fix(job): add resource policy to environment to unblock job logs

[bvtujo]

• chore: move resource policy to env stack
• bump env version
• test: fix integ tests to include LogResourcePolicy

Resolves #4389. Customers who are currently blocked by the log resource policy issue should be able to resolve it by running copilot env deploy to upgrade their environments to the latest version.

This PR creates a Log Resource Policy as a part of each environment which handles the necessary permissions for state machines to write logs to CloudWatch. The policy is managed as part of the environment lifecycle and will be cleaned up after deletion.

Customers who need more than 10 environments per account & region can get around this issue by running copilot env override --tool yamlpatch and removing the log resource policy:

- op: remove
  path: /Resources/LogResourcePolicy

Then, they can set up a custom log resource policy for all their environments in a region:

aws logs describe-resource-policies \
  | jq '.resourcePolicies[] | select(.policyName | startswith("AWSLogDeliveryWrite"))' \
  | jq '.policyDocument | fromjson' > policy.json

Then, modify this policy.json file to include the following "resource" snippet

"Resource": [
  "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/copilot/*:log-stream:*"
]

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.

[github-actions]

🍕 Here are the new binary sizes!

Name	New size (kiB)	size (kiB)	Delta (%)
macOS (amd)	50832	50748	+0.17
macOS (arm)	51032	50956	+0.15
linux (amd)	44752	44680	+0.16
linux (arm)	43076	43012	+0.15
windows (amd)	41608	41548	+0.14

[codecov-commenter]

Codecov Report

Merging #4979 (cd1ea6c) into mainline (d79a46d) will increase coverage by 0.00%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           mainline    #4979    +/-   ##
==========================================
  Coverage     70.15%   70.16%            
==========================================
  Files           289      289            
  Lines         41693    41797   +104     
  Branches        285      285            
==========================================
+ Hits          29248    29325    +77     
- Misses        11038    11059    +21     
- Partials       1407     1413     +6     

see 4 files with indirect coverage changes

[Lou1415926]

I also think what you have in the PR description (which is super nice!) is probably worth going into the doc! Either the FAQ section (when we have it), or the blog post.