7593bfe1c1
8 workstreams scoped per OpenSpec standards: 1. HashiCorp Vault integration (secret management) 2. Python SDK (sentryagent-idp) 3. Go SDK (idp-sdk-go) 4. Java SDK (ai.sentryagent:idp-sdk) 5. OPA policy engine (dynamic ABAC, hot-reload Rego) 6. Web Dashboard UI (React 18 + TypeScript) 7. Prometheus + Grafana monitoring (7 metrics, pre-built dashboard) 8. Multi-region Terraform deployment (AWS + GCP) Status: proposed — awaiting CEO dependency approvals (A0.1–A0.5) before any implementation begins. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1.6 KiB
1.6 KiB
Spec: Multi-Region Deployment (Terraform)
Status: Pending CEO approval Workstream: 8 of 8
Scope
terraform/directory at project root- Shared
agentidpmodule (compute, networking, secrets) environments/aws/— ECS Fargate + RDS PostgreSQL + ElastiCache Redisenvironments/gcp/— Cloud Run + Cloud SQL + Memorystore Redis- Deployment guide:
docs/devops/deployment.md
Module structure
terraform/
modules/
agentidp/
main.tf — compute (ECS task or Cloud Run service)
networking.tf — VPC, subnets, security groups
variables.tf — all configurable inputs
outputs.tf — service URL, DB endpoint, Redis endpoint
rds/ — managed PostgreSQL
redis/ — managed Redis
lb/ — ALB (AWS) or Cloud LB (GCP), TLS cert
environments/
aws/
main.tf — calls modules, sets AWS-specific vars
variables.tf
terraform.tfvars.example
gcp/
main.tf
variables.tf
terraform.tfvars.example
Acceptance Criteria
terraform validatepasses for both aws and gcp environmentsterraform planproduces no errors against a live AWS/GCP account (test in dev env)- JWT_PRIVATE_KEY and JWT_PUBLIC_KEY injected as environment secrets (not hardcoded)
- TLS termination at load balancer — HTTPS only in production modules
- PostgreSQL and Redis not publicly accessible — VPC-internal only
docs/devops/deployment.md— end-to-end deployment walkthrough for AWS and GCPterraform.tfvars.exampleprovided for both environments — no secrets in version control