fix(aws-iam): Permit the use of multiple actions in a policy principal

[reillykw]

closes #2041.

Doesn't address the larger policy principal, composite issues. Permits the use of multiple actions on a single policy principal.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[mergify]

Thanks so much for taking the time to contribute to the AWS CDK ❤️

We will shortly assign someone to review this pull request and help get it
merged. In the meantime, please take a minute to make sure you follow this
checklist:

• PR title type(scope): text
  • type: fix, feat, refactor go into CHANGELOG, chore is hidden
  • scope: name of module without aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
  • text: use all lower-case, do not end with a period, do not include issue refs
• PR Description
  • Rationale: describe rationale of change and approach taken
  • Issues: indicate issues fixed via: fixes #xxx or closes #xxx
  • Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>
• Testing
  • Unit test added. Prefer to add a new test rather than modify existing tests
  • CLI or init templates change? Re-run/add CLI integration tests
• Documentation
  • README: update module README to describe new features
  • API docs: public APIs must be documented. Copy from official AWS docs when possible
  • Design: for significant features, follow design process

[aws-cdk-automation]

AWS CodeBuild CI Report

• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[aws-cdk-automation]

AWS CodeBuild CI Report

• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[aws-cdk-automation]

AWS CodeBuild CI Report

• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[rix0rrr]

Thanks for the contribution!

I am aware of this issue, but I feel we need to address it more holistically. I think the shape of the ultimate solution will be something that doesn't violate Tell, Don't Ask so much as what we have today (probably a method that does some work to its parameters), so I'd also hate to introduce more properties that will be subsequently deprecated once we do the final version. I'm therefore not inclined to merge what feels like a stopgap solution.

In the mean time, we don't allow breaking API changes, and removing a property from an interface is breaking, which is why you're experiencing build trouble.

[reillykw]

This is a stopgap solution, so I can abandon it. A more holistic solution would require breaking changes, though, wouldn't it?

I read your comment about a composite that returned multiple statements, is that an approach you would take? I think, and disagree with me if you do, the whole approach to the principals where the policy document is given is part of the difficulty here. It seems that the document itself and the principal are inextricably linked and a working solution would be to disentangle the concepts entirely.