fix(stepfunctions): distributed maps under branches do not have necessary permissions

[curquhart]

Issue

Closes #29266

Reason for this change

distributed maps under branch states (i.e., Parallel) do not apply the necessary permissions to run the state.

Description of changes

this moves the bind functionality into state and calls it on both state and all child (branch) states. Previously it did not run on branch states and as such did not work for example a distributed map under a parallel state without adding the permissions out of band.

An alternative would be to have a bind method that the user calls out of band on the distributed map (or in my case, in a wrapper class, but it's clunky)

Description of how you validated changes

Unit tests

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[curquhart]

ahh re pull request validator failing for no integration test update, i will look at that later this weekend of sometime next week.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[curquhart]

added a couple integration tests and fixed the linting problems

[curquhart]

i was wondering about my approach... because branches aren't exposed, i moved the policy stuff into State. however, State cannot depend on DistributedMap because of a cyclic dependency. To deal with this, I just passed isDistributedMap into the method call. This is based on the assumption that branches is hidden for a reason.

This works but could be cleaner. I was wondering about thoughts on a few alternative solutions:

• could i expose branches in State? then this stuff could be entirely (other than that visibility change in State) be in StateGraph
• add containsDistributedMap to State (as in, StateGraph would call state.containsDistributedState())... in the base class, this would return false, in DistributedMap this would return true
• processorMode is already in State... it's protected but if we made it public we might be also use that to determine if distributed map (by swapping with a getter, throwing the real value in _processorMode, and then having the getter traverse any children)... i do worry about side effects on this one though since we'd be considering processorMode as distributed if any of the children are distributed

from my point of view, anything is fine, i just want to remove the manual perms from my cdk since it's weird that cdk sometimes but not always adds them (depending on how the graph is shaped) heh

anyway will update if needed!

[curquhart]

👋 just wanted to touch base on this... I'm happy to make changes if yall don't like the approach!

thanks :)

[curquhart]

just saw there is also an issue reported for this - linked it in desc... just following up again though, is someone able to look at this? Thanks :)

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: a820573
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository