cdk-constructs
add permissions boundary option for iam roles regarding the custom resources of cdk-pull-request-approval-rule
Sorry for the lack of description.
The custom resource will invoke a Lambda function for cdk-pull-request-approval-rule and for cdk-pull-request-approval-rule-association. This Lambda function requires an execution/invocation IAM role. The `cdk deploy` will fail with an explicit deny when creating the necessary role(s):
| Timestamp | Logical ID | Status | Status reason |
| --- | --- | --- | --- |
| 2020-11-18 09:29:46 UTC+0200 | CustomApprovalRuleTemplateCustomResourceProviderRoleBFA17D2F | CREATE_FAILED | API: iam:CreateRole User: arn:aws:sts::123456789012:assumed-role/Engineer/lagrianitis is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::123456789012:role/cdk-constructs-CustomApprovalRuleTemplateCustomRes-1JBWAZH9LHIGR with an explicit deny |
| 2020-11-18 09:29:45 UTC+0200 | CustomApprovalRuleTemplateCustomResourceProviderRoleBFA17D2F | CREATE_IN_PROGRESS | Did not have IAM permissions to process tags on AWS::IAM::Role resource. |
The reason for that is that there is a company policy requiring all principals to attach a permissions boundary to any IAM role in order to be able to deploy it, for security reasons.
That said, I am unsure where exactly this can fit in the custom construct, as my TypeScript skills are poor. I think https://docs.aws.amazon.com/cdk/api/latest/docs/custom-resources-readme.html#customizing-the-lambda-function-implementing-the-custom-resource might help.
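For readers hitting the same explicit deny, the following is an added example and not code from the cdk-constructs project. It shows the check a deployment pipeline can run on the output of `cdk synth`: find every `AWS::IAM::Role` in the synthesized template (including the provider role CDK generates for the custom resource, which the event above names) that does not carry the required `PermissionsBoundary`, and produce a corrected template with the boundary applied. The boundary policy ARN and the trimmed-down sample template are constructed placeholders; inside a CDK app the same effect is achieved by applying the boundary to every role in a scope (current CDK versions expose this as `iam.PermissionsBoundary.of(scope).apply(policy)`), which is what a construct option for this issue would wire up.

```typescript
// Added example (not part of the cdk-constructs project): audit and repair the
// PermissionsBoundary property on every AWS::IAM::Role in a synthesized template.

type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

const ROLE_TYPE = "AWS::IAM::Role";

// Placeholder boundary ARN (assumption: the real policy name is not given in the issue).
const BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/EXAMPLE-permissions-boundary";

/** Logical IDs of roles whose PermissionsBoundary is missing or is not the expected ARN. */
function rolesMissingBoundary(template: CfnTemplate, boundaryArn: string): string[] {
  return Object.entries(template.Resources)
    .filter(([, res]) => res.Type === ROLE_TYPE)
    .filter(([, res]) => res.Properties?.PermissionsBoundary !== boundaryArn)
    .map(([id]) => id);
}

/**
 * Copy of the template with the boundary set on every role. Existing boundaries are
 * overwritten so a role cannot sidestep the company policy with a weaker one; the
 * input template is left untouched.
 */
function applyBoundary(template: CfnTemplate, boundaryArn: string): CfnTemplate {
  const resources: Record<string, CfnResource> = {};
  for (const [id, res] of Object.entries(template.Resources)) {
    resources[id] =
      res.Type === ROLE_TYPE
        ? { ...res, Properties: { ...(res.Properties ?? {}), PermissionsBoundary: boundaryArn } }
        : res;
  }
  return { ...template, Resources: resources };
}

// Constructed sample: a cut-down custom resource provider role with the logical ID from the
// failed CloudFormation event, plus a non-role resource that must be left alone.
const sampleTemplate: CfnTemplate = {
  Resources: {
    CustomApprovalRuleTemplateCustomResourceProviderRoleBFA17D2F: {
      Type: "AWS::IAM::Role",
      Properties: {
        AssumeRolePolicyDocument: {
          Version: "2012-10-17",
          Statement: [
            { Effect: "Allow", Principal: { Service: "lambda.amazonaws.com" }, Action: "sts:AssumeRole" },
          ],
        },
        ManagedPolicyArns: ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"],
      },
    },
    ApprovalRuleTemplateBucket: { Type: "AWS::S3::Bucket" },
  },
};

// Pipeline-style usage: report offenders, then emit the repaired template.
const offenders = rolesMissingBoundary(sampleTemplate, BOUNDARY_ARN);
console.log("roles without the required boundary:", offenders);
const repaired = applyBoundary(sampleTemplate, BOUNDARY_ARN);
console.log("after repair:", rolesMissingBoundary(repaired, BOUNDARY_ARN));
```

Run it over the JSON that `cdk synth` writes to `cdk.out` and fail the pipeline when `rolesMissingBoundary` returns anything; that catches the generated provider role before CloudFormation reports the explicit deny shown in the event table above.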
@lagrianitis What exactly do you mean?
@hupe1980 I've added the description so the issue will make more sense.