CAPA Private WCs don't support using a different AWS account to the MC #3671

Closed
AverageMarcus opened this issue Sep 6, 2024 · 1 comment
Labels
team/phoenix Team Phoenix

Comments

@AverageMarcus
Member

Bug description

When creating a private CAPA WC using a different AWSClusterRoleIdentity (AWS Account) to that of the MC, the workload cluster's api-server never seems to come up. The first control plane instance is created and seems to boot OK, but the API server never becomes available and the nodeName is never set on the Machine CR.

Designed behavior

Private CAPA clusters should be able to be created in isolated AWS accounts just like non-private WCs can be.

Reproduction Steps

  1. Add the following to the cluster values of the capa private E2E test

    global:
      providerSpecific:
        awsClusterRoleIdentityName: giantswarm-goat-wc-e2e
    
  2. Run the capa private E2E test (e.g. E2E_KUBECONFIG=~/.kube/clusters/e2e.yaml ginkgo --timeout 4h -v -r ./providers/capa/private) and the cluster standup step should time out.

Technical information

Related PR which discovered this issue: giantswarm/cluster-test-suites#444
Use case for wanting isolated aws account: https://github.com/giantswarm/giantswarm/issues/29815

Projects
Status: Done ✅