[Issue #2351] Nava platform upgrade v0.3 => v0.4 (#2568)

## Summary

Fixes #2576

Relates to
navapbc/template-infra@v0.3.0...v0.4.0

### Time to review: __x mins__

## Changes proposed

- Adds `.template-infra` folder, which is how Nava's platform CLI keeps
track of our apps
- Updates to latest template version, eg.
  - adds and removes some variables here and there
  - that's it
  - this is a very small update

## Additional information

tested by running

```
terraform init -backend-config=dev.s3.tfbackend -reconfigure
terraform plan -var "environment_name=dev"
```

Author: coilysiren

.gitignore

@@ -149,3 +149,6 @@ dmypy.json
 
 # Terraform plan outputs
 *.tfplan
+
+# Python testing stuff
+*__pycache__*

.template-infra/app-analytics.yml

@@ -0,0 +1,3 @@
+_commit: 929a959
+_src_path: https://github.com/navapbc/template-infra
+app_name: analytics

.template-infra/app-api.yml

@@ -0,0 +1,3 @@
+_commit: 929a959
+_src_path: https://github.com/navapbc/template-infra
+app_name: api

.template-infra/app-frontend.yml

@@ -0,0 +1,3 @@
+_commit: 929a959
+_src_path: https://github.com/navapbc/template-infra
+app_name: frontend

.template-infra/base.yml

@@ -0,0 +1,3 @@
+_commit: 929a959
+_src_path: https://github.com/navapbc/template-infra
+app_name: template-only

.template-version

@@ -1 +1 @@
-fe5c7cd24d3c2c9f15c342826cda0a20af4cd0a5
+929a959ded1103bed5c25edf3c991ddf9698f0b9

infra/modules/database/main.tf

@@ -9,9 +9,10 @@ resource "random_id" "db_superuser" {
 }
 
 locals {
-  master_username      = random_id.db_superuser.hex
-  role_manager_name    = "${var.name}-role-manager"
-  role_manager_package = "${path.root}/role_manager.zip"
+  master_username       = random_id.db_superuser.hex
+  primary_instance_name = "${var.name}-primary"
+  role_manager_name     = "${var.name}-role-manager"
+  role_manager_package  = "${path.root}/role_manager.zip"
 
   # The ARN that represents the users accessing the database are of the format: "arn:aws:rds-db:<region>:<account-id>:dbuser:<resource-id>/<database-user-name>""
   # See https://aws.amazon.com/blogs/database/using-iam-authentication-to-connect-with-pgadmin-amazon-aurora-postgresql-or-amazon-rds-for-postgresql/

infra/modules/database/role_manager/requirements.txt

@@ -1 +1 @@
-pg8000
+pg8000

infra/modules/database/role_manager/role_manager.py

@@ -16,9 +16,6 @@
 def lambda_handler(event, context):
     if event == "check":
         return check()
-    elif event == "password_ts":
-        connect_as_master_user()
-        return "Succeeded"
     else:
         return manage()
 

infra/networks/main.tf

@@ -5,6 +5,17 @@ locals {
     description = "VPC resources"
   })
   region = module.project_config.default_region
+
+  # List of AWS services used by this VPC
+  # This list is used to create VPC endpoints so that the AWS services can
+  # be accessed without network traffic ever leaving the VPC's private network
+  # For a list of AWS services that integrate with AWS PrivateLink
+  # see https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html
+  #
+  # The database module requires VPC access from private networks to SSM, KMS, and RDS
+  aws_service_integrations = toset(
+    module.app_config.has_database ? ["ssm", "kms", "secretsmanager"] : []
+  )
 }
 
 terraform {