# Infrastructure — Terraform / OpenTofu

> **Sprint 1 note**: Infrastructure provisioning is skipped in Sprint 1 (OpenTofu not yet installed locally).
> See `docs/adr/001-terraform-vs-pulumi.md` for the tooling decision.

## Prerequisites

```bash
brew install opentofu
```

## Structure (to be implemented in Sprint 4+)

```
deploy/terraform/
├── main.tf          # Root module, providers, backend (S3 + DynamoDB lock)
├── variables.tf     # Input variables
├── outputs.tf       # VPC, cluster endpoint, kubeconfig
├── versions.tf      # Pinned provider versions
├── vpc/             # VPC, subnets, NAT gateway
├── eks/             # EKS cluster, node groups (terraform-aws-eks v20.x)
└── monitoring/      # CloudWatch, alerts
```

## Before first apply

Create the state backend manually:

```bash
aws s3 mb s3://veylant-terraform-state-eu-west-3 --region eu-west-3
aws dynamodb create-table \
  --table-name veylant-terraform-lock \
  --attribute-definitions AttributeName=LockID,AttributeType=S \
  --key-schema AttributeName=LockID,KeyType=HASH \
  --billing-mode PAY_PER_REQUEST \
  --region eu-west-3
```