
fix: resolve Terraform variable validation cross-reference error#304

Merged
lgallard merged 3 commits into master from claude/issue-292-20251119-1809 on Nov 19, 2025

Conversation

@lgallard
Owner

This PR fixes the Terraform variable validation error reported in issue #292.

Problem

Users reported terraform init failures with the error:

The condition for variable "vault_name" can only refer to the variable itself, using var.vault_name.

This occurred because the vault_name validation block referenced another variable (var.vault_name_validation_bypass), which violates Terraform's validation constraints.

Solution

  • Moved vault name word validation from variables.tf to main.tf using locals
  • Simplified variable validation to only check format requirements
  • Added runtime validation with helpful error messages
  • Preserved all existing bypass functionality

Changes

  • variables.tf: Simplified vault_name validation to remove cross-variable reference
  • main.tf: Added locals for vault name validation and runtime checks

Testing

The original user configuration should now work:

module "aws_backup_example" {
  source = "lgallard/backup/aws"
  vault_name = "EC2"
  # ...rest of config
}

Backward Compatibility

  • No breaking changes
  • All existing functionality preserved
  • vault_name_validation_bypass still works as intended

Fixes #292

🤖 Generated with Claude Code

Move vault name word validation from variables.tf to main.tf to comply
with Terraform requirement that variable validations can only reference
the variable itself.

Changes:
- Remove invalid cross-variable reference in vault_name validation
- Add vault name word validation logic using locals in main.tf
- Add runtime validation with clear error messages for restricted words
- Preserve vault_name_validation_bypass functionality
- Maintain backward compatibility

Fixes terraform init error: 'The condition for variable vault_name can
only refer to the variable itself, using var.vault_name'

Co-authored-by: Luis M. Gallardo D. <lgallard@users.noreply.github.com>
@lgallard
Owner Author

Validation Results ✅

I've tested this PR with the exact user configuration from issue #292 and confirmed the fix works correctly.

Test Configuration

Used the example from issue #292 comment:

module "aws_backup_example" {
  source = "lgallard/backup/aws"
  
  vault_name    = "EC2"
  iam_role_name = "aws-backup-plan-EC2-role"
  plan_name     = "EC2"
}

Test Scenarios & Results

✅ Scenario 1: Success Path (vault name without restricted words)

  • terraform init: PASSED - No cross-variable reference error
  • terraform plan: PASSED - Shows 8 resources to create (vault, IAM role, policies)
  • terraform apply: PASSED - Successfully created all AWS resources
  • AWS validation: CONFIRMED - Backup vault and IAM resources created successfully
  • terraform destroy: PASSED - All resources cleaned up

✅ Scenario 2: Validation Path (vault name with restricted word)

Changed vault_name = "test-vault" to test validation logic:

  • terraform init: PASSED - Format validation only (no cross-variable reference)
  • terraform plan: PASSED - Shows null_resource for validation
  • terraform apply: FAILED AS EXPECTED with helpful error:
ERROR: Vault name validation failed!
The vault name 'test-vault' contains restricted words (test, temp, delete, remove, default).
These words are not recommended for security reasons.

Solutions:
1. Change the vault name to avoid these words
2. For existing vaults, set: vault_name_validation_bypass = true

Key Findings

  1. Resolves the original issue - Users can now run terraform init without errors
  2. Preserves validation - Word validation still works at runtime via locals and null_resource
  3. Helpful error messages - Clear guidance when validation fails
  4. Backward compatible - vault_name_validation_bypass flag works as intended
  5. Terraform compliant - Variable validation only references itself

Recommendation

This PR is ready to merge. The fix successfully resolves issue #292 while maintaining all existing functionality and security validations.
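The before/after pattern described in the Solution section of the PR description and exercised in Scenario 2 above, as an added illustrative example (not the lgallard/backup/aws module's own code). The restricted-word list, the bypass variable name and the null_resource name come from this page; the format regex, the local names and the '-'/'_' word-boundary handling are assumptions.

```hcl
terraform {
  required_providers {
    null = { source = "hashicorp/null", version = ">= 3.0" }   # needed for null_resource
  }
}

# BEFORE (fails at `terraform init` on Terraform < 1.9): the validation
# referenced var.vault_name_validation_bypass, which is not allowed there.
#   validation {
#     condition = var.vault_name_validation_bypass || !contains([...], var.vault_name)
#   }

variable "vault_name" {
  type    = string
  default = null
  # AFTER: format-only rule that refers to nothing but var.vault_name (regex is an assumption)
  validation {
    condition     = var.vault_name == null || can(regex("^[A-Za-z0-9_-]{2,50}$", var.vault_name))
    error_message = "vault_name must be 2-50 characters: letters, digits, '-' or '_'."
  }
}

variable "vault_name_validation_bypass" {
  type    = bool
  default = false
}

locals {
  # Word list as shown in the Scenario 2 error message (local names are assumptions)
  vault_name_restricted_words = ["test", "temp", "delete", "remove", "default"]
  # True when a restricted word appears as a '-' or '_' delimited token, case-insensitively
  vault_name_has_restricted_word = var.vault_name != null && anytrue([
    for w in local.vault_name_restricted_words :
    can(regex("(?i)(^|[-_])${w}([-_]|$)", var.vault_name))
  ])
  vault_name_validation_failed = local.vault_name_has_restricted_word && !var.vault_name_validation_bypass
}

# Runtime check: init and plan succeed, apply fails here with a clear message.
# vault_name is already format-restricted above, so interpolating it into the shell is safe.
resource "null_resource" "vault_name_validation" {
  count = local.vault_name_validation_failed ? 1 : 0
  provisioner "local-exec" {
    command = <<-EOT
      echo "ERROR: Vault name validation failed! '${var.vault_name}' contains one of: ${join(", ", local.vault_name_restricted_words)}" >&2
      echo "Rename the vault, or set vault_name_validation_bypass = true for an existing vault." >&2
      exit 1
    EOT
  }
}
```

On Terraform 1.9 or later a validation block may reference other variables directly, and on 1.2 or later a lifecycle precondition on a real resource gives the same apply-time failure without a null_resource.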

- Add null provider to required_providers in versions.tf (>= 3.0)
- Fix trailing whitespace in main.tf
- Required for null_resource.vault_name_validation used in runtime validation
@lgallard lgallard merged commit 474fa11 into master Nov 19, 2025
39 checks passed
@lgallard lgallard deleted the claude/issue-292-20251119-1809 branch November 19, 2025 19:36
@github-actions github-actions Bot mentioned this pull request Nov 19, 2025
Development

Successfully merging this pull request may close these issues.

Relax vault name validation