aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(synthetics): Default role breaks in non aws partitions #12094

Closed Khufu-I closed 3 years ago

Khufu-I commented 3 years ago

Synthetics Canary default execution role hard-codes 'arn:aws:logs:::*' in the IAM policy, which does not work in non-AWS partitions (i.e. aws-cn or aws-us-gov).

Reproduction Steps

Synthesize the following code (cdk synth) for cn-north-1

import * as path from 'path';
import { Duration } from '@aws-cdk/core';
import * as synthetics from '@aws-cdk/aws-synthetics';

// Canary with only the required props, so the default execution role is generated
const canary = new synthetics.Canary(this, 'MyCanary', {
  schedule: synthetics.Schedule.rate(Duration.minutes(5)),
  test: synthetics.Test.custom({
    code: synthetics.Code.fromAsset(path.join(__dirname, 'canary')),
    handler: 'index.handler',
  }),
  runtime: synthetics.Runtime.SYNTHETICS_NODEJS_2_0,
});

What did you expect to happen?

The default execution role IAM policy should contain a partition aware log access policy

{
  "Action": [
    "logs:CreateLogStream",
    "logs:CreateLogGroup",
    "logs:PutLogEvents"
  ],
  "Effect": "Allow",
  "Resource": { "Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":logs:::*"]] }
}

What actually happened?

The default execution role contains an IAM policy which has 'aws' hard-coded and isn't partition aware.

{
  "Action": [
    "logs:CreateLogStream",
    "logs:CreateLogGroup",
    "logs:PutLogEvents"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:logs:::*"
}

Environment

Other


This is :bug: Bug Report
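The following is an added example, not code from the aws-cdk project or from the issue author. It shows the partition-aware resource the report asks for (an Fn::Join over Ref AWS::Partition), resolves it the way CloudFormation would for a concrete partition, and runs a small checker over a synthesized template to flag any IAM statement whose Resource still carries a literal partition such as arn:aws:. The template, logical IDs and policy names below are constructed for the example; the checker only understands PolicyDocument and inline Policies on a resource, which is where the canary's default role puts its statement.

```typescript
// Added example, not aws-cdk project code: a checker that walks a synthesized
// CloudFormation template and flags IAM policy statements whose Resource
// hard-codes a partition, next to the partition-aware form the issue asks for.

type CfnValue = string | Record<string, any>;

interface Template {
  Resources: Record<string, any>;
}

interface Finding {
  logicalId: string;
  resource: string;
}

// The partition-aware resource the issue expects in the canary's default role:
// {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":logs:::*"]]}
function partitionAwareLogsArn(): CfnValue {
  return { "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" }, ":logs:::*"]] };
}

// Resolve Fn::Join / Ref AWS::Partition against a concrete partition the way
// CloudFormation would at deploy time, so the expected ARN can be checked.
function resolvePartition(value: CfnValue, partition: string): string {
  if (typeof value === "string") return value;
  if (value.Ref === "AWS::Partition") return partition;
  if (Array.isArray(value["Fn::Join"])) {
    const [delimiter, parts] = value["Fn::Join"] as [string, CfnValue[]];
    return parts.map((p) => resolvePartition(p, partition)).join(delimiter);
  }
  throw new Error(`unsupported intrinsic: ${JSON.stringify(value)}`);
}

// Literal partitions that should instead come from {"Ref": "AWS::Partition"}.
const HARDCODED_PARTITION = /^arn:(aws|aws-cn|aws-us-gov):/;

// Collect every policy document attached to an IAM::Role or IAM::Policy resource.
function policyDocuments(res: any): any[] {
  const docs: any[] = [];
  if (res.Properties?.PolicyDocument) docs.push(res.Properties.PolicyDocument);
  for (const p of res.Properties?.Policies ?? []) {
    if (p.PolicyDocument) docs.push(p.PolicyDocument);
  }
  return docs;
}

// Report each statement Resource that is a plain string starting with a literal partition.
function findHardcodedPartitions(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    for (const doc of policyDocuments(res)) {
      // A Statement may be a single object or an array; normalise to an array.
      const stmts: any[] = Array.isArray(doc.Statement) ? doc.Statement : doc.Statement ? [doc.Statement] : [];
      for (const stmt of stmts) {
        const resources: CfnValue[] = Array.isArray(stmt.Resource) ? stmt.Resource : [stmt.Resource];
        for (const r of resources) {
          if (typeof r === "string" && HARDCODED_PARTITION.test(r)) {
            findings.push({ logicalId, resource: r });
          }
        }
      }
    }
  }
  return findings;
}

// Constructed sample template: one role with the hard-coded statement the
// issue reports, one with the partition-aware statement it expects.
const LOGS_ACTIONS = ["logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents"];
const sampleTemplate: Template = {
  Resources: {
    CanaryRoleHardcoded: {
      Type: "AWS::IAM::Role",
      Properties: {
        Policies: [{ PolicyName: "canaryPolicy", PolicyDocument: {
          Statement: [{ Action: LOGS_ACTIONS, Effect: "Allow", Resource: "arn:aws:logs:::*" }] } }],
      },
    },
    CanaryRoleFixed: {
      Type: "AWS::IAM::Role",
      Properties: {
        Policies: [{ PolicyName: "canaryPolicy", PolicyDocument: {
          Statement: [{ Action: LOGS_ACTIONS, Effect: "Allow", Resource: partitionAwareLogsArn() }] } }],
      },
    },
  },
};

function main(): void {
  for (const f of findHardcodedPartitions(sampleTemplate)) {
    console.log(`${f.logicalId}: hard-coded partition in ${f.resource}`);
  }
  console.log(resolvePartition(partitionAwareLogsArn(), "aws-cn"));
}
main();
```

Run against the output of `cdk synth` (parse the template JSON into the `Template` shape) to catch the hard-coded `arn:aws:` before a stack is deployed into `cn-north-1` or a GovCloud region, where the partition-aware statement resolves to `arn:aws-cn:logs:::*` and the literal one never matches.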

github-actions[bot] commented 3 years ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.