fix(aws-apigateway): CloudWatch logging should be disabled by default (under feature flag) #21546

Merged: 7 commits, Aug 12, 2022

Commits on Aug 10, 2022

  1. fix(aws-apigateway): CloudWatch logging should be disabled by default (under feature flag)
    
    Currently when you create a RestApi, CloudWatch logging is enabled by
    default. This will create an IAM role and an `AWS::ApiGateway::Account`
    resource, which is what is used to allow API Gateway to write API logs
    to CloudWatch logs. There can only be a single API Gateway account per
    AWS environment (account/region), but CloudFormation will not throw an
    error if you try to create additional accounts. Instead it will update
    the existing account with the new configuration.
    
    This can cause issues if customers create more than 1 RestApi.
    The following scenario is an example.
    
    1. Create a single `RestApi`
       A new `AWS::ApiGateway::Account` and IAM role are created.
    2. Create a second `RestApi`
       Another `AWS::ApiGateway::Account`/IAM role is created which
       _overwrites_ the first one. The first RestApi now uses the account/role
       created by this `RestApi`.
    3. Delete the second `RestApi`
       The `AWS::ApiGateway::Account`/IAM role is deleted along with the second
       `RestApi`. The first `RestApi` no longer has access to write to
       CloudWatch logs.
    
    Because of this behavior, the correct thing to do is to disable
    CloudWatch logs by default so that the user has to create the global
    resource separately. This new behavior is behind a feature flag
    `@aws-cdk/aws-apigateway:disableCloudWatchLogs`.
    
    In addition, the default retention policy for both the API Gateway
    account and IAM role has been set to `RETAIN` so that existing
    implementations that do not use the feature flag can avoid the above
    scenario. The resources will be unmanaged, but existing RestApis will
    not break.
    
    closes #10878
    corymhall committed Aug 10, 2022
    4bca66f
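
The overwrite-then-delete scenario in the commit message above can be checked for before deployment. The following is an added example, not code from this pull request or from the CDK: it scans synthesized CloudFormation templates for `AWS::ApiGateway::Account` resources that have more than one owning stack or lack `DeletionPolicy: Retain`. The stack names, logical IDs and issue labels are hypothetical, and all templates are assumed to deploy to the same account and region.

```python
ACCOUNT_TYPE = "AWS::ApiGateway::Account"

# Constructed sample: three synthesized templates, assumed to target one account/region.
SAMPLE_TEMPLATES = {
    "OrdersStack": {"Resources": {
        "OrdersRole": {"Type": "AWS::IAM::Role", "DeletionPolicy": "Retain"},
        "OrdersAccount": {"Type": ACCOUNT_TYPE, "DeletionPolicy": "Retain",
            "Properties": {"CloudWatchRoleArn": {"Fn::GetAtt": ["OrdersRole", "Arn"]}}},
    }},
    "BillingStack": {"Resources": {
        "BillingRole": {"Type": "AWS::IAM::Role"},
        "BillingAccount": {"Type": ACCOUNT_TYPE,
            "Properties": {"CloudWatchRoleArn": {"Fn::GetAtt": ["BillingRole", "Arn"]}}},
    }},
    # Synthesized with the feature flag on: no account-level resources at all.
    "ReportsStack": {"Resources": {"ReportsApi": {"Type": "AWS::ApiGateway::RestApi"}}},
}


def audit(templates):
    """Return sorted (stack, logical_id, issue) tuples for risky account-level resources."""
    findings, owners = [], []
    for stack, template in templates.items():
        resources = template.get("Resources", {})
        for logical_id, res in resources.items():
            if res.get("Type") != ACCOUNT_TYPE:
                continue
            owners.append((stack, logical_id))
            # Without Retain, deleting this stack removes the setting every RestApi relies on.
            if res.get("DeletionPolicy") != "Retain":
                findings.append((stack, logical_id, "account-not-retained"))
            ref = res.get("Properties", {}).get("CloudWatchRoleArn")
            if isinstance(ref, dict) and "Fn::GetAtt" in ref:
                target = ref["Fn::GetAtt"]  # ["Role", "Arn"] or "Role.Arn"
                role_id = target[0] if isinstance(target, list) else target.split(".")[0]
                role = resources.get(role_id)  # None when the role lives outside this template
                if role is not None and role.get("DeletionPolicy") != "Retain":
                    findings.append((stack, role_id, "role-not-retained"))
    # More than one owner: whichever stack deployed last silently overwrote the others.
    if len(owners) > 1:
        findings += [(s, l, "multiple-account-owners") for s, l in owners]
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_TEMPLATES):
        print(*finding, sep="\t")
```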

Commits on Aug 11, 2022

  1. 75a6b6a
  2. updating readme

    corymhall committed Aug 11, 2022
    9254740

Commits on Aug 12, 2022

  1. d62c2ec
  2. 48c3962
  3. e6aa347
  4. 746b9e6