Initial AWS Vendor Access Module Configuration #2

Merged
merged 12 commits into from
Oct 21, 2022
Conversation

@jrsdav jrsdav (Contributor) commented Oct 21, 2022

Overview

This PR moves the AWS Vendor Access Module out of the terraform-aws-cloud repo, in order to decouple the two modules for supporting granular versioning, reason through version updates more clearly, and allow for faster development of the two modules.

Notable Changes & Improvements

Some small changes have been made to the Terraform module and IAM policies themselves, both to enhance security and make the module code more readable, and to also support the future v3.0.0 release of the terraform-aws-cloud module.

What's Changed

  • The eks_cluster_pattern, eks_nodepool_pattern, and the s3_bucket_pattern input variables have had their defaults changed from snc-* to *snc*. Going forward we may not always use the prefix snc-* for the resources we create (this was precipitated by changes to the community EKS module around default names for resources). But we will always anticipate resources we create to contain the string "snc", and we also needed to provide backwards compatibility for older resources created by our module, hence the shift to the double wildcard.
  • We have moved away from using the aws_iam_policy_document resource for management of the StreamNativeCloudRuntimePolicy, and are instead using a template file in the modules/aws/files directory. This makes the policy document easier to find and read, without having to dig through the Terraform module itself, and falls in line with the existing structure where the rest of the IAM policies were template files.
  • We have removed "runtime mode" logic from the module, which flipped between allowing/disallowing IAM policy creation for the bootstrap role and permission boundary. "Runtime Mode" is now the default behavior, where the IAM roles no longer have the ability to create IAM policies.

Left Todo

  • Update the CloudFormation template file to match the Terraform module's output. We will add the CF template at a later date.
  • Update the main README file
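Added example, not code from this PR or the StreamNative module: a scope check a reviewer can run when an IAM resource wildcard is widened, as with the `snc-*` to `*snc*` default change described above. It mirrors IAM's wildcard semantics (`*` and `?` only, an assumption about the matcher you want to reproduce; `fnmatch` would also treat `[...]` as a class) and reports which of a constructed sample of resource names fall newly in scope and whether any previously covered names lose coverage.

```python
import re

# Constructed sample of resource names (illustrative, not names from the
# StreamNative module) to evaluate the old and new wildcards against.
SAMPLE_NAMES = [
    "snc-prod-eks",        # old "snc-" prefix convention
    "snc-prod-eks-nodes",  # old convention, nodepool
    "prod-snc-eks",        # prefix added by the community EKS module
    "eks-nodes-snc",       # "snc" at the end of the name
    "sncdata",             # contains "snc" with no dash after it
    "prod-eks",            # no "snc" anywhere: out of scope either way
]


def iam_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM wildcard pattern into an anchored regex.

    IAM resource matching only knows '*' (any run of characters, including
    '/' and ':') and '?' (exactly one character); everything else is literal.
    fnmatch would also honour '[...]' classes, so translate by hand.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def in_scope(pattern: str, names: list[str]) -> list[str]:
    """Names the pattern lets the policy reach, in input order."""
    rx = iam_pattern_to_regex(pattern)
    return [n for n in names if rx.match(n)]


def scope_diff(old_pattern: str, new_pattern: str, names: list[str]):
    """Return (newly_in_scope, dropped) for a change of wildcard.

    A non-empty first list is what the policy reaches only after the change
    (review each entry); a non-empty second list means existing resources
    lost coverage, i.e. the change is not backwards compatible.
    """
    old = set(in_scope(old_pattern, names))
    new = set(in_scope(new_pattern, names))
    newly = [n for n in names if n in new and n not in old]
    dropped = [n for n in names if n in old and n not in new]
    return newly, dropped
```

Running `scope_diff("snc-*", "*snc*", SAMPLE_NAMES)` shows the double wildcard is a strict superset of the old prefix: nothing is dropped, and every name merely containing "snc" is now covered.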

@jrsdav jrsdav requested a review from a team as a code owner October 21, 2022 15:30
@jrsdav jrsdav self-assigned this Oct 21, 2022
@jrsdav jrsdav merged commit 348c89e into main Oct 21, 2022