feat: Add RolePath support for AWS::Serverless::StateMachine (#2684)

Connor Robertson · hoffa · web-flow · commit 5d700f75b7c4 · 2022-11-30T10:41:41.000-08:00
Co-authored-by: Chris Rehn &lt;1280602+hoffa@users.noreply.github.com&gt;
diff --git a/integration/resources/expected/single/state_machine_with_role_path.json b/integration/resources/expected/single/state_machine_with_role_path.json
@@ -0,0 +1,10 @@
+[
+  {
+    "LogicalResourceId": "MyBasicStateMachine",
+    "ResourceType": "AWS::StepFunctions::StateMachine"
+  },
+  {
+    "LogicalResourceId": "MyBasicStateMachineRole",
+    "ResourceType": "AWS::IAM::Role"
+  }
+]
diff --git a/integration/resources/templates/single/state_machine_with_role_path.yaml b/integration/resources/templates/single/state_machine_with_role_path.yaml
@@ -0,0 +1,20 @@
+Resources:
+  MyBasicStateMachine:
+    Type: AWS::Serverless::StateMachine
+    Properties:
+      Type: STANDARD
+      Definition:
+        Comment: A Hello World example of the Amazon States Language using Pass states
+        StartAt: Hello
+        States:
+          Hello:
+            Type: Pass
+            Result: Hello
+            Next: World
+          World:
+            Type: Pass
+            Result: World
+            End: true
+      RolePath: /foo/bar/
+Metadata:
+  SamTransformTest: true
diff --git a/integration/single/test_basic_state_machine.py b/integration/single/test_basic_state_machine.py
@@ -34,6 +34,18 @@ def test_basic_state_machine_with_tags(self):
         self._verify_tag_presence(tags, "TagOne", "ValueOne")
         self._verify_tag_presence(tags, "TagTwo", "ValueTwo")
 
+    def test_state_machine_with_role_path(self):
+        """
+        Creates a State machine with a Role Path
+        """
+        self.create_and_verify_stack("single/state_machine_with_role_path")
+
+        role_name = self.get_physical_id_by_type("AWS::IAM::Role")
+        iam_client = self.client_provider.iam_client
+        response = iam_client.get_role(RoleName=role_name)
+
+        self.assertEqual(response["Role"]["Path"], "/foo/bar/")
+
     def _verify_tag_presence(self, tags, key, value):
         """
         Verifies the presence of a tag and its value
diff --git a/samtranslator/model/sam_resources.py b/samtranslator/model/sam_resources.py
@@ -1691,6 +1691,7 @@ class SamStateMachine(SamResourceMacro):
         "DefinitionUri": PropertyType(False, one_of(is_str(), is_type(dict))),
         "Logging": PropertyType(False, is_type(dict)),
         "Role": PropertyType(False, is_str()),
+        "RolePath": PassThroughProperty(False),
         "DefinitionSubstitutions": PropertyType(False, is_type(dict)),
         "Events": PropertyType(False, dict_of(is_str(), is_type(dict))),
         "Name": PropertyType(False, is_str()),
@@ -1705,6 +1706,7 @@ class SamStateMachine(SamResourceMacro):
     DefinitionUri: Optional[Intrinsicable[str]]
     Logging: Optional[Dict[str, Any]]
     Role: Optional[Intrinsicable[str]]
+    RolePath: Optional[PassThrough]
     DefinitionSubstitutions: Optional[Dict[str, Any]]
     Events: Optional[Dict[str, Any]]
     Name: Optional[Intrinsicable[str]]
@@ -1738,6 +1740,7 @@ def to_cloudformation(self, **kwargs):  # type: ignore[no-untyped-def]
             permissions_boundary=self.PermissionsBoundary,
             definition_substitutions=self.DefinitionSubstitutions,
             role=self.Role,
+            role_path=self.RolePath,
             state_machine_type=self.Type,
             tracing=self.Tracing,
             events=self.Events,
diff --git a/samtranslator/model/stepfunctions/generators.py b/samtranslator/model/stepfunctions/generators.py
@@ -44,6 +44,7 @@ def __init__(  # type: ignore[no-untyped-def]
         events,
         event_resources,
         event_resolver,
+        role_path=None,
         tags=None,
         resource_attributes=None,
         passthrough_resource_attributes=None,
@@ -63,6 +64,7 @@ def __init__(  # type: ignore[no-untyped-def]
         :param permissions_boundary: The ARN of the policy used to set the permissions boundary for the role
         :param definition_substitutions: Variable-to-value mappings to be replaced in the State Machine definition
         :param role: Role ARN to use for the execution role
+        :param role_path: The file path of the execution role
         :param state_machine_type: Type of the State Machine
         :param tracing: Tracing configuration for the State Machine
         :param events: List of event sources for the State Machine
@@ -86,6 +88,7 @@ def __init__(  # type: ignore[no-untyped-def]
         self.permissions_boundary = permissions_boundary
         self.definition_substitutions = definition_substitutions
         self.role = role
+        self.role_path = role_path
         self.type = state_machine_type
         self.tracing = tracing
         self.events = events
@@ -220,6 +223,7 @@ def _construct_role(self):  # type: ignore[no-untyped-def]
 
         execution_role = construct_role_for_resource(
             resource_logical_id=self.logical_id,
+            role_path=self.role_path,
             attributes=self.passthrough_resource_attributes,
             managed_policy_map=self.managed_policy_map,
             assume_role_policy_document=IAMRolePolicies.stepfunctions_assume_role_policy(),  # type: ignore[no-untyped-call]
diff --git a/samtranslator/schema/aws_serverless_statemachine.py b/samtranslator/schema/aws_serverless_statemachine.py
@@ -145,6 +145,7 @@ class Properties(BaseModel):
     PermissionsBoundary: Optional[PassThrough] = properties("PermissionsBoundary")
     Policies: Optional[Union[str, DictStrAny, List[Union[str, DictStrAny]]]] = properties("Policies")
     Role: Optional[PassThrough] = properties("Role")
+    RolePath: Optional[PassThrough]  # TODO: Add docs
     Tags: Optional[DictStrAny] = properties("Tags")
     Tracing: Optional[PassThrough] = properties("Tracing")
     Type: Optional[PassThrough] = properties("Type")
diff --git a/samtranslator/schema/schema.json b/samtranslator/schema/schema.json
@@ -4900,6 +4900,9 @@
           "description": "The ARN of an IAM role to use as this state machine's execution role\\.  \nYou must provide either a `Role` or `Policies`\\.  \n*Type*: String  \n*Required*: Conditional  \n*AWS CloudFormation compatibility*: This property is passed directly to the [`RoleArn`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-stepfunctions-statemachine.html#cfn-stepfunctions-statemachine-rolearn) property of an `AWS::StepFunctions::StateMachine` resource\\.",
           "markdownDescription": "The ARN of an IAM role to use as this state machine's execution role\\.  \nYou must provide either a `Role` or `Policies`\\.  \n*Type*: String  \n*Required*: Conditional  \n*AWS CloudFormation compatibility*: This property is passed directly to the [`RoleArn`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-stepfunctions-statemachine.html#cfn-stepfunctions-statemachine-rolearn) property of an `AWS::StepFunctions::StateMachine` resource\\."
         },
+        "RolePath": {
+          "title": "Rolepath"
+        },
         "Tags": {
           "title": "Tags",
           "description": "A string\\-to\\-string map that specifies the tags added to the state machine and the corresponding execution role\\. For information about valid keys and values for tags, see the [Tags](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-stepfunctions-statemachine.html#cfn-stepfunctions-statemachine-tags) property of an [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-stepfunctions-statemachine.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-stepfunctions-statemachine.html) resource\\.  \n*Type*: Map  \n*Required*: No  \n*AWS CloudFormation compatibility*: This property is similar to the [`Tags`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-stepfunctions-statemachine.html#cfn-stepfunctions-statemachine-tags) property of an `AWS::StepFunctions::StateMachine` resource\\. AWS SAM automatically adds a `stateMachine:createdBy:SAM` tag to this resource, and to the default role that is generated for it\\.",
diff --git a/tests/translator/input/state_machine_with_role_path.yaml b/tests/translator/input/state_machine_with_role_path.yaml
@@ -0,0 +1,20 @@
+Resources:
+  MyBasicStateMachine:
+    Type: AWS::Serverless::StateMachine
+    Properties:
+      Type: STANDARD
+      Definition:
+        Comment: A Hello World example of the Amazon States Language using Pass states
+        StartAt: Hello
+        States:
+          Hello:
+            Type: Pass
+            Result: Hello
+            Next: World
+          World:
+            Type: Pass
+            Result: World
+            End: true
+      RolePath: /foo/bar/
+Metadata:
+  SamTransformTest: true
diff --git a/tests/translator/output/aws-cn/state_machine_with_role_path.json b/tests/translator/output/aws-cn/state_machine_with_role_path.json
@@ -0,0 +1,77 @@
+{
+  "Metadata": {
+    "SamTransformTest": true
+  },
+  "Resources": {
+    "MyBasicStateMachine": {
+      "Properties": {
+        "DefinitionString": {
+          "Fn::Join": [
+            "\n",
+            [
+              "{",
+              "    \"Comment\": \"A Hello World example of the Amazon States Language using Pass states\",",
+              "    \"StartAt\": \"Hello\",",
+              "    \"States\": {",
+              "        \"Hello\": {",
+              "            \"Next\": \"World\",",
+              "            \"Result\": \"Hello\",",
+              "            \"Type\": \"Pass\"",
+              "        },",
+              "        \"World\": {",
+              "            \"End\": true,",
+              "            \"Result\": \"World\",",
+              "            \"Type\": \"Pass\"",
+              "        }",
+              "    }",
+              "}"
+            ]
+          ]
+        },
+        "RoleArn": {
+          "Fn::GetAtt": [
+            "MyBasicStateMachineRole",
+            "Arn"
+          ]
+        },
+        "StateMachineType": "STANDARD",
+        "Tags": [
+          {
+            "Key": "stateMachine:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::StepFunctions::StateMachine"
+    },
+    "MyBasicStateMachineRole": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "states.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [],
+        "Path": "/foo/bar/",
+        "Tags": [
+          {
+            "Key": "stateMachine:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role"
+    }
+  }
+}
diff --git a/tests/translator/output/aws-us-gov/state_machine_with_role_path.json b/tests/translator/output/aws-us-gov/state_machine_with_role_path.json
@@ -0,0 +1,77 @@
+{
+  "Metadata": {
+    "SamTransformTest": true
+  },
+  "Resources": {
+    "MyBasicStateMachine": {
+      "Properties": {
+        "DefinitionString": {
+          "Fn::Join": [
+            "\n",
+            [
+              "{",
+              "    \"Comment\": \"A Hello World example of the Amazon States Language using Pass states\",",
+              "    \"StartAt\": \"Hello\",",
+              "    \"States\": {",
+              "        \"Hello\": {",
+              "            \"Next\": \"World\",",
+              "            \"Result\": \"Hello\",",
+              "            \"Type\": \"Pass\"",
+              "        },",
+              "        \"World\": {",
+              "            \"End\": true,",
+              "            \"Result\": \"World\",",
+              "            \"Type\": \"Pass\"",
+              "        }",
+              "    }",
+              "}"
+            ]
+          ]
+        },
+        "RoleArn": {
+          "Fn::GetAtt": [
+            "MyBasicStateMachineRole",
+            "Arn"
+          ]
+        },
+        "StateMachineType": "STANDARD",
+        "Tags": [
+          {
+            "Key": "stateMachine:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::StepFunctions::StateMachine"
+    },
+    "MyBasicStateMachineRole": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "states.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [],
+        "Path": "/foo/bar/",
+        "Tags": [
+          {
+            "Key": "stateMachine:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role"
+    }
+  }
+}
diff --git a/tests/translator/output/state_machine_with_role_path.json b/tests/translator/output/state_machine_with_role_path.json
@@ -0,0 +1,77 @@
+{
+  "Metadata": {
+    "SamTransformTest": true
+  },
+  "Resources": {
+    "MyBasicStateMachine": {
+      "Properties": {
+        "DefinitionString": {
+          "Fn::Join": [
+            "\n",
+            [
+              "{",
+              "    \"Comment\": \"A Hello World example of the Amazon States Language using Pass states\",",
+              "    \"StartAt\": \"Hello\",",
+              "    \"States\": {",
+              "        \"Hello\": {",
+              "            \"Next\": \"World\",",
+              "            \"Result\": \"Hello\",",
+              "            \"Type\": \"Pass\"",
+              "        },",
+              "        \"World\": {",
+              "            \"End\": true,",
+              "            \"Result\": \"World\",",
+              "            \"Type\": \"Pass\"",
+              "        }",
+              "    }",
+              "}"
+            ]
+          ]
+        },
+        "RoleArn": {
+          "Fn::GetAtt": [
+            "MyBasicStateMachineRole",
+            "Arn"
+          ]
+        },
+        "StateMachineType": "STANDARD",
+        "Tags": [
+          {
+            "Key": "stateMachine:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::StepFunctions::StateMachine"
+    },
+    "MyBasicStateMachineRole": {
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "sts:AssumeRole"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "Service": [
+                  "states.amazonaws.com"
+                ]
+              }
+            }
+          ],
+          "Version": "2012-10-17"
+        },
+        "ManagedPolicyArns": [],
+        "Path": "/foo/bar/",
+        "Tags": [
+          {
+            "Key": "stateMachine:createdBy",
+            "Value": "SAM"
+          }
+        ]
+      },
+      "Type": "AWS::IAM::Role"
+    }
+  }
+}
