fix(iam): policy statement tries to validate tokens (#13493)

Looking for guidance on error messaging and/or docs to update
Fixes #13479

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-iam/lib/policy-statement.ts

@@ -64,7 +64,8 @@ export class PolicyStatement {
   constructor(props: PolicyStatementProps = {}) {
     // Validate actions
     for (const action of [...props.actions || [], ...props.notActions || []]) {
-      if (!/^(\*|[a-zA-Z0-9-]+:[a-zA-Z0-9*]+)$/.test(action)) {
+
+      if (!/^(\*|[a-zA-Z0-9-]+:[a-zA-Z0-9*]+)$/.test(action) && !cdk.Token.isUnresolved(action)) {
         throw new Error(`Action '${action}' is invalid. An action string consists of a service namespace, a colon, and the name of an action. Action names can include wildcards.`);
       }
     }

packages/@aws-cdk/aws-iam/test/policy-document.test.ts

@@ -102,6 +102,19 @@ describe('IAM policy document', () => {
     }).toThrow(/Action 'in:val:id' is invalid/);
   });
 
+  // https://github.com/aws/aws-cdk/issues/13479
+  test('Does not validate unresolved tokens', () => {
+    const stack = new Stack();
+    const perm = new PolicyStatement({
+      actions: [`${Lazy.string({ produce: () => 'sqs:sendMessage' })}`],
+    });
+
+    expect(stack.resolve(perm.toStatementJson())).toEqual({
+      Effect: 'Allow',
+      Action: 'sqs:sendMessage',
+    });
+  });
+
   test('Cannot combine Resources and NotResources', () => {
     expect(() => {
       new PolicyStatement({