Event sources do not invoke versioned state machines by their alias #3624

Closed
aidansteele opened this issue Jul 9, 2024 · 4 comments
Labels: stage/needs-triage, type/bug

@aidansteele

Description

I am using the state machine versioning introduced in v1.70.0, specifically the AutoPublishAlias property of AWS::Serverless::StateMachine. My state machines are invoked by EventBridge via an event source defined on the state machine's Events property. I expect EventBridge to invoke my state machine by its alias ARN, but EventBridge is actually invoking the underlying (i.e. unqualified) ARN. This reduces the utility of state machine versioning and is inconsistent with how versioned Lambda function event sources work in SAM.

Steps to reproduce

Let's use the following SAM template as an example:

Transform:
  - AWS::LanguageExtensions
  - AWS::Serverless-2016-10-31
Resources:
  ExampleFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: provided.al2023
      Handler: bootstrap
      CodeUri: s3://aws-sam-cli-managed-default-samclisourcebucket-example/example-fn
      Events:
        LambdaExample:
          Type: EventBridgeRule
          Properties:
            Pattern:
              source: [ aws.tag ]
  ExampleMachine:
    Type: AWS::Serverless::StateMachine
    Properties:
      AutoPublishAlias: live
      Events:
        SoftDeleteRequested:
          Type: EventBridgeRule
          Properties:
            Pattern:
              source: [aws.tag]
      DefinitionUri:
        Bucket: aws-sam-cli-managed-default-samclisourcebucket-example
        Key: example-asl

Observed result

The above SAM template is transformed (at the time of writing) into the following template (I have converted JSON back to YAML for ease of reading):

Resources:
  ExampleFunction:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: aws-sam-cli-managed-default-samclisourcebucket-example
        S3Key: example-fn
      Handler: bootstrap
      Role:
        Fn::GetAtt:
          - ExampleFunctionRole
          - Arn
      Runtime: provided.al2023
      Tags:
        - Key: lambda:createdBy
          Value: SAM
  ExampleFunctionVersiona971cfac47:
    Type: AWS::Lambda::Version
    DeletionPolicy: Retain
    Properties:
      FunctionName:
        Ref: ExampleFunction
  ExampleFunctionAliaslive:
    Type: AWS::Lambda::Alias
    Properties:
      Name: live
      FunctionName:
        Ref: ExampleFunction
      FunctionVersion:
        Fn::GetAtt:
          - ExampleFunctionVersiona971cfac47
          - Version
  ExampleFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Tags:
        - Key: lambda:createdBy
          Value: SAM
  ExampleFunctionLambdaExample:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - aws.tag
      Targets:
        - Arn:
            Ref: ExampleFunctionAliaslive
          Id: ExampleFunctionLambdaExampleLambdaTarget
  ExampleFunctionLambdaExamplePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName:
        Ref: ExampleFunctionAliaslive
      Principal: events.amazonaws.com
      SourceArn:
        Fn::GetAtt:
          - ExampleFunctionLambdaExample
          - Arn
  ExampleMachine:
    Type: AWS::StepFunctions::StateMachine
    Properties:
      DefinitionS3Location:
        Bucket: aws-sam-cli-managed-default-samclisourcebucket-example
        Key: example-asl
      RoleArn:
        Fn::GetAtt:
          - ExampleMachineRole
          - Arn
      Tags:
        - Key: stateMachine:createdBy
          Value: SAM
  ExampleMachineRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - states.amazonaws.com
      ManagedPolicyArns: [ ]
      Tags:
        - Key: stateMachine:createdBy
          Value: SAM
  ExampleMachineVersion:
    Type: AWS::StepFunctions::StateMachineVersion
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      StateMachineArn:
        Ref: ExampleMachine
      StateMachineRevisionId:
        Fn::GetAtt:
          - ExampleMachine
          - StateMachineRevisionId
  ExampleMachineAliaslive:
    Type: AWS::StepFunctions::StateMachineAlias
    Properties:
      Name: live
      DeploymentPreference:
        Type: ALL_AT_ONCE
        StateMachineVersionArn:
          Ref: ExampleMachineVersion
  ExampleMachineMachineExample:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - aws.tag
      Targets:
        - Arn:
            Ref: ExampleMachine
          Id: ExampleMachineMachineExampleStepFunctionsTarget
          RoleArn:
            Fn::GetAtt:
              - ExampleMachineMachineExampleRole
              - Arn
  ExampleMachineMachineExampleRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
      Policies:
        - PolicyName: ExampleMachineMachineExampleRoleStartExecutionPolicy
          PolicyDocument:
            Statement:
              - Action: states:StartExecution
                Effect: Allow
                Resource:
                  Ref: ExampleMachine

Note that the generated ExampleMachineMachineExample resource has a target ARN of !Ref ExampleMachine, whereas the ExampleFunctionLambdaExample resource has a target ARN of !Ref ExampleFunctionAliaslive.

Expected result

I would expect the ExampleMachineMachineExample resource to have a target ARN of !Ref ExampleMachineAliaslive. This would mean that the alias actually gets invoked by EventBridge. This would make state machines consistent with Lambda functions.

NOTE: I didn't experiment with other event source types (e.g. schedules and API GW) but I would expect them to behave the same way.
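
A lint for the mismatch described in this report, added here as an example and not part of the issue or of SAM itself: it walks a transformed template and reports every AWS::Events::Rule target whose Arn is a Ref to a state machine that also has an alias. The function names and the trimmed TEMPLATE are constructed for illustration, and only Ref-style ARNs are resolved.

```python
# Added example; TEMPLATE is a constructed, trimmed copy of the transformed template.
SFN = "AWS::StepFunctions::"
TEMPLATE = {"Resources": {
    "ExampleMachine": {"Type": SFN + "StateMachine", "Properties": {}},
    "ExampleMachineVersion": {"Type": SFN + "StateMachineVersion", "Properties": {
        "StateMachineArn": {"Ref": "ExampleMachine"}}},
    "ExampleMachineAliaslive": {"Type": SFN + "StateMachineAlias", "Properties": {
        "Name": "live", "DeploymentPreference": {"Type": "ALL_AT_ONCE",
            "StateMachineVersionArn": {"Ref": "ExampleMachineVersion"}}}},
    "ExampleMachineMachineExample": {"Type": "AWS::Events::Rule", "Properties": {
        "Targets": [{"Arn": {"Ref": "ExampleMachine"},
                     "Id": "ExampleMachineMachineExampleStepFunctionsTarget"}]}},
}}


def ref(value):
    """Return the logical ID behind {"Ref": id}, else None."""
    return value.get("Ref") if isinstance(value, dict) else None


def aliased_machines(resources):
    """Map state machine logical ID -> set of alias logical IDs routing to it."""
    out = {}
    for alias_id, res in resources.items():
        if res.get("Type") != SFN + "StateMachineAlias":
            continue
        props = res.get("Properties", {})
        routes = [props.get("DeploymentPreference", {})]
        routes += props.get("RoutingConfiguration", [])
        for route in routes:
            version = resources.get(ref(route.get("StateMachineVersionArn")), {})
            machine = ref(version.get("Properties", {}).get("StateMachineArn"))
            if machine:
                out.setdefault(machine, set()).add(alias_id)
    return out


def unqualified_targets(template):
    """List (rule, target Id, machine, aliases) for targets that skip the alias."""
    resources = template.get("Resources", {})
    aliases = aliased_machines(resources)
    findings = []
    for rule_id, res in resources.items():
        if res.get("Type") != "AWS::Events::Rule":
            continue
        for target in res.get("Properties", {}).get("Targets", []):
            machine = ref(target.get("Arn"))
            if machine in aliases:
                findings.append((rule_id, target.get("Id"), machine, sorted(aliases[machine])))
    return findings
```

Run against the JSON output of the transform, a non-empty result means EventBridge starts executions on the unqualified state machine rather than on the published alias.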

aidansteele added the stage/needs-triage label Jul 9, 2024

@aaythapa
Contributor

Hi @aidansteele, thanks for reporting this issue. This does look like a bug on our side, and the target should be referencing the alias resource and not the state machine resource. As a workaround for the EventBridgeRule event, you can use the Target property to reference the alias resource.

@aidansteele
Author

Hi @aaythapa, thanks for looking into this. I forgot to mention in my initial bug report that I tried that, but it didn't help. Setting the Target property just changes this value in the AWS::Events::Rule resource: Id: ExampleMachineMachineExampleStepFunctionsTarget. It doesn't actually change the Arn property, which is the important one.

@aaythapa
Contributor

I see, thanks for letting me know. I can see in the transformed template that the ARN is still pointing to the state machine resource and not the alias. Fixing this directly would be backwards incompatible, so the best next step is probably to introduce the Arn property in the events and pass that directly into the events rule resource. Will get back to you with a PR once this is implemented.

aidansteele changed the title from "Event sources do not inoke versioned state machines by their alias" to "Event sources do not invoke versioned state machines by their alias" on Jul 22, 2024

Contributor

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
