fix(stepfunctions-tasks): state machine role is missing sagemaker:AddTags permission for SageMakerCreateTransformJob task (#27264)

If we specified RUN_JOB as IntegrationPattern prop for SageMakerCreateTransformJob construct, StepFunctions executes SageMaker batch transform job [synchronously](https://docs.aws.amazon.com/step-functions/latest/dg/connect-to-resource.html#connect-sync). In this case, StepFunctions add a tag (key: MANAGED_BY_AWS, value: STARTED_BY_STEP_FUNCTIONS) to the job, so state machine role needs the permission to do that. However, currently CDK does not add the permission automatically.

This PR solves the issue by adding `sagemaker:AddTags` permission to state machine role when RUN_JOB is specified as IntegrationPattern prop.

Closes #26012

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: tam0ri

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/sagemaker/integ.create-transform-job.js.snapshot/SqsTestDefaultTestDeployAssert659366A6.assets.json

@@ -0,0 +1,208 @@
+{
+ "Resources": {
+  "BatchInferenceTaskSagemakerTransformRoleEABCCE1A": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "sagemaker.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/AmazonSageMakerFullAccess"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "SimpleStateMachineRole0CBC135A": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "states.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "SimpleStateMachineRoleDefaultPolicyF5E1CB8E": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": [
+        "sagemaker:AddTags",
+        "sagemaker:CreateTransformJob",
+        "sagemaker:DescribeTransformJob",
+        "sagemaker:StopTransformJob"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::Join": [
+         "",
+         [
+          "arn:",
+          {
+           "Ref": "AWS::Partition"
+          },
+          ":sagemaker:",
+          {
+           "Ref": "AWS::Region"
+          },
+          ":",
+          {
+           "Ref": "AWS::AccountId"
+          },
+          ":transform-job/*"
+         ]
+        ]
+       }
+      },
+      {
+       "Action": "sagemaker:ListTags",
+       "Effect": "Allow",
+       "Resource": "*"
+      },
+      {
+       "Action": "iam:PassRole",
+       "Condition": {
+        "StringEquals": {
+         "iam:PassedToService": "sagemaker.amazonaws.com"
+        }
+       },
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::GetAtt": [
+         "BatchInferenceTaskSagemakerTransformRoleEABCCE1A",
+         "Arn"
+        ]
+       }
+      },
+      {
+       "Action": [
+        "events:DescribeRule",
+        "events:PutRule",
+        "events:PutTargets"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::Join": [
+         "",
+         [
+          "arn:",
+          {
+           "Ref": "AWS::Partition"
+          },
+          ":events:",
+          {
+           "Ref": "AWS::Region"
+          },
+          ":",
+          {
+           "Ref": "AWS::AccountId"
+          },
+          ":rule/StepFunctionsGetEventsForSageMakerTransformJobsRule"
+         ]
+        ]
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "SimpleStateMachineRoleDefaultPolicyF5E1CB8E",
+    "Roles": [
+     {
+      "Ref": "SimpleStateMachineRole0CBC135A"
+     }
+    ]
+   }
+  },
+  "SimpleStateMachineE8E2CF40": {
+   "Type": "AWS::StepFunctions::StateMachine",
+   "Properties": {
+    "DefinitionString": {
+     "Fn::Join": [
+      "",
+      [
+       "{\"StartAt\":\"BatchInferenceTask\",\"States\":{\"BatchInferenceTask\":{\"End\":true,\"Type\":\"Task\",\"Resource\":\"arn:",
+       {
+        "Ref": "AWS::Partition"
+       },
+       ":states:::sagemaker:createTransformJob.sync\",\"Parameters\":{\"ModelName\":\"MyModelName\",\"TransformInput\":{\"DataSource\":{\"S3DataSource\":{\"S3Uri\":\"s3://inputbucket/prefix\",\"S3DataType\":\"S3Prefix\"}}},\"TransformJobName\":\"MyTransformJob\",\"TransformOutput\":{\"S3OutputPath\":\"s3://outputbucket/result\"},\"TransformResources\":{\"InstanceCount\":1,\"InstanceType\":\"ml.m4.xlarge\"}}}}}"
+      ]
+     ]
+    },
+    "RoleArn": {
+     "Fn::GetAtt": [
+      "SimpleStateMachineRole0CBC135A",
+      "Arn"
+     ]
+    }
+   },
+   "DependsOn": [
+    "SimpleStateMachineRoleDefaultPolicyF5E1CB8E",
+    "SimpleStateMachineRole0CBC135A"
+   ],
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}