feat(rum): add L2 AppMonitor construct with log group access

[pahud]

Issue # (if applicable)

Closes #35107.

Reason for this change

AWS CloudWatch RUM users need programmatic access to the CloudWatch log group that RUM creates when cwLogEnabled is set to true. This is essential for common use cases such as:

• Creating Lambda functions to process RUM log events for real-time alerting and custom analytics
• Setting up log group retention policies and permissions management
• Configuring log group permissions for cross-account access and monitoring
• Integrating RUM logs with other AWS services for comprehensive observability

Currently, users can only access the low-level CfnAppMonitor construct, which doesn't provide a convenient way to reference the associated log group. This forces users to manually construct log group names using complex CloudFormation references or hardcode naming patterns, which is error-prone and not maintainable.

The requested feature enables users to build sophisticated monitoring and alerting systems on top of RUM data, such as automatically paging engineering teams when critical performance issues are detected in real-user monitoring data.

Description of changes

This PR introduces a new L2 AppMonitor construct for the aws-rum-alpha module that provides comprehensive CloudWatch RUM functionality with seamless log group integration:

Core Implementation:

• Higher-level AppMonitor construct: Extends Resource and implements IAppMonitor interface following established CDK L2 patterns and conventions
• Automatic log group access: logGroup getter property that returns an ILogGroup interface when cwLogEnabled is true, enabling seamless integration with other CDK constructs
• Dynamic CloudFormation integration: Uses Fn.sub(), Fn.split(), and Fn.select() intrinsic functions to dynamically construct the log group name pattern RUMService_${name}${id.slice(0,8)} without requiring hardcoded values
• Import support: fromAppMonitorAttributes() static method for importing existing AppMonitor resources with full functionality preservation
• Comprehensive validation: Clear, actionable error messages when attempting to access log group when cwLogEnabled is false, with suggestions for proper configuration

Key Technical Decisions:

• Lazy initialization pattern: Log group reference is created only when accessed to avoid unnecessary CloudFormation resource creation and improve performance
• CloudFormation intrinsic functions: Uses native CloudFormation functions to construct log group names dynamically, ensuring full compatibility with CDK's CloudFormation generation and deployment process
• Interface compliance: Returns standard ILogGroup interface that works seamlessly with all existing CDK log-related constructs (subscription filters, retention policies, permissions, etc.)
• Alpha module approach: Implemented as alpha module to allow for rapid iteration and user feedback while maintaining stability for production use

Alternatives Considered:

• Adding logGroup property to existing L1 CfnAppMonitor - rejected due to L1 construct design principles
• Hardcoding log group name patterns - rejected due to maintainability and error-prone nature
• Creating utility functions instead of L2 construct - rejected as it doesn't follow CDK patterns for resource management

Design Decisions:

• Used lazy initialization to avoid creating unnecessary CloudFormation references
• Implemented comprehensive error handling with actionable messages
• Followed existing CDK patterns for L2 construct design and JSII compatibility
• Chose alpha module to enable rapid iteration while maintaining production readiness

Describe any new or updated permissions being added

N/A - This change does not introduce any new IAM permissions or security implications. The L2 construct uses the same underlying AWS::RUM::AppMonitor CloudFormation resource as the existing L1 construct.

Description of how you validated changes

Unit Tests:

• AppMonitor creation with minimal and comprehensive configurations
• Log group access when cwLogEnabled is true/false/undefined
• Import functionality via fromAppMonitorAttributes()
• Lambda subscription filter integration
• Error handling validation

Integration Tests:

• Real CloudFormation template generation and validation
• Multiple AppMonitor configurations tested
• CloudFormation outputs validation
• Snapshot testing for template stability

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.