🤖 feat: add Terraform EKS sandbox configuration (#26)

## Summary
Add a complete, plain-resource Terraform configuration under
`terraform/` to provision a cost-optimized Amazon EKS sandbox cluster in
`eu-central-1`, plus documentation for authentication and usage.

## Background
The goal is to provide a practical starting point for creating an EKS
cluster in a personal AWS account with reasonable default cost controls
(single NAT gateway, modest node sizing), while making setup reliable
for AWS CLI v2 `aws login` users.

## Implementation
- Added Terraform configuration files:
- `terraform/versions.tf` (Terraform/AWS provider requirements, default
tags)
- `terraform/variables.tf` (cluster/network/node variables with
defaults)
- `terraform/vpc.tf` (VPC, 2 public + 2 private subnets, IGW, single
NAT, route tables)
  - `terraform/iam.tf` (EKS control plane + node IAM roles/policies)
- `terraform/eks.tf` (EKS cluster, managed node group,
`coredns`/`kube-proxy`/`vpc-cni` add-ons)
- `terraform/outputs.tf` (endpoint, kubeconfig command, region, VPC,
etc.)
  - `terraform/.gitignore` (Terraform state/workdir ignores)
- Added and updated `terraform/README.md` to include:
  - usage + cost estimate
- safe AWS auth steps for `aws login` + `login_session` via
`credential_process`
  - guidance to avoid leaking credentials/config in git
- Addressed Codex review feedback by making networking inputs resilient:
- AZ selection is now derived from the selected region
(`data.aws_availability_zones`)
  - subnet CIDRs are now derived from the configurable `var.vpc_cidr`
- Addressed Codex lockfile feedback for reproducibility:
  - stopped ignoring `terraform/.terraform.lock.hcl`
- generated and committed provider lockfile so `terraform init` stays
deterministic across machines

## Validation
- `terraform -chdir=terraform fmt -recursive -check`
- `terraform -chdir=terraform init -backend=false -input=false`
- `terraform -chdir=terraform validate`
- local PR loop checks:
  - `make verify-vendor` ✅
  - `make test` ✅
  - `make build` ✅
- `make lint` ⚠️ fails in this environment because golangci-lint was
built with Go 1.24 while the repo targets Go 1.25.7

## Risks
Low-to-moderate operational risk:
- Provisions real billable infrastructure (EKS, EC2 nodes, NAT Gateway).
- Defaults are intentionally sandbox-oriented and cost-conscious, but
costs vary by workload and data transfer.
- Auth instructions are documentation-only and avoid embedding
account-specific secrets.

---

_Generated with `mux` • Model: `openai:gpt-5.3-codex` • Thinking:
`xhigh` • Cost: `$0.53`_

<!-- mux-attribution: model=openai:gpt-5.3-codex thinking=xhigh
costs=0.53 -->

Author: ibetitsmike

terraform/.gitignore

@@ -0,0 +1,4 @@
+.terraform/
+*.tfstate
+*.tfstate.*
+*.tfplan

terraform/.terraform.lock.hcl

@@ -0,0 +1,98 @@
+# Terraform EKS Sandbox Configuration
+
+This directory provisions a cost-optimized Amazon EKS sandbox cluster in region `eu-central-1`.
+
+## What this sets up
+
+- A VPC (`10.0.0.0/16`) with:
+  - 2 public subnets across the first two availability zones in the selected region
+  - 2 private subnets across the first two availability zones in the selected region
+  - Internet Gateway
+  - Single NAT Gateway (lower cost than one per AZ)
+- IAM roles for EKS control plane and worker nodes
+- EKS cluster (`sandbox-eks`, Kubernetes `1.31`) with public and private API endpoint access
+- One managed node group:
+  - Instance type: `t3.medium`
+  - Desired/min/max size: `2/1/3`
+  - Disk size: `20 GiB`
+  - AMI type: `AL2023_x86_64_STANDARD`
+- EKS managed add-ons: `coredns`, `kube-proxy`, `vpc-cni`
+- Local Terraform state (no remote backend configured)
+
+## Prerequisites
+
+- Terraform `>= 1.5`
+- AWS CLI v2 installed
+- AWS identity with permissions to create VPC, IAM, EKS, and EC2 resources in your target account
+
+## AWS authentication (required before `terraform plan` / `terraform apply`)
+
+If you are using `aws login` and your AWS profile uses `login_session`, Terraform may not detect credentials directly. Use a Terraform-specific wrapper profile via `credential_process`.
+
+1. Sign in to your normal AWS login profile:
+
+```bash
+aws login --profile <your-login-profile>
+```
+
+2. Add a Terraform wrapper profile in `~/.aws/config`:
+
+```ini
+[profile terraform]
+credential_process = aws configure export-credentials --profile <your-login-profile> --format process
+region = eu-central-1
+```
+
+3. In the shell where you run Terraform, point tooling at that profile:
+
+```bash
+unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+export AWS_PROFILE=terraform
+export AWS_REGION=eu-central-1
+export AWS_SDK_LOAD_CONFIG=1
+```
+
+4. Verify credentials before running Terraform:
+
+```bash
+aws sts get-caller-identity
+```
+
+> Security note: do not commit `~/.aws/config`, `~/.aws/credentials`, or any copied credential values to git.
+
+## Usage
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+## Configure kubectl
+
+After `terraform apply`, run the command from the Terraform output:
+
+```bash
+terraform output -raw kubeconfig_command
+```
+
+Then execute the printed command, for example:
+
+```bash
+aws eks update-kubeconfig --region eu-central-1 --name sandbox-eks
+```
+
+## Estimated cost (rough)
+
+- EKS control plane: **~$0.10/hour**
+- 2x `t3.medium` worker nodes: **~$0.08/hour**
+- 1x NAT Gateway: **~$0.045/hour**
+- **Total: ~ $0.225/hour (~$5.40/day)**
+
+> Note: Data transfer and NAT data processing charges are additional.
+
+## Cleanup
+
+```bash
+terraform destroy
+```

terraform/README.md

@@ -0,0 +1,61 @@
+resource "aws_eks_cluster" "this" {
+  name     = var.cluster_name
+  role_arn = aws_iam_role.eks_cluster.arn
+  version  = var.cluster_version
+
+  vpc_config {
+    subnet_ids              = aws_subnet.private[*].id
+    endpoint_public_access  = true
+    endpoint_private_access = true
+  }
+
+  depends_on = [aws_iam_role_policy_attachment.eks_cluster_policy]
+}
+
+resource "aws_eks_node_group" "this" {
+  cluster_name    = aws_eks_cluster.this.name
+  node_group_name = "${var.cluster_name}-nodes"
+  node_role_arn   = aws_iam_role.node_group.arn
+  subnet_ids      = aws_subnet.private[*].id
+
+  instance_types = var.node_instance_types
+  ami_type       = "AL2023_x86_64_STANDARD"
+  disk_size      = var.node_disk_size
+
+  scaling_config {
+    desired_size = var.node_desired_size
+    min_size     = var.node_min_size
+    max_size     = var.node_max_size
+  }
+
+  depends_on = [
+    aws_iam_role_policy_attachment.node_group_worker_policy,
+    aws_iam_role_policy_attachment.node_group_cni_policy,
+    aws_iam_role_policy_attachment.node_group_ecr_readonly,
+  ]
+}
+
+# Core add-ons are explicitly managed for predictable cluster bootstrap behavior.
+resource "aws_eks_addon" "coredns" {
+  cluster_name                = aws_eks_cluster.this.name
+  addon_name                  = "coredns"
+  resolve_conflicts_on_create = "OVERWRITE"
+
+  depends_on = [aws_eks_node_group.this]
+}
+
+resource "aws_eks_addon" "kube_proxy" {
+  cluster_name                = aws_eks_cluster.this.name
+  addon_name                  = "kube-proxy"
+  resolve_conflicts_on_create = "OVERWRITE"
+
+  depends_on = [aws_eks_node_group.this]
+}
+
+resource "aws_eks_addon" "vpc_cni" {
+  cluster_name                = aws_eks_cluster.this.name
+  addon_name                  = "vpc-cni"
+  resolve_conflicts_on_create = "OVERWRITE"
+
+  depends_on = [aws_eks_node_group.this]
+}

terraform/eks.tf

@@ -0,0 +1,59 @@
+data "aws_iam_policy_document" "eks_cluster_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["eks.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "eks_cluster" {
+  name               = "${var.cluster_name}-cluster-role"
+  assume_role_policy = data.aws_iam_policy_document.eks_cluster_assume_role.json
+
+  tags = {
+    Name = "${var.cluster_name}-cluster-role"
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
+  role       = aws_iam_role.eks_cluster.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+}
+
+data "aws_iam_policy_document" "node_group_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "node_group" {
+  name               = "${var.cluster_name}-node-role"
+  assume_role_policy = data.aws_iam_policy_document.node_group_assume_role.json
+
+  tags = {
+    Name = "${var.cluster_name}-node-role"
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "node_group_worker_policy" {
+  role       = aws_iam_role.node_group.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+}
+
+resource "aws_iam_role_policy_attachment" "node_group_cni_policy" {
+  role       = aws_iam_role.node_group.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+}
+
+resource "aws_iam_role_policy_attachment" "node_group_ecr_readonly" {
+  role       = aws_iam_role.node_group.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+}

terraform/iam.tf

@@ -0,0 +1,40 @@
+output "cluster_name" {
+  description = "Name of the EKS cluster."
+  value       = aws_eks_cluster.this.name
+}
+
+output "cluster_endpoint" {
+  description = "API server endpoint for the EKS cluster."
+  value       = aws_eks_cluster.this.endpoint
+}
+
+output "cluster_certificate_authority" {
+  description = "Base64-encoded certificate data required for kubeconfig setup."
+  value       = aws_eks_cluster.this.certificate_authority[0].data
+  sensitive   = true
+}
+
+output "cluster_security_group_id" {
+  description = "Cluster security group ID managed by EKS."
+  value       = aws_eks_cluster.this.vpc_config[0].cluster_security_group_id
+}
+
+output "node_group_name" {
+  description = "Name of the managed EKS node group."
+  value       = aws_eks_node_group.this.node_group_name
+}
+
+output "region" {
+  description = "AWS region where the cluster is deployed."
+  value       = var.aws_region
+}
+
+output "kubeconfig_command" {
+  description = "AWS CLI command to merge this cluster into local kubeconfig."
+  value       = "aws eks update-kubeconfig --region ${var.aws_region} --name ${aws_eks_cluster.this.name}"
+}
+
+output "vpc_id" {
+  description = "VPC ID used by the EKS cluster."
+  value       = aws_vpc.this.id
+}

terraform/outputs.tf

@@ -0,0 +1,53 @@
+variable "aws_region" {
+  description = "AWS region where the EKS cluster and networking resources will be created."
+  type        = string
+  default     = "eu-central-1"
+}
+
+variable "cluster_name" {
+  description = "Name of the EKS cluster."
+  type        = string
+  default     = "sandbox-eks"
+}
+
+variable "cluster_version" {
+  description = "Kubernetes version for the EKS control plane."
+  type        = string
+  default     = "1.31"
+}
+
+variable "vpc_cidr" {
+  description = "CIDR block for the VPC that hosts the EKS cluster."
+  type        = string
+  default     = "10.0.0.0/16"
+}
+
+variable "node_instance_types" {
+  description = "EC2 instance types for the managed node group."
+  type        = list(string)
+  default     = ["t3.medium"]
+}
+
+variable "node_desired_size" {
+  description = "Desired number of worker nodes in the managed node group."
+  type        = number
+  default     = 2
+}
+
+variable "node_min_size" {
+  description = "Minimum number of worker nodes in the managed node group."
+  type        = number
+  default     = 1
+}
+
+variable "node_max_size" {
+  description = "Maximum number of worker nodes in the managed node group."
+  type        = number
+  default     = 3
+}
+
+variable "node_disk_size" {
+  description = "Disk size in GiB for each node in the managed node group."
+  type        = number
+  default     = 20
+}

terraform/variables.tf

@@ -0,0 +1,21 @@
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+
+  default_tags {
+    tags = {
+      ManagedBy = "terraform"
+      Project   = "sandbox-eks"
+    }
+  }
+}