fix(iam): support adding permissions to imported roles

[rix0rrr]

Now create a Policy and attach it to imported roles as well.

This will only work for imported roles in the same account. If you
need to reference roles in other accounts without trying to add
these policy statements, use an AwsPrincipal.

Relates to #2381, #2651, #2652, #2662.

---

Pull Request Checklist

• Testing
  • Unit test added (prefer not to modify an existing test, otherwise, it's probably a breaking change)
  • CLI change?: coordinate update of integration tests with team
  • cdk-init template change?: coordinated update of integration tests with team
• Docs
  • jsdocs: All public APIs documented
  • README: README and/or documentation topic updated
  • Design: For significant features, design document added to design folder
• Title and Description
  • Change type: title prefixed with fix, feat and module name in parens, which will appear in changelog
  • Title: use lower-case and doesn't end with a period
  • Breaking?: last paragraph: "BREAKING CHANGE: <describe what changed + link for details>"
  • Issues: Indicate issues fixed via: "Fixes #xxx" or "Closes #xxx"
• Sensitive Modules (requires 2 PR approvers)
  • IAM Policy Document (in @aws-cdk/aws-iam)
  • EC2 Security Groups and ACLs (in @aws-cdk/aws-ec2)
  • Grant APIs (only if not based on official documentation with a reference)

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.

[skinny85]

Just some tiny comments/questions.

[skinny85]

The methods addToPolicy and attachInlinePolicy are the same as in the Role class. I wonder whether we could use inheritance here to remove the duplication.

[skinny85]

I'm not sure I understand this test. Where does the Role with the logical ID MyRole come from?

[skinny85]

Oh wait, is this the physical name of the Role? Does that work in CFN?

[rix0rrr]

CFN is just doing a put-role-policy call with this parameter.