Resolve missing configuration on stepfunction publisher

Author: gudivt

template.yaml

@@ -2648,113 +2648,6 @@ Resources:
       Principal: !Sub "events.${AWS::URLSuffix}"
       SourceArn: !GetAtt WorkflowStateChangeRule.Arn
 
-  ##########################################################################
-  # Step Functions Subscription Publisher
-  ##########################################################################
-  StepFunctionSubscriptionPublisher:
-    Type: AWS::Serverless::Function
-    Metadata:
-      cfn_nag:
-        rules_to_suppress:
-          - id: W89
-            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
-          - id: W92
-            reason: "Function does not require reserved concurrency as it scales based on demand"
-          - id: W12
-            reason: "Lambda requires CloudWatch logs permissions"
-    # checkov:skip=CKV_AWS_116: "DLQ not required for subscription publisher function"
-    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
-    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
-    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
-    Properties:
-      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
-      CodeUri: src/lambda/stepfunction_subscription_publisher/
-      Handler: index.handler
-      Runtime: python3.12
-      Architectures:
-        - x86_64
-      MemorySize: 256
-      Timeout: 30
-      LoggingConfig:
-        LogGroup: !Ref StepFunctionSubscriptionPublisherLogGroup
-      Environment:
-        Variables:
-          APPSYNC_API_URL: !GetAtt GraphQLApi.GraphQLUrl
-          LOG_LEVEL: !Ref LogLevel
-      Policies:
-        - Statement:
-            - Effect: Allow
-              Action:
-                - states:DescribeExecution
-                - states:GetExecutionHistory
-              Resource: 
-                - !Sub
-                  - "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:${StateMachineName}*"
-                  - StateMachineName: !If
-                    - IsPattern3
-                    - !GetAtt PATTERN3STACK.Outputs.StateMachineName
-                    - !If
-                      - IsPattern2
-                      - !GetAtt PATTERN2STACK.Outputs.StateMachineName
-                      - !GetAtt PATTERN1STACK.Outputs.StateMachineName
-            - Effect: Allow
-              Action:
-                - appsync:GraphQL
-              Resource:
-                - !Sub "${GraphQLApi.Arn}/types/Subscription/*"
-                - !Sub "${GraphQLApi.Arn}/types/Mutation/*"
-            - Effect: Allow
-              Action:
-                - kms:Encrypt
-                - kms:Decrypt
-                - kms:ReEncrypt*
-                - kms:GenerateDataKey*
-                - kms:DescribeKey
-              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
-
-  StepFunctionSubscriptionPublisherLogGroup:
-    Type: AWS::Logs::LogGroup
-    Properties:
-      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
-      RetentionInDays: !Ref LogRetentionDays
-
-  StepFunctionSubscriptionRule:
-    Type: AWS::Events::Rule
-    Properties:
-      EventPattern:
-        source:
-          - aws.states
-        detail-type:
-          - Step Functions Execution Status Change
-        detail:
-          stateMachineArn:
-            - !If
-              - IsPattern3
-              - !GetAtt PATTERN3STACK.Outputs.StateMachineArn
-              - !If
-                - IsPattern2
-                - !GetAtt PATTERN2STACK.Outputs.StateMachineArn
-                - !GetAtt PATTERN1STACK.Outputs.StateMachineArn
-          status:
-            - RUNNING
-            - SUCCEEDED
-            - FAILED
-            - TIMED_OUT
-            - ABORTED
-      Targets:
-        - Arn: !GetAtt StepFunctionSubscriptionPublisher.Arn
-          Id: "StepFunctionSubscriptionPublisher"
-          RetryPolicy:
-            MaximumRetryAttempts: 3
-
-  StepFunctionSubscriptionPublisherPermission:
-    Type: AWS::Lambda::Permission
-    Properties:
-      Action: lambda:InvokeFunction
-      FunctionName: !Ref StepFunctionSubscriptionPublisher
-      Principal: !Sub "events.${AWS::URLSuffix}"
-      SourceArn: !GetAtt StepFunctionSubscriptionRule.Arn
-
   ##########################################################################
   # Optional Post Processing Lambda Hook
   ##########################################################################
@@ -5406,71 +5299,6 @@ Resources:
       TypeName: Query
       FieldName: getStepFunctionExecution
 
-  PublishStepFunctionUpdateResolverFunction:
-    Type: AWS::Serverless::Function
-    Metadata:
-      cfn_nag:
-        rules_to_suppress:
-          - id: W89
-            reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
-          - id: W92
-            reason: "Function does not require reserved concurrency as it scales based on demand"
-          - id: W12
-            reason: "Lambda requires CloudWatch logs permissions"
-    # checkov:skip=CKV_AWS_116: "DLQ not required for AppSync resolver function"
-    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
-    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
-    # checkov:skip=CKV_AWS_173: "Environment variables do not contain sensitive data - only configuration values like feature flags and non-sensitive settings"
-    Properties:
-      PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
-      CodeUri: src/lambda/publish_stepfunction_update_resolver/
-      Handler: index.lambda_handler
-      Runtime: python3.12
-      Architectures:
-        - x86_64
-      MemorySize: 256
-      Timeout: 30
-      LoggingConfig:
-        LogGroup: !Ref PublishStepFunctionUpdateResolverFunctionLogGroup
-      Environment:
-        Variables:
-          LOG_LEVEL: !Ref LogLevel
-      Policies:
-        - Statement:
-            - Effect: Allow
-              Action:
-                - kms:Encrypt
-                - kms:Decrypt
-                - kms:ReEncrypt*
-                - kms:GenerateDataKey*
-                - kms:DescribeKey
-              Resource: !GetAtt CustomerManagedEncryptionKey.Arn
-
-  PublishStepFunctionUpdateResolverFunctionLogGroup:
-    Type: AWS::Logs::LogGroup
-    Properties:
-      KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
-      RetentionInDays: !Ref LogRetentionDays
-
-  PublishStepFunctionUpdateDataSource:
-    Type: AWS::AppSync::DataSource
-    Properties:
-      ApiId: !GetAtt GraphQLApi.ApiId
-      Name: PublishStepFunctionUpdate
-      Description: Lambda function to publish Step Functions execution updates via GraphQL API
-      Type: AWS_LAMBDA
-      ServiceRoleArn: !GetAtt AppSyncServiceRole.Arn
-      LambdaConfig:
-        LambdaFunctionArn: !GetAtt PublishStepFunctionUpdateResolverFunction.Arn
-
-  PublishStepFunctionUpdateResolver:
-    Type: AWS::AppSync::Resolver
-    DependsOn: GraphQLSchema
-    Properties:
-      ApiId: !GetAtt GraphQLApi.ApiId
-      DataSourceName: !GetAtt PublishStepFunctionUpdateDataSource.Name
-      TypeName: Mutation
-      FieldName: publishStepFunctionExecutionUpdate
 
   ConfigurationResolverFunction:
       Type: AWS::Serverless::Function