New options to configure roles and VPC

[kvch]

From now on it is possible to configure permissions in functionbeat.yml for the deployed lambda function. Two new options are added: role and virtual_private_cloud.

# Execution role of the function.
role: arn:aws:iam::123456789012:role/MyFunction

# Connect to private resources in an Amazon VPC.
virtual_private_cloud:
  security_group_ids:
    - mySecurityGroup
    - anotherSecurityGroup
  subnet_ids:
    - myUniqueID

Note: I don't really like the name virtual_private_cloud as it's too long. But naming the option vpc seems wrong. Do you have any other suggestions?

Closes #9425

[ph]

We are using the arn reference in a few places in the code, we might want to create a custom type for it and have a single place to validate it.

As a note, I've decided not to add a validation for arn, since I was a bit worried that we would get it wrong. Can you add a link concerning the rules for an ARN.

[ph]

Note: I don't like the name virtual_private_cloud as it's too long. But naming the option vpc seems wrong. Do you have any other suggestions?

Well, I don't like long names, but in this case, we use it for configuration and it clearly describes the intent.

[ph]

I think we should log that we are using a custom role, I presume that we will get a few questions concerning the policies required if they use their role. So I think we will need to create a followup issue doc issue to describe them. Can you coordinate with @dedemorton for that?

[kvch]

Sure.

[kvch]

Created issue with the required policies: #11787

[ph]

@kvch we will also need a changelog entry.

[ph]

Change LGTM, I will do a quick human check asap.