Draft
20 changes: 3 additions & 17 deletions .config/.terraform-docs.yml
@@ -1,25 +1,11 @@
formatter: markdown table
sections:
show:
- header
- inputs
- providers
- modules
- resources
- footer
sort:
enabled: true
by: required
output:
file: README.md
mode: inject
template: |-
<!-- BEGIN_TF_DOCS -->
{{ .Content }}
<!-- END_TF_DOCS -->
sort:
enabled: true
by: required
settings:
indent: 4
escape: false
default: false
required: false
type: true
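
Review bot: the `sort:` block (`enabled: true`, `by: required`) appears both after `sections` and after `output` in this hunk; make sure the 11-line file that results has exactly one top-level `sort` key, because duplicate keys in YAML are resolved differently by different parsers. If the `output` block (`file: README.md`, `mode: inject`, and the `BEGIN_TF_DOCS`/`END_TF_DOCS` template) is among the 17 deleted lines, add a short comment in this file saying that injection is now driven by the pre-commit hook, so that someone running terraform-docs by hand with this config knows why nothing is written to README.md.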
2 changes: 1 addition & 1 deletion .github/workflows/pre-commit.yaml
Expand Up @@ -68,7 +68,7 @@ jobs:

{
echo "#!/usr/bin/bash"
echo "docker run --rm quay.io/terraform-docs/terraform-docs:0.20.0 \"\$@\""
echo "docker run --rm -v \$GITHUB_WORKSPACE:\$GITHUB_WORKSPACE -w \$GITHUB_WORKSPACE quay.io/terraform-docs/terraform-docs:0.20.0 \"\$@\""
} >> $RUNNER_TEMP/docker-aliases/terraform-docs
chmod +x $RUNNER_TEMP/docker-aliases/terraform-docs

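Review bot: in the new `docker run` line the `-v \$GITHUB_WORKSPACE:\$GITHUB_WORKSPACE -w \$GITHUB_WORKSPACE` arguments are left unquoted in the generated wrapper while `\"\$@\"` is quoted, so a workspace path containing spaces or glob characters would be split when the wrapper runs; write them as `\"\$GITHUB_WORKSPACE\"`. The container now gets a read-write mount of the whole checkout, so consider pinning `quay.io/terraform-docs/terraform-docs:0.20.0` by digest rather than by tag alone, and quote `$RUNNER_TEMP` in the redirect and `chmod` lines in the same pass.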
17 changes: 14 additions & 3 deletions .pre-commit-config.yaml
Expand Up @@ -17,14 +17,25 @@ repos:
rev: "3.2.457"
hooks:
- id: checkov
args: ["--config-file", ".config/.checkov.yml"]
args: ["--config-file", ".config/.checkov.yml", "--quiet"]
env:
LOG_LEVEL: ERROR
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: "v1.99.5"
hooks:
- id: terraform_docs
args:
- --hook-config=--add-to-existing-file=true
- --hook-config=--create-file-if-not-exist=false
# Uses antonbabenko/pre-commit-terraform (supports monorepo with multiple modules)
# --hook-config: antonbabenko wrapper settings for file handling
- --hook-config=--add-to-existing-file=true # Update existing README.md files (requires BOTH <!-- BEGIN_TF_DOCS --> and <!-- END_TF_DOCS --> markers)
- --hook-config=--create-file-if-not-exist=false # Don't create new README.md files
# --args: terraform-docs binary arguments
- --args=--config=.config/.terraform-docs.yml # Use our terraform-docs config file
- --args=--lockfile=false # Ignore .terraform.lock.hcl, use versions.tf instead (fixes version mismatches)
- id: terraform_validate
args:
- --tf-init-args=-upgrade # Always upgrade to match versions.tf (source of truth)
- --hook-config=--retry-once-with-cleanup=true # If validation fails, delete corrupted .terraform dirs and retry
- --args=-no-color # Cleaner output
- id: terraform_fmt
- id: terraform_tflint
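
Review bot: `--tf-init-args=-upgrade` on `terraform_validate`, together with `--args=--lockfile=false` on `terraform_docs`, means neither hook consults `.terraform.lock.hcl` any more: `terraform init -upgrade` picks the newest provider that satisfies `versions.tf` and ignores the versions recorded in the lock file, so the hooks validate and document against whatever is latest on the day they run. If that is intended, say so in the PR description and note how provider versions are pinned for real deployments; otherwise drop `-upgrade` and keep the lock files as the source of truth. Separately, please confirm that pre-commit passes the `env:` key under the `checkov` hook through to the process; if it is not a supported hook key, `LOG_LEVEL: ERROR` has no effect and only `--quiet` applies.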
8 changes: 4 additions & 4 deletions modules/jenkins/README.md
Expand Up @@ -96,10 +96,13 @@ No modules.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_build_farm_subnets"></a> [build\_farm\_subnets](#input\_build\_farm\_subnets) | The subnets to deploy the build farms into. | `list(string)` | n/a | yes |
| <a name="input_jenkins_alb_subnets"></a> [jenkins\_alb\_subnets](#input\_jenkins\_alb\_subnets) | A list of subnet ids to deploy the Jenkins load balancer into. Public subnets are recommended. | `list(string)` | n/a | yes |
| <a name="input_jenkins_service_subnets"></a> [jenkins\_service\_subnets](#input\_jenkins\_service\_subnets) | A list of subnets to deploy the Jenkins service into. Private subnets are recommended. | `list(string)` | n/a | yes |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the existing VPC you would like to deploy the Jenkins service and build farms into. | `string` | n/a | yes |
| <a name="input_artifact_buckets"></a> [artifact\_buckets](#input\_artifact\_buckets) | List of Amazon S3 buckets you wish to create to store build farm artifacts. | <pre>map(<br> object({<br> name = string<br> enable_force_destroy = optional(bool, true)<br> enable_versioning = optional(bool, true)<br> tags = optional(map(string), {})<br> })<br> )</pre> | `null` | no |
| <a name="input_build_farm_compute"></a> [build\_farm\_compute](#input\_build\_farm\_compute) | Each object in this map corresponds to an ASG used by Jenkins as build agents. | <pre>map(object(<br> {<br> ami = string<br> #TODO: Support mixed instances / spot with custom policies<br> instance_type = string<br> ebs_optimized = optional(bool, true)<br> enable_monitoring = optional(bool, true)<br> }<br> ))</pre> | `{}` | no |
| <a name="input_build_farm_fsx_openzfs_storage"></a> [build\_farm\_fsx\_openzfs\_storage](#input\_build\_farm\_fsx\_openzfs\_storage) | Each object in this map corresponds to an FSx OpenZFS file system used by the Jenkins build agents. | <pre>map(object(<br> {<br> storage_capacity = number<br> throughput_capacity = number<br> storage_type = optional(string, "SSD") # "SSD", "HDD"<br> deployment_type = optional(string, "SINGLE_AZ_1")<br> route_table_ids = optional(list(string), null)<br> tags = optional(map(string), null)<br> }<br> ))</pre> | `{}` | no |
| <a name="input_build_farm_subnets"></a> [build\_farm\_subnets](#input\_build\_farm\_subnets) | The subnets to deploy the build farms into. | `list(string)` | n/a | yes |
| <a name="input_certificate_arn"></a> [certificate\_arn](#input\_certificate\_arn) | The TLS certificate ARN for the Jenkins service load balancer. | `string` | `null` | no |
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The ARN of the cluster to deploy the Jenkins service into. Defaults to null and a cluster will be created. | `string` | `null` | no |
| <a name="input_container_cpu"></a> [container\_cpu](#input\_container\_cpu) | The CPU allotment for the Jenkins container. | `number` | `1024` | no |
Expand All @@ -122,16 +125,13 @@ No modules.
| <a name="input_jenkins_agent_secret_arns"></a> [jenkins\_agent\_secret\_arns](#input\_jenkins\_agent\_secret\_arns) | A list of secretmanager ARNs (wildcards allowed) that contain any secrets which need to be accessed by the Jenkins service. | `list(string)` | `null` | no |
| <a name="input_jenkins_alb_access_logs_bucket"></a> [jenkins\_alb\_access\_logs\_bucket](#input\_jenkins\_alb\_access\_logs\_bucket) | ID of the S3 bucket for Jenkins ALB access log storage. If access logging is enabled and this is null the module creates a bucket. | `string` | `null` | no |
| <a name="input_jenkins_alb_access_logs_prefix"></a> [jenkins\_alb\_access\_logs\_prefix](#input\_jenkins\_alb\_access\_logs\_prefix) | Log prefix for Jenkins ALB access logs. If null the project prefix and module name are used. | `string` | `null` | no |
| <a name="input_jenkins_alb_subnets"></a> [jenkins\_alb\_subnets](#input\_jenkins\_alb\_subnets) | A list of subnet ids to deploy the Jenkins load balancer into. Public subnets are recommended. | `list(string)` | n/a | yes |
| <a name="input_jenkins_cloudwatch_log_retention_in_days"></a> [jenkins\_cloudwatch\_log\_retention\_in\_days](#input\_jenkins\_cloudwatch\_log\_retention\_in\_days) | The log retention in days of the cloudwatch log group for Jenkins. | `string` | `365` | no |
| <a name="input_jenkins_efs_performance_mode"></a> [jenkins\_efs\_performance\_mode](#input\_jenkins\_efs\_performance\_mode) | The performance mode of the EFS file system used by the Jenkins service. Defaults to general purpose. | `string` | `"generalPurpose"` | no |
| <a name="input_jenkins_efs_throughput_mode"></a> [jenkins\_efs\_throughput\_mode](#input\_jenkins\_efs\_throughput\_mode) | The throughput mode of the EFS file system used by the Jenkins service. Defaults to bursting. | `string` | `"bursting"` | no |
| <a name="input_jenkins_service_desired_container_count"></a> [jenkins\_service\_desired\_container\_count](#input\_jenkins\_service\_desired\_container\_count) | The desired number of containers running the Jenkins service. | `number` | `1` | no |
| <a name="input_jenkins_service_subnets"></a> [jenkins\_service\_subnets](#input\_jenkins\_service\_subnets) | A list of subnets to deploy the Jenkins service into. Private subnets are recommended. | `list(string)` | n/a | yes |
| <a name="input_name"></a> [name](#input\_name) | The name attached to Jenkins module resources. | `string` | `"jenkins"` | no |
| <a name="input_project_prefix"></a> [project\_prefix](#input\_project\_prefix) | The project prefix for this workload. This is appeneded to the beginning of most resource names. | `string` | `"cgd"` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to resources. | `map(any)` | <pre>{<br> "iac-management": "CGD-Toolkit",<br> "iac-module": "Jenkins",<br> "iac-provider": "Terraform"<br>}</pre> | no |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the existing VPC you would like to deploy the Jenkins service and build farms into. | `string` | n/a | yes |

## Outputs

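Review bot: the `project_prefix` row still reads "This is appeneded to the beginning of most resource names", where the p4-auth README has "appended". This table is generated, so fix the typo in the variable's description in the Jenkins module and regenerate rather than editing the README. The `jenkins_cloudwatch_log_retention_in_days` row also shows type `string` with default `365`, which is worth checking against the intended `number` type while the docs are being regenerated.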
4 changes: 3 additions & 1 deletion modules/perforce/README.md
Expand Up @@ -176,7 +176,9 @@ packer build perforce_x86.pkr.hcl
| [aws_lb_listener.perforce_web_services](https://registry.terraform.io/providers/hashicorp/aws/6.6.0/docs/resources/lb_listener) | resource |
| [aws_lb_listener.perforce_web_services_http_listener](https://registry.terraform.io/providers/hashicorp/aws/6.6.0/docs/resources/lb_listener) | resource |
| [aws_lb_listener_rule.p4_code_review](https://registry.terraform.io/providers/hashicorp/aws/6.6.0/docs/resources/lb_listener_rule) | resource |
| [aws_lb_listener_rule.p4_code_review_http](https://registry.terraform.io/providers/hashicorp/aws/6.6.0/docs/resources/lb_listener_rule) | resource |
| [aws_lb_listener_rule.perforce_p4_auth](https://registry.terraform.io/providers/hashicorp/aws/6.6.0/docs/resources/lb_listener_rule) | resource |
| [aws_lb_listener_rule.perforce_p4_auth_http](https://registry.terraform.io/providers/hashicorp/aws/6.6.0/docs/resources/lb_listener_rule) | resource |
| [aws_lb_target_group.perforce](https://registry.terraform.io/providers/hashicorp/aws/6.6.0/docs/resources/lb_target_group) | resource |
| [aws_lb_target_group_attachment.perforce](https://registry.terraform.io/providers/hashicorp/aws/6.6.0/docs/resources/lb_target_group_attachment) | resource |
| [aws_route53_record.internal_p4_server](https://registry.terraform.io/providers/hashicorp/aws/6.6.0/docs/resources/route53_record) | resource |
Expand Down Expand Up @@ -205,6 +207,7 @@ packer build perforce_x86.pkr.hcl

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The VPC ID where the Perforce resources will be deployed. | `string` | n/a | yes |
| <a name="input_certificate_arn"></a> [certificate\_arn](#input\_certificate\_arn) | The ARN of the ACM certificate to be used with the HTTPS listener for the NLB. | `string` | `null` | no |
| <a name="input_create_default_sgs"></a> [create\_default\_sgs](#input\_create\_default\_sgs) | Whether to create default security groups for the Perforce resources. | `bool` | `true` | no |
| <a name="input_create_route53_private_hosted_zone"></a> [create\_route53\_private\_hosted\_zone](#input\_create\_route53\_private\_hosted\_zone) | Whether to create a private Route53 Hosted Zone for the Perforce resources. This private hosted zone is used for internal communication between the P4 Server, P4 Auth Service, and P4 Code Review Service. | `bool` | `true` | no |
Expand All @@ -229,7 +232,6 @@ packer build perforce_x86.pkr.hcl
| <a name="input_shared_nlb_access_logs_prefix"></a> [shared\_nlb\_access\_logs\_prefix](#input\_shared\_nlb\_access\_logs\_prefix) | Log prefix for shared NLB access logs. | `string` | `"perforce-nlb-"` | no |
| <a name="input_shared_nlb_subnets"></a> [shared\_nlb\_subnets](#input\_shared\_nlb\_subnets) | A list of subnets to attach to the shared network load balancer. | `list(string)` | `null` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to resources. | `map(any)` | <pre>{<br> "IaC": "Terraform",<br> "ModuleBy": "CGD-Toolkit",<br> "ModuleName": "terraform-aws-perforce",<br> "ModuleSource": "https://github.com/aws-games/cloud-game-development-toolkit/tree/main/modules/perforce/terraform-aws-perforce",<br> "RootModuleName": "-"<br>}</pre> | no |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The VPC ID where the Perforce resources will be deployed. | `string` | n/a | yes |

## Outputs

10 changes: 5 additions & 5 deletions modules/perforce/modules/p4-auth/README.md
Expand Up @@ -80,9 +80,9 @@ curl -X POST -H 'Authorization: Bearer <base64-encoded bearer token>' \

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.97.0 |
| <a name="provider_awscc"></a> [awscc](#provider\_awscc) | 1.34.0 |
| <a name="provider_random"></a> [random](#provider\_random) | 3.7.1 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.6.0 |
| <a name="provider_awscc"></a> [awscc](#provider\_awscc) | 1.50.0 |
| <a name="provider_random"></a> [random](#provider\_random) | 3.7.2 |

## Modules

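Review bot: the Providers table moves `aws` from 5.97.0 to 6.6.0, a major version, and `awscc` from 1.34.0 to 1.50.0, in a PR that otherwise only changes documentation tooling. Note in the PR description that these numbers now come from the `versions.tf` constraints (the effect of `--args=--lockfile=false`) rather than from a provider upgrade made here, and confirm the p4-auth module has been planned against aws 6.x so the README does not advertise a version the module was never run with.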
Expand Down Expand Up @@ -136,6 +136,8 @@ No modules.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_subnets"></a> [subnets](#input\_subnets) | A list of subnets to deploy the P4Auth ECS Service into. Private subnets are recommended. | `list(string)` | n/a | yes |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the existing VPC you would like to deploy P4Auth into. | `string` | n/a | yes |
| <a name="input_admin_password_secret_arn"></a> [admin\_password\_secret\_arn](#input\_admin\_password\_secret\_arn) | Optionally provide the ARN of an AWS Secret for the P4Auth Administrator password. | `string` | `null` | no |
| <a name="input_admin_username_secret_arn"></a> [admin\_username\_secret\_arn](#input\_admin\_username\_secret\_arn) | Optionally provide the ARN of an AWS Secret for the P4Auth Administrator username. | `string` | `null` | no |
| <a name="input_alb_access_logs_bucket"></a> [alb\_access\_logs\_bucket](#input\_alb\_access\_logs\_bucket) | ID of the S3 bucket for P4Auth ALB access log storage. If access logging is enabled and this is null the module creates a bucket. | `string` | `null` | no |
Expand Down Expand Up @@ -168,9 +170,7 @@ No modules.
| <a name="input_project_prefix"></a> [project\_prefix](#input\_project\_prefix) | The project prefix for this workload. This is appended to the beginning of most resource names. | `string` | `"cgd"` | no |
| <a name="input_s3_enable_force_destroy"></a> [s3\_enable\_force\_destroy](#input\_s3\_enable\_force\_destroy) | Enables force destroy for the S3 bucket for P4Auth access log storage. Defaults to true. | `bool` | `true` | no |
| <a name="input_scim_bearer_token_arn"></a> [scim\_bearer\_token\_arn](#input\_scim\_bearer\_token\_arn) | If you would like to use SCIM to provision users and groups, you need to set this variable to the ARN of an AWS Secrets Manager secret containing the bearer token. | `string` | `null` | no |
| <a name="input_subnets"></a> [subnets](#input\_subnets) | A list of subnets to deploy the P4Auth ECS Service into. Private subnets are recommended. | `list(string)` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to resources. | `map(any)` | <pre>{<br> "IaC": "Terraform",<br> "ModuleBy": "CGD-Toolkit",<br> "ModuleName": "p4-auth",<br> "ModuleSource": "https://github.com/aws-games/cloud-game-development-toolkit/tree/main/modules/perforce/terraform-aws-perforce",<br> "RootModuleName": "terraform-aws-perforce"<br>}</pre> | no |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the existing VPC you would like to deploy P4Auth into. | `string` | n/a | yes |

## Outputs
