Refactor policies for the deployer role

[cadmiumcat]

What problem does this pull request solve?

We had initially split policies according to terraform roots to help us understand which permissions where needed for each. However, we have deviated from this and the approach and we have two issues:

• A lot of duplication (this matters because of the limit on policy sizes set by AWS)
• it's difficult to understand what permissions are in the policy. One root may set very restrictive 's3' permissions, whilst another may have 's3:*', making the first one redundant

This approach aims to simplify the policies by merging duplicated permissions (including any that had already been granted by the ReadOnly policy), and organising them based on the aws services the give/deny access to (as well as alphabetically)

The iam related policy documents are kept separate from the rest, as they are special/important (but I'm happy to change this if it's confusing)

The overall aim is to simplify permission to make it easier for us to set a permissions boundary

Trello card:

In case it helps:

Policy statements I merged together because they were giving the same permission to different resources

ManageCloudwatchMetricAlarms
ManageCloudWatchAlarms
CloudWatchApplicationSignalsPutMetricAlarmPermissions

ManageNetwork
ManageEC2Tags

ManageEcsExecutionPolicies
ManageEcsTaskPolicies

ManageMalwareProtectionRoleforS3
ManageRoles

ManageMalwareProtectionPoliciesforS3
ManageSESPolicies
ManagePolicies

ManageKMSKeySES
ManageKMSKeyAlerts

ManageLogs
ManageLogs
CreateLogs
ManageCloudwatchLogsWAF

ManageRoute53RecordSets
ManageRoute53RecordSets

ManageArtifactBuckets
ManageLambdaBuckets
ManageFormsRunnerBuckets
ManageStateBucketAccessLogs
ManageALBAccessLogsAccessLogs
ManageErrorPageBucket
ManageALBandWAFLogsBucket

ManageSESVerification
AllowManageSESTagging

ManageSNS
ManageSNS

Policy statements I removed because they were already included in the read-only policy

DescribeEC2
DescribeECSClustersAndServices
ListAlbResources
DescribeLogGroups
ListHostedZones
ListRdsDbCredentialSecrets

Things to consider when reviewing

• Ensure that you consider the wider context.
• Does it work when run on your machine?
• Is it clear what the code is doing?
• Do the commit messages explain why the changes were made?
• Are there all the unit tests needed?
• Has all relevant documentation been updated?

Reminders

If you've made changes to the deployer role (files in modules/deployer-access):

• Remember to run make <environment> forms/account apply on the relevant environments (dev, staging and/or prod)
• Check the #govuk-forms-deployment-notifications Slack channel to ensure the apply-forms-terraform-<environment> pipelines have run successfully