feat(phase-2): workstream 8 — Multi-Region Terraform Deployment

AWS environment:
- VPC (3-AZ, public + private subnets, NAT gateways, VPC endpoints for ECR/SM/CW)
- ECS Fargate service (sentryagent/agentidp) — secrets from Secrets Manager
- RDS PostgreSQL 14 (Multi-AZ, encrypted, VPC-internal, storage autoscaling)
- ElastiCache Redis 7 (primary + replica, at-rest + in-transit encryption)
- ALB with HTTPS/443, HTTP→HTTPS redirect, ACM certificate
- Route 53 alias record

GCP environment:
- VPC + private services access + Serverless VPC connector
- Cloud Run service — secrets from Secret Manager
- Cloud SQL PostgreSQL 14 (private IP, no public endpoint)
- Cloud Memorystore Redis 7 (VPC-internal, AUTH enabled)

Shared:
- 4 reusable modules: agentidp (dual AWS/GCP), rds, redis, lb
- No hardcoded secrets; all sensitive vars marked sensitive=true
- terraform.tfvars.example for both environments
- docs/devops/deployment.md — AWS + GCP step-by-step walkthrough, rollback procedures

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

terraform/modules/redis/variables.tf

@@ -0,0 +1,116 @@
+################################################################################
+# Module: redis
+# Variables — AWS ElastiCache Redis 7
+################################################################################
+
+variable "environment" {
+  description = "Deployment environment label (e.g. production, staging)."
+  type        = string
+}
+
+variable "project" {
+  description = "Project identifier used in resource names and tags."
+  type        = string
+  default     = "sentryagent-agentidp"
+}
+
+variable "vpc_id" {
+  description = "VPC ID in which to create the ElastiCache subnet group and security group."
+  type        = string
+}
+
+variable "subnet_ids" {
+  description = "List of private subnet IDs for the ElastiCache subnet group. Span at least 2 AZs."
+  type        = list(string)
+}
+
+variable "allowed_security_group_ids" {
+  description = "List of security group IDs (e.g. ECS app SG) permitted to connect to Redis on port 6379."
+  type        = list(string)
+  default     = []
+}
+
+variable "node_type" {
+  description = "ElastiCache node instance type."
+  type        = string
+  default     = "cache.t3.medium"
+}
+
+variable "engine_version" {
+  description = "Redis engine version. Use 7.x for Redis 7."
+  type        = string
+  default     = "7.1"
+}
+
+variable "num_cache_clusters" {
+  description = "Total number of cache clusters in the replication group (1 primary + N replicas). Minimum 2 for HA."
+  type        = number
+  default     = 2
+}
+
+variable "automatic_failover_enabled" {
+  description = "Enable automatic failover. Required when num_cache_clusters > 1."
+  type        = bool
+  default     = true
+}
+
+variable "multi_az_enabled" {
+  description = "Enable Multi-AZ for the replication group."
+  type        = bool
+  default     = true
+}
+
+variable "at_rest_encryption_enabled" {
+  description = "Encrypt data at rest."
+  type        = bool
+  default     = true
+}
+
+variable "transit_encryption_enabled" {
+  description = "Enable TLS for data in transit."
+  type        = bool
+  default     = true
+}
+
+variable "auth_token" {
+  description = "AUTH token (password) for Redis AUTH command. Required when transit_encryption_enabled = true. Minimum 16 characters."
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "maintenance_window" {
+  description = "Preferred weekly maintenance window (ddd:hh24:mi-ddd:hh24:mi in UTC)."
+  type        = string
+  default     = "sun:06:00-sun:07:00"
+}
+
+variable "snapshot_retention_limit" {
+  description = "Number of days to retain automatic Redis snapshots. 0 disables snapshots."
+  type        = number
+  default     = 7
+}
+
+variable "snapshot_window" {
+  description = "Daily time range for automatic snapshots (hh24:mi-hh24:mi in UTC). Must not overlap maintenance_window."
+  type        = string
+  default     = "04:00-05:00"
+}
+
+variable "apply_immediately" {
+  description = "Apply changes immediately. Set to false to wait for the next maintenance window in production."
+  type        = bool
+  default     = false
+}
+
+variable "log_delivery_enabled" {
+  description = "Enable delivery of Redis slow logs and engine logs to CloudWatch."
+  type        = bool
+  default     = true
+}
+
+variable "log_group_name" {
+  description = "CloudWatch log group name for Redis logs. Created if it does not exist."
+  type        = string
+  default     = "/elasticache/sentryagent-agentidp/redis"
+}