feat(stepfunctions): add EvaluateExpression task

[jogold]

Use the EvaluateExpression to perform simple operations referencing state paths. The
expression referenced in the task will be evaluated in a Lambda function
(eval()). This allows you to not have to write Lambda code for simple operations.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[mergify]

Thanks so much for taking the time to contribute to the AWS CDK ❤️

We will shortly assign someone to review this pull request and help get it
merged. In the meantime, please take a minute to make sure you follow this
checklist:

• PR title type(scope): text
  • type: fix, feat, refactor go into CHANGELOG, chore is hidden
  • scope: name of module without aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
  • text: use all lower-case, do not end with a period, do not include issue refs
• PR Description
  • Rationale: describe rationale of change and approach taken
  • Issues: indicate issues fixed via: fixes #xxx or closes #xxx
  • Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>
• Testing
  • Unit test added. Prefer to add a new test rather than modify existing tests
  • CLI or init templates change? Re-run/add CLI integration tests
• Documentation
  • README: update module README to describe new features
  • API docs: public APIs must be documented. Copy from official AWS docs when possible
  • Design: for significant features, follow design process

[jogold]

See README - Eval example for usage example.

[aws-cdk-automation]

AWS CodeBuild CI Report

• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[aws-cdk-automation]

AWS CodeBuild CI Report

• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[rix0rrr]

This is another super sexy submission @jogold! I've been putting off reviewing it a little because it honestly scares me a little, what with using eval and all.

Undoubtedly very useful, but I have serious reservations about shipping this in the core library. I wonder if it's not better off in a 3rd party construct library.

[jogold]

@rix0rrr I was expecting this kind of reaction to the usage of eval 😄

One of the security issues with eval is when it's used to evaluate user input, especially on a server/backend.

Let's look at the eval in the context here: the user is the CDK developer not an "external user" (he should know what he's doing) and the eval is run in an isolated backend (Lambda) with no IAM permission. Isn't this comparable to letting a CDK developer write (bad) Lambda code?

[rix0rrr]

It is, and my concern is not about security. More about whether or not we want to take on the maintenance burden of when people are inevitably going to misuse/abuse the feature.

Nevertheless, because it is a little unorthodox, we're also going to have to have a security review with the appropriate people internally. I don't predict that being a blocker though. Given that the IAM policy of the Lambda has barely any permissions, the worst you would be able to do is rack up Lambda charges in your own account.

[aws-cdk-automation]

AWS CodeBuild CI Report

• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Pull request has been modified.

[aws-cdk-automation]

AWS CodeBuild CI Report

• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[aws-cdk-automation]

AWS CodeBuild CI Report

• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository