infra: provision Aurora Serverless v2 via Pulumi #3

@sjawhar

Context

The Docker test Postgres container is not a durable solution. Time to move to AWS Aurora Serverless v2, managed via Pulumi IaC in this repo.

Scope

Aurora Serverless v2

  • Engine: Aurora PostgreSQL Serverless v2
  • No public access — private VPC only
  • Accessible from fleet EC2 instances (sami-agents-mx, sami-claude, sami, ghost-wispr)
  • ACLs via security groups + instance tags (e.g., fleet:opencode tag → SG rule)
  • Auto-scaling capacity (0.5–4 ACU is probably fine to start)
  • The plugin connects via OPENCODE_SHARED_DB env var — Aurora endpoint goes there

Pulumi

  • Pulumi project lives in this repo (e.g., infra/ directory)
  • Resources to provision:
    • VPC (or use existing fleet VPC if one exists)
    • Aurora Serverless v2 cluster + instance
    • Security group allowing inbound from fleet EC2 instances
    • Secrets Manager entry for the DB credentials
    • SSM parameter or Pulumi output for the connection string
  • Stack: prod (single environment for now)

Networking

  • Fleet machines are on Tailscale — need to determine whether Aurora is reachable via Tailscale mesh or needs VPC peering / private endpoint
  • If Tailscale: route the Aurora private IP through the Tailscale subnet router on one of the EC2 instances
  • If VPC peering: peer the Aurora VPC with the fleet VPC

Integration

  • After provisioning, set OPENCODE_SHARED_DB on each fleet machine's opencode config
  • Existing Pulumi stack at packages/envoy/infra/ manages Docker containers — this is separate AWS infra, so a separate Pulumi project makes sense

Open questions

  • Does the fleet already have a shared VPC, or are the EC2 instances in different VPCs/accounts?
  • Is there a preferred AWS region?
  • Should DB credentials be rotated automatically via Secrets Manager?
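The private-only, security-group and Secrets Manager requirements above, as an added policy check that is not the issue's or the repo's code: it reads a `pulumi stack export` JSON (the `deployment.resources[].inputs` shape and the constructed `opencode-db`/`db-sg` names are assumptions) and flags a publicly accessible instance, a CIDR-based ingress rule, a plaintext master password or an out-of-range ACU configuration.

```python
import json

# Pulumi AWS type tokens for the resources this issue provisions.
CLUSTER = "aws:rds/cluster:Cluster"
INSTANCE = "aws:rds/clusterInstance:ClusterInstance"
SG = "aws:ec2/securityGroup:SecurityGroup"

def check_stack(export: dict, min_acu: float = 0.5, max_acu: float = 4.0) -> list[str]:
    """Return policy findings for a `pulumi stack export` dict (empty list = compliant)."""
    findings = []
    for res in export.get("deployment", {}).get("resources", []):
        name = res.get("urn", "?").rsplit("::", 1)[-1]
        inp = res.get("inputs", {})
        if res.get("type") == CLUSTER:
            if not inp.get("storageEncrypted"):
                findings.append(f"{name}: storageEncrypted must be true")
            # Credentials belong in Secrets Manager, never as a plaintext input in state.
            if "masterPassword" in inp or not inp.get("manageMasterUserPassword"):
                findings.append(f"{name}: set manageMasterUserPassword, drop masterPassword")
            sc = inp.get("serverlessv2ScalingConfiguration") or {}
            lo, hi = sc.get("minCapacity"), sc.get("maxCapacity")
            if lo is None or hi is None or not (min_acu <= lo <= hi <= max_acu):
                findings.append(f"{name}: ACU range must lie within {min_acu}-{max_acu}")
        elif res.get("type") == INSTANCE:
            if inp.get("publiclyAccessible"):
                findings.append(f"{name}: publiclyAccessible must be false")
            if inp.get("instanceClass") != "db.serverless":
                findings.append(f"{name}: instanceClass must be db.serverless")
        elif res.get("type") == SG:
            for rule in inp.get("ingress", []):
                # Postgres ingress comes from the fleet security group, never a CIDR.
                if rule.get("cidrBlocks") or not rule.get("securityGroups"):
                    findings.append(f"{name}: ingress must reference a security group, not CIDRs")
                if (rule.get("fromPort"), rule.get("toPort")) != (5432, 5432):
                    findings.append(f"{name}: ingress must be limited to port 5432")
    return findings

# Constructed sample export (not real state); two violations are planted.
SAMPLE_EXPORT = json.loads("""{"deployment": {"resources": [
 {"urn": "urn:pulumi:prod::infra::aws:rds/cluster:Cluster::opencode-db",
  "type": "aws:rds/cluster:Cluster", "inputs": {"engine": "aurora-postgresql",
  "storageEncrypted": true, "manageMasterUserPassword": true,
  "serverlessv2ScalingConfiguration": {"minCapacity": 0.5, "maxCapacity": 4}}},
 {"urn": "urn:pulumi:prod::infra::aws:rds/clusterInstance:ClusterInstance::opencode-db-0",
  "type": "aws:rds/clusterInstance:ClusterInstance",
  "inputs": {"instanceClass": "db.serverless", "publiclyAccessible": true}},
 {"urn": "urn:pulumi:prod::infra::aws:ec2/securityGroup:SecurityGroup::db-sg",
  "type": "aws:ec2/securityGroup:SecurityGroup", "inputs": {"ingress":
  [{"fromPort": 5432, "toPort": 5432, "protocol": "tcp", "cidrBlocks": ["0.0.0.0/0"]}]}}
]}}""")
```

Run it against a real export with `pulumi stack export | python -c 'import json,sys; ...'` in CI so a drift toward public access or CIDR ingress fails the pipeline before `pulumi up`.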

Related