Create a Hubverse AWS IAM role & policy to support the use of Lambda functions

[bsweger]

Background

The AWS Lambda function responsible for transforming incoming model-output files will require specific IAM role and permissions. These currently exist: they were created manually to test the use of S3 triggers/lambda functions and now need to be codified in Pulumi, our infrastructure as code (IaC) tool.

Work required

Use Pulumi to create the AWS IAM components required to support a "hubverse transform" lambda function, so that:

• each cloud-enabled hub will have its model-output data transformed to parquet, etc.
• the IAM resources are managed via infrastructure as code with our other AWS resources

Definition of done

• [x] Pulumi code base defines an IAM policy that allows write access to AWS CloudWatch logs (Lamda functions require write access to Cloudwatch)
• [x] Pulumi code base creates an additional IAM role for each hub that has 2 attached policies: the existing policy that allows writes to the hub's S3 bucket, and the CloudWatch log write policy defined above
• [x] The IAM role created above has a trust policy that allows it to be assumed by the AWS lamda service
• [x] Pulumi creates these required IAM resources when the PR for this issue is merged

More information about AWS permissions and lambda: https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html

[bsweger]

Parts of this work got entwined with #36, because the shared, hubverse-wide IAM roles and policies made more sense to write as part of the PR that creates the lambda that requires them.

The hub-specific pieces of this issue will be in a follow-up PR (WIP branch: https://github.com/Infectious-Disease-Modeling-Hubs/hubverse-infrastructure/tree/bsweger/add-hub-specific-lambda-infra)

[bsweger]

Additional permissions added to the AWS IAM roles used for infrastrature:

hubverse-infrastructure-write-policy

• PutBucketNotification