
Wrong policy state machine generation for lambda arn #302

nikita-sheremet-clearscale opened this issue Jan 21, 2020 · 5 comments

@nikita-sheremet-clearscale

This is a Bug Report

Description

You can find the entire reproducible code here.

The problem is a policy generation error for a state machine when it needs to invoke a Lambda function. The problem appeared when the Lambda function is passed as an ARN with pseudo parameters.

```yaml
MyArn: arn:aws:lambda:#{AWS::Region}:#{AWS::AccountId}:function:${file(${self:custom.varFile}):custom.Name}

MyStateMachine:
  name: "my_state_machine"
  definition:
    StartAt: Start
    States:
      Start:
        Type: Task
        Resource: "${self:custom.MyArn}"
        Parameters:
          arnAsValue: "${file(${self:custom.varFile}):custom.MyArn}"
        Next: Some
      "Some":
        Type: Task
        Resource: arn:aws:states:::glue:startJobRun.sync
        Parameters:
          JobName: myJOb
        End: true
```

For bug reports:

  • What went wrong? - Policy was generated wrong
  • What did you expect should have happened? - state machine should be deployed
  • What stacktrace or error message from your provider did you see?
cmd.exe /c "serverless deploy"
 
 Serverless Warning --------------------------------------
 
  A valid option to satisfy the declaration 'opt:stage' could not be found.
 
Serverless: Added parameters to template
Serverless: Packaging service...
Serverless: Added parameters to template
Serverless: Uploading CloudFormation file to S3...
Serverless: Uploading artifacts...
Serverless: Validating template...
Serverless: Updating Stack...
Serverless: Checking Stack update progress...
....
Serverless: Operation failed!
Serverless: View the full error output: https://us-east-2.console.aws.amazon.com/cloudformation/...
 
  Serverless Error ---------------------------------------
 
  An error occurred: MyUnderscorestateUnderscoremachineRole - The policy failed legacy parsing (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: ).
 
  Get Support --------------------------------------------
     Docs:          docs.serverless.com
     Bugs:          github.com/serverless/serverless/issues
     Issues:        forum.serverless.com
 
  Your Environment Information ---------------------------
     Operating System:          win32
     Node Version:              10.15.0
     Framework Version:         1.53.0
     Plugin Version:            3.1.1
     SDK Version:               2.1.1
     Components Core Version:   1.1.1
     Components CLI Version:    1.2.3
 

Process finished with exit code 1

Feel free to ask any questions.

@theburningmonk
Collaborator

@nikita-clearscale Do you have an example of the State Machine IAM role that was generated? You can find it in the CF update stack in the .serverless folder.

@nikita-sheremet-clearscale
Author

nikita-sheremet-clearscale commented Jan 22, 2020

@theburningmonk
Many thanks for the quick reply!

Yes, look at the generated role:

```json
"MyUnderscorestateUnderscoremachineRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "states.us-east-2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    },
    "Policies": [
      {
        "PolicyName": "dev-us-east-2-myservice-statemachine",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "lambda:InvokeFunction"
              ],
              "Resource": [
                {
                  "Fn::Sub": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:my_app_dev"
                },
                {
                  "Fn::Sub": [
                    "${functionArn}:*",
                    {
                      "functionArn": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:my_app_dev"
                    }
                  ]
                }
              ]
            },
            {
              "Effect": "Allow",
              "Action": [
                "glue:StartJobRun",
                "glue:GetJobRun",
                "glue:GetJobRuns",
                "glue:BatchStopJobRun"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    ]
  }
}
```

Recall, you can generate this manually from the GitHub project: https://github.com/C-h-e-r-r-y/step-function-policy-generation-bug

@nikita-sheremet-clearscale
Author

Looks like there should be one "additional" Fn::Sub call for the "functionArn" value.
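To make the diagnosis in the thread concrete, here is an added example (not code from the issue or from the serverless-step-functions plugin) that emulates the single-pass semantics of CloudFormation's Fn::Sub, assuming, as the comment above suggests, that tokens inside the variable map values are not substituted. It resolves the two Resource entries from the generated policy, flags the one that still carries unresolved pseudo parameters, and shows a corrected form that resolves cleanly; the pseudo parameter values are constructed stand-ins.

```javascript
// Added example, not part of the issue or the plugin. Emulates Fn::Sub to show why the
// "functionArn" form leaves ${AWS::Region}/${AWS::AccountId} unresolved, and provides a
// pre-deploy check that flags such Resource entries before the policy reaches IAM.

// Constructed stand-in values for the stack's pseudo parameters (hypothetical).
const PSEUDO = { 'AWS::Region': 'us-east-2', 'AWS::AccountId': '123456789012' };

// Fn::Sub substitutes ${...} tokens in the template string only; values taken from
// the variable map are inserted verbatim and are not scanned for tokens again.
function fnSub(sub) {
  const [template, vars] = Array.isArray(sub) ? sub : [sub, {}];
  return template.replace(/\$\{([^}]+)\}/g, (match, key) =>
    key in vars ? vars[key] : key in PSEUDO ? PSEUDO[key] : match);
}

// Resolve one policy Resource entry (plain string or { "Fn::Sub": ... }).
function resolveResource(res) {
  return typeof res === 'string' ? res : fnSub(res['Fn::Sub']);
}

// Returns the resolved ARNs that still contain an unresolved ${...} token; a non-empty
// result means IAM would receive a malformed Resource value.
function unresolvedResources(resources) {
  return resources.map(resolveResource).filter(arn => /\$\{[^}]+\}/.test(arn));
}

// The two Resource entries from the generated policy quoted in this issue.
const GENERATED = [
  { 'Fn::Sub': 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:my_app_dev' },
  { 'Fn::Sub': ['${functionArn}:*',
      { functionArn: 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:my_app_dev' }] },
];

// Corrected form: keep the ':*' suffix inside the template string so that a single
// Fn::Sub pass resolves every pseudo parameter.
const FIXED = [
  { 'Fn::Sub': 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:my_app_dev' },
  { 'Fn::Sub': 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:my_app_dev:*' },
];

console.log('generated, unresolved:', unresolvedResources(GENERATED));
console.log('fixed, unresolved:', unresolvedResources(FIXED));
```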

@nikita-sheremet-clearscale
Author

@theburningmonk

As a workaround, use a dummy Fn::Sub, like `Fn::Sub: ${self:custom.MyArn}`:

```yaml
service: myservice

frameworkVersion: ">=1.38.0 <2.0.0"

plugins:
  - serverless-step-functions
  - serverless-pseudo-parameters
  - serverless-cf-vars
  - serverless-parameters

provider:
  name: aws
  stage: ${opt:stage}
  region: us-east-2

custom:
  varFile: ../vars.yml
  MyArn: ${file(${self:custom.varFile}):custom.MyArn}

stepFunctions:
  stateMachines:
    MyStateMachine:
      name: "my_state_machine"
      definition:
        StartAt: Start
        States:
          Start:
            Type: Task
            Resource:
              Fn::Sub: ${self:custom.MyArn}
            Parameters:
              arnAsValue: "${file(${self:custom.varFile}):custom.MyArn}"
            Next: Some
          "Some":
            Type: Task
            Resource: arn:aws:states:::glue:startJobRun.sync
            Parameters:
              JobName: myJOb
            End: true
```

@cward-extron

@lopburny This is the same issue I was referencing in #542.

Adding the ARN as a custom param and passing it into deploy addresses the issue, but being able to use intrinsic functions to reference the specific state machine by convention would be preferred.
