feat: Add custom MFA authentication flow with configurable enforcement

- Add authentication-flow.tf with complete MFA auth flow:
  - Identification -> Password -> MFA validation -> Session stages
  - Brute-force reputation policy binding
  - Evaluates policies on plan for user context

- Add configuration variables:
  - enable_mfa_flow: Toggle custom MFA flow (default: false)
  - mfa_enforcement: skip/configure/deny (default: configure)

- Fix existing issues:
  - rbac-groups.tf: parent -> parents (list)
  - source-google.tf: Use variables instead of deprecated sops
  - Google source now conditional (created only if credentials provided)

- Update README:
  - Document MFA enforcement levels
  - Add authentication-flow.tf to file structure
  - Explain Option 1 (Terraform) vs Option 2 (manual UI) for MFA setup

Security: Custom flow includes brute-force protection policy bound
at flow level, not just stage level.

terraform.tfvars.example

@@ -22,3 +22,10 @@ portainer_url      = "https://portainer.example.com"
 
 # LDAP Configuration
 ldap_base_dn = "dc=ldap,dc=example,dc=com"
+
+# Security Configuration
+enable_mfa_flow = false      # Set to true to enable MFA authentication flow
+mfa_enforcement = "configure" # Options: skip, configure, deny
+# - skip: MFA optional, no prompt if not configured
+# - configure: Prompt users to set up MFA on login
+# - deny: Block login if MFA not configured (use after users have set up MFA)