Invalid reference to ServiceprincipalMap when creating a StateMachine using the default IAM role #83

Open
smcroskey opened this issue May 20, 2022 · 5 comments
Labels
backlog bug Something isn't working

Comments

@smcroskey

Versions
@cdktf/aws-cdk: 0.4.9
aws-cdk-lib: 2.24.0
cdktf: 0.10.4

I'm using the TF CDK AWS adapter to create an AWS Step Functions StateMachine, but it looks like the default IAM role references a ServiceprincipalMap that doesn't exist.

State machine definition:

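    import * as sfn from 'aws-cdk-lib/aws-stepfunctions';

    // No role is passed, so the construct creates the default IAM role
    new sfn.StateMachine(scope, id, {
        stateMachineName: 'my-state-machine',
        definition: sfn.Chain.start(new sfn.Pass(scope, 'Pass state')),
    });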

Default role that gets created:

      "aws-adapter_ParallelComplianceLegalEntityReviewManualReviewStateMachineRole5B8BE48E_36717D91": {
        "//": {
          "metadata": {
            "path": "myStack/aws-adapter/MyStateMachineStateMachineRole5B8BE48E",
            "uniqueId": "aws-adapter_MyStateMachineStateMachineRole5B8BE48E_36717D91"
          }
        },
        "assume_role_policy": "${jsonencode({Statement = [{Action = \"sts:AssumeRole\", Effect = \"Allow\", Principal = {Service = \"ServiceprincipalMap\"[data.aws_region.aws-adapter_aws-region_D2FC9107.name][\"states\"]}}], Version = \"2012-10-17\"})}"
      },

And the error when attempting to apply:

Error: Invalid index

  on ../cdk/cdktf.out/stacks/financingRequestsStack/cdk.tf.json line 153, in resource.aws_iam_role.aws-adapter_MyStateMachineStateMachineRole5B8BE48E_36717D91:
 153:         "assume_role_policy": "${jsonencode({Statement = [{Action = \"sts:AssumeRole\", Effect = \"Allow\", Principal = {Service = \"ServiceprincipalMap\"[data.aws_region.aws-adapter_aws-region_D2FC9107.name][\"states\"]}}], Version = \"2012-10-17\"})}"
    |----------------
    | data.aws_region.aws-adapter_aws-region_D2FC9107.name is "us-east-1"

This value does not have any indices.

I'm assuming this is because there's a disconnect in how the regional service "Fact" gets resolved, as there doesn't appear to be any ServiceprincipalMap mapping anywhere in the cdktf json output.

Note that I can work around the issue by supplying my own Role, using the deprecated region option (so that the default regionalFact resolution referenced above doesn't apply):

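    import * as iam from 'aws-cdk-lib/aws-iam';

    // The deprecated region option bypasses the default regional fact lookup
    const stateMachineRole = new iam.Role(scope, 'my-state-machine-role', {
        assumedBy: new iam.ServicePrincipal('states.amazonaws.com', { region: 'us-east-1' }),
    });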
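
A pre-apply check for the symptom reported above, as an added example that is not part of the original post or the project's code: it scans a synthesized `cdk.tf.json` for interpolations that index into a quoted string literal, which is how the unresolved `ServiceprincipalMap` lookup shows up in the role's `assume_role_policy`. The function names and the sample document are constructed for illustration, and the check covers every string attribute of every resource rather than only the trust policy.

```javascript
// Added example: flag interpolations in a synthesized cdk.tf.json that index
// into a quoted string literal, e.g. "ServiceprincipalMap"[region]["states"].
const LITERAL_INDEX = /"([A-Za-z0-9_.-]+)"\s*\[/g;

// Yield [path, string] for every string leaf, skipping cdktf "//" metadata.
function* stringLeaves(value, path = []) {
  if (typeof value === 'string') {
    yield [path, value];
  } else if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      if (key !== '//') yield* stringLeaves(child, [...path, key]);
    }
  }
}

function findLiteralIndexing(tfJson) {
  const findings = [];
  for (const [type, instances] of Object.entries(tfJson.resource ?? {})) {
    for (const [name, attrs] of Object.entries(instances)) {
      for (const [path, text] of stringLeaves(attrs)) {
        // Only ${...} interpolations are evaluated by Terraform.
        for (const expr of text.match(/\$\{[\s\S]*\}/g) ?? []) {
          for (const m of expr.matchAll(LITERAL_INDEX)) {
            findings.push({ address: `${type}.${name}`, attribute: path.join('.'), literal: m[1] });
          }
        }
      }
    }
  }
  return findings;
}

// Constructed sample modelled on the output in this issue (names shortened).
const trust = (service) =>
  '${jsonencode({Statement = [{Action = "sts:AssumeRole", Effect = "Allow", ' +
  `Principal = {Service = ${service}}}], Version = "2012-10-17"})}`;
const sample = {
  resource: {
    aws_iam_role: {
      default_role: {
        '//': { metadata: { path: 'myStack/aws-adapter/DefaultRole' } },
        assume_role_policy: trust('"ServiceprincipalMap"[data.aws_region.r.name]["states"]'),
      },
      explicit_role: { assume_role_policy: trust('"states.amazonaws.com"') },
    },
  },
};

console.log(findLiteralIndexing(sample));
```

Run against the real file by replacing `sample` with the parsed contents of the stack's `cdk.tf.json`; an empty result means no string-literal indexing was found.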

@smcroskey smcroskey changed the title from "Invalid reference to states.amazonaws.com service principal in cdktf json output" to "Invalid reference to ServiceprincipalMap when creating a StateMachine using the default IAM role" May 20, 2022
@ansgarm
Member

ansgarm commented Jun 2, 2022

Ah, thanks for the example!
I think this could turn out to be related to this follow-up issue we have: #149.
Which means that it could be implemented similarly to how conditions are handled and shouldn't be much work if that's the case.

@github-actions

github-actions bot commented Aug 2, 2022

This issue is now marked as stale because it hasn't seen activity for a while. Add a comment or it will be closed soon.

@github-actions github-actions bot added the stale An issue or pull request that has not been updated in a very long time label Aug 2, 2022
@ansgarm ansgarm removed the stale An issue or pull request that has not been updated in a very long time label Aug 2, 2022
@github-actions

github-actions bot commented Oct 2, 2022

This issue is now marked as stale because it hasn't seen activity for a while. Add a comment or it will be closed soon.

@github-actions github-actions bot added the stale An issue or pull request that has not been updated in a very long time label Oct 2, 2022
@ansgarm ansgarm removed the stale An issue or pull request that has not been updated in a very long time label Oct 3, 2022
@github-actions

github-actions bot commented Dec 3, 2022

This issue is now marked as stale because it hasn't seen activity for a while. Add a comment or it will be closed soon.

@github-actions github-actions bot added the stale An issue or pull request that has not been updated in a very long time label Dec 3, 2022
@github-actions

Closing this issue as it hasn't seen activity for a while. Please add a comment @mentioning a maintainer to reopen.

@xiehan xiehan reopened this Dec 12, 2022
@xiehan xiehan added backlog and removed stale An issue or pull request that has not been updated in a very long time labels Dec 12, 2022
@xiehan xiehan added the bug Something isn't working label Jun 1, 2023