
feature(devops): add AWS KMS provisioning terraform script #issue 412 (#461)

Open
David-282 wants to merge 1 commit into ceejaylaboratory:main from David-282:feature/terraform-kms-provisioning-412

feature(devops): add AWS KMS provisioning terraform script #issue 412#461
David-282 wants to merge 1 commit into
ceejaylaboratory:mainfrom
David-282:feature/terraform-kms-provisioning-412

Conversation

@David-282

Closes #412

Adds a Terraform script to provision an AWS KMS Customer Managed Key (CMK)
for encrypting Stellar provider signing keypairs used in SEP-10 authentication
and SEP-24 transaction flows.

Changes

  • infra/terraform/kms/ — KMS key, alias, least-privilege key policy, and SSM
    parameter provisioning
  • terraform.tfvars.example — safe-to-commit config template
  • QA_STEPS.md — manual verification steps (key rotation, encrypt/decrypt
    round-trip, SSM parameter check)
  • .github/workflows/terraform-kms.yml — CI pipeline (fmt, validate, checkov, plan)

Security

  • Separate IAM principals for API server and BullMQ worker process
  • Automatic key rotation enabled
  • 10-day deletion window for testnet teardown cycles

Testing

See infra/terraform/kms/QA_STEPS.md for manual QA steps.
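The PR description lists the pieces (CMK, alias, least-privilege key policy, SSM parameter, separate API-server and worker principals, rotation, 10-day deletion window) without showing them. The following is an added Terraform example written for this page, not the PR's own `infra/terraform/kms/` code: the variable names, the role ARN inputs, the alias name, the SSM parameter path and the `purpose=stellar-signing` encryption context are assumptions. It also goes one step beyond the description by binding the grants to an encryption context, so ciphertext produced under this key can only be decrypted by callers that supply the same context.

```hcl
# Added example, not the PR's code. Assumed names: var.api_server_role_arn,
# var.worker_role_arn, alias/stellar-signing-<env>, /stellar/<env>/kms_key_arn,
# and the encryption context key "purpose" with value "stellar-signing".

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

# Region and credentials come from the environment (AWS_REGION, AWS_PROFILE).
provider "aws" {}

variable "environment" {
  type    = string
  default = "testnet"
}

variable "api_server_role_arn" {
  description = "IAM role the API server runs as (assumed input)"
  type        = string
}

variable "worker_role_arn" {
  description = "IAM role the BullMQ worker runs as (assumed input)"
  type        = string
}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "kms_key" {
  # Account root keeps administrative control so the key can never become unmanageable
  # if the application roles are deleted. Key use is granted separately below.
  statement {
    sid    = "EnableRootAdministration"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }

  # API server: creates and reads signing keypairs for SEP-10 / SEP-24, so it needs
  # both Encrypt and Decrypt. The condition rejects any call whose encryption context
  # does not carry purpose=stellar-signing.
  statement {
    sid    = "ApiServerEncryptDecrypt"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [var.api_server_role_arn]
    }
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "kms:EncryptionContext:purpose"
      values   = ["stellar-signing"]
    }
  }

  # Worker: only ever unwraps existing keypairs, so Decrypt is the sole grant.
  statement {
    sid    = "WorkerDecryptOnly"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [var.worker_role_arn]
    }
    actions   = ["kms:Decrypt"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "kms:EncryptionContext:purpose"
      values   = ["stellar-signing"]
    }
  }
}

resource "aws_kms_key" "stellar_signing" {
  description             = "CMK for Stellar provider signing keypairs (${var.environment})"
  enable_key_rotation     = true              # yearly automatic rotation of the backing key
  deletion_window_in_days = 10                # PR's choice; AWS allows 7..30
  policy                  = data.aws_iam_policy_document.kms_key.json
}

resource "aws_kms_alias" "stellar_signing" {
  name          = "alias/stellar-signing-${var.environment}"
  target_key_id = aws_kms_key.stellar_signing.key_id
}

# Only the key ARN is stored; key material never leaves KMS, so a plain String
# parameter is sufficient here.
resource "aws_ssm_parameter" "kms_key_arn" {
  name  = "/stellar/${var.environment}/kms_key_arn"
  type  = "String"
  value = aws_kms_key.stellar_signing.arn
}
```

Two checks a reviewer would run against a policy like this: `terraform plan` must show exactly three statements in the rendered key policy, and an `aws kms decrypt` call from the worker role without `--encryption-context purpose=stellar-signing` must fail with `AccessDeniedException`, which confirms the condition is doing its job rather than the grant being wide open.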

@drips-wave

drips-wave Bot commented May 28, 2026

@David-282 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits


Development

Successfully merging this pull request may close these issues.

[DevOps] Terraform script for AWS KMS provisioning

1 participant