chore(infra/website): add tf-apply pipeline + clean variable comments

Two changes:

1. Strip stale `# Leave false until Phase 4 cutover…` comments from
   manage_apex_records / manage_www_records — the variable description
   field already says what they do, and the cutover narrative they
   preserved is no longer load-bearing.

2. Add a tf-apply pipeline (`.github/workflows/tf-apply.yml`) so changes
   under `infra/terraform/website/` actually deploy on merge to main.
   Previously only `tf-plan.yml` ran on PRs and applies were manual,
   which is how the cleanUrls fix sat unapplied for hours after #1576
   merged.

   - New IAM role `iii-website-prod-github-tf-apply` (AdministratorAccess,
     trust narrowly scoped to a new `iii-website-prod-tf-apply` env so
     repo settings can require reviewers without gating routine S3
     deploys).
   - Workflow runs on push to main + workflow_dispatch, uses concurrency
     `tf-apply-website` to serialize applies, captures output to the job
     summary.

Bootstrap (one-time, manual):
  AWS_PROFILE=motia-prod terraform apply
  → grab `github_tf_apply_role_arn` from outputs
  → set repo secret `AWS_TF_APPLY_ROLE_ARN`
  → create `iii-website-prod-tf-apply` GitHub environment with required
    reviewers

Author: ytallo

.github/workflows/tf-apply.yml

@@ -0,0 +1,87 @@
+name: Terraform Apply
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'infra/terraform/website/**'
+      - '.github/workflows/tf-apply.yml'
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: 'Git ref to apply (default: current default branch)'
+        required: false
+        type: string
+
+concurrency:
+  group: tf-apply-website
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  apply:
+    name: terraform apply (infra/terraform/website)
+    runs-on: ubuntu-latest
+    environment: iii-website-prod-tf-apply
+    timeout-minutes: 15
+
+    env:
+      AWS_REGION: us-east-1
+      TF_IN_AUTOMATION: 'true'
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref || github.ref }}
+
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: '1.9.8'
+          terraform_wrapper: false
+
+      - name: Configure AWS credentials (GitHub OIDC)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_TF_APPLY_ROLE_ARN }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Terraform init
+        working-directory: infra/terraform/website
+        run: terraform init -input=false
+
+      - name: Terraform apply
+        id: apply
+        working-directory: infra/terraform/website
+        env:
+          TF_VAR_alarm_email: ${{ secrets.ALARM_EMAIL }}
+        run: |
+          set -o pipefail
+          terraform apply -input=false -auto-approve -no-color 2>&1 | tee apply.txt
+          {
+            echo 'apply<<TF_APPLY_EOF'
+            tail -c 60000 apply.txt
+            echo 'TF_APPLY_EOF'
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Job summary
+        if: always()
+        env:
+          APPLY: ${{ steps.apply.outputs.apply }}
+        run: |
+          {
+            echo "## terraform apply — \`infra/terraform/website\`"
+            echo
+            echo "- Commit: \`${{ github.sha }}\`"
+            echo "- Ref: \`${{ inputs.ref || github.ref }}\`"
+            echo
+            echo '<details><summary>Apply output</summary>'
+            echo
+            echo '```'
+            echo "${APPLY:-(no apply output captured)}"
+            echo '```'
+            echo
+            echo '</details>'
+          } >> "$GITHUB_STEP_SUMMARY"

infra/terraform/website/iam_github_oidc.tf

@@ -87,8 +87,44 @@ resource "aws_iam_role_policy_attachment" "github_deploy_website" {
   policy_arn = aws_iam_policy.github_deploy_website.arn
 }
 
-# Read-only role for `tf-plan.yml`. Separate from the deploy role so a malicious
-# PR can't accidentally run `terraform apply` with write permissions.
+data "aws_iam_policy_document" "github_tf_apply_trust" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [aws_iam_openid_connect_provider.github.arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:sub"
+      values = [
+        "repo:${var.github_repo}:environment:${var.github_tf_apply_environment}",
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role" "github_tf_apply" {
+  name                 = "iii-website-prod-github-tf-apply"
+  description          = "Assumed by GitHub Actions from the ${var.github_tf_apply_environment} environment to run `terraform apply` against infra/terraform/website. Configure that environment with required reviewers in repo settings to gate applies."
+  assume_role_policy   = data.aws_iam_policy_document.github_tf_apply_trust.json
+  max_session_duration = 3600
+}
+
+resource "aws_iam_role_policy_attachment" "github_tf_apply_admin" {
+  role       = aws_iam_role.github_tf_apply.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
 data "aws_iam_policy_document" "github_tf_plan_trust" {
   statement {
     effect  = "Allow"

infra/terraform/website/outputs.tf

@@ -38,6 +38,11 @@ output "github_tf_plan_role_arn" {
   value       = aws_iam_role.github_tf_plan.arn
 }
 
+output "github_tf_apply_role_arn" {
+  description = "Admin IAM role ARN assumed by the tf-apply GitHub Actions workflow on push to main — set as repo-level GitHub secret AWS_TF_APPLY_ROLE_ARN"
+  value       = aws_iam_role.github_tf_apply.arn
+}
+
 output "sns_alarms_topic_arn" {
   description = "SNS topic ARN that receives production alarms"
   value       = aws_sns_topic.alarms.arn

infra/terraform/website/variables.tf

@@ -58,25 +58,27 @@ variable "github_environment" {
   default     = "iii-website-prod"
 }
 
+variable "github_tf_apply_environment" {
+  # Distinct from github_environment so the apply env can be configured with
+  # required reviewers without gating routine S3 deploys.
+  description = "GitHub environment scoping the tf-apply role. Configure required reviewers on this env in repo settings to gate applies."
+  type        = string
+  default     = "iii-website-prod-tf-apply"
+}
+
 variable "csp_report_only" {
   description = "Send CSP as report-only instead of enforcing."
   type        = bool
   default     = true
 }
 
 variable "manage_apex_records" {
-  # Phase 4 cutover is complete (see #1470). Records were imported into state
-  # and Terraform now owns them. Flag retained as an escape hatch for emergency
-  # rollback — set to false to release ownership without destroying the records
-  # (use `terraform state rm` after flipping).
   description = "Whether Terraform manages the iii.dev apex A/AAAA Route53 records."
   type        = bool
   default     = true
 }
 
 variable "manage_www_records" {
-  # Phase 4 cutover complete; same situation as manage_apex_records. Decoupled
-  # from apex so the two can be released independently if ever needed.
   description = "Whether Terraform manages the www.iii.dev A/AAAA Route53 records."
   type        = bool
   default     = true