AWS StepFunction with Invoke Child Workflow state using cloud formation giving in

I'm trying to create a state machine that can invoke another state machine. I tried the following approach to get the ARN. However, this returns the error "Arn is not a valid property" when the stack is being created.

  ParentStateMachine:
    Type: "AWS::StepFunctions::StateMachine"
    Properties:
      StateMachineName: !Sub "ParentStateMachine"
      DefinitionString:
        Fn::Sub:
          # first argument: the definition template with ${...} placeholders
          - |-
            {
              "Comment": "...",
              "StartAt": "State1",
              "States": {
                "State1": {
                  "Type": "Task",
                  "Resource": "arn:aws:states:::states:startExecution.sync",
                  "Parameters": {
                    "StateMachineArn": "${ChildStateMachineArn}",
                    "Input": {
                      "StatePayload": {
                        "datasetDate.$": "$.datasetDate"
                      },
                      "AWS_STEP_FUNCTIONS_STARTED_BY_EXECUTION_ID.$": "$$.Execution.Id"
                    }
                  },
                  "End": true
                }
              }
            }
          # second argument: the variable map, written as a block mapping
          # (YAML does not allow a block-style Fn::GetAtt inside a { } flow mapping)
          - ChildStateMachineArn:
              Fn::GetAtt:
                - ChildStateMachine
                - Arn
      RoleArn:
        Fn::GetAtt:
          - StatesExecutionRole
          - Arn

I've also tried to generate the ARN using this string:

arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:ChildStateMachine

However, this gave the error:

Failed to call Step Functions for request: 'com.amazonaws.services.stepfunctions.model.CreateStateMachineRequest'. (Service: null; Status Code: 500; Error Code: null; Request ID: null)

I'm able to create other types of state machines using CloudFormation. Only when I'm trying to create one that executes a child workflow does it not work. When I go to CloudTrail, the CreateStateMachine event has an error code of Access Denied. I've given Admin Access to the role. Has anyone faced this issue and found a solution?

Buddha asked Mar 04 '23 02:03



1 Answer

For states using the "Wait For callback" patterns (those ending in .sync or .waitForTaskToken), you need special policies, as mentioned here.

Specifically, in your case, in addition to the standard states:StartExecution policy you need to add event-related policies:

  • events:PutTargets
  • events:PutRule
  • events:DescribeRule

And policies dedicated to describing and stopping the execution:

  • states:DescribeExecution
  • states:StopExecution

Details can be found here.

For simplicity, most of the time I use the following policies:

  # inline policies attached to the execution role (Policies property of AWS::IAM::Role)
  - PolicyName: StatesStartExecutionPolicy
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - "states:*"
          Resource: "*"
  - PolicyName: StatesAccessEventsPolicy
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - "events:*"
          Resource: "*"
Rostyslav Shevchenko answered Apr 08 '23 14:04

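The wildcard policies in the answer work, but they let the parent role start, stop and describe every state machine in the account and manage every EventBridge rule. As an added example (not from the question or the answer), here is the same set of permissions the answer lists, scoped to the child state machine and to the fixed rule name Step Functions documents for the .sync integration; it assumes the ChildStateMachine and StatesExecutionRole logical IDs used in the question's template.

```yaml
  StatesExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: states.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: StartChildExecutionPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # states:StartExecution only on the child, not on "*"
              - Effect: Allow
                Action: states:StartExecution
                Resource: !GetAtt ChildStateMachine.Arn
              # .sync polls the child execution and must be able to stop it;
              # execution ARNs are scoped by the child's state machine name
              - Effect: Allow
                Action:
                  - states:DescribeExecution
                  - states:StopExecution
                Resource: !Sub "arn:aws:states:${AWS::Region}:${AWS::AccountId}:execution:${ChildStateMachine.Name}:*"
              # the .sync integration creates and reads one EventBridge rule
              # with this documented fixed name; nothing else under events:*
              - Effect: Allow
                Action:
                  - events:PutTargets
                  - events:PutRule
                  - events:DescribeRule
                Resource: !Sub "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
```

If the stack still fails with Access Denied, compare the CloudTrail CreateStateMachine event's error message against these three statements; each maps to one of the action groups the answer names.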