fix(mixins-preview): improving delivery source and delivery destination creation

[ShadowCat567]

Reason for this change

There were several issues with the initial release of Vended logs, primarily:

• if you attempted to set up vended logs for the same source resource that go to the same destination but with different log types you would have a naming conflict for the delivery destination name and it would fail, see below for example

// previously this did not work
eventBus.with(CfnEventBusLogsMixin.ERROR_LOGS.toLogGroup(logGroup));
eventBus.with(CfnEventBusLogsMixin.INFO_LOGS.toLogGroup(logGroup));

• if you attempted to set up vended logs for the same source resource that go to different destination and have the same log type, your deployment would also fail -- I haven't been able to find any documentation about why this happens (this error occurs even if you ensure the DeliverySource names are unique, while testing I noticed you cannot have DeliverySources that are identical aside from their name)

// previously this did not work
eventBus.with(CfnEventBusLogsMixin.ERROR_LOGS.toLogGroup(logGroup));
eventBus.with(CfnEventBusLogsMixin.ERROR_LOGS.toS3(bucket));

• our integration tests were slow because they used a Cloudfront Distribution as their log source

Description of changes

Delivery Destination Names
Delivery destination names now depend on the logType as well as the destination type, the destination resource, and the source resource to come up with a unique name. This ensures we can no longer have naming conflicts if we set up 2 vended log mixin deliveries that only differ based on the type of log that is getting send through them.

Delivery Sources
Previously a new delivery source was created for every delivery. However, it seems like there is some kind of internal implementation that blocks new delivery sources from being created that share a resourceArn and logType with an existing delivery source even if the names are unique.
Now only one DeliverySource is created per resourceArn + logType pair and log deliveries look for an existing DeliverySource they can use before creating a new one.

Unrelated to Mixins
Another PR introduced much stricter cfn-guard rules to the Security Guardian: #36110
This caused Security Guardian to start flagging some of the policies that the integ tests for the Vended Logs Mixin was using. Of the issues that were flagged, 2 of them were somewhat valid (encrypt s3 buckets and firehose data stream) and 2 of them were invalid (could not find relevant sections, even though they were there and threw error), updated the cfn guard rules for the invalid cases so they could properly validate the generated policies.

Updated the IAM_NO_WILDCARD_ACTIONS_INLINE cfn guard rule so it could properly validate IAM Roles that have this kind of structure Properties.AssumeRolePolicyDocument.Statement[*] as well as the structure it was previously looking for.
Excluded AWS:Logs::ResourcePolicy from NO_ROOT_PRINCIPALS_EXCEPT_KMS_SECRETS cfn guard rule. Cloudwatch Logs resource policies take in normal strings as their Policy Document (unlike most other policies which use JSON strings), which makes them difficult to deal with when working with cfn guard. See: https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-logs-resourcepolicy.html

Describe any new or updated permissions being added

N/A

Description of how you validated changes

Added unit tests to ensure that delivery sources are getting created when we expect them to be and only one is getting created for each resourceArn + logType pair.
Added and updated integration tests to test previously untested scenarios and switched the integration tests from using a Cloudfront Distribution as their log source or an EventBus so they spin up and tear down faster.
Removed some of the requirements that force our Deliveries to be created sequentially, but only from the tests that create different DeliveryDestinations. When using the same DeliveryDestination for different Deliveries, they must deploy in sequence.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[github-actions]

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results	130 ran	130 passed

Test	Result
No test annotations available

• View Security Guardian Results

[github-actions]

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results with resolved templates	130 ran	130 passed

Test	Result
No test annotations available

• View Security Guardian Results with resolved templates

[mrgrain]

add this to the deliveryId function instead, less repeat.

[mrgrain]

add this to the deliveryDestName function instead, less repeat.

[mrgrain]

Is this actually more behaving like the BucketPolicy where the Delivery Source could be anywhere in the tree and we are looking for one that matches the given resourceArn and logType?

[ShadowCat567]

in theory, yes, if the user already has some vended log configurations they set up without the Mixin

[mrgrain]

this should be available on the logDelivery object.

[ShadowCat567]

yes, this was a relic of something else I was doing, we don't need it here any more

[mrgrain]

see comments