Eject Phase 2: Control Room Severance #208

@timtalbot

Parent: #206

Summary

Implement the actual disconnection of a workload from the control room. This is done via Pulumi (modifying config and re-running ensure steps) rather than direct API calls, so both infrastructure and Pulumi state stay in sync.

Connections to Sever

| Connection | How to sever |
|---|---|
| Cross-account IAM trust | Remove trust policy entries referencing control room account |
| Mimir password in control room secrets | Delete the secret from control room's AWS Secrets Manager |
| Team Operator control room config | Reconfigure Helm values to remove control room references |
| Observability pipeline (Alloy → control room Mimir/Loki) | Remove or redirect Alloy remote_write endpoints |
| OIDC provider trust (if control-room-issued) | Update or remove OIDC provider |

Approach

Modify ptd.yaml to remove/empty control room fields, then re-run affected ptd ensure steps. Key code areas:

  • lib/steps/persistent.go — Mimir password sync, guard with nil control room target
  • lib/steps/steps.go — Step interface accepts nil control room target
  • python-pulumi/src/ptd/pulumi_resources/grafana_alloy.py — Conditionally omit control room remote_write block
  • python-pulumi/src/ptd/__init__.py, workload.py — Support empty control room fields as "no control room"

Requirements

  • Post-severance verification: confirm workload still operates (pods running, sites accessible)
  • Rollback plan for transition period
  • Safety confirmation prompt (type full workload name to proceed)

Dependencies

  • Phase 1 (artifact bundle generation) should be complete first
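
An added example, not part of the issue or the ptd code base: one way to check the "Cross-account IAM trust" row, by stripping a control room account from a role trust policy document and confirming afterwards that nothing still references it. The account IDs, role names, and function names are constructed for illustration; in the approach above the real change is applied through Pulumi, so this only models the policy edit and the post-severance check.

```python
import copy
import json
import re

# Constructed sample: a workload role trust policy that still trusts a
# control room account (111111111111) next to the workload account.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:role/admin",
                               "arn:aws:iam::222222222222:root"]}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "111111111111"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "eks.amazonaws.com"}},
    ],
}


def _refers_to(principal, account_id):
    """True for a bare account ID or an ARN whose account field matches."""
    return principal == account_id or bool(
        re.match(rf"arn:[^:]+:[^:]*:[^:]*:{re.escape(account_id)}:", principal))


def sever_account(policy, account_id):
    """Return a copy of policy with every principal of account_id removed.
    Statements left with no principal at all are dropped, never widened."""
    result = copy.deepcopy(policy)
    kept = []
    for stmt in result["Statement"]:
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            for kind in list(principal):
                values = principal[kind]
                values = [values] if isinstance(values, str) else values
                values = [v for v in values if not _refers_to(v, account_id)]
                if values:
                    principal[kind] = values
                else:
                    del principal[kind]
            if not principal:
                continue
        kept.append(stmt)
    result["Statement"] = kept
    return result


def remaining_references(policy, account_id):
    """Post-severance check: statements still mentioning account_id anywhere."""
    return [s for s in policy["Statement"] if account_id in json.dumps(s)]
```

`remaining_references` also flags statements that `sever_account` leaves alone, such as a wildcard principal restricted by a `Condition` on the account, so those can be reviewed by hand.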
