Add sfn policy

wri · Aug 1, 2024 · d8b695e · d8b695e
1 parent 42b1784
commit d8b695e
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 3 deletions.
diff --git a/app/routes/jobs/job.py b/app/routes/jobs/job.py
@@ -64,7 +64,7 @@ async def _get_user_job(job_id: UUID) -> UserJob:
 
 async def _get_sfn_execution(job_id: UUID) -> Dict[str, Any]:
     execution_arn = f"{RASTER_ANALYSIS_STATE_MACHINE_ARN.replace('stateMachines', 'execution')}:{str(job_id)}"
-    execution = get_sfn_client().describe_execution(execution_arn)
+    execution = get_sfn_client().describe_execution(executionArn=execution_arn)
     return execution
 
 

diff --git a/terraform/data.tf b/terraform/data.tf
@@ -183,4 +183,11 @@ data "template_file" "tile_cache_bucket_policy" {
   vars = {
     bucket_arn = data.terraform_remote_state.tile_cache.outputs.tile_cache_bucket_arn
   }
+}
+
+data "template_file" "step_function_policy" {
+  template = file("${path.root}/templates/step_function_policy.json.tmpl")
+  vars = {
+    raster_analysis_state_machine_arn = data.terraform_remote_state.raster_analysis_lambda.outputs.raster_analysis_state_machine_arn
+  }
 }
diff --git a/terraform/iam.tf b/terraform/iam.tf
@@ -37,4 +37,9 @@ resource "aws_iam_policy" "read_new_relic_secret" {
 resource "aws_iam_policy" "tile_cache_bucket_policy" {
   name   = substr("${local.project}-tile_cache_bucket_policy${local.name_suffix}", 0, 64)
   policy = data.template_file.tile_cache_bucket_policy.rendered
-}
+}
+
+resource "aws_iam_policy" "step_function_policy" {
+  name   = substr("${local.project}-step_function_policy${local.name_suffix}", 0, 64)
+  policy = data.template_file.step_function_policy.rendered
+}
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -106,7 +106,8 @@ module "fargate_autoscaling" {
     aws_iam_policy.read_gcs_secret.arn,
     data.terraform_remote_state.tile_cache.outputs.ecs_update_service_policy_arn,
     aws_iam_policy.tile_cache_bucket_policy.arn,
-    data.terraform_remote_state.tile_cache.outputs.cloudfront_invalidation_policy_arn
+    data.terraform_remote_state.tile_cache.outputs.cloudfront_invalidation_policy_arn,
+    aws_iam_policy.step_function_policy.arn,
   ]
   task_execution_role_policies = [
     aws_iam_policy.query_batch_jobs.arn,

diff --git a/terraform/templates/step_function_policy.json.tmpl b/terraform/templates/step_function_policy.json.tmpl
@@ -0,0 +1,23 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "states:StartExecution"
+            ],
+            "Resource": [
+                "${raster_analysis_state_machine_arn}"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "states:DescribeExecution",
+                "states:DescribeMapRun",
+                "states:ListMapRuns"
+            ],
+            "Resource": "*"
+        }
+    ]
+}