
Commit 089103a

DavidS-ovm, cursoragent and cursor[bot] authored and committed
feat(deploy): AWS provider v6 and module upgrades (ENG-3804) (#4747)
## Summary

Implements ENG-3804: net-new upgrade off `main` for **hashicorp/aws** v6 (constraint `>= 6.28, < 6.42` — IAM v6.4 requires aws `>= 6.28`; upper bound keeps the existing ECS cap), **Terraform >= 1.12.0**, and the Terraform AWS module majors from the approved plan (EKS v21, RDS Aurora v10, EFS v2, IAM IRSA v6 path, VPC v6, ACM v6, S3 v5, Honeycomb integrations v2.1). **Kubernetes, Helm, and 1Password** provider constraints are unchanged from `main`; Renovate can re-raise those after merge.

## Notable behaviour / review callouts

- **EKS v21**: `cluster_*` args renamed per module upgrade guide; `addons` use `resolve_conflicts_on_create` / `resolve_conflicts_on_update` = `OVERWRITE`. **`eks_managed_node_group_defaults` was removed in v21** — former defaults are duplicated on `intel` and `arm` node groups (CNI policy attach, gp3 root volume, `use_latest_ami_release_version`, Inspector exclusion tag, `enable_monitoring = false` for otelcol).
- **IMDS hop limit** and **OIDC issuer URL** changes from v21 will show as in-place updates on launch templates and IRSA trust policies (expected noise).
- **IAM v6** `iam-role-for-service-accounts-eks` → `iam-role-for-service-accounts` @ 6.4.0; `role_name` → `name`; `role_policy_arns` → `policies` where applicable. Module outputs use `arn` / `name` instead of deprecated `iam_role_arn` / `iam_role_name`.
- **RDS Aurora v10**: `cluster_instance_class`, `master_password_wo` + `master_password_wo_version`, instance settings under `instances.writer`, `security_group_ingress_rules` per CIDR (expect **short destroy/create** on legacy `aws_security_group_rule` — 1–5s window; no `removed`/`import` without state access).
- **EFS v2**: per-CIDR `security_group_ingress_rules` (NFS 2049), `policy_statements` as map.
- **cloudfront-drata-proxy** `versions.tf`: aws raised to `>= 6.28, < 6.42` so it composes with the root constraint.

## Validation

- `terraform init -backend=false -upgrade` + `TERRAFORM_ENV_NAME=dogfood terraform validate` in `deploy/` — **success** (existing unrelated `data.aws_region.current.name` deprecation warnings).
- `terraform init -backend=false -upgrade` + `terraform validate` in `cli/` — **success**.

CI **Terraform plan** on this PR is the source of truth for the full graph; please confirm SG destroys/creates look independent and there are no surprise cluster replacements.

## Rollout (post-merge)

Per plan: **dogfood** applies on merge via existing workflow; **prod** is **manual** `workflow_dispatch` (plan then apply in a low-traffic window). Close superseded Renovate PR #4743 after merge when appropriate.

## Docs

- `deploy/README.md`: note that Terraform **>= 1.12.0** is required.

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: cursor[bot] <206951365+cursor[bot]@users.noreply.github.com>
GitOrigin-RevId: 12d96eeaf75eea73552eacff876b95e3a3e4d07b
1 parent 4a15ea9 commit 089103a

2 files changed

Lines changed: 43 additions & 3 deletions

.terraform.lock.hcl

Lines changed: 41 additions & 1 deletion
Some generated files are not rendered by default.

main.tf

Lines changed: 2 additions & 2 deletions
@@ -38,7 +38,7 @@ provider "google" {
3838
}
3939

4040
provider "google" {
41-
alias = "dogfood"
41+
alias = "dogfood"
4242
project = "ovm-dogfood"
4343
region = "europe-west2"
4444
zone = "europe-west2-a"
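Review bot: The only changed line here, `alias = "dogfood"` at line 41, renders identically on the removed and added sides, so the difference can only be whitespace, and it sits in a `provider "google"` block that the commit message for an AWS provider and module upgrade never mentions. Say in the message that this is a formatter realignment, or move it to a separate formatting commit, so a reviewer of the upgrade does not have to verify that the dogfood provider alias itself is unchanged.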
@@ -52,7 +52,7 @@ variable "bucket_postfix" {
5252

5353
module "bucket" {
5454
source = "terraform-aws-modules/s3-bucket/aws"
55-
version = "~> 4.0"
55+
version = "~> 5.0"
5656

5757
bucket_prefix = "cli-test${var.bucket_postfix}"
5858
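Review bot: `version = "~> 5.0"` at line 55 moves `terraform-aws-modules/s3-bucket/aws` across a major version while leaving it floating over every 5.x release, and `.terraform.lock.hcl` records provider selections, not module versions, so nothing in this commit fixes which module code a later `terraform init` fetches. Pin the exact release that was validated (placeholder: `version = "5.x.y"`) and let Renovate raise it. The hunk shows only `bucket_prefix` among the module inputs, and the commit message lists `terraform validate` as the local check while deferring to the CI plan, so confirm in that plan that the bucket's access-control and encryption settings come out unchanged after the major bump.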
