fix(iam): handle Fn::Sub string form in getExecutionArn

Fn::Sub can be a plain string or an array [template, vars].
getExecutionArn() assumed array form, causing string destructuring
to produce garbage output like { 'Fn::Sub': ['a:*', 'r'] }.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: zirkelc

lib/deploy/stepFunctions/compileIamRole.js

@@ -472,7 +472,13 @@ function getExecutionArn(stateMachineArn) {
     return `${stateMachineArn.replace(':stateMachine:', ':execution:')}:*`;
   }
   if (stateMachineArn['Fn::Sub']) {
-    const [template, vars] = stateMachineArn['Fn::Sub'];
+    const sub = stateMachineArn['Fn::Sub'];
+    if (typeof sub === 'string') {
+      return {
+        'Fn::Sub': `${sub.replace(':stateMachine:', ':execution:')}:*`,
+      };
+    }
+    const [template, vars] = sub;
     return {
       'Fn::Sub': [
         `${template.replace(':stateMachine:', ':execution:')}:*`,

lib/deploy/stepFunctions/compileIamRole.test.js

@@ -3392,7 +3392,9 @@ describe('#compileIamRole', () => {
 
       const executionPermissions = statements.filter(s => _.isEqual(s.Action, ['states:DescribeExecution', 'states:StopExecution']));
       expect(executionPermissions).to.have.lengthOf(1);
-      expect(executionPermissions[0].Resource).to.equal('*');
+      expect(executionPermissions[0].Resource).to.deep.eq([{
+        'Fn::Sub': 'arn:aws:states:${AWS::Region}:${AWS::AccountId}:execution:HelloStateMachine:*',
+      }]);
     });
 
     it('should handle ${AWS::Partition} in resource ARN', () => {