v2 of Start SFN execution policy (#2955)

ssenchenko · web-flow · commit 9c8fa6f84fe2 · 2023-02-27T14:31:38.000-08:00
diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json
@@ -2303,6 +2303,35 @@
         }
       }
     },
+    "StepFunctionsExecutionPolicy_v2": {
+      "Definition": {
+        "Statement": [
+          {
+            "Action": [
+              "states:StartExecution",
+              "states:StartSyncExecution"
+            ],
+            "Effect": "Allow",
+            "Resource": {
+              "Fn::Sub": [
+                "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}",
+                {
+                  "stateMachineName": {
+                    "Ref": "StateMachineName"
+                  }
+                }
+              ]
+            }
+          }
+        ]
+      },
+      "Description": "Gives permission to start a Step Functions state machine execution",
+      "Parameters": {
+        "StateMachineName": {
+          "Description": "The name of the state machine to execute."
+        }
+      }
+    },
     "TextractDetectAnalyzePolicy": {
       "Definition": {
         "Statement": [
diff --git a/samtranslator/policy_templates_data/schema.json b/samtranslator/policy_templates_data/schema.json
@@ -69,7 +69,7 @@
     "Templates": {
       "additionalProperties": false,
       "patternProperties": {
-        "^[a-zA-Z0-9]+Policy$": {
+        "^[a-zA-Z0-9]+Policy(_v[0-9])?$": {
           "$ref": "#/definitions/template"
         }
       },
diff --git a/tests/translator/input/all_policy_templates.yaml b/tests/translator/input/all_policy_templates.yaml
@@ -177,3 +177,6 @@ Resources:
 
       - SSMParameterWithSlashPrefixReadPolicy:
           ParameterName: /name
+
+      - StepFunctionsExecutionPolicy_v2:
+          StateMachineName: name
diff --git a/tests/translator/output/all_policy_templates.json b/tests/translator/output/all_policy_templates.json
@@ -1639,6 +1639,28 @@
               ]
             },
             "PolicyName": "KitchenSinkFunctionRolePolicy60"
+          },
+          {
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Action": [
+                    "states:StartExecution",
+                    "states:StartSyncExecution"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": {
+                    "Fn::Sub": [
+                      "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}",
+                      {
+                        "stateMachineName": "name"
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            "PolicyName": "KitchenSinkFunctionRolePolicy61"
           }
         ],
         "Tags": [
diff --git a/tests/translator/output/aws-cn/all_policy_templates.json b/tests/translator/output/aws-cn/all_policy_templates.json
@@ -1639,6 +1639,28 @@
               ]
             },
             "PolicyName": "KitchenSinkFunctionRolePolicy60"
+          },
+          {
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Action": [
+                    "states:StartExecution",
+                    "states:StartSyncExecution"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": {
+                    "Fn::Sub": [
+                      "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}",
+                      {
+                        "stateMachineName": "name"
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            "PolicyName": "KitchenSinkFunctionRolePolicy61"
           }
         ],
         "Tags": [
diff --git a/tests/translator/output/aws-us-gov/all_policy_templates.json b/tests/translator/output/aws-us-gov/all_policy_templates.json
@@ -1639,6 +1639,28 @@
               ]
             },
             "PolicyName": "KitchenSinkFunctionRolePolicy60"
+          },
+          {
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Action": [
+                    "states:StartExecution",
+                    "states:StartSyncExecution"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": {
+                    "Fn::Sub": [
+                      "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${stateMachineName}",
+                      {
+                        "stateMachineName": "name"
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            "PolicyName": "KitchenSinkFunctionRolePolicy61"
           }
         ],
         "Tags": [

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@`
`69`	`69`	`"Templates": {`
`70`	`70`	`"additionalProperties": false,`
`71`	`71`	`"patternProperties": {`
`72`		`- "^[a-zA-Z0-9]+Policy$": {`
	`72`	`+ "^[a-zA-Z0-9]+Policy(_v[0-9])?$": {`
`73`	`73`	`"$ref": "#/definitions/template"`
`74`	`74`	`}`
`75`	`75`	`},`