Define Cloud Infrastructure with Pulumi Using Best Practices
Generate a well-structured Pulumi infrastructure-as-code program with networking, compute, database, and security best practices.
The Prompt
Write a Pulumi program in [LANGUAGE] (TypeScript, Python, Go, or C#) to provision the following cloud infrastructure on [CLOUD_PROVIDER] for a [APPLICATION_DESCRIPTION]:
**Resources to create:**
- [RESOURCE_LIST] (e.g., VPC with public/private subnets, ECS Fargate service, RDS PostgreSQL instance, S3 bucket, CloudFront distribution)
**Architecture Requirements:**
1. **Networking**: Create a VPC with [NUMBER_OF_AZS] availability zones, public subnets for load balancers, private subnets for compute and databases. Include NAT Gateway for outbound internet from private subnets.
2. **Compute**: Deploy [COMPUTE_TYPE] (e.g., ECS Fargate, Lambda, EKS, GKE) running [CONTAINER_IMAGE_OR_RUNTIME] with auto-scaling configured for min [MIN_INSTANCES] to max [MAX_INSTANCES] based on [SCALING_METRIC].
3. **Data**: Provision [DATABASE_TYPE] with [INSTANCE_SIZE], automated backups with [RETENTION_DAYS]-day retention, encryption at rest, and placement in private subnets only.
4. **Security**:
   - Least-privilege IAM roles/policies for each service
   - Security groups restricting traffic to only necessary ports
   - Secrets stored in [SECRETS_MANAGER] and referenced dynamically
   - Enable encryption in transit and at rest for all applicable resources
**Pulumi Best Practices:**
- Organize resources using `ComponentResource` classes for logical grouping
- Use `pulumi.Config` for environment-specific values (instance sizes, counts)
- Export critical outputs (endpoints, ARNs, connection strings) via `pulumi.export`
- Apply consistent tagging: `project`, `environment`, `managed-by: pulumi`
- Use `dependsOn` only when implicit dependencies are insufficient
- Include a `Pulumi.dev.yaml` stack config example
Structure the code in separate files: `index.[ext]` for orchestration, `networking.[ext]`, `compute.[ext]`, and `database.[ext]` for resource modules. Add docstrings explaining architectural decisions.
Tips for Better Results
Specify exact resource sizes and counts in placeholders to get cost-appropriate infrastructure. Always define your target environment (dev/staging/prod) since resource configurations differ significantly. Test the generated code with `pulumi preview` before applying to catch dependency or permission issues early.
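One way to check a generated program against the prompt's security and tagging requirements before applying it, as an added example that is not part of the original page: the script audits the plan produced by `pulumi preview --json`. The `steps[].newState.inputs` layout it reads, the constructed sample plan, and the choice of 80/443 as the only internet-facing ports are assumptions of this example.

```python
# Assumptions (example only): tag names come from the prompt; 80/443 are the only public ports.
REQUIRED_TAGS = {"project", "environment", "managed-by"}
PUBLIC_PORTS = {80, 443}
WORLD = {"0.0.0.0/0", "::/0"}
SG, RDS = "aws:ec2/securityGroup:SecurityGroup", "aws:rds/instance:Instance"

def audit_preview(preview, min_retention_days=7):
    """Return findings for resources the preview would create, update or replace."""
    findings = []
    for step in preview.get("steps", []):
        state = step.get("newState") or {}
        rtype, props = state.get("type", ""), state.get("inputs") or {}
        if step.get("op") not in ("create", "update", "replace") or rtype not in (SG, RDS):
            continue
        name = step.get("urn", "").split("::")[-1]
        missing = REQUIRED_TAGS - set(props.get("tags") or {})
        if missing:
            findings.append(f"{name}: missing tags {sorted(missing)}")
        for rule in props.get("ingress") or []:  # only security groups carry ingress rules
            cidrs = set(rule.get("cidrBlocks") or []) | set(rule.get("ipv6CidrBlocks") or [])
            ports = range(rule.get("fromPort", 0), rule.get("toPort", 0) + 1)
            all_traffic = rule.get("protocol") == "-1"  # "-1" means every protocol and port
            if cidrs & WORLD and (all_traffic or any(p not in PUBLIC_PORTS for p in ports)):
                findings.append(f"{name}: ports {ports.start}-{ports.stop - 1} open to the internet")
        if rtype == RDS:
            if not props.get("storageEncrypted"):
                findings.append(f"{name}: storage is not encrypted at rest")
            if props.get("publiclyAccessible"):
                findings.append(f"{name}: database is publicly accessible")
            if props.get("backupRetentionPeriod", 0) < min_retention_days:
                findings.append(f"{name}: backup retention under {min_retention_days} days")
    return findings

# Constructed sample in the assumed shape of `pulumi preview --json` output (not a real stack).
TAGS = {"project": "app", "environment": "dev", "managed-by": "pulumi"}
SAMPLE = {"steps": [
    {"op": "create", "urn": f"urn:pulumi:dev::app::{SG}::alb-sg",
     "newState": {"type": SG, "inputs": {"tags": TAGS, "ingress": [
         {"protocol": "tcp", "fromPort": 443, "toPort": 443, "cidrBlocks": ["0.0.0.0/0"]}]}}},
    {"op": "create", "urn": f"urn:pulumi:dev::app::{SG}::db-sg",
     "newState": {"type": SG, "inputs": {"tags": TAGS, "ingress": [
         {"protocol": "tcp", "fromPort": 5432, "toPort": 5432, "cidrBlocks": ["0.0.0.0/0"]}]}}},
    {"op": "create", "urn": f"urn:pulumi:dev::app::{RDS}::db",
     "newState": {"type": RDS, "inputs": {"tags": {"project": "app"}, "storageEncrypted": False,
                                          "publiclyAccessible": True, "backupRetentionPeriod": 1}}}]}

if __name__ == "__main__":
    print("\n".join(audit_preview(SAMPLE)))
```

Against a real stack, load the output of `pulumi preview --json` with `json.load` and pass the resulting dict to `audit_preview`; a non-empty result can fail the CI job before anything is applied.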
Use Cases
Cloud engineers and platform teams provisioning repeatable, version-controlled infrastructure for new services or migrating existing manually created resources to infrastructure as code.