feat(phase-2): workstream 8 — Multi-Region Terraform Deployment

AWS environment: - VPC (3-AZ, public + private subnets, NAT gateways, VPC endpoints for ECR/SM/CW) - ECS Fargate service (sentryagent/agentidp) — secrets from Secrets Manager - RDS PostgreSQL 14 (Multi-AZ, encrypted, VPC-internal, storage autoscaling) - ElastiCache Redis 7 (primary + replica, at-rest + in-transit encryption) - ALB with HTTPS/443, HTTP→HTTPS redirect, ACM certificate - Route 53 alias record GCP environment: - VPC + private services access + Serverless VPC connector - Cloud Run service — secrets from Secret Manager - Cloud SQL PostgreSQL 14 (private IP, no public endpoint) - Cloud Memorystore Redis 7 (VPC-internal, AUTH enabled) Shared: - 4 reusable modules: agentidp (dual AWS/GCP), rds, redis, lb - No hardcoded secrets; all sensitive vars marked sensitive=true - terraform.tfvars.example for both environments - docs/devops/deployment.md — AWS + GCP step-by-step walkthrough, rollback procedures Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-29 06:25:14 +00:00
parent a504964e5f
commit 6913d62648
22 changed files with 4138 additions and 8 deletions
--- a/terraform/modules/rds/variables.tf
+++ b/terraform/modules/rds/variables.tf
@@ -0,0 +1,133 @@
+################################################################################
+# Module: rds
+# Variables — AWS RDS PostgreSQL 14
+################################################################################
+
+variable "environment" {
+  description = "Deployment environment label (e.g. production, staging)."
+  type        = string
+}
+
+variable "project" {
+  description = "Project identifier used in resource names and tags."
+  type        = string
+  default     = "sentryagent-agentidp"
+}
+
+variable "vpc_id" {
+  description = "VPC ID in which to create the RDS subnet group and security group."
+  type        = string
+}
+
+variable "subnet_ids" {
+  description = "List of private subnet IDs for the RDS DB subnet group. Must span at least 2 AZs for Multi-AZ."
+  type        = list(string)
+}
+
+variable "allowed_security_group_ids" {
+  description = "List of security group IDs (e.g. ECS app SG) permitted to connect to RDS on port 5432."
+  type        = list(string)
+  default     = []
+}
+
+variable "db_name" {
+  description = "Name of the initial PostgreSQL database to create."
+  type        = string
+  default     = "sentryagent_idp"
+}
+
+variable "db_username" {
+  description = "Master username for the RDS instance."
+  type        = string
+  default     = "sentryagent"
+}
+
+variable "db_password" {
+  description = "Master password for the RDS instance. Store this in Secrets Manager; do not hardcode."
+  type        = string
+  sensitive   = true
+}
+
+variable "instance_class" {
+  description = "RDS instance class."
+  type        = string
+  default     = "db.t3.medium"
+}
+
+variable "allocated_storage" {
+  description = "Initial storage allocated in GiB."
+  type        = number
+  default     = 50
+}
+
+variable "max_allocated_storage" {
+  description = "Upper bound for RDS storage autoscaling in GiB. Set to 0 to disable autoscaling."
+  type        = number
+  default     = 500
+}
+
+variable "multi_az" {
+  description = "Enable Multi-AZ deployment for high availability."
+  type        = bool
+  default     = true
+}
+
+variable "backup_retention_days" {
+  description = "Number of days to retain automated backups. Must be >= 1 for Multi-AZ."
+  type        = number
+  default     = 7
+}
+
+variable "backup_window" {
+  description = "Preferred daily backup window in UTC (hh24:mi-hh24:mi)."
+  type        = string
+  default     = "03:00-04:00"
+}
+
+variable "maintenance_window" {
+  description = "Preferred weekly maintenance window (ddd:hh24:mi-ddd:hh24:mi in UTC)."
+  type        = string
+  default     = "sun:05:00-sun:06:00"
+}
+
+variable "deletion_protection" {
+  description = "Enable deletion protection. Set to false only when decommissioning."
+  type        = bool
+  default     = true
+}
+
+variable "skip_final_snapshot" {
+  description = "Whether to skip the final DB snapshot on destroy. Should be false in production."
+  type        = bool
+  default     = false
+}
+
+variable "performance_insights_enabled" {
+  description = "Enable RDS Performance Insights."
+  type        = bool
+  default     = true
+}
+
+variable "performance_insights_retention_period" {
+  description = "Performance Insights data retention in days. Free tier = 7; paid tiers = 731."
+  type        = number
+  default     = 7
+}
+
+variable "monitoring_interval" {
+  description = "Enhanced monitoring interval in seconds (0 to disable, valid: 1, 5, 10, 15, 30, 60)."
+  type        = number
+  default     = 60
+}
+
+variable "monitoring_role_arn" {
+  description = "IAM role ARN for RDS Enhanced Monitoring. Required when monitoring_interval > 0."
+  type        = string
+  default     = ""
+}
+
+variable "parameter_group_family" {
+  description = "DB parameter group family."
+  type        = string
+  default     = "postgres14"
+}