
Document trust policy and permissions for the cross-account-access Role

Open benbridts opened this issue 4 years ago • 0 comments

We already have a process to provision accounts, and are going to use a separate role dedicated to ADF for the bootstrap provisioning.

It would be great if the documentation would mention:

  • The exact role that will be assuming this role, so we can put it in the trust policy
  • The (minimum) required permissions for it to do the bootstrap actions.

From a quick look at the code, it seems that some of the required permissions are:

For "generic accounts":

  • ssm:PutParameter and ssm:GetParameter on kms_arn, bucket_name and deployment_account_id (code)

For the deployment account:

  • ssm:GetParameter on /cross_region/kms_arn/{region} and /cross_region/s3_regional_bucket/{region} (code)
  • sfn:StartExecution on stateMachine:EnableCrossAccountAccess (code)
  • CloudFormation permissions on adf-{region}-base-{ou} + the required permission for things in the bootstrap configuration.

For the management account:

  • ssm:PutParameter on deployment_account_id (code)
  • ssm:PutParameter on organization_id, master_account_id, notification_endpoint, notification_type, cross_account_access_role, deployment_account_bucket, adf_version, and adf_log_level (code)

It might also be possible to move some things around / work with tags so that names are more predictable, and this becomes easier to write (e.g. putting all Parameters under /adf/).

benbridts · Mar 26 '21 15:03
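As an added illustration of what the issue is asking for (this is not ADF's own documentation or policy, and the principal that assumes the role is exactly what the issue says is undocumented), below is how the deployment-account permissions listed in the post would be expressed as a scoped IAM policy. Everything in ALL_CAPS is a placeholder: DEPLOYMENT_ACCOUNT_ID, MANAGEMENT_ACCOUNT_ID, REGION, OU and, in the trust policy, ROLE_THAT_ASSUMES_THIS are assumptions to be replaced once the project documents them. The CloudFormation action list is also an assumption (the post only says "CloudFormation permissions"), and the open-ended "required permission for things in the bootstrap configuration" is deliberately not modelled because it depends on each deployment's templates.

```json
{
  "TrustPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowOnlyTheDocumentedAdfPrincipal",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::MANAGEMENT_ACCOUNT_ID:role/ROLE_THAT_ASSUMES_THIS"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  },
  "PermissionsPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ReadCrossRegionParameters",
        "Effect": "Allow",
        "Action": "ssm:GetParameter",
        "Resource": [
          "arn:aws:ssm:REGION:DEPLOYMENT_ACCOUNT_ID:parameter/cross_region/kms_arn/REGION",
          "arn:aws:ssm:REGION:DEPLOYMENT_ACCOUNT_ID:parameter/cross_region/s3_regional_bucket/REGION"
        ]
      },
      {
        "Sid": "StartEnableCrossAccountAccessStateMachine",
        "Effect": "Allow",
        "Action": "sfn:StartExecution",
        "Resource": "arn:aws:states:REGION:DEPLOYMENT_ACCOUNT_ID:stateMachine:EnableCrossAccountAccess"
      },
      {
        "Sid": "ManageBootstrapBaseStack",
        "Effect": "Allow",
        "Action": [
          "cloudformation:CreateStack",
          "cloudformation:UpdateStack",
          "cloudformation:DescribeStacks",
          "cloudformation:DescribeStackEvents",
          "cloudformation:CreateChangeSet",
          "cloudformation:DescribeChangeSet",
          "cloudformation:ExecuteChangeSet",
          "cloudformation:DeleteChangeSet"
        ],
        "Resource": "arn:aws:cloudformation:REGION:DEPLOYMENT_ACCOUNT_ID:stack/adf-REGION-base-OU/*"
      }
    ]
  }
}
```

The two documents are grouped in one object only for readability; in practice the `TrustPolicy` value is the role's assume-role policy document and `PermissionsPolicy` is attached as an inline or managed policy. The point of scoping every `Resource` to the parameter names, state machine and stack prefix named in the post is that a role trusted by another account should not be able to read or write parameters outside the ADF namespace, which is also why the post's suggestion of moving all parameters under a single prefix such as `/adf/` would make such a policy shorter and less error-prone to maintain.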