Support creating AWS profiles for SES via aws-sign-in #6878

Open: dannyroberts wants to merge 5 commits into master from dmr/aws-sign-in-ses

dannyroberts (Member) commented May 8, 2026

SAAS-19727

Summary

The manage-iam-keys.py script in #6872 needs an AWS profile set up the way commcare-cloud already sets up other ones — but pointing at the account where SES lives and with permissions to manage specific IAM user credentials. This is in service of scripting the SES SMTP credential rotation described in this runbook.

This PR adds a --ses flag to cchq <env> aws-sign-in that reads new config from each env's aws.yml and writes out such a profile. The new <aws_profile>:ses profiles live alongside the existing <aws_profile>:session used by terraform, and a developer doesn't need to know how either is set up.

A couple of things worth flagging for review, since they don't show up in the diff:

  • iam_username is unused so far — added preemptively for one of the next tasks in https://dimagi.atlassian.net/browse/SAAS-19724, which will use it to manage the SES IAM user during rotation.
  • aws_sign_in_for_ses deliberately skips the v1-credentials sync that the regular SSO flow does. That sync is a terraform compatibility shim; SES tooling uses modern AWS CLI / boto3, which read SSO natively.

Environments Affected

production, staging, india, eu — all gain a new ses_config block in aws.yml. No services or hosts are touched; the field is read only by the new cchq <env> aws-sign-in --ses flow.

Testing
  • cchq staging aws-sign-in --help shows the new flag
  • existing terraform tests still pass
  • The new cchq staging aws-sign-in --ses command creates a profile that works with manage-iam-keys.py (clear with rm -rf ~/.aws/sso ~/.aws/cli first)
  • Normal cchq staging aws-sign-in also still works (clear with rm -rf ~/.aws/sso ~/.aws/cli first)

dannyroberts force-pushed the dmr/aws-sign-in-ses branch from bff2f5a to 7c38df8 on May 8, 2026 21:41
dannyroberts marked this pull request as ready for review on May 8, 2026 21:46