template-only-bin: Include additional resources in cleanup-test-resources#991
…leanup-test-resources` We just want the status code.
There are other resource types that could block the VPC cleanup, but these are the ones we've seen be left around so far.
eb82720 to f113af9
sean-navapbc left a comment:
Nice improvements to the cleanup script! The refactoring to use the already-fetched resources list instead of re-querying each resource type is a good simplification. The new helper scripts (delete-iam-role, empty-s3-bucket, list-iam-roles-with-tag) are well-structured.
Bug Found

Line 358 in cleanup-test-resources: There's a typo in the AWS CLI flag:

    role_project_tag=$(aws iam list-role-tags \
        --role_name "${role_name}" \

Should be --role-name (hyphen) not --role_name (underscore). This will cause the IAM role tag lookup to fail.
Minor Suggestions

- SNS grep pattern (line 336): The pattern 'arn:aws:sns:.*' could match unintended resources. Consider being more specific with 'arn:aws:sns:.*:.*:' to ensure it only matches topic ARNs.
- VPC dependency order: The script deletes subnets and internet gateways before VPCs, which is correct. However, there may be other dependencies (NAT gateways, route tables with explicit associations) that could still block VPC deletion. The current || echo "Failed..." handling is fine for now, but worth noting for future iterations.
Verdict
Please fix the --role_name → --role-name bug, then this is good to merge.
f113af9 to d334b90
Good catch! Done.
Topics are the only SNS ARNs AFAIK, which I suppose could change in the future, but if it does this would need updating anyway. So I think it's fine as is.

Manually merged as individual commits: 8e32d98...eb06b65
Ticket
Related to #706
Changes
There were a number of resource types not covered by the script that were still left around after initial cleanup, so extend removal coverage to those. Not complete or perfect (e.g., there are other networking resources that could prevent a VPC from being able to be removed), but covers what we've seen so far.
Context for reviewers
Will probably not squash when merging, but also didn't want to make 12 PRs. So best reviewed commit by commit for logical chunks.
Testing
- --dry-run resource list before: clean-pre-results.txt
- --dry-run resource list after: clean-post-final-tweaks.txt
- Infra tests are now passing: https://github.com/navapbc/template-infra/actions/runs/21011517717/job/60517259169
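The points raised in this PR (filtering one already-fetched resource list by ARN type, deleting subnets before their VPC, narrowing the SNS pattern so it matches only topic-shaped ARNs, the hyphenated --role-name flag, and a dry-run that prints instead of deletes) are pulled together in the following shell example. It is an added illustration, not the template-infra cleanup-test-resources script or its helper scripts. The resource list, account id and resource ids are constructed; the mapping from ARN type to delete command and the AWS_DRY_RUN variable are assumptions. Dry-run is the default, so the aws CLI is never invoked when the file is run as-is.

```shell
#!/bin/sh
# Added example, not the template-infra cleanup-test-resources script.
# Classifies a constructed ARN list by resource type and emits delete commands
# with VPC dependencies (subnets) removed before the VPC itself. AWS_DRY_RUN=1
# (the default here, an assumed variable) prints each command instead of
# running it, so nothing is deleted and the aws CLI is never called offline.

# Constructed sample list, in the shape a tag-based resource query returns.
# The account id and resource ids are made up.
SAMPLE_RESOURCES='arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0abc
arn:aws:ec2:us-east-1:123456789012:subnet/subnet-0def
arn:aws:sns:us-east-1:123456789012:my-topic
arn:aws:s3:::my-test-bucket
arn:aws:iam::123456789012:role/my-test-role'

# arns_of_type LIST ERE: print the ARNs in LIST matching the pattern, one per line.
arns_of_type() {
  printf '%s\n' "$1" | grep -E "$2" || true
}

# resource_id ARN: the identifier after the last '/' or ':' in the ARN.
resource_id() {
  printf '%s\n' "$1" | sed -E 's#.*[/:]##'
}

# run_or_print CMD...: print the command in dry-run mode; otherwise run it and
# report (without aborting on) failure, like the script's "|| echo Failed" handling.
run_or_print() {
  if [ "${AWS_DRY_RUN:-1}" = "1" ]; then
    printf 'DRY RUN: %s\n' "$*"
  else
    "$@" || echo "Failed: $*" >&2
  fi
}

# deletion_plan LIST: emit delete commands in an order that respects dependencies.
deletion_plan() {
  list="$1"
  # Subnets must be gone before their VPC can be deleted. Other blockers the
  # review mentions (NAT gateways, route table associations, attached internet
  # gateways) would need their own steps ahead of the VPC loop; not modelled here.
  for arn in $(arns_of_type "$list" ':subnet/'); do
    run_or_print aws ec2 delete-subnet --subnet-id "$(resource_id "$arn")"
  done
  for arn in $(arns_of_type "$list" ':vpc/'); do
    run_or_print aws ec2 delete-vpc --vpc-id "$(resource_id "$arn")"
  done
  # SNS: require region, account and a single trailing name field, so only
  # topic-shaped ARNs match rather than anything starting with arn:aws:sns:.
  for arn in $(arns_of_type "$list" '^arn:aws:sns:[^:]+:[0-9]+:[^:]+$'); do
    run_or_print aws sns delete-topic --topic-arn "$arn"
  done
  # S3: a bucket must be emptied before it can be deleted.
  for arn in $(arns_of_type "$list" '^arn:aws:s3:::'); do
    bucket="$(resource_id "$arn")"
    run_or_print aws s3 rm "s3://${bucket}" --recursive
    run_or_print aws s3api delete-bucket --bucket "$bucket"
  done
  # IAM: the flag is --role-name (hyphen), the typo the review caught. In real
  # use delete-role fails while policies or instance profiles are still attached.
  for arn in $(arns_of_type "$list" '^arn:aws:iam::[0-9]+:role/'); do
    run_or_print aws iam delete-role --role-name "$(resource_id "$arn")"
  done
}

# Stand-alone run: print the dry-run plan for the sample list.
deletion_plan "$SAMPLE_RESOURCES"
```

Setting AWS_DRY_RUN=0 switches run_or_print to executing the commands; the dry-run output is the same text that would be executed, which makes the plan easy to diff against a "before" and "after" resource list the way the PR's testing notes do.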