Enable provisioning of permission set to orgMain / delegated admin account

[leelalagudu]

• There's been a recent change in the SSO admin API, wherein using specific IAM permisisons, you could now programmatically create/delete account assignments for org main/delegated admin account.
• The solution currently excludes provisioning to org main/delegated admin account as the earlier version of SSO admin API did not allow this.
• However, using the following permissions policy, provisioning lambda can now successfully assign/remove account assignment to org main / delegated admin account

{
    effect = "Allow"
    actions = [
      "iam:CreateRole",
      "iam:ListRolePolicies",
      "iam:AttachRolePolicy",
      "iam:PutRolePolicy"
    ]
    resources = [
      "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO*",
    ]
  }

  statement {
    effect = "Allow"
    actions = [
      "iam:GetSAMLProvider",
      "iam:CreateSAMLProvider"
    ]
    resources = [
      "arn:aws:iam::*:saml-provider/AWSSSO*",
    ]
  }

AC:

• The solution should now programmatically switch the permissions it uses to provision based on the target account it's provisioning the account assignment to
• Update docs to remove this limitation