feat(infra): implement multi-environment deployment strategy

- Update CD workflow for branch-based environments (main -> Prod, dev -> Dev)
- Support Terraform workspaces for environment isolation
- Add manage_runtime_secrets flag to prevent accidental secret destruction
- Add infra management and secret setup utility scripts
- Prefix GitHub deployer identity with environment name
- Synchronize bot environment variables with latest runtime config

infra/terraform/main.tf

@@ -19,6 +19,14 @@ resource "google_artifact_registry_repository" "containers" {
 
   labels = local.common_labels
 
+  lifecycle {
+    ignore_changes = [
+      labels,
+      effective_labels,
+      terraform_labels,
+    ]
+  }
+
   depends_on = [google_project_service.enabled]
 }
 
@@ -41,7 +49,7 @@ resource "google_service_account" "scheduler_invoker" {
 }
 
 resource "google_secret_manager_secret" "runtime" {
-  for_each = local.runtime_secret_ids
+  for_each = var.manage_runtime_secrets ? local.runtime_secret_ids : toset([])
 
   project   = var.project_id
   secret_id = each.value
@@ -56,10 +64,10 @@ resource "google_secret_manager_secret" "runtime" {
 }
 
 resource "google_secret_manager_secret_iam_member" "bot_runtime_access" {
-  for_each = google_secret_manager_secret.runtime
+  for_each = local.runtime_secret_ids
 
   project   = var.project_id
-  secret_id = each.value.secret_id
+  secret_id = each.value
   role      = "roles/secretmanager.secretAccessor"
   member    = "serviceAccount:${google_service_account.bot_runtime.email}"
 }
@@ -96,8 +104,11 @@ module "bot_api_service" {
     var.bot_assistant_model == null ? {} : {
       ASSISTANT_MODEL = var.bot_assistant_model
     },
-    var.bot_assistant_router_model == null ? {} : {
-      ASSISTANT_ROUTER_MODEL = var.bot_assistant_router_model
+    var.bot_topic_processor_model == null ? {} : {
+      TOPIC_PROCESSOR_MODEL = var.bot_topic_processor_model
+    },
+    var.bot_topic_processor_timeout_ms == null ? {} : {
+      TOPIC_PROCESSOR_TIMEOUT_MS = tostring(var.bot_topic_processor_timeout_ms)
     },
     var.bot_assistant_timeout_ms == null ? {} : {
       ASSISTANT_TIMEOUT_MS = tostring(var.bot_assistant_timeout_ms)
@@ -222,7 +233,7 @@ resource "google_service_account" "github_deployer" {
   count = var.create_workload_identity ? 1 : 0
 
   project      = var.project_id
-  account_id   = var.github_deploy_service_account_id
+  account_id   = "${var.environment}-${var.github_deploy_service_account_id}"
   display_name = "${local.name_prefix} GitHub deployer"
 }
 

infra/terraform/modules/cloud_run_service/main.tf

@@ -54,6 +54,12 @@ resource "google_cloud_run_v2_service" "this" {
     percent = 100
     type    = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
   }
+
+  lifecycle {
+    ignore_changes = [
+      template[0].scaling,
+    ]
+  }
 }
 
 resource "google_cloud_run_v2_service_iam_member" "public_invoker" {

infra/terraform/variables.tf

@@ -83,13 +83,20 @@ variable "bot_assistant_model" {
   nullable    = true
 }
 
-variable "bot_assistant_router_model" {
-  description = "Optional ASSISTANT_ROUTER_MODEL override for bot runtime"
+variable "bot_topic_processor_model" {
+  description = "Optional TOPIC_PROCESSOR_MODEL override for bot runtime"
   type        = string
   default     = null
   nullable    = true
 }
 
+variable "bot_topic_processor_timeout_ms" {
+  description = "Optional TOPIC_PROCESSOR_TIMEOUT_MS override for bot runtime"
+  type        = number
+  default     = null
+  nullable    = true
+}
+
 variable "bot_assistant_timeout_ms" {
   description = "Optional ASSISTANT_TIMEOUT_MS override for bot runtime"
   type        = number
@@ -217,6 +224,12 @@ variable "labels" {
   default     = {}
 }
 
+variable "manage_runtime_secrets" {
+  description = "Whether Terraform should manage the creation of runtime secrets (disable if secrets are created manually)"
+  type        = bool
+  default     = true
+}
+
 variable "create_workload_identity" {
   description = "Create GitHub OIDC Workload Identity resources"
   type        = bool