hearth/terraform/main.tf
Eric Garcia e78000831e Initial commit: Port infrastructure from coherence-mcp
Hearth is the infrastructure home for the letemcook ecosystem.

Ported from coherence-mcp/infra:
- Terraform modules (VPC, EKS, IAM, NLB, S3, storage)
- Kubernetes manifests (Forgejo, ingress, cert-manager, karpenter)
- Deployment scripts (phased rollout)

Status: Not deployed. EKS cluster needs to be provisioned.

Next steps:
1. Bootstrap terraform backend
2. Deploy phase 1 (foundation)
3. Deploy phase 2 (core services including Forgejo)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 06:06:13 -05:00


# Foundation Infrastructure - Main Configuration
# RFC 0039: ADR-Compliant Foundation Infrastructure
#
# Architecture:
# - VPC with 3 AZs for high availability
# - EKS cluster with Karpenter for auto-scaling compute
# - CockroachDB 3-node cluster with FIPS 140-2
# - Shared NLB for all services
# - EBS gp3 and EFS storage
# - S3 for blob storage and backups
locals {
  # Every top-level resource is named "<project>-<environment>".
  name = "${var.project_name}-${var.environment}"

  # Caller-supplied tags come first; the fixed keys below take precedence on
  # a key clash because merge() keeps the value from the later map.
  common_tags = merge(
    var.tags,
    {
      Project     = var.project_name
      Environment = var.environment
      ManagedBy   = "terraform"
      RFC         = "0039"
      ADR         = "0003,0004,0005"
    },
  )

  # First three usable AZs of the region. slice() fails at plan time if the
  # region exposes fewer than three, which is the intended behaviour for a
  # 3-AZ layout rather than silently degrading to fewer zones.
  azs = slice(data.aws_availability_zones.available.names, 0, 3)
}
# AZs usable by this account without an opt-in. The filter keeps opt-in
# zone types (Local Zones, Wavelength) out of the list so they are never
# handed to the subnet layout.
data "aws_availability_zones" "available" {
  filter {
    name   = "opt-in-status"
    values = ["opt-in-not-required"]
  }

  state = "available"
}
# Account ID / ARN of the credentials running the plan. Not referenced by
# any block shown above; presumably consumed by outputs or later resources
# in this file — verify before removing.
data "aws_caller_identity" "current" {
}
# VPC: one network spanning local.azs, NAT egress in every AZ.
module "vpc" {
  source = "./modules/vpc"

  name               = local.name
  cidr               = var.vpc_cidr
  availability_zones = local.azs

  # A NAT gateway per AZ instead of one shared gateway, so losing an AZ
  # does not cut egress for the workloads in the remaining AZs.
  enable_nat_gateway = true
  single_nat_gateway = false

  tags = local.common_tags
}
# EKS control plane with Karpenter-managed compute.
module "eks" {
  source = "./modules/eks"

  cluster_name    = local.name
  cluster_version = var.kubernetes_version

  # Networking is taken from the VPC module. These references already make
  # Terraform order the two modules; the explicit depends_on at the bottom
  # additionally holds back every resource in this module until the whole
  # VPC module has applied.
  vpc_id             = module.vpc.vpc_id
  private_subnet_ids = module.vpc.private_subnet_ids
  public_subnet_ids  = module.vpc.public_subnet_ids

  enable_karpenter = true

  # FIPS mode for the cluster; what the module changes when this is set
  # (AMI, endpoints, kubelet flags) is decided inside ./modules/eks.
  enable_fips = var.enable_fips

  tags = local.common_tags

  depends_on = [module.vpc]
}
# IAM roles and the IRSA trust anchored on the cluster's OIDC provider.
module "iam" {
  source = "./modules/iam"

  # All three inputs come from the EKS module, so IRSA trust policies can
  # only ever be bound to this cluster's issuer.
  cluster_name              = module.eks.cluster_name
  cluster_oidc_issuer_url   = module.eks.cluster_oidc_issuer_url
  cluster_oidc_provider_arn = module.eks.oidc_provider_arn

  tags = local.common_tags

  depends_on = [module.eks]
}
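# Storage: EBS (gp3), EFS and S3 used by the cluster.
module "storage" {
  source = "./modules/storage"

  name               = local.name
  vpc_id             = module.vpc.vpc_id
  private_subnet_ids = module.vpc.private_subnet_ids
  availability_zones = local.azs

  # Encryption at rest is unconditional. This used to be `var.enable_fips`,
  # which would have turned encryption off in the storage module for any
  # non-FIPS deployment; FIPS only constrains which crypto modules are
  # used, it is not the reason data is encrypted.
  enable_encryption = true

  tags = local.common_tags

  depends_on = [module.vpc]
}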
# Shared NLB in front of every service.
# RFC 0046: optional static Elastic IPs so DNS glue records survive a
# load-balancer replacement.
module "nlb" {
  source = "./modules/nlb"

  name              = local.name
  vpc_id            = module.vpc.vpc_id
  public_subnet_ids = module.vpc.public_subnet_ids

  # aws_eip.dns is declared outside the blocks shown here. Its IDs are only
  # passed through when static IPs are requested; otherwise an empty list
  # goes in, so the module never sees EIPs it should not attach. The splat
  # presumably tolerates a count of zero on the EIP resource — confirm.
  enable_static_ips = var.enable_dns_static_ips
  elastic_ip_ids    = var.enable_dns_static_ips ? aws_eip.dns[*].id : []

  tags = local.common_tags

  depends_on = [module.vpc]
}
# Additional blob-storage buckets (logs, traces).
module "s3" {
  source = "./modules/s3"

  name = local.name

  # Retention windows for the log and trace buckets; presumably applied as
  # lifecycle rules inside ./modules/s3 — confirm there.
  log_retention_days   = var.log_retention_days
  trace_retention_days = var.trace_retention_days

  tags = local.common_tags
}