DDLS-434 part 1 of move to limited permissions on state file write

[jamesrwarren]

Purpose

Multi part ticket to move to limited permissions on state file write

Fixes DDLS-434

Approach

With this PR I just wanted to do some pre work to sure the permissions we were using on our terraform were all set in the right places and that we aren't inheriting secrets incorrectly. I decided to do this first so that any changes we then make to the terraform roles, won't be affected by this bit of work.

What I have mainly done here is:

• Remove inherit for added security and specified what we're inheriting
• Moved the aws credentials login to directly prior to the step where it's needed so that any compromised package running in between could not exfiltrate the creds.
• Explicitly unset the creds after use. As the last step is pretty much always the step that needs the creds, this isn't explicitly needed but I felt that it protects us in case we decide to add more steps later. It also makes the use of these creds much more explicit so we think more about their scope and how they are being used!

Learning

NA

Checklist

• I have performed a self-review of my own code
• I have updated documentation (Confluence/ADR/tech debt doc) where relevant
• I have added tests to prove my work
• The product team have approved these changes
• I have checked my work for potential security issues and refered to the OWASP top 10

Frontend

• I have run an in-browser accessibility test (e.g. WAVE, Lighthouse)
• There are no deprecated CSS classes noted in the profiler
• Translations are used and the profiler doesn't identify any missing
• Any links or buttons added are screen reader friendly and contextually complete
• If adding GA events, I have updated or checked the existing category or label values

[andrewpearce-digital]

I think this might need an if: always() if it's supported here so that it unsets even when previous jobs fail