fix(custom-resources): IAM policy incorrect for SDKv3 names (#27313)
In the `AwsCustomResource` and the `Assertions` libraries, we advertise accepting all of the following service name formats:

* The SDKv3 service name: `api-gateway`
* The full SDKv3 package name: `@aws-sdk/client-api-gateway`
* The SDKv2 constructor name: `APIGateway`
* The SDKv2 constructor name in all lower case: `apigateway`

And the following action name formats:

* The API call name: `GetRestApi`
* The API call name with a lowercase starting letter method name: `getRestApi`
* The SDKv3 command class name: `GetRestApiCommand`

However, the code that was taking care of mapping service names into an IAM name was not handling all cases correctly.

There was also an issue with some commands that end in the word `"Command"`, like ECS's `ExecuteCommand`, which according to the rules above should work both written as `ExecuteCommand` as well as `ExecuteCommandCommand`: we did not have enough information to know, if we saw the string `ExecuteCommand`, whether we should interpret it as `Execute` or `ExecuteCommand`.

Also, we were recommending to use the full SDKv3 package name and class name formats:

```
{
  service: '@aws-sdk/client-api-gateway',
  action: 'GetRestApiCommand',
}
```

Which looks ugly (imo) and leaks too many of the underlying implementation details.

This PR changes the following:

- Deprecate the `sdk-api-metadata.json` we extracted from SDKv2.
- From SDKv3 models, extract a new `sdk-v3-metadata.json` which contains the following information:
  - IAM prefix for every service
  - A list of APIs that end in the word `Command`, so we can disambiguate around these.
- From `aws-sdk-codemod`, extract a mapping from SDKv2 service names to SDKv3 service names (replacing the copy/pasted code we used to have with a build-time extraction).
  - Unfortunately, both of these mappings are duplicated: once for the construct library, and once for the handlers. I did not want to go into deduplicating between these for now.
- At runtime, we now map a potential V2 service name to a V3 service name, then look up the V3 metadata to determine the IAM prefix and the normalized action name.
- There was a lot of duplication between the `assertions` handler and the `AwsCustomResource` handler (and to a lesser degree, the `events.ApiCall` handler), around loading SDKs and coercing values. Introduce a new `ApiCall` class that unifies the behavior between these call sites.
- Change the recommendation in the README from using SDKv3 names to using shorter form names (`api-gateway` and `GetRestApi`).
- Add "dynamic require" protection to the `esbuild` commands for custom resources.

Fixes #27255, closes #27268, closes #27270, closes #27395.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
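The normalization described in the commit message (any accepted service-name format to a V3 name, then a metadata lookup for the IAM prefix and the normalized action, with the `...Command` ambiguity resolved from a per-service list) can be shown as a small standalone TypeScript example. This is an added illustration, not aws-cdk's own `ApiCall` code or its generated `sdk-v3-metadata.json`; the two metadata tables below are constructed stand-ins for the files the PR generates (only `api-gateway` and `ecs` are filled in, with their real IAM prefixes `apigateway` and `ecs`), and the function names are the example's own.

```typescript
// Added example (not aws-cdk code). The tables are constructed assumptions
// standing in for the generated v2->v3 name map and sdk-v3-metadata.json.

interface ServiceMetadata {
  iamPrefix: string;               // prefix used in IAM actions, e.g. "apigateway"
  apisEndingInCommand: string[];   // API names whose real name ends in "Command"
}

// SDKv2 constructor name -> SDKv3 service name (stand-in for the codemod extract)
const V2_TO_V3: Record<string, string> = {
  APIGateway: 'api-gateway',
  ECS: 'ecs',
};

// SDKv3 service name -> IAM metadata (stand-in for sdk-v3-metadata.json)
const V3_METADATA: Record<string, ServiceMetadata> = {
  'api-gateway': { iamPrefix: 'apigateway', apisEndingInCommand: [] },
  'ecs': { iamPrefix: 'ecs', apisEndingInCommand: ['ExecuteCommand'] },
};

// Accepts api-gateway, @aws-sdk/client-api-gateway, APIGateway or apigateway.
function normalizeServiceName(service: string): string {
  // Full SDKv3 package name -> bare SDKv3 service name
  const name = service.replace(/^@aws-sdk\/client-/, '');
  if (V3_METADATA[name] !== undefined) {
    return name;
  }
  // SDKv2 constructor name, matched case-insensitively (APIGateway / apigateway)
  const lower = name.toLowerCase();
  for (const v2 in V2_TO_V3) {
    if (v2.toLowerCase() === lower) {
      return V2_TO_V3[v2];
    }
  }
  throw new Error('Unknown service name: ' + service);
}

// Accepts GetRestApi, getRestApi or GetRestApiCommand; keeps ExecuteCommand intact.
function normalizeActionName(v3Service: string, action: string): string {
  const meta = V3_METADATA[v3Service];
  if (meta === undefined) {
    throw new Error('No metadata for service: ' + v3Service);
  }
  // Method-style name -> API name: getRestApi -> GetRestApi
  let name = action.charAt(0).toUpperCase() + action.slice(1);
  // Strip the SDKv3 command-class suffix, but only when the API itself is not
  // one of the known names that genuinely end in "Command".
  if (/Command$/.test(name) && meta.apisEndingInCommand.indexOf(name) === -1) {
    name = name.slice(0, name.length - 'Command'.length);
  }
  return name;
}

// The IAM action string the custom resource's policy statement needs.
function iamAction(service: string, action: string): string {
  const v3 = normalizeServiceName(service);
  const meta = V3_METADATA[v3];
  return meta.iamPrefix + ':' + normalizeActionName(v3, action);
}

// Usage: every advertised spelling collapses to the same IAM action.
console.log(iamAction('@aws-sdk/client-api-gateway', 'GetRestApiCommand')); // apigateway:GetRestApi
console.log(iamAction('apigateway', 'getRestApi'));                         // apigateway:GetRestApi
console.log(iamAction('ECS', 'ExecuteCommandCommand'));                     // ecs:ExecuteCommand
console.log(iamAction('ecs', 'ExecuteCommand'));                            // ecs:ExecuteCommand
```

The important check is the last pair: without the per-service list of APIs that end in `Command`, `ExecuteCommand` would be cut down to `Execute` and the generated policy would grant the wrong action.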