chore(aws-config): fix failing integration tests#37072

Draft
aemada-aws wants to merge 1 commit into main from chore/fix-aws-config-integ-tests
Conversation

@aemada-aws (Contributor)

Issue # (if applicable)

N/A — Fixing failing integration tests for aws-config module.

Reason for this change

Three aws-config integration tests were failing because:

  1. NoAvailableConfigurationRecorder: AWS Config requires a Configuration Recorder and Delivery Channel to exist before Config Rules can be created. The CDK aws-config L2 constructs (CustomRule, CustomPolicy, ManagedRule, CloudFormationStackDriftDetectionCheck) create AWS::Config::ConfigRule resources but do NOT create these prerequisites. The test account had no Configuration Recorders.

  2. NAME_COLLISION: integ.rule.ts used the same stack name (aws-cdk-config-custompolicy) as integ.custompolicy.ts, causing conflicts when running in parallel.

  3. Invalid Guard policy: integ.custompolicy.ts used policyText: 'lazy-create-test' which is not valid Guard syntax and was never deployable.

  4. Unsupported evaluation modes: integ.rule-evaluation-mode.ts used PROACTIVE evaluation mode for rule types that don't support it (Lambda custom rules, API_GW_XRAY_ENABLED managed rule). Per AWS docs, only eip-attached supports proactive evaluation for managed rules.

Original errors:

  • integ.custompolicy: Resource handler returned message: "Invalid request provided: NoAvailableConfigurationRecorder"
  • integ.rule: Resource handler returned message: "Invalid request provided: NoAvailableConfigurationRecorder"
  • integ.rule-evaluation-mode: Resource handler returned message: "Invalid request provided: NoAvailableConfigurationRecorder"

Description of changes

All three tests — Added AWS Config prerequisites to each test stack:

  • IAM Role for config.amazonaws.com with AWS_ConfigRole managed policy
  • CfnConfigurationRecorder with the IAM role and scoped recording group
  • S3 Bucket (removalPolicy: DESTROY, autoDeleteObjects: true) for the delivery channel
  • S3 bucket policy granting config.amazonaws.com the s3:GetBucketAcl, s3:ListBucket, and s3:PutObject permissions (per AWS docs)
  • CfnDeliveryChannel pointing to the S3 bucket
  • DependsOn from all Config Rule constructs to both the recorder and delivery channel

integ.rule.ts — Additional fixes:

  • Fixed stack name from aws-cdk-config-custompolicy to aws-cdk-config-rule (collision with integ.custompolicy.ts)
  • Removed the "Warning! This test case can not be deployed!" comment (it now deploys successfully)

integ.custompolicy.ts — Additional fix:

  • Replaced invalid Guard policy text 'lazy-create-test' with valid Guard rule 'rule check_iam_user { resourceType == "AWS::IAM::User" }'

integ.rule-evaluation-mode.ts — Additional fixes:

  • Changed CustomRule (Lambda-based) evaluation mode from PROACTIVE to DETECTIVE (Lambda custom rules don't support proactive evaluation)
  • Changed ManagedRule from API_GW_XRAY_ENABLED with DETECTIVE_AND_PROACTIVE to EIP_ATTACHED with DETECTIVE (API_GW_XRAY_ENABLED doesn't support proactive; per AWS docs only eip-attached supports proactive for managed rules)
  • Changed CustomPolicy (Guard) evaluation mode to DETECTIVE

Describe any new or updated permissions being added

Each test stack now creates:

  • An IAM Role for config.amazonaws.com with the AWS_ConfigRole managed policy (required for Configuration Recorder)
  • An S3 bucket policy granting config.amazonaws.com service principal s3:GetBucketAcl, s3:ListBucket, and s3:PutObject permissions (required for Delivery Channel)
  • An IAM Role for the S3 auto-delete objects Lambda (from autoDeleteObjects: true)

These are test-only resources, not library changes.

Description of how you validated changes

yarn integ test/aws-config/test/integ.custompolicy.js test/aws-config/test/integ.rule.js test/aws-config/test/integ.rule-evaluation-mode.js \
  --disable-update-workflow --update-on-failed --force \
  --parallel-regions us-east-1 --parallel-regions us-east-2 --parallel-regions us-west-2 --parallel-regions eu-west-1 \
  --verbose

All 3 tests pass. Snapshots updated via integ-runner --update-on-failed.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

Add AWS Config prerequisites (Configuration Recorder, Delivery Channel,
S3 bucket with proper bucket policy) to all three aws-config integ tests.

- integ.custompolicy: add Config prerequisites, fix invalid Guard policy text
- integ.rule: add Config prerequisites, fix stack name collision, remove
  'cannot be deployed' warning
- integ.rule-evaluation-mode: add Config prerequisites, fix unsupported
  PROACTIVE evaluation modes, change managed rule to EIP_ATTACHED
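The wiring this PR adds (a recorder and delivery channel in each stack, DependsOn from every rule to both, and a bucket policy granting config.amazonaws.com only s3:GetBucketAcl, s3:ListBucket and s3:PutObject) is the kind of invariant that quietly regresses in a snapshot. The following is an added example, not code from the aws-cdk repository or from this PR: a small TypeScript lint over a synthesized CloudFormation template (the shape an integ snapshot has) that checks those invariants and, going one step beyond the PR, also flags wildcard actions granted to the Config service principal. The resource logical ids (ConfigRole, Recorder, Bucket, BucketPolicy, Channel, IamUserRule), the placeholder object ARN and the three sample templates are constructed for illustration; the three bucket actions and the AWS_ConfigRole managed policy are the ones the PR names.

```typescript
// Added example (not aws-cdk project code): lint a synthesized CloudFormation
// template for the AWS Config prerequisites described in the PR.
// Sample templates and logical ids below are constructed.

type Resource = {
  Type: string;
  Properties?: Record<string, any>;
  DependsOn?: string | string[];
};
type Template = { Resources: Record<string, Resource> };

// Permissions the delivery channel needs on its bucket (the three the PR grants).
const REQUIRED_BUCKET_ACTIONS = ["s3:GetBucketAcl", "s3:ListBucket", "s3:PutObject"];
const CONFIG_PRINCIPAL = "config.amazonaws.com";

function asArray<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

function byType(t: Template, type: string): string[] {
  return Object.keys(t.Resources).filter((id) => t.Resources[id].Type === type);
}

// Returns a list of findings; an empty list means the template passes.
export function lintConfigPrerequisites(t: Template): string[] {
  const findings: string[] = [];
  const recorders = byType(t, "AWS::Config::ConfigurationRecorder");
  const channels = byType(t, "AWS::Config::DeliveryChannel");
  if (recorders.length === 0) findings.push("no ConfigurationRecorder: rule creation fails with NoAvailableConfigurationRecorder");
  if (channels.length === 0) findings.push("no DeliveryChannel: the recorder has nowhere to deliver");

  // Every Config rule must be ordered after both prerequisites via DependsOn.
  for (const id of byType(t, "AWS::Config::ConfigRule")) {
    const deps = asArray(t.Resources[id].DependsOn);
    for (const req of [...recorders, ...channels]) {
      if (!deps.includes(req)) findings.push(`${id} lacks DependsOn ${req}`);
    }
  }

  // The delivery channel's bucket policy must grant the Config principal the
  // three required actions and nothing wildcarded.
  for (const ch of channels) {
    const bucketRef = JSON.stringify(t.Resources[ch].Properties?.S3BucketName);
    const policies = byType(t, "AWS::S3::BucketPolicy")
      .filter((id) => JSON.stringify(t.Resources[id].Properties?.Bucket) === bucketRef);
    if (policies.length === 0) findings.push(`${ch}: delivery channel bucket has no bucket policy`);
    for (const id of policies) {
      const granted = new Set<string>();
      for (const s of asArray<any>(t.Resources[id].Properties?.PolicyDocument?.Statement)) {
        if (s.Effect !== "Allow" || !asArray(s.Principal?.Service).includes(CONFIG_PRINCIPAL)) continue;
        for (const action of asArray<string>(s.Action)) {
          if (action.includes("*")) findings.push(`${id} grants wildcard action ${action} to ${CONFIG_PRINCIPAL}`);
          granted.add(action);
        }
      }
      for (const action of REQUIRED_BUCKET_ACTIONS) {
        if (!granted.has(action)) findings.push(`${id} does not grant ${action} to ${CONFIG_PRINCIPAL}`);
      }
    }
  }
  return findings;
}

// Constructed sample: the shape of a test stack after the fix.
export const FIXED_STACK: Template = {
  Resources: {
    ConfigRole: { Type: "AWS::IAM::Role", Properties: {
      AssumeRolePolicyDocument: { Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Principal: { Service: CONFIG_PRINCIPAL } }] },
      ManagedPolicyArns: ["arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"] } },
    Recorder: { Type: "AWS::Config::ConfigurationRecorder", Properties: {
      RoleARN: { "Fn::GetAtt": ["ConfigRole", "Arn"] },
      RecordingGroup: { AllSupported: false, ResourceTypes: ["AWS::IAM::User"] } } },
    Bucket: { Type: "AWS::S3::Bucket", Properties: {} },
    BucketPolicy: { Type: "AWS::S3::BucketPolicy", Properties: { Bucket: { Ref: "Bucket" }, PolicyDocument: { Statement: [
      { Effect: "Allow", Principal: { Service: CONFIG_PRINCIPAL }, Action: ["s3:GetBucketAcl", "s3:ListBucket"], Resource: { "Fn::GetAtt": ["Bucket", "Arn"] } },
      { Effect: "Allow", Principal: { Service: CONFIG_PRINCIPAL }, Action: "s3:PutObject", Resource: "<bucket-arn-placeholder>/*" },
    ] } } },
    Channel: { Type: "AWS::Config::DeliveryChannel", Properties: { S3BucketName: { Ref: "Bucket" } }, DependsOn: "BucketPolicy" },
    IamUserRule: { Type: "AWS::Config::ConfigRule", Properties: { Source: { Owner: "CUSTOM_POLICY" } }, DependsOn: ["Recorder", "Channel"] },
  },
};

// Constructed sample: the pre-fix shape, a rule with no prerequisites at all.
export const BROKEN_STACK: Template = {
  Resources: { IamUserRule: { Type: "AWS::Config::ConfigRule", Properties: { Source: { Owner: "CUSTOM_POLICY" } } } },
};

// Constructed sample: prerequisites present, but the rule is unordered and the policy is over-broad.
export const OVERBROAD_STACK: Template = JSON.parse(JSON.stringify(FIXED_STACK));
delete OVERBROAD_STACK.Resources.IamUserRule.DependsOn;
OVERBROAD_STACK.Resources.BucketPolicy.Properties!.PolicyDocument.Statement = [
  { Effect: "Allow", Principal: { Service: CONFIG_PRINCIPAL }, Action: "s3:*", Resource: "*" },
];
```

Run it against the JSON in a snapshot directory (`JSON.parse` the template file and pass it to `lintConfigPrerequisites`); the fixed stack yields no findings, the pre-fix stack reports the missing recorder and channel, and the over-broad variant reports both missing DependsOn edges plus the wildcard grant and the three required actions it no longer names explicitly.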
@github-actions github-actions bot added the p2 label Feb 24, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team February 24, 2026 17:23
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Feb 24, 2026
@aws-cdk-automation (Collaborator) left a comment


The pull request linter fails with the following errors:

❌ The title scope of the pull request should omit 'aws-' from the name of modified packages. Use 'config' instead of 'aws-config'.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

@github-actions github-actions bot (Contributor) commented Feb 24, 2026

⚠️ Experimental Feature: This security report is currently in an experimental phase. Results may include false positives and the rules are being actively refined.
Please try merging from main to avoid findings unrelated to the PR.

Tests                       Passed ✅          Skipped   Failed
Security Guardian Results   72 ran, 72 passed

Test                          Result
No test annotations available

@github-actions github-actions bot (Contributor) commented Feb 24, 2026

⚠️ Experimental Feature: This security report is currently in an experimental phase. Results may include false positives and the rules are being actively refined.
Please try merging from main to avoid findings unrelated to the PR.

Tests                                             Passed ✅          Skipped   Failed
Security Guardian Results with resolved templates 72 ran, 72 passed

Test                          Result
No test annotations available
