seqeralabs / cx-field-tools-installer

Unofficial Terraform solution to help clients install Seqera Platform
Apache License 2.0

Allow Installer to bootstrap its own AWS Account credentials #106

Open gwright99 opened 3 months ago

gwright99 commented 3 months ago

A deliberate design decision was made in that the Terraform installer would be limited only to creating IAM resources necessary for the Tower VM to be able to access other installer-related mechanisms (i.e. SSM secrets) and not create the AWS credential that Tower uses to submit jobs into AWS (e.g. AWS Batch).

This was done for a few reasons:

  1. Separation of concerns.
  2. Scope control.
  3. Management of liability (an improperly configured AWS credential used by Tower could generate large real-world bills, so it was best to let a client explicitly create this credential themselves in an out-of-band process.)

The downside of this decision is that implementers must go through a manual process to create the necessary credential - often with some confusion and difficulty - before they can use the Seqerakit features of the installer and/or conduct benchmarking / pipeline launches into AWS Batch.

It would not be difficult to extend the tool's capabilities to generate the necessary key set and permissions. This would speed up the deployment process and remove another pain point for the user, albeit at the cost of weakened segregation of concerns.

This ticket has been cut to discuss whether we could introduce this feature and what concerns we should be mindful of.

gwright99 commented 3 months ago

@nate-simon -- FYI given your recent client conversation. @schaluva -- for awareness and peer opinion.

gwright99 commented 3 months ago

Two different ways this could be implemented:

  1. Leverage TOWER_ALLOW_INSTANCE_CREDENTIALS so that the IAM Role created by Terraform can also be used by Tower to submit jobs to AWS.
    1. Requires augmenting existing policies with the policies documented at nf-tower-aws.
  2. Create additional IAM entities (User & Role) as part of the deployment if a flag is set indicating that the TF installer should be able to bootstrap the AWS creds.
    1. Also requires the policies documented at nf-tower-aws.
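
The two options above, sketched as Terraform. This is an added illustration, not code from cx-field-tools-installer or from the comment author; the flag `var.bootstrap_aws_credentials`, the role/user/parameter names, and the local policy file paths are assumptions, and the Forge/Launch policy JSON from nf-tower-aws is referenced by file path rather than reproduced. In a real deployment only one of the two options would be enabled; both are shown so the difference is visible.

```hcl
# Added example (not part of cx-field-tools-installer). Names below are assumptions.

variable "bootstrap_aws_credentials" {
  description = "Hypothetical flag: when true, the installer creates the IAM identities Tower uses to submit AWS Batch jobs."
  type        = bool
  default     = false
}

locals {
  # Assumed local copies of the Forge/Launch policy documents from nf-tower-aws;
  # their JSON is not reproduced here.
  tower_policy_files = {
    forge  = "${path.module}/policies/forge-policy.json"
    launch = "${path.module}/policies/launch-policy.json"
  }
}

# Both options attach the same nf-tower-aws policies; only the principal differs.
resource "aws_iam_policy" "tower_batch" {
  for_each = var.bootstrap_aws_credentials ? local.tower_policy_files : {}
  name     = "tower-${each.key}-policy"
  policy   = file(each.value)
}

# Option 1: reuse the Tower VM's instance role. Tower must run with
# TOWER_ALLOW_INSTANCE_CREDENTIALS=true for this to take effect.
# aws_iam_role.tower_vm stands in for the role the installer already creates.
resource "aws_iam_role" "tower_vm" {
  name = "tower-vm-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "tower_vm_batch" {
  for_each   = aws_iam_policy.tower_batch
  role       = aws_iam_role.tower_vm.name
  policy_arn = each.value.arn
}

# Option 2: a dedicated IAM user whose access key Tower registers as a credential.
resource "aws_iam_user" "tower_batch" {
  count = var.bootstrap_aws_credentials ? 1 : 0
  name  = "tower-batch-user"
}

resource "aws_iam_user_policy_attachment" "tower_batch" {
  for_each   = aws_iam_policy.tower_batch
  user       = aws_iam_user.tower_batch[0].name
  policy_arn = each.value.arn
}

resource "aws_iam_access_key" "tower_batch" {
  count = var.bootstrap_aws_credentials ? 1 : 0
  user  = aws_iam_user.tower_batch[0].name
}

# Deliver the secret through SSM, the channel the installer already uses for
# secrets, instead of printing it. The key is still written to Terraform state,
# so the state backend has to be protected as a secret store.
resource "aws_ssm_parameter" "tower_batch_secret" {
  count = var.bootstrap_aws_credentials ? 1 : 0
  name  = "/tower/aws/secret_access_key"
  type  = "SecureString"
  value = aws_iam_access_key.tower_batch[0].secret
}

output "tower_batch_access_key_id" {
  value = var.bootstrap_aws_credentials ? aws_iam_access_key.tower_batch[0].id : null
}
```

With the flag left at its default of `false`, every gated resource has zero instances and the installer behaves exactly as it does today, which keeps the original out-of-band credential process as the default. Whichever option is chosen, the liability concern raised in the issue does not go away: the attached policies, not the Terraform wiring, are what bound the bill that a misconfigured credential can generate, so they should be reviewed against nf-tower-aws before the flag is ever set.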