Remove FIPS endpoint toggles, ECR repos, and CI IAM role from Terraform #5

@ausbru87

Context

Part of the FIPS-removal effort. See REMOVE_FIPS_PLAN.md for the full plan and premise.

Premise: Coder is not a FIPS boundary component. Upstream load balancers and proxies terminate TLS with FIPS-validated crypto modules. This repo does not need:

  • FIPS-endpoint toggles on the AWS provider / S3 backend / remote_state data sources.
  • Private ECR repositories for FIPS-only workspace and server images.
  • A GitHub Actions OIDC IAM role scoped to pushing those images.

The upstream Coder Helm chart already defaults to ghcr.io/coder/coder, which is reachable from GovCloud EKS via standard NAT egress. No in-partition mirror is needed for this reference architecture. (Note: docker.io/coder/coder is not an official image; the canonical upstream is GHCR.)

Scope

This is the largest unit. Can be split into 3a (endpoint toggles) and 3b (ECR + CI role) if two agents want to work in parallel — they touch mostly disjoint files.

3a — Remove FIPS endpoint toggles from every layer

Remove variable "use_fips_endpoints" declarations and every use_fips_endpoint = … line (AWS provider blocks, backend "s3" blocks, terraform_remote_state data source blocks):

  • infra/terraform/0-state/variables.tf — drop the use_fips_endpoints block.
  • infra/terraform/0-state/providers.tf — drop the FIPS header comment and the use_fips_endpoint provider line.
  • infra/terraform/1-network/variables.tf — drop use_fips_endpoints.
  • infra/terraform/1-network/providers.tf — drop FIPS header, backend.s3.use_fips_endpoint, provider use_fips_endpoint.
  • infra/terraform/2-data/variables.tf — drop use_fips_endpoints.
  • infra/terraform/2-data/providers.tf — drop backend.s3.use_fips_endpoint, provider use_fips_endpoint, terraform_remote_state.network FIPS line.
  • infra/terraform/3-eks/variables.tf — drop use_fips_endpoints.
  • infra/terraform/3-eks/providers.tf — drop backend, provider, and both terraform_remote_state FIPS lines (network + data).
  • infra/terraform/4-bootstrap/variables.tf — drop use_fips_endpoints.
  • infra/terraform/4-bootstrap/providers.tf — drop FIPS header, backend, provider, and all three terraform_remote_state FIPS lines.
  • infra/terraform/govcloud.tfvars.example — drop the FIPS comment + use_fips_endpoints = true.
  • infra/terraform/terraform.tfvars.example — drop the commented FIPS lines + the illustrative backend use_fips_endpoint + the "GovCloud FIPS endpoints" note.

3b — Remove FIPS-only 2-data resources

  • infra/terraform/2-data/ecr.tf — DELETE entirely. All three declared repos (coder, base-fips, desktop-fips) are FIPS-only. The live coder-server HelmRelease sets no image override and inherits the upstream chart default ghcr.io/coder/coder — so no runtime consumer of the coder ECR repo exists in this repo.
  • infra/terraform/2-data/ci.tf — DELETE (GitHub Actions OIDC role + ECR push policy + OIDC provider data source lookup).
  • infra/terraform/2-data/outputs.tf — remove the following outputs:
    • ecr_coder_repo_url
    • ecr_base_fips_repo_url
    • ecr_desktop_fips_repo_url
    • ecr_repo_urls
    • github_actions_role_arn
    • ecr_registry

Everything-as-code for deployed-stack migration (two-commit sequence)

Because aws_ecr_repository cannot be destroyed while images exist, use the following two-commit sequence in this PR (don't squash on merge, or squash carefully):

  1. Commit 1: Add force_delete = true to the existing aws_ecr_repository.repos resource(s) in infra/terraform/2-data/ecr.tf. Nothing else changes.
  2. Operator runs terraform apply in Layer 2 — modifies the three repos in place to allow force-destroy.
  3. Commit 2: Apply all deletions described above (3a + the rest of 3b).
  4. Operator runs terraform apply in Layer 2 (and the other layers) — Terraform cleanly destroys the ECR repos, aws_ecr_lifecycle_policy.repos, aws_iam_role.github_actions, and aws_iam_policy.ecr_push.

For fresh stacks (no prior deployment) the two commits may be squashed — there is nothing for force_delete to rescue.

No manual aws ecr batch-delete-image, no manual aws iam, no terraform state rm is required.

Acceptance criteria

  • grep -rin "fips\|use_fips_endpoint" infra/terraform/ returns zero.
  • terraform fmt -recursive -check infra/terraform/ passes.
  • terraform validate (-backend=false) passes in each of the five layers.
  • On a fresh terraform apply from scratch, no FIPS variables, no ECR repos, and no github_actions IAM role exist.
  • On a deployed stack, terraform apply after Commit 2 cleanly destroys all three ECR repos and the IAM role/policy with no errors.
  • Layer outputs no longer advertise the six removed output keys.

Dependencies

None on other code units. Soft-order: merge this before the docs issue so docs don't briefly reference deleted Terraform outputs.

Notes / risks (surface in PR description, not code)

  • Backend endpoint switch. The S3 backend endpoint changes from s3-fips.<region>.amazonaws.com to s3.<region>.amazonaws.com. Same bucket. Operators must run terraform init -reconfigure in each layer on existing stacks. No state data is touched.
  • OIDC provider token.actions.githubusercontent.com is an account-level singleton likely used by other repos. We only delete the data source lookup and the IAM role; the OIDC provider itself stays in AWS.
  • rds.force_ssl = 1 is TLS enforcement, NOT FIPS. Keep as-is.
  • External consumers. If usgov-env-demo or another repo reads ecr_coder_repo_url / github_actions_role_arn / ecr_registry from this stack's remote state, coordinate the update before merge. None found via in-repo grep.
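
An added example (not part of the original issue or the repository's code): a check over `terraform show -json` plan output confirming that the Layer 2 apply after Commit 2 deletes only the four addresses named in step 4, and flags anything else, such as the account-level OIDC provider. The sample plans, the `for_each` keys on `repos`, and the `aws_db_instance.example` and `aws_iam_openid_connect_provider.github` addresses are constructed assumptions.

```python
import json

# Addresses the issue lists as destroyed by Commit 2 in Layer 2.
EXPECTED_DESTROYS = {
    "aws_ecr_repository.repos",
    "aws_ecr_lifecycle_policy.repos",
    "aws_iam_role.github_actions",
    "aws_iam_policy.ecr_push",
}

def review_destroy_plan(plan: dict) -> dict:
    """Classify every managed-resource delete in a `terraform show -json` plan."""
    unexpected, seen = [], set()
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if rc.get("mode") != "managed" or "delete" not in actions:
            continue
        # Drop the for_each/count key: aws_ecr_repository.repos["coder"] -> ...repos
        base = f'{rc["type"]}.{rc["name"]}'
        if rc.get("module_address"):
            base = f'{rc["module_address"]}.{base}'
        # A replace (delete + create) of an expected address is not a clean removal.
        if base in EXPECTED_DESTROYS and actions == ["delete"]:
            seen.add(base)
        else:
            unexpected.append(rc["address"])
    missing = sorted(EXPECTED_DESTROYS - seen)
    return {"ok": not unexpected and not missing,
            "unexpected": unexpected, "missing": missing}

def _rc(rtype, name, actions, index=None):
    """Build one constructed resource_changes entry (sample data, not real output)."""
    addr = f"{rtype}.{name}" + (f'["{index}"]' if index else "")
    return {"address": addr, "mode": "managed", "type": rtype, "name": name,
            "change": {"actions": actions}}

REPOS = ("coder", "base-fips", "desktop-fips")  # repo names from the issue
GOOD_PLAN = {"resource_changes": (
    [_rc("aws_ecr_repository", "repos", ["delete"], r) for r in REPOS]
    + [_rc("aws_ecr_lifecycle_policy", "repos", ["delete"], r) for r in REPOS]
    + [_rc("aws_iam_role", "github_actions", ["delete"]),
       _rc("aws_iam_policy", "ecr_push", ["delete"]),
       _rc("aws_db_instance", "example", ["no-op"])]  # hypothetical untouched resource
)}
# Hypothetical bad plan: the account-level OIDC provider shows up as a delete.
BAD_PLAN = {"resource_changes": GOOD_PLAN["resource_changes"]
            + [_rc("aws_iam_openid_connect_provider", "github", ["delete"])]}

if __name__ == "__main__":
    print(json.dumps(review_destroy_plan(GOOD_PLAN), indent=2))
    print(json.dumps(review_destroy_plan(BAD_PLAN), indent=2))
```

Against a real stack, pass `review_destroy_plan` the parsed JSON from `terraform show -json` on a saved plan file; any delete outside the expected set is listed under `unexpected` for review before `terraform apply`.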

Labels: cleanup (Dead code / cruft removal), fips-removal (Remove FIPS build/endpoint logic), terraform (Terraform infrastructure)
