
Add tf_vars input to supply Terraform variable values in CI#22

Merged
gsavage merged 1 commit into main from add-tf-vars-input on Jun 24, 2026

Conversation

@gsavage

@gsavage gsavage commented Jun 24, 2026

Contributor

Problem

A Terraform variable declared in variables.tf with no default and no .tfvars entry makes
Terraform prompt for its value on STDIN. That's fine in an interactive terminal but hangs in CI.
The immediate need is to feed an image tag built by a docker-build-and-push-to-ECR job into the
apply — a per-build value that cannot be committed to tfvars or tf.env.

The old FiveXL tf.sh solved this with a tf_additional_env_vars input that set TF_VAR_* env
vars. This PR builds the equivalent.

Approach

The tf wrapper needs no change — it already forwards the whole environment to Terraform via
os.execvp, so any TF_VAR_* env var in the job reaches Terraform. This PR only adds a way to get
values into that environment from the calling workflow.

  • base.yml — new tf_vars input plus an Export Terraform variables step that appends the
    lines to $GITHUB_ENV before Plan (visible to both Plan and Apply). Passed via env: rather than
    interpolated into the run script, to avoid shell injection.
  • plan.yml / apply.yml — add the input and thread it into base.yml.
  • detect-drift.yml — accepts the input for consistency.
  • README.md — new "Supplying Terraform variables" section with the docker-build → apply ECR
    example, the non-secret caveat, pointers to the static-value alternatives, and the drift caveat.

Usage

    with:
      environment: production
      tf_vars: |
        TF_VAR_image_tag=${{ needs.build.outputs.image_tag }}

Caveats

  • tf_vars is for non-sensitive values — inputs are not masked. Secrets should not go through it.
  • Drift detection: a newly-required variable with no default will make detect-drift.yml's plan
    fail, and a fixed tag there produces false drift. The fix lives in the caller's Terraform (a
    default in variables.tf and/or lifecycle { ignore_changes = [...] }). Documented, not
    auto-solved, since it's outside this repo.

Verification

  • actionlint .github/workflows/*.yml — clean.

🤖 Generated with Claude Code
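The PR describes an "Export Terraform variables" step that takes the tf_vars input via env: and appends its KEY=VALUE lines to $GITHUB_ENV. The script below is an added example of what that step body can look like, written for this page; it is not the project's own base.yml code. It assumes a hypothetical env var name (TF_VARS_INPUT, set from `${{ inputs.tf_vars }}` in the step's env: block) and takes the target file as a second argument so it can be exercised against a temp file instead of the real $GITHUB_ENV. Because the input arrives as data, not as interpolated shell, a value such as `$(id)` lands in the file verbatim and is never executed; the function additionally rejects keys that are not TF_VAR_<identifier> names, which catches typos that Terraform would otherwise silently ignore.

```shell
#!/usr/bin/env bash
# Added example (not the project's code). Step body for an
# "Export Terraform variables" step; in the workflow it would be called as:
#   env:
#     TF_VARS_INPUT: ${{ inputs.tf_vars }}     # hypothetical env var name
#   run: export_tf_vars "$TF_VARS_INPUT" "$GITHUB_ENV"

# export_tf_vars INPUT_TEXT OUTFILE
# Appends each non-blank, non-comment KEY=VALUE line of INPUT_TEXT to OUTFILE
# (GITHUB_ENV uses exactly this NAME=value, one-per-line format for
# single-line values). Returns 1 on a malformed line or a non-TF_VAR_* key.
export_tf_vars() {
  input="$1"
  outfile="$2"
  while IFS= read -r line || [ -n "$line" ]; do
    # Skip empty lines and '#' comments so the YAML block scalar can be annotated.
    case "$line" in
      ''|'#'*) continue ;;
    esac
    case "$line" in
      *=*) ;;
      *)
        printf 'tf_vars: malformed line, expected KEY=VALUE: %s\n' "$line" >&2
        return 1 ;;
    esac
    key="${line%%=*}"
    value="${line#*=}"
    # Only TF_VAR_<identifier> keys reach Terraform; anything else is a mistake.
    if ! printf '%s' "$key" | grep -Eq '^TF_VAR_[A-Za-z_][A-Za-z0-9_]*$'; then
      printf 'tf_vars: key %s is not a TF_VAR_* name\n' "$key" >&2
      return 1
    fi
    # Written as data: GITHUB_ENV is parsed by the runner, not by a shell,
    # so $(...), ;, backticks etc. in the value are never evaluated.
    printf '%s=%s\n' "$key" "$value" >> "$outfile"
  done <<EOF
$input
EOF
}

# Stand-alone demo with constructed input (a temp file stands in for GITHUB_ENV).
demo_env=$(mktemp)
export_tf_vars 'TF_VAR_image_tag=sha-0123abcd
# region is a constructed sample value
TF_VAR_region=eu-west-1' "$demo_env"
cat "$demo_env"
rm -f "$demo_env"
```

Values spanning multiple lines would need the runner's delimiter form (`NAME<<EOF ... EOF`) rather than one KEY=VALUE line; the example deliberately stays one-line to match the input format the PR documents.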

A Terraform variable declared in variables.tf without a default and without
a .tfvars entry makes Terraform prompt for its value on STDIN. That works in
an interactive terminal but hangs in CI. The immediate need is to feed an
image tag built by a docker-build-and-push-to-ECR job into the apply, which is
a per-build value that cannot be committed.

Add a tf_vars reusable-workflow input (one KEY=VALUE per line) to plan.yml,
apply.yml, base.yml, and detect-drift.yml. base.yml exports the lines to
GITHUB_ENV before plan/apply; the tf wrapper inherits the environment, so a
TF_VAR_<name> entry reaches Terraform as the value for variable <name>. This
mirrors the tf_additional_env_vars input from the FiveXL tf.sh this replaces.

The input is passed via env: rather than interpolated into the run script to
avoid shell injection. detect-drift.yml accepts the input for consistency, with
docs noting that per-build values there cause false drift and should instead be
given a default in variables.tf.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
@gsavage gsavage merged commit d1a274f into main Jun 24, 2026
1 check passed
@gsavage gsavage deleted the add-tf-vars-input branch June 24, 2026 09:38