feat(phase-2): workstream 8 — Multi-Region Terraform Deployment

AWS environment:
- VPC (3-AZ, public + private subnets, NAT gateways, VPC endpoints for ECR/SM/CW)
- ECS Fargate service (sentryagent/agentidp) — secrets from Secrets Manager
- RDS PostgreSQL 14 (Multi-AZ, encrypted, VPC-internal, storage autoscaling)
- ElastiCache Redis 7 (primary + replica, at-rest + in-transit encryption)
- ALB with HTTPS/443, HTTP→HTTPS redirect, ACM certificate
- Route 53 alias record

GCP environment:
- VPC + private services access + Serverless VPC connector
- Cloud Run service — secrets from Secret Manager
- Cloud SQL PostgreSQL 14 (private IP, no public endpoint)
- Cloud Memorystore Redis 7 (VPC-internal, AUTH enabled)

Shared:
- 4 reusable modules: agentidp (dual AWS/GCP), rds, redis, lb
- No hardcoded secrets; all sensitive vars marked sensitive=true
- terraform.tfvars.example for both environments
- docs/devops/deployment.md — AWS + GCP step-by-step walkthrough, rollback procedures

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

terraform/environments/gcp/terraform.tfvars.example

@@ -0,0 +1,70 @@
+# ─────────────────────────────────────────────────────────────────────────────
+# terraform/environments/gcp/terraform.tfvars.example
+#
+# Copy this file to terraform.tfvars and fill in real values.
+# NEVER commit terraform.tfvars to version control — it contains secrets.
+#
+# All sensitive variables (db_password, jwt_*, vault_token) must be provided
+# via this file or as TF_VAR_* environment variables in your CI/CD pipeline.
+# ─────────────────────────────────────────────────────────────────────────────
+
+# ── GCP project & region ──────────────────────────────────────────────────────
+
+project_id  = "your-gcp-project-id"
+region      = "us-central1"
+environment = "production"
+project     = "sentryagent-agentidp"
+
+# ── Application image ─────────────────────────────────────────────────────────
+
+app_image_tag = "1.0.0"
+
+# ── Networking ────────────────────────────────────────────────────────────────
+
+vpc_cidr           = "10.1.0.0/24"
+vpc_connector_cidr = "10.8.0.0/28"
+
+# ── Database ──────────────────────────────────────────────────────────────────
+
+db_tier               = "db-g1-small"
+db_name               = "sentryagent_idp"
+db_username           = "sentryagent"
+db_availability_type  = "REGIONAL"
+
+# ── Secrets — REPLACE ALL VALUES BELOW ───────────────────────────────────────
+
+# Password for Cloud SQL PostgreSQL user
+db_password = "REPLACE_WITH_STRONG_RANDOM_PASSWORD"
+
+# RSA-2048 key pair for JWT signing/verification.
+# Generate with:
+#   openssl genrsa -out private.pem 2048
+#   openssl rsa -in private.pem -pubout -out public.pem
+jwt_private_key = "-----BEGIN RSA PRIVATE KEY-----\nREPLACE_WITH_ACTUAL_PRIVATE_KEY_CONTENTS\n-----END RSA PRIVATE KEY-----"
+jwt_public_key  = "-----BEGIN PUBLIC KEY-----\nREPLACE_WITH_ACTUAL_PUBLIC_KEY_CONTENTS\n-----END PUBLIC KEY-----"
+
+# HashiCorp Vault (optional — leave empty strings to disable Vault integration)
+vault_addr  = ""
+vault_token = ""
+vault_mount = "secret"
+
+# ── Application configuration ─────────────────────────────────────────────────
+
+cors_origin = "*"
+
+# ── Cloud Run scaling ─────────────────────────────────────────────────────────
+
+cloud_run_min_instances = 1
+cloud_run_max_instances = 10
+cloud_run_cpu           = "1"
+cloud_run_memory        = "512Mi"
+
+# ── Memorystore Redis ─────────────────────────────────────────────────────────
+
+memorystore_memory_size_gb = 1
+memorystore_redis_version  = "REDIS_7_0"
+memorystore_tier           = "STANDARD_HA"
+
+# ── Protection ────────────────────────────────────────────────────────────────
+
+deletion_protection = true