feat(phase-2): workstream 8 — Multi-Region Terraform Deployment
AWS environment: - VPC (3-AZ, public + private subnets, NAT gateways, VPC endpoints for ECR, Secrets Manager and CloudWatch) - ECS Fargate service (sentryagent/agentidp) — secrets from Secrets Manager - RDS PostgreSQL 14 (Multi-AZ, encrypted, VPC-internal, storage autoscaling) - ElastiCache Redis 7 (primary + replica, at-rest + in-transit encryption) - ALB with HTTPS/443, HTTP→HTTPS redirect, ACM certificate - Route 53 alias record GCP environment: - VPC + private services access + Serverless VPC connector - Cloud Run service — secrets from Secret Manager - Cloud SQL PostgreSQL 14 (private IP, no public endpoint) - Cloud Memorystore Redis 7 (VPC-internal, AUTH enabled) Shared: - 4 reusable modules: agentidp (dual AWS/GCP), rds, redis, lb - No hardcoded secrets; all sensitive vars marked sensitive=true - terraform.tfvars.example for both environments - docs/devops/deployment.md — AWS + GCP step-by-step walkthrough, rollback procedures Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
76
terraform/environments/aws/terraform.tfvars.example
Normal file
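--- /dev/null
+++ b/terraform/environments/aws/terraform.tfvars.example
@@ -0,0 +1,76 @@
+# ─────────────────────────────────────────────────────────────────────────────
+# terraform/environments/aws/terraform.tfvars.example
+#
+# Copy this file to terraform.tfvars and fill in real values.
+# NEVER commit terraform.tfvars to version control — it contains secrets.
+#
+# All sensitive variables (db_password, jwt_*, vault_token) must be provided
+# via this file or as TF_VAR_* environment variables in your CI/CD pipeline.
+# ─────────────────────────────────────────────────────────────────────────────
+
+# ── Region & environment ──────────────────────────────────────────────────────
+
+region = "us-east-1"
+environment = "production"
+project = "sentryagent-agentidp"
+
+# ── Application image ─────────────────────────────────────────────────────────
+# Docker image tag to deploy. Update this to roll out a new version.
+
+app_image_tag = "1.0.0"
+
+# ── DNS & TLS ─────────────────────────────────────────────────────────────────
+# The ACM certificate must already exist in the same region as the ALB.
+# Create it with: aws acm request-certificate --domain-name idp.example.com --validation-method DNS
+
+domain_name = "idp.example.com"
+certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+
+# ── Networking ────────────────────────────────────────────────────────────────
+
+vpc_cidr = "10.0.0.0/16"
+availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
+public_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+private_subnet_cidrs = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]
+
+# ── Secrets — REPLACE ALL VALUES BELOW ───────────────────────────────────────
+# Use strong, randomly generated values. Do NOT use these placeholders in production.
+
+# Master password for RDS PostgreSQL (min 8 chars, no special chars that break URLs)
+db_password = "REPLACE_WITH_STRONG_RANDOM_PASSWORD"
+
+# AUTH token for ElastiCache Redis (min 16 chars)
+redis_auth_token = "REPLACE_WITH_STRONG_RANDOM_TOKEN_AT_LEAST_16_CHARS"
+
+# RSA-2048 key pair for JWT signing/verification.
+# Generate with:
+# openssl genrsa -out private.pem 2048
+# openssl rsa -in private.pem -pubout -out public.pem
+jwt_private_key = "-----BEGIN RSA PRIVATE KEY-----\nREPLACE_WITH_ACTUAL_PRIVATE_KEY_CONTENTS\n-----END RSA PRIVATE KEY-----"
+jwt_public_key = "-----BEGIN PUBLIC KEY-----\nREPLACE_WITH_ACTUAL_PUBLIC_KEY_CONTENTS\n-----END PUBLIC KEY-----"
+
+# HashiCorp Vault (optional — leave empty strings to disable Vault integration)
+vault_addr = ""
+vault_token = ""
+vault_mount = "secret"
+
+# ── Application configuration ─────────────────────────────────────────────────
+
+cors_origin = "*"
+ecs_desired_count = 2
+
+# ── Infrastructure sizing ─────────────────────────────────────────────────────
+
+rds_instance_class = "db.t3.medium"
+redis_node_type = "cache.t3.medium"
+
+# ── ALB access logs (optional) ────────────────────────────────────────────────
+# Create the S3 bucket and enable ALB log delivery permissions before setting this.
+
+alb_access_logs_bucket = ""
+
+# ── RDS settings ──────────────────────────────────────────────────────────────
+
+rds_backup_retention_days = 7
+rds_deletion_protection = true
+rds_skip_final_snapshot = false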
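Review bot: `cors_origin = "*"` under "Application configuration" ships a wildcard CORS origin in an example whose `environment` is `"production"`, and for an identity provider that issues JWTs a wildcard lets any web origin drive its API cross-site from a browser; the example should name the front-end origin instead, e.g. `cors_origin = "https://app.example.com"  # exact origin of the SPA that calls this IdP; never "*" in production`. The header comment ("All sensitive variables … must be provided via this file") together with the commit's "sensitive=true" claim suggests the values are protected, but Terraform stores `db_password`, `redis_auth_token` and `jwt_private_key` in plaintext in state regardless of `sensitive = true`, so I would add `# NOTE: sensitive=true only redacts plan/apply output; these values land in terraform.tfstate in cleartext — use an encrypted, access-restricted remote backend.` above the Secrets section. The `db_password` guidance `min 8 chars` is the RDS floor rather than a production target; suggest `# 32+ chars from a CSPRNG, e.g. openssl rand -base64 32 | tr -d '/+='` so both length and URL-safety are covered. The placeholder header `BEGIN RSA PRIVATE KEY` is the PKCS#1 form while `openssl genrsa` on OpenSSL 3.x emits a PKCS#8 `BEGIN PRIVATE KEY` block by default, so the comment should state which encoding the application parses — I cannot confirm that from this file.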