# Sample config for the DataOps Step Function module - no-project
# variant. Demonstrates standalone Step Functions with explicit KMS,
# bucket, deployment role, and security configuration.

# The ARNs below contain {{partition}}, {{region}} and {{account}}
# placeholders; presumably the consuming tool substitutes them at
# deploy time - confirm. The test-* names are sample values that
# must be replaced with real resources.

# (Optional) KMS key ARN for encrypting DataOps resources and data.
# Auto-resolved from project when projectName is set.
kmsArn: arn:{{partition}}:kms:{{region}}:{{account}}:key/test-key-id
# (Optional) S3 bucket name for project storage (scripts, artifacts,
# temp files). Auto-resolved from project when projectName is set.
bucketName: test-stepfn-bucket
# (Optional) IAM role ARN for deployment operations and resource
# management. Auto-resolved from project when projectName is set.
# NOTE(review): the permissions this role needs are not visible in
# this file; scope it to what the deployment actually requires.
deploymentRoleArn: arn:{{partition}}:iam::{{account}}:role/test-deploy-role
# (Optional) Glue security configuration name for job encryption
# (at rest, in transit, CloudWatch logs). Auto-resolved from project
# when projectName is set.
securityConfigurationName: test-security-config
# (Optional) SNS topic ARN for job notifications and workflow alerts.
# Auto-resolved from project when projectName is set.
notificationTopicArn: arn:{{partition}}:sns:{{region}}:{{account}}:test-topic

# List of step function definitions
stepfunctionDefinitions:
  - stateMachineName: sample-state-machine-1
    # State Machine Type can be STANDARD or EXPRESS. Refer to https://docs.aws.amazon.com/step-functions/latest/dg/concepts-standard-vs-express.html
    stateMachineType: STANDARD
    # ARN of the role that will be used to execute the step function.
    # Can be specified as a string or as an SSM parameter in the format {{resolve:ssm:/path/to/ssm/parameter}}
    # (the form used inside rawStepFunctionDef in this file).
    # Often created by the Roles module.
    # Example SSM: ssm:/{{org}}/{{domain}}/<roles_module_name>/role/<role_name>/arn
    # Keep this role least-privilege: the sample definition in this file only calls
    # glue:startCrawler and glue:getCrawler through the aws-sdk integration.
    stateMachineExecutionRole: 'arn:{{partition}}:iam::{{account}}:role/service-role/StepFunctions-explore-Table1sInfo-ETL-role-4c710b67'
    # Optional. Number of days the logs will be retained in CloudWatch.
    # Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0.
    # If you specify 0, the events in the log group are always retained and never expire.
    # Default, if property not specified, is 731 days.
    # This sample uses 0 (never expire); the suppression at the end of this definition
    # records the justification. Choose a finite value if nothing else manages retention.
    logGroupRetentionDays: 0
    # Required. true or false. Enable or disable logging execution data e.g. parameter values etc.
    # Execution data can carry whatever the states pass around, so leave this false unless
    # access to the log group and its encryption are suited to that data.
    logExecutionData: false
    # Integration with EventBridge for the purpose
    # of triggering this function with EventBridge rules
    eventBridge:
      # Number of times EventBridge will attempt to trigger this step function
      # before sending the event to the DLQ.
      retryAttempts: 10
      # The max age of an event before EventBridge sends it to the DLQ.
      maxEventAgeSeconds: 3600
      # List of S3 buckets and prefixes which will be monitored via EventBridge in order to trigger this function
      # Note that the S3 bucket must have EventBridge notifications enabled.
      # Any object event matching a listed bucket and prefix starts an execution, so keep
      # the prefix as narrow as the workload allows.
      s3EventBridgeRules:
        testing-event-bridge-s3:
          # The bucket producing event notifications
          buckets: [sample-org-dev-instance1-datalake-raw]
          # Optional - The S3 prefix to match events on
          prefixes: [data/test-lambda/]
          # Optional - Can specify a custom event bus for S3 rules, but note that S3 EventBridge notifications
          # are initially sent only to the default bus in the account, and would need to be
          # forwarded to the custom bus before this rule would match.
          eventBusArn: 'arn:{{partition}}:events:{{region}}:{{account}}:event-bus/some-custom-name'
      # List of generic EventBridge rules which will trigger this function
      eventBridgeRules:
        testing-event-bridge:
          description: 'testing'
          # Custom event bus the rule is attached to. The eventPattern below is the only
          # filter on what starts an execution: any event on this bus that matches it will
          # trigger the function, so keep both the pattern and the bus's publish permissions narrow.
          eventBusArn: 'arn:{{partition}}:events:{{region}}:{{account}}:event-bus/some-custom-name'
          eventPattern:
            source:
              - 'glue.amazonaws.com'
            detail:
              some_event_key: some_event_value
        testing-event-bridge-schedule:
          description: 'testing'
          # (Optional) - Rules can be scheduled using a cron expression
          scheduleExpression: 'cron(0 20 * * ? *)'
          # (Optional) - If specified, this input will be passed as the event payload to the function.
          # If not specified, the matched event payload will be passed as input.
          input:
            some-test-input-obj:
              some-test-input-key: test-value
    # The rawStepFunctionDef is Amazon States Language (ASL) JSON exported or copied from the AWS Console.
    # Environment specific attributes can be specified as SSM Parameters in format {{resolve:ssm:/path/to/ssm/parameter}}
    # This sample starts a Glue crawler, waits 5 seconds, reads the crawler state, and loops
    # back to the wait while the state is RUNNING or STOPPING.
    # NOTE(review): StartCrawler resolves the crawler name from /org/domain/... while
    # GetCrawlerStatus resolves it from /org/domain1/...; confirm both point at the same crawler.
    # NOTE(review): any Crawler.State other than RUNNING, STOPPING, FAILED or STOPPED falls
    # through to 'Default': 'Success'. Confirm which State values GetCrawler actually returns,
    # so that a failed crawl cannot be reported as a successful execution.
    rawStepFunctionDef:
      {
        'Comment': 'A description of my state machine',
        'StartAt': 'StartCrawler-Domain1',
        'States':
          {
            'StartCrawler-Domain1':
              {
                'Type': 'Task',
                'Next': 'WaitForDomain1Crawler',
                'Parameters':
                  { 'Name': '{{resolve:ssm:/org/domain/glue-project/crawler/name/raw-source-files-crawler}}' },
                'Resource': 'arn:{{partition}}:states:::aws-sdk:glue:startCrawler',
              },
            'WaitForDomain1Crawler': { 'Type': 'Wait', 'Seconds': 5, 'Next': 'GetCrawlerStatus-Domain1' },
            'GetCrawlerStatus-Domain1':
              {
                'Type': 'Task',
                'Next': 'CheckStatus-Domain1Crawler',
                'Parameters':
                  { 'Name': '{{resolve:ssm:/org/domain1/glue-project/crawler/name/raw-source-files-crawler}}' },
                'Resource': 'arn:{{partition}}:states:::aws-sdk:glue:getCrawler',
              },
            'CheckStatus-Domain1Crawler':
              {
                'Type': 'Choice',
                'Choices':
                  [
                    {
                      'Or':
                        [
                          { 'Variable': '$.Crawler.State', 'StringEquals': 'RUNNING' },
                          { 'Variable': '$.Crawler.State', 'StringEquals': 'STOPPING' },
                        ],
                      'Next': 'WaitForDomain1Crawler',
                    },
                    {
                      'Or':
                        [
                          { 'Variable': '$.Crawler.State', 'StringEquals': 'FAILED' },
                          { 'Variable': '$.Crawler.State', 'StringEquals': 'STOPPED' },
                        ],
                      'Next': 'Fail-Domain1Crawler',
                    },
                  ],
                'Default': 'Success',
              },
            'Success': { 'Type': 'Pass', 'End': true },
            'Fail-Domain1Crawler': { 'Type': 'Fail', 'Cause': 'GlueCrawlerError - Glue Crawler Failed' },
          },
      }
    # Findings suppressed for this state machine; each entry names the finding by `id`
    # and records the justification in `reason`.
    # NOTE(review): the reason is about log group retention only, but the id is the bare
    # 'NIST.800.53.R5'. Confirm how the consuming tool matches ids, so that this entry
    # suppresses only the retention finding and not a wider set of checks.
    suppressions:
      - id: 'NIST.800.53.R5'
        reason: 'Cloudwatch Log Group retention period is managed by AWS Secure Environment Accelerator'
