linz / geostore

Central storage, management and access for important geospatial datasets
MIT License

Move bespoke roles granting S3 permission (to third parties) out of the stack #2354

Open Jimlinz opened 1 year ago

Jimlinz commented 1 year ago

Geostore has some bespoke roles granting S3 permission to external accounts (i.e. Koordinates LDS, OpenTopo). For example:

As best practice, we should probably separate these out from the stack. This can become unmanageable if it grows.

A suggestion is to include this in the CDK runtime context (i.e. cdk.json).

The project file cdk.context.json is where the AWS CDK caches context values retrieved from your AWS account. This practice avoids unexpected changes to your deployments when, for example, a new Availability Zone is introduced. The AWS CDK does not write context data to any of the other files listed.

Should investigate if putting this in cdk.json will work (i.e. provide us with what we need).

Jimlinz commented 1 year ago

Putting these values in Parameter Store could also be an option: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
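As an added illustration of both suggestions above (example code, not geostore's own): the per-consumer grants are declared as data in a cdk.json-style context section (the same JSON could equally be fetched from Parameter Store), validated, and only then turned into least-privilege role specifications that a stack would pass to its IAM constructs via `self.node.try_get_context(...)`. The context key `externalS3Readers`, the account IDs and the bucket ARN are constructed assumptions.

```python
# Added example (not geostore's code): validate external S3 read grants declared
# in cdk.json context before a stack turns them into IAM roles. Constructed values.
import re
from typing import Any
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
NAME_RE = re.compile(r"^[a-z0-9-]{1,32}$")
# Read-only actions only; bucket-level and object-level sets bind to different ARNs.
BUCKET_ACTIONS = {"s3:ListBucket"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion"}
# Constructed sample of the "context" section of cdk.json (key name is an assumption).
SAMPLE_CONTEXT: dict[str, Any] = {"externalS3Readers": [
    {"name": "koordinates-lds", "accountId": "111111111111",
     "actions": ["s3:GetObject", "s3:ListBucket"]},
    {"name": "opentopo", "accountId": "222222222222", "actions": ["s3:GetObject"]},
]}


def validate_grant(grant: dict[str, Any]) -> dict[str, Any]:
    """Reject malformed names/account ids and any action outside the read-only sets."""
    name = str(grant.get("name", ""))
    if not NAME_RE.match(name):
        raise ValueError(f"bad grant name: {name!r}")
    if not ACCOUNT_ID_RE.match(str(grant.get("accountId", ""))):
        raise ValueError(f"{name}: accountId must be a 12-digit AWS account id")
    unknown = set(grant.get("actions", [])) - BUCKET_ACTIONS - OBJECT_ACTIONS
    if unknown:
        raise ValueError(f"{name}: non-read-only actions {sorted(unknown)}")
    return grant


def build_role_spec(grant: dict[str, Any], bucket_arn: str) -> dict[str, Any]:
    """Trust policy for the external account plus a least-privilege S3 policy."""
    actions, statements = set(grant["actions"]), []
    for allowed, resource in ((BUCKET_ACTIONS, bucket_arn), (OBJECT_ACTIONS, f"{bucket_arn}/*")):
        if actions & allowed:  # scope each statement to the ARN its actions apply to
            statements.append({"Effect": "Allow", "Action": sorted(actions & allowed),
                               "Resource": resource})
    trust = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": f"arn:aws:iam::{grant['accountId']}:root"}}]}
    return {"roleName": f"geostore-external-{grant['name']}", "trustPolicy": trust,
            "permissionsPolicy": {"Version": "2012-10-17", "Statement": statements}}


def role_specs_from_context(context: dict[str, Any], bucket_arn: str) -> list[dict[str, Any]]:
    specs, seen = [], set()
    for grant in context.get("externalS3Readers", []):  # one role per external consumer
        validate_grant(grant)
        if grant["accountId"] in seen:
            raise ValueError(f"duplicate grant for account {grant['accountId']}")
        seen.add(grant["accountId"])
        specs.append(build_role_spec(grant, bucket_arn))
    return specs
```

Because the grants are plain data, adding a new consumer is a context change reviewed on its own rather than an edit to stack code, and the validation step fails the synth if anyone slips a write action or a malformed account id into the list.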