Address PR feedback: Clarify RDS database usage for passwordless authentication

Added comments to address reviewer feedback about postgres-passwordless module usage:

1. **Using RDS, not EC2+Docker**: The current configuration correctly uses the
   standard RDS database module (./modules/database) which creates aws_db_instance
   with native IAM authentication support via enable_iam_database_authentication.

2. **postgres-passwordless module not used**: The postgres-passwordless module
   creates an EC2 instance with PostgreSQL in Docker, which is not suitable for
   production use cases. RDS is the correct approach.

3. **IAM authentication properly configured**:
   - RDS: enable_iam_database_authentication = true when passwordless requested
   - TFE: database_passwordless_aws_use_iam passed to runtime configuration
   - Region: database_passwordless_aws_region set for AWS authentication

This follows the standard AWS best practice of using managed RDS services
with IAM database authentication rather than self-managed PostgreSQL on EC2.

Author: raviharshicorp

main.tf

@@ -155,7 +155,12 @@ module "redis_mtls" {
 }
 
 # -----------------------------------------------------------------------------
-# AWS PostgreSQL Database
+# AWS PostgreSQL RDS Database with IAM Authentication Support
+# NOTE: Using standard RDS database module (not postgres-passwordless module)
+# because RDS supports IAM authentication natively via the 
+# enable_iam_database_authentication parameter. The postgres-passwordless
+# module creates an EC2 instance with PostgreSQL in Docker, which is not
+# suitable for production use cases.
 # -----------------------------------------------------------------------------
 module "database" {
   source = "./modules/database"
@@ -176,6 +181,7 @@ module "database" {
   kms_key_arn                        = local.kms_key_arn
   allow_major_version_upgrade        = var.allow_major_version_upgrade
   allow_multiple_azs                 = var.allow_multiple_azs
+  # Enable IAM database authentication when passwordless auth is requested
   enable_iam_database_authentication = var.postgres_enable_iam_auth && !var.postgres_use_password_auth
 }
 
@@ -287,15 +293,17 @@ module "runtime_container_engine_config" {
   iact_time_limit      = var.iact_subnet_time_limit
   run_pipeline_image   = var.run_pipeline_image
 
+  # Database configuration - uses RDS PostgreSQL with IAM authentication support
   database_name                     = local.database.name
   database_user                     = local.database.username
-  database_password                 = local.database.password
+  database_password                 = local.database.password  # Required for RDS master user even with IAM auth
   database_host                     = local.database.endpoint
   database_parameters               = local.database.parameters
   database_use_mtls                 = var.db_use_mtls
   database_ca_cert_file             = "/etc/ssl/private/terraform-enterprise/postgres/ca.crt"
   database_client_cert_file         = "/etc/ssl/private/terraform-enterprise/postgres/cert.crt"
   database_client_key_file          = "/etc/ssl/private/terraform-enterprise/postgres/key.key"
+  # AWS IAM database authentication configuration
   database_passwordless_aws_use_iam = var.postgres_enable_iam_auth && !var.postgres_use_password_auth
   database_passwordless_aws_region  = var.postgres_enable_iam_auth && !var.postgres_use_password_auth ? data.aws_region.current.name : ""