feat(phase-2): workstream 8 — Multi-Region Terraform Deployment

AWS environment:
- VPC (3-AZ, public + private subnets, NAT gateways, VPC endpoints for ECR/SM/CW)
- ECS Fargate service (sentryagent/agentidp) — secrets from Secrets Manager
- RDS PostgreSQL 14 (Multi-AZ, encrypted, VPC-internal, storage autoscaling)
- ElastiCache Redis 7 (primary + replica, at-rest + in-transit encryption)
- ALB with HTTPS/443, HTTP→HTTPS redirect, ACM certificate
- Route 53 alias record

GCP environment:
- VPC + private services access + Serverless VPC connector
- Cloud Run service — secrets from Secret Manager
- Cloud SQL PostgreSQL 14 (private IP, no public endpoint)
- Cloud Memorystore Redis 7 (VPC-internal, AUTH enabled)

Shared:
- 4 reusable modules: agentidp (dual AWS/GCP), rds, redis, lb
- No hardcoded secrets; all sensitive vars marked sensitive=true
- terraform.tfvars.example for both environments
- docs/devops/deployment.md — AWS + GCP step-by-step walkthrough, rollback procedures

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

terraform/environments/aws/variables.tf

@@ -0,0 +1,164 @@
+################################################################################
+# Environment: aws
+# Variables
+################################################################################
+
+variable "region" {
+  description = "AWS region for all resources."
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "environment" {
+  description = "Deployment environment (e.g. production, staging)."
+  type        = string
+  default     = "production"
+}
+
+variable "project" {
+  description = "Project identifier — used in all resource names and tags."
+  type        = string
+  default     = "sentryagent-agentidp"
+}
+
+variable "app_image_tag" {
+  description = "Docker image tag to deploy (e.g. '1.2.3' or a full SHA)."
+  type        = string
+}
+
+variable "domain_name" {
+  description = "Primary domain name for the AgentIdP service (e.g. idp.sentryagent.ai)."
+  type        = string
+}
+
+variable "certificate_arn" {
+  description = "ARN of the ACM certificate for the domain_name. Must be in the same region as the ALB."
+  type        = string
+}
+
+################################################################################
+# Networking
+################################################################################
+
+variable "vpc_cidr" {
+  description = "CIDR block for the VPC."
+  type        = string
+  default     = "10.0.0.0/16"
+}
+
+variable "availability_zones" {
+  description = "List of Availability Zones to use. Must contain at least 2 for Multi-AZ resources."
+  type        = list(string)
+  default     = ["us-east-1a", "us-east-1b", "us-east-1c"]
+}
+
+variable "public_subnet_cidrs" {
+  description = "CIDR blocks for public subnets (ALB). One per AZ."
+  type        = list(string)
+  default     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+}
+
+variable "private_subnet_cidrs" {
+  description = "CIDR blocks for private subnets (ECS, RDS, Redis). One per AZ."
+  type        = list(string)
+  default     = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]
+}
+
+################################################################################
+# Secrets — all marked sensitive; provide via tfvars or environment variables
+################################################################################
+
+variable "db_password" {
+  description = "Master password for the RDS PostgreSQL instance. Stored in AWS Secrets Manager."
+  type        = string
+  sensitive   = true
+}
+
+variable "redis_auth_token" {
+  description = "AUTH token for ElastiCache Redis (minimum 16 characters). Stored in AWS Secrets Manager."
+  type        = string
+  sensitive   = true
+}
+
+variable "jwt_private_key" {
+  description = "PEM-encoded RSA-2048 private key for signing JWTs. Stored in AWS Secrets Manager."
+  type        = string
+  sensitive   = true
+}
+
+variable "jwt_public_key" {
+  description = "PEM-encoded RSA-2048 public key for verifying JWTs. Stored in AWS Secrets Manager."
+  type        = string
+  sensitive   = true
+}
+
+variable "vault_token" {
+  description = "HashiCorp Vault token. Leave empty to disable Vault integration."
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+################################################################################
+# Optional configuration
+################################################################################
+
+variable "vault_addr" {
+  description = "HashiCorp Vault server address. Leave empty to disable Vault integration."
+  type        = string
+  default     = ""
+}
+
+variable "vault_mount" {
+  description = "HashiCorp Vault KV v2 mount path."
+  type        = string
+  default     = "secret"
+}
+
+variable "cors_origin" {
+  description = "CORS_ORIGIN value for the app (use * for public APIs or a specific origin)."
+  type        = string
+  default     = "*"
+}
+
+variable "ecs_desired_count" {
+  description = "Number of ECS Fargate tasks to run."
+  type        = number
+  default     = 2
+}
+
+variable "rds_instance_class" {
+  description = "RDS instance class."
+  type        = string
+  default     = "db.t3.medium"
+}
+
+variable "redis_node_type" {
+  description = "ElastiCache node type."
+  type        = string
+  default     = "cache.t3.medium"
+}
+
+variable "alb_access_logs_bucket" {
+  description = "S3 bucket for ALB access logs. Leave empty to disable."
+  type        = string
+  default     = ""
+}
+
+variable "rds_backup_retention_days" {
+  description = "Number of days to retain RDS automated backups."
+  type        = number
+  default     = 7
+}
+
+variable "rds_deletion_protection" {
+  description = "Enable RDS deletion protection."
+  type        = bool
+  default     = true
+}
+
+variable "rds_skip_final_snapshot" {
+  description = "Skip final RDS snapshot on destroy. Keep false in production."
+  type        = bool
+  default     = false
+}