feat(mixins-preview): vended log deliveries (#36138)

### Reason for this change
Utility classes that will be needed for the VendedLogs Mixin. 

### Description of changes
Implements 4 classes, one for each destination resource Vended Logs can delivery data to. These classes are instantiated with the resource they are affiliated with and all have a bind method that takes care of setting up each deliveryDestination and the delivery connection between the source of the logs and the destination where logs are consumed. 
We are using a bind method to set up the delivery and the deliveryDestination instead of having these be set up in the constructor because of complications surrounding the lack of a resource in XRays. 

### Describe any new or updated permissions being added


**S3:** 
Adds the permissions defined here to an existing bucket policy or creates a bucket policy on the current bucket with these permissions: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-S3.html
Adds different permissions based on whether the service sending logs uses V1 or V2 permissions.

**Firehose:**
No new permissions. Adds tag to each Kinesis Firehose DeliveryStream that enables `LogDelivery`. 

**Cloudwatch:** 
Adds these permissions to existing Cloudwatch Logs policy or creates a new one with these permissions: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-CWL.html
Each Log Group that is involved with Vended Logs will need these permissions. 

**XRays:** 
Adds permissions specified here to existing XRay policy or creates a new one if one doesn't exist: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-XRayTraces.html

### Description of how you validated changes

Extensive unit tests. Integ tests to follow.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: ShadowCat567

packages/@aws-cdk/mixins-preview/.gitignore

@@ -22,5 +22,4 @@ junit.xml
 !**/*.snapshot/**/asset.*/**
 
 # we ignore generated files that cannot contain hand-written info
-lib/services/*/index.ts
 lib/services/**/*.jsiirc.json

packages/@aws-cdk/mixins-preview/lib/core/selectors.ts

@@ -19,6 +19,13 @@ export abstract class ConstructSelector {
     return new CfnResourceSelector();
   }
 
+  /**
+   * Selects only the provided construct.
+   */
+  static onlyItself(): ConstructSelector {
+    return new OnlyItselfSelector();
+  }
+
   /**
    * Selects constructs of a specific type.
    */
@@ -107,3 +114,9 @@ class IdPatternSelector extends ConstructSelector {
     return result;
   }
 }
+
+class OnlyItselfSelector extends ConstructSelector {
+  select(scope: IConstruct): IConstruct[] {
+    return [scope];
+  }
+}

packages/@aws-cdk/mixins-preview/lib/mixins/private/s3.ts

@@ -0,0 +1,47 @@
+import type { IConstruct } from 'constructs/lib/construct';
+import { Mixin } from '../../core';
+import type { PolicyStatement } from 'aws-cdk-lib/aws-iam';
+import { PolicyDocument } from 'aws-cdk-lib/aws-iam';
+import type { CfnBucketPolicy } from 'aws-cdk-lib/aws-s3';
+import { makeIsCfnResource } from './utils';
+
+/**
+ * Adds statements to a bucket policy
+ * @mixin true
+ */
+export class BucketPolicyStatementsMixins extends Mixin {
+  private readonly statements: PolicyStatement[];
+
+  public constructor(statements: PolicyStatement[]) {
+    super();
+    this.statements = statements;
+  }
+
+  public supports(construct: IConstruct): construct is CfnBucketPolicy {
+    return makeIsCfnResource('AWS::S3::BucketPolicy')(construct);
+  }
+
+  public applyTo(policy: IConstruct): IConstruct {
+    if (!this.supports(policy)) {
+      return policy;
+    }
+
+    const policyDocument = this.getPolicyDocument(policy);
+    policyDocument.addStatements(...this.statements);
+
+    policy.policyDocument = policyDocument;
+
+    return policy;
+  }
+
+  /**
+   * CfnBucketPolicy.policyDocument sometimes is a PolicyDocument object
+   * and sometimes is a plain object. We need to handle both cases.
+   */
+  private getPolicyDocument(policy: CfnBucketPolicy): PolicyDocument {
+    if (policy.policyDocument instanceof PolicyDocument) {
+      return policy.policyDocument;
+    }
+    return PolicyDocument.fromJson(policy.policyDocument);
+  }
+}

packages/@aws-cdk/mixins-preview/lib/mixins/private/utils.ts

@@ -0,0 +1,6 @@
+import { CfnResource } from 'aws-cdk-lib/core';
+import type { IConstruct } from 'constructs';
+
+export function makeIsCfnResource(cfnResourceType: string): (construct: IConstruct) => boolean {
+  return (construct: IConstruct) => CfnResource.isCfnResource(construct) && construct.cfnResourceType === cfnResourceType;
+}

packages/@aws-cdk/mixins-preview/lib/services/alexa-ask/index.ts

@@ -0,0 +1 @@
+export * as mixins from './mixins';

packages/@aws-cdk/mixins-preview/lib/services/aws-accessanalyzer/index.ts

@@ -0,0 +1 @@
+export * as mixins from './mixins';

packages/@aws-cdk/mixins-preview/lib/services/aws-acmpca/index.ts

@@ -0,0 +1 @@
+export * as mixins from './mixins';

packages/@aws-cdk/mixins-preview/lib/services/aws-aiops/index.ts

@@ -0,0 +1 @@
+export * as mixins from './mixins';

packages/@aws-cdk/mixins-preview/lib/services/aws-amazonmq/index.ts

@@ -0,0 +1 @@
+export * as mixins from './mixins';

packages/@aws-cdk/mixins-preview/lib/services/aws-amplify/index.ts

@@ -0,0 +1 @@
+export * as mixins from './mixins';