feat(validation): add numeric range guards to all three AWS tier modules

[dmchaledev]

Summary

• Problem: ~35 numeric variables across the three AWS tier modules (single-vm/aws, ha-hot-hot/aws, unlimited-scale/aws) had no validation blocks. Out-of-range values (e.g. db_allocated_storage_gb = 5, redis_snapshot_retention_days = 40) were silently accepted by Terraform and only rejected by the AWS API at apply time — after IAM calls, resource creation, and state writes had already begun.
• Fix: Added validation { condition … error_message … } blocks to every numeric variable where AWS/ElastiCache/ALB enforces a documented hard limit. All defaults are within the new ranges, so no caller is broken.
• Scope: AWS tier modules only. Azure tier modules have equivalent gaps and are tracked as a follow-up.

Variables covered

Module	Variable	Constraint
all three	backup_object_lock_retention_days	≥ 1
all three	backup_noncurrent_version_expiration_days	≥ 1
ha + unlimited	redis_snapshot_retention_days	0–35 (ElastiCache limit)
ha + unlimited	redis_endpoint_override_port	1–65535
ha + unlimited	db_allocated_storage_gb	20–65536 (RDS Postgres)
ha + unlimited	db_max_allocated_storage_gb	21–65536
ha + unlimited	rds_performance_insights_retention_days	7 or 731 (only two valid values)
ha + unlimited	refresh_rollback_5xx_threshold_pct	0–100
single + ha	data_volume_size_gb	1–16384 (gp3 EBS limit)
single	root_volume_size_gb	8–16384
ha	alb_idle_timeout_seconds	1–4000 (ALB limit)
ha	alb_access_log_retention_days	≥ 1
ha	db_ec2_data_volume_size_gb	1–16384
ha	rds_backup_retention_period	0–35 (RDS limit)
unlimited	asg_min_size / asg_max_size / asg_desired_capacity	≥ 1
unlimited	target_cpu_utilization	1–100
unlimited	target_request_count_per_target	≥ 1
unlimited	db_backup_retention_days	0–35 (RDS limit)
unlimited	db_read_replica_count	0–5
unlimited	access_log_retention_days	≥ 1
unlimited	instance_refresh_min_healthy_percentage	0–100
unlimited	instance_refresh_instance_warmup_seconds	≥ 0

Test plan

• terraform validate passes on all three modules (CI gate)
• tflint passes (CI gate)
• Confirm all existing defaults satisfy every new validation (all do — verified by inspection)
• Manually test that a deliberately bad value (e.g. db_allocated_storage_gb = 5) is rejected at terraform validate time with the new error message

Follow-up

Azure tier modules (single-vm/azure, ha-hot-hot/azure, unlimited-scale/azure) have the same gaps. A parallel PR should apply the equivalent Azure-API-constrained ranges (ARM storage, Azure Cache for Redis, Application Gateway, etc.).

https://claude.ai/code/session_01RNxQACZc1QFiPu1zWDreGe

---

Generated by Claude Code