feat(bootstrap): Add ECR resource policy for emr-serverless containers (#112)

This PR modifies the default bootstrap template to support EMR
Serverless containers.

Without this policy, containers created using the `DockerImageAsset`
construct cannot be used with EMR Serverless applications.

There is precedence for this pattern to support Lambda function
containers, so I don't think this should be too controversial of a
change.

Relevant documentation on using custom images in EMR Serverless:
-
https://docs.aws.amazon.com/emr/latest/EMR-Serverless-UserGuide/application-custom-image.html

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license

Author: graydenshand

packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

@@ -278,6 +278,19 @@ Resources:
             Condition:
               StringLike:
                 "aws:sourceArn": { "Fn::Sub": "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:*" }
+          # Necessary for EMR Serverless container images
+          # https://docs.aws.amazon.com/emr/latest/EMR-Serverless-UserGuide/application-custom-image.html#access-repo
+          - Sid: EmrServerlessImageRetrievalPolicy
+            Effect: Allow
+            Principal:
+              Service: emr-serverless.amazonaws.com
+            Action:
+              - ecr:BatchGetImage
+              - ecr:GetDownloadUrlForLayer
+              - ecr:DescribeImages
+            Condition:
+              StringLike:
+                "aws:sourceArn": { "Fn::Sub": "arn:${AWS::Partition}:emr-serverless:${AWS::Region}:${AWS::AccountId}:/applications/*" }
   FilePublishingRole:
     Type: AWS::IAM::Role
     Properties:
@@ -659,7 +672,7 @@ Resources:
       Type: String
       Name:
         Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
-      Value: '26'
+      Value: '27'
 Outputs:
   BucketName:
     Description: The name of the S3 bucket owned by the CDK toolkit stack