refactor: remove Cloudflare dependencies and add multi-region infrastructure

This commit consolidates infrastructure changes for AWS-native certificate
management and expands multi-region deployment capabilities.

## Infrastructure Changes

### Certificate Management
- Remove unused Cloudflare API token configuration across all regions
- Simplify cert-manager, coder-proxy, and coder-server deployments
- All regions now use AWS ACM for SSL/TLS (kubernetes_create_ssl_secret=false)

### New Infrastructure
- Add Route53 DNS configuration for us-east-2 and us-west-2
- Add AWS ACM certificate management for us-west-2
- Add VPC peering configuration for us-east-2
- Add coder-server deployment for us-west-2 region

### Module Updates
- Update Kubernetes bootstrap modules (cert-manager, coder-proxy, coder-server)
- Update infrastructure modules (EBS controller, Karpenter, LB controller, metrics-server)
- Improve EKS configurations across eu-west-2, us-east-2, and us-west-2

## Documentation
- Add INFRASTRUCTURE_BEST_PRACTICES.md
- Add MULTI_REGION_DEPLOYMENT.md
- Update ARCHITECTURE_DIAGRAM.md with current infrastructure state

## Configuration
- Update .gitignore to exclude *.log files, backend.hcl, and terraform.tfvars.example
- Prevent accidental commits of sensitive logs and backend configurations

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: Noah Boyers

.gitignore

@@ -5,16 +5,19 @@ terraform.tfstate*
 tf.plan
 tfplan
 *.tfplan
+*.log
 
 # Backend configuration (contains sensitive IDs)
 backend.tf
 backend.tfvars
 *.backend.tfvars
+backend.hcl
+*.backend.hcl
 
 # Terraform variable files (may contain sensitive IDs, ARNs, domains)
 *.tfvars
 !*.tfvars.example
-
+terraform.tfvars.example
 # Helm + Kubernetes
 infra/aws/us-east-2/apps/coder-ws/experiment/prometheus.yaml
 infra/aws/us-east-2/apps/coder-devel/build-and-push

docs/ARCHITECTURE_DIAGRAM.md

@@ -622,27 +622,44 @@ This section documents expected behaviors in the demo environment that optimize
 - No security risk (just UX delay)
 - Users who bookmark or click links use HTTPS directly
 
-**Workarounds:**
+**Why HSTS is NOT configured:**
 
-- Always share URLs as `https://coderdemo.io`
-- Bookmark uses HTTPS automatically
-- Browser remembers HTTPS after first visit
+HSTS (HTTP Strict Transport Security) headers would help eliminate the "not secure" warning by making browsers automatically use HTTPS after the first visit. However, **Coder's HSTS feature does not work when behind a reverse proxy.**
 
-**To eliminate (if needed):**
+**Investigation findings:**
+
+- Coder supports HSTS via `CODER_STRICT_TRANSPORT_SECURITY` environment variable
+- However, Coder only sends HSTS headers when it directly terminates TLS (`CODER_TLS_ENABLE=true`)
+- When behind an NLB/reverse proxy with `CODER_TLS_ENABLE=false`, Coder sees incoming HTTP traffic
+- Coder's help states: "This header should only be set if the server is accessed via HTTPS"
+- Since Coder doesn't detect it's behind an HTTPS proxy, it won't send HSTS headers
+
+**Workaround not possible without:**
 
-- Option A: Add CloudFront with HTTP→HTTPS redirect
-- Option B: Switch to ALB (loses NLB benefits)
-- Option C: Configure port 80 forwarding in Coder service
+- Switching to ALB (which can do HTTP→HTTPS redirect at load balancer level)
+- Having Coder terminate TLS directly (loses NLB benefits)
+- Waiting for Coder to add reverse-proxy awareness for HSTS feature
+- Using CloudFront in front of NLB for HTTP→HTTPS redirect
+
+**Alternative mitigation options:**
+
+- Option A: Add CloudFront with HTTP→HTTPS redirect (adds complexity and cost)
+- Option B: Switch to ALB (loses NLB benefits: lower latency, source IP preservation)
+- Option C: Configure port 80 forwarding in Coder service (complex, not standard)
+- Option D: Accept current behavior (recommended for demo environment)
 
 ### Summary of Expected Load Times
 
 | Scenario                  | Load Time       | Behavior                                           |
 | ------------------------- | --------------- | -------------------------------------------------- |
 | **First visit (HTTP)**    | 7-13 seconds    | HTTP:80 timeout (2-3s) + Aurora cold start (5-10s) |
 | **First visit (HTTPS)**   | 5-10 seconds    | Aurora cold start only                             |
-| **After warm-up**         | <100ms          | Instant, everything cached                         |
+| **Return visit (HTTP)**   | 7-13 seconds    | HTTP:80 timeout (2-3s) + Aurora cold start (5-10s) |
+| **After warm-up (HTTPS)** | <100ms          | Instant, everything cached                         |
 | **Bookmarked/HTTPS link** | <100ms or 5-10s | Instant if warm, cold start if idle                |
 
+**Note:** Always share URLs as `https://coderdemo.io` to avoid the 2-3 second HTTP:80 timeout delay.
+
 ---
 
 ## Infrastructure as Code
@@ -783,7 +800,11 @@ modules/
 
 ## Changelog
 
-- **2025-11-26**: Updated to reflect Aurora Serverless v2 configuration; added "Known Behaviors" section documenting cold start and HTTP redirect behavior for demo environment
+- **2025-11-26**:
+  - Updated to reflect Aurora Serverless v2 configuration
+  - Added "Known Behaviors" section documenting cold start and HTTP redirect behavior
+  - Investigated and documented why HSTS cannot be configured when Coder is behind reverse proxy
+  - Documented alternative mitigation options for HTTP→HTTPS redirect delay
 - **2025-11-25**: Initial architecture diagram created
 
 ---