# Spec: Multi-Region Deployment (Terraform)

**Status**: Pending CEO approval
**Workstream**: 8 of 8

## Scope

- `terraform/` directory at project root
- Shared `agentidp` module (compute, networking, secrets)
- `environments/aws/` — ECS Fargate + RDS PostgreSQL + ElastiCache Redis
- `environments/gcp/` — Cloud Run + Cloud SQL + Memorystore Redis
- Deployment guide: `docs/devops/deployment.md`

## Module structure

```
terraform/
  modules/
    agentidp/
      main.tf          — compute (ECS task or Cloud Run service)
      networking.tf    — VPC, subnets, security groups
      variables.tf     — all configurable inputs
      outputs.tf       — service URL, DB endpoint, Redis endpoint
    rds/               — managed PostgreSQL
    redis/             — managed Redis
    lb/                — ALB (AWS) or Cloud LB (GCP), TLS cert
  environments/
    aws/
      main.tf          — calls modules, sets AWS-specific vars
      variables.tf
      terraform.tfvars.example
    gcp/
      main.tf
      variables.tf
      terraform.tfvars.example
```

## Acceptance Criteria

- [ ] `terraform validate` passes for both aws and gcp environments
- [ ] `terraform plan` produces no errors against a live AWS/GCP account (test in dev env)
- [ ] JWT_PRIVATE_KEY and JWT_PUBLIC_KEY injected as environment secrets (not hardcoded)
- [ ] TLS termination at load balancer — HTTPS only in production modules
- [ ] PostgreSQL and Redis not publicly accessible — VPC-internal only
- [ ] `docs/devops/deployment.md` — end-to-end deployment walkthrough for AWS and GCP
- [ ] `terraform.tfvars.example` provided for both environments — no secrets in version control
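The following HCL is an added example showing how the three security-relevant acceptance criteria (secrets injected rather than hardcoded, HTTPS-only at the load balancer, database reachable only inside the VPC) look on the AWS side. It is not the project's own module code; resource names such as `aws_ecs_task_definition.agentidp`, `aws_security_group.service`, `aws_db_subnet_group.private`, `aws_lb.agentidp`, `aws_acm_certificate.agentidp` and the `var.image` / `var.jwt_*_secret_arn` inputs are assumptions, and the referenced VPC, subnet group, IAM execution role, ALB and target group are assumed to be declared elsewhere in the module.

```hcl
# Added example, not the agentidp module's own code. Names and referenced
# resources are assumptions; only the patterns matter.

# --- Secrets: key material stays in Secrets Manager, Terraform holds only ARNs ---
variable "jwt_private_key_secret_arn" {
  description = "ARN of the Secrets Manager secret holding the JWT private key (PEM)"
  type        = string
}

variable "jwt_public_key_secret_arn" {
  description = "ARN of the Secrets Manager secret holding the JWT public key (PEM)"
  type        = string
}

resource "aws_ecs_task_definition" "agentidp" {
  family                   = "agentidp"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 512
  memory                   = 1024
  # The execution role needs secretsmanager:GetSecretValue on the two ARNs above.
  execution_role_arn = aws_iam_role.task_execution.arn

  container_definitions = jsonencode([{
    name         = "agentidp"
    image        = var.image
    portMappings = [{ containerPort = 8080, protocol = "tcp" }]
    # `secrets` is resolved by the ECS agent at launch. An `environment` entry
    # would bake the PEM into the task definition (visible in console, API and
    # state), which is what the "not hardcoded" criterion forbids.
    secrets = [
      { name = "JWT_PRIVATE_KEY", valueFrom = var.jwt_private_key_secret_arn },
      { name = "JWT_PUBLIC_KEY", valueFrom = var.jwt_public_key_secret_arn },
    ]
  }])
}

# --- Network isolation: PostgreSQL accepts connections only from the service SG ---
resource "aws_security_group" "db" {
  name   = "agentidp-db"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port = 5432
    to_port   = 5432
    protocol  = "tcp"
    # SG-to-SG rule; no CIDR block at all, so 0.0.0.0/0 cannot creep in.
    security_groups = [aws_security_group.service.id]
  }
}

resource "aws_db_instance" "postgres" {
  identifier             = "agentidp"
  engine                 = "postgres"
  instance_class         = "db.t4g.medium"
  allocated_storage      = 20
  db_subnet_group_name   = aws_db_subnet_group.private.name # private subnets only
  vpc_security_group_ids = [aws_security_group.db.id]
  publicly_accessible    = false
  storage_encrypted      = true
  username               = "agentidp"
  # RDS generates the master password and stores it in Secrets Manager,
  # so no DB password ever appears in tfvars or state.
  manage_master_user_password = true
  skip_final_snapshot         = false
}

# --- TLS termination at the ALB: one HTTPS listener, HTTP only redirects ---
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.agentidp.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.agentidp.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.agentidp.arn
  }
}

resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.agentidp.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

The same division of responsibilities carries over to GCP: the Cloud Run service reads the JWT keys from Secret Manager via `secrets` bindings rather than plain `env` values, Cloud SQL is attached through a private IP with no public address, and the HTTPS load balancer owns the certificate. In review, the quickest checks against a `terraform plan` are that no `0.0.0.0/0` ingress appears on the database or Redis security groups, that `publicly_accessible` is false, and that the JWT values show up only as `valueFrom` ARNs and never as literal `value` entries.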