Add GetFunction and GetPolicy permissions to the build image cleanup role

[hgreebe]

Description of changes

• Add GetFunction and GetPolicy permissions to the build image cleanup role
• AccessDenied Errors were encountered when trying to delete the DeleteFunction Lambda function
• Cloudtrail events were encountering the following error:

User: arn:aws:sts::<ACCOUNT_ID>:assumed-role/PClusterBuildImageCleanupRole-*-v1/ParallelClusterImage-* is not authorized to perform: lambda:GetFunction on resource: arn:aws:lambda:us-west-2:<ACCOUNT_ID>:function:ParallelClusterImage-* because no identity-based policy allows the lambda:GetFunction action

User: arn:aws:sts::<ACCOUNT_ID>:assumed-role/PClusterBuildImageCleanupRole-*-v1/ParallelClusterImage-* is not authorized to perform: lambda:GetPolicy on resource: arn:aws:lambda:us-west-2:<ACCOUNT_ID>:function:ParallelClusterImage-* because no identity-based policy allows the lambda:GetPolicy action

Tests

• Running test_build_image and checked CloudTrail to validate that GetFunction and GetPolicy actions no longer had AccessDenied errors.

Please review the guidelines for contributing and Pull Request Instructions.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[gmarciani]

IIRC we need to increment only when we introduce breaking changes to the policy. This is an additive fix, not a breaking change. So I think we can keep the version to 1.

Can you please double check?
If this is the case, then please also fix the comment, as it could be misleading.

[gmarciani]

Nope, I was wrong. We need to increase the version at every change, because we do not modify the exisitng role
See code

aws-parallelcluster/cli/src/pcluster/imagebuilder_utils.py

Lines 223 to 224 in e2d21fc

	if already_bootstrapped:
	return role_arn

[gmarciani]

[Test] I would expect a unit test to be adapted accordingly. If there is no unit test covering this part, can we add it to cover this change?