Since its first implementation via #21, the OpenToFu plan relies on a remote state hosted by an S3 bucket (and a DynamoDB table) directly managed by Least Authority.
This situation is not ideal but was the best known at the time.
While it is technically possible to "recover" the state by importing each resource of the plan in a worst case scenario, it seems rather important to remove the dependency on Least Authority in the short term.
Here are a few options to investigate:
- Migrate to another S3 bucket owned by Tahoe-LAFS (could be hosted by Hetzner, in the same project used for webforge and testgrid)
- Migrate to a local state file saved as an artifact in this repository after each merge
- Migrate to a local state file committed directly in this repository after each merge
- Migrate to another remote back-end, possibly served from one of the servers deployed by this plan (circular dependency?)
In most cases, we should consider using the encryption now directly provided by OpenToFu.
Value
Avoiding unnecessary 3rd party dependencies would give more autonomy to the Tahoe-LAFS community.
Requirements
Credential rotation and configuration changes for this back-end should be possible w/o requiring the involvement of a member of Least Authority.
Additional information
btlogy changed the title from "Migrate the OpenToFu state out of LeastAuthority resources" to "Migrate the OpenToFu state out of LeastAuthority perimeter" on Jan 23, 2025
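An added example, not part of the original issue or of this project's configuration: a sketch of the first option (an S3-compatible bucket outside Least Authority) combined with the built-in state encryption, including the temporary fallback needed to read the existing unencrypted state during migration. The bucket, key, endpoint and variable names are placeholders, and passing the passphrase as a variable assumes OpenTofu 1.8 or later.

```hcl
# Added example: bucket, key, endpoint and variable names are placeholders.
variable "state_passphrase" {
  type      = string
  sensitive = true # supply via TF_VAR_state_passphrase from CI secrets, never commit it
}

terraform {
  backend "s3" {
    bucket = "example-tofu-state"      # placeholder
    key    = "infra/terraform.tfstate" # placeholder
    region = "us-east-1"               # the backend requires a value even for non-AWS stores
    endpoints = {
      s3 = "https://s3.example.org"    # placeholder for the S3-compatible endpoint
    }
    use_path_style              = true
    skip_credentials_validation = true
    skip_region_validation      = true
    skip_requesting_account_id  = true
  }

  encryption {
    # Derive the encryption key from a long random passphrase.
    key_provider "pbkdf2" "passphrase" {
      passphrase = var.state_passphrase
    }

    method "aes_gcm" "state" {
      keys = key_provider.pbkdf2.passphrase
    }

    # Migration only: allows reading the existing plaintext state once.
    method "unencrypted" "migrate" {}

    state {
      method = method.aes_gcm.state
      fallback {
        method = method.unencrypted.migrate
      }
    }

    plan {
      method = method.aes_gcm.state
    }
  }
}
```

Once the first apply has rewritten the state in encrypted form, remove the `unencrypted` method and the `fallback` block and set `enforced = true` in the `state` block so that a plaintext state is rejected from then on.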