Describe the bug
While attempting to upgrade from v1.10.0 to v1.11.0 it was found that the SCPs applied did not include the newly created Installer role.
error:
User: arn:aws:sts::000011112222:assumed-role/blah-blah-installer-admin-role/AWSCodeBuild-29RANDOMSTRING
is not authorized to perform: iam:PassRole on
resource: arn:aws:iam::000011112222:role/cdk-accel-cfn-exec-role-000011112222-eu-west-1
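with an explicit deny in a service control policy
This new role was created as part of this commit.
This section of the guardrail needed to be updated to include the new role to allow for the installer pipeline to run successfully.
To Reproduce
Attempt install v1.11.0 with the "Guardrails-2.json" applied to the OU with the pipeline account (Infrastructure OU)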
Expected behavior
A Note in the change log that this new role would be created would have been helpful as a pre-requisite.
An update to the guardrails-2.json to include the new role in the condition on the IamRolesStatement statement so that we could know ahead of running would have been helpful as well.
Please complete the following information about the solution:
Version: v1.11.0
Region: eu-west-1
Was the solution modified from the version published on this repository? No
If the answer to the previous question was yes, are the changes available on GitHub? N/A
Have you checked your service quotas for the services this solution uses? N/A
Were there any errors in the CloudWatch Logs? No
turqual changed the title from "Install Fails Due to ew installer role not being included in guardrails" to "Install Fails Due to New Installer Role Not Being Included in Guardrails" on Dec 31, 2024
Thank you for making us aware of this issue. I have created a ticket in our backlog to update the documentation on our external pipeline deployments, particularly around the preventative controls needing to be applied. I will keep this issue open in the meantime. Please let me know if you have any additional questions or concerns.
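A pre-upgrade check of the kind the report asks for, as an added example (not part of the issue or the project's code): it reads an SCP document and lists the Deny statements that cover an action without exempting the calling role through `ArnNotLike` on `aws:PrincipalArn`. `SAMPLE_SCP` is constructed for illustration and is not the contents of guardrails-2.json; the check ignores `Resource`, `NotAction` and other condition operators, and assumes the role has no IAM path.

```python
import re

def _like(pattern, value, flags=0):
    """IAM wildcard match: '*' is any run of characters, '?' is exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def arn_like(pattern, arn):
    """ArnLike semantics: the six colon-delimited ARN parts are matched separately."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(_like(x, y) for x, y in zip(p, a))

def session_to_role_arn(arn):
    """aws:PrincipalArn for a role session is the role ARN, not the STS session ARN."""
    m = re.fullmatch(r"arn:([^:]+):sts::(\d{12}):assumed-role/([^/]+)/.+", arn)
    return f"arn:{m[1]}:iam::{m[2]}:role/{m[3]}" if m else arn

def _as_list(v):
    return v if isinstance(v, list) else [v]

def blocking_statements(scp, principal_arn, action):
    """Sids of Deny statements that cover `action` and do not exempt the principal."""
    role_arn = session_to_role_arn(principal_arn)
    hits = []
    for st in _as_list(scp["Statement"]):
        covers = any(_like(a, action, re.IGNORECASE) for a in _as_list(st.get("Action", [])))
        if st.get("Effect") != "Deny" or not covers:
            continue
        exempt = []  # patterns under ArnNotLike / aws:PrincipalArn (key name is case-insensitive)
        for op, keys in st.get("Condition", {}).items():
            for key, pats in keys.items():
                if op == "ArnNotLike" and key.lower() == "aws:principalarn":
                    exempt += _as_list(pats)
        if not any(arn_like(p, role_arn) for p in exempt):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

# Constructed SCP for illustration; NOT the contents of the project's guardrails-2.json.
SAMPLE_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "IamRolesStatement", "Effect": "Deny",
    "Action": ["iam:PassRole", "iam:DeleteRole"], "Resource": "*",
    "Condition": {"ArnNotLike": {"aws:PrincipalARN": [
        "arn:aws:iam::*:role/example-pipeline-role"]}}}]}
# Principal copied from the error message in the issue.
SESSION = ("arn:aws:sts::000011112222:assumed-role/"
           "blah-blah-installer-admin-role/AWSCodeBuild-29RANDOMSTRING")

if __name__ == "__main__":
    print(blocking_statements(SAMPLE_SCP, SESSION, "iam:PassRole"))
```

An empty result for the installer role and `iam:PassRole` means no Deny statement in the checked policy blocks it on the principal condition; any Sid returned names the statement whose exemption list needs the role added before the pipeline runs.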