
feat(pulumi): add stage EFS mount targets, NFS security group, and task definition volumes#376

Open
e9e4e5f0faef wants to merge 3 commits into stage from feat/efs-mount-targets

Conversation


@e9e4e5f0faef e9e4e5f0faef commented Mar 20, 2026

Summary

  • Add EFS mount targets in the stage VPC private subnets for the existing addons filesystem
  • Create NFS security group with SG-to-SG ingress from web and worker container SGs only
  • Add EFS volume and mount point to web, worker, and cron task definitions
  • Filesystem ID resolved at runtime
  • Versioncheck excluded (no EFS, matches legacy config)

Changes

| Category | File | Change |
|---|---|---|
| Config | infra/pulumi/config.stage.yaml | EFS mount target config with Secrets Manager reference, EFS volumes, mount points for web and worker |
| Infra | infra/pulumi/__main__.py | NFS security group, mount targets (one per private subnet), cron task definition EFS volume, Secrets Manager lookup with pulumi.Output.secret(), dependency wiring |

Why

The addons filesystem has mount targets only in the default VPC. Fargate tasks in the stage VPC cannot mount it without mount targets in their own subnets. This PR adds the network plumbing so EFS is reachable from web, worker, and cron tasks.

Approach

  • Mount targets are created in all 3 private subnets, using a dedicated NFS security group
  • NFS ingress (port 2049) is scoped to web and worker container SGs via source_security_group_id (not CIDR)
  • Pulumi resolves the filesystem ID
  • EFS volumes use transit encryption
  • Mount path is /var/addons (RW here) on web, worker, and cron containers
  • NETAPP_STORAGE_ROOT is deliberately unchanged (/tmp/storage) -- the app will not use EFS until that env var is explicitly flipped to the EFS backed path in a separate activation step

Safety

  • Infra plumbing only; the app continues using local ephemeral storage until NETAPP_STORAGE_ROOT is changed
  • BOOTSTRAP_SAFE=true remains the established stage safety default and is unchanged by this PR
  • The EFS filesystem ID is retrieved and resolved
  • Versioncheck is excluded from EFS (matches legacy configuration)
  • No impact on running services until pulumi up is executed post-merge

Validation

  • pulumi preview: +6 to create (1 SG, 2 SG rules, 3 mount targets), ~20 to update, +-3 to replace (task definitions), 0 to delete
  • Pre-flight validation: run python infra/scripts/preflight_check.py before any scale-up or BOOTSTRAP_SAFE flip. The script verifies environment isolation, broker separation, SG reachability, and task definition consistency. See internal runbook for full scale-up procedure.
  • Post-deploy: verify mount targets are available in all 3 private subnets
  • Post-deploy: verify NFS SG allows 2049 from the correct container SGs
  • Full activation test deferred to the NETAPP_STORAGE_ROOT flip step

Follow-up

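A post-deploy check of the kind the Validation section calls for (NFS SG scoped to the container SGs on 2049 only, a mount target in every private subnet, transit encryption on the EFS volume, no mount on excluded containers), written as an added example: it is not the project's preflight_check.py nor any code from this PR. The input records are constructed to mirror the key names of boto3's describe_security_groups, describe_mount_targets (with SecurityGroups merged in from describe_mount_target_security_groups) and describe_task_definition responses; the SG, subnet and filesystem IDs are placeholders, and the "open" security group variant is included only to show what a finding looks like.

```python
"""Post-deploy verification of EFS plumbing: NFS SG scope, mount target coverage,
task definition volume settings. Added example; sample records are constructed
(assumption) to mirror boto3 response key names, and all IDs are placeholders."""
from typing import Dict, List, Set

NFS_PORT = 2049
MOUNT_PATH = "/var/addons"


def check_nfs_sg(sg: Dict, allowed_sources: Set[str]) -> List[str]:
    """Every ingress rule must be TCP 2049 sourced from a container SG (never a CIDR),
    and every expected container SG must actually have a rule. [] means OK."""
    findings: List[str] = []
    seen: Set[str] = set()
    for rule in sg.get("IpPermissions", []):
        proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
        if proto != "tcp" or lo != NFS_PORT or hi != NFS_PORT:
            findings.append(f"{sg['GroupId']}: rule {proto}/{lo}-{hi} is not TCP {NFS_PORT}")
        for r in rule.get("IpRanges", []):  # CIDR sources defeat SG-to-SG scoping
            findings.append(f"{sg['GroupId']}: CIDR source {r.get('CidrIp')} (must be SG-scoped)")
        for pair in rule.get("UserIdGroupPairs", []):
            src = pair.get("GroupId")
            seen.add(src)
            if src not in allowed_sources:
                findings.append(f"{sg['GroupId']}: unexpected source SG {src}")
    for missing in sorted(allowed_sources - seen):
        findings.append(f"{sg['GroupId']}: expected source SG {missing} has no rule")
    return findings


def check_mount_targets(targets: List[Dict], private_subnets: Set[str], nfs_sg: str) -> List[str]:
    """One available mount target per private subnet, each attached to the NFS SG only."""
    findings: List[str] = []
    covered: Set[str] = set()
    for mt in targets:
        subnet = mt["SubnetId"]
        covered.add(subnet)
        if subnet not in private_subnets:
            findings.append(f"mount target in unexpected subnet {subnet}")
        if mt.get("LifeCycleState") != "available":
            findings.append(f"mount target in {subnet} is {mt.get('LifeCycleState')}")
        if set(mt.get("SecurityGroups", [])) != {nfs_sg}:
            findings.append(f"mount target in {subnet} uses SGs {mt.get('SecurityGroups')}")
    for missing in sorted(private_subnets - covered):
        findings.append(f"no mount target in private subnet {missing}")
    return findings


def check_task_definition(td: Dict, efs_id: str, mounted: Set[str]) -> List[str]:
    """EFS volume must target efs_id with transit encryption; containers in `mounted`
    must mount it at MOUNT_PATH; any other container (e.g. versioncheck) must not."""
    findings: List[str] = []
    efs_volumes = set()
    for v in td.get("volumes", []):
        cfg = v.get("efsVolumeConfiguration")
        if cfg is None:
            continue
        efs_volumes.add(v["name"])
        if cfg.get("fileSystemId") != efs_id:
            findings.append(f"volume {v['name']} points at {cfg.get('fileSystemId')}")
        if cfg.get("transitEncryption") != "ENABLED":
            findings.append(f"volume {v['name']} has transit encryption off")
    for c in td.get("containerDefinitions", []):
        efs_mounts = [m for m in c.get("mountPoints", []) if m.get("sourceVolume") in efs_volumes]
        if c["name"] in mounted:
            if not any(m.get("containerPath") == MOUNT_PATH for m in efs_mounts):
                findings.append(f"container {c['name']} lacks EFS mount at {MOUNT_PATH}")
        elif efs_mounts:
            findings.append(f"container {c['name']} unexpectedly mounts EFS")
    return findings


# Constructed sample data (placeholders, not real resource IDs).
WEB_SG, WORKER_SG, NFS_SG = "sg-web-example", "sg-worker-example", "sg-nfs-example"
SUBNETS = {"subnet-priv-a", "subnet-priv-b", "subnet-priv-c"}
EFS_ID = "fs-example"
GOOD_NFS_SG = {"GroupId": NFS_SG, "IpPermissions": [{
    "IpProtocol": "tcp", "FromPort": NFS_PORT, "ToPort": NFS_PORT, "IpRanges": [],
    "UserIdGroupPairs": [{"GroupId": WEB_SG}, {"GroupId": WORKER_SG}]}]}
# Weak variant for contrast: NFS opened to a VPC CIDR instead of SG-to-SG.
OPEN_NFS_SG = {"GroupId": NFS_SG, "IpPermissions": [{
    "IpProtocol": "tcp", "FromPort": NFS_PORT, "ToPort": NFS_PORT,
    "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]}
MOUNT_TARGETS = [{"SubnetId": s, "LifeCycleState": "available", "SecurityGroups": [NFS_SG]}
                 for s in sorted(SUBNETS)]
WEB_TASK_DEF = {
    "volumes": [{"name": "addons", "efsVolumeConfiguration": {
        "fileSystemId": EFS_ID, "transitEncryption": "ENABLED"}}],
    "containerDefinitions": [{"name": "web", "mountPoints": [
        {"sourceVolume": "addons", "containerPath": MOUNT_PATH, "readOnly": False}]}]}


def run_checks(sg: Dict, targets: List[Dict], td: Dict, mounted: Set[str]) -> List[str]:
    """Aggregate all findings; an empty list means the plumbing matches the intent above."""
    return (check_nfs_sg(sg, {WEB_SG, WORKER_SG})
            + check_mount_targets(targets, SUBNETS, NFS_SG)
            + check_task_definition(td, EFS_ID, mounted))


if __name__ == "__main__":
    for label, sg in (("good", GOOD_NFS_SG), ("open", OPEN_NFS_SG)):
        print(label, run_checks(sg, MOUNT_TARGETS, WEB_TASK_DEF, {"web"}) or "OK")
```

In practice the three dicts would come from the corresponding boto3 calls against the stage account; the checks are deliberately strict (exact SG set on each mount target, exact port range, no CIDR sources) so that drift from the SG-to-SG design shows up as a finding rather than passing silently.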
@e9e4e5f0faef e9e4e5f0faef requested a review from Sancus March 20, 2026 16:16
@e9e4e5f0faef e9e4e5f0faef self-assigned this Mar 20, 2026
@e9e4e5f0faef e9e4e5f0faef force-pushed the feat/efs-mount-targets branch from 6ac8b61 to 16dabe8 April 9, 2026 00:32
@e9e4e5f0faef e9e4e5f0faef force-pushed the feat/efs-mount-targets branch from 16dabe8 to 2d3591a April 9, 2026 00:37