
aws-cf-reverse-proxy: optional WAFv2 web_acl_id #68

Merged
sam-at-luther merged 1 commit into main from feature/cf-reverse-proxy-waf-support on May 24, 2026

Conversation

@sam-at-luther

Member

Summary

Adds an optional `web_acl_id` input on `aws-cf-reverse-proxy` so callers can attach a CLOUDFRONT-scope WAFv2 Web ACL ARN to the underlying `aws_cloudfront_distribution.site`. Default `null` preserves the existing behaviour (no WAF attached) for every existing caller — fully additive, backward-compatible.

Why

Used by ui-infrastructure's upcoming WAFv2 rollout for `app.luthersystems.com` (prod) and `app-test.luthersystems.com` (staging), which front the EKS-hosted A2A / MCP / Oracle APIs. Today these have zero edge protection — a recent spammer hammered the anonymous A2A endpoint with 700+ tasks in 20 hours. This input is the wire-up step; the actual WAFv2 Web ACL + IP set + rate-limit + AWS managed rules land in ui-infrastructure on top of this.

Changes

  • `vars.tf`: new `variable "web_acl_id"` (`string`, default `null`, must be CLOUDFRONT-scope / us-east-1).
  • `main.tf`: pass `web_acl_id = var.web_acl_id` to `aws_cloudfront_distribution.site`. `null` is the documented "no WAF" value for that argument.
  • `README.md`: short usage example.

Validation

  • `terraform fmt -check -recursive` clean.
  • `terraform init -backend=false && terraform validate` in `aws-cf-reverse-proxy/tests/test1/` is green.
  • No callers currently set the variable, so every existing consumer is byte-identical.

Versioning / tag

Additive, backward-compatible → minor bump. Current tag is `v55.19.0` → intended next tag `v55.20.0` (to be cut by a human after merge — I am intentionally not pushing the tag from this PR). ui-infrastructure's companion PR pins this tag.

Test plan

  • Module validates locally (`terraform validate`).
  • CI green (`Terraform CI` workflow on this PR).
  • After merge, human tags `v55.20.0` and the ui-infrastructure PR plans cleanly.
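The page does not render the PR's diff, so the following is an added illustration of how the three pieces described above fit together, written here and not taken from the aws-cf-reverse-proxy module or from ui-infrastructure. It goes one step beyond the description: the variable carries a `validation` block that rejects anything except a null or a CLOUDFRONT-scope WAFv2 ARN (global-scope Web ACLs always live in us-east-1 and carry `global/webacl` in their ARN), so a REGIONAL ACL fails at `terraform plan` rather than at apply time. The module source URL, the `aws.us_east_1` provider alias, the resource names, the minimal distribution arguments and the 500-requests-per-5-minutes rate limit are all assumptions.

```hcl
# vars.tf (illustrative reconstruction, not the module's actual file)
variable "web_acl_id" {
  description = "Optional ARN of a CLOUDFRONT-scope WAFv2 Web ACL to attach to the distribution. null = no WAF."
  type        = string
  default     = null

  validation {
    # CloudFront only accepts global-scope ACLs: region us-east-1, "global/webacl" in the ARN.
    condition = (
      var.web_acl_id == null ||
      can(regex("^arn:aws:wafv2:us-east-1:[0-9]{12}:global/webacl/[^/]+/[0-9a-f-]+$", var.web_acl_id))
    )
    error_message = "web_acl_id must be null or a CLOUDFRONT-scope (global, us-east-1) WAFv2 Web ACL ARN."
  }
}

variable "origin_domain_name" {
  type = string
}

# main.tf (minimal distribution; the only line the PR adds is web_acl_id)
resource "aws_cloudfront_distribution" "site" {
  enabled = true

  origin {
    domain_name = var.origin_domain_name
    origin_id   = "site"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "site"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = true
      headers      = ["*"]
      cookies {
        forward = "all"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  # null is the provider's documented "no WAF attached" value for this argument.
  web_acl_id = var.web_acl_id
}

# Caller side (e.g. ui-infrastructure): the ACL is created in us-east-1 and
# its ARN is handed to the module. Provider alias and source URL are assumed.
resource "aws_wafv2_web_acl" "edge" {
  provider = aws.us_east_1
  name     = "edge-acl"
  scope    = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "rate-limit-per-ip"
    priority = 1
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 500 # requests per 5-minute window per source IP (assumed value)
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "edge-acl"
    sampled_requests_enabled   = true
  }
}

module "reverse_proxy" {
  source             = "git::https://example.invalid/terraform-modules.git//aws-cf-reverse-proxy?ref=v55.20.0" # placeholder
  origin_domain_name = "origin.example.invalid"
  web_acl_id         = aws_wafv2_web_acl.edge.arn
}
```

Leaving `web_acl_id` unset keeps the distribution exactly as before, which is what makes the change additive; the validation block only fires when a caller supplies a value, so existing consumers still plan byte-identically. Keeping `cloudwatch_metrics_enabled` and `sampled_requests_enabled` on gives the operators the per-rule counters needed to confirm the rate limit is actually catching traffic like the 700-tasks-in-20-hours episode described above.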

Add an optional 'web_acl_id' variable on aws-cf-reverse-proxy that is
threaded straight through to aws_cloudfront_distribution.site.web_acl_id.
Default null preserves the existing behaviour for every caller (no WAF
attached). Callers can now attach a CLOUDFRONT-scope WAFv2 Web ACL ARN
(IP denylist + rate limit + AWS managed rules, etc.) by setting the
input. README documents the wire-up.
@sam-at-luther sam-at-luther merged commit e1adc4e into main May 24, 2026
25 checks passed