stepfunctions: Operation enum like for dynamodb #29948

Closed
2 tasks
xfudox opened this issue Apr 24, 2024 · 7 comments
Labels
@aws-cdk/aws-stepfunctions Related to AWS StepFunctions feature-request A feature should be added or improved. p2

Comments

@xfudox

xfudox commented Apr 24, 2024

Describe the feature

It would be useful to have an Operation enum like for dynamodb that lists all the available operations.

Use Case

Without an enum, writing code that assigns actions to policies relies on literal strings, and so the IDE is not capable of suggesting autocomplete options.

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.128.0 (build d995261)

Environment details (OS name and version, etc.)

Ubuntu 22.04.4 LTS 64-bit

@xfudox xfudox added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Apr 24, 2024
@github-actions github-actions bot added the @aws-cdk/aws-stepfunctions Related to AWS StepFunctions label Apr 24, 2024
@pahud
Contributor

pahud commented Apr 25, 2024

Can you elaborate on what exactly you need, with some code snippets, or specify which construct class or properties you need the enum support for?

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Apr 25, 2024
@xfudox
Author

xfudox commented Apr 26, 2024

The aws-dynamodb package has an Operation enum listing all the strings that represent the possible actions that can be used to define policies/permissions:

const iam = require('aws-cdk-lib/aws-iam');
const dynamodb = require('aws-cdk-lib/aws-dynamodb');

const role = new iam.Role(this, 'MyRole', {
    assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com')
});
role.addToPolicy(new iam.PolicyStatement({
    resources: [ /* some dynamodb table ARN */ ],
    actions: ['dynamodb:' + dynamodb.Operation.PUT_ITEM]
}));

Such a useful feature is not present in the aws-stepfunctions package, so for the same scenario it is necessary to use literal strings to define the permitted action:

const iam = require('aws-cdk-lib/aws-iam');
const stepfunctions = require('aws-cdk-lib/aws-stepfunctions');

const role = new iam.Role(this, 'HandleNewAlbumEventRole', {
    assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com')
});
role.addToPolicy(new iam.PolicyStatement({
    resources: [ /* some stepfunctions state machine arn */ ],
    actions: ['states:StartExecution'] // <- HERE
}));

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Apr 26, 2024
@daschaa
Contributor

daschaa commented May 4, 2024

Hi @xfudox :) I really appreciate the idea of having an enum for the actions, so that a user of the CDK does not need to search for all the available actions in the documentation.
However, I'm not sure if the effort is worth the benefit here. The only use case for that enum that I see is for IAM policies. And in regard to that, I would rather recommend using the grant* methods from the StateMachine class, like grantStartExecution for example. [1] In my opinion the grant* methods are a better abstraction for the CDK users than providing an enum with all the available actions, because with just the enum values you cannot be sure that you have "grouped" all actions together that you need for a policy. (For example, to grant an identity to read the results from a state machine you need "states:ListExecutions", "states:ListStateMachines", "states:DescribeExecution", "states:DescribeStateMachineForExecution", "states:GetExecutionHistory", "states:ListActivities", "states:DescribeStateMachine", "states:DescribeActivity")

What do you think about that? I would be interested in your opinion :)

[1] https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_stepfunctions.StateMachine.html#methods
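
Added example, not part of the original thread and not code from aws-cdk-lib: a local stand-in for the requested enum plus a lint over policy action strings, showing both the typo risk of literal strings raised in the issue and the grouping point made in the comment above. The names StatesOperation, lintActions and missingFromReadGroup are hypothetical, and the action list holds only the actions named on this page.

```javascript
'use strict';

// Constructed stand-in for the requested enum: only the actions named in this
// thread, not a complete list and not part of aws-cdk-lib.
const StatesOperation = Object.freeze({
  START_EXECUTION: 'StartExecution',
  LIST_EXECUTIONS: 'ListExecutions',
  LIST_STATE_MACHINES: 'ListStateMachines',
  DESCRIBE_EXECUTION: 'DescribeExecution',
  DESCRIBE_STATE_MACHINE_FOR_EXECUTION: 'DescribeStateMachineForExecution',
  GET_EXECUTION_HISTORY: 'GetExecutionHistory',
  LIST_ACTIVITIES: 'ListActivities',
  DESCRIBE_STATE_MACHINE: 'DescribeStateMachine',
  DESCRIBE_ACTIVITY: 'DescribeActivity',
});

const toAction = (op) => `states:${op}`;
// IAM matches action names case-insensitively, so compare in lower case.
const KNOWN = new Set(Object.values(StatesOperation).map((op) => toAction(op).toLowerCase()));

// The "read results" group quoted in the comment above: everything except StartExecution.
const READ_GROUP = Object.values(StatesOperation)
  .filter((op) => op !== StatesOperation.START_EXECUTION)
  .map(toAction);

// Flag states:* actions that contain a wildcard or are absent from the local list.
function lintActions(actions) {
  const findings = [];
  for (const action of actions) {
    if (typeof action !== 'string' || !action.toLowerCase().startsWith('states:')) continue;
    if (action.includes('*')) findings.push({ action, issue: 'wildcard' });
    else if (!KNOWN.has(action.toLowerCase())) findings.push({ action, issue: 'unknown' });
  }
  return findings;
}

// Report which members of the read group a statement leaves out.
function missingFromReadGroup(actions) {
  const granted = new Set(actions.map((a) => String(a).toLowerCase()));
  return READ_GROUP.filter((a) => !granted.has(a.toLowerCase()));
}

// Constructed sample: one typo, one wildcard, one unrelated service action.
const sample = ['states:StartExecutoin', 'states:List*', 'states:DescribeExecution', 'dynamodb:PutItem'];
console.log(lintActions(sample));
console.log(missingFromReadGroup(sample));
```

An "unknown" finding only means the string is not in the local list, so the list has to be kept in step with the actions a stack actually uses.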

@xfudox
Author

xfudox commented May 26, 2024

@daschaa Sorry for the late reply.
I'm at the beginning of my AWS journey, and before CDK I was trying CloudFormation, so coming from a JSON/YAML approach it felt natural to go with a declarative approach.
I agree that a programmatic approach using grant* methods is more modern, readable and in tune with the whole CDK, so I'll stick with it.

Thanks for the help and again, sorry for my late reply.

@daschaa
Contributor

daschaa commented May 27, 2024

@xfudox No worries :) If the issue is resolved for you, can you close the issue? :)

@xfudox xfudox closed this as completed May 31, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@aws-cdk-automation
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024