fix(core): fix policy synthesizer logic for precreated roles

[GavinZZ]

Issue # (if applicable)

Closes #31653

Reason for this change

With Role.customizeRoles enabled, dynamodb.Table.addGlobalSecondaryIndex causes an error. This is a critical blocker for customers who require the use of customizeRoles.

Description of changes

Intended behaviour

When customizeRoles is used, the iam-policy-report.txt report will contain a list
of IAM roles and associated permissions that would have been created. This report is
generated so that it attempts to resolve any references and replace with a more user
friendly value.

The following are some examples of the value that will appear in the report:

"Resource": {
      "Fn::GetAtt": [
           "SomeResource",
           "Arn"
       ]
}

The policy report will instead get:

"(Path/To/SomeResource.Arn)"

Current issues

There are two main issues here:

1. Policy synthesizer (which is used for customizeRoles to generate report) is created with App scope. This caused the failure in the original issue Resolution error: PolicySynthesizer at 'PolicySynthesizer' should be created in the scope of a Stack, but no Stack found. because token resolution requires a Stack scope not an App scope.
2. The policy synthesizer was using DefaultTokenResolver. The default token resolution class does not generate the same format of output values for the policy report. i.e. A concatenated token value, i.e. ${Token[Token.X]}/index/* would be converted to (PhysicalId).Arn instead of "(Path/To/SomeResource.Arn)".
3. Pseudo parameters like AWS::NoValue would be rendered as Tokens in the policy report which is not idea. Update it to make it output NOVALUE.

This PR addresses the above two issues.

Description of how you validated changes

New and existing tests pass.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[Leo10Gama]

Overall changes look good! Just a few minor comments from me.

[Leo10Gama]

Changes LGTM! Will leave the do-not-merge label on for a second review from core to confirm changes are fine

[GavinZZ]

Discussed with Kendra offline and she's fine to merge this. Removing do-not-merge.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: c77e869
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.