Update Lambda and IAM role ARN validation rules

[pcholakov]

Loosen the validation rules around versions slightly to allow for aliases like $LATEST to be used.

Update the STS session id pattern with an IAM role ARN pattern. Add link to role trust setup documentation.

---

This permits role ARNs like arn:aws:iam::663487780041:role/LambdaTsCdkStack-nik-InvokerRole4DB2757E-QFh1yjd4kBYT - the previous pattern matches STS session ids which are what you might see GetCallerIdentity return, but they are not a valid ARN that Restate Cloud can assume.

I've also loosened up the validation pattern for function ARNs so that we can accept built-in and customer aliases like arn:aws:lambda:eu-central-1:663487780041:function:my-greeter-v1:$LATEST.

Also, I feel strongly that the role ARN should be displayed immediately once the user selects Lambda deployment - in practice, this will be used ~100% of the time in Restate Cloud. Not setting one will only ever work if the Lambda is public-access, which is almost certainly a misconfiguration. I tried to make it work but could not get the layout right at all :-)

[nikrooz]

Lgtm, thanks for spotting this, and fixing it.
if you run ppm nx format in the root of project the CI will pass.