stepfunctions: Operation enum like for dynamodb #29948

Open
2 tasks
xfudox opened this issue Apr 24, 2024 · 3 comments
Labels
@aws-cdk/aws-stepfunctions Related to AWS StepFunctions feature-request A feature should be added or improved. p2

Comments

xfudox commented Apr 24, 2024

Describe the feature

It would be useful to have an Operation enum like for dynamodb that lists all the available operations.

Use Case

Without an enum, writing code that assigns actions to policies relies on literal strings, so the IDE is not capable of suggesting autocomplete options.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.128.0 (build d995261)

Environment details (OS name and version, etc.)

Ubuntu 22.04.4 LTS 64-bit

@xfudox xfudox added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Apr 24, 2024
@github-actions github-actions bot added the @aws-cdk/aws-stepfunctions Related to AWS StepFunctions label Apr 24, 2024
Contributor

pahud commented Apr 25, 2024

Can you elaborate on what exactly you need, with some code snippets, or specify which construct class or properties you need the enum support for?

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Apr 25, 2024
Author

xfudox commented Apr 26, 2024

The aws-dynamodb package has an Operation enum listing all the strings that represent the possible actions that can be used to define policies/permissions:

const iam = require('aws-cdk-lib/aws-iam');
const dynamodb = require('aws-cdk-lib/aws-dynamodb');

const role = new iam.Role(this, 'MyRole', {
    assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com')
});
role.addToPolicy(new iam.PolicyStatement({
    resources: [ /* some dynamodb table ARN */ ],
    actions: ['dynamodb:' + dynamodb.Operation.PUT_ITEM]
}));

Such a useful feature is not present in the aws-stepfunctions package, so for the same scenario it is necessary to use literal strings to define the permitted action:

const iam = require('aws-cdk-lib/aws-iam');
const stepfunctions = require('aws-cdk-lib/aws-stepfunctions');

const role = new iam.Role(this, 'HandleNewAlbumEventRole', {
    assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com')
});
role.addToPolicy(new iam.PolicyStatement({
    resources: [ /* some stepfunctions state machine arn */ ],
    actions: ['states:StartExecution'] // <- HERE
}));

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Apr 26, 2024
Contributor

daschaa commented May 4, 2024

Hi @xfudox :) I really appreciate the idea of having an enum for the actions, so that a user of the CDK does not need to search for all the available actions in the documentation.
However, I'm not sure if the effort is worth the benefit here. The only use case for that enum that I see is for IAM policies. And in regard to that, I would rather recommend using the grant* methods from the StateMachine class, like grantStartExecution for example. [1] In my opinion the grant* methods are a better abstraction for the CDK users than providing an enum with all the available actions, because with just the enum values you cannot be sure that you have "grouped" all actions together that you need for a policy. (For example, to grant an identity to read the results from a state machine you need "states:ListExecutions", "states:ListStateMachines", "states:DescribeExecution", "states:DescribeStateMachineForExecution", "states:GetExecutionHistory", "states:ListActivities", "states:DescribeStateMachine", "states:DescribeActivity")

What do you think about that? I would be interested in your opinion :)

[1] https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachine.html#methods
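
The two failure modes discussed in this thread (a mistyped literal action string, and a forgotten member of an action group) can both be checked on a policy statement. The following is an added example, not code from the thread or from aws-cdk; `StatesAction`, `READ_GROUP` and `lintStatesActions` are hypothetical names, and the action list is limited to the actions named on this page, so `not-in-list` means only that.

```javascript
// Added example, not aws-cdk code. Names below are hypothetical.
// Stand-in for the requested enum; lists only the actions named in this thread.
const StatesAction = Object.freeze({
  START_EXECUTION: 'states:StartExecution',
  LIST_EXECUTIONS: 'states:ListExecutions',
  LIST_STATE_MACHINES: 'states:ListStateMachines',
  DESCRIBE_EXECUTION: 'states:DescribeExecution',
  DESCRIBE_STATE_MACHINE_FOR_EXECUTION: 'states:DescribeStateMachineForExecution',
  GET_EXECUTION_HISTORY: 'states:GetExecutionHistory',
  LIST_ACTIVITIES: 'states:ListActivities',
  DESCRIBE_STATE_MACHINE: 'states:DescribeStateMachine',
  DESCRIBE_ACTIVITY: 'states:DescribeActivity',
});

// The eight "read results" actions quoted in the last comment.
const READ_GROUP = Object.values(StatesAction)
  .filter((a) => a !== StatesAction.START_EXECUTION);

// IAM matches action names case-insensitively, so compare in lower case.
const KNOWN = new Set(Object.values(StatesAction).map((a) => a.toLowerCase()));

// Lint the states: actions of one IAM statement; returns an array of findings.
function lintStatesActions(statement) {
  const actions = [].concat(statement.Action || []).map((a) => a.toLowerCase());
  const states = actions.filter((a) => a.startsWith('states:'));
  const findings = [];
  let hasWildcard = false;
  for (const action of states) {
    if (action.includes('*') || action.includes('?')) {
      hasWildcard = true;
      findings.push({ issue: 'wildcard', action });
    } else if (!KNOWN.has(action)) {
      findings.push({ issue: 'not-in-list', action }); // typo or unlisted action
    }
  }
  // A partial read group usually means an action was forgotten.
  const missing = READ_GROUP.filter((a) => !states.includes(a.toLowerCase()));
  if (!hasWildcard && missing.length > 0 && missing.length < READ_GROUP.length) {
    findings.push({ issue: 'incomplete-read-group', missing });
  }
  return findings;
}

// Constructed sample statement: one typo and a partial read group.
const sample = {
  Effect: 'Allow',
  Action: ['states:StartExecutoin', 'states:ListExecutions', 'states:DescribeExecution'],
  Resource: 'arn:aws:states:us-east-1:111122223333:stateMachine:Example', // constructed ARN
};
console.log(JSON.stringify(lintStatesActions(sample), null, 2));
```

Reported action names are lower-cased because the comparison is case-insensitive.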
