feature: add opentofu workflows for big three cloud providers

[randoneering]

Pull Request Summary

This PR unifies cloud DB deployment and validation across AWS, GCP, and Azure. All providers now deploy with OpenTofu, use GitHub-stored DB passwords, and run the same reusable post-deploy validation workflow.

Type of Change

• New health check
• Bug fix
• Performance improvement
• Documentation update
• Refactoring/code cleanup
• Breaking change

---

Related Issues

• Fixes #
• Related to #
• Closes #

---

Testing

PostgreSQL Version Compatibility

Has this code been tested against the following PostgreSQL versions?

• PostgreSQL 15
• PostgreSQL 16
• PostgreSQL 17
• PostgreSQL 18

Testing notes:

Workflow wiring and OpenTofu config were updated for pg15-pg18. Full end-to-end cloud runs should be completed in CI before merge.

Managed Database Platforms

Has this code been deployed and tested on the following platforms?

• Amazon RDS for PostgreSQL
• Google Cloud SQL for PostgreSQL
• Azure Database for PostgreSQL
• Self-managed PostgreSQL

Platform-specific notes:

apply now triggers managed-db-validate.yml for AWS, GCP, and Azure.

---

Additional Notes

• Added reusable validator: .github/workflows/managed-db-validate.yml
• Updated deploy workflows:
  • .github/workflows/deploy-aws-rds.yml
  • .github/workflows/deploy-gcp-postgres.yml
  • .github/workflows/azure-postgres-opentofu.yml
• Added db_password support to AWS/GCP/Azure OpenTofu modules and deploy stacks (pg15-pg18), with sensitive = true variables.
• Hardened secret handling in workflows:
  • moved secret use to step env
  • added masking for password values
  • removed direct secret interpolation in shell where possible
• Updated workflow docs: .github/workflows/README.md

---

[randoneering]

Merging-no changes to views, adding workflow and updating testing features for internal use