fix(aws-iam): fixes #2041 sensitive module, support required to replace current cfn template construction

[reillykw]

Support added to PolicyDocument assume role actions which is needed for policy documents that require more than one action

---

Pull Request Checklist

• Testing
  • Unit test added (prefer not to modify an existing test, otherwise, it's probably a breaking change)
  • CLI change?: coordinate update of integration tests with team
  • cdk-init template change?: coordinated update of integration tests with team
• Docs
  • jsdocs: All public APIs documented
  • README: README and/or documentation topic updated
• Title and Description
  • Change type: title prefixed with fix, feat will appear in changelog
  • Title: use lower-case and doesn't end with a period
  • Breaking?: last paragraph: "BREAKING CHANGE: <describe what changed + link for details>"
  • Issues: Indicate issues fixed via: "Fixes #xxx" or "Closes #xxx"
• Sensitive Modules (requires 2 PR approvers)
  • IAM Policy Document (in @aws-cdk/aws-iam)
  • EC2 Security Groups and ACLs (in @aws-cdk/aws-ec2)
  • Grant APIs (only if not based on official documentation with a reference)

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.

[rix0rrr]

We don't expose type unions at the L2 level, so we can't accept this.

[reillykw]

How might this be achieved otherwise? Any suggestions would be helpful.

[rix0rrr]

I think instead of multiple assume role actions, making it so that CompositePrincipal can render to multiple policy statements would serve the same purpose, and be more generally useful in solving:

#1578

Are you interested in taking that on?

[rix0rrr]

See notes

[reillykw]

Yeah I could give it a shot.

[eladb]

@reillykw any updates on this?

[rix0rrr]

I am going to close this PR as it does not look there's going to be any movement on it. Feel free to reopen in case of renewed interest.