Minimum reproduction:
Create a state machine, with a singular step with resource arn:aws:states:::states:startExecution.sync, i.e. executing another state machine, and define the arn using Fn::GetAtt function.
When executing the parent state machine in Step Functions Local:
Invalid Arn: '{"Fn::GetAtt":["ChildStateMachineId","Arn"]}' (Service: AWSStepFunctions; Status Code: 400; Error Code: InvalidArn; Request ID: null; Proxy: null)
What happens when executing the parent in 'live' AWS stepfunctions console:
ExecutionSucceeded
Template for an example state machine to reproduce (in yml for brevity):
AWSTemplateFormatVersion: 2010-09-09
Description: The AWS CloudFormation template for this Serverless application
Resources:
  ServerlessDeploymentBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  ServerlessDeploymentBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref ServerlessDeploymentBucket
      PolicyDocument:
        Statement:
          - Action: 's3:*'
            Effect: Deny
            Principal: '*'
            Resource:
              - !Join
                - ''
                - - 'arn:'
                  - !Ref 'AWS::Partition'
                  - ':s3:::'
                  - !Ref ServerlessDeploymentBucket
                  - /*
              - !Join
                - ''
                - - 'arn:'
                  - !Ref 'AWS::Partition'
                  - ':s3:::'
                  - !Ref ServerlessDeploymentBucket
            Condition:
              Bool:
                'aws:SecureTransport': false
  ParentStateMachineIdRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub 'states.${AWS::Region}.amazonaws.com'
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: dev-stepfunctions-statemachine
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'states:StartExecution'
                Resource:
                  - !GetAtt
                    - ChildStateMachineId
                    - Arn
              - Effect: Allow
                Action:
                  - 'states:DescribeExecution'
                  - 'states:StopExecution'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'events:PutTargets'
                  - 'events:PutRule'
                  - 'events:DescribeRule'
                Resource:
                  - !Sub
                    - >-
                      arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule
                    - {}
  ChildStateMachineIdRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub 'states.${AWS::Region}.amazonaws.com'
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: dev-stepfunctions-statemachine
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Deny
                Action: '*'
                Resource: '*'
  ParentStateMachineId:
    Type: 'AWS::StepFunctions::StateMachine'
    Properties:
      DefinitionString: !Sub
        - |-
          {
            "StartAt": "StartChildStateMachine",
            "States": {
              "StartChildStateMachine": {
                "Type": "Task",
                "Resource": "arn:aws:states:::states:startExecution.sync",
                "Parameters": {
                  "StateMachineArn": "${1e6e8813e9805d9988de892f7ee7123c}",
                  "Input": {
                    "NeedCallback": false
                  }
                },
                "End": true,
                "ResultPath": "$.StartChildStateMachine"
              }
            }
          }
        - 1e6e8813e9805d9988de892f7ee7123c: !GetAtt
            - ChildStateMachineId
            - Arn
      RoleArn: !GetAtt
        - ParentStateMachineIdRole
        - Arn
      StateMachineName: ParentStateMachine
    DependsOn:
      - ParentStateMachineIdRole
  ChildStateMachineId:
    Type: 'AWS::StepFunctions::StateMachine'
    Properties:
      DefinitionString: |-
        {
          "StartAt": "ChildDone",
          "States": {
            "ChildDone": {
              "Type": "Succeed"
            }
          }
        }
      RoleArn: !GetAtt
        - ChildStateMachineIdRole
        - Arn
      StateMachineName: ChildStateMachine
    DependsOn:
      - ChildStateMachineIdRole
Outputs:
  ServerlessDeploymentBucketName:
    Value: !Ref ServerlessDeploymentBucket
    Export:
      Name: sls-stepfunctions-dev-ServerlessDeploymentBucketName
  ParentStateMachineIdArn:
    Description: Current StateMachine Arn
    Value: !Ref ParentStateMachineId
    Export:
      Name: sls-stepfunctions-dev-ParentStateMachineIdArn
  ChildStateMachineIdArn:
    Description: Current StateMachine Arn
    Value: !Ref ChildStateMachineId
    Export:
      Name: sls-stepfunctions-dev-ChildStateMachineIdArn
Output of aws stepfunctions --endpoint http://localhost:8083 describe-state-machine --state-machine-arn arn:aws:states:eu-north-1:101010101010:stateMachine:ParentStateMachine
{
"stateMachineArn": "arn:aws:states:eu-north-1:101010101010:stateMachine:ParentStateMachine",
"name": "ParentStateMachine",
"status": "ACTIVE",
"definition": "{\"StartAt\":\"StartChildStateMachine\",\"States\":{\"StartChildStateMachine\":{\"Type\":\"Task\",\"Resource\":\"arn:aws:states:::states:startExecution.sync\",\"Parameters\":{\"StateMachineArn\":{\"Fn::GetAtt\":[\"ChildStateMachineId\",\"Arn\"]},\"Input\":{\"NeedCallback\":false}},\"End\":true,\"ResultPath\":\"$.StartChildStateMachine\"}}}",
"roleArn": "arn:aws:iam::101010101010:role/DummyRole",
"type": "STANDARD",
"creationDate": "2023-09-18T14:09:40.648000+02:00"
}
Thank you for taking a look into it, still looks like a bug in SF Local. The reason is because once I replace StateMachineArn with hardcoded Arn, like arn:aws:states:eu-north-1:101010101010:stateMachine:ChildStateMachine, and start execution of the parent state machine from CLI, then follow up with describe execution for the resulting execution Arn - I get "status": "SUCCEEDED". So my setup seems fine, I am able to connect to SF Local and start successful execution, it just works with hardcoded Arn, doesn't resolve GetAtt Arn in SF Local, yet does resolve it correctly on AWS.
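
Added example, not part of the original thread: a small Python check that parses describe-state-machine output like the one above and reports every CloudFormation intrinsic (Ref or Fn::*) still present in the stored definition. The function names are hypothetical, the sample input is constructed from the output shown in the post, and treating any one-key Ref/Fn:: object as an intrinsic is a heuristic assumption.

```python
import json


def is_intrinsic(node):
    """Heuristic: a CloudFormation intrinsic is a one-key object, {"Ref": ...} or {"Fn::X": ...}."""
    if not isinstance(node, dict) or len(node) != 1:
        return False
    key = next(iter(node))
    return key == "Ref" or key.startswith("Fn::")


def find_unresolved(node, path="$"):
    """Return [(json_path, intrinsic_name)] for every intrinsic left in the definition."""
    if is_intrinsic(node):
        return [(path, next(iter(node)))]
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_unresolved(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits += find_unresolved(value, f"{path}[{index}]")
    return hits


def check_describe_output(describe_json):
    """Parse describe-state-machine JSON text; its "definition" field is itself a JSON string."""
    definition = json.loads(json.loads(describe_json)["definition"])
    return find_unresolved(definition)


# Constructed sample: the describe-state-machine output from the post, trimmed to two fields.
SAMPLE = json.dumps({
    "name": "ParentStateMachine",
    "definition": json.dumps({
        "StartAt": "StartChildStateMachine",
        "States": {"StartChildStateMachine": {
            "Type": "Task",
            "Resource": "arn:aws:states:::states:startExecution.sync",
            "Parameters": {
                "StateMachineArn": {"Fn::GetAtt": ["ChildStateMachineId", "Arn"]},
                "Input": {"NeedCallback": False}},
            "End": True,
            "ResultPath": "$.StartChildStateMachine"}}}),
})

if __name__ == "__main__":
    for path, name in check_describe_output(SAMPLE):
        print(f"unresolved {name} at {path}")
```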