fix(stepfunctions-tasks): missing tags & perms for emr cluster creati…

…on (#28327)

Per the [documentation](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-iam-policies.html#manually-tagged-resources):

* To use managed policies, pass the user tag `for-use-with-amazon-emr-managed-policies = true` when you provision a cluster with the CLI, SDK, or another method.
* For resources that are not created by Amazon EMR, you must add tags to those resources. For example, you must tag Amazon EC2 subnets, EC2 security groups (if not created by Amazon EMR), and VPCs (if you want Amazon EMR to create security groups).

Also, `AmazonEMRServicePolicy_v2` only has `iam:PassRole` on the default EMR roles and needs this on the cluster role created by the CDK.

Running the step function:

<img width="221" alt="Screenshot 2023-12-11 at 5 24 09 AM" src="https://github.com/aws/aws-cdk/assets/3310356/3b3b33c1-bcb8-4836-a1c0-123a8e7186ba">

<img width="661" alt="Screenshot 2023-12-11 at 5 24 03 AM" src="https://github.com/aws/aws-cdk/assets/3310356/c7f4fef9-0bce-42b9-a509-935cfe9a121b">

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/emr/integ.emr-create-cluster-with-spot-instance-fleet.js.snapshot/aws-cdk-emr-create-cluster-with-spot-instance-fleet.template.json

@@ -7,11 +7,6 @@
      "Statement": [
       {
        "Action": "sts:AssumeRole",
-       "Condition": {
-        "StringEquals": {
-         "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
-        }
-       },
        "Effect": "Allow",
        "Principal": {
         "Service": "elasticmapreduce.amazonaws.com"
@@ -36,6 +31,32 @@
     ]
    }
   },
+  "EmrCreateClusterServiceRoleDefaultPolicyA8B4FA32": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": "iam:PassRole",
+       "Effect": "Allow",
+       "Resource": {
+        "Fn::GetAtt": [
+         "EmrCreateClusterInstanceRoleC80466F5",
+         "Arn"
+        ]
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "EmrCreateClusterServiceRoleDefaultPolicyA8B4FA32",
+    "Roles": [
+     {
+      "Ref": "EmrCreateClusterServiceRole5251910D"
+     }
+    ]
+   }
+  },
   "EmrCreateClusterInstanceRoleC80466F5": {
    "Type": "AWS::IAM::Role",
    "Properties": {
@@ -90,6 +111,7 @@
      "Statement": [
       {
        "Action": [
+        "elasticmapreduce:AddTags",
         "elasticmapreduce:DescribeCluster",
         "elasticmapreduce:RunJobFlow",
         "elasticmapreduce:TerminateJobFlows"
@@ -197,7 +219,7 @@
        {
         "Ref": "EmrCreateClusterServiceRole5251910D"
        },
-       "\",\"ReleaseLabel\":\"emr-5.36.1\",\"Tags\":[{\"Key\":\"Key\",\"Value\":\"Value\"}],\"VisibleToAllUsers\":true}}}}"
+       "\",\"ReleaseLabel\":\"emr-5.36.1\",\"Tags\":[{\"Key\":\"Key\",\"Value\":\"Value\"},{\"Key\":\"for-use-with-amazon-emr-managed-policies\",\"Value\":\"true\"}],\"VisibleToAllUsers\":true}}}}"
       ]
      ]
     },