feat: add support for nested workflows

closes #242

Author: theburningmonk

lib/deploy/stepFunctions/compileIamRole.js

@@ -202,6 +202,31 @@ function getLambdaPermissions(state) {
   }];
 }
 
+function getStepFunctionsPermissions(state) {
+  const stateMachineArn = state.Parameters['StateMachineArn.$']
+    ? '*'
+    : state.Parameters.StateMachineArn;
+
+  return [{
+    action: 'states:StartExecution',
+    resource: stateMachineArn,
+  }, {
+    action: 'states:DescribeExecution,states:StopExecution',
+    // this is excessive but mirrors behaviour in the console
+    // also, DescribeExecution supports executions as resources but StopExecution
+    // doesn't support resources
+    resource: '*',
+  }, {
+    action: 'events:PutTargets,events:PutRule,events:DescribeRule',
+    resource: {
+      'Fn::Sub': [
+        'arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule',
+        {},
+      ],
+    },
+  }];
+}
+
 // if there are multiple permissions with the same action, then collapsed them into one
 // permission instead, and collect the resources into an array
 function consolidatePermissionsByAction(permissions) {
@@ -276,6 +301,11 @@ function getIamPermissions(taskStates) {
       case 'arn:aws:states:::lambda:invoke.waitForTaskToken':
         return getLambdaPermissions.bind(this)(state);
 
+      case 'arn:aws:states:::states:startExecution':
+      case 'arn:aws:states:::states:startExecution.sync':
+      case 'arn:aws:states:::states:startExecution.waitForTaskToken':
+        return getStepFunctionsPermissions(state);
+
       default:
         if (isIntrinsic(state.Resource) || state.Resource.startsWith('arn:aws:lambda')) {
           return [{

lib/deploy/stepFunctions/compileIamRole.test.js

@@ -1369,4 +1369,127 @@ describe('#compileIamRole', () => {
     ];
     expect(lambdaPermissions[0].Resource).to.deep.eq(lambdaArns);
   });
+
+  it('should give step functions permissions (too permissive, but mirrors console behaviour)', () => {
+    const stateMachineArn = 'arn:aws:states:us-east-1:123456789:stateMachine:HelloStateMachine';
+    const genStateMachine = name => ({
+      name,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::states:startExecution',
+            Parameters: {
+              StateMachineArn: stateMachineArn,
+              Input: {},
+            },
+            Next: 'B',
+          },
+          B: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::states:startExecution.sync',
+            Parameters: {
+              StateMachineArn: stateMachineArn,
+              Input: {},
+            },
+            Next: 'C',
+          },
+          C: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::states:startExecution.waitForTaskToken',
+            Parameters: {
+              StateMachineArn: stateMachineArn,
+              Input: {},
+            },
+            End: true,
+          },
+        },
+      },
+    });
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: genStateMachine('stateMachineBeta1'),
+        myStateMachine2: genStateMachine('stateMachineBeta2'),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const statements = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources.IamRoleStateMachineExecution
+      .Properties.Policies[0].PolicyDocument.Statement;
+
+    const stateMachinePermissions = statements.filter(s => _.isEqual(s.Action, ['states:StartExecution']));
+    expect(stateMachinePermissions).to.have.lengthOf(1);
+    expect(stateMachinePermissions[0].Resource).to.deep.eq([stateMachineArn]);
+
+    const executionPermissions = statements.filter(s => _.isEqual(s.Action, ['states:DescribeExecution', 'states:StopExecution']));
+    expect(executionPermissions).to.have.lengthOf(1);
+    expect(executionPermissions[0].Resource).to.equal('*');
+
+    const eventPermissions = statements.filter(s => _.isEqual(s.Action, ['events:PutTargets', 'events:PutRule', 'events:DescribeRule']));
+    expect(eventPermissions).to.have.lengthOf(1);
+    expect(eventPermissions[0].Resource).to.deep.eq([{
+      'Fn::Sub': [
+        'arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule',
+        {},
+      ],
+    }]);
+  });
+
+  it('should give step functions permission to * whenever StateMachineArn.$ is seen', () => {
+    const stateMachineArn = 'arn:aws:states:us-east-1:123456789:stateMachine:HelloStateMachine';
+    const genStateMachine = name => ({
+      name,
+      definition: {
+        StartAt: 'A',
+        States: {
+          A: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::states:startExecution',
+            Parameters: {
+              'StateMachineArn.$': '$.arn',
+              Input: {},
+            },
+            Next: 'B',
+          },
+          B: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::states:startExecution.sync',
+            Parameters: {
+              StateMachineArn: stateMachineArn,
+              Input: {},
+            },
+            Next: 'C',
+          },
+          C: {
+            Type: 'Task',
+            Resource: 'arn:aws:states:::states:startExecution.waitForTaskToken',
+            Parameters: {
+              StateMachineArn: stateMachineArn,
+              Input: {},
+            },
+            End: true,
+          },
+        },
+      },
+    });
+
+    serverless.service.stepFunctions = {
+      stateMachines: {
+        myStateMachine1: genStateMachine('stateMachineBeta1'),
+        myStateMachine2: genStateMachine('stateMachineBeta2'),
+      },
+    };
+
+    serverlessStepFunctions.compileIamRole();
+    const statements = serverlessStepFunctions.serverless.service
+      .provider.compiledCloudFormationTemplate.Resources.IamRoleStateMachineExecution
+      .Properties.Policies[0].PolicyDocument.Statement;
+
+    const stateMachinePermissions = statements.filter(s => _.includes(s.Action, 'states:StartExecution'));
+    expect(stateMachinePermissions).to.have.lengthOf(1);
+    expect(stateMachinePermissions[0].Resource).to.equal('*');
+  });
 });