From d8b695ef1e48c2485971006a93f8ca4848e26905 Mon Sep 17 00:00:00 2001 
From: Justin Terry 
Date: Wed, 31 Jul 2024 17:02:05 -0700 
Subject: [PATCH] Add sfn policy 
---
 app/routes/jobs/job.py | 2 +-
 terraform/data.tf | 7 ++++++
 terraform/iam.tf | 7 +++++-
 terraform/main.tf | 3 ++-
 .../templates/step_function_policy.json.tmpl | 23 +++++++++++++++++++
 5 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 terraform/templates/step_function_policy.json.tmpl 
diff --git a/app/routes/jobs/job.py b/app/routes/jobs/job.py 
index 23bc00447..52e842f49 100644 
--- a/app/routes/jobs/job.py 
+++ b/app/routes/jobs/job.py 
@@ -64,7 +64,7 @@ async def _get_user_job(job_id: UUID) -> UserJob:
 async def _get_sfn_execution(job_id: UUID) -> Dict[str, Any]:
 execution_arn = f"{RASTER_ANALYSIS_STATE_MACHINE_ARN.replace('stateMachines', 'execution')}:{str(job_id)}" 
- execution = get_sfn_client().describe_execution(execution_arn) 
+ execution = get_sfn_client().describe_execution(executionArn=execution_arn)
 return execution 
diff --git a/terraform/data.tf b/terraform/data.tf 
index 7767e5b42..d3748b037 100644 
--- a/terraform/data.tf 
+++ b/terraform/data.tf 
@@ -183,4 +183,11 @@ data "template_file" "tile_cache_bucket_policy" {
 vars = {
 bucket_arn = data.terraform_remote_state.tile_cache.outputs.tile_cache_bucket_arn
 } 
+} 
+ 
+data "template_file" "step_function_policy" { 
+ template = file("${path.root}/templates/step_function_policy.json.tmpl") 
+ vars = { 
+ raster_analysis_state_machine_arn = data.terraform_remote_state.raster_analysis_lambda.outputs.raster_analysis_state_machine_arn 
+ }
 } 
\ No newline at end of file 
diff --git a/terraform/iam.tf b/terraform/iam.tf 
index 6d7691880..e0a137b49 100644 
--- a/terraform/iam.tf 
+++ b/terraform/iam.tf 
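Review bot: The corrected `describe_execution(executionArn=execution_arn)` call still lets every boto3 error propagate unhandled: for a job_id that has no matching execution the client raises `ExecutionDoesNotExist`, and `_get_sfn_execution` neither catches it nor converts it, so callers of this route presumably surface a generic server error rather than a not-found (I cannot see the caller from the hunk). Consider wrapping the call in `try: ... except get_sfn_client().exceptions.ExecutionDoesNotExist:` and mapping that case onto the route's existing not-found handling. Separately, the unchanged context line builds the ARN with `replace('stateMachines', 'execution')`; standard Step Functions state machine ARNs use the singular `:stateMachine:` segment, so if `RASTER_ANALYSIS_STATE_MACHINE_ARN` follows that form the replace is a no-op and the resulting ARN would be rejected — worth confirming against a real value before relying on this path.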
@@ -37,4 +37,9 @@ resource "aws_iam_policy" "read_new_relic_secret" {
 resource "aws_iam_policy" "tile_cache_bucket_policy" {
 name = substr("${local.project}-tile_cache_bucket_policy${local.name_suffix}", 0, 64)
 policy = data.template_file.tile_cache_bucket_policy.rendered 
-} 
\ No newline at end of file 
+} 
+ 
+resource "aws_iam_policy" "step_function_policy" { 
+ name = substr("${local.project}-step_function_policy${local.name_suffix}", 0, 64) 
+ policy = data.template_file.step_function_policy.rendered 
+} 
diff --git a/terraform/main.tf b/terraform/main.tf 
index 92b41c23f..263d70da0 100644 
--- a/terraform/main.tf 
+++ b/terraform/main.tf 
@@ -106,7 +106,8 @@ module "fargate_autoscaling" {
 aws_iam_policy.read_gcs_secret.arn,
 data.terraform_remote_state.tile_cache.outputs.ecs_update_service_policy_arn,
 aws_iam_policy.tile_cache_bucket_policy.arn, 
- data.terraform_remote_state.tile_cache.outputs.cloudfront_invalidation_policy_arn 
+ data.terraform_remote_state.tile_cache.outputs.cloudfront_invalidation_policy_arn, 
+ aws_iam_policy.step_function_policy.arn,
 ]
 task_execution_role_policies = [
 aws_iam_policy.query_batch_jobs.arn, 
diff --git a/terraform/templates/step_function_policy.json.tmpl b/terraform/templates/step_function_policy.json.tmpl 
new file mode 100644 
index 000000000..41c402842 
--- /dev/null 
+++ b/terraform/templates/step_function_policy.json.tmpl 
@@ -0,0 +1,23 @@ 
+{ 
+ "Version": "2012-10-17", 
+ "Statement": [ 
+ { 
+ "Effect": "Allow", 
+ "Action": [ 
+ "states:StartExecution" 
+ ], 
+ "Resource": [ 
+ "${raster_analysis_state_machine_arn}" 
+ ] 
+ }, 
+ { 
+ "Effect": "Allow", 
+ "Action": [ 
+ "states:DescribeExecution", 
+ "states:DescribeMapRun", 
+ "states:ListMapRuns" 
+ ], 
+ "Resource": "*" 
+ } 
+ ] 
+} 
\ No newline at end of file
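Review bot: The second statement grants `states:DescribeExecution`, `states:DescribeMapRun` and `states:ListMapRuns` on `"Resource": "*"`, so the Fargate task role can read the status, input and output of executions of every state machine in the account, even though the first statement already scopes StartExecution to the single raster-analysis ARN. DescribeExecution supports resource-level permissions on execution ARNs, and the execution ARN prefix can be derived from the state machine ARN in the data.tf hunk — e.g. add a second template var `raster_analysis_execution_arn = replace(data.terraform_remote_state.raster_analysis_lambda.outputs.raster_analysis_state_machine_arn, ":stateMachine:", ":execution:")` there and use `"Resource": "${raster_analysis_execution_arn}:*"` here. Whether the two map-run actions accept the same execution-ARN scoping should be checked against the Step Functions entry in the IAM service authorization reference before tightening them; if they do not, move them into their own statement so that DescribeExecution at least is scoped to this state machine.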