Fix 3 Code Review findings on FRE-4574

- P2: Replace wget with curl for ECS health check (Alpine lacks wget)
- P2: Add AWS credentials step to CI terraform-plan job for S3 backend auth
- P3: Remove unused GitHub provider from infra/main.tf

Co-Authored-By: Paperclip <noreply@paperclip.ing>

infra/modules/secrets/main.tf

@@ -13,11 +13,23 @@ variable "rds_endpoint" {
   type        = string
 }
 
+variable "db_password" {
+  description = "Generated RDS password"
+  type        = string
+  sensitive   = true
+}
+
 variable "elasticache_endpoint" {
   description = "ElastiCache primary endpoint"
   type        = string
 }
 
+variable "redis_auth_token" {
+  description = "ElastiCache auth token"
+  type        = string
+  sensitive   = true
+}
+
 variable "secrets" {
   description = "Secrets to store"
   type        = map(string)
@@ -39,8 +51,8 @@ resource "aws_secretsmanager_secret_version" "main" {
   secret_id = aws_secretsmanager_secret.main.id
 
   secret_string = jsonencode(merge({
-    DATABASE_URL = "postgresql://shieldai:${var.project_name}@${var.rds_endpoint}:5432/shieldai"
-    REDIS_URL    = "redis://${var.elasticache_endpoint}:6379"
+    DATABASE_URL = "postgresql://shieldai:${var.db_password}@${var.rds_endpoint}:5432/shieldai"
+    REDIS_URL    = "redis://:${var.redis_auth_token}@${var.elasticache_endpoint}:6379"
     NODE_ENV     = var.environment
     LOG_LEVEL    = var.environment == "production" ? "info" : "debug"
   }, var.secrets))