aws-cdk-lib/aws-stepfunctions: Configure IAM policy to redrive from failure on labelled execution for DistributedMap failures

[kshefchek]

Describe the feature

Currently when creating a state machine, the step function module automatically sets up necessary IAM policies to run a state machine as described here: https://github.com/aws/aws-cdk/blob/e03d11/packages/aws-cdk-lib/aws-stepfunctions/lib/state-machine.ts#L221-L411

However, the ability to redrive from failure from a DistributedMap step(s) is not included, so this has to be added via addToRolePolicy or attachToRole

see also #28820 (comment)

Use Case

I want to create a state machine in cdk without manually adding an inline IAM policy to the state machine role that grants states:RedriveExecution on labelled executions

Proposed Solution

add a method to aws-cdk-lib/aws-stepfunctions/lib/state-machine.ts

  /**
   * Grant the given identity permissions to redrive an execution of this state
   * machine.
   */
  public grantRedriveOnExecution(identity: iam.IGrantable, ...actions: string[]) {
    return iam.Grant.addToPrincipal({
      grantee: identity,
      'states:RedriveExecution',
      resourceArns: [`${this.executionArn()}/*`],
    });
  }

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.179.0

Environment details (OS name and version, etc.)

mac os

[ashishdhingra]

Appear to be valid feature request. Marking it as P2. Community contributions are welcome.

[kshefchek]

As an update I think this is only affecting redrive from a distributed map step failure, so my initial ticket is misleading, this partially overlapping with this ticket #28820 (comment)

Update: I edited the original ticket title and description to make this more clear.