
Fix deployment bootstrap IAM PassRole permissions

Open sbkok opened this issue 1 year ago • 0 comments

Issue: #755

Why?

When an update is performed in the bootstrap repository, it will run sam build to generate the bootstrap stack for the deployment account.

This, however, includes new versions of some of its dependencies and therefore requires the Lambda Functions to update. While updating, it requires the iam:PassRole permission to pass the role to the new Lambda Function version.

This was not permitted by the update deployment role as used for minor updates, as reported in the issue linked above.

What?

Updated the update deployment bootstrap role to include the required permissions to pass those roles as required.

Unfortunately, some of the Lambda functions relied on the Policies feature of SAM. This would auto generate a name for the role, thereby making it impossible to lock down permissions to the bare minimum. Hence, those functions now rely on dedicated Roles such that we can list the ARNs properly.

Half of the policies for the updated bootstrap deployment role have been relocated to an IAM Managed Policy to work around the 10k inline-policy limit.

Additionally, the permission to perform the codebuild:BatchGetProjects on the pipeline management CodeBuild project was missing.


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

sbkok avatar Oct 25 '24 21:10 sbkok
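As an added example (not code from the aws-deployment-framework project or this PR), the check below illustrates the point behind moving from SAM's auto-named roles to dedicated ones: an iam:PassRole grant can only be pinned down when the role ARNs are known. It lints an IAM policy document and flags Allow statements granting iam:PassRole with a wildcard Resource or without an iam:PassedToService condition; the account id, Sids and role names in the sample are constructed placeholders.

```python
import json

# Constructed sample policy with one properly scoped and one overly broad statement.
# Account id, Sids and role names are placeholders, not ADF's real identifiers.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Scoped: explicit role ARNs plus the service allowed to receive them
            "Sid": "PassDedicatedLambdaRoles",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::111122223333:role/example-bootstrap-lambda-role-a",
                "arn:aws:iam::111122223333:role/example-bootstrap-lambda-role-b",
            ],
            "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
        },
        {   # Broad: covering a SAM auto-named role forces a wildcard resource
            "Sid": "PassAnyRole",
            "Effect": "Allow",
            "Action": ["iam:PassRole", "lambda:UpdateFunctionConfiguration"],
            "Resource": "*",
        },
    ],
})


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_unscoped_pass_role(policy_json):
    """Return the Sids of Allow statements that grant iam:PassRole without both an
    explicit (wildcard-free) role ARN list and an iam:PassedToService condition."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("iam:passrole", "iam:*", "*") for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        wildcard = any("*" in r for r in resources)  # also catches role/prefix-* patterns
        service = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if wildcard or service is None:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print(find_unscoped_pass_role(SAMPLE_POLICY))
```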