
Read in role ARN in preConfigure validation #2149

Merged
merged 1 commit into from
Oct 4, 2022

Conversation

guineveresaenger
Contributor

@guineveresaenger guineveresaenger commented Sep 21, 2022

Fixes #2144.

I followed the pattern we use in pulumi-azure to surface the underlying error.
I am open to other suggestions but I feel at this point it is more helpful to the user to forward the error from TF or AWS.

A screenshot of the new error surfacing when `aws:region` is not set:

[Screenshot: Screen Shot 2022-09-20 at 5 20 12 PM]

Sample terminal output for an invalid role ARN, with identity details removed:

```text
Diagnostics:
  aws:ec2:VpcIpam (guin):
    error: unable to validate AWS credentials. Details: IAM Role (xxxxxxxx/xxxx) cannot be assumed.

    There are a number of possible causes of this - the most common are:
      * The credentials used in order to assume the role are invalid
      * The credentials do not have appropriate permission to assume the role
      * The role ARN is not valid

    Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: yyyyyyyyyyyyyyy, api error AccessDenied: User: xxxxxxxxxxx is not authorized to perform: xxxxxxxxxx


    Make sure you have:

     	 • Set your AWS region, e.g. `pulumi config set aws:region us-west-2`
     	 • Configured your AWS credentials as per https://pulumi.io/install/aws.html
     	 You can also set these via cli using `aws configure`.
```
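As an added illustration of the wrapping pattern this thread discusses (not code from this PR or from pulumi-aws), the upstream STS/Terraform error is kept intact as the wrapped cause so nothing is swallowed and callers can inspect it with errors.Is/errors.As instead of parsing the message text, while the provider's own "Make sure you have" hint is appended. Config, validateCredentials and the injected assume function are hypothetical stand-ins, and the ARN check is only a shape check.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// CredentialsError surfaces the upstream error verbatim plus an actionable hint.
type CredentialsError struct {
	Cause error // upstream SDK/Terraform error, kept as-is
	Hint  string
}

func (e *CredentialsError) Error() string {
	return fmt.Sprintf("unable to validate AWS credentials. Details: %v\n\n%s", e.Cause, e.Hint)
}

// Unwrap lets callers use errors.Is/errors.As on the cause instead of string matching.
func (e *CredentialsError) Unwrap() error { return e.Cause }

const hint = "Make sure you have:\n" +
	"  * Set your AWS region, e.g. `pulumi config set aws:region us-west-2`\n" +
	"  * Configured your AWS credentials as per https://pulumi.io/install/aws.html"

// Shape of an IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<path/name>.
var roleARNPattern = regexp.MustCompile(`^arn:aws(-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+$`)

// Config is a hypothetical stand-in for the provider's resolved settings.
type Config struct{ Region, RoleARN string }

// validateCredentials checks the config and the (injected) AssumeRole call, wrapping
// whatever fails so the upstream detail and the hint are both shown to the user.
func validateCredentials(cfg Config, assume func(roleARN string) error) error {
	if cfg.Region == "" {
		return &CredentialsError{Cause: errors.New("aws:region is not set"), Hint: hint}
	}
	if cfg.RoleARN != "" {
		if !roleARNPattern.MatchString(cfg.RoleARN) {
			return &CredentialsError{Cause: fmt.Errorf("role ARN %q is not valid", cfg.RoleARN), Hint: hint}
		}
		if err := assume(cfg.RoleARN); err != nil {
			return &CredentialsError{Cause: fmt.Errorf("IAM Role (%s) cannot be assumed: %w", cfg.RoleARN, err), Hint: hint}
		}
	}
	return nil
}

func main() { fmt.Println(validateCredentials(Config{}, nil)) }
```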

@github-actions

Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

@guineveresaenger guineveresaenger requested a review from a team September 21, 2022 18:05
Contributor

@jkisk jkisk left a comment

Thank you, I agree we should pass along the error to assist users with debugging here.

@stack72
Contributor

stack72 commented Sep 21, 2022

I think we should tread carefully here... this may expose TF implementation details

@guineveresaenger
Contributor Author

@stack72 that was my concern as well - however, the increasing number of different errors a user can run into here is not something I'm comfortable swallowing anymore. The alternative is parsing the error string for mentions of assumeRole or "Assume Role: role ARN not set" and... I think that would be an antipattern.

@richmeij

richmeij commented Oct 3, 2022

Hi all, is there any update on this PR? It currently prevents us from updating the pulumi/aws provider to anything higher than 5.13.0

@wannessels

@stack72 can you elaborate on this?

> I think we should tread carefully here... this may expose TF implementation details

What details might leak here? Is that really problematic?

Right now we (and, reading through the issues, a lot of others as well) are stuck on 5.13.0, and even there we are hitting issues with roleArn not setting/propagating properly. It sounds like this patch could fix a lot if not all of those issues.

Successfully merging this pull request may close these issues.

Errors with aws:route53/getZone:getZone after upgrading to 5.14.0
6 participants