feat(iam): allow changing the effect to 'deny' for policy statements

[SanderKnape]

I just noticed that I can not set a policy statement to "deny". Maybe I'm missing something, but otherwise this should be an easy fix.

---

Please read the contribution guidelines and follow the pull-request checklist.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[skinny85]

I have a general question about the class PolicyStatement.

Should we make it immutable? I feel like if we keep it mutable, it prevents us from ever being able to implement statement normalization in policies (to make them smaller), which we might want to do in the future.

[rix0rrr]

That's a good question.

I feel like maybe so, but some APIs we have now explicitly assume that they're mutable, and that they can be freely modified by adding conditions, for example. In fact, we document this somewhere.

[skinny85]

@rix0rrr would it be possible to implement statement normalization using CDK lifecycle callbacks? Like we now do for simple de-duplication of identical statements?

[rix0rrr]

Yes.

[skinny85]

Yes.

So perhaps leaving PolicyStatement mutable is not atas problematic as I initially thought.

Carry on.