vijay_admin/sentryagent-idp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
sentryagent-idp/terraform/environments/aws/terraform.tfvars.example
SentryAgent.ai Developer 6913d62648 feat(phase-2): workstream 8 — Multi-Region Terraform Deployment 
AWS environment:
- VPC (3-AZ, public + private subnets, NAT gateways, VPC endpoints for ECR/SM/CW)
- ECS Fargate service (sentryagent/agentidp) — secrets from Secrets Manager
- RDS PostgreSQL 14 (Multi-AZ, encrypted, VPC-internal, storage autoscaling)
- ElastiCache Redis 7 (primary + replica, at-rest + in-transit encryption)
- ALB with HTTPS/443, HTTP→HTTPS redirect, ACM certificate
- Route 53 alias record

GCP environment:
- VPC + private services access + Serverless VPC connector
- Cloud Run service — secrets from Secret Manager
- Cloud SQL PostgreSQL 14 (private IP, no public endpoint)
- Cloud Memorystore Redis 7 (VPC-internal, AUTH enabled)

Shared:
- 4 reusable modules: agentidp (dual AWS/GCP), rds, redis, lb
- No hardcoded secrets; all sensitive vars marked sensitive=true
- terraform.tfvars.example for both environments
- docs/devops/deployment.md — AWS + GCP step-by-step walkthrough, rollback procedures

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-29 06:25:14 +00:00

77 lines
4.4 KiB
Plaintext
Raw Permalink Blame History

# ─────────────────────────────────────────────────────────────────────────────
# terraform/environments/aws/terraform.tfvars.example
#
# Copy this file to terraform.tfvars and fill in real values.
# NEVER commit terraform.tfvars to version control — it contains secrets.
#
# All sensitive variables (db_password, jwt_*, vault_token) must be provided
# via this file or as TF_VAR_* environment variables in your CI/CD pipeline.
# ─────────────────────────────────────────────────────────────────────────────
# ── Region & environment ──────────────────────────────────────────────────────
region = "us-east-1"
environment = "production"
project = "sentryagent-agentidp"
# ── Application image ─────────────────────────────────────────────────────────
# Docker image tag to deploy. Update this to roll out a new version.
app_image_tag = "1.0.0"
# ── DNS & TLS ─────────────────────────────────────────────────────────────────
# The ACM certificate must already exist in the same region as the ALB.
# Create it with: aws acm request-certificate --domain-name idp.example.com --validation-method DNS
domain_name = "idp.example.com"
certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# ── Networking ────────────────────────────────────────────────────────────────
vpc_cidr = "10.0.0.0/16"
availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
public_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
private_subnet_cidrs = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]
# ── Secrets — REPLACE ALL VALUES BELOW ───────────────────────────────────────
# Use strong, randomly generated values. Do NOT use these placeholders in production.
# Master password for RDS PostgreSQL (min 8 chars, no special chars that break URLs)
db_password = "REPLACE_WITH_STRONG_RANDOM_PASSWORD"
# AUTH token for ElastiCache Redis (min 16 chars)
redis_auth_token = "REPLACE_WITH_STRONG_RANDOM_TOKEN_AT_LEAST_16_CHARS"
# RSA-2048 key pair for JWT signing/verification.
# Generate with:
# openssl genrsa -out private.pem 2048
# openssl rsa -in private.pem -pubout -out public.pem
jwt_private_key = "-----BEGIN RSA PRIVATE KEY-----\nREPLACE_WITH_ACTUAL_PRIVATE_KEY_CONTENTS\n-----END RSA PRIVATE KEY-----"
jwt_public_key = "-----BEGIN PUBLIC KEY-----\nREPLACE_WITH_ACTUAL_PUBLIC_KEY_CONTENTS\n-----END PUBLIC KEY-----"
# HashiCorp Vault (optional — leave empty strings to disable Vault integration)
vault_addr = ""
vault_token = ""
vault_mount = "secret"
# ── Application configuration ─────────────────────────────────────────────────
cors_origin = "*"
ecs_desired_count = 2
# ── Infrastructure sizing ─────────────────────────────────────────────────────
rds_instance_class = "db.t3.medium"
redis_node_type = "cache.t3.medium"
# ── ALB access logs (optional) ────────────────────────────────────────────────
# Create the S3 bucket and enable ALB log delivery permissions before setting this.
alb_access_logs_bucket = ""
# ── RDS settings ──────────────────────────────────────────────────────────────
rds_backup_retention_days = 7
rds_deletion_protection = true
rds_skip_final_snapshot = false
Reference in New Issue View Git Blame Copy Permalink