diff --git a/terraform/modules/cicd_integration/README.md b/terraform/modules/cicd_integration/README.md
index bb8394d..2b430fc 100644
--- a/terraform/modules/cicd_integration/README.md
+++ b/terraform/modules/cicd_integration/README.md
@@ -1,4 +1,12 @@ +# cicd-integration + +This module sets up permissions for GitHub actions to perform actions within +AWS, without the use of an IAM access key. With this module set up on a project, + +Once this module is set up in a project, jobs can use the `aws-actions/configure-aws-credentials` +step with `role-to-assume` as `arn:aws:iam::035866691871:role/incubator-cicd-(project name)` + ## Requirements No requirements.
@@ -19,18 +27,17 @@ No modules. |------|------| | [aws_iam_role.builder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [project\_name](#input\_project\_name) | n/a | `string` | n/a | yes | -| [repository\_name](#input\_repository\_name) | n/a | `string` | n/a | yes | +| [project\_name](#input\_project\_name) | HfLA project name (vrms, home-unite-us, etc) | `string` | n/a | yes | +| [repository\_name](#input\_repository\_name) | GitHub repository name, without any organizations or prefix - for example, `HomeUniteUs` | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| -| [role\_name](#output\_role\_name) | n/a | +| [role\_name](#output\_role\_name) | IAM role name that will be assumed by GitHub actions when running |
\ No newline at end of file
diff --git a/terraform/modules/cicd_integration/main.tf b/terraform/modules/cicd_integration/main.tf
index 9acade6..e003c77 100644
--- a/terraform/modules/cicd_integration/main.tf
+++ b/terraform/modules/cicd_integration/main.tf
@@ -1,3 +1,14 @@ +/** + * # cicd-integration + * + * This module sets up permissions for GitHub actions to perform actions within + * AWS, without the use of an IAM access key. With this module set up on a project, + * + * Once this module is set up in a project, jobs can use the `aws-actions/configure-aws-credentials` + * step with `role-to-assume` as `arn:aws:iam::035866691871:role/incubator-cicd-(project name)` + */ + +// terraform-docs-ignore data "aws_caller_identity" "current" {} resource "aws_iam_role" "builder" {
diff --git a/terraform/modules/cicd_integration/variables.tf b/terraform/modules/cicd_integration/variables.tf
index ee9a508..c3274b4 100644
--- a/terraform/modules/cicd_integration/variables.tf
+++ b/terraform/modules/cicd_integration/variables.tf
@@ -1,11 +1,14 @@ variable "project_name" { type = string + description = "HfLA project name (vrms, home-unite-us, etc)" } variable "repository_name" { type = string + description = "GitHub repository name, without any organizations or prefix - for example, `HomeUniteUs`" } output "role_name" { value = aws_iam_role.builder.name + description = "IAM role name that will be assumed by GitHub actions when running" }
\ No newline at end of file
diff --git a/terraform/modules/container/README.md b/terraform/modules/container/README.md
index f5ab0df..ecbca09 100644
--- a/terraform/modules/container/README.md
+++ b/terraform/modules/container/README.md
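Review bot: The new header comment in main.tf leaves `* AWS, without the use of an IAM access key. With this module set up on a project,` as an unfinished sentence, and the README hunk above carries the same fragment verbatim, so this comment is presumably what terraform-docs renders into the README and is the place to fix it; ending the line at `* AWS, without the use of an IAM access key.` and keeping the `Once this module is set up in a project, ...` sentence that follows reads cleanly. The same comment pins a literal account id in the `role-to-assume` ARN while the hunk keeps `data "aws_caller_identity" "current"` right below it; if that data source is what the role ARN is actually built from, say so in the comment and write the example as `arn:aws:iam::<account id>:role/incubator-cicd-<project name>` so a copy of this module into another account does not inherit a stale number. The `resource "aws_iam_role" "builder"` block that closes the hunk continues outside it.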
@@ -35,7 +35,7 @@ No modules. |------|-------------|------|---------|:--------:| | [additional\_host\_urls](#input\_additional\_host\_urls) | n/a | `list(string)` | `[]` | no | | [application\_type](#input\_application\_type) | defines what type of application is running, fullstack, client, backend, etc. will be used for cloudwatch logs | `string` | n/a | yes | -| [container\_cpu](#input\_container\_cpu) | n/a | `number` | `512` | no | +| [container\_cpu](#input\_container\_cpu) | n/a | `number` | `256` | no | | [container\_environment](#input\_container\_environment) | n/a |
list(object({
name = string
value = string
}))
| n/a | yes | | [container\_environment\_secrets](#input\_container\_environment\_secrets) | n/a |
list(object({
name = string
valueFrom = string
}))
| `[]` | no | | [container\_image](#input\_container\_image) | n/a | `string` | n/a | yes |
@@ -44,6 +44,7 @@ No modules. | [environment](#input\_environment) | n/a | `string` | n/a | yes | | [health\_check\_path](#input\_health\_check\_path) | n/a | `string` | `"/"` | no | | [hostname](#input\_hostname) | n/a | `string` | n/a | yes | +| [launch\_type](#input\_launch\_type) | n/a | `string` | `"fargate"` | no | | [listener\_priority](#input\_listener\_priority) | n/a | `number` | n/a | yes | | [path](#input\_path) | n/a | `string` | `null` | no | | [project\_name](#input\_project\_name) | The overall name of the project using this infrastructure; used to group related resources by | `any` | n/a | yes |
diff --git a/terraform/modules/database/.terraform.docs.yml b/terraform/modules/database/.terraform.docs.yml
deleted file mode 100644
index b26f42a..0000000
--- a/terraform/modules/database/.terraform.docs.yml
+++ /dev/null
@@ -1,60 +0,0 @@ -formatter: "markdown table" # this is required -version: "" - -header-from: main.tf -footer-from: "" - -recursive: - enabled: false - path: modules - -sections: - hide: [] - show: [] - -content: |- - # Database - - Add description. - - {{ .Header }} - {{ .Modules }} - {{ .Resources }} - {{ .Inputs }} - {{ .Outputs }} - {{ .Providers }} - {{ .Requirements }} - {{ .Footer }} - To automatically update this documentation, install terraform-docs on your local machine run the following: - cd - terraform-docs -c .terraform.docs.yml . -output: - file: README.md - mode: replace - template: |- - - {{ .Content }} - - -output-values: - enabled: false - from: "" - -sort: - enabled: true - by: name - -settings: - anchor: true - color: true - default: true - description: false - escape: true - hide-empty: true - html: true - indent: 2 - lockfile: true - read-comments: true - required: true - sensitive: true - type: true
diff --git a/terraform/modules/database/README.md b/terraform/modules/database/README.md
index c60eeda..e1a75d0 100644
--- a/terraform/modules/database/README.md
+++ b/terraform/modules/database/README.md
@@ -1,4 +1,19 @@ +# database + +Creates a database on a shared RDS posgresql instance. The name of the +created database has the format `project-name_application-type_environment`. +For example, for the production backend database of vrms, the created +database name will be `vrms_backend_production`. + +This module also creates three posgresql users: +1. viewer - read (SELECT) access +1. user - read/write (SELECT, INSERT, UPDATE, DELETE) access +1. owner - admin access (databse owner) + +The credentials get stored as secrets (SSM parameters). The ARNs of those +parameters are output variables, listed below + ## Requirements | Name | Version |
@@ -9,7 +24,6 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | | [postgresql](#provider\_postgresql) | 1.25.0 | ## Modules
@@ -33,30 +47,29 @@ | [postgresql_role.db_owner](https://registry.terraform.io/providers/cyrilgdn/postgresql/1.25.0/docs/resources/role) | resource | | [postgresql_role.db_user](https://registry.terraform.io/providers/cyrilgdn/postgresql/1.25.0/docs/resources/role) | resource | | [postgresql_role.db_viewer](https://registry.terraform.io/providers/cyrilgdn/postgresql/1.25.0/docs/resources/role) | resource | -| [aws_db_instance.shared](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/db_instance) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [application\_type](#input\_application\_type) | n/a | `string` | n/a | yes | -| [environment](#input\_environment) | n/a | `string` | n/a | yes | -| [project\_name](#input\_project\_name) | n/a | `string` | n/a | yes | +| [application\_type](#input\_application\_type) | frontend, backend, or fullstack | `string` | n/a | yes | +| [environment](#input\_environment) | what environment this is for - staging, production, etc | `string` | n/a | yes | +| [project\_name](#input\_project\_name) | HfLA project name (vrms, home-unite-us, etc) | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| -| [database](#output\_database) | n/a | -| [host](#output\_host) | n/a | -| [owner\_password](#output\_owner\_password) | n/a | -| [owner\_password\_arn](#output\_owner\_password\_arn) | n/a | -| [owner\_username](#output\_owner\_username) | n/a | -| [port](#output\_port) | n/a | -| [user\_password](#output\_user\_password) | n/a | -| [user\_password\_arn](#output\_user\_password\_arn) | n/a | -| [user\_username](#output\_user\_username) | n/a | -| [viewer\_password](#output\_viewer\_password) | n/a | -| [viewer\_password\_arn](#output\_viewer\_password\_arn) | n/a | -| [viewer\_username](#output\_viewer\_username) | n/a | +| [database](#output\_database) | name of created postgresql database | +| 
[host](#output\_host) | hostname URL of RDS postgresql database | +| [owner\_password](#output\_owner\_password) | 'owner' user password credential | +| [owner\_password\_arn](#output\_owner\_password\_arn) | SSM parameter ARN of password for 'owner' user | +| [owner\_username](#output\_owner\_username) | login username of 'owner' user | +| [port](#output\_port) | running port of RDS postgresql database | +| [user\_password](#output\_user\_password) | 'user' user password credential | +| [user\_password\_arn](#output\_user\_password\_arn) | SSM parameter ARN of password for 'user' user | +| [user\_username](#output\_user\_username) | login username of 'user' user | +| [viewer\_password](#output\_viewer\_password) | 'viewer' user password credential | +| [viewer\_password\_arn](#output\_viewer\_password\_arn) | SSM parameter ARN of password for 'viewer' user | +| [viewer\_username](#output\_viewer\_username) | login username of 'viewer' user |
\ No newline at end of file
diff --git a/terraform/modules/database/main.tf b/terraform/modules/database/main.tf
index 7d03996..7412fcd 100644
--- a/terraform/modules/database/main.tf
+++ b/terraform/modules/database/main.tf
@@ -1,13 +1,26 @@ - - +/** + * # database + * + * Creates a database on a shared RDS posgresql instance. The name of the + * created database has the format `project-name_application-type_environment`. + * For example, for the production backend database of vrms, the created + * database name will be `vrms_backend_production`. + * + * This module also creates three posgresql users: + * 1. viewer - read (SELECT) access + * 1. user - read/write (SELECT, INSERT, UPDATE, DELETE) access + * 1. owner - admin access (databse owner) + * + * The credentials get stored as secrets (SSM parameters). The ARNs of those + * parameters are output variables, listed below + */ + +// terraform-docs-ignore data "aws_db_instance" "shared" { db_instance_identifier = "incubator-prod-database" } -# "rds_dbowner_password" -# "rds_dbuser_password" -# "rds_dbviewer_password" /*
@@ -65,11 +78,11 @@ resource "postgresql_role" "db_viewer" { password = module.db_viewer_password.value } + /* * Usernames stored as secrets */ - module "db_owner_username" { source = "../secret" application_type = var.application_type
@@ -99,9 +112,11 @@ module "db_viewer_username" { name = "db-viewer-username" } + /* * Postgres Grants - apply permissions to generated roles */ + resource "postgresql_grant" "user" { database = postgresql_database.db.name role = postgresql_role.db_user.name
@@ -119,7 +134,6 @@ resource "postgresql_grant" "viewer" { } - /* * Postgres DB, using generated owner */
diff --git a/terraform/modules/database/variables.tf b/terraform/modules/database/variables.tf
index 4e12202..c7bc206 100644
--- a/terraform/modules/database/variables.tf
+++ b/terraform/modules/database/variables.tf
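Review bot: The header comment added at the top of database/main.tf misspells `posgresql` twice and `databse` once (`* Creates a database on a shared RDS posgresql instance.`, `* This module also creates three posgresql users:`, `* 1. owner - admin access (databse owner)`), and the README hunk in this commit reproduces the same text, which suggests the README is rendered from this comment, so correcting it here fixes both. The comment says the credentials are stored as SSM parameters; the `module "db_owner_username"` call visible in the next hunk points at `../secret`, so one sentence naming that module as where the parameters are created would tell a reader where to look. The `/*` comment that ends the first hunk continues outside it.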
@@ -1,13 +1,16 @@ variable "project_name" { type = string + description = "HfLA project name (vrms, home-unite-us, etc)" } variable "application_type" { type = string + description = "frontend, backend, or fullstack" } variable "environment" { type = string + description = "what environment this is for - staging, production, etc" }
@@ -15,51 +18,63 @@ variable "environment" { output "host" { value = data.aws_db_instance.shared.address + description = "hostname URL of RDS postgresql database" } output "port" { value = 5432 + description = "running port of RDS postgresql database" } output "database" { value = postgresql_database.db.name + description = "name of created postgresql database" } output "owner_username" { value = postgresql_role.db_owner.name + description = "login username of 'owner' user" } output "user_username" { value = postgresql_role.db_owner.name + description = "login username of 'user' user" } output "viewer_username" { value = postgresql_role.db_owner.name + description = "login username of 'viewer' user" } output "owner_password_arn" { value = module.db_owner_password.arn + description = "SSM parameter ARN of password for 'owner' user" } output "user_password_arn" { value = module.db_user_password.arn + description = "SSM parameter ARN of password for 'user' user" } output "viewer_password_arn" { value = module.db_viewer_password.arn + description = "SSM parameter ARN of password for 'viewer' user" } output "owner_password" { value = module.db_owner_password.value sensitive = true + description = "'owner' user password credential" } output "user_password" { value = module.db_user_password.value sensitive = true + description = "'user' user password credential" } output "viewer_password" { value = module.db_viewer_password.value sensitive = true + description = "'viewer' user password credential" }
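Review bot: `output "user_username"` and `output "viewer_username"` both read `postgresql_role.db_owner.name`, so the descriptions this hunk adds to them (`login username of 'user' user`, `login username of 'viewer' user`) document a value the outputs do not produce: a caller pairing `user_username` with `user_password` receives the owner's login name, and the reduced-privilege roles this module creates become hard to use as intended. Those value lines are pre-existing context, but since the commit is documenting these outputs it is the moment to change them to `value = postgresql_role.db_user.name` and `value = postgresql_role.db_viewer.name`, matching the `postgresql_role.db_user` and `postgresql_role.db_viewer` resources listed in the README hunk of this same commit. Two smaller points in the same hunk: `output "port"` hard-codes `5432` while `host` is read from the data source, so `value = data.aws_db_instance.shared.port` would keep the pair consistent, and `host` returns `address`, a hostname rather than a URL, so the new description reads better as `hostname of RDS postgresql database`.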