Create AWS permissions required to deploy the model-output transform lambda from GitHub Actions

[bsweger]

Background

This is related to (and a pre-requisite for) hubverse-org/hubverse-transform#6

The hubverse-transform repo will have a GitHub action that deploys an AWS Lambda package by creating the package and writing it to an S3 bucket (hubverse-assets).

Thus, that repo's GitHub actions will need to assume an AWS IAM role that has permissions to write to hubverse-assets.

Definition of done

• The Pulumi code base creates an IAM role with a resource policy that specifies list/get/delete/write access to s3://hubverse-assets
• The new role's trust policy specifies that the role can be assumed only via GitHub OIDC provider and only by the main branch of the hubverse-transform repo

[bsweger]

We should be able to copy and re-purpose some existing code to do this. See the first 3 functions of iam.py: https://github.com/Infectious-Disease-Modeling-Hubs/hubverse-infrastructure/blob/main/src/hubverse_infrastructure/hubs/iam.py#L5

[bsweger]

Because we're getting close to the Hubverse's GitHub org name change, will plan to hold off on this work until that's completed (because the trust policy is based on GitHub org and repo name).