feat(custom-resources): state machine provider

Add a state machine custom resource provider.

It uses the nested workflow pattern where the "user" state machine is started
as a task in the provder state machine. This allows to set a timeout for the
custom resource.

This could be used as a base for a Fargate task custom resource provider.

Closes aws#6505

Author: jogold

packages/@aws-cdk/custom-resources/lib/index.ts

@@ -1,2 +1,3 @@
 export * from './aws-custom-resource';
-export * from './provider-framework';
+export * from './provider-framework';
+export * from './state-machine-provider';

packages/@aws-cdk/custom-resources/lib/state-machine-provider/index.ts

@@ -0,0 +1 @@
+export * from './state-machine-provider';

packages/@aws-cdk/custom-resources/lib/state-machine-provider/runtime/index.ts

@@ -0,0 +1,143 @@
+// tslint:disable no-console
+import { StepFunctions } from 'aws-sdk'; // eslint-disable-line import/no-extraneous-dependencies
+import * as https from 'https';
+import * as url from 'url';
+
+const CREATE_FAILED_PHYSICAL_ID_MARKER = 'AWSCDK::StateMachineProvider::CREATE_FAILED';
+const MISSING_PHYSICAL_ID_MARKER = 'AWSCDK::StateMachineProvider::MISSING_PHYSICAL_ID';
+
+interface ExecutionResult {
+  ExecutionArn: string;
+  Input: AWSLambda.CloudFormationCustomResourceEvent & { PhysicalResourceId?: string };
+  Name: string;
+  Output?: AWSLambda.CloudFormationCustomResourceResponse;
+  StartDate: number;
+  StateMachineArn: string;
+  Status: 'RUNNING' | 'SUCCEEDED' | 'FAILED' | 'TIMED_OUT' | 'ABORTED';
+  StopDate: number;
+}
+
+interface FailedExecutionEvent {
+  Error: string;
+  Cause: string;
+}
+
+interface CloudFormationResponse {
+  StackId: string;
+  RequestId: string;
+  PhysicalResourceId?: string;
+  LogicalResourceId: string;
+  ResponseURL: string;
+  Data?: any;
+  NoEcho?: boolean;
+  Reason?: string;
+}
+
+export async function cfnResponseSuccess(event: ExecutionResult, _context: AWSLambda.Context) {
+  console.log('Event: %j', event);
+  await respond('SUCCESS', {
+    ...event.Input,
+    PhysicalResourceId: event.Output?.PhysicalResourceId ?? event.Input.PhysicalResourceId ?? event.Input.RequestId,
+    Data: event.Output?.Data ?? {},
+    NoEcho: event.Output?.NoEcho,
+  });
+}
+
+export async function cfnResponseFailed(event: FailedExecutionEvent, _context: AWSLambda.Context) {
+  console.log('Event: %j', event);
+
+  const parsedCause = JSON.parse(event.Cause);
+  const executionResult: ExecutionResult = {
+    ...parsedCause,
+    Input: JSON.parse(parsedCause.Input),
+  };
+  console.log('Execution result: %j', executionResult);
+
+  let physicalResourceId = executionResult.Output?.PhysicalResourceId;
+  if (!physicalResourceId) {
+    // special case: if CREATE fails, which usually implies, we usually don't
+    // have a physical resource id. in this case, the subsequent DELETE
+    // operation does not have any meaning, and will likely fail as well. to
+    // address this, we use a marker so the provider framework can simply
+    // ignore the subsequent DELETE.
+    if (executionResult.Input.RequestType === 'Create') {
+      console.log('CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored');
+      physicalResourceId = CREATE_FAILED_PHYSICAL_ID_MARKER;
+    } else {
+      console.log(`ERROR: Malformed event. "PhysicalResourceId" is required: ${JSON.stringify(event)}`);
+    }
+  }
+
+  await respond('FAILED', {
+    ...executionResult.Input,
+    Reason: `${event.Error}: ${event.Cause}`,
+    PhysicalResourceId: physicalResourceId,
+  });
+}
+
+export async function startExecution(event: AWSLambda.CloudFormationCustomResourceEvent, _context: AWSLambda.Context) {
+  try {
+    console.log('Event: %j', event);
+
+    if (!process.env.STATE_MACHINE_ARN) {
+      throw new Error('Missing STATE_MACHINE_ARN.');
+    }
+
+    // ignore DELETE event when the physical resource ID is the marker that
+    // indicates that this DELETE is a subsequent DELETE to a failed CREATE
+    // operation.
+    if (event.RequestType === 'Delete' && event.PhysicalResourceId === CREATE_FAILED_PHYSICAL_ID_MARKER) {
+      console.log('ignoring DELETE event caused by a failed CREATE event');
+      await respond('SUCCESS', event);
+      return;
+    }
+
+    const stepFunctions = new StepFunctions();
+    await stepFunctions.startExecution({
+      stateMachineArn: process.env.STATE_MACHINE_ARN,
+      input: JSON.stringify(event),
+    }).promise();
+  } catch (err) {
+    console.log(err);
+    await respond('FAILED', {
+      ...event,
+      Reason: err.message,
+    });
+  }
+}
+
+function respond(status: 'SUCCESS' | 'FAILED', event: CloudFormationResponse) {
+  const json: AWSLambda.CloudFormationCustomResourceResponse = {
+    Status: status,
+    Reason: event.Reason ?? status,
+    PhysicalResourceId: event.PhysicalResourceId || MISSING_PHYSICAL_ID_MARKER,
+    StackId: event.StackId,
+    RequestId: event.RequestId,
+    LogicalResourceId: event.LogicalResourceId,
+    NoEcho: event.NoEcho ?? false,
+    Data: event.Data,
+  };
+
+  console.log('Responding: %j', json);
+
+  const responseBody = JSON.stringify(json);
+
+  const parsedUrl = url.parse(event.ResponseURL);
+  const requestOptions = {
+    hostname: parsedUrl.hostname,
+    path: parsedUrl.path,
+    method: 'PUT',
+    headers: { 'content-type': '', 'content-length': responseBody.length },
+  };
+
+  return new Promise((resolve, reject) => {
+    try {
+      const request = https.request(requestOptions, resolve);
+      request.on('error', reject);
+      request.write(responseBody);
+      request.end();
+    } catch (e) {
+      reject(e);
+    }
+  });
+}

packages/@aws-cdk/custom-resources/lib/state-machine-provider/state-machine-provider.ts

@@ -0,0 +1,139 @@
+import * as iam from '@aws-cdk/aws-iam';
+import * as lambda from '@aws-cdk/aws-lambda';
+import { CfnResource, Construct, Duration, Stack } from '@aws-cdk/core';
+import * as path from 'path';
+
+/**
+ * A State Machine
+ */
+export interface IStateMachine {
+  /**
+   * The ARN of the state machine
+   */
+  readonly stateMachineArn: string;
+}
+
+/**
+ * Properties for a StateMachineProvider
+ */
+export interface StateMachineProviderProps {
+  /**
+   * The state machine
+   */
+  readonly stateMachine: IStateMachine;
+
+  /**
+   * Timeout
+   *
+   * @default Duration.minutes(30)
+   */
+  readonly timeout?: Duration;
+}
+
+/**
+ * A state machine custom resource provider
+ */
+export class StateMachineProvider extends Construct {
+  /**
+   * The service token
+   */
+  public readonly serviceToken: string;
+
+  constructor(scope: Construct, id: string, props: StateMachineProviderProps) {
+    super(scope, id);
+
+    const cfnResponseSuccessFn = this.createCfnResponseFn('Success');
+    const cfnResponseFailedFn = this.createCfnResponseFn('Failed');
+
+    const role = new iam.Role(this, 'Role', {
+      assumedBy: new iam.ServicePrincipal('states.amazonaws.com'),
+    });
+    role.addToPolicy(new iam.PolicyStatement({
+      actions: ['lambda:InvokeFunction'],
+      resources: [cfnResponseSuccessFn.functionArn, cfnResponseFailedFn.functionArn],
+    }));
+    // https://docs.aws.amazon.com/step-functions/latest/dg/stepfunctions-iam.html
+    // https://docs.aws.amazon.com/step-functions/latest/dg/concept-create-iam-advanced.html#concept-create-iam-advanced-execution
+    role.addToPolicy(new iam.PolicyStatement({
+      actions: ['states:StartExecution'],
+      resources: [props.stateMachine.stateMachineArn],
+    }));
+    role.addToPolicy(new iam.PolicyStatement({
+      actions: ['states:DescribeExecution', 'states:StopExecution'],
+      resources: [Stack.of(this).formatArn({
+        service: 'states',
+        resource: 'execution',
+        sep: ':',
+        resourceName: `${Stack.of(this).parseArn(props.stateMachine.stateMachineArn, ':').resourceName}*`,
+      })],
+    }));
+    role.addToPolicy(new iam.PolicyStatement({
+      actions: ['events:PutTargets', 'events:PutRule', 'events:DescribeRule'],
+      resources: [Stack.of(this).formatArn({
+        service: 'events',
+        resource: 'rule',
+        resourceName: 'StepFunctionsGetEventsForStepFunctionsExecutionRule',
+      })],
+    }));
+
+    const definition = Stack.of(this).toJsonString({
+      StartAt: 'StartExecution',
+      States: {
+        StartExecution: {
+          Type: 'Task',
+          Resource: 'arn:aws:states:::states:startExecution.sync:2',
+          Parameters: {
+            'Input.$': '$',
+            'StateMachineArn': props.stateMachine.stateMachineArn,
+          },
+          TimeoutSeconds: (props.timeout ?? Duration.minutes(30)).toSeconds(),
+          Next: 'CfnResponseSuccess',
+          Catch: [{
+            ErrorEquals: [ 'States.ALL' ],
+            Next: 'CfnResponseFailed',
+          }],
+        },
+        CfnResponseSuccess: {
+          Type: 'Task',
+          Resource: cfnResponseSuccessFn.functionArn,
+          End: true,
+        },
+        CfnResponseFailed: {
+          Type: 'Task',
+          Resource: cfnResponseFailedFn.functionArn,
+          End: true,
+        },
+      },
+    }, 2);
+
+    const stateMachine = new CfnResource(this, 'StateMachine', {
+      type: 'AWS::StepFunctions::StateMachine',
+      properties: {
+        DefinitionString: definition,
+        RoleArn: role.roleArn,
+      },
+    });
+    stateMachine.node.addDependency(role);
+
+    const startExecution = new lambda.Function(this, 'StartExecution', {
+      code: lambda.Code.fromAsset(path.join(__dirname, 'runtime')),
+      handler: 'index.startExecution',
+      runtime: lambda.Runtime.NODEJS_12_X,
+    });
+    startExecution.addToRolePolicy(new iam.PolicyStatement({
+      actions: ['states:StartExecution'],
+      resources: [stateMachine.ref],
+    }));
+    startExecution.addEnvironment('STATE_MACHINE_ARN', stateMachine.ref);
+
+    this.serviceToken = startExecution.functionArn;
+  }
+
+  private createCfnResponseFn(status: string) {
+    return new lambda.Function(this, `CfnResponse${status}`, {
+      code: lambda.Code.fromAsset(path.join(__dirname, 'runtime')),
+      handler: `index.cfnResponse${status}`,
+      runtime: lambda.Runtime.NODEJS_12_X,
+    });
+  }
+}