Add Terraform AWS infrastructure and enhanced CI/CD pipeline (FRE-4574)

- Terraform modules: VPC, ECS Fargate, RDS PostgreSQL, ElastiCache Redis, S3, Secrets Manager, CloudWatch
- Multi-environment support: staging and production configs
- ECS auto-scaling: CPU-based scaling with configurable min/max
- CI/CD: pnpm caching, Docker Buildx, Trivy security scanning, Terraform plan on PR
- Deploy: ECS service updates with automatic rollback on health check failure
- Backup: automated RDS snapshots, S3 versioning, ElastiCache snapshots
- Monitoring: CloudWatch dashboards, CPU/memory/5xx alarms
- Rollback script for manual service rollback
- Infrastructure documentation with architecture overview

infra/environments/production/main.tf

@@ -0,0 +1,57 @@
+terraform {
+  backend "s3" {
+    bucket         = "shieldai-production-terraform-state"
+    key            = "production/terraform.tfstate"
+    region         = "us-east-1"
+    encrypt        = true
+    dynamodb_table = "shieldai-terraform-locks"
+  }
+}
+
+module "shieldai" {
+  source = "../.."
+
+  environment     = "production"
+  aws_region      = "us-east-1"
+  project_name    = "shieldai"
+  vpc_cidr        = "10.1.0.0/16"
+  az_count        = 3
+
+  db_instance_class     = "db.r6g.large"
+  db_multi_az           = true
+  db_backup_retention   = 14
+
+  elasticache_node_type = "cache.r6g.large"
+  elasticache_num_nodes = 3
+
+  secrets = {
+    HIBP_API_KEY = var.hibp_api_key
+    RESEND_API_KEY = var.resend_api_key
+    SENTRY_DSN   = var.sentry_dsn
+    DATADOG_API_KEY = var.datadog_api_key
+  }
+}
+
+variable "hibp_api_key" {
+  description = "Have I Been Pwned API key"
+  type        = string
+  sensitive   = true
+}
+
+variable "resend_api_key" {
+  description = "Resend API key"
+  type        = string
+  sensitive   = true
+}
+
+variable "sentry_dsn" {
+  description = "Sentry DSN"
+  type        = string
+  sensitive   = true
+}
+
+variable "datadog_api_key" {
+  description = "Datadog API key"
+  type        = string
+  sensitive   = true
+}

infra/environments/production/terraform.tfvars.example

@@ -0,0 +1,4 @@
+hibp_api_key     = "YOUR_HIBP_API_KEY"
+resend_api_key   = "YOUR_RESEND_API_KEY"
+sentry_dsn       = "YOUR_SENTRY_DSN"
+datadog_api_key  = "YOUR_DATADOG_API_KEY"

infra/environments/staging/main.tf

@@ -0,0 +1,57 @@
+terraform {
+  backend "s3" {
+    bucket         = "shieldai-staging-terraform-state"
+    key            = "staging/terraform.tfstate"
+    region         = "us-east-1"
+    encrypt        = true
+    dynamodb_table = "shieldai-terraform-locks"
+  }
+}
+
+module "shieldai" {
+  source = "../.."
+
+  environment     = "staging"
+  aws_region      = "us-east-1"
+  project_name    = "shieldai"
+  vpc_cidr        = "10.0.0.0/16"
+  az_count        = 2
+
+  db_instance_class     = "db.t3.medium"
+  db_multi_az           = false
+  db_backup_retention   = 3
+
+  elasticache_node_type = "cache.t3.small"
+  elasticache_num_nodes = 1
+
+  secrets = {
+    HIBP_API_KEY = var.hibp_api_key
+    RESEND_API_KEY = var.resend_api_key
+    SENTRY_DSN   = var.sentry_dsn
+    DATADOG_API_KEY = var.datadog_api_key
+  }
+}
+
+variable "hibp_api_key" {
+  description = "Have I Been Pwned API key"
+  type        = string
+  sensitive   = true
+}
+
+variable "resend_api_key" {
+  description = "Resend API key"
+  type        = string
+  sensitive   = true
+}
+
+variable "sentry_dsn" {
+  description = "Sentry DSN"
+  type        = string
+  sensitive   = true
+}
+
+variable "datadog_api_key" {
+  description = "Datadog API key"
+  type        = string
+  sensitive   = true
+}

infra/environments/staging/terraform.tfvars.example

@@ -0,0 +1,4 @@
+hibp_api_key     = "YOUR_HIBP_API_KEY"
+resend_api_key   = "YOUR_RESEND_API_KEY"
+sentry_dsn       = "YOUR_SENTRY_DSN"
+datadog_api_key  = "YOUR_DATADOG_API_KEY"