Set up AWS service accounts for terraform CI

Overview

While setting up the CI pipeline in gitlab-com/gl-infra/gitter-infrastructure!94 we started receiving permissions errors during tf_plan jobs. The pipeline had previously been set up to use the packer service account, and permissions were temporarily added to it so that the plan could access the remote state resources. Going forward, we need to configure at least four other service accounts, or two accounts with two roles each:

Remote-state

  1. Create terraform-remote-state IAM account
  2. Add credentials to 1password
  3. Add CI variables
  4. Update .gitlab-ci.yml with credentials for tf_*_remote_state jobs
  5. Attach terraform-remote-state IAM policy for terraform plan (Copy privileges under DynamoDB, S3, and KMS services from Packer policy)
  6. Remove DynamoDB, S3, & KMS privileges from Packer IAM policy

Beta

  1. Create terraform-beta IAM account
  2. Add credentials to 1password
  3. Add CI variables
  4. Update .gitlab-ci.yml with tf_*_beta jobs and credentials
  5. Create terraform-beta-ro IAM role (read-only, for terraform plan), pass role ARN by variable
  6. Create terraform-beta-priv IAM role (admin privs, for terraform apply), pass role ARN by variable

Prod

  1. Set up terraform-prod IAM account
  2. Add credentials to 1password
  3. Add CI variables
  4. Update .gitlab-ci.yml with tf_*_prod jobs and credentials
  5. Create terraform-prod-ro IAM role (read-only, for terraform plan), pass role ARN by variable
  6. Create terraform-prod-priv IAM role (admin privs, for terraform apply), pass role ARN by variable
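The beta and prod lists above describe the same pattern: one IAM user per environment that holds no privileges of its own and can only assume a read-only role for plan and an admin role for apply. The following Terraform is an added example of that pattern for the beta account, not code from gitter-infrastructure; the resource names follow the issue's naming and the attached AWS managed policies (ReadOnlyAccess, AdministratorAccess) are assumed to be acceptable stand-ins for the "read-only" and "admin privs" the steps call for.

```hcl
# CI service account used by the tf_*_beta jobs. Its access key is what goes
# into 1password and the CI variables; it carries no permissions directly.
resource "aws_iam_user" "terraform_beta" {
  name = "terraform-beta"
}

# The only thing the user may do is assume the two roles below.
resource "aws_iam_user_policy" "terraform_beta_assume" {
  name = "assume-terraform-beta-roles"
  user = aws_iam_user.terraform_beta.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = [aws_iam_role.beta_ro.arn, aws_iam_role.beta_priv.arn]
    }]
  })
}

# Trust policy shared by both roles: only the terraform-beta user may assume them.
data "aws_iam_policy_document" "beta_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.terraform_beta.arn]
    }
  }
}

# terraform-beta-ro: read-only, for terraform plan. Its ARN is passed to the
# plan job by CI variable and handed to the provider's assume_role block.
resource "aws_iam_role" "beta_ro" {
  name               = "terraform-beta-ro"
  assume_role_policy = data.aws_iam_policy_document.beta_trust.json
}

resource "aws_iam_role_policy_attachment" "beta_ro" {
  role       = aws_iam_role.beta_ro.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# terraform-beta-priv: admin privileges, for terraform apply only.
resource "aws_iam_role" "beta_priv" {
  name               = "terraform-beta-priv"
  assume_role_policy = data.aws_iam_policy_document.beta_trust.json
}

resource "aws_iam_role_policy_attachment" "beta_priv" {
  role       = aws_iam_role.beta_priv.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
```

On the consuming side the plan and apply jobs set a variable such as TF_VAR_role_arn to the matching role ARN and the AWS provider picks it up through its assume_role block. Note that ReadOnlyAccess does not include the DynamoDB write that acquiring the state lock performs, so plan jobs running under the ro role need either `-lock=false` or a small extra statement scoped to the lock table.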