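################################################################################
# Environment: aws
# Variables
#
# Security notes for anyone editing this file:
#   * `sensitive = true` only redacts a value from plan/apply output. Every
#     value below — secrets included — is still written in plaintext to the
#     Terraform state, so the state backend must be encrypted and access to it
#     restricted as tightly as the secrets themselves.
#   * The validation blocks below enforce the constraints the descriptions
#     already promise (and the hard AWS limits) at plan time, so a malformed or
#     weak value fails fast instead of half-way through an apply.
#   * Checks that span two variables (subnet count vs. AZ count, certificate
#     region vs. ALB region, vault_token vs. vault_addr) are described in the
#     comments but not enforced here; enforce them with preconditions on the
#     resources that consume the values.
################################################################################

variable "region" {
  description = "AWS region for all resources."
  type        = string
  default     = "us-east-1"

  validation {
    condition     = can(regex("^[a-z]{2}(-[a-z]+)+-[0-9]+$", var.region))
    error_message = "The region must be an AWS region identifier such as us-east-1."
  }
}

variable "environment" {
  description = "Deployment environment (e.g. production, staging)."
  type        = string
  default     = "production"
}

variable "project" {
  # Feeds every resource name and tag, so keep it to characters that are legal
  # in all of them (lowercase alphanumerics and hyphens). Several AWS names
  # have short length limits (e.g. ALB names), so keep this short as well.
  description = "Project identifier — used in all resource names and tags."
  type        = string
  default     = "sentryagent-agentidp"

  validation {
    condition     = can(regex("^[a-z0-9]([a-z0-9-]*[a-z0-9])?$", var.project))
    error_message = "The project identifier must contain only lowercase letters, digits and hyphens, and must not start or end with a hyphen."
  }
}

variable "app_image_tag" {
  # Supply-chain note: a tag is mutable — whoever can push to the registry can
  # change what "1.2.3" resolves to. Where the task definition supports it,
  # pin by digest (sha256:...) rather than by tag. "latest" is rejected outright
  # because it makes the deployed artifact unreproducible.
  description = "Docker image tag to deploy (e.g. '1.2.3' or a full SHA)."
  type        = string

  validation {
    condition     = length(trimspace(var.app_image_tag)) > 0 && var.app_image_tag != "latest"
    error_message = "app_image_tag must be an explicit, immutable tag or digest; empty values and 'latest' are not allowed."
  }
}

variable "domain_name" {
  # Bare hostname only — no scheme, port or path. It is used to build the ALB
  # listener / certificate binding, so a URL here fails in a confusing way.
  description = "Primary domain name for the AgentIdP service (e.g. idp.sentryagent.ai)."
  type        = string

  validation {
    condition     = can(regex("^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\\.)+[a-z]{2,63}$", lower(var.domain_name)))
    error_message = "domain_name must be a fully-qualified hostname (e.g. idp.example.com) without scheme, port or path."
  }
}

variable "certificate_arn" {
  # ACM certificates are regional; the ARN's region segment must equal
  # var.region or the ALB listener cannot attach it. That cross-variable check
  # belongs on the listener resource, not here.
  description = "ARN of the ACM certificate for the domain_name. Must be in the same region as the ALB."
  type        = string

  validation {
    condition     = can(regex("^arn:aws[a-z-]*:acm:[a-z0-9-]+:[0-9]{12}:certificate/", var.certificate_arn))
    error_message = "certificate_arn must be an ACM certificate ARN (arn:aws:acm:<region>:<account-id>:certificate/<id>)."
  }
}

################################################################################
# Networking
################################################################################

variable "vpc_cidr" {
  # AWS accepts VPC IPv4 blocks between /16 and /28.
  description = "CIDR block for the VPC."
  type        = string
  default     = "10.0.0.0/16"

  validation {
    condition = (
      can(cidrnetmask(var.vpc_cidr))
      && tonumber(split("/", var.vpc_cidr)[1]) >= 16
      && tonumber(split("/", var.vpc_cidr)[1]) <= 28
    )
    error_message = "vpc_cidr must be an IPv4 CIDR block with a prefix length between /16 and /28."
  }
}

variable "availability_zones" {
  # The subnet CIDR lists below must have the same length as this list; that
  # pairing is checked where the subnets are created.
  description = "List of Availability Zones to use. Must contain at least 2 for Multi-AZ resources."
  type        = list(string)
  default     = ["us-east-1a", "us-east-1b", "us-east-1c"]

  validation {
    condition     = length(var.availability_zones) >= 2 && length(distinct(var.availability_zones)) == length(var.availability_zones)
    error_message = "availability_zones must list at least two distinct Availability Zones."
  }
}

variable "public_subnet_cidrs" {
  description = "CIDR blocks for public subnets (ALB). One per AZ."
  type        = list(string)
  default     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]

  validation {
    condition     = length(var.public_subnet_cidrs) >= 1 && alltrue([for c in var.public_subnet_cidrs : can(cidrnetmask(c))])
    error_message = "public_subnet_cidrs must be a non-empty list of IPv4 CIDR blocks."
  }
}

variable "private_subnet_cidrs" {
  # ECS tasks, RDS and Redis all live here and must never be reachable from the
  # public subnets except through the ALB / security-group rules.
  description = "CIDR blocks for private subnets (ECS, RDS, Redis). One per AZ."
  type        = list(string)
  default     = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]

  validation {
    condition     = length(var.private_subnet_cidrs) >= 1 && alltrue([for c in var.private_subnet_cidrs : can(cidrnetmask(c))])
    error_message = "private_subnet_cidrs must be a non-empty list of IPv4 CIDR blocks."
  }
}

################################################################################
# Secrets — all marked sensitive; provide via tfvars or environment variables.
# Reminder: `sensitive` hides the value from CLI output only; it is still
# stored in plaintext in the state file. Prefer generating these with
# random_password / aws_secretsmanager_secret rotation over hand-supplied
# tfvars where the consuming resources allow it.
################################################################################

variable "db_password" {
  # RDS hard limits for PostgreSQL master passwords: 8–128 printable ASCII
  # characters, excluding '/', '"' and '@'. Anything shorter is rejected here
  # rather than by the RDS API mid-apply.
  description = "Master password for the RDS PostgreSQL instance. Stored in AWS Secrets Manager."
  type        = string
  sensitive   = true

  validation {
    condition = (
      length(var.db_password) >= 8
      && length(var.db_password) <= 128
      && !can(regex("[/@\"]", var.db_password))
    )
    error_message = "db_password must be 8–128 characters and must not contain '/', '\"' or '@'."
  }
}

variable "redis_auth_token" {
  # ElastiCache AUTH token limits: 16–128 printable ASCII characters, excluding
  # '/', '"' and '@'.
  description = "AUTH token for ElastiCache Redis (minimum 16 characters). Stored in AWS Secrets Manager."
  type        = string
  sensitive   = true

  validation {
    condition = (
      length(var.redis_auth_token) >= 16
      && length(var.redis_auth_token) <= 128
      && !can(regex("[/@\"]", var.redis_auth_token))
    )
    error_message = "redis_auth_token must be 16–128 characters and must not contain '/', '\"' or '@'."
  }
}

variable "jwt_private_key" {
  # This is the IdP's signing key: anyone holding it can mint tokens for any
  # user. Accept only an unencrypted PEM private key (PKCS#1 "RSA PRIVATE KEY"
  # or PKCS#8 "PRIVATE KEY"); an encrypted PEM or a public key is rejected.
  # Plan for rotation: the matching jwt_public_key must be rotated in step.
  description = "PEM-encoded RSA-2048 private key for signing JWTs. Stored in AWS Secrets Manager."
  type        = string
  sensitive   = true

  validation {
    condition     = can(regex("^-----BEGIN (RSA )?PRIVATE KEY-----", trimspace(var.jwt_private_key)))
    error_message = "jwt_private_key must be an unencrypted PEM private key beginning with '-----BEGIN RSA PRIVATE KEY-----' or '-----BEGIN PRIVATE KEY-----'."
  }
}

variable "jwt_public_key" {
  # Not actually secret (it is what verifiers are given), but kept sensitive
  # for symmetry with the private key; be aware this hides it from plan diffs,
  # which makes reviewing a key rotation slightly harder.
  description = "PEM-encoded RSA-2048 public key for verifying JWTs. Stored in AWS Secrets Manager."
  type        = string
  sensitive   = true

  validation {
    condition     = can(regex("^-----BEGIN (RSA )?PUBLIC KEY-----", trimspace(var.jwt_public_key)))
    error_message = "jwt_public_key must be a PEM public key beginning with '-----BEGIN RSA PUBLIC KEY-----' or '-----BEGIN PUBLIC KEY-----'."
  }
}

variable "vault_token" {
  # Only meaningful together with vault_addr; a token without an address is
  # silently unused. Prefer a short-lived token (or AWS auth method) over a
  # long-lived one in tfvars — it lands in the state file either way.
  description = "HashiCorp Vault token. Leave empty to disable Vault integration."
  type        = string
  sensitive   = true
  default     = ""
}

################################################################################
# Optional configuration
################################################################################

variable "vault_addr" {
  # The Vault token is sent on every request, so the address must be https.
  # Plain http is tolerated only for a loopback dev server.
  description = "HashiCorp Vault server address. Leave empty to disable Vault integration."
  type        = string
  default     = ""

  validation {
    condition     = var.vault_addr == "" || can(regex("^https://", var.vault_addr)) || can(regex("^http://(127\\.0\\.0\\.1|localhost)(:[0-9]+)?(/|$)", var.vault_addr))
    error_message = "vault_addr must be empty or an https:// URL (plain http:// is only accepted for 127.0.0.1/localhost)."
  }
}

variable "vault_mount" {
  description = "HashiCorp Vault KV v2 mount path."
  type        = string
  default     = "secret"

  validation {
    condition     = length(trimspace(var.vault_mount)) > 0
    error_message = "vault_mount must not be empty."
  }
}

variable "cors_origin" {
  # SECURITY: the default "*" lets any website read unauthenticated responses
  # from this identity provider. Browsers refuse "*" for credentialed
  # (cookie / Authorization-bearing) requests, so for a real deployment set
  # this to the explicit origin of the front-end, e.g. "https://app.example.com".
  # How a multi-origin value is interpreted depends on the application, so only
  # emptiness is rejected here.
  description = "CORS_ORIGIN value for the app (use * for public APIs or a specific origin)."
  type        = string
  default     = "*"

  validation {
    condition     = length(trimspace(var.cors_origin)) > 0
    error_message = "cors_origin must not be empty; use '*' for a fully public API or an explicit origin such as https://app.example.com."
  }
}

variable "ecs_desired_count" {
  # 0 is permitted (scale-to-zero / maintenance); anything below that or a
  # fractional value is a configuration error.
  description = "Number of ECS Fargate tasks to run."
  type        = number
  default     = 2

  validation {
    condition     = var.ecs_desired_count >= 0 && floor(var.ecs_desired_count) == var.ecs_desired_count
    error_message = "ecs_desired_count must be a non-negative whole number."
  }
}

variable "rds_instance_class" {
  description = "RDS instance class."
  type        = string
  default     = "db.t3.medium"

  validation {
    condition     = can(regex("^db\\.", var.rds_instance_class))
    error_message = "rds_instance_class must be an RDS instance class (it starts with 'db.')."
  }
}

variable "redis_node_type" {
  description = "ElastiCache node type."
  type        = string
  default     = "cache.t3.medium"

  validation {
    condition     = can(regex("^cache\\.", var.redis_node_type))
    error_message = "redis_node_type must be an ElastiCache node type (it starts with 'cache.')."
  }
}

variable "alb_access_logs_bucket" {
  # The ALB access log is the primary forensic record of who reached the IdP;
  # leaving it disabled in production means no request-level audit trail
  # outside the application's own logs.
  description = "S3 bucket for ALB access logs. Leave empty to disable."
  type        = string
  default     = ""

  validation {
    condition     = var.alb_access_logs_bucket == "" || can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", var.alb_access_logs_bucket))
    error_message = "alb_access_logs_bucket must be empty or a valid S3 bucket name (3–63 lowercase characters, digits, dots or hyphens)."
  }
}

variable "rds_backup_retention_days" {
  # AWS allows 0–35. Note that 0 disables automated backups entirely, which
  # also disables point-in-time recovery.
  description = "Number of days to retain RDS automated backups."
  type        = number
  default     = 7

  validation {
    condition     = var.rds_backup_retention_days >= 0 && var.rds_backup_retention_days <= 35 && floor(var.rds_backup_retention_days) == var.rds_backup_retention_days
    error_message = "rds_backup_retention_days must be a whole number between 0 and 35."
  }
}

variable "rds_deletion_protection" {
  # Guards the user database behind the IdP against an accidental or malicious
  # `terraform destroy`; keep enabled outside throw-away environments.
  description = "Enable RDS deletion protection."
  type        = bool
  default     = true
}

variable "rds_skip_final_snapshot" {
  # When true, destroying the instance leaves no recoverable copy of the data.
  description = "Skip final RDS snapshot on destroy. Keep false in production."
  type        = bool
  default     = false
}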