Allow support role to release the lock on state files

We need the support role to be able to `terraform apply`, therefore it needs to
be able to get/release the lock on state files.

The role also needs to be able to put objects in and get objects from the state
file buckets, but we already gave it those permissions as part of allowing it to
manage_maintenance_page.

Author: cadmiumcat

infra/modules/engineer-access/policies.tf

@@ -310,4 +310,26 @@ resource "aws_iam_policy" "lock_state_files" {
       }
     ]
   })
+}
+
+resource "aws_iam_policy" "release_lock_on_state_files" {
+  name = "release-lock-on-state-files"
+  path = "/"
+
+  description = "Allow releasing the lock on state files"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "s3:DeleteOject"
+        ]
+        Effect = "Allow"
+        Resource = [
+          "arn:aws:s3:::gds-forms-${var.environment_type}-tfstate/*.tflock"
+        ]
+      }
+    ]
+  })
 }

infra/modules/engineer-access/roles.tf

@@ -29,6 +29,7 @@ module "support_role" {
     aws_iam_policy.manage_deployments.arn,
     aws_iam_policy.manage_maintenance_page.arn,
     aws_iam_policy.lock_state_files.arn,
+    aws_iam_policy.release_lock_on_state_files.arn,
     var.allow_rds_data_api_access ? [aws_iam_policy.query_rds_with_data_api[0].arn] : [],
     var.allow_ecs_task_usage ? [aws_iam_policy.run_task[0].arn, aws_iam_policy.stop_task[0].arn] : []
   ])