fix(stepfunctions-tasks): fix IAM policy statements for step functions API calls (#22959)

Fix IAM policy statements for step functions API calls.

The service name of the Step Functions IAM policy action is different from the service name of the task resource name and must be translated.

- IAM policy action: `states:[apiAction]`
- Task resource name: `arn:aws:states:::aws-sdk:sfn:[apiAction]`
----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: gkkachi

packages/@aws-cdk/aws-stepfunctions-tasks/lib/aws-sdk/call-aws-service.ts

@@ -80,12 +80,17 @@ export class CallAwsService extends sfn.TaskStateBase {
       throw new Error('The RUN_JOB integration pattern is not supported for CallAwsService');
     }
 
+    const iamServiceMap: Record<string, string> = {
+      sfn: 'states',
+    };
+    const iamService = iamServiceMap[props.service] ?? props.service;
+
     this.taskPolicies = [
       new iam.PolicyStatement({
         resources: props.iamResources,
         // The prefix and the action name are case insensitive
         // https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html
-        actions: [props.iamAction ?? `${props.service}:${props.action}`],
+        actions: [props.iamAction ?? `${iamService}:${props.action}`],
       }),
       ...props.additionalIamStatements ?? [],
     ];

packages/@aws-cdk/aws-stepfunctions-tasks/test/aws-sdk/call-aws-service.test.ts

@@ -198,3 +198,34 @@ test('can pass additional IAM statements', () => {
     },
   });
 });
+
+test('IAM policy for sfn', () => {
+  // WHEN
+  const task = new tasks.CallAwsService(stack, 'SendTaskSuccess', {
+    service: 'sfn',
+    action: 'sendTaskSuccess',
+    iamResources: ['*'],
+    parameters: {
+      Output: sfn.JsonPath.objectAt('$.output'),
+      TaskToken: sfn.JsonPath.stringAt('$.taskToken'),
+    },
+  });
+
+  new sfn.StateMachine(stack, 'StateMachine', {
+    definition: task,
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Statement: [
+        {
+          Action: 'states:sendTaskSuccess',
+          Effect: 'Allow',
+          Resource: '*',
+        },
+      ],
+      Version: '2012-10-17',
+    },
+  });
+});

packages/@aws-cdk/aws-stepfunctions-tasks/test/aws-sdk/integ.call-aws-service-sfn.js.snapshot/IntegTestDefaultTestDeployAssertE3E7D2A4.assets.json

@@ -0,0 +1,32 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "b54b99043c35bd080b9d9d1afce31e3541cf15b679799ba980ed40c837dcb03b": {
+      "source": {
+        "path": "asset.b54b99043c35bd080b9d9d1afce31e3541cf15b679799ba980ed40c837dcb03b.bundle",
+        "packaging": "zip"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "b54b99043c35bd080b9d9d1afce31e3541cf15b679799ba980ed40c837dcb03b.zip",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    },
+    "53ea1c76e8a088a3e3455a07f903c3cdc7054d8399d75bc242655e2569ec4dbe": {
+      "source": {
+        "path": "IntegTestDefaultTestDeployAssertE3E7D2A4.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "53ea1c76e8a088a3e3455a07f903c3cdc7054d8399d75bc242655e2569ec4dbe.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}