Add Terraform AWS infrastructure and enhanced CI/CD pipeline (FRE-4574)

- Terraform modules: VPC, ECS Fargate, RDS PostgreSQL, ElastiCache Redis, S3, Secrets Manager, CloudWatch
- Multi-environment support: staging and production configs
- ECS auto-scaling: CPU-based scaling with configurable min/max
- CI/CD: pnpm caching, Docker Buildx, Trivy security scanning, Terraform plan on PR
- Deploy: ECS service updates with automatic rollback on health check failure
- Backup: automated RDS snapshots, S3 versioning, ElastiCache snapshots
- Monitoring: CloudWatch dashboards, CPU/memory/5xx alarms
- Rollback script for manual service rollback
- Infrastructure documentation with architecture overview

infra/main.tf

@@ -0,0 +1,107 @@
+terraform {
+  required_version = ">= 1.5.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.30"
+    }
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.0"
+    }
+  }
+
+  backend "s3" {
+    bucket         = "shieldai-terraform-state"
+    key            = "global/terraform.tfstate"
+    region         = "us-east-1"
+    encrypt        = true
+    dynamodb_table = "shieldai-terraform-locks"
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+
+  default_tags {
+    tags = {
+      Project    = "ShieldAI"
+      ManagedBy  = "terraform"
+      Environment = var.environment
+    }
+  }
+}
+
+module "vpc" {
+  source = "./modules/vpc"
+
+  environment  = var.environment
+  vpc_cidr     = var.vpc_cidr
+  az_count     = var.az_count
+  project_name = var.project_name
+}
+
+module "ecs" {
+  source = "./modules/ecs"
+
+  environment        = var.environment
+  cluster_name       = "${var.project_name}-${var.environment}"
+  vpc_id             = module.vpc.vpc_id
+  subnet_ids         = module.vpc.private_subnet_ids
+  security_group_ids = [module.vpc.ecs_security_group_id]
+  services           = var.services
+  container_images   = var.container_images
+  secrets_arn        = module.secrets.secrets_manager_arn
+}
+
+module "rds" {
+  source = "./modules/rds"
+
+  environment      = var.environment
+  vpc_id           = module.vpc.vpc_id
+  subnet_ids       = module.vpc.private_subnet_ids
+  security_group_id = module.vpc.rds_security_group_id
+  db_name          = var.db_name
+  db_instance_class = var.db_instance_class
+  multi_az         = var.db_multi_az
+  backup_retention  = var.db_backup_retention
+  project_name     = var.project_name
+}
+
+module "elasticache" {
+  source = "./modules/elasticache"
+
+  environment       = var.environment
+  vpc_id            = module.vpc.vpc_id
+  subnet_ids        = module.vpc.private_subnet_ids
+  security_group_id = module.vpc.elasticache_security_group_id
+  node_type         = var.elasticache_node_type
+  num_nodes         = var.elasticache_num_nodes
+  project_name      = var.project_name
+}
+
+module "s3" {
+  source = "./modules/s3"
+
+  environment  = var.environment
+  project_name = var.project_name
+}
+
+module "secrets" {
+  source = "./modules/secrets"
+
+  environment  = var.environment
+  project_name = var.project_name
+  secrets      = var.secrets
+}
+
+module "cloudwatch" {
+  source = "./modules/cloudwatch"
+
+  environment    = var.environment
+  cluster_name   = "${var.project_name}-${var.environment}"
+  project_name   = var.project_name
+  rds_identifier = module.rds.db_instance_identifier
+  cache_endpoint = module.elasticache.cache_endpoint
+}