feat(stepfunctions-tasks): add elasticmapreduce:AddTags permission for EmrCreateCluster state with tags (#24856)

Beginning April 24, 2023, Amazon Elastic Map Reduce (EMR) will start to require permission for the "elasticmapreduce:AddTags" IAM action when creating an EMR cluster with tags. This commit updates the EmrCreateCluster state to add elasticmapreduce:AddTags action to the state machine execution role when tags have been defined.

Closes #24842.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: sjakthol

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-with-tags.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "31.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "EmrCreateClusterTestDefaultTestDeployAssert697DC891.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-with-tags.js.snapshot/EmrCreateClusterTestDefaultTestDeployAssert697DC891.template.json

@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-with-tags.js.snapshot/aws-cdk-emr-create-cluster.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "31.0.0",
+  "files": {
+    "8535838cc39b895502fa6e0a308dd851831b75ca0764b24e626715c1e558c6a4": {
+      "source": {
+        "path": "aws-cdk-emr-create-cluster.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "8535838cc39b895502fa6e0a308dd851831b75ca0764b24e626715c1e558c6a4.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-with-tags.js.snapshot/aws-cdk-emr-create-cluster.template.json

@@ -0,0 +1,297 @@
+{
+ "Resources": {
+  "EmrCreateClusterServiceRole5251910D": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Condition": {
+        "StringEquals": {
+         "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
+        }
+       },
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "elasticmapreduce.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AmazonEMRServicePolicy_v2"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "EmrCreateClusterInstanceRoleC80466F5": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "ec2.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "EmrCreateClusterInstanceProfileC1729180": {
+   "Type": "AWS::IAM::InstanceProfile",
+   "Properties": {
+    "Roles": [
+     {
+      "Ref": "EmrCreateClusterInstanceRoleC80466F5"
+     }
+    ],
+    "InstanceProfileName": {
+     "Ref": "EmrCreateClusterInstanceRoleC80466F5"
+    }
+   }
+  },
+  "EmrCreateClusterAutoScalingRoleFDDAF4E2": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": [
+         "application-autoscaling.amazonaws.com",
+         "elasticmapreduce.amazonaws.com"
+        ]
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "SMRole49C19C48": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "states.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "SMRoleDefaultPolicy34CA15C7": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": [
+        "elasticmapreduce:DescribeCluster",
+        "elasticmapreduce:RunJobFlow",
+        "elasticmapreduce:TerminateJobFlows"
+       ],
+       "Effect": "Allow",
+       "Resource": "*"
+      },
+      {
+       "Action": "iam:PassRole",
+       "Effect": "Allow",
+       "Resource": [
+        {
+         "Fn::GetAtt": [
+          "EmrCreateClusterAutoScalingRoleFDDAF4E2",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::GetAtt": [
+          "EmrCreateClusterInstanceRoleC80466F5",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::GetAtt": [
+          "EmrCreateClusterServiceRole5251910D",
+          "Arn"
+         ]
+        }
+       ]
+      },
+      {
+       "Action": "elasticmapreduce:AddTags",
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::Join": [
+         "",
+         [
+          "arn:",
+          {
+           "Ref": "AWS::Partition"
+          },
+          ":elasticmapreduce:",
+          {
+           "Ref": "AWS::Region"
+          },
+          ":",
+          {
+           "Ref": "AWS::AccountId"
+          },
+          ":cluster/*"
+         ]
+        ]
+       }
+      },
+      {
+       "Action": [
+        "events:DescribeRule",
+        "events:PutRule",
+        "events:PutTargets"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::Join": [
+         "",
+         [
+          "arn:",
+          {
+           "Ref": "AWS::Partition"
+          },
+          ":events:",
+          {
+           "Ref": "AWS::Region"
+          },
+          ":",
+          {
+           "Ref": "AWS::AccountId"
+          },
+          ":rule/StepFunctionsGetEventForEMRRunJobFlowRule"
+         ]
+        ]
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "SMRoleDefaultPolicy34CA15C7",
+    "Roles": [
+     {
+      "Ref": "SMRole49C19C48"
+     }
+    ]
+   }
+  },
+  "SM934E715A": {
+   "Type": "AWS::StepFunctions::StateMachine",
+   "Properties": {
+    "RoleArn": {
+     "Fn::GetAtt": [
+      "SMRole49C19C48",
+      "Arn"
+     ]
+    },
+    "DefinitionString": {
+     "Fn::Join": [
+      "",
+      [
+       "{\"StartAt\":\"EmrCreateCluster\",\"States\":{\"EmrCreateCluster\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:",
+       {
+        "Ref": "AWS::Partition"
+       },
+       ":states:::elasticmapreduce:createCluster.sync\",\"Parameters\":{\"Instances\":{\"KeepJobFlowAliveWhenNoSteps\":true},\"JobFlowRole\":\"",
+       {
+        "Ref": "EmrCreateClusterInstanceRoleC80466F5"
+       },
+       "\",\"Name\":\"Cluster\",\"ServiceRole\":\"",
+       {
+        "Ref": "EmrCreateClusterServiceRole5251910D"
+       },
+       "\",\"AutoScalingRole\":\"",
+       {
+        "Ref": "EmrCreateClusterAutoScalingRoleFDDAF4E2"
+       },
+       "\",\"Tags\":[{\"Key\":\"Key\",\"Value\":\"Value\"}],\"VisibleToAllUsers\":true}}}}"
+      ]
+     ]
+    }
+   },
+   "DependsOn": [
+    "SMRoleDefaultPolicy34CA15C7",
+    "SMRole49C19C48"
+   ],
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-with-tags.js.snapshot/cdk.out

@@ -0,0 +1 @@
+{"version":"31.0.0"}

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-with-tags.js.snapshot/integ.json

@@ -0,0 +1,12 @@
+{
+  "version": "31.0.0",
+  "testCases": {
+    "EmrCreateClusterTest/DefaultTest": {
+      "stacks": [
+        "aws-cdk-emr-create-cluster"
+      ],
+      "assertionStack": "EmrCreateClusterTest/DefaultTest/DeployAssert",
+      "assertionStackName": "EmrCreateClusterTestDefaultTestDeployAssert697DC891"
+    }
+  }
+}