Conversation

ArendAMZN
Contributor

Issue #, if available:

Description of changes:
Adding policy templates for read and CRUD for CodeCommit

Description of how you validated changes:

I ran policy_templates.json through jq to ensure that the syntax is still valid

Here's a diff between the full apis and the ones I used under crud

/workspace/castaren/serverless-application-model
20:56:29 castaren-> diff full.txt write.txt 
50,52d49
< "codecommit:BatchGetRepositories",
< "codecommit:CreateRepository",
< "codecommit:DeleteRepository",
54d50
< "codecommit:ListRepositories",
56d51
< "codecommit:UpdateRepositoryName",
67c62
< "codecommit:CancelUploadArchive",
---
> "codecommit:CancelUploadArchive"

Here's a diff between the crud apis and the ones I used for read

/workspace/castaren/serverless-application-model
20:56:56 castaren-> diff write.txt read.txt 
2,4d1
< "codecommit:GitPush",
< "codecommit:CreateBranch",
< "codecommit:DeleteBranch",
7,10d3
< "codecommit:MergeBranchesByFastForward",
< "codecommit:MergeBranchesBySquash",
< "codecommit:MergeBranchesByThreeWay",
< "codecommit:UpdateDefaultBranch",
12d4
< "codecommit:CreateUnreferencedMergeCommit",
17d8
< "codecommit:CreatePullRequest",
24,31d14
< "codecommit:MergePullRequestByFastForward",
< "codecommit:MergePullRequestBySquash",
< "codecommit:MergePullRequestByThreeWay",
< "codecommit:PostCommentForPullRequest",
< "codecommit:UpdatePullRequestDescription",
< "codecommit:UpdatePullRequestStatus",
< "codecommit:UpdatePullRequestTitle",
< "codecommit:DeleteFile",
35,36d17
< "codecommit:PutFile",
< "codecommit:DeleteCommentContent",
39,41d19
< "codecommit:PostCommentForComparedCommit",
< "codecommit:PostCommentReply",
< "codecommit:UpdateComment",
43d20
< "codecommit:CreateCommit",
51d27
< "codecommit:UpdateRepositoryDescription",
53,54d28
< "codecommit:TagResource",
< "codecommit:UntagResource",
56d29
< "codecommit:PutRepositoryTriggers",
60,62c33
< "codecommit:UploadArchive",
< "codecommit:GetUploadArchiveStatus",
< "codecommit:CancelUploadArchive"
---
> "codecommit:GetUploadArchiveStatus"

Checklist:

  • [ N ] Write/update tests
    There aren't tests for config files
  • [ Y ] make pr passes
  • [ N ] Update documentation
    docs/policy_templates.rst doesn't list all policies
    I'm assuming 2016-10-31/policy_templates/all_policy_templates.yaml shouldn't be updated with policies from new versions
  • [ Y? ] Verify transformed template deploys and application functions as expected
    I set up a managed template as follows, and that worked as expected
    CodeCommitReadPolicy:
      Type: AWS::IAM::ManagedPolicy
      Properties:
        PolicyName: CodeCommitReadPolicy
        PolicyDocument: {
          # IAM only accepts the 2012-10-17 (or 2008-10-17) policy language version
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "codecommit:GitPull",
                "codecommit:GetBranch",
                "codecommit:ListBranches",
                "codecommit:BatchDescribeMergeConflicts",
                "codecommit:DescribeMergeConflicts",
                "codecommit:GetMergeCommit",
                "codecommit:GetMergeOptions",
                "codecommit:BatchGetPullRequests",
                "codecommit:DescribePullRequestEvents",
                "codecommit:GetCommentsForPullRequest",
                "codecommit:GetCommitsFromMergeBase",
                "codecommit:GetMergeConflicts",
                "codecommit:GetPullRequest",
                "codecommit:ListPullRequests",
                "codecommit:GetBlob",
                "codecommit:GetFile",
                "codecommit:GetFolder",
                "codecommit:GetComment",
                "codecommit:GetCommentsForComparedCommit",
                "codecommit:BatchGetCommits",
                "codecommit:GetCommit",
                "codecommit:GetCommitHistory",
                "codecommit:GetDifferences",
                "codecommit:GetObjectIdentifier",
                "codecommit:GetReferences",
                "codecommit:GetTree",
                "codecommit:GetRepository",
                "codecommit:ListTagsForResource",
                "codecommit:GetRepositoryTriggers",
                "codecommit:TestRepositoryTriggers",
                "codecommit:GetBranch",
                "codecommit:GetCommit",
                "codecommit:GetUploadArchiveStatus"
              ],
              # Resource is a string (or a list of strings), not a mapping
              "Resource": "arn:aws:codecommit:us-west-2:475031329963:omnisearch"
            }
          ]
        }
  • [ Y ] Add/update example to examples/2016-10-31

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
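Added example, not code from this PR or the SAM project: a small lint pass over a PolicyDocument of the shape pasted in the checklist above, checking what a reviewer checks on these templates (a valid IAM Version, a Resource that is a string or list of strings, no duplicated actions, and for a read template no action whose verb looks like a write). The write-verb prefixes and the sample document, with a placeholder account and repository name, are constructed assumptions.

```python
from collections import Counter

IAM_VERSIONS = {"2012-10-17", "2008-10-17"}
# Assumption: a codecommit verb starting with one of these prefixes changes state.
WRITE_PREFIXES = ("Create", "Delete", "Update", "Put", "Post", "Merge",
                  "Tag", "Untag", "Upload", "Cancel", "GitPush")

def is_write(action):
    """True if a 'codecommit:Verb' action looks like it mutates the repository."""
    verb = action.split(":", 1)[-1]
    return verb.startswith(WRITE_PREFIXES)

def lint_policy(doc, read_only=False):
    """Return human-readable findings for a policy document; [] means clean."""
    findings = []
    if doc.get("Version") not in IAM_VERSIONS:
        findings.append(f"Version {doc.get('Version')!r} is not an IAM policy version")
    for i, stmt in enumerate(doc.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action, count in Counter(actions).items():
            if count > 1:
                findings.append(f"statement {i}: {action} listed {count} times")
        if read_only:
            findings += [f"statement {i}: {a} is a write action in a read policy"
                         for a in actions if is_write(a)]
        res = stmt.get("Resource")
        if not (isinstance(res, str) or
                (isinstance(res, list) and all(isinstance(r, str) for r in res))):
            findings.append(f"statement {i}: Resource must be a string or list of "
                            f"strings, not {type(res).__name__}")
    return findings

# Constructed sample mirroring the test template in the checklist: made-up
# version string, a duplicated action, a write action in a read policy,
# and Resource written as a mapping instead of a string.
SAMPLE = {
    "Version": "0.0.1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["codecommit:GitPull", "codecommit:GetBranch",
                   "codecommit:PutFile", "codecommit:GetBranch"],
        "Resource": {"arn:aws:codecommit:us-west-2:123456789012:example-repo": None},
    }],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE, read_only=True):
        print(finding)
```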

@codecov-io

codecov-io commented Aug 26, 2019

Codecov Report

Merging #1101 into develop will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff            @@
##           develop    #1101   +/-   ##
========================================
  Coverage    94.72%   94.72%           
========================================
  Files           70       70           
  Lines         3430     3430           
  Branches       675      675           
========================================
  Hits          3249     3249           
  Misses          93       93           
  Partials        88       88

Powered by Codecov. Last update d7a9ddc...97b28ef.

@keetonian keetonian self-assigned this Aug 26, 2019
@jlhood jlhood changed the base branch from master to develop August 26, 2019 23:13
@jlhood
Contributor

jlhood commented Aug 26, 2019

@ArendAMZN Thanks for the contribution! I haven't dug into all of the specific actions yet, but here's 1 update I need you to do: You made your change against the master branch, but you should make changes against the develop branch (contains latest changes). I've updated the PR to be against the develop branch and now it's showing more diffs than just your change. You should be able to rebase onto develop and then force push to update this PR.

@ArendAMZN
Contributor Author

@ArendAMZN Thanks for the contribution! I haven't dug into all of the specific actions yet, but here's 1 update I need you to do: You made your change against the master branch, but you should make changes against the develop branch (contains latest changes). I've updated the PR to be against the develop branch and now it's showing more diffs than just your change. You should be able to rebase onto develop and then force push to update this PR.

Thanks, I fixed it.

Contributor

@keetonian keetonian left a comment

Thanks for this contribution! Looks good to me!

]
}
},
"CodeCommitCrudPolicy": {
Contributor


Verified that permissions and resources are correct.

Reference: https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control-permissions-reference.html

The only permissions not given here are update/delete permissions on the actual repo, which seems appropriate.

]
}
},
"CodeCommitReadPolicy": {
Contributor


Verified this policy as well against same documentation.
