Add SSO group id lookup parameter resolver

[andrewjhumphrey]

Remove the need to hardcode magic AWS IIC/SSO group IDs that are required when creating AWS::SSO::Assignment resources

Note: This requires adding a new stack_master.yml toplevel attribute: sso_identity_store_id which is required to do the group lookup. Rather than specifying that in each individual parameter lookup, do it once at the top level.

An example of what this looks like:

Before:

Parameters file:

SSOArn:
  stack_output: sso-permission-sets-standard/SSOArn
  role: service-role/rolename
  account: '123456789012'
SecurityAdminPermissionSetArn:
  stack_output: sso-permission-sets-standard/SecurityAdminArn
  role: service-role/rolename
  account: '123456789012'
GroupId: "b12345c6-7890-12e3-45b6-b7f89dded0aa"   <---- Needs to be manually fetched from the console/cli

After:

Parameters file:

SSOArn:
  stack_output: sso-permission-sets-standard/SSOArn
  role: service-role/rolename
  account: '123456789012'
SecurityAdminPermissionSetArn:
  stack_output: sso-permission-sets-standard/SecurityAdminArn
  role: service-role/rolename
  account: '123456789012'
GroupId:
  sso_group_id: 'us-east-1:d-123456df7/Okta-App-AWS-Group-name'
  role: service-role/rolename
  account: '123456789012'

[simpson-ross]

Neat! All seems reasonable, 👍

[orien]

Awesome!

Thanks for indulging my many suggestions.

[runlevel5]

LGTM 👍