├── examples
    ├── complete
    │   ├── variables.tf
    │   ├── versions.tf
    │   ├── outputs.tf
    │   ├── README.md
    │   └── main.tf
    └── README.md
├── versions.tf
├── .editorconfig
├── .gitignore
├── .github
    └── workflows
    │   ├── lock.yml
    │   ├── release.yml
    │   ├── stale-actions.yaml
    │   ├── pr-title.yml
    │   └── pre-commit.yml
├── .releaserc.json
├── .pre-commit-config.yaml
├── outputs.tf
├── variables.tf
├── LICENSE
├── main.tf
├── CHANGELOG.md
├── README.md
└── locals.tf


/examples/complete/variables.tf:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_version = ">= 1.5.7"
 3 | 
 4 |   required_providers {
 5 |     aws = {
 6 |       source  = "hashicorp/aws"
 7 |       version = ">= 6.0"
 8 |     }
 9 |   }
10 | }
11 | 


--------------------------------------------------------------------------------
/examples/complete/versions.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_version = ">= 1.5.7"
 3 | 
 4 |   required_providers {
 5 |     aws = {
 6 |       source  = "hashicorp/aws"
 7 |       version = ">= 6.0"
 8 |     }
 9 |     random = {
10 |       source  = "hashicorp/random"
11 |       version = ">= 2"
12 |     }
13 |     null = {
14 |       source  = "hashicorp/null"
15 |       version = ">= 2"
16 |     }
17 |   }
18 | }
19 | 


--------------------------------------------------------------------------------
/examples/README.md:
--------------------------------------------------------------------------------
1 | # Examples
2 | 
3 | Please note - the examples provided serve two primary means:
4 | 
5 | 1. Show users working examples of the various ways in which the module can be configured and features supported
6 | 2. A means of testing/validating module changes
7 | 
8 | Please do not mistake the examples provided as "best practices". It is up to users to consult the AWS service documentation for best practices, usage recommendations, etc.
9 | 


--------------------------------------------------------------------------------
/.editorconfig:
--------------------------------------------------------------------------------
 1 | # EditorConfig is awesome: http://EditorConfig.org
 2 | # Uses editorconfig to maintain consistent coding styles
 3 | 
 4 | # top-most EditorConfig file
 5 | root = true
 6 | 
 7 | # Unix-style newlines with a newline ending every file
 8 | [*]
 9 | charset = utf-8
10 | end_of_line = lf
11 | indent_size = 2
12 | indent_style = space
13 | insert_final_newline = true
14 | max_line_length = 80
15 | trim_trailing_whitespace = true
16 | 
17 | [*.py]
18 | indent_size = 4
19 | 
20 | [*.{tf,tfvars}]
21 | indent_size = 2
22 | indent_style = space
23 | 
24 | [*.md]
25 | max_line_length = 0
26 | trim_trailing_whitespace = false
27 | 
28 | [Makefile]
29 | tab_width = 2
30 | indent_style = tab
31 | 
32 | [COMMIT_EDITMSG]
33 | max_line_length = 0
34 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Local .terraform directories
 2 | **/.terraform/*
 3 | 
 4 | # Terraform lockfile
 5 | .terraform.lock.hcl
 6 | 
 7 | # .tfstate files
 8 | *.tfstate
 9 | *.tfstate.*
10 | 
11 | # Crash log files
12 | crash.log
13 | 
14 | # Exclude all .tfvars files, which are likely to contain sentitive data, such as
15 | # password, private keys, and other secrets. These should not be part of version
16 | # control as they are data points which are potentially sensitive and subject
17 | # to change depending on the environment.
18 | *.tfvars
19 | 
20 | # Ignore override files as they are usually used to override resources locally and so
21 | # are not checked in
22 | override.tf
23 | override.tf.json
24 | *_override.tf
25 | *_override.tf.json
26 | 
27 | # Ignore CLI configuration files
28 | .terraformrc
29 | terraform.rc
30 | 
31 | # Lambda build artifacts
32 | builds/
33 | __pycache__/
34 | *.zip
35 | .tox
36 | 
37 | # Local editors/macos files
38 | .DS_Store
39 | .idea
40 | 


--------------------------------------------------------------------------------
/.github/workflows/lock.yml:
--------------------------------------------------------------------------------
 1 | name: 'Lock Threads'
 2 | 
 3 | on:
 4 |   schedule:
 5 |     - cron: '50 1 * * *'
 6 | 
 7 | jobs:
 8 |   lock:
 9 |     runs-on: ubuntu-latest
10 |     steps:
11 |       - uses: dessant/lock-threads@v5
12 |         with:
13 |           github-token: ${{ secrets.GITHUB_TOKEN }}
14 |           issue-comment: >
15 |             I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
16 |             If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
17 |           issue-inactive-days: '30'
18 |           pr-comment: >
19 |             I'm going to lock this pull request because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
20 |             If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
21 |           pr-inactive-days: '30'
22 | 


--------------------------------------------------------------------------------
/.releaserc.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "branches": [
 3 |     "main",
 4 |     "master"
 5 |   ],
 6 |   "ci": false,
 7 |   "plugins": [
 8 |     [
 9 |       "@semantic-release/commit-analyzer",
10 |       {
11 |         "preset": "conventionalcommits"
12 |       }
13 |     ],
14 |     [
15 |       "@semantic-release/release-notes-generator",
16 |       {
17 |         "preset": "conventionalcommits"
18 |       }
19 |     ],
20 |     [
21 |       "@semantic-release/github",
22 |       {
23 |         "successComment": "This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:",
24 |         "labels": false,
25 |         "releasedLabels": false
26 |       }
27 |     ],
28 |     [
29 |       "@semantic-release/changelog",
30 |       {
31 |         "changelogFile": "CHANGELOG.md",
32 |         "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file."
33 |       }
34 |     ],
35 |     [
36 |       "@semantic-release/git",
37 |       {
38 |         "assets": [
39 |           "CHANGELOG.md"
40 |         ],
41 |         "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
42 |       }
43 |     ]
44 |   ]
45 | }
46 | 


--------------------------------------------------------------------------------
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
 1 | name: Release
 2 | 
 3 | on:
 4 |   workflow_dispatch:
 5 |   push:
 6 |     branches:
 7 |       - main
 8 |       - master
 9 |     paths:
10 |       - '**/*.tpl'
11 |       - '**/*.py'
12 |       - '**/*.tf'
13 |       - '.github/workflows/release.yml'
14 | 
15 | jobs:
16 |   release:
17 |     name: Release
18 |     runs-on: ubuntu-latest
19 |     # Skip running release workflow on forks
20 |     if: github.repository_owner == 'terraform-aws-modules'
21 |     steps:
22 |       - name: Checkout
23 |         uses: actions/checkout@v5
24 |         with:
25 |           persist-credentials: false
26 |           fetch-depth: 0
27 | 
28 |       - name: Set correct Node.js version
29 |         uses: actions/setup-node@v6
30 |         with:
31 |           node-version: 24
32 | 
33 |       - name: Install dependencies
34 |         run: |
35 |           npm install \
36 |             @semantic-release/changelog@6.0.3 \
37 |             @semantic-release/git@10.0.1 \
38 |             conventional-changelog-conventionalcommits@9.1.0
39 | 
40 |       - name: Release
41 |         uses: cycjimmy/semantic-release-action@v5
42 |         with:
43 |           semantic_version: 25.0.0
44 |         env:
45 |           GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
46 | 


--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
 1 | repos:
 2 |   - repo: https://github.com/antonbabenko/pre-commit-terraform
 3 |     rev: v1.103.0
 4 |     hooks:
 5 |       - id: terraform_fmt
 6 |       - id: terraform_docs
 7 |         args:
 8 |           - '--args=--lockfile=false'
 9 |       - id: terraform_tflint
10 |         args:
11 |           - '--args=--only=terraform_deprecated_interpolation'
12 |           - '--args=--only=terraform_deprecated_index'
13 |           - '--args=--only=terraform_unused_declarations'
14 |           - '--args=--only=terraform_comment_syntax'
15 |           - '--args=--only=terraform_documented_outputs'
16 |           - '--args=--only=terraform_documented_variables'
17 |           - '--args=--only=terraform_typed_variables'
18 |           - '--args=--only=terraform_module_pinned_source'
19 |           - '--args=--only=terraform_naming_convention'
20 |           - '--args=--only=terraform_required_version'
21 |           - '--args=--only=terraform_required_providers'
22 |           - '--args=--only=terraform_standard_module_structure'
23 |           - '--args=--only=terraform_workspace_remote'
24 |       - id: terraform_validate
25 |   - repo: https://github.com/pre-commit/pre-commit-hooks
26 |     rev: v6.0.0
27 |     hooks:
28 |       - id: check-merge-conflict
29 |       - id: end-of-file-fixer
30 |       - id: trailing-whitespace
31 | 


--------------------------------------------------------------------------------
/.github/workflows/stale-actions.yaml:
--------------------------------------------------------------------------------
 1 | name: 'Mark or close stale issues and PRs'
 2 | on:
 3 |   schedule:
 4 |     - cron: '0 0 * * *'
 5 | 
 6 | jobs:
 7 |   stale:
 8 |     runs-on: ubuntu-latest
 9 |     steps:
10 |       - uses: actions/stale@v10
11 |         with:
12 |           repo-token: ${{ secrets.GITHUB_TOKEN }}
13 |           # Staling issues and PR's
14 |           days-before-stale: 30
15 |           stale-issue-label: stale
16 |           stale-pr-label: stale
17 |           stale-issue-message: |
18 |             This issue has been automatically marked as stale because it has been open 30 days
19 |             with no activity. Remove stale label or comment or this issue will be closed in 10 days
20 |           stale-pr-message: |
21 |             This PR has been automatically marked as stale because it has been open 30 days
22 |             with no activity. Remove stale label or comment or this PR will be closed in 10 days
23 |           # Not stale if have this labels or part of milestone
24 |           exempt-issue-labels: bug,wip,on-hold
25 |           exempt-pr-labels: bug,wip,on-hold
26 |           exempt-all-milestones: true
27 |           # Close issue operations
28 |           # Label will be automatically removed if the issues are no longer closed nor locked.
29 |           days-before-close: 10
30 |           delete-branch: true
31 |           close-issue-message: This issue was automatically closed because of stale in 10 days
32 |           close-pr-message: This PR was automatically closed because of stale in 10 days
33 | 


--------------------------------------------------------------------------------
/examples/complete/outputs.tf:
--------------------------------------------------------------------------------
 1 | # State Machine
 2 | output "state_machine_id" {
 3 |   description = "The ARN of the State Machine"
 4 |   value       = module.step_function.state_machine_id
 5 | }
 6 | 
 7 | output "state_machine_arn" {
 8 |   description = "The ARN of the State Machine"
 9 |   value       = module.step_function.state_machine_arn
10 | }
11 | 
12 | output "state_machine_creation_date" {
13 |   description = "The date the State Machine was created"
14 |   value       = module.step_function.state_machine_creation_date
15 | }
16 | 
17 | output "state_machine_status" {
18 |   description = "The current status of the State Machine"
19 |   value       = module.step_function.state_machine_status
20 | }
21 | 
22 | output "state_machine_version_arn" {
23 |   description = "The ARN of state machine version"
24 |   value       = module.step_function.state_machine_version_arn
25 | }
26 | 
27 | # IAM Role
28 | output "role_arn" {
29 |   description = "The ARN of the IAM role created for the State Machine"
30 |   value       = module.step_function.role_arn
31 | }
32 | 
33 | output "role_name" {
34 |   description = "The name of the IAM role created for the State Machine"
35 |   value       = module.step_function.role_name
36 | }
37 | 
38 | # CloudWatch
39 | output "cloudwatch_log_group_arn" {
40 |   description = "The ARN of the CloudWatch log group created for the Step Function"
41 |   value       = module.step_function.cloudwatch_log_group_arn
42 | }
43 | 
44 | output "cloudwatch_log_group_name" {
45 |   description = "The name of the CloudWatch log group created for the Step Function"
46 |   value       = module.step_function.cloudwatch_log_group_name
47 | }
48 | 


--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
 1 | # Step Function
 2 | output "state_machine_id" {
 3 |   description = "The ARN of the Step Function"
 4 |   value       = try(aws_sfn_state_machine.this[0].id, "")
 5 | }
 6 | 
 7 | output "state_machine_arn" {
 8 |   description = "The ARN of the Step Function"
 9 |   value       = try(aws_sfn_state_machine.this[0].arn, "")
10 | }
11 | 
12 | output "state_machine_name" {
13 |   description = "The Name of the Step Function"
14 |   value       = try(aws_sfn_state_machine.this[0].name, "")
15 | }
16 | 
17 | output "state_machine_creation_date" {
18 |   description = "The date the Step Function was created"
19 |   value       = try(aws_sfn_state_machine.this[0].creation_date, "")
20 | }
21 | 
22 | output "state_machine_status" {
23 |   description = "The current status of the Step Function"
24 |   value       = try(aws_sfn_state_machine.this[0].status, "")
25 | }
26 | 
27 | output "state_machine_version_arn" {
28 |   description = "The ARN of state machine version"
29 |   value       = try(aws_sfn_state_machine.this[0].state_machine_version_arn, "")
30 | }
31 | 
32 | # IAM Role
33 | output "role_arn" {
34 |   description = "The ARN of the IAM role created for the Step Function"
35 |   value       = try(aws_iam_role.this[0].arn, "")
36 | }
37 | 
38 | output "role_name" {
39 |   description = "The name of the IAM role created for the Step Function"
40 |   value       = try(aws_iam_role.this[0].name, "")
41 | }
42 | 
43 | # CloudWatch
44 | output "cloudwatch_log_group_arn" {
45 |   description = "The ARN of the CloudWatch log group created for the Step Function"
46 |   value       = try(aws_cloudwatch_log_group.sfn[0].arn, "")
47 | }
48 | 
49 | output "cloudwatch_log_group_name" {
50 |   description = "The name of the CloudWatch log group created for the Step Function"
51 |   value       = try(aws_cloudwatch_log_group.sfn[0].name, "")
52 | }
53 | 


--------------------------------------------------------------------------------
/.github/workflows/pr-title.yml:
--------------------------------------------------------------------------------
 1 | name: 'Validate PR title'
 2 | 
 3 | on:
 4 |   pull_request_target:
 5 |     types:
 6 |       - opened
 7 |       - edited
 8 |       - synchronize
 9 | 
10 | jobs:
11 |   main:
12 |     name: Validate PR title
13 |     runs-on: ubuntu-latest
14 |     steps:
15 |       # Please look up the latest version from
16 |       # https://github.com/amannn/action-semantic-pull-request/releases
17 |       - uses: amannn/action-semantic-pull-request@v6.1.1
18 |         env:
19 |           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
20 |         with:
21 |           # Configure which types are allowed.
22 |           # Default: https://github.com/commitizen/conventional-commit-types
23 |           types: |
24 |             fix
25 |             feat
26 |             docs
27 |             ci
28 |             chore
29 |           # Configure that a scope must always be provided.
30 |           requireScope: false
31 |           # Configure additional validation for the subject based on a regex.
32 |           # This example ensures the subject starts with an uppercase character.
33 |           subjectPattern: ^[A-Z].+$
34 |           # If `subjectPattern` is configured, you can use this property to override
35 |           # the default error message that is shown when the pattern doesn't match.
36 |           # The variables `subject` and `title` can be used within the message.
37 |           subjectPatternError: |
38 |             The subject "{subject}" found in the pull request title "{title}"
39 |             didn't match the configured pattern. Please ensure that the subject
40 |             starts with an uppercase character.
41 |           # For work-in-progress PRs you can typically use draft pull requests
42 |           # from Github. However, private repositories on the free plan don't have
43 |           # this option and therefore this action allows you to opt-in to using the
44 |           # special "[WIP]" prefix to indicate this state. This will avoid the
45 |           # validation of the PR title and the pull request checks remain pending.
46 |           # Note that a second check will be reported if this is enabled.
47 |           wip: true
48 |           # When using "Squash and merge" on a PR with only one commit, GitHub
49 |           # will suggest using that commit message instead of the PR title for the
50 |           # merge commit, and it's easy to commit this by mistake. Enable this option
51 |           # to also validate the commit message for one commit PRs.
52 |           validateSingleCommit: false
53 | 


--------------------------------------------------------------------------------
/examples/complete/README.md:
--------------------------------------------------------------------------------
 1 | # Complete AWS Step Function example
 2 | 
 3 | Configuration in this directory creates AWS Step Function and IAM role with large variety of supported AWS Service integrations and custom policies.
 4 | 
 5 | Note: You probably don't need to set custom/additional policies but use `service_integrations` only.
 6 | 
 7 | 
 8 | ## Usage
 9 | 
10 | To run this example you need to execute:
11 | 
12 | ```bash
13 | $ terraform init
14 | $ terraform plan
15 | $ terraform apply
16 | ```
17 | 
18 | Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
19 | 
20 | <!-- BEGIN_TF_DOCS -->
21 | ## Requirements
22 | 
23 | | Name | Version |
24 | |------|---------|
25 | | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
26 | | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
27 | | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2 |
28 | | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2 |
29 | 
30 | ## Providers
31 | 
32 | | Name | Version |
33 | |------|---------|
34 | | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
35 | | <a name="provider_null"></a> [null](#provider\_null) | >= 2 |
36 | | <a name="provider_random"></a> [random](#provider\_random) | >= 2 |
37 | 
38 | ## Modules
39 | 
40 | | Name | Source | Version |
41 | |------|--------|---------|
42 | | <a name="module_disabled_step_function"></a> [disabled\_step\_function](#module\_disabled\_step\_function) | ../../ | n/a |
43 | | <a name="module_kms"></a> [kms](#module\_kms) | terraform-aws-modules/kms/aws | ~> 1.0 |
44 | | <a name="module_lambda_function"></a> [lambda\_function](#module\_lambda\_function) | terraform-aws-modules/lambda/aws | ~> 8.0 |
45 | | <a name="module_step_function"></a> [step\_function](#module\_step\_function) | ../../ | n/a |
46 | | <a name="module_step_function_with_existing_log_group"></a> [step\_function\_with\_existing\_log\_group](#module\_step\_function\_with\_existing\_log\_group) | ../../ | n/a |
47 | 
48 | ## Resources
49 | 
50 | | Name | Type |
51 | |------|------|
52 | | [aws_cloudwatch_log_group.external](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
53 | | [aws_sqs_queue.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
54 | | [null_resource.download_package](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
55 | | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
56 | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
57 | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
58 | 
59 | ## Inputs
60 | 
61 | No inputs.
62 | 
63 | ## Outputs
64 | 
65 | | Name | Description |
66 | |------|-------------|
67 | | <a name="output_cloudwatch_log_group_arn"></a> [cloudwatch\_log\_group\_arn](#output\_cloudwatch\_log\_group\_arn) | The ARN of the CloudWatch log group created for the Step Function |
68 | | <a name="output_cloudwatch_log_group_name"></a> [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | The name of the CloudWatch log group created for the Step Function |
69 | | <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the IAM role created for the State Machine |
70 | | <a name="output_role_name"></a> [role\_name](#output\_role\_name) | The name of the IAM role created for the State Machine |
71 | | <a name="output_state_machine_arn"></a> [state\_machine\_arn](#output\_state\_machine\_arn) | The ARN of the State Machine |
72 | | <a name="output_state_machine_creation_date"></a> [state\_machine\_creation\_date](#output\_state\_machine\_creation\_date) | The date the State Machine was created |
73 | | <a name="output_state_machine_id"></a> [state\_machine\_id](#output\_state\_machine\_id) | The ARN of the State Machine |
74 | | <a name="output_state_machine_status"></a> [state\_machine\_status](#output\_state\_machine\_status) | The current status of the State Machine |
75 | | <a name="output_state_machine_version_arn"></a> [state\_machine\_version\_arn](#output\_state\_machine\_version\_arn) | The ARN of state machine version |
76 | <!-- END_TF_DOCS -->
77 | 


--------------------------------------------------------------------------------
/.github/workflows/pre-commit.yml:
--------------------------------------------------------------------------------
  1 | name: Pre-Commit
  2 | 
  3 | on:
  4 |   pull_request:
  5 |     branches:
  6 |       - main
  7 |       - master
  8 | 
  9 | env:
 10 |   TERRAFORM_DOCS_VERSION: v0.20.0
 11 |   TFLINT_VERSION: v0.59.1
 12 | 
 13 | jobs:
 14 |   collectInputs:
 15 |     name: Collect workflow inputs
 16 |     runs-on: ubuntu-latest
 17 |     outputs:
 18 |       directories: ${{ steps.dirs.outputs.directories }}
 19 |     steps:
 20 |       - name: Checkout
 21 |         uses: actions/checkout@v5
 22 | 
 23 |       - name: Get root directories
 24 |         id: dirs
 25 |         uses: clowdhaus/terraform-composite-actions/directories@v1.14.0
 26 | 
 27 |   preCommitMinVersions:
 28 |     name: Min TF pre-commit
 29 |     needs: collectInputs
 30 |     runs-on: ubuntu-latest
 31 |     strategy:
 32 |       matrix:
 33 |         directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
 34 |     steps:
 35 |       - name: Install rmz
 36 |         uses: jaxxstorm/action-install-gh-release@v2.1.0
 37 |         with:
 38 |           repo: SUPERCILEX/fuc
 39 |           asset-name: x86_64-unknown-linux-gnu-rmz
 40 |           rename-to: rmz
 41 |           chmod: 0755
 42 |           extension-matching: disable
 43 | 
 44 |       # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
 45 |       - name: Delete unnecessary files
 46 |         run: |
 47 |           formatByteCount() { echo $(numfmt --to=iec-i --suffix=B --padding=7 $1'000'); }
 48 |           getAvailableSpace() { echo $(df -a $1 | awk 'NR > 1 {avail+=$4} END {print avail}'); }
 49 | 
 50 |           BEFORE=$(getAvailableSpace)
 51 | 
 52 |           ln -s /opt/hostedtoolcache/SUPERCILEX/x86_64-unknown-linux-gnu-rmz/latest/linux-x64/rmz /usr/local/bin/rmz
 53 |           rmz -f /opt/hostedtoolcache/CodeQL &
 54 |           rmz -f /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk &
 55 |           rmz -f /opt/hostedtoolcache/PyPy &
 56 |           rmz -f /opt/hostedtoolcache/Ruby &
 57 |           rmz -f /opt/hostedtoolcache/go &
 58 | 
 59 |           wait
 60 | 
 61 |           AFTER=$(getAvailableSpace)
 62 |           SAVED=$((AFTER-BEFORE))
 63 |           echo "=> Saved $(formatByteCount $SAVED)"
 64 | 
 65 |       - name: Checkout
 66 |         uses: actions/checkout@v5
 67 | 
 68 |       - name: Terraform min/max versions
 69 |         id: minMax
 70 |         uses: clowdhaus/terraform-min-max@v2.1.0
 71 |         with:
 72 |           directory: ${{ matrix.directory }}
 73 | 
 74 |       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
 75 |         # Run only validate pre-commit check on min version supported
 76 |         if: ${{ matrix.directory !=  '.' }}
 77 |         uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
 78 |         with:
 79 |           terraform-version: ${{ steps.minMax.outputs.minVersion }}
 80 |           tflint-version: ${{ env.TFLINT_VERSION }}
 81 |           args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'
 82 | 
 83 |       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
 84 |         # Run only validate pre-commit check on min version supported
 85 |         if: ${{ matrix.directory ==  '.' }}
 86 |         uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
 87 |         with:
 88 |           terraform-version: ${{ steps.minMax.outputs.minVersion }}
 89 |           tflint-version: ${{ env.TFLINT_VERSION }}
 90 |           args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)'
 91 | 
 92 |   preCommitMaxVersion:
 93 |     name: Max TF pre-commit
 94 |     runs-on: ubuntu-latest
 95 |     needs: collectInputs
 96 |     steps:
 97 |       - name: Install rmz
 98 |         uses: jaxxstorm/action-install-gh-release@v2.1.0
 99 |         with:
100 |           repo: SUPERCILEX/fuc
101 |           asset-name: x86_64-unknown-linux-gnu-rmz
102 |           rename-to: rmz
103 |           chmod: 0755
104 |           extension-matching: disable
105 | 
106 |       # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
107 |       - name: Delete unnecessary files
108 |         run: |
109 |           formatByteCount() { echo $(numfmt --to=iec-i --suffix=B --padding=7 $1'000'); }
110 |           getAvailableSpace() { echo $(df -a $1 | awk 'NR > 1 {avail+=$4} END {print avail}'); }
111 | 
112 |           BEFORE=$(getAvailableSpace)
113 | 
114 |           ln -s /opt/hostedtoolcache/SUPERCILEX/x86_64-unknown-linux-gnu-rmz/latest/linux-x64/rmz /usr/local/bin/rmz
115 |           rmz -f /opt/hostedtoolcache/CodeQL &
116 |           rmz -f /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk &
117 |           rmz -f /opt/hostedtoolcache/PyPy &
118 |           rmz -f /opt/hostedtoolcache/Ruby &
119 |           rmz -f /opt/hostedtoolcache/go &
120 |           sudo rmz -f /usr/local/lib/android &
121 | 
122 |           if [[ ${{ github.repository }} == terraform-aws-modules/terraform-aws-security-group ]]; then
123 |             sudo rmz -f /usr/share/dotnet &
124 |             sudo rmz -f /usr/local/.ghcup &
125 |             sudo apt-get -qq remove -y 'azure-.*'
126 |             sudo apt-get -qq remove -y 'cpp-.*'
127 |             sudo apt-get -qq remove -y 'dotnet-runtime-.*'
128 |             sudo apt-get -qq remove -y 'google-.*'
129 |             sudo apt-get -qq remove -y 'libclang-.*'
130 |             sudo apt-get -qq remove -y 'libllvm.*'
131 |             sudo apt-get -qq remove -y 'llvm-.*'
132 |             sudo apt-get -qq remove -y 'mysql-.*'
133 |             sudo apt-get -qq remove -y 'postgresql-.*'
134 |             sudo apt-get -qq remove -y 'php.*'
135 |             sudo apt-get -qq remove -y 'temurin-.*'
136 |             sudo apt-get -qq remove -y kubectl firefox mono-devel
137 |             sudo apt-get -qq autoremove -y
138 |             sudo apt-get -qq clean
139 |           fi
140 | 
141 |           wait
142 | 
143 |           AFTER=$(getAvailableSpace)
144 |           SAVED=$((AFTER-BEFORE))
145 |           echo "=> Saved $(formatByteCount $SAVED)"
146 | 
147 |       - name: Checkout
148 |         uses: actions/checkout@v5
149 |         with:
150 |           ref: ${{ github.event.pull_request.head.ref }}
151 |           repository: ${{github.event.pull_request.head.repo.full_name}}
152 | 
153 |       - name: Terraform min/max versions
154 |         id: minMax
155 |         uses: clowdhaus/terraform-min-max@v2.1.0
156 | 
157 |       - name: Hide template dir
158 |         # Special to this repo, we don't want to check this dir
159 |         if: ${{ github.repository ==  'terraform-aws-modules/terraform-aws-security-group' }}
160 |         run: rm -rf modules/_templates
161 | 
162 |       - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
163 |         uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
164 |         with:
165 |           terraform-version: ${{ steps.minMax.outputs.maxVersion }}
166 |           tflint-version: ${{ env.TFLINT_VERSION }}
167 |           terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
168 |           install-hcledit: true
169 | 


--------------------------------------------------------------------------------
/examples/complete/main.tf:
--------------------------------------------------------------------------------
  1 | provider "aws" {
  2 |   region = "eu-west-1"
  3 | 
  4 |   # Make it faster by skipping something
  5 |   skip_metadata_api_check     = true
  6 |   skip_region_validation      = true
  7 |   skip_credentials_validation = true
  8 | }
  9 | 
 10 | data "aws_caller_identity" "current" {}
 11 | data "aws_region" "current" {}
 12 | 
 13 | locals {
 14 |   name = "ex-${basename(path.cwd)}"
 15 | 
 16 |   definition_template = <<EOF
 17 | {
 18 |   "Comment": "A Hello World example of the Amazon States Language using Pass states",
 19 |   "StartAt": "Hello",
 20 |   "States": {
 21 |     "Hello": {
 22 |       "Type": "Pass",
 23 |       "Result": "Hello",
 24 |       "Next": "World"
 25 |     },
 26 |     "World": {
 27 |       "Type": "Pass",
 28 |       "Result": "World",
 29 |       "End": true
 30 |     }
 31 |   }
 32 | }
 33 | EOF
 34 | 
 35 |   tags = {
 36 |     Example    = local.name
 37 |     GithubRepo = "terraform-aws-step-functions"
 38 |     GithubOrg  = "terraform-aws-modules"
 39 |   }
 40 | }
 41 | 
 42 | module "step_function" {
 43 |   source = "../../"
 44 | 
 45 |   name = random_pet.this.id
 46 | 
 47 |   type = "express"
 48 | 
 49 |   definition = local.definition_template
 50 |   publish    = true
 51 | 
 52 |   encryption_configuration = {
 53 |     type                              = "CUSTOMER_MANAGED_KMS_KEY"
 54 |     kms_key_id                        = module.kms.key_arn
 55 |     kms_data_key_reuse_period_seconds = 600
 56 |   }
 57 | 
 58 |   logging_configuration = {
 59 |     include_execution_data = true
 60 |     level                  = "ALL"
 61 |   }
 62 | 
 63 |   service_integrations = {
 64 | 
 65 |     batch_Sync = {
 66 |       events = true
 67 |     }
 68 | 
 69 |     dynamodb = {
 70 |       dynamodb = ["arn:aws:dynamodb:eu-west-1:052212379155:table/Test"]
 71 |     }
 72 | 
 73 |     athena_StartQueryExecution_Sync = {
 74 |       athena        = ["arn:aws:athena:eu-west-1:123456789012:something1:test1"]
 75 |       glue          = ["arn:aws:glue:eu-west-1:123456789012:something2:test1"]
 76 |       s3            = true # options: true (use default value from `aws_service_policies`) or provide a list of ARNs
 77 |       lakeformation = ["arn:aws:lakeformation:eu-west-1:123456789012:something3:test1"]
 78 |     }
 79 | 
 80 |     lambda = {
 81 |       lambda = [
 82 |       module.lambda_function.lambda_function_arn, "arn:aws:lambda:eu-west-1:123456789012:function:test2"]
 83 |     }
 84 | 
 85 |     xray = {
 86 |       xray = true
 87 |     }
 88 | 
 89 |     stepfunction_Sync = {
 90 |       stepfunction          = ["arn:aws:states:eu-west-1:123456789012:stateMachine:test1"]
 91 |       stepfunction_Wildcard = ["arn:aws:states:eu-west-1:123456789012:stateMachine:test1"]
 92 | 
 93 |       # Set to true to use the default events (otherwise, set this to a list of ARNs; see the docs linked in locals.tf
 94 |       # for more information). Without events permissions, you will get an error similar to this:
 95 |       #   Error: AccessDeniedException: 'arn:aws:iam::xxxx:role/step-functions-role' is not authorized to
 96 |       #   create managed-rule
 97 |       events = true
 98 |     }
 99 | 
100 |     #    # NB: This will "Deny" everything (including logging)!
101 |     #    no_tasks = {
102 |     #      deny_all = true
103 |     #    }
104 |   }
105 | 
106 |   ######################
107 |   # Additional policies
108 |   # Probably you are not going to need them (use `service_integrations` instead)!
109 |   ######################
110 | 
111 |   attach_policy_json = true
112 |   policy_json        = <<EOF
113 | {
114 |     "Version": "2012-10-17",
115 |     "Statement": [
116 |         {
117 |             "Effect": "Allow",
118 |             "Action": [
119 |                 "xray:GetSamplingStatisticSummaries"
120 |             ],
121 |             "Resource": ["*"]
122 |         }
123 |     ]
124 | }
125 | EOF
126 | 
127 |   attach_policy_jsons = true
128 |   policy_jsons = [<<EOF
129 | {
130 |     "Version": "2012-10-17",
131 |     "Statement": [
132 |         {
133 |             "Effect": "Allow",
134 |             "Action": [
135 |                 "xray:*"
136 |             ],
137 |             "Resource": ["*"]
138 |         }
139 |     ]
140 | }
141 | EOF
142 |   ]
143 |   number_of_policy_jsons = 1
144 | 
145 |   attach_policy = true
146 |   policy        = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
147 | 
148 |   attach_policies    = true
149 |   policies           = ["arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess"]
150 |   number_of_policies = 1
151 | 
152 |   attach_policy_statements = true
153 |   policy_statements = {
154 |     dynamodb = {
155 |       effect    = "Allow",
156 |       actions   = ["dynamodb:BatchWriteItem"],
157 |       resources = ["arn:aws:dynamodb:eu-west-1:052212379155:table/Test"]
158 |     },
159 |     s3_read = {
160 |       effect    = "Deny",
161 |       actions   = ["s3:HeadObject", "s3:GetObject"],
162 |       resources = ["arn:aws:s3:::my-bucket/*"]
163 |     }
164 |     kms = {
165 |       effect    = "Allow"
166 |       actions   = ["kms:Decrypt", "kms:GenerateDataKey"]
167 |       resources = [module.kms.key_arn]
168 |       condition = [{
169 |         test     = "StringEquals"
170 |         variable = "kms:EncryptionContext:aws:states:stateMachineArn"
171 |         values   = ["arn:aws:states:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:stateMachine:${random_pet.this.id}"]
172 |       }]
173 |     }
174 |   }
175 | 
176 |   ###########################
177 |   # END: Additional policies
178 |   ###########################
179 | 
180 |   sfn_state_machine_timeouts = {
181 |     create = "30m"
182 |     delete = "50m"
183 |     update = "30m"
184 |   }
185 | 
186 |   tags = merge(local.tags, {
187 |     Module = "step_function"
188 |   })
189 | }
190 | 
191 | ###############################################
192 | # With CloudWatch log group created externally
193 | ###############################################
194 | 
195 | resource "aws_cloudwatch_log_group" "external" {
196 |   name = "${random_pet.this.id}-my-log-group"
197 | 
198 |   tags = local.tags
199 | }
200 | 
201 | module "step_function_with_existing_log_group" {
202 |   source = "../../"
203 | 
204 |   name = "${random_pet.this.id}-existing-log-group"
205 | 
206 |   type = "express"
207 | 
208 |   definition = local.definition_template
209 | 
210 |   use_existing_cloudwatch_log_group = true
211 |   cloudwatch_log_group_name         = aws_cloudwatch_log_group.external.name
212 | 
213 |   logging_configuration = {
214 |     include_execution_data = false
215 |     level                  = "ERROR"
216 |   }
217 | 
218 |   tags = local.tags
219 | 
220 |   depends_on = [aws_cloudwatch_log_group.external]
221 | }
222 | 
223 | #############################################
224 | # Using packaged function from Lambda module
225 | #############################################
226 | 
227 | locals {
228 |   package_url = "https://raw.githubusercontent.com/terraform-aws-modules/terraform-aws-lambda/master/examples/fixtures/python3.8-zip/existing_package.zip"
229 |   downloaded  = "downloaded_package_${md5(local.package_url)}.zip"
230 | }
231 | 
232 | resource "null_resource" "download_package" {
233 |   triggers = {
234 |     downloaded = local.downloaded
235 |   }
236 | 
237 |   provisioner "local-exec" {
238 |     command = "curl -L -o ${local.downloaded} ${local.package_url}"
239 |   }
240 | }
241 | 
242 | module "lambda_function" {
243 |   source  = "terraform-aws-modules/lambda/aws"
244 |   version = "~> 8.0"
245 | 
246 |   function_name = "${random_pet.this.id}-lambda"
247 |   description   = "My awesome lambda function"
248 |   handler       = "index.lambda_handler"
249 |   runtime       = "python3.12"
250 | 
251 |   publish = true
252 | 
253 |   create_package         = false
254 |   local_existing_package = local.downloaded
255 | 
256 |   tags = local.tags
257 | }
258 | 
259 | ###########
260 | # Disabled
261 | ###########
262 | 
263 | module "disabled_step_function" {
264 |   source = "../../"
265 | 
266 |   create = false
267 | }
268 | 
269 | ##################
270 | # Extra resources
271 | ##################
272 | 
273 | resource "random_pet" "this" {
274 |   length = 2
275 | }
276 | 
277 | resource "aws_sqs_queue" "queue" {
278 |   name = random_pet.this.id
279 | 
280 |   tags = local.tags
281 | }
282 | 
283 | module "kms" {
284 |   source      = "terraform-aws-modules/kms/aws"
285 |   version     = "~> 1.0"
286 |   description = "KMS key for step functions"
287 | 
288 |   # Aliases
289 |   aliases                 = [local.name]
290 |   aliases_use_name_prefix = true
291 | 
292 |   key_owners = [data.aws_caller_identity.current.arn]
293 | 
294 |   tags = local.tags
295 | }
296 | 


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
  1 | variable "create" {
  2 |   description = "Whether to create Step Function resource"
  3 |   type        = bool
  4 |   default     = true
  5 | }
  6 | 
  7 | variable "create_role" {
  8 |   description = "Whether to create IAM role for the Step Function"
  9 |   type        = bool
 10 |   default     = true
 11 | }
 12 | 
 13 | variable "use_existing_role" {
 14 |   description = "Whether to use an existing IAM role for this Step Function"
 15 |   type        = bool
 16 |   default     = false
 17 | }
 18 | 
 19 | variable "use_existing_cloudwatch_log_group" {
 20 |   description = "Whether to use an existing CloudWatch log group or create new"
 21 |   type        = bool
 22 |   default     = false
 23 | }
 24 | 
 25 | ################
 26 | # Step Function
 27 | ################
 28 | 
 29 | variable "region" {
 30 |   description = "Region where the resource(s) will be managed. Defaults to the region set in the provider configuration"
 31 |   type        = string
 32 |   default     = null
 33 | }
 34 | variable "name" {
 35 |   description = "The name of the Step Function"
 36 |   type        = string
 37 |   default     = ""
 38 | }
 39 | 
 40 | variable "definition" {
 41 |   description = "The Amazon States Language definition of the Step Function"
 42 |   type        = string
 43 |   default     = ""
 44 | }
 45 | 
 46 | variable "role_arn" {
 47 |   description = "The Amazon Resource Name (ARN) of the IAM role to use for this Step Function"
 48 |   type        = string
 49 |   default     = ""
 50 | }
 51 | 
 52 | variable "tags" {
 53 |   description = "Maps of tags to assign to the Step Function"
 54 |   type        = map(string)
 55 |   default     = {}
 56 | }
 57 | 
 58 | variable "type" {
 59 |   description = "Determines whether a Standard or Express state machine is created. The default is STANDARD. Valid Values: STANDARD | EXPRESS"
 60 |   type        = string
 61 |   default     = "STANDARD"
 62 | 
 63 |   validation {
 64 |     condition     = contains(["STANDARD", "EXPRESS"], upper(var.type))
 65 |     error_message = "Step Function type must be one of the following (STANDARD | EXPRESS)."
 66 |   }
 67 | }
 68 | 
 69 | variable "sfn_state_machine_timeouts" {
 70 |   description = "Create, update, and delete timeout configurations for the step function."
 71 |   type        = map(string)
 72 |   default     = {}
 73 | }
 74 | 
 75 | variable "publish" {
 76 |   description = "Determines whether to set a version of the state machine when it is created."
 77 |   type        = bool
 78 |   default     = false
 79 | }
 80 | 
 81 | variable "encryption_configuration" {
 82 |   description = "Defines what encryption configuration is used to encrypt data in the State Machine."
 83 |   type        = any
 84 |   default     = {}
 85 | }
 86 | 
 87 | #################
 88 | # CloudWatch Logs
 89 | #################
 90 | 
 91 | variable "logging_configuration" {
 92 |   description = "Defines what execution history events are logged and where they are logged"
 93 |   type        = map(string)
 94 |   default     = {}
 95 | }
 96 | 
 97 | variable "cloudwatch_log_group_name" {
 98 |   description = "Name of Cloudwatch Logs group name to use."
 99 |   type        = string
100 |   default     = null
101 | }
102 | 
103 | variable "cloudwatch_log_group_retention_in_days" {
104 |   description = "Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653."
105 |   type        = number
106 |   default     = null
107 | }
108 | 
109 | variable "cloudwatch_log_group_kms_key_id" {
110 |   description = "The ARN of the KMS Key to use when encrypting log data."
111 |   type        = string
112 |   default     = null
113 | }
114 | 
115 | variable "cloudwatch_log_group_tags" {
116 |   description = "A map of tags to assign to the resource."
117 |   type        = map(string)
118 |   default     = {}
119 | }
120 | 
121 | variable "attach_cloudwatch_logs_policy" {
122 |   description = "Controls whether CloudWatch Logs policy should be added to IAM role for Lambda Function"
123 |   type        = bool
124 |   default     = true
125 | }
126 | 
127 | ###########
128 | # IAM Role
129 | ###########
130 | 
131 | variable "aws_region_assume_role" {
132 |   description = "Name of AWS regions where IAM role can be assumed by the Step Function"
133 |   type        = string
134 |   default     = ""
135 | }
136 | 
137 | variable "role_name" {
138 |   description = "Name of IAM role to use for Step Function"
139 |   type        = string
140 |   default     = null
141 | }
142 | 
143 | variable "role_description" {
144 |   description = "Description of IAM role to use for Step Function"
145 |   type        = string
146 |   default     = null
147 | }
148 | 
149 | variable "role_path" {
150 |   description = "Path of IAM role to use for Step Function"
151 |   type        = string
152 |   default     = null
153 | }
154 | 
155 | variable "role_force_detach_policies" {
156 |   description = "Specifies to force detaching any policies the IAM role has before destroying it."
157 |   type        = bool
158 |   default     = true
159 | }
160 | 
161 | variable "role_permissions_boundary" {
162 |   description = "The ARN of the policy that is used to set the permissions boundary for the IAM role used by Step Function"
163 |   type        = string
164 |   default     = null
165 | }
166 | 
167 | variable "role_tags" {
168 |   description = "A map of tags to assign to IAM role"
169 |   type        = map(string)
170 |   default     = {}
171 | }
172 | 
173 | #####################################################
174 | # Predefined IAM Policies for supported AWS Services
175 | # (Lambda, DynamoDB, ECS, EKS, EMR, SageMaker, ...)
176 | #####################################################
177 | 
178 | variable "attach_policies_for_integrations" {
179 |   description = "Whether to attach AWS Service policies to IAM role"
180 |   type        = bool
181 |   default     = true
182 | }
183 | 
184 | variable "service_integrations" {
185 |   description = "Map of AWS service integrations to allow in IAM role policy"
186 |   type        = any
187 |   default     = {}
188 | }
189 | 
190 | ##########################
191 | # Various custom policies
192 | ##########################
193 | 
194 | variable "attach_policy_json" {
195 |   description = "Controls whether policy_json should be added to IAM role"
196 |   type        = bool
197 |   default     = false
198 | }
199 | 
200 | variable "attach_policy_jsons" {
201 |   description = "Controls whether policy_jsons should be added to IAM role"
202 |   type        = bool
203 |   default     = false
204 | }
205 | 
206 | variable "attach_policy" {
207 |   description = "Controls whether policy should be added to IAM role"
208 |   type        = bool
209 |   default     = false
210 | }
211 | 
212 | variable "attach_policies" {
213 |   description = "Controls whether list of policies should be added to IAM role"
214 |   type        = bool
215 |   default     = false
216 | }
217 | 
218 | variable "number_of_policy_jsons" {
219 |   description = "Number of policies JSON to attach to IAM role"
220 |   type        = number
221 |   default     = 0
222 | }
223 | 
224 | variable "number_of_policies" {
225 |   description = "Number of policies to attach to IAM role"
226 |   type        = number
227 |   default     = 0
228 | }
229 | 
230 | variable "attach_policy_statements" {
231 |   description = "Controls whether policy_statements should be added to IAM role"
232 |   type        = bool
233 |   default     = false
234 | }
235 | 
236 | variable "trusted_entities" {
237 |   description = "Step Function additional trusted entities for assuming roles (trust relationship)"
238 |   type        = list(string)
239 |   default     = []
240 | }
241 | 
242 | variable "policy_json" {
243 |   description = "An additional policy document as JSON to attach to IAM role"
244 |   type        = string
245 |   default     = null
246 | }
247 | 
248 | variable "policy_jsons" {
249 |   description = "List of additional policy documents as JSON to attach to IAM role"
250 |   type        = list(string)
251 |   default     = []
252 | }
253 | 
254 | variable "policy" {
255 |   description = "An additional policy document ARN to attach to IAM role"
256 |   type        = string
257 |   default     = null
258 | }
259 | 
260 | variable "policy_path" {
261 |   description = "Path of IAM policies to use for Step Function"
262 |   type        = string
263 |   default     = null
264 | }
265 | 
266 | variable "policies" {
267 |   description = "List of policy statements ARN to attach to IAM role"
268 |   type        = list(string)
269 |   default     = []
270 | }
271 | 
272 | variable "policy_statements" {
273 |   description = "Map of dynamic policy statements to attach to IAM role"
274 |   type        = any
275 |   default     = {}
276 | }
277 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 |   create_role = var.create && var.create_role && !var.use_existing_role
  3 |   aws_region  = local.create_role && var.aws_region_assume_role == "" ? data.aws_region.current[0].region : var.aws_region_assume_role
  4 | 
  5 |   enable_logging = try(var.logging_configuration["level"], "OFF") != "OFF"
  6 | 
  7 |   enable_xray_tracing = try(var.service_integrations["xray"]["xray"], false) == true
  8 | 
  9 |   # Normalize ARN by trimming ":*" because data-source has it, but resource does not have it
 10 |   log_group_arn = trimsuffix(try(data.aws_cloudwatch_log_group.sfn[0].arn, aws_cloudwatch_log_group.sfn[0].arn, ""), ":*")
 11 | 
 12 |   role_name = local.create_role ? coalesce(var.role_name, var.name) : null
 13 | }
 14 | 
 15 | resource "aws_sfn_state_machine" "this" {
 16 |   count = var.create ? 1 : 0
 17 | 
 18 |   region = var.region
 19 | 
 20 |   name = var.name
 21 | 
 22 |   role_arn   = var.use_existing_role ? var.role_arn : aws_iam_role.this[0].arn
 23 |   definition = var.definition
 24 |   publish    = var.publish
 25 | 
 26 |   dynamic "encryption_configuration" {
 27 |     for_each = length(var.encryption_configuration) > 0 ? [var.encryption_configuration] : []
 28 | 
 29 |     content {
 30 |       type                              = encryption_configuration.value.type
 31 |       kms_key_id                        = try(encryption_configuration.value.kms_key_id, null)
 32 |       kms_data_key_reuse_period_seconds = try(encryption_configuration.value.kms_data_key_reuse_period_seconds, null)
 33 |     }
 34 |   }
 35 | 
 36 |   dynamic "logging_configuration" {
 37 |     for_each = local.enable_logging ? [true] : []
 38 | 
 39 |     content {
 40 |       log_destination        = lookup(var.logging_configuration, "log_destination", "${local.log_group_arn}:*")
 41 |       include_execution_data = lookup(var.logging_configuration, "include_execution_data", null)
 42 |       level                  = lookup(var.logging_configuration, "level", null)
 43 |     }
 44 |   }
 45 | 
 46 |   dynamic "tracing_configuration" {
 47 |     for_each = local.enable_xray_tracing ? [true] : []
 48 |     content {
 49 |       enabled = true
 50 |     }
 51 |   }
 52 | 
 53 |   type = upper(var.type)
 54 | 
 55 |   timeouts {
 56 |     create = lookup(var.sfn_state_machine_timeouts, "create", null)
 57 |     delete = lookup(var.sfn_state_machine_timeouts, "delete", null)
 58 |     update = lookup(var.sfn_state_machine_timeouts, "update", null)
 59 |   }
 60 | 
 61 |   tags = merge({ Name = var.name }, var.tags)
 62 | }
 63 | 
 64 | ###########
 65 | # IAM Role
 66 | ###########
 67 | 
 68 | data "aws_region" "current" {
 69 |   count = local.create_role && var.aws_region_assume_role == "" ? 1 : 0
 70 | }
 71 | 
 72 | data "aws_iam_policy_document" "assume_role" {
 73 |   count = local.create_role ? 1 : 0
 74 | 
 75 |   statement {
 76 |     effect  = "Allow"
 77 |     actions = ["sts:AssumeRole"]
 78 | 
 79 |     principals {
 80 |       type        = "Service"
 81 |       identifiers = distinct(concat(["states.${local.aws_region}.amazonaws.com"], var.trusted_entities))
 82 |     }
 83 |   }
 84 | }
 85 | 
 86 | resource "aws_iam_role" "this" {
 87 |   count = local.create_role ? 1 : 0
 88 | 
 89 |   name                  = local.role_name
 90 |   description           = var.role_description
 91 |   path                  = var.role_path
 92 |   force_detach_policies = var.role_force_detach_policies
 93 |   permissions_boundary  = var.role_permissions_boundary
 94 |   assume_role_policy    = data.aws_iam_policy_document.assume_role[0].json
 95 | 
 96 |   tags = merge(var.tags, var.role_tags)
 97 | }
 98 | 
 99 | ##############################
100 | # Predefined service policies
101 | ##############################
102 | 
103 | data "aws_iam_policy_document" "service" {
104 |   for_each = { for k, v in var.service_integrations : k => v if local.create_role && var.attach_policies_for_integrations }
105 | 
106 |   dynamic "statement" {
107 |     for_each = each.value
108 | 
109 |     content {
110 |       effect    = lookup(local.aws_service_policies[each.key][statement.key], "effect", "Allow")
111 |       sid       = replace("${each.key}${title(statement.key)}", "/[^0-9A-Za-z]*/", "")
112 |       actions   = local.aws_service_policies[each.key][statement.key]["actions"]
113 |       resources = statement.value == true ? local.aws_service_policies[each.key][statement.key]["default_resources"] : tolist(statement.value)
114 | 
115 |       dynamic "condition" {
116 |         for_each = lookup(local.aws_service_policies[each.key][statement.key], "condition", [])
117 |         content {
118 |           test     = condition.value.test
119 |           variable = condition.value.variable
120 |           values   = condition.value.values
121 |         }
122 |       }
123 |     }
124 |   }
125 | }
126 | 
127 | resource "aws_iam_policy" "service" {
128 |   for_each = { for k, v in var.service_integrations : k => v if local.create_role && var.attach_policies_for_integrations }
129 | 
130 |   name   = "${local.role_name}-${each.key}"
131 |   path   = var.policy_path
132 |   policy = data.aws_iam_policy_document.service[each.key].json
133 |   tags   = var.tags
134 | }
135 | 
136 | resource "aws_iam_policy_attachment" "service" {
137 |   for_each = { for k, v in var.service_integrations : k => v if local.create_role && var.attach_policies_for_integrations }
138 | 
139 |   name       = "${local.role_name}-${each.key}"
140 |   roles      = [aws_iam_role.this[0].name]
141 |   policy_arn = aws_iam_policy.service[each.key].arn
142 | }
143 | 
144 | 
145 | ###########################
146 | # Additional policy (JSON)
147 | ###########################
148 | 
149 | resource "aws_iam_policy" "additional_json" {
150 |   count = local.create_role && var.attach_policy_json ? 1 : 0
151 | 
152 |   name   = local.role_name
153 |   path   = var.policy_path
154 |   policy = var.policy_json
155 |   tags   = var.tags
156 | }
157 | 
158 | resource "aws_iam_policy_attachment" "additional_json" {
159 |   count = local.create_role && var.attach_policy_json ? 1 : 0
160 | 
161 |   name       = local.role_name
162 |   roles      = [aws_iam_role.this[0].name]
163 |   policy_arn = aws_iam_policy.additional_json[0].arn
164 | }
165 | 
166 | #####################################
167 | # Additional policies (list of JSON)
168 | #####################################
169 | 
170 | resource "aws_iam_policy" "additional_jsons" {
171 |   count = local.create_role && var.attach_policy_jsons ? var.number_of_policy_jsons : 0
172 | 
173 |   name   = "${local.role_name}-${count.index}"
174 |   path   = var.policy_path
175 |   policy = var.policy_jsons[count.index]
176 |   tags   = var.tags
177 | }
178 | 
179 | resource "aws_iam_policy_attachment" "additional_jsons" {
180 |   count = local.create_role && var.attach_policy_jsons ? var.number_of_policy_jsons : 0
181 | 
182 |   name       = "${local.role_name}-${count.index}"
183 |   roles      = [aws_iam_role.this[0].name]
184 |   policy_arn = aws_iam_policy.additional_jsons[count.index].arn
185 | }
186 | 
187 | ###########################
188 | # ARN of additional policy
189 | ###########################
190 | 
191 | resource "aws_iam_role_policy_attachment" "additional_one" {
192 |   count = local.create_role && var.attach_policy ? 1 : 0
193 | 
194 |   role       = aws_iam_role.this[0].name
195 |   policy_arn = var.policy
196 | }
197 | 
198 | ######################################
199 | # List of ARNs of additional policies
200 | ######################################
201 | 
202 | resource "aws_iam_role_policy_attachment" "additional_many" {
203 |   count = local.create_role && var.attach_policies ? var.number_of_policies : 0
204 | 
205 |   role       = aws_iam_role.this[0].name
206 |   policy_arn = var.policies[count.index]
207 | }
208 | 
209 | ###############################
210 | # Additional policy statements
211 | ###############################
212 | 
213 | data "aws_iam_policy_document" "additional_inline" {
214 |   count = local.create_role && var.attach_policy_statements ? 1 : 0
215 | 
216 |   dynamic "statement" {
217 |     for_each = var.policy_statements
218 | 
219 |     content {
220 |       sid           = lookup(statement.value, "sid", replace(statement.key, "/[^0-9A-Za-z]*/", ""))
221 |       effect        = lookup(statement.value, "effect", null)
222 |       actions       = lookup(statement.value, "actions", null)
223 |       not_actions   = lookup(statement.value, "not_actions", null)
224 |       resources     = lookup(statement.value, "resources", null)
225 |       not_resources = lookup(statement.value, "not_resources", null)
226 | 
227 |       dynamic "principals" {
228 |         for_each = lookup(statement.value, "principals", [])
229 |         content {
230 |           type        = principals.value.type
231 |           identifiers = principals.value.identifiers
232 |         }
233 |       }
234 | 
235 |       dynamic "not_principals" {
236 |         for_each = lookup(statement.value, "not_principals", [])
237 |         content {
238 |           type        = not_principals.value.type
239 |           identifiers = not_principals.value.identifiers
240 |         }
241 |       }
242 | 
243 |       dynamic "condition" {
244 |         for_each = lookup(statement.value, "condition", [])
245 |         content {
246 |           test     = condition.value.test
247 |           variable = condition.value.variable
248 |           values   = condition.value.values
249 |         }
250 |       }
251 |     }
252 |   }
253 | }
254 | 
255 | resource "aws_iam_policy" "additional_inline" {
256 |   count = local.create_role && var.attach_policy_statements ? 1 : 0
257 | 
258 |   name   = "${local.role_name}-inline"
259 |   path   = var.policy_path
260 |   policy = data.aws_iam_policy_document.additional_inline[0].json
261 |   tags   = var.tags
262 | }
263 | 
264 | resource "aws_iam_policy_attachment" "additional_inline" {
265 |   count = local.create_role && var.attach_policy_statements ? 1 : 0
266 | 
267 |   name       = local.role_name
268 |   roles      = [aws_iam_role.this[0].name]
269 |   policy_arn = aws_iam_policy.additional_inline[0].arn
270 | }
271 | 
272 | #################################
273 | # IAM policy for Cloudwatch Logs
274 | #################################
275 | 
276 | data "aws_iam_policy_document" "logs" {
277 |   count = local.create_role && local.enable_logging && var.attach_cloudwatch_logs_policy ? 1 : 0
278 | 
279 |   # Copied from https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html
280 |   statement {
281 |     effect = "Allow"
282 | 
283 |     actions = [
284 |       "logs:CreateLogDelivery",
285 |       "logs:GetLogDelivery",
286 |       "logs:UpdateLogDelivery",
287 |       "logs:DeleteLogDelivery",
288 |       "logs:ListLogDeliveries",
289 |       "logs:PutResourcePolicy",
290 |       "logs:DescribeResourcePolicies",
291 |       "logs:DescribeLogGroups",
292 |     ]
293 | 
294 |     resources = ["*"]
295 |   }
296 | }
297 | 
298 | resource "aws_iam_policy" "logs" {
299 |   count = local.create_role && local.enable_logging && var.attach_cloudwatch_logs_policy ? 1 : 0
300 | 
301 |   name   = "${local.role_name}-logs"
302 |   path   = var.policy_path
303 |   policy = data.aws_iam_policy_document.logs[0].json
304 |   tags   = var.tags
305 | }
306 | 
307 | resource "aws_iam_policy_attachment" "logs" {
308 |   count = local.create_role && local.enable_logging && var.attach_cloudwatch_logs_policy ? 1 : 0
309 | 
310 |   name       = "${local.role_name}-logs"
311 |   roles      = [aws_iam_role.this[0].name]
312 |   policy_arn = aws_iam_policy.logs[0].arn
313 | }
314 | 
315 | ##################
316 | # CloudWatch Logs
317 | ##################
318 | 
319 | data "aws_cloudwatch_log_group" "sfn" {
320 |   count = var.create && local.enable_logging && var.use_existing_cloudwatch_log_group ? 1 : 0
321 | 
322 |   name = var.cloudwatch_log_group_name
323 | }
324 | 
325 | resource "aws_cloudwatch_log_group" "sfn" {
326 |   count = var.create && local.enable_logging && !var.use_existing_cloudwatch_log_group ? 1 : 0
327 | 
328 |   region = var.region
329 | 
330 |   name              = coalesce(var.cloudwatch_log_group_name, "/aws/vendedlogs/states/${var.name}")
331 |   retention_in_days = var.cloudwatch_log_group_retention_in_days
332 |   kms_key_id        = var.cloudwatch_log_group_kms_key_id
333 | 
334 |   tags = merge(var.tags, var.cloudwatch_log_group_tags)
335 | }
336 | 


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
  1 | # Changelog
  2 | 
  3 | All notable changes to this project will be documented in this file.
  4 | 
  5 | ## [5.0.2](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v5.0.1...v5.0.2) (2025-10-21)
  6 | 
  7 | ### Bug Fixes
  8 | 
  9 | * Update CI workflow versions to latest ([#74](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/74)) ([24f5b71](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/24f5b718660d8e024b16600375b81973da64d083))
 10 | 
 11 | ## [5.0.1](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v5.0.0...v5.0.1) (2025-07-04)
 12 | 
 13 | 
 14 | ### Bug Fixes
 15 | 
 16 | * Fix deprecation warning with terraform provider v6 ([#72](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/72)) ([4fe5305](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/4fe530558e1f4ab22e77c8f4a38e6a9f1526a6c7))
 17 | 
 18 | ## [5.0.0](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v4.2.1...v5.0.0) (2025-06-26)
 19 | 
 20 | 
 21 | ### ⚠ BREAKING CHANGES
 22 | 
 23 | * Upgrade AWS provider and min required Terraform version to 6.0 and 1.5.7 respectively (#70)
 24 | 
 25 | ### Features
 26 | 
 27 | * Upgrade AWS provider and min required Terraform version to 6.0 and 1.5.7 respectively ([#70](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/70)) ([7562b0d](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/7562b0d03b7c1bf9aab9a5fe9b2c81c6e9115e40))
 28 | 
 29 | ## [4.2.1](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v4.2.0...v4.2.1) (2025-01-21)
 30 | 
 31 | 
 32 | ### Bug Fixes
 33 | 
 34 | * Update CI workflow versions to latest ([#67](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/67)) ([4ff7e77](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/4ff7e77921601c32e1b91a4e2ac86168b72911e1))
 35 | 
 36 | ## [4.2.0](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v4.1.1...v4.2.0) (2024-03-22)
 37 | 
 38 | 
 39 | ### Features
 40 | 
 41 | * Add new output with state machine name ([#63](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/63)) ([f421ef6](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/f421ef6c6807c3bf3cd9ea90d895fb25844dd4ba))
 42 | 
 43 | ## [4.1.1](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v4.1.0...v4.1.1) (2024-03-06)
 44 | 
 45 | 
 46 | ### Bug Fixes
 47 | 
 48 | * Update CI workflow versions to remove deprecated runtime warnings ([#62](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/62)) ([0fdf089](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/0fdf089ecef7af5c0094e89783200ab698e721e4))
 49 | 
 50 | ## [4.1.0](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v4.0.1...v4.1.0) (2023-12-04)
 51 | 
 52 | 
 53 | ### Features
 54 | 
 55 | * Add optional policy_path variable used for policy definitions ([#60](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/60)) ([cddcf93](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/cddcf9386e33dadbd32be23cdb279ed5acf019e5))
 56 | 
 57 | ### [4.0.1](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v4.0.0...v4.0.1) (2023-10-27)
 58 | 
 59 | 
 60 | ### Bug Fixes
 61 | 
 62 | * Fixed stepfunction_Sync action ([#58](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/58)) ([b85c8f1](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/b85c8f1c963034ba46c8263a15487f9acb4c8041))
 63 | 
 64 | ## [4.0.0](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v3.1.0...v4.0.0) (2023-10-01)
 65 | 
 66 | 
 67 | ### ⚠ BREAKING CHANGES
 68 | 
 69 | * Added publish functionality and bump AWS provider version to v5 (#57)
 70 | 
 71 | ### Features
 72 | 
 73 | * Added publish functionality and bump AWS provider version to v5 ([#57](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/57)) ([28a77d2](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/28a77d261ef46f5a5ff133c6ab68d851312c0666))
 74 | 
 75 | ## [3.1.0](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v3.0.0...v3.1.0) (2023-05-17)
 76 | 
 77 | 
 78 | ### Features
 79 | 
 80 | * Prefix the CloudWatch Log group name with  `/aws/vendedlogs/states/` ([#52](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/52)) ([3964cb3](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/3964cb385d7dd10f6e079a1df7708c260892990f))
 81 | 
 82 | ## [3.0.0](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v2.8.0...v3.0.0) (2023-05-08)
 83 | 
 84 | 
 85 | ### ⚠ BREAKING CHANGES
 86 | 
 87 | * Upgraded Terraform version to 1.0+ and added configurable timeouts (#53)
 88 | 
 89 | ### Features
 90 | 
 91 | * Upgraded Terraform version to 1.0+ and added configurable timeouts ([#53](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/53)) ([75eaaa7](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/75eaaa7580a703a96fb04c264f8b04dcc283540d))
 92 | 
 93 | ## [2.8.0](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v2.7.3...v2.8.0) (2023-04-07)
 94 | 
 95 | 
 96 | ### Features
 97 | 
 98 | * Add output for the CloudWatch log group name and ARN created for the Step Function ([#45](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/45)) ([62afe34](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/62afe3466501da24b6c94c92756334da69f16e3f))
 99 | 
100 | ### [2.7.3](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v2.7.2...v2.7.3) (2023-01-24)
101 | 
102 | 
103 | ### Bug Fixes
104 | 
105 | * Use a version for  to avoid GitHub API rate limiting on CI workflows ([#48](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/48)) ([a22efcb](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/a22efcb289e6305d1be3b2d6256065d580ee0cae))
106 | 
107 | ### [2.7.2](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v2.7.1...v2.7.2) (2022-11-02)
108 | 
109 | 
110 | ### Bug Fixes
111 | 
112 | * Move default resources for events for AWS Batch service integration ([#44](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/44)) ([bb2186b](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/bb2186b4215461dad5675790c3125b0116030a81))
113 | 
114 | ### [2.7.1](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v2.7.0...v2.7.1) (2022-10-27)
115 | 
116 | 
117 | ### Bug Fixes
118 | 
119 | * Update CI configuration files to use latest version ([#43](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/43)) ([9eea3d9](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/9eea3d9cf7c384955065ae3ca400d97428dfdfb0))
120 | 
121 | ## [2.7.0](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v2.6.0...v2.7.0) (2022-04-13)
122 | 
123 | 
124 | ### Features
125 | 
126 | * Enabled tags for IAM policies ([#38](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/38)) ([f9d3a89](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/f9d3a894fb30cbcc298903cdf9d277e4835da9d8))
127 | 
128 | ## [2.6.0](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v2.5.2...v2.6.0) (2022-04-11)
129 | 
130 | 
131 | ### Features
132 | 
133 | * Added default resources for events permissions ([#34](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/34)) ([698e4c1](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/698e4c1a4640ee80d810bd8f7e6e4db3acfd2b47))
134 | 
135 | 
136 | ### [2.5.2](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v2.5.1...v2.5.2) (2022-01-14)
137 | 
138 | 
139 | ### Bug Fixes
140 | 
141 | * True/false results had different types ([#30](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/30)) ([9f8c111](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/9f8c111b8c8daa8e0525525ca0110b3a8c43e577))
142 | 
143 | ### [2.5.1](https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v2.5.0...v2.5.1) (2022-01-10)
144 | 
145 | 
146 | ### Bug Fixes
147 | 
148 | * update CI/CD process to enable auto-release workflow ([#26](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/26)) ([660d759](https://github.com/terraform-aws-modules/terraform-aws-step-functions/commit/660d759b68d2ae9817fd1bc138885cddc58dfd2e))
149 | 
150 | 
151 | <a name="v2.5.0"></a>
152 | ## [v2.5.0] - 2021-09-15
153 | 
154 | - feat: Adding IAM PassRole for ECS tasks as it is required for Fargate ([#24](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/24))
155 | 
156 | 
157 | <a name="v2.4.0"></a>
158 | ## [v2.4.0] - 2021-09-01
159 | 
160 | - feat: Enable X-Ray tracing on Step Function if set to true in service_integrations ([#22](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/22))
161 | 
162 | 
163 | <a name="v2.3.0"></a>
164 | ## [v2.3.0] - 2021-05-25
165 | 
166 | - chore: Remove check boxes that don't render properly in module doc ([#18](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/18))
167 | 
168 | 
169 | <a name="v2.2.0"></a>
170 | ## [v2.2.0] - 2021-05-15
171 | 
172 | - feat: Add support for EventBridge integration with PutEvents tasks ([#17](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/17))
173 | 
174 | 
175 | <a name="v2.1.0"></a>
176 | ## [v2.1.0] - 2021-05-12
177 | 
178 | - fix: Fixed service_integration type conversion with tomap ([#16](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/16))
179 | - chore: update CI/CD to use stable `terraform-docs` release artifact and discoverable Apache2.0 license ([#13](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/13))
180 | 
181 | 
182 | <a name="v2.0.0"></a>
183 | ## [v2.0.0] - 2021-04-26
184 | 
185 | - feat: Shorten outputs (removing this_) ([#12](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/12))
186 | 
187 | 
188 | <a name="v1.3.0"></a>
189 | ## [v1.3.0] - 2021-04-07
190 | 
191 | - feat: Configure cloudwatch logging for step functions module ([#9](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/9))
192 | - chore: update documentation and pin `terraform_docs` version to avoid future changes ([#10](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/10))
193 | - chore: align ci-cd static checks to use individual minimum Terraform versions ([#6](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/6))
194 | - chore: Run pre-commit terraform_docs hook ([#5](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/5))
195 | - chore: add ci-cd workflow for pre-commit checks ([#4](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/4))
196 | 
197 | 
198 | <a name="v1.2.0"></a>
199 | ## [v1.2.0] - 2021-02-20
200 | 
201 | - chore: update documentation based on latest `terraform-docs` which includes module and resource sections ([#3](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/3))
202 | 
203 | 
204 | <a name="v1.1.0"></a>
205 | ## [v1.1.0] - 2021-02-12
206 | 
207 | - feat: Add support for Step Function type - STANDARD (default) or EXPRESS ([#2](https://github.com/terraform-aws-modules/terraform-aws-step-functions/issues/2))
208 | 
209 | 
210 | <a name="v1.0.0"></a>
211 | ## [v1.0.0] - 2020-11-21
212 | 
213 | - fix: IAM policy integration
214 | 
215 | 
216 | <a name="v0.1.0"></a>
217 | ## v0.1.0 - 2020-11-21
218 | 
219 | - Initial commit
220 | 
221 | 
222 | [Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v2.5.0...HEAD
223 | [v2.5.0]: https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v2.4.0...v2.5.0
224 | [v2.4.0]: https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v2.3.0...v2.4.0
225 | [v2.3.0]: https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v2.2.0...v2.3.0
226 | [v2.2.0]: https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v2.1.0...v2.2.0
227 | [v2.1.0]: https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v2.0.0...v2.1.0
228 | [v2.0.0]: https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v1.3.0...v2.0.0
229 | [v1.3.0]: https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v1.2.0...v1.3.0
230 | [v1.2.0]: https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v1.1.0...v1.2.0
231 | [v1.1.0]: https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v1.0.0...v1.1.0
232 | [v1.0.0]: https://github.com/terraform-aws-modules/terraform-aws-step-functions/compare/v0.1.0...v1.0.0
233 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # AWS Step Functions Terraform module
  2 | 
  3 | Terraform module, which creates AWS Step Functions as well as required IAM role and IAM policies for [Integrated Services](https://docs.aws.amazon.com/step-functions/latest/dg/service-integration-iam-templates.html).
  4 | 
  5 | This Terraform module is the part of [serverless.tf framework](https://github.com/antonbabenko/serverless.tf), which aims to simplify all operations when working with the serverless in Terraform.
  6 | 
  7 | ## Features
  8 | 
  9 | - Creates AWS Step Function
 10 | - Conditional creation for many types of resources
 11 | - Support IAM policy attachments for [Integrated Services (eg, Lambda, SQS, ECS, EKS, Batch, DynamoDB, etc)](https://docs.aws.amazon.com/step-functions/latest/dg/service-integration-iam-templates.html) and various ways to create and attach additional policies
 12 | 
 13 | ## Usage
 14 | 
 15 | ### Step Function
 16 | 
 17 | ```hcl
 18 | module "step_function" {
 19 |   source = "terraform-aws-modules/step-functions/aws"
 20 | 
 21 |   name       = "my-step-function"
 22 |   definition = <<EOF
 23 | {
 24 |   "Comment": "A Hello World example of the Amazon States Language using Pass states",
 25 |   "StartAt": "Hello",
 26 |   "States": {
 27 |     "Hello": {
 28 |       "Type": "Pass",
 29 |       "Result": "Hello",
 30 |       "Next": "World"
 31 |     },
 32 |     "World": {
 33 |       "Type": "Pass",
 34 |       "Result": "World",
 35 |       "End": true
 36 |     }
 37 |   }
 38 | }
 39 | EOF
 40 | 
 41 |   service_integrations = {
 42 |     dynamodb = {
 43 |       dynamodb = ["arn:aws:dynamodb:eu-west-1:052212379155:table/Test"]
 44 |     }
 45 | 
 46 |     lambda = {
 47 |       lambda = ["arn:aws:lambda:eu-west-1:123456789012:function:test1", "arn:aws:lambda:eu-west-1:123456789012:function:test2"]
 48 |     }
 49 | 
 50 |     stepfunction_Sync = {
 51 |       stepfunction = ["arn:aws:states:eu-west-1:123456789012:stateMachine:test1"]
 52 |       stepfunction_Wildcard = ["arn:aws:states:eu-west-1:123456789012:stateMachine:test1"]
 53 | 
 54 |       # Set to true to use the default events (otherwise, set this to a list of ARNs; see the docs linked in locals.tf
 55 |       # for more information). Without events permissions, you will get an error similar to this:
 56 |       #   Error: AccessDeniedException: 'arn:aws:iam::xxxx:role/step-functions-role' is not authorized to
 57 |       #   create managed-rule
 58 |       events = true
 59 |     }
 60 |   }
 61 | 
 62 |   type = "STANDARD"
 63 | 
 64 |   tags = {
 65 |     Module = "my"
 66 |   }
 67 | }
 68 | ```
 69 | 
 70 | ## Service integration policies
 71 | 
 72 | There are predefined policies for all available integrations (see `aws_service_policies` in `locals.tf` for values) which can be used as a key inside `service_integrations` argument.
 73 | 
 74 | Each key of `aws_service_policies` contains configuration for the IAM policy statements which will be combined with the values specified in `service_integrations` argument.
 75 | 
 76 | Example of `service_integrations` arguments:
 77 | 
 78 | ```hcl
 79 | module "step_function" {
 80 |   source = "terraform-aws-modules/step-functions/aws"
 81 | 
 82 |   # ... omitted
 83 |   service_integrations = {
 84 |     xray = {
 85 |       xray = true  # the value of default_resources key will be used when key value is `true`
 86 |     }
 87 | 
 88 |     sqs = {
 89 |       sqs = ["arn:aws:sqs:..."]  # sqs queue ARN is required because there is no default_resources key for such integration
 90 |     }
 91 | 
 92 |     # Special case to deny all actions for the step function (this will override all IAM policies allowed for the function)
 93 |     no_tasks = {
 94 |       deny_all = true
 95 |     }
 96 |   }
 97 | }
 98 | ```
 99 | 
100 | ## Additional IAM policies for Step Function
101 | 
102 | In addition to all supported AWS service integrations you may want to create and attach additional policies.
103 | 
104 | There are 5 supported ways to attach additional IAM policies to IAM role used by Step Function:
105 | 
106 | 1. `policy_json` - JSON string or heredoc, when `attach_policy_json = true`.
107 | 2. `policy_jsons` - List of JSON strings or heredoc, when `attach_policy_jsons = true` and `number_of_policy_jsons > 0`.
108 | 3. `policy` - ARN of existing IAM policy, when `attach_policy = true`.
109 | 4. `policies` - List of ARNs of existing IAM policies, when `attach_policies = true` and `number_of_policies > 0`.
110 | 5. `policy_statements` - Map of maps to define IAM statements which will be generated as IAM policy. Requires `attach_policy_statements = true`. See `examples/complete` for more information.
111 | 
112 | ## Conditional creation
113 | 
114 | Sometimes you need to have a way to create resources conditionally, so the solution is to specify `create` arguments.
115 | 
116 | ```hcl
117 | module "step_function" {
118 |   source = "terraform-aws-modules/step-functions/aws"
119 | 
120 |   create      = false # to disable all resources
121 |   create_role = false  # to control creation of the IAM role and policies required for Step Function
122 | 
123 |   # ... omitted
124 | }
125 | ```
126 | 
127 | ## Examples
128 | 
129 | - [Complete](https://github.com/terraform-aws-modules/terraform-aws-step-functions/tree/master/examples/complete) - Create Step Function and required IAM resources in various combinations with all supported features.
130 | 
131 | <!-- BEGIN_TF_DOCS -->
132 | ## Requirements
133 | 
134 | | Name | Version |
135 | |------|---------|
136 | | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
137 | | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
138 | 
139 | ## Providers
140 | 
141 | | Name | Version |
142 | |------|---------|
143 | | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
144 | 
145 | ## Modules
146 | 
147 | No modules.
148 | 
149 | ## Resources
150 | 
151 | | Name | Type |
152 | |------|------|
153 | | [aws_cloudwatch_log_group.sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
154 | | [aws_iam_policy.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
155 | | [aws_iam_policy.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
156 | | [aws_iam_policy.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
157 | | [aws_iam_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
158 | | [aws_iam_policy.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
159 | | [aws_iam_policy_attachment.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
160 | | [aws_iam_policy_attachment.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
161 | | [aws_iam_policy_attachment.additional_jsons](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
162 | | [aws_iam_policy_attachment.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
163 | | [aws_iam_policy_attachment.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
164 | | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
165 | | [aws_iam_role_policy_attachment.additional_many](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
166 | | [aws_iam_role_policy_attachment.additional_one](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
167 | | [aws_sfn_state_machine.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | resource |
168 | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
169 | | [aws_cloudwatch_log_group.sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudwatch_log_group) | data source |
170 | | [aws_iam_policy_document.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
171 | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
172 | | [aws_iam_policy_document.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
173 | | [aws_iam_policy_document.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
174 | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
175 | 
176 | ## Inputs
177 | 
178 | | Name | Description | Type | Default | Required |
179 | |------|-------------|------|---------|:--------:|
180 | | <a name="input_attach_cloudwatch_logs_policy"></a> [attach\_cloudwatch\_logs\_policy](#input\_attach\_cloudwatch\_logs\_policy) | Controls whether CloudWatch Logs policy should be added to IAM role for Lambda Function | `bool` | `true` | no |
181 | | <a name="input_attach_policies"></a> [attach\_policies](#input\_attach\_policies) | Controls whether list of policies should be added to IAM role | `bool` | `false` | no |
182 | | <a name="input_attach_policies_for_integrations"></a> [attach\_policies\_for\_integrations](#input\_attach\_policies\_for\_integrations) | Whether to attach AWS Service policies to IAM role | `bool` | `true` | no |
183 | | <a name="input_attach_policy"></a> [attach\_policy](#input\_attach\_policy) | Controls whether policy should be added to IAM role | `bool` | `false` | no |
184 | | <a name="input_attach_policy_json"></a> [attach\_policy\_json](#input\_attach\_policy\_json) | Controls whether policy\_json should be added to IAM role | `bool` | `false` | no |
185 | | <a name="input_attach_policy_jsons"></a> [attach\_policy\_jsons](#input\_attach\_policy\_jsons) | Controls whether policy\_jsons should be added to IAM role | `bool` | `false` | no |
186 | | <a name="input_attach_policy_statements"></a> [attach\_policy\_statements](#input\_attach\_policy\_statements) | Controls whether policy\_statements should be added to IAM role | `bool` | `false` | no |
187 | | <a name="input_aws_region_assume_role"></a> [aws\_region\_assume\_role](#input\_aws\_region\_assume\_role) | Name of AWS regions where IAM role can be assumed by the Step Function | `string` | `""` | no |
188 | | <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data. | `string` | `null` | no |
189 | | <a name="input_cloudwatch_log_group_name"></a> [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | Name of Cloudwatch Logs group name to use. | `string` | `null` | no |
190 | | <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `null` | no |
191 | | <a name="input_cloudwatch_log_group_tags"></a> [cloudwatch\_log\_group\_tags](#input\_cloudwatch\_log\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `{}` | no |
192 | | <a name="input_create"></a> [create](#input\_create) | Whether to create Step Function resource | `bool` | `true` | no |
193 | | <a name="input_create_role"></a> [create\_role](#input\_create\_role) | Whether to create IAM role for the Step Function | `bool` | `true` | no |
194 | | <a name="input_definition"></a> [definition](#input\_definition) | The Amazon States Language definition of the Step Function | `string` | `""` | no |
195 | | <a name="input_encryption_configuration"></a> [encryption\_configuration](#input\_encryption\_configuration) | Defines what encryption configuration is used to encrypt data in the State Machine. | `any` | `{}` | no |
196 | | <a name="input_logging_configuration"></a> [logging\_configuration](#input\_logging\_configuration) | Defines what execution history events are logged and where they are logged | `map(string)` | `{}` | no |
197 | | <a name="input_name"></a> [name](#input\_name) | The name of the Step Function | `string` | `""` | no |
198 | | <a name="input_number_of_policies"></a> [number\_of\_policies](#input\_number\_of\_policies) | Number of policies to attach to IAM role | `number` | `0` | no |
199 | | <a name="input_number_of_policy_jsons"></a> [number\_of\_policy\_jsons](#input\_number\_of\_policy\_jsons) | Number of policies JSON to attach to IAM role | `number` | `0` | no |
200 | | <a name="input_policies"></a> [policies](#input\_policies) | List of policy statements ARN to attach to IAM role | `list(string)` | `[]` | no |
201 | | <a name="input_policy"></a> [policy](#input\_policy) | An additional policy document ARN to attach to IAM role | `string` | `null` | no |
202 | | <a name="input_policy_json"></a> [policy\_json](#input\_policy\_json) | An additional policy document as JSON to attach to IAM role | `string` | `null` | no |
203 | | <a name="input_policy_jsons"></a> [policy\_jsons](#input\_policy\_jsons) | List of additional policy documents as JSON to attach to IAM role | `list(string)` | `[]` | no |
204 | | <a name="input_policy_path"></a> [policy\_path](#input\_policy\_path) | Path of IAM policies to use for Step Function | `string` | `null` | no |
205 | | <a name="input_policy_statements"></a> [policy\_statements](#input\_policy\_statements) | Map of dynamic policy statements to attach to IAM role | `any` | `{}` | no |
206 | | <a name="input_publish"></a> [publish](#input\_publish) | Determines whether to set a version of the state machine when it is created. | `bool` | `false` | no |
207 | | <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the region set in the provider configuration | `string` | `null` | no |
208 | | <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role to use for this Step Function | `string` | `""` | no |
209 | | <a name="input_role_description"></a> [role\_description](#input\_role\_description) | Description of IAM role to use for Step Function | `string` | `null` | no |
210 | | <a name="input_role_force_detach_policies"></a> [role\_force\_detach\_policies](#input\_role\_force\_detach\_policies) | Specifies to force detaching any policies the IAM role has before destroying it. | `bool` | `true` | no |
211 | | <a name="input_role_name"></a> [role\_name](#input\_role\_name) | Name of IAM role to use for Step Function | `string` | `null` | no |
212 | | <a name="input_role_path"></a> [role\_path](#input\_role\_path) | Path of IAM role to use for Step Function | `string` | `null` | no |
213 | | <a name="input_role_permissions_boundary"></a> [role\_permissions\_boundary](#input\_role\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the IAM role used by Step Function | `string` | `null` | no |
214 | | <a name="input_role_tags"></a> [role\_tags](#input\_role\_tags) | A map of tags to assign to IAM role | `map(string)` | `{}` | no |
215 | | <a name="input_service_integrations"></a> [service\_integrations](#input\_service\_integrations) | Map of AWS service integrations to allow in IAM role policy | `any` | `{}` | no |
216 | | <a name="input_sfn_state_machine_timeouts"></a> [sfn\_state\_machine\_timeouts](#input\_sfn\_state\_machine\_timeouts) | Create, update, and delete timeout configurations for the step function. | `map(string)` | `{}` | no |
217 | | <a name="input_tags"></a> [tags](#input\_tags) | Maps of tags to assign to the Step Function | `map(string)` | `{}` | no |
218 | | <a name="input_trusted_entities"></a> [trusted\_entities](#input\_trusted\_entities) | Step Function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no |
219 | | <a name="input_type"></a> [type](#input\_type) | Determines whether a Standard or Express state machine is created. The default is STANDARD. Valid Values: STANDARD \| EXPRESS | `string` | `"STANDARD"` | no |
220 | | <a name="input_use_existing_cloudwatch_log_group"></a> [use\_existing\_cloudwatch\_log\_group](#input\_use\_existing\_cloudwatch\_log\_group) | Whether to use an existing CloudWatch log group or create new | `bool` | `false` | no |
221 | | <a name="input_use_existing_role"></a> [use\_existing\_role](#input\_use\_existing\_role) | Whether to use an existing IAM role for this Step Function | `bool` | `false` | no |
222 | 
223 | ## Outputs
224 | 
225 | | Name | Description |
226 | |------|-------------|
227 | | <a name="output_cloudwatch_log_group_arn"></a> [cloudwatch\_log\_group\_arn](#output\_cloudwatch\_log\_group\_arn) | The ARN of the CloudWatch log group created for the Step Function |
228 | | <a name="output_cloudwatch_log_group_name"></a> [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | The name of the CloudWatch log group created for the Step Function |
229 | | <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the IAM role created for the Step Function |
230 | | <a name="output_role_name"></a> [role\_name](#output\_role\_name) | The name of the IAM role created for the Step Function |
231 | | <a name="output_state_machine_arn"></a> [state\_machine\_arn](#output\_state\_machine\_arn) | The ARN of the Step Function |
232 | | <a name="output_state_machine_creation_date"></a> [state\_machine\_creation\_date](#output\_state\_machine\_creation\_date) | The date the Step Function was created |
233 | | <a name="output_state_machine_id"></a> [state\_machine\_id](#output\_state\_machine\_id) | The ARN of the Step Function |
234 | | <a name="output_state_machine_name"></a> [state\_machine\_name](#output\_state\_machine\_name) | The Name of the Step Function |
235 | | <a name="output_state_machine_status"></a> [state\_machine\_status](#output\_state\_machine\_status) | The current status of the Step Function |
236 | | <a name="output_state_machine_version_arn"></a> [state\_machine\_version\_arn](#output\_state\_machine\_version\_arn) | The ARN of state machine version |
237 | <!-- END_TF_DOCS -->
238 | 
239 | ## Authors
240 | 
241 | Module managed by [Anton Babenko](https://github.com/antonbabenko). Check out [serverless.tf](https://serverless.tf) to learn more about doing serverless with Terraform.
242 | 
243 | Please reach out to [Betajob](https://www.betajob.com/) if you are looking for commercial support for your Terraform, AWS, or serverless project.
244 | 
245 | ## License
246 | 
247 | Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-step-functions/tree/master/LICENSE) for full details.
248 | 


--------------------------------------------------------------------------------
/locals.tf:
--------------------------------------------------------------------------------
  1 | locals {
  2 |   # Map of all available IAM policies constructs for AWS services
  3 |   #
  4 |   # See more - https://docs.aws.amazon.com/step-functions/latest/dg/service-integration-iam-templates.html
  5 |   #
  6 |   # Notes:
  7 |   # * `effect` - "Allow" or "Deny" in policy statement (default: Allow)
  8 |   # * `actions` - list of actions in policy statement
  9 |   # * `condition` - list of condition in policy statement
 10 |   # * `default_resources` - list of resources if not provided as argument
 11 | 
 12 |   aws_service_policies = {
 13 | 
 14 |     # https://docs.aws.amazon.com/step-functions/latest/dg/lambda-iam.html
 15 |     lambda = {
 16 |       lambda = {
 17 |         actions = [
 18 |           "lambda:InvokeFunction"
 19 |         ]
 20 |       }
 21 |     }
 22 | 
 23 |     # https://docs.aws.amazon.com/step-functions/latest/dg/sns-iam.html
 24 |     sns = {
 25 |       sns = {
 26 |         actions = [
 27 |           "sns:Publish"
 28 |         ]
 29 |       }
 30 |     }
 31 | 
 32 |     # https://docs.aws.amazon.com/step-functions/latest/dg/sqs-iam.html
 33 |     sqs = {
 34 |       sqs = {
 35 |         actions = [
 36 |           "sqs:SendMessage"
 37 |         ]
 38 |       }
 39 |     }
 40 | 
 41 |     # https://docs.aws.amazon.com/step-functions/latest/dg/xray-iam.html
 42 |     xray = {
 43 |       xray = {
 44 |         actions = [
 45 |           "xray:PutTraceSegments",
 46 |           "xray:PutTelemetryRecords",
 47 |           "xray:GetSamplingRules",
 48 |           "xray:GetSamplingTargets"
 49 |         ]
 50 |         default_resources = ["*"]
 51 |       }
 52 |     }
 53 | 
 54 |     # https://docs.aws.amazon.com/step-functions/latest/dg/athena-iam.html
 55 |     athena_StartQueryExecution_Sync = {
 56 |       athena = {
 57 |         actions = [
 58 |           "athena:startQueryExecution",
 59 |           "athena:stopQueryExecution",
 60 |           "athena:getQueryExecution",
 61 |           "athena:getDataCatalog"
 62 |         ]
 63 |       }
 64 | 
 65 |       s3 = {
 66 |         actions = [
 67 |           "s3:GetBucketLocation",
 68 |           "s3:GetObject",
 69 |           "s3:ListBucket",
 70 |           "s3:ListBucketMultipartUploads",
 71 |           "s3:ListMultipartUploadParts",
 72 |           "s3:AbortMultipartUpload",
 73 |           "s3:CreateBucket",
 74 |           "s3:PutObject"
 75 |         ]
 76 |         default_resources = ["arn:aws:s3:::*"]
 77 |       }
 78 | 
 79 |       glue = {
 80 |         actions = [
 81 |           "glue:CreateDatabase",
 82 |           "glue:GetDatabase",
 83 |           "glue:GetDatabases",
 84 |           "glue:UpdateDatabase",
 85 |           "glue:DeleteDatabase",
 86 |           "glue:CreateTable",
 87 |           "glue:UpdateTable",
 88 |           "glue:GetTable",
 89 |           "glue:GetTables",
 90 |           "glue:DeleteTable",
 91 |           "glue:BatchDeleteTable",
 92 |           "glue:BatchCreatePartition",
 93 |           "glue:CreatePartition",
 94 |           "glue:UpdatePartition",
 95 |           "glue:GetPartition",
 96 |           "glue:GetPartitions",
 97 |           "glue:BatchGetPartition",
 98 |           "glue:DeletePartition",
 99 |           "glue:BatchDeletePartition"
100 |         ]
101 |       }
102 | 
103 |       lakeformation = {
104 |         actions = [
105 |           "lakeformation:GetDataAccess"
106 |         ]
107 |         default_resources = ["*"]
108 |       }
109 |     }
110 | 
111 |     athena_StartQueryExecution = {
112 |       athena = {
113 |         actions = [
114 |           "athena:startQueryExecution",
115 |           "athena:getDataCatalog"
116 |         ]
117 |       }
118 | 
119 |       s3 = {
120 |         actions = [
121 |           "s3:GetBucketLocation",
122 |           "s3:GetObject",
123 |           "s3:ListBucket",
124 |           "s3:ListBucketMultipartUploads",
125 |           "s3:ListMultipartUploadParts",
126 |           "s3:AbortMultipartUpload",
127 |           "s3:CreateBucket",
128 |           "s3:PutObject"
129 |         ]
130 |         default_resources = ["arn:aws:s3:::*"]
131 |       }
132 | 
133 |       glue = {
134 |         actions = [
135 |           "glue:CreateDatabase",
136 |           "glue:GetDatabase",
137 |           "glue:GetDatabases",
138 |           "glue:UpdateDatabase",
139 |           "glue:DeleteDatabase",
140 |           "glue:CreateTable",
141 |           "glue:UpdateTable",
142 |           "glue:GetTable",
143 |           "glue:GetTables",
144 |           "glue:DeleteTable",
145 |           "glue:BatchDeleteTable",
146 |           "glue:BatchCreatePartition",
147 |           "glue:CreatePartition",
148 |           "glue:UpdatePartition",
149 |           "glue:GetPartition",
150 |           "glue:GetPartitions",
151 |           "glue:BatchGetPartition",
152 |           "glue:DeletePartition",
153 |           "glue:BatchDeletePartition"
154 |         ]
155 |       }
156 | 
157 |       lakeformation = {
158 |         actions = [
159 |           "lakeformation:GetDataAccess"
160 |         ]
161 |         default_resources = ["*"]
162 |       }
163 |     }
164 | 
165 |     athena_StopQueryExecution = {
166 |       athena = {
167 |         actions = [
168 |           "athena:stopQueryExecution"
169 |         ]
170 |       }
171 |     }
172 | 
173 |     athena_GetQueryExecution = {
174 |       athena = {
175 |         actions = [
176 |           "athena:stopQueryExecution"
177 |         ]
178 |       }
179 |     }
180 | 
181 |     athena_GetQueryResults = {
182 |       athena = {
183 |         actions = [
184 |           "athena:getQueryResults"
185 |         ]
186 |       }
187 | 
188 |       s3 = {
189 |         actions = [
190 |           "s3:GetObject"
191 |         ]
192 |         default_resources = ["arn:aws:s3:::*"]
193 |       }
194 |     }
195 | 
196 |     # https://docs.aws.amazon.com/step-functions/latest/dg/batch-iam.html
197 |     batch_Sync = {
198 |       batch = {
199 |         actions = [
200 |           "batch:SubmitJob",
201 |           "batch:DescribeJobs",
202 |           "batch:TerminateJob"
203 |         ]
204 |         default_resources = ["*"]
205 |       }
206 | 
207 |       events = {
208 |         actions = [
209 |           "events:PutTargets",
210 |           "events:PutRule",
211 |           "events:DescribeRule"
212 |         ]
213 |         default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForBatchJobsRule"]
214 |       }
215 |     }
216 | 
217 |     batch_WaitForTaskToken = {
218 |       batch = {
219 |         actions = [
220 |           "batch:SubmitJob"
221 |         ]
222 |         default_resources = ["*"]
223 |       }
224 |     }
225 | 
226 |     # https://docs.aws.amazon.com/step-functions/latest/dg/dynamo-iam.html
227 |     dynamodb = {
228 |       dynamodb = {
229 |         actions = [
230 |           "dynamodb:GetItem",
231 |           "dynamodb:PutItem",
232 |           "dynamodb:UpdateItem",
233 |           "dynamodb:DeleteItem"
234 |         ]
235 |       }
236 |     }
237 | 
238 |     # https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
239 |     ecs_Sync = {
240 |       ecs = {
241 |         actions = [
242 |           "ecs:RunTask"
243 |         ]
244 |       }
245 | 
246 |       ecs_Wildcard = {
247 |         actions = [
248 |           "ecs:StopTask",
249 |           "ecs:DescribeTasks"
250 |         ]
251 |         default_resources = ["*"]
252 |       }
253 | 
254 |       iam_PassRole = {
255 |         actions = [
256 |           "iam:PassRole"
257 |         ]
258 |         condition = [
259 |           {
260 |             test     = "StringEquals"
261 |             variable = "iam:PassedToService"
262 |             values   = ["ecs-tasks.amazonaws.com"]
263 |           }
264 |         ]
265 |       }
266 | 
267 |       events = {
268 |         actions = [
269 |           "events:PutTargets",
270 |           "events:PutRule",
271 |           "events:DescribeRule"
272 |         ]
273 |         default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForECSTaskRule"]
274 |       }
275 |     }
276 | 
277 |     ecs_WaitForTaskToken = {
278 |       ecs = {
279 |         actions = [
280 |           "ecs:RunTask"
281 |         ]
282 |       }
283 | 
284 |       iam_PassRole = {
285 |         actions = [
286 |           "iam:PassRole"
287 |         ]
288 |         condition = [
289 |           {
290 |             test     = "StringEquals"
291 |             variable = "iam:PassedToService"
292 |             values   = ["ecs-tasks.amazonaws.com"]
293 |           }
294 |         ]
295 |       }
296 |     }
297 | 
298 |     # https://docs.aws.amazon.com/step-functions/latest/dg/glue-iam.html
299 |     glue_Sync = {
300 |       glue = {
301 |         actions = [
302 |           "glue:StartJobRun",
303 |           "glue:GetJobRun",
304 |           "glue:GetJobRuns",
305 |           "glue:BatchStopJobRun"
306 |         ]
307 |         default_resources = ["*"]
308 |       }
309 |     }
310 | 
311 |     glue_WaitForTaskToken = {
312 |       glue = {
313 |         actions = [
314 |           "glue:StartJobRun"
315 |         ]
316 |         default_resources = ["*"]
317 |       }
318 |     }
319 | 
320 |     # https://docs.aws.amazon.com/step-functions/latest/dg/sagemaker-iam.html
321 |     sagemaker_CreateTrainingJob_Sync = {
322 |       sagemaker = {
323 |         actions = [
324 |           "sagemaker:CreateTrainingJob",
325 |           "sagemaker:DescribeTrainingJob",
326 |           "sagemaker:StopTrainingJob"
327 |         ]
328 |       }
329 | 
330 |       sagemaker_Wildcard = {
331 |         actions = [
332 |           "sagemaker:ListTags"
333 |         ]
334 |         default_resources = ["*"]
335 |       }
336 | 
337 |       sagemaker_IamPassRole = {
338 |         actions = [
339 |           "iam:PassRole"
340 |         ]
341 |         condition = [
342 |           {
343 |             test     = "StringEquals"
344 |             variable = "iam:PassedToService"
345 |             values   = ["sagemaker.amazonaws.com"]
346 |           }
347 |         ]
348 |       }
349 | 
350 |       events = {
351 |         actions = [
352 |           "events:PutTargets",
353 |           "events:PutRule",
354 |           "events:DescribeRule"
355 |         ]
356 |       }
357 |       default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForSageMakerTrainingJobsRule"]
358 |     }
359 | 
360 |     sagemaker_CreateTrainingJob_WaitForTaskToken = {
361 |       sagemaker = {
362 |         actions = [
363 |           "sagemaker:CreateTrainingJob"
364 |         ]
365 |       }
366 | 
367 |       sagemaker_Wildcard = {
368 |         actions = [
369 |           "sagemaker:ListTags"
370 |         ]
371 |         default_resources = ["*"]
372 |       }
373 | 
374 |       sagemaker_IamPassRole = {
375 |         actions = [
376 |           "iam:PassRole"
377 |         ]
378 |         condition = [
379 |           {
380 |             test     = "StringEquals"
381 |             variable = "iam:PassedToService"
382 |             values   = ["sagemaker.amazonaws.com"]
383 |           }
384 |         ]
385 |       }
386 |     }
387 | 
388 |     sagemaker_CreateTransformJob_Sync = {
389 |       sagemaker = {
390 |         actions = [
391 |           "sagemaker:CreateTransformJob",
392 |           "sagemaker:DescribeTransformJob",
393 |           "sagemaker:StopTransformJob"
394 |         ]
395 |       }
396 | 
397 |       sagemaker_Wildcard = {
398 |         actions = [
399 |           "sagemaker:ListTags"
400 |         ]
401 |         default_resources = ["*"]
402 |       }
403 | 
404 |       sagemaker_IamPassRole = {
405 |         actions = [
406 |           "iam:PassRole"
407 |         ]
408 |         condition = [
409 |           {
410 |             test     = "StringEquals"
411 |             variable = "iam:PassedToService"
412 |             values   = ["sagemaker.amazonaws.com"]
413 |           }
414 |         ]
415 |       }
416 | 
417 |       events = {
418 |         actions = [
419 |           "events:PutTargets",
420 |           "events:PutRule",
421 |           "events:DescribeRule"
422 |         ]
423 |         default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForSageMakerTransformJobsRule"]
424 |       }
425 |     }
426 | 
427 |     sagemaker_CreateTransformJob_WaitForTaskToken = {
428 |       sagemaker = {
429 |         actions = [
430 |           "sagemaker:CreateTransformJob"
431 |         ]
432 |       }
433 | 
434 |       sagemaker_Wildcard = {
435 |         actions = [
436 |           "sagemaker:ListTags"
437 |         ]
438 |         default_resources = ["*"]
439 |       }
440 | 
441 |       sagemaker_IamPassRole = {
442 |         actions = [
443 |           "iam:PassRole"
444 |         ]
445 |         condition = [
446 |           {
447 |             test     = "StringEquals"
448 |             variable = "iam:PassedToService"
449 |             values   = ["sagemaker.amazonaws.com"]
450 |           }
451 |         ]
452 |       }
453 |     }
454 | 
455 |     # https://docs.aws.amazon.com/step-functions/latest/dg/emr-iam.html
456 |     emr_AddStep = {
457 |       emr = {
458 |         actions = [
459 |           "elasticmapreduce:AddJobFlowSteps",
460 |           "elasticmapreduce:DescribeStep",
461 |           "elasticmapreduce:CancelSteps"
462 |         ]
463 |       }
464 | 
465 |       events = {
466 |         actions = [
467 |           "events:PutTargets",
468 |           "events:PutRule",
469 |           "events:DescribeRule"
470 |         ]
471 |         default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventForEMRAddJobFlowStepsRule"]
472 |       }
473 |     }
474 | 
475 |     emr_CancelStep = {
476 |       emr = {
477 |         actions = [
478 |           "elasticmapreduce:CancelSteps"
479 |         ]
480 |       }
481 |     }
482 | 
483 |     emr_CreateCluster = {
484 |       emr = {
485 |         actions = [
486 |           "elasticmapreduce:RunJobFlow",
487 |           "elasticmapreduce:DescribeCluster",
488 |           "elasticmapreduce:TerminateJobFlows"
489 |         ]
490 |         default_resources = ["*"]
491 |       }
492 | 
493 |       iam_PassRole = {
494 |         actions = [
495 |           "iam:PassRole"
496 |         ]
497 |       }
498 | 
499 |       events = {
500 |         actions = [
501 |           "events:PutTargets",
502 |           "events:PutRule",
503 |           "events:DescribeRule"
504 |         ]
505 |         default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventForEMRRunJobFlowRule"]
506 |       }
507 |     }
508 | 
509 |     emr_SetClusterTerminationProtection = {
510 |       emr = {
511 |         actions = [
512 |           "elasticmapreduce:SetTerminationProtection"
513 |         ]
514 |       }
515 |     }
516 | 
517 |     emr_ModifyInstanceFleetByName = {
518 |       emr = {
519 |         actions = [
520 |           "elasticmapreduce:ModifyInstanceFleet",
521 |           "elasticmapreduce:ListInstanceFleets"
522 |         ]
523 |       }
524 |     }
525 | 
526 |     emr_ModifyInstanceGroupByName = {
527 |       emr = {
528 |         actions = [
529 |           "elasticmapreduce:ModifyInstanceGroups",
530 |           "elasticmapreduce:ListInstanceGroups"
531 |         ]
532 |       }
533 |     }
534 | 
535 |     emr_TerminateCluster = {
536 |       emr = {
537 |         actions = [
538 |           "elasticmapreduce:TerminateJobFlows",
539 |           "elasticmapreduce:DescribeCluster"
540 |         ]
541 |       }
542 | 
543 |       events = {
544 |         actions = [
545 |           "events:PutTargets",
546 |           "events:PutRule",
547 |           "events:DescribeRule"
548 |         ]
549 |       }
550 |       default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventForEMRTerminateJobFlowsRule"]
551 |     }
552 | 
553 |     # https://docs.aws.amazon.com/step-functions/latest/dg/codebuild-iam.html
554 |     codebuild_StartBuild_Sync = {
555 |       codebuild = {
556 |         actions = [
557 |           "codebuild:StartBuild",
558 |           "codebuild:StopBuild",
559 |           "codebuild:BatchGetBuilds"
560 |         ]
561 |       }
562 | 
563 |       events = {
564 |         actions = [
565 |           "events:PutTargets",
566 |           "events:PutRule",
567 |           "events:DescribeRule"
568 |         ]
569 |       }
570 |       default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventForCodeBuildStartBuildRule"]
571 |     }
572 | 
573 |     codebuild_StartBuild = {
574 |       codebuild = {
575 |         actions = [
576 |           "codebuild:StartBuild",
577 |           "codebuild:StopBuild",
578 |           "codebuild:BatchGetBuilds"
579 |         ]
580 |       }
581 |     }
582 | 
583 |     codebuild_StopBuild = {
584 |       codebuild = {
585 |         actions = [
586 |           "codebuild:StopBuild"
587 |         ]
588 |       }
589 |     }
590 | 
591 |     codebuild_BatchDeleteBuilds = {
592 |       codebuild = {
593 |         actions = [
594 |           "codebuild:BatchDeleteBuilds"
595 |         ]
596 |       }
597 |     }
598 | 
599 |     codebuild_BatchGetReports = {
600 |       codebuild = {
601 |         actions = [
602 |           "codebuild:BatchGetReports"
603 |         ]
604 |       }
605 |     }
606 | 
607 |     # https://docs.aws.amazon.com/step-functions/latest/dg/eks-iam.html
608 |     eks_CreateCluster = {
609 |       eks = {
610 |         actions = [
611 |           "eks:CreateCluster"
612 |         ]
613 |         default_resources = ["*"]
614 |       }
615 | 
616 |       eks_Wildcard = {
617 |         actions = [
618 |           "eks:DescribeCluster",
619 |           "eks:DeleteCluster" # o'really? Delete? :)
620 |         ]
621 |       }
622 | 
623 |       eks_IamPassRole = {
624 |         actions = [
625 |           "iam:PassRole"
626 |         ]
627 |         condition = [
628 |           {
629 |             test     = "StringEquals"
630 |             variable = "iam:PassedToService"
631 |             values   = ["eks.amazonaws.com"]
632 |           }
633 |         ]
634 |       }
635 |     }
636 | 
637 |     eks_CreateNodeGroup = {
638 |       eks = {
639 |         actions = [
640 |           "ec2:DescribeSubnets",
641 |           "eks:CreateNodegroup"
642 |         ]
643 |         default_resources = ["*"]
644 |       }
645 | 
646 |       eks_Wildcard = {
647 |         actions = [
648 |           "eks:DescribeNodegroup",
649 |           "eks:DeleteNodegroup"
650 |         ]
651 |       }
652 | 
653 |       iam_Role = {
654 |         actions = [
655 |           "iam:GetRole",
656 |           "iam:ListAttachedRolePolicies"
657 |         ],
658 |       }
659 | 
660 |       eks_IamPassRole = {
661 |         actions = [
662 |           "iam:PassRole"
663 |         ]
664 |         condition = [
665 |           {
666 |             test     = "StringEquals"
667 |             variable = "iam:PassedToService"
668 |             values   = ["eks.amazonaws.com"]
669 |           }
670 |         ]
671 |       }
672 |     }
673 | 
674 |     eks_DeleteCluster = {
675 |       eks = {
676 |         actions = [
677 |           "eks:DeleteCluster",
678 |           "eks:DescribeCluster"
679 |         ]
680 |       }
681 |     }
682 | 
683 |     eks_DeleteNodegroup = {
684 |       eks = {
685 |         actions = [
686 |           "eks:DeleteNodegroup",
687 |           "eks:DescribeNodegroup"
688 |         ]
689 |       }
690 |     }
691 | 
692 |     # https://docs.aws.amazon.com/step-functions/latest/dg/api-gateway-iam.html
693 |     apigateway = {
694 |       apigateway = {
695 |         actions = [
696 |           "execute-api:Invoke"
697 |         ]
698 |       }
699 |     }
700 | 
701 |     # https://docs.aws.amazon.com/step-functions/latest/dg/stepfunctions-iam.html
702 |     stepfunction_Sync = {
703 |       stepfunction = {
704 |         actions = [
705 |           "states:StartSyncExecution"
706 |         ]
707 |       }
708 | 
709 |       stepfunction_Wildcard = {
710 |         actions = [
711 |           "states:DescribeExecution",
712 |           "states:StopExecution"
713 |         ]
714 |       }
715 | 
716 |       events = {
717 |         actions = [
718 |           "events:PutTargets",
719 |           "events:PutRule",
720 |           "events:DescribeRule"
721 |         ]
722 |         default_resources = ["arn:aws:events:${local.aws_region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"]
723 |       }
724 |     }
725 | 
726 |     stepfunction = {
727 |       stepfunction = {
728 |         actions = [
729 |           "states:StartExecution"
730 |         ]
731 |       }
732 |     }
733 | 
734 |     # https://docs.aws.amazon.com/step-functions/latest/dg/eventbridge-iam.html
735 |     eventbridge = {
736 |       eventbridge = {
737 |         actions = [
738 |           "events:PutEvents"
739 |         ]
740 |         default_resources = ["*"]
741 |       }
742 |     }
743 | 
744 |     # https://docs.aws.amazon.com/step-functions/latest/dg/activities-iam.html
745 |     no_tasks = {
746 |       deny_all = {
747 |         effect            = "Deny"
748 |         actions           = ["*"]
749 |         default_resources = ["*"]
750 |       }
751 |     }
752 | 
753 |   }
754 | }
755 | 
756 | data "aws_caller_identity" "current" {}
757 | 


--------------------------------------------------------------------------------