OpenShift Request For Enhancement: RFE-3753

Pass pre-created AWS IAM InstanceProfiles to the installer


      User Story:

      As a user, I want to be able to pre-create AWS IAM instance profiles for the control plane, worker and bootstrap nodes, so that the installer's IAM policy does not have to be granted privileged IAM actions.

      This allows the user to withhold the IAM `AddRoleToInstanceProfile` permission, which the installer needs today in order to attach the IAM role to the instance profile. The installer policy can then be restricted further: because the user passes the instance profile to the installer, and the instance profile already carries the ARN of the IAM role assigned to it, the installer policy can limit the `iam:PassRole` resource to that specific role ARN.

      The above IAM actions can be used for privilege escalation, because today we do not restrict which AWS IAM role ARN is passed to the instance profile.

      For Managed OpenShift we can't completely restrict this ARN since we allow users to define their own role names.

      Removing these permissions from the installer policy significantly improves the security profile of both the installer and Managed OpenShift.

      Acceptance Criteria:

      Description of criteria:

      • Upstream documentation
      • Installs should complete without the `PassRole` and `AddRoleToInstanceProfile` actions being granted when instance profile ARNs are passed to the installer
      • Have the option to not delete instance profiles during uninstallation (this may simply rely on the fact that tags created by the installer won't be assigned to user-created instance profiles)
      • The above should allow the removal of the following privileged IAM actions when using this feature together with CCO manual mode:
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:DeleteInstanceProfile",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:TagRole"
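      The following is an added audit check, not installer or OpenShift code, for the policy change described in the user story and the action list above: it reports which of the listed privileged IAM actions an installer policy still grants and whether `iam:PassRole` is left unscoped (`Resource: "*"`) instead of pinned to the role ARN carried by the pre-created instance profile. The three sample policies, the account ID and the role ARN are constructed for illustration.

```python
import json

# IAM actions that RFE-3753 wants out of the installer policy once pre-created
# instance profiles are passed in (the list from the acceptance criteria above).
PRIVILEGED_IAM_ACTIONS = {
    "iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile", "iam:CreateRole",
    "iam:DeleteInstanceProfile", "iam:DeleteRole", "iam:DeleteRolePolicy",
    "iam:PassRole", "iam:PutRolePolicy", "iam:RemoveRoleFromInstanceProfile",
    "iam:TagRole",
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_installer_policy(policy: dict) -> dict:
    """Report the privileged IAM actions an installer policy still grants and whether
    iam:PassRole is unscoped (Resource "*") rather than pinned to specific role ARNs."""
    granted, unscoped_passrole = set(), False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        for action in actions:
            # "iam:*" silently grants every action in the list above.
            hits = PRIVILEGED_IAM_ACTIONS if action == "iam:*" else {action} & PRIVILEGED_IAM_ACTIONS
            granted |= hits
            if "iam:PassRole" in hits and "*" in resources:
                unscoped_passrole = True
    return {"privileged_actions": sorted(granted), "unscoped_passrole": unscoped_passrole}


# Constructed sample policies (illustrative, not the real installer policy).
TODAY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile",
             "iam:PassRole", "iam:GetInstanceProfile"], "Resource": "*"}]}""")
SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::123456789012:role/example-cluster-worker-role"},
  {"Effect": "Allow", "Action": "iam:GetInstanceProfile", "Resource": "*"}]}""")
PRECREATED = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["iam:GetInstanceProfile", "iam:GetRole"], "Resource": "*"}]}""")

if __name__ == "__main__":
    for name, policy in [("today", TODAY), ("scoped", SCOPED), ("precreated", PRECREATED)]:
        print(name, audit_installer_policy(policy))
```

      The "scoped" policy is the intermediate step the user story describes (PassRole pinned to one role ARN); the "precreated" policy is the end state the acceptance criteria ask for, with none of the listed actions present.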

      This requires/does not require a design proposal.
      This requires/does not require a feature gate.

            mak.redhat.com Marcos Entenza Garcia
            jaharrin James Harrington