[PRP-344] Create IAM user for longer S3 presigned url expiration time

[rocketnova]

Ticket

https://wicmtdp.atlassian.net/browse/PRP-344

Changes

What was added, updated, or removed in this PR.

• Adds a script to be able to manually refresh S3 urls on-demand
• Creates a machine IAM user for longer S3 presigned url expiration time
• Supplies the machine IAM user's access credentials to the participant task definition
• Changes the s3-encrypted terraform module to grant permissions to an IAM group rather than an IAM role
• Drops the no-longer-used admin permissions in the s3-encrypted terraform module
• Refactors away SSM Parameter Store names and instead passes arns
• Starts the process of adding more organization and inline code documentation to the infra codebase

Context for reviewers

Testing instructions, background context, more in-depth details of the implementation, and anything else you'd like to call out or ask reviewers. Explain how the changes were verified.

According to the AWS documentation, maximum S3 presigned url expiration time for STS is tied to the maximum session duration of the assumed role (which can be 12 hours at most); whereas maximum S3 presigned url expiration time for an IAM user is 7 days.

This PR creates a machine IAM user to take advantage of the longer expiration time. It therefore also lowers the refresh frequency introduced in the previous hotfix #105. This PR changes the Eventbridge check to run once a day and update any urls that haven't been updated in the last 4 days. Important: The first time this is run, we need to refresh all the urls, so that the old expiration times are caught.

This PR also starts to add more inline code documentation to the infra codebase.

Testing

Screenshots, GIF demos, code examples or output to help show the changes working as expected. ProTip: you can drag and drop or paste images into this textbox.

• I've deployed this to the dev environment
• On 2023-05-16 @ ~3:50pm PT, I also ran a one time aws ecs run-task to the dev environment to refresh all the urls (see log where it updated 82 documents)
• We should see over the next several days that the eventbridge tasks should not find any urls to update AND that the urls should still work in the staff portal

[rocketnova]

Noting that last night's overnight Eventbridge schedule-triggered task in dev did not find any documents to update (log) and the document links in dev this morning appear to all still be working. This is promising.

[rocketnova]

Noting again that last night's overnight Eventbridge schedule-triggered task in dev did not find any documents to update (log) and the document links in dev seem to still be working 🤞

[rocketnova]

Last night's overnight log shows that the Eventbridge schedule-triggered task in dev finally did find some documents to update (log) and all the document links in dev appear to be working.

This shows that the refresh script found documents to update on the correct schedule.

I'm still wary of merging this in while the pilot is running in case we run into more unexpected AWS session expiry, so I'm going to wait until it's over to merge this one.