ci: add plan_only dry-run mode to reusable terraform deploy

[NWarila]

Summary

Adds an opt-in plan_only input to the reusable Terraform deploy workflow so callers can run a pull-request dry run without applying changes.

Design

When plan_only is true, Terraform initializes with terraform init -backend=false, so import adoption and planning run against isolated local state that is discarded with the runner workspace. The existing S3 backend initialization remains on the default deploy path.

The dry-run path publishes plan-output.txt to the job summary for review while keeping the existing plan artifact. The apply step and AWS OIDC configuration are gated to the default deploy path only.

Safety

The default remains plan_only: false. In that mode the S3 backend init and apply behavior are unchanged. In plan_only mode the canonical S3 state is not initialized and terraform apply is skipped.

Verification

• git diff --check
• parsed .github/workflows/reusable-terraform-deploy.yaml with PyYAML
• terraform -chdir=terraform fmt -check -recursive
• PR CI passed: Validate & Test, CodeQL, Gitleaks, Trivy, zizmor, org ADR, org baseline

Local Terraform init/validate/test could not run because the available local Terraform binaries are 1.15.2 and 1.14.3, while the module pins required_version = "= 1.15.4".