terraform-aws-control_tower_account_factory
states:StopExecution permissions are incorrect for the aft-invoke-customizations-execution-role
AFT Version: CURRENT
(Can be found in the AFT Management Account in the SSM Parameter /aft/config/aft/version)
Terraform Version & Provider Versions: N/A
Bug Description
aft-invoke-customizations-execution-role is given states:StopExecution permissions, but the resource that is specified does not give it any permissions to stop executions, as it specifies stateMachine resources and not execution resources.
https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/26667e52d0e2f46e3213239933a1c8fcf1a83166/modules/aft-customizations/iam/role-policies/aft_states_invoke_customizations_policy.tpl#L29
Expected behavior
Add "arn:${data_aws_partition_current_partition}:states:${data_aws_region_aft-management_name}:${data_aws_caller_identity_aft-management_account_id}:execution:aft-*" to the resources allowed by this statement.
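The mismatch the report describes can be checked offline: StopExecution is evaluated against an execution ARN (execution:<stateMachine>:<execution>), so a Resource list containing only stateMachine ARNs never matches it. The following is an added example, not code from the AFT project; the partition, region, account and state machine names are constructed placeholders, and the statement is reduced to the one action discussed in the report.

```python
import re

# Constructed placeholders standing in for the template variables in the policy.
PARTITION, REGION, ACCOUNT = "aws", "us-east-1", "111111111111"
_PREFIX = f"arn:{PARTITION}:states:{REGION}:{ACCOUNT}"

# Statement as reported: StopExecution allowed, but only stateMachine resources listed.
BEFORE = {
    "Effect": "Allow",
    "Action": ["states:StopExecution"],
    "Resource": [f"{_PREFIX}:stateMachine:aft-*"],
}

# Statement with the execution ARN pattern the report asks to add.
AFTER = {
    "Effect": "Allow",
    "Action": ["states:StopExecution"],
    "Resource": [f"{_PREFIX}:stateMachine:aft-*", f"{_PREFIX}:execution:aft-*"],
}


def iam_match(pattern, value):
    """IAM-style glob for ARNs and actions: '*' matches any run, '?' one character."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def allows(statement, action, resource_arn):
    """True if an Allow statement covers both the action and the resource ARN."""
    if statement["Effect"] != "Allow":
        return False
    return any(iam_match(a, action) for a in statement["Action"]) and any(
        iam_match(r, resource_arn) for r in statement["Resource"]
    )


# Constructed ARNs: the execution ARN is what StopExecution is authorized against.
STATE_MACHINE_ARN = f"{_PREFIX}:stateMachine:aft-invoke-customizations"
EXECUTION_ARN = f"{_PREFIX}:execution:aft-invoke-customizations:run-0001"

if __name__ == "__main__":
    for name, stmt in (("before", BEFORE), ("after", AFTER)):
        ok = allows(stmt, "states:StopExecution", EXECUTION_ARN)
        print(f"{name}: StopExecution on execution ARN allowed = {ok}")
```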
Hi @bmorrissirromb,
Thanks for letting us know about the improper resource type for the policy action. Is this causing an active issue for you while using AFT?
@stumins I don't think it is -- I think we have upstream failures that are causing the StopExecution call to be made, so that's our current blocker. But we do get CloudTrail failures for insufficient permissions to run StopExecution.
Understood, thanks for the context - I've added a backlog item for us to fix this policy.
We've addressed this in the latest AFT release!
https://github.com/aws-ia/terraform-aws-control_tower_account_factory/releases/tag/1.12.0