adds terraform scripts for deploying Bifrost (#1636)

## Summary

Add Terraform modules for deploying Bifrost on AWS, GCP, and Azure with a unified interface. This enables infrastructure-as-code deployments across multiple cloud providers and services.

## Changes

- Created a unified Terraform module structure with cloud-specific submodules
- Implemented deployment options for AWS (ECS, EKS), GCP (GKE, Cloud Run), and Azure (AKS, ACI)
- Added configuration handling that supports both file-based and variable-based approaches
- Included examples for each cloud provider with documentation
- Implemented resource provisioning for networking, compute, storage, and security components

## Type of change

- [x] Feature
- [x] Documentation

## Affected areas

- [x] Docs

## How to test

```sh
# AWS ECS Example
cd terraform/examples/aws-ecs
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your values
terraform init
terraform plan
terraform apply

# GCP GKE Example
cd terraform/examples/gcp-gke
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your values
terraform init
terraform plan
terraform apply

# Azure AKS Example
cd terraform/examples/azure-aks
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your values
terraform init
terraform plan
terraform apply
```

## Breaking changes

- [x] No

## Security considerations

The modules handle sensitive configuration through cloud provider secret management services:
- AWS: Secrets Manager
- GCP: Secret Manager
- Azure: Key Vault

Configuration can be provided via Terraform variables or files, with proper sensitive marking to prevent exposure in logs.

## Checklist

- [x] I updated documentation where needed
- [x] I verified builds succeed

Author: akshaydeo

.gitignore

@@ -103,3 +103,10 @@ npm-debug.log*
 
 # Playwright
 playwright/.cache/
+
+# Terraform
+.terraform/
+terraform.tfstate
+terraform.tfstate.backup
+*.tfvars
+!*.tfvars.example

docs/deployment-guides/k8s.mdx

@@ -6,6 +6,21 @@ icon: "cloud"
 
 Deploy Bifrost on Kubernetes using Terraform. This guide breaks down the deployment into individual components for better understanding.
 
+<Note>
+Bifrost also provides a ready-to-use Terraform module that handles all the infrastructure setup for you.
+You can use it directly from GitHub:
+```hcl
+module "bifrost" {
+  source         = "github.com/maximhq/bifrost//terraform/modules/bifrost?ref=terraform/v0.1.0"
+  cloud_provider = "aws"          # "aws" | "gcp" | "azure" | "kubernetes"
+  service        = "eks"          # AWS: "ecs" | "eks", GCP: "gke" | "cloud-run", Azure: "aks" | "aci", K8s: "deployment"
+  region         = "us-east-1"
+  image_tag      = "latest"
+}
+```
+See the [Terraform module README](https://github.com/maximhq/bifrost/tree/main/terraform) for full documentation and examples.
+</Note>
+
 <Note>
 If you are using Postgres/MySQL for config and log store, you can skip the Volume configuration and permission changes sections.
 </Note>

terraform/README.md

@@ -0,0 +1,112 @@
+# Bifrost Terraform Modules
+
+Deploy Bifrost on AWS, GCP, Azure, or any Kubernetes cluster using a single Terraform module.
+
+## Quick Start
+
+Reference the module directly from GitHub. Pin to a specific release tag using `?ref=`:
+
+```hcl
+module "bifrost" {
+  source         = "github.com/maximhq/bifrost//terraform/modules/bifrost?ref=terraform/v0.1.0"
+  cloud_provider = "aws"       # "aws" | "gcp" | "azure" | "kubernetes"
+  service        = "ecs"       # AWS: "ecs" | "eks", GCP: "gke" | "cloud-run", Azure: "aks" | "aci", K8s: "deployment"
+  region         = "us-east-1"
+  image_tag      = "v1.4.6"
+
+  # Option A: Provide a config.json file
+  config_json_file = "./config.json"
+
+  # Option B: Build config from Terraform variables (overrides matching keys from file)
+  providers_config = {
+    openai = { keys = [{ value = var.openai_key, weight = 1 }] }
+  }
+  config_store = {
+    enabled = true
+    type    = "postgres"
+    config  = { host = var.db_host, port = "5432", user = "bifrost", password = var.db_password, db_name = "bifrost" }
+  }
+}
+```
+
+## Supported Deployments
+
+| Cloud | Service | Description |
+|-------|---------|-------------|
+| AWS | `ecs` | ECS Fargate with ALB, Secrets Manager, auto-scaling |
+| AWS | `eks` | EKS with K8s Deployment, PVC for SQLite, HPA |
+| GCP | `gke` | GKE with K8s Deployment, persistent disk, HPA |
+| GCP | `cloud-run` | Cloud Run v2 with Secret Manager, auto-scaling |
+| Azure | `aks` | AKS with K8s Deployment, managed disk, HPA |
+| Azure | `aci` | Azure Container Instances (single instance, dev/test) |
+| Kubernetes | `deployment` | Any K8s cluster with Deployment, PVC, HPA, Ingress |
+
+## Configuration
+
+Bifrost config can come from two sources simultaneously. Terraform variables override matching keys from the base file.
+
+1. **File-based**: Set `config_json_file` to a path or `config_json` to a raw JSON string.
+2. **Variable-based**: Set individual variables (`config_store`, `logs_store`, `providers_config`, `auth_config`, etc.) corresponding to top-level keys in [config.schema.json](../transports/config.schema.json).
+
+All 16 top-level config properties from the schema are supported as variables:
+`encryption_key`, `auth_config`, `client`, `framework`, `providers_config`, `governance`, `mcp`, `vector_store`, `config_store`, `logs_store`, `cluster_config`, `saml_config`, `load_balancer_config`, `guardrails_config`, `plugins`, `audit_logs`.
+
+## Directory Structure
+
+```text
+terraform/
+  modules/bifrost/              # Top-level module (the only thing you call)
+    aws/                        # AWS platform (VPC, SG, IAM, Secrets Manager)
+      services/ecs/             # ECS Fargate
+      services/eks/             # EKS + K8s resources
+    gcp/                        # GCP platform (VPC, firewall, Secret Manager, SA)
+      services/gke/             # GKE + K8s resources
+      services/cloud-run/       # Cloud Run v2
+    azure/                      # Azure platform (VNet, NSG, Key Vault, identity)
+      services/aks/             # AKS + K8s resources
+      services/aci/             # Azure Container Instances
+    kubernetes/                 # Generic K8s (any cluster, no cloud APIs)
+  examples/
+    aws-ecs/                    # Deploy on ECS Fargate
+    gcp-gke/                    # Deploy on GKE
+    azure-aks/                  # Deploy on AKS
+    kubernetes/                 # Deploy on any K8s cluster
+```
+
+## Examples
+
+Each example directory contains `main.tf`, `variables.tf`, `outputs.tf`, `terraform.tfvars.example`, and a `README.md`.
+
+```bash
+cd examples/aws-ecs
+cp terraform.tfvars.example terraform.tfvars
+# Edit terraform.tfvars with your values
+terraform init
+terraform plan
+terraform apply
+```
+
+## Key Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `cloud_provider` | (required) | `"aws"`, `"gcp"`, `"azure"`, or `"kubernetes"` |
+| `service` | (required) | Service type (see table above) |
+| `region` | (required) | Cloud region |
+| `image_tag` | `"latest"` | Bifrost Docker image tag |
+| `desired_count` | `1` | Number of replicas |
+| `cpu` | `512` | CPU units (ECS) or millicores (K8s) |
+| `memory` | `1024` | Memory in MB |
+| `create_load_balancer` | `false` | Create a load balancer |
+| `enable_autoscaling` | `false` | Enable auto-scaling |
+| `create_cluster` | `true` | Create new cluster (set `false` to use existing) |
+| `storage_class_name` | `"standard"` | K8s StorageClass for PVC (generic K8s only) |
+| `ingress_class_name` | `"nginx"` | Ingress controller class (generic K8s only) |
+| `ingress_annotations` | `{}` | Ingress annotations (generic K8s only) |
+
+## Outputs
+
+| Output | Description |
+|--------|-------------|
+| `service_url` | URL to access Bifrost |
+| `health_check_url` | Health endpoint URL |

terraform/examples/aws-ecs/.terraform.lock.hcl

@@ -0,0 +1,36 @@
+# Bifrost on AWS ECS
+
+Deploys Bifrost as an ECS Fargate service with optional ALB and autoscaling.
+
+## Prerequisites
+
+- AWS account with appropriate permissions
+- AWS CLI configured (`aws configure`)
+- Terraform >= 1.0
+
+## Usage
+
+```bash
+# Copy and edit the example variables file
+cp terraform.tfvars.example terraform.tfvars
+
+# Deploy
+terraform init
+terraform plan
+terraform apply
+```
+
+## Configuration
+
+Two approaches can be combined:
+
+1. **File-based** -- Set `config_json_file` to point to an existing `config.json`.
+2. **Variable-based** -- Set individual variables (`config_store`, `logs_store`, `providers_config`). These override matching keys from the file.
+
+See `terraform.tfvars.example` for examples of both.
+
+## Cleanup
+
+```bash
+terraform destroy
+```

terraform/examples/aws-ecs/README.md

@@ -0,0 +1,41 @@
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+}
+
+module "bifrost" {
+  source         = "../../modules/bifrost"
+  cloud_provider = "aws"
+  service        = "ecs"
+  region         = var.region
+  image_tag      = var.image_tag
+  name_prefix    = var.name_prefix
+
+  # Config: use a file as base, override with variables
+  config_json_file = var.config_json_file
+
+  # Override specific config sections
+  config_store     = var.config_store
+  logs_store       = var.logs_store
+  providers_config = var.providers_config
+
+  # Compute
+  desired_count        = var.desired_count
+  cpu                  = var.cpu
+  memory               = var.memory
+  create_load_balancer = var.create_load_balancer
+
+  # Autoscaling
+  enable_autoscaling = var.enable_autoscaling
+  min_capacity       = var.min_capacity
+  max_capacity       = var.max_capacity
+}

terraform/examples/aws-ecs/main.tf

@@ -0,0 +1,9 @@
+output "service_url" {
+  description = "URL to access the Bifrost service."
+  value       = module.bifrost.service_url
+}
+
+output "health_check_url" {
+  description = "URL to the Bifrost health check endpoint."
+  value       = module.bifrost.health_check_url
+}

terraform/examples/aws-ecs/outputs.tf

@@ -0,0 +1,62 @@
+# =============================================================================
+# AWS ECS Example — terraform.tfvars
+# WARNING: Do NOT commit this file with real secrets (API keys, passwords).
+#          Use environment variables, a secrets manager, or .gitignore this file.
+# =============================================================================
+
+region      = "us-east-1"
+image_tag   = "latest"
+name_prefix = "bifrost"
+
+# -----------------------------------------------------------------------------
+# Config approach 1: File-based
+# Point to an existing config.json. Variable overrides below will merge on top.
+# -----------------------------------------------------------------------------
+# config_json_file = "./config.json"
+
+# -----------------------------------------------------------------------------
+# Config approach 2: Variable-based
+# Define config sections directly. These override matching keys from the file.
+# -----------------------------------------------------------------------------
+config_store = {
+  enabled = true
+  type    = "sqlite"
+  config = {
+    path = "/app/data/bifrost.db"
+  }
+}
+
+logs_store = {
+  enabled = true
+  type    = "sqlite"
+  config = {
+    path = "/app/data/bifrost-logs.db"
+  }
+}
+
+providers_config = {
+  openai = {
+    api_key = "sk-..."
+  }
+  anthropic = {
+    api_key = "sk-ant-..."
+  }
+}
+
+# -----------------------------------------------------------------------------
+# Compute
+# -----------------------------------------------------------------------------
+desired_count        = 2
+cpu                  = 512
+memory               = 1024
+create_load_balancer = true
+
+# -----------------------------------------------------------------------------
+# Autoscaling
+# -----------------------------------------------------------------------------
+# NOTE: If you are using OSS version - running multiple nodes has an effect on
+# functionality of the system. Please read
+# https://docs.getbifrost.ai/deployment-guides/how-to/multinode
+enable_autoscaling = true
+min_capacity       = 1
+max_capacity       = 5