I have noticed what appears to be a regression in the Step Functions integration of the EC2 API. We use a step function to manage launch templates for various EC2 configurations. When we invoke it, our step function takes in a uuid and checks if there is a corresponding launch template for that uuid. If there is, then we update the launch template, otherwise we create a new one. This check hasn't been changed, but recently began failing (only in one environment, thankfully not production).
The behaviour we are seeing is:
- When a uuid which does not have a corresponding launch template is given to the step function, everything works as expected and a new launch template is created.
- When a uuid which does have a corresponding launch template is given, the step function receives an empty list from the
DescribeLaunchTemplates step with a pagination token.
- I have tested using the pagination token in a subsequent step, and it then does return the expected launch template info.
- When making the equivalent call from the AWS CLI, the template info is returned.
- When
DescribeLaunchTemplates is replaced with DescribeLaunchTemplateVersions it returns the expected info.
I have been able to create a minimal repro of this issue with the following step function:
{
"Comment": "A description of my state machine",
"StartAt": "DescribeLaunchTemplates",
"States": {
"DescribeLaunchTemplates": {
"Type": "Task",
"Parameters": {
"Filters": [
{
"Name": "launch-template-name",
"Values.$": "States.Array(States.Format('Lt_{}', $.uuid))"
}
],
"MaxResults": 200
},
"Resource": "arn:aws:states:::aws-sdk:ec2:describeLaunchTemplates",
"Next": "DescribeLaunchTemplates With NextToken",
"ResultPath": "$.input"
},
"DescribeLaunchTemplates With NextToken": {
"Type": "Task",
"End": true,
"Parameters": {
"Filters": [
{
"Name": "launch-template-name",
"Values.$": "States.Array(States.Format('Lt_{}', $.uuid))"
}
],
"NextToken.$": "$.input.NextToken"
},
"Resource": "arn:aws:states:::aws-sdk:ec2:describeLaunchTemplates"
}
}
}
Is this an issue that anyone else has seen? Or is there something wrong with the above approach? While adding the additional paginated call fixes the issue, it seems both wrong to have to paginate for a single entry and to have to add an additional transition to account for what appears to be a bug.
Any help/advice is greatly appreciated.
You mentioned that it's only happening in one environment, how many environments do you have that have this workflow? Are there any differences between them(eg: IAM/roles?) or recent changes to your dev workflow? Are they actual separate accounts or just different resources in a single account?