
feat: Add EKS 1.34 addon versions and update ALB controller IAM policy #62

Merged: sam-at-luther merged 1 commit into main from feat/eks-1.34-addon-versions on Apr 1, 2026

@sam-at-luther

Summary

Addon Versions for 1.34

| Addon | Version |
|---|---|
| vpc-cni | v1.20.3-eksbuild.1 |
| kube-proxy | v1.34.0-eksbuild.4 |
| CoreDNS | v1.12.4-eksbuild.1 |
| ebs-csi-driver | v1.48.0-eksbuild.2 |

ALB Controller IAM Policy Changes

New actions added to match the v2.17.1 upstream policy:

  • ec2:GetSecurityGroupsForVpc, ec2:DescribeIpamPools, ec2:DescribeRouteTables
  • elasticloadbalancing:DescribeTrustStores, DescribeListenerAttributes, DescribeCapacityReservation
  • elasticloadbalancing:ModifyListenerAttributes, ModifyCapacityReservation, ModifyIpPools
  • elasticloadbalancing:SetRulePriorities
  • New AddTags statement with CreateAction condition (tighter security)
  • Tightened existing AddTags/RemoveTags on LB/TG with proper tag condition

Custom VPC condition on AuthorizeSecurityGroupIngress is preserved.

Notes

  • The actual ALB controller Helm chart + image tag upgrade is a separate change in the mars repo: Upgrade AWS Load Balancer Controller from v2.4.0 to v2.17.1+ mars#114
  • Deploy order: apply this IAM policy update first, then upgrade the controller version in mars
  • No breaking changes in K8s 1.34 itself (no API deprecations or removals)
  • EBS CSI v1.48.0 is safe since we don't use VolumeAttributesClass (verified on plt-test cluster)

Test plan

  • terraform plan on test environment shows only IAM policy + addon version changes
  • Apply IAM policy update to test cluster
  • Upgrade EKS control plane to 1.34 on test cluster
  • Verify all addons reconcile to new versions
  • Verify ALB/ingress resources remain healthy

Add Kubernetes 1.34 compatible addon versions for vpc-cni, kube-proxy,
CoreDNS, and ebs-csi-driver. Update the AWS Load Balancer Controller IAM
policy from v2.4.0 to v2.17.1 to support the upcoming controller upgrade
tracked in luthersystems/mars#114.
@sam-at-luther sam-at-luther merged commit 162ff79 into main Apr 1, 2026
23 checks passed
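
A pre-deploy check for the IAM changes described in this PR, as an added example that is not code from this repository: it reports which of the listed actions a policy document still fails to grant, and which Allow statements grant AddTags/RemoveTags on load balancer or target group resources with no Condition block. Assumptions: the `elasticloadbalancing:` prefix on the abbreviated action names, matching LB/TG statements by ARN substring, the hypothetical names `audit`, `REQUIRED` and `SAMPLE`, and a constructed sample policy.

```python
from fnmatch import fnmatchcase

# Actions listed in the PR description; the elasticloadbalancing: prefix on the
# abbreviated entries is an assumption.
REQUIRED = [f"ec2:{a}" for a in (
    "GetSecurityGroupsForVpc", "DescribeIpamPools", "DescribeRouteTables")]
REQUIRED += [f"elasticloadbalancing:{a}" for a in (
    "DescribeTrustStores", "DescribeListenerAttributes", "DescribeCapacityReservation",
    "ModifyListenerAttributes", "ModifyCapacityReservation", "ModifyIpPools",
    "SetRulePriorities")]
TAG_ACTIONS = ("elasticloadbalancing:AddTags", "elasticloadbalancing:RemoveTags")

def _list(v):
    # IAM allows a single string wherever a list is accepted.
    return [] if v is None else (v if isinstance(v, list) else [v])

def _grants(patterns, action):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit(policy):
    """Return (required actions not granted, LB/TG tag statements with no Condition)."""
    allows = [s for s in _list(policy.get("Statement")) if s.get("Effect") == "Allow"]
    missing = sorted(a for a in REQUIRED
                     if not any(_grants(_list(s.get("Action")), a) for s in allows))
    loose = []
    for i, s in enumerate(allows):
        tags = any(_grants(_list(s.get("Action")), t) for t in TAG_ACTIONS)
        lb_tg = any(r == "*" or ":loadbalancer/" in r or ":targetgroup/" in r
                    for r in _list(s.get("Resource")))
        if tags and lb_tg and not s.get("Condition"):
            loose.append(s.get("Sid", f"Allow[{i}]"))
    return missing, loose

# Constructed sample policy (not the repository's policy document).
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Describe", "Effect": "Allow", "Resource": "*", "Action": [
        "ec2:Describe*", "ec2:GetSecurityGroupsForVpc", "elasticloadbalancing:Describe*"]},
    {"Sid": "Modify", "Effect": "Allow", "Resource": "*", "Action": [
        "elasticloadbalancing:ModifyListenerAttributes",
        "elasticloadbalancing:ModifyCapacityReservation",
        "elasticloadbalancing:SetRulePriorities"]},
    {"Sid": "TagOnCreate", "Effect": "Allow", "Action": "elasticloadbalancing:AddTags",
     "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
     "Condition": {"StringEquals": {"elasticloadbalancing:CreateAction": [
         "CreateTargetGroup", "CreateLoadBalancer"]}}},
    {"Sid": "TagAny", "Effect": "Allow", "Action": list(TAG_ACTIONS),
     "Resource": "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"}]}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The check ignores Deny statements and `NotAction`, so a clean result means the actions are allowed by this document, not that nothing else blocks them.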