Add support for managing stacks cross-account

[clareliguori]

The CFN controller currently supports deploying stacks to only a single account, using the AWS credentials found in the controller's environment. Potentially we could follow the ACK method of mapping AWS accounts to roles in a ConfigMap. I'm not sure whether we should follow the ACK example of binding accounts to namespaces (so all stacks in a namespace will be deployed to the same account) or if each CloudFormationStack object should be annotated with the account ID it belongs in.

https://aws-controllers-k8s.github.io/community/docs/user-docs/cross-account-resource-management/

apiVersion: v1
kind: Namespace
metadata:
  name: production
  annotations:
    cloudformation.contrib.fluxcd.io/owner-account-id: "111111111111"
EOF
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudformation-role-account-map
  namespace: flux-system
data:
  "111111111111": arn:aws:iam::111111111111:role/s3FullAccess
EOF

[gitbluf]

@clareliguori I'm also interested in this feature, but in the meanwhile, do you know if this controller is capable of assuming a cross-account role? Another option can be to use K8s to assume a service account in the same way flux components do.

[clareliguori]

@gitbluf The controller should be able to use a cross-account IAM role with EKS service accounts, and then run one controller per account you want to deploy to.

See the first example on this page for configuring a cross-account IAM role: https://docs.aws.amazon.com/eks/latest/userguide/cross-account-access.html

Instructions for using service accounts with this controller are here: https://github.com/awslabs/aws-cloudformation-controller-for-flux/blob/main/docs/install.md#option-1-short-lived-credentials-using-iam-roles-for-service-accounts-on-an-eks-cluster-recommended