, { "Key": "Name", "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" @@ -145,6 +165,10 @@ "Key": "aws-cdk:subnet-type", "Value": "Public" }, + { + "Key": "for-use-with-amazon-emr-managed-policies", + "Value": "true" + }, { "Key": "Name", "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" @@ -159,6 +183,10 @@ "Type": "AWS::EC2::RouteTable", "Properties": { "Tags": [ + { + "Key": "for-use-with-amazon-emr-managed-policies", + "Value": "true" + }, { "Key": "Name", "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" @@ -200,6 +228,10 @@ "Properties": { "Domain": "vpc", "Tags": [ + { + "Key": "for-use-with-amazon-emr-managed-policies", + "Value": "true" + }, { "Key": "Name", "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" @@ -220,6 +252,10 @@ "Ref": "VpcPublicSubnet2Subnet691E08A3" }, "Tags": [ + { + "Key": "for-use-with-amazon-emr-managed-policies", + "Value": "true" + }, { "Key": "Name", "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" @@ -253,6 +289,10 @@ "Key": "aws-cdk:subnet-type", "Value": "Private" }, + { + "Key": "for-use-with-amazon-emr-managed-policies", + "Value": "true" + }, { "Key": "Name", "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1" @@ -267,6 +307,10 @@ "Type": "AWS::EC2::RouteTable", "Properties": { "Tags": [ + { + "Key": "for-use-with-amazon-emr-managed-policies", + "Value": "true" + }, { "Key": "Name", "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1" 
@@ -322,6 +366,10 @@ "Key": "aws-cdk:subnet-type", "Value": "Private" }, + { + "Key": "for-use-with-amazon-emr-managed-policies", + "Value": "true" + }, { "Key": "Name", "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2" @@ -336,6 +384,10 @@ "Type": "AWS::EC2::RouteTable", "Properties": { "Tags": [ + { + "Key": "for-use-with-amazon-emr-managed-policies", + "Value": "true" + }, { "Key": "Name", "Value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2" @@ -373,6 +425,10 @@ "Type": "AWS::EC2::InternetGateway", "Properties": { "Tags": [ + { + "Key": "for-use-with-amazon-emr-managed-policies", + "Value": "true" + }, { "Key": "Name", "Value": "aws-cdk-emr-add-step-runtime-role/Vpc" @@ -441,6 +497,32 @@ ] } }, + "EmrCreateClusterServiceRoleDefaultPolicyA8B4FA32": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "iam:PassRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EmrCreateClusterInstanceRoleC80466F5", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "EmrCreateClusterServiceRoleDefaultPolicyA8B4FA32", + "Roles": [ + { + "Ref": "EmrCreateClusterServiceRole5251910D" + } + ] + } + }, "EmrCreateClusterInstanceRoleC80466F5": { "Type": "AWS::IAM::Role", "Properties": { @@ -522,7 +604,7 @@ } } }, - "SMRole49C19C48": { + "StateMachineRoleB840431D": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { @@ -539,13 +621,14 @@ } } }, - "SMRoleDefaultPolicy34CA15C7": { + "StateMachineRoleDefaultPolicyDF1E6607": { "Type": "AWS::IAM::Policy", "Properties": { "PolicyDocument": { "Statement": [ { "Action": [ + "elasticmapreduce:AddTags", "elasticmapreduce:DescribeCluster", "elasticmapreduce:RunJobFlow", "elasticmapreduce:TerminateJobFlows" 
@@ -675,15 +758,15 @@ ], "Version": "2012-10-17" }, - "PolicyName": "SMRoleDefaultPolicy34CA15C7", + "PolicyName": "StateMachineRoleDefaultPolicyDF1E6607", "Roles": [ { - "Ref": "SMRole49C19C48" + "Ref": "StateMachineRoleB840431D" } ] } }, - "SM934E715A": { + "StateMachine2E01A3A5": { "Type": "AWS::StepFunctions::StateMachine", "Properties": { "DefinitionString": { @@ -727,14 +810,14 @@ }, "RoleArn": { "Fn::GetAtt": [ - "SMRole49C19C48", + "StateMachineRoleB840431D", "Arn" ] } }, "DependsOn": [ - "SMRoleDefaultPolicy34CA15C7", - "SMRole49C19C48" + "StateMachineRoleDefaultPolicyDF1E6607", + "StateMachineRoleB840431D" ], "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json index 874d447eb0f47..b55cd0bf9239a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/manifest.json 
@@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/802536ab04968d5023a2308ec30af0144698bc97c2795c0f6f49ab7ceadd6fa8.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/b0ad12ea0ccf78882a5f85949321e82fa339a67df23c0197b2e17d024ad472a4.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -184,6 +184,12 @@ "data": "EmrCreateClusterServiceRole5251910D" } ], + "/aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/ServiceRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "EmrCreateClusterServiceRoleDefaultPolicyA8B4FA32" + } + ], "/aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/InstanceRole/Resource": [ { "type": "aws:cdk:logicalId", 
@@ -202,22 +208,22 @@ "data": "EmrExecutionRoleF584820F" } ], - "/aws-cdk-emr-add-step-runtime-role/SM/Role/Resource": [ + "/aws-cdk-emr-add-step-runtime-role/StateMachine/Role/Resource": [ { "type": "aws:cdk:logicalId", - "data": "SMRole49C19C48" + "data": "StateMachineRoleB840431D" } ], - "/aws-cdk-emr-add-step-runtime-role/SM/Role/DefaultPolicy/Resource": [ + "/aws-cdk-emr-add-step-runtime-role/StateMachine/Role/DefaultPolicy/Resource": [ { "type": "aws:cdk:logicalId", - "data": "SMRoleDefaultPolicy34CA15C7" + "data": "StateMachineRoleDefaultPolicyDF1E6607" } ], - "/aws-cdk-emr-add-step-runtime-role/SM/Resource": [ + "/aws-cdk-emr-add-step-runtime-role/StateMachine/Resource": [ { "type": "aws:cdk:logicalId", - "data": "SM934E715A" + "data": "StateMachine2E01A3A5" } ], "/aws-cdk-emr-add-step-runtime-role/BootstrapVersion": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json index a6b386704213b..13071594c3743 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.js.snapshot/tree.json @@ -23,6 +23,10 @@ "enableDnsSupport": true, "instanceTenancy": "default", "tags": [ + { + "key": "for-use-with-amazon-emr-managed-policies", + "value": "true" + }, { "key": "Name", "value": "aws-cdk-emr-add-step-runtime-role/Vpc" @@ -64,6 +68,10 @@ "key": "aws-cdk:subnet-type", "value": "Public" }, + { + "key": "for-use-with-amazon-emr-managed-policies", + "value": "true" + }, { "key": "Name", "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" 
@@ -94,6 +102,10 @@ "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { "tags": [ + { + "key": "for-use-with-amazon-emr-managed-policies", + "value": "true" + }, { "key": "Name", "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" @@ -156,6 +168,10 @@ "aws:cdk:cloudformation:props": { "domain": "vpc", "tags": [ + { + "key": "for-use-with-amazon-emr-managed-policies", + "value": "true" + }, { "key": "Name", "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" @@ -184,6 +200,10 @@ "Ref": "VpcPublicSubnet1Subnet5C2D37C4" }, "tags": [ + { + "key": "for-use-with-amazon-emr-managed-policies", + "value": "true" + }, { "key": "Name", "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet1" @@ -231,6 +251,10 @@ "key": "aws-cdk:subnet-type", "value": "Public" }, + { + "key": "for-use-with-amazon-emr-managed-policies", + "value": "true" + }, { "key": "Name", "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" @@ -261,6 +285,10 @@ "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { "tags": [ + { + "key": "for-use-with-amazon-emr-managed-policies", + "value": "true" + }, { "key": "Name", "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" @@ -323,6 +351,10 @@ "aws:cdk:cloudformation:props": { "domain": "vpc", "tags": [ + { + "key": "for-use-with-amazon-emr-managed-policies", + "value": "true" + }, { "key": "Name", "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" @@ -351,6 +383,10 @@ "Ref": "VpcPublicSubnet2Subnet691E08A3" }, "tags": [ + { + "key": "for-use-with-amazon-emr-managed-policies", + "value": "true" + }, { "key": "Name", "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PublicSubnet2" @@ -398,6 +434,10 @@ "key": "aws-cdk:subnet-type", "value": "Private" }, + { + "key": "for-use-with-amazon-emr-managed-policies", + "value": "true" + }, { "key": "Name", "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1" 
@@ -428,6 +468,10 @@ "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { "tags": [ + { + "key": "for-use-with-amazon-emr-managed-policies", + "value": "true" + }, { "key": "Name", "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet1" @@ -517,6 +561,10 @@ "key": "aws-cdk:subnet-type", "value": "Private" }, + { + "key": "for-use-with-amazon-emr-managed-policies", + "value": "true" + }, { "key": "Name", "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2" @@ -547,6 +595,10 @@ "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { "tags": [ + { + "key": "for-use-with-amazon-emr-managed-policies", + "value": "true" + }, { "key": "Name", "value": "aws-cdk-emr-add-step-runtime-role/Vpc/PrivateSubnet2" @@ -614,6 +666,10 @@ "aws:cdk:cloudformation:type": "AWS::EC2::InternetGateway", "aws:cdk:cloudformation:props": { "tags": [ + { + "key": "for-use-with-amazon-emr-managed-policies", + "value": "true" + }, { "key": "Name", "value": "aws-cdk-emr-add-step-runtime-role/Vpc" 
@@ -732,6 +788,50 @@ "fqn": "aws-cdk-lib.aws_iam.CfnRole", "version": "0.0.0" } + }, + "DefaultPolicy": { + "id": "DefaultPolicy", + "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/ServiceRole/DefaultPolicy", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-emr-add-step-runtime-role/EmrCreateCluster/ServiceRole/DefaultPolicy/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Policy", + "aws:cdk:cloudformation:props": { + "policyDocument": { + "Statement": [ + { + "Action": "iam:PassRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EmrCreateClusterInstanceRoleC80466F5", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "policyName": "EmrCreateClusterServiceRoleDefaultPolicyA8B4FA32", + "roles": [ + { + "Ref": "EmrCreateClusterServiceRole5251910D" + } + ] + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.CfnPolicy", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_iam.Policy", + "version": "0.0.0" + } } }, "constructInfo": { @@ -902,17 +1002,17 @@ "version": "0.0.0" } }, - "SM": { - "id": "SM", - "path": "aws-cdk-emr-add-step-runtime-role/SM", + "StateMachine": { + "id": "StateMachine", + "path": "aws-cdk-emr-add-step-runtime-role/StateMachine", "children": { "Role": { "id": "Role", - "path": "aws-cdk-emr-add-step-runtime-role/SM/Role", + "path": "aws-cdk-emr-add-step-runtime-role/StateMachine/Role", "children": { "ImportRole": { "id": "ImportRole", - "path": "aws-cdk-emr-add-step-runtime-role/SM/Role/ImportRole", + "path": "aws-cdk-emr-add-step-runtime-role/StateMachine/Role/ImportRole", "constructInfo": { "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" @@ -920,7 +1020,7 @@ }, "Resource": { "id": "Resource", - "path": "aws-cdk-emr-add-step-runtime-role/SM/Role/Resource", + "path": "aws-cdk-emr-add-step-runtime-role/StateMachine/Role/Resource", "attributes": { "aws:cdk:cloudformation:type": "AWS::IAM::Role", "aws:cdk:cloudformation:props": { 
@@ -945,11 +1045,11 @@ }, "DefaultPolicy": { "id": "DefaultPolicy", - "path": "aws-cdk-emr-add-step-runtime-role/SM/Role/DefaultPolicy", + "path": "aws-cdk-emr-add-step-runtime-role/StateMachine/Role/DefaultPolicy", "children": { "Resource": { "id": "Resource", - "path": "aws-cdk-emr-add-step-runtime-role/SM/Role/DefaultPolicy/Resource", + "path": "aws-cdk-emr-add-step-runtime-role/StateMachine/Role/DefaultPolicy/Resource", "attributes": { "aws:cdk:cloudformation:type": "AWS::IAM::Policy", "aws:cdk:cloudformation:props": { @@ -957,6 +1057,7 @@ "Statement": [ { "Action": [ + "elasticmapreduce:AddTags", "elasticmapreduce:DescribeCluster", "elasticmapreduce:RunJobFlow", "elasticmapreduce:TerminateJobFlows" @@ -1086,10 +1187,10 @@ ], "Version": "2012-10-17" }, - "policyName": "SMRoleDefaultPolicy34CA15C7", + "policyName": "StateMachineRoleDefaultPolicyDF1E6607", "roles": [ { - "Ref": "SMRole49C19C48" + "Ref": "StateMachineRoleB840431D" } ] } @@ -1113,7 +1214,7 @@ }, "Resource": { "id": "Resource", - "path": "aws-cdk-emr-add-step-runtime-role/SM/Resource", + "path": "aws-cdk-emr-add-step-runtime-role/StateMachine/Resource", "attributes": { "aws:cdk:cloudformation:type": "AWS::StepFunctions::StateMachine", "aws:cdk:cloudformation:props": { @@ -1158,7 +1259,7 @@ }, "roleArn": { "Fn::GetAtt": [ - "SMRole49C19C48", + "StateMachineRoleB840431D", "Arn" ] } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts index 6cd46e540803a..ef9ce254fc70a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-add-step-runtime-role.ts 
@@ -3,7 +3,7 @@ import * as ec2 from 'aws-cdk-lib/aws-ec2'; import * as emr from 'aws-cdk-lib/aws-emr'; import * as iam from 'aws-cdk-lib/aws-iam'; import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks'; -import { App, Stack } from 'aws-cdk-lib'; +import { App, Stack, Tags } from 'aws-cdk-lib'; import { IntegTest } from '@aws-cdk/integ-tests-alpha'; /* @@ -21,6 +21,8 @@ const app = new App(); const stack = new Stack(app, 'aws-cdk-emr-add-step-runtime-role'); const vpc = new ec2.Vpc(stack, 'Vpc', { restrictDefaultSecurityGroup: false }); +// https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html#manually-tagged-resources +Tags.of(vpc).add('for-use-with-amazon-emr-managed-policies', 'true'); const cfnSecurityConfiguration = new emr.CfnSecurityConfiguration(stack, 'EmrSecurityConfiguration', { name: 'AddStepRuntimeRoleSecConfig', @@ -122,7 +124,7 @@ const terminationStep = new tasks.EmrTerminateCluster(stack, 'EmrTerminateCluste const definition = createClusterStep.next(addStepStep).next(terminationStep); -new sfn.StateMachine(stack, 'SM', { +new sfn.StateMachine(stack, 'StateMachine', { definition, });
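Review bot: In the second hunk, `Tags.of(vpc).add('for-use-with-amazon-emr-managed-policies', 'true')` tags every taggable construct under the VPC, not just the resources EMR has to touch. The regenerated template in this same commit shows the tag landing on the route tables, the `Domain: vpc` address resources, the internet gateway and the resources attached to the public subnets, as well as the VPC and the subnets. If the tag is what the EMR managed policies match on, as the linked guide's title suggests, that widens the set of resources those policies apply to beyond what the test needs. I would limit it with the `includeResourceTypes` option, for example `Tags.of(vpc).add('for-use-with-amazon-emr-managed-policies', 'true', { includeResourceTypes: ['AWS::EC2::VPC', 'AWS::EC2::Subnet'] });`, after confirming the required resource types against the guide. Integ tests tend to be copied as examples, so the narrower form is the better one to publish.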