# aws-silo-tenant — single-tenant AWS cell with hard isolation.
#
# Mirrors deployments/kubernetes/cells/silo-reg-acme/. Targets
# regulated customers who require their own EKS cluster + their own
# data plane (RDS / ElastiCache / S3 / KMS keys). Per-cell Pomerium +
# per-cell Cloudflare tunnel + dedicated Entra Agent Identity.

# Template identity. `slug` is the short form used by tooling; `name` is
# the fully-qualified template name.
name: alphaswarm-aws-silo-tenant
slug: aws-silo-tenant
module_kind: composite
description: |
  Single-tenant AlphaSwarm cell on AWS. Dedicated EKS cluster +
  dedicated RDS / ElastiCache / S3 with per-tenant KMS keys + per-cell
  Pomerium IAP + per-cell Cloudflare tunnel + per-cell Entra Agent
  Identity. Hard tenant isolation; no shared compute or storage.

# Top-level placement. `environment: live` is repeated verbatim in the
# networking and storage module variables below; keep them in sync.
cloud_provider: aws
environment: live

# NOTE(review): region is hard-coded here and in `backend.config.region`,
# while a `region` variable (default us-east-1) is also declared below and
# never referenced — confirm which one the template engine honours before
# relying on the variable for a non-us-east-1 deployment.
provider:
  kind: aws
  region: us-east-1

# Remote state. The state key is tenant-scoped (`aws-silo-${tenant_id}`),
# but the bucket itself is shared by every cell. Terraform state can hold
# secrets and resource identifiers, so isolation between tenants' state
# rests on the bucket/prefix policy and KMS configuration of
# `alphaswarm-tfstate`, which are not defined in this file.
# NOTE(review): the key uses `${tenant_id}` whereas every other reference
# in this file is `${var.tenant_id}` — verify the backend-config
# interpolation syntax; a wrong form would collapse all tenants onto one
# state key.
backend:
  kind: s3
  config:
    bucket: alphaswarm-tfstate
    key: alphaswarm_platform/cells/aws-silo-${tenant_id}/terraform.tfstate
    region: us-east-1
    # Server-side encryption of the state object and S3-native locking.
    encrypt: true
    use_lockfile: true

# Template inputs. Defaults are plain YAML scalars; the `${var.*}`
# expressions are resolved by the composite template engine, not by YAML.
variables:
  # tenant_id has no default: it is the isolation boundary and feeds the
  # cell name, DNS names and (per the description) KMS aliases.
  - name: tenant_id
    type: string
    description: Required — the silo'd tenant's slug. Becomes part of the cell name + DNS + KMS aliases.
  # NOTE(review): tenant_display_name is declared but not passed to any
  # module below — either wire it into the consuming module or drop it.
  - name: tenant_display_name
    type: string
    description: Human-readable tenant name (used in resource tags + Pomerium app name).
  # NOTE(review): `region` is not referenced by any module in this file;
  # see the provider/backend note above.
  - name: region
    type: string
    default: us-east-1
  # NOTE(review): the default embeds a fixed AZ suffix (us-east-1a), so a
  # caller overriding `region` must also override `cell_name`.
  - name: cell_name
    type: string
    default: silo-${var.tenant_id}-us-east-1a
  - name: cell_replicas
    type: number
    default: 2
  - name: tier
    type: string
    default: silo
  # Public hostnames are derived from tenant_id so each silo gets its own
  # DNS names (ingress + Pomerium authority).
  - name: ingress_host
    type: string
    default: aqp.${var.tenant_id}.alpha-swarm.ai
  - name: pomerium_authority
    type: string
    default: ${var.tenant_id}.manage.alpha-swarm.ai
  # Empty by default and marked sensitive; forwarded to mesh_identity.
  # NOTE(review): confirm mesh_identity fails closed (refuses to deploy)
  # when this is empty rather than silently disabling IdP-backed auth.
  - name: entra_idp_url
    type: string
    default: ""
    sensitive: true

# Sub-modules, composed in order. Only the values listed under each
# module's `variables` are passed from this template; anything else a
# module needs comes from its own defaults.
modules:
  # networking and storage receive only provider/environment here.
  # NOTE(review): neither receives tenant_id, yet the description promises
  # per-tenant KMS keys and dedicated data stores — verify the modules
  # derive the tenant scope some other way, or pass it explicitly.
  - name: networking
    source: ../../modules/networking
    variables:
      cloud_provider: aws
      environment: live
  # The tenant slug is mapped onto the kubernetes module's organization
  # slug, and the cell name onto its workspace slug.
  - name: kubernetes
    source: ../../modules/kubernetes
    variables:
      organization_slug: "${var.tenant_id}"
      workspace_slug: "${var.cell_name}"
  - name: storage
    source: ../../modules/storage
    variables:
      cloud_provider: aws
      environment: live
  # Application cell. `replicas` is passed as a quoted interpolation of a
  # number-typed variable; presumably the engine preserves the numeric
  # type — confirm against the cell module's variable declaration.
  - name: cell
    source: ../../modules/cell
    variables:
      cell_name: "${var.cell_name}"
      replicas: "${var.cell_replicas}"
      ingress_host: "${var.ingress_host}"
      tier: "${var.tier}"
  # No inputs: the observability stack relies entirely on its own defaults.
  - name: observability
    source: ../../modules/observability_stack
  # Per-cell identity plane: Pomerium authority + Entra IdP endpoint.
  - name: mesh
    source: ../../modules/mesh_identity
    variables:
      pomerium_authority: "${var.pomerium_authority}"
      entra_idp_url: "${var.entra_idp_url}"
      cell_name: "${var.cell_name}"
  # Public edge; exposes the same host the cell module uses for ingress.
  - name: edge
    source: ../../modules/edge_stack
    variables:
      cell_name: "${var.cell_name}"
      public_hostname: "${var.ingress_host}"

# Provider pins. The `~> x.y` constraints are plain YAML strings (no
# indicator character), so they need no quoting. The cloudflare provider
# is not referenced by any module variable above; presumably consumed by
# edge_stack for the per-cell tunnel — confirm.
required_providers:
  aws:
    source: hashicorp/aws
    version: ~> 5.50
  kubernetes:
    source: hashicorp/kubernetes
    version: ~> 2.30
  helm:
    source: hashicorp/helm
    version: ~> 2.15
  cloudflare:
    source: cloudflare/cloudflare
    version: ~> 5.6

# Catalogue metadata only; not consumed by the modules above. The cost
# value is quoted so the leading `$` is never misread by tooling.
annotations:
  alphaswarm.io/template-name: aws-silo-tenant
  alphaswarm.io/template-kind: composite
  alphaswarm.io/cell-tier: silo
  alphaswarm.io/composition: networking + kubernetes + storage + cell (silo) + observability_stack + mesh_identity + edge_stack
  alphaswarm.io/target-cost-monthly: "$5000-$12000"
