Subject: infra(roles): update CloudFormation write role permissions

Body: Adjust IAM permissions in roles/cloudformation-write-role.yaml to ensure
CloudFormation has the required write access for stack operations.

roles/cloudformation-write-role.yaml

@@ -107,7 +107,7 @@ Resources:
                   - elasticloadbalancing:ModifyTargetGroup
                 Resource:
                   - !Sub "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/*"
-        - PolicyName: EcsPolicies
+        - PolicyName: EcsTaskPolicies
           PolicyDocument:
             Version: "2012-10-17"
             Statement:
@@ -118,6 +118,30 @@ Resources:
                   - ecs:TagResource
                 Resource:
                   - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*"
+        - PolicyName: EcsServicePolicies
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - ecs:CreateService
+                  - ecs:UpdateService
+                  - ecs:DeleteService
+                  - ecs:TagResource
+                Resource:
+                  - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:service/*"
+        - PolicyName: EcsClusterPolicies
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - ecs:CreateCluster
+                  - ecs:UpdateCluster
+                  - ecs:DeleteCluster
+                  - ecs:TagResource
+                Resource:
+                  - !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/*"
       ManagedPolicyArns:
         - arn:aws:iam::aws:policy/ReadOnlyAccess
         - !Sub arn:aws:iam::${AWS::AccountId}:policy/CloudFormationWrite