in source/scheduler/cdk/aws_solutions/scheduler/cdk/construct.py [0:0]
def visit(self, node: IConstruct):
    """Attach the IAM permissions the scheduler's state machine needs.

    Acts only when the visited ``node`` is the scheduler construct itself; any
    other node is left untouched. The grants, in order: StartExecution on the
    scheduler's own ARN (self-invocation); when ``sync`` is set, the
    Describe/Stop and EventBridge-rule statements used for synchronous nested
    execution, plus the matching cfn_nag suppressions on the role's
    DefaultPolicy; and StartExecution on every referenced child state machine.

    Args:
        node: The construct currently being visited by the aspect.
    """
    if node != self.scheduler:
        return

    machine = self.scheduler.state_machine

    # Permission: the scheduler may start new executions of itself.
    machine.add_to_role_policy(
        iam.PolicyStatement(
            effect=iam.Effect.ALLOW,
            resources=[self.scheduler.state_machine_arn],
            actions=["states:StartExecution"],
        )
    )

    if self.scheduler.sync:
        # NOTE(review): "*" is wider than the execution-ARN scope AWS documents
        # for the .sync integration (execution:<stateMachineName>:*); confirm
        # whether it can be narrowed to the scheduler's own and its children's
        # execution ARNs rather than relying on the W12 suppression below.
        describe_and_stop = iam.PolicyStatement(
            effect=iam.Effect.ALLOW,
            resources=["*"],
            actions=["states:DescribeExecution", "states:StopExecution"],
        )
        # The fixed EventBridge rule named in the ARN below, scoped to this
        # partition/region/account.
        events_rule_arn = (
            f"arn:{Aws.PARTITION}:events:{Aws.REGION}:{Aws.ACCOUNT_ID}"
            ":rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
        )
        manage_events_rule = iam.PolicyStatement(
            effect=iam.Effect.ALLOW,
            resources=[events_rule_arn],
            actions=["events:PutTargets", "events:PutRule", "events:DescribeRule"],
        )
        machine.add_to_role_policy(describe_and_stop)
        machine.add_to_role_policy(manage_events_rule)

        # cfn_nag flags the wildcard resource (W12) and the policy size (W76);
        # the suppressions go on the role's synthesized DefaultPolicy resource.
        default_policy = machine.role.node.try_find_child("DefaultPolicy")
        add_cfn_nag_suppressions(
            default_policy.node.find_child("Resource"),
            [
                CfnNagSuppression(
                    "W12",
                    "IAM policy for nested synchronous invocation of step functions requires * on Describe and Stop Execution",
                ),
                CfnNagSuppression(
                    "W76",
                    "Large step functions need larger IAM roles to access all managed AWS Lambda functions",
                ),
            ],
        )

    # Permission: the scheduler may start each child state machine it references.
    for child_machine in self.scheduler._scheduler_child_state_machines:
        child_machine.grant_start_execution(machine)