AWS environment: - VPC (3-AZ, public + private subnets, NAT gateways, VPC endpoints for ECR/SM/CW) - ECS Fargate service (sentryagent/agentidp) — secrets from Secrets Manager - RDS PostgreSQL 14 (Multi-AZ, encrypted, VPC-internal, storage autoscaling) - ElastiCache Redis 7 (primary + replica, at-rest + in-transit encryption) - ALB with HTTPS/443, HTTP→HTTPS redirect, ACM certificate - Route 53 alias record GCP environment: - VPC + private services access + Serverless VPC connector - Cloud Run service — secrets from Secret Manager - Cloud SQL PostgreSQL 14 (private IP, no public endpoint) - Cloud Memorystore Redis 7 (VPC-internal, AUTH enabled) Shared: - 4 reusable modules: agentidp (dual AWS/GCP), rds, redis, lb - No hardcoded secrets; all sensitive vars marked sensitive=true - terraform.tfvars.example for both environments - docs/devops/deployment.md — AWS + GCP step-by-step walkthrough, rollback procedures Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
# ─────────────────────────────────────────────────────────────────────────────
|
|
# terraform/environments/gcp/terraform.tfvars.example
|
|
#
|
|
# Copy this file to terraform.tfvars and fill in real values.
|
|
# NEVER commit terraform.tfvars to version control — it contains secrets.
|
|
#
|
|
# All sensitive variables (db_password, jwt_*, vault_token) must be provided
|
|
# via this file or as TF_VAR_* environment variables in your CI/CD pipeline.
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
# ── GCP project & region ──────────────────────────────────────────────────────
|
|
|
|
project_id = "your-gcp-project-id"
|
|
region = "us-central1"
|
|
environment = "production"
|
|
project = "sentryagent-agentidp"
|
|
|
|
# ── Application image ─────────────────────────────────────────────────────────
|
|
|
|
app_image_tag = "1.0.0"
|
|
|
|
# ── Networking ────────────────────────────────────────────────────────────────
|
|
|
|
vpc_cidr = "10.1.0.0/24"
|
|
vpc_connector_cidr = "10.8.0.0/28"
|
|
|
|
# ── Database ──────────────────────────────────────────────────────────────────
|
|
|
|
db_tier = "db-g1-small"
|
|
db_name = "sentryagent_idp"
|
|
db_username = "sentryagent"
|
|
db_availability_type = "REGIONAL"
|
|
|
|
# ── Secrets — REPLACE ALL VALUES BELOW ───────────────────────────────────────
|
|
|
|
# Password for Cloud SQL PostgreSQL user
|
|
db_password = "REPLACE_WITH_STRONG_RANDOM_PASSWORD"
|
|
|
|
# RSA-2048 key pair for JWT signing/verification.
|
|
# Generate with:
|
|
# openssl genrsa -out private.pem 2048
|
|
# openssl rsa -in private.pem -pubout -out public.pem
|
|
jwt_private_key = "-----BEGIN RSA PRIVATE KEY-----\nREPLACE_WITH_ACTUAL_PRIVATE_KEY_CONTENTS\n-----END RSA PRIVATE KEY-----"
|
|
jwt_public_key = "-----BEGIN PUBLIC KEY-----\nREPLACE_WITH_ACTUAL_PUBLIC_KEY_CONTENTS\n-----END PUBLIC KEY-----"
|
|
|
|
# HashiCorp Vault (optional — leave empty strings to disable Vault integration)
|
|
vault_addr = ""
|
|
vault_token = ""
|
|
vault_mount = "secret"
|
|
|
|
# ── Application configuration ─────────────────────────────────────────────────
|
|
|
|
cors_origin = "*"
|
|
|
|
# ── Cloud Run scaling ─────────────────────────────────────────────────────────
|
|
|
|
cloud_run_min_instances = 1
|
|
cloud_run_max_instances = 10
|
|
cloud_run_cpu = "1"
|
|
cloud_run_memory = "512Mi"
|
|
|
|
# ── Memorystore Redis ─────────────────────────────────────────────────────────
|
|
|
|
memorystore_memory_size_gb = 1
|
|
memorystore_redis_version = "REDIS_7_0"
|
|
memorystore_tier = "STANDARD_HA"
|
|
|
|
# ── Protection ────────────────────────────────────────────────────────────────
|
|
|
|
deletion_protection = true
|
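Review bot: `cors_origin = "*"` is the example value for an environment whose `environment` key is set to `"production"`, and on an identity provider a wildcard origin lets any web origin read responses from the token and user endpoints (the exact exposure depends on how the service emits the header, which is not visible here); the example should instead carry a placeholder plus a comment, e.g. `# Exact origin of the frontend — never "*" in production` followed by `cors_origin = "https://REPLACE_WITH_FRONTEND_ORIGIN"`. The placeholder on the `jwt_private_key` line uses the PKCS#1 `BEGIN RSA PRIVATE KEY` framing, but `openssl genrsa` on OpenSSL 3.x emits PKCS#8 (`BEGIN PRIVATE KEY`) by default, so the generation command in the comment above it may not produce the format the placeholder implies; a comment stating which PEM format the application accepts, or adding `-traditional` to the `genrsa` line if PKCS#1 is required, would prevent a confusing startup failure. The header comment also points operators at `TF_VAR_*` for secrets while the PEM values are shown inline with `\n` escapes, so a short note that `TF_VAR_jwt_private_key` must contain real newlines (or that the variable is parsed with escapes) would make the two instructions consistent.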