aws-logs: add AccountPolicy L2 construct #34130

Open
@garysassano

Describe the feature

The L2 construct equivalent of CfnAccountPolicy, aimed at reducing boilerplate code and simplifying configuration; it should help to prevent common pitfalls (see #31266).

Use Case

See above.

Proposed Solution

The AccountPolicy construct should accept an input of type AccountPolicyType, an enum with the following possible values:

  • LAMBDA
  • KINESIS_DATA_STREAM
  • DATA_FIREHOSE

Depending on the selected AccountPolicyType, you’ll need to provide a different kind of target. For example, if LAMBDA is specified, you must provide an IFunction. The required permissions for the target resource will be automatically attached when the AccountPolicy is created.

Other Information

Creating an account-level subscription filter involves 4 steps:

  1. Create the target resource for the subscription filter (Lambda, Kinesis Data Stream, or Data Firehose).
  2. Grant CloudWatch Logs permission to use the target resource.
  3. Add a dependency in the CDK resource graph to ensure the subscription filter is not created before the permission is granted.
  4. Create the account-level subscription filter.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.189.0

Environment details (OS name and version, etc.)

Ubuntu 24.04
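
A check for steps 2 and 3 of the procedure above, run against a synthesized CloudFormation template. This is an added example, not code from the issue or from aws-cdk; the logical IDs, the sample template and the `Fn::Sub` form of the policy document are constructed assumptions, and only Lambda targets are handled.

```typescript
// Added example: resource shapes follow CloudFormation, logical IDs are constructed.
type Resource = { Type: string; Properties: Record<string, any>; DependsOn?: string[] };
type Template = Record<string, Resource>;

// Logical ID of the Lambda referenced as ${Id.Arn} in the policy's Fn::Sub document.
function lambdaTarget(policy: Resource): string | undefined {
  const doc: unknown = policy.Properties.PolicyDocument?.["Fn::Sub"];
  return typeof doc === "string" ? /"DestinationArn":"\$\{(\w+)\.Arn\}"/.exec(doc)?.[1] : undefined;
}

// True if `r` lets CloudWatch Logs invoke the function with logical ID `fn` (step 2).
function grantsLogsInvoke(r: Resource, fn: string): boolean {
  const name = r.Properties.FunctionName ?? {};
  return r.Type === "AWS::Lambda::Permission" &&
    r.Properties.Principal === "logs.amazonaws.com" &&
    r.Properties.Action === "lambda:InvokeFunction" &&
    (name.Ref === fn || name["Fn::GetAtt"]?.[0] === fn);
}

// Reports account-level subscription filter policies that skip step 2 or step 3.
function checkAccountPolicies(t: Template): string[] {
  const findings: string[] = [];
  for (const [id, r] of Object.entries(t)) {
    if (r.Type !== "AWS::Logs::AccountPolicy" || r.Properties.PolicyType !== "SUBSCRIPTION_FILTER_POLICY") continue;
    const fn = lambdaTarget(r);
    if (!fn) continue; // not a Lambda target in the form this check understands
    const perms = Object.entries(t)
      .filter(([, p]) => grantsLogsInvoke(p, fn)).map(([k]) => k);
    if (perms.length === 0) findings.push(`${id}: no logs.amazonaws.com invoke permission on ${fn}`);
    else if (!perms.some((p) => (r.DependsOn ?? []).includes(p)))
      findings.push(`${id}: missing DependsOn for ${perms.join(", ")}`);
  }
  return findings;
}

// Constructed sample: steps 1, 2 and 4 are present, step 3 (the dependency) is not.
const sample: Template = {
  Forwarder: { Type: "AWS::Lambda::Function", Properties: {} },
  ForwarderLogsPermission: {
    Type: "AWS::Lambda::Permission",
    Properties: { FunctionName: { "Fn::GetAtt": ["Forwarder", "Arn"] },
      Action: "lambda:InvokeFunction", Principal: "logs.amazonaws.com" },
  },
  AllLogsPolicy: {
    Type: "AWS::Logs::AccountPolicy",
    Properties: { PolicyName: "all-logs", PolicyType: "SUBSCRIPTION_FILTER_POLICY", Scope: "ALL",
      PolicyDocument: { "Fn::Sub": '{"DestinationArn":"${Forwarder.Arn}","FilterPattern":"","Distribution":"Random"}' } },
  },
};
```

For the sample, `checkAccountPolicies(sample)` returns one finding for `AllLogsPolicy`; adding `DependsOn: ["ForwarderLogsPermission"]` to that resource clears it.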

Labels: @aws-cdk/aws-logs (Related to Amazon CloudWatch Logs), feature-request (A feature should be added or improved.), p2
