125 - terraform docs: database, cicd-integration

terraform/modules/cicd_integration/README.md

@@ -1,4 +1,12 @@
 <!-- BEGIN_TF_DOCS -->
+# cicd-integration
+
+This module sets up permissions for GitHub actions to perform actions within
+AWS, without the use of an IAM access key. With this module set up on a project,
+
+Once this module is set up in a project, jobs can use the `aws-actions/configure-aws-credentials`
+step with `role-to-assume` as `arn:aws:iam::035866691871:role/incubator-cicd-(project name)`
+
 ## Requirements
 
 No requirements.
@@ -19,18 +27,17 @@ No modules.
 |------|------|
 | [aws_iam_role.builder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | n/a | `string` | n/a | yes |
-| <a name="input_repository_name"></a> [repository\_name](#input\_repository\_name) | n/a | `string` | n/a | yes |
+| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | HfLA project name (vrms, home-unite-us, etc) | `string` | n/a | yes |
+| <a name="input_repository_name"></a> [repository\_name](#input\_repository\_name) | GitHub repository name, without any organizations or prefix - for example, `HomeUniteUs` | `string` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | n/a |
+| <a name="output_role_name"></a> [role\_name](#output\_role\_name) | IAM role name that will be assumed by GitHub actions when running |
 <!-- END_TF_DOCS -->

terraform/modules/cicd_integration/main.tf

@@ -1,3 +1,14 @@
+/**
+ * # cicd-integration
+ *
+ * This module sets up permissions for GitHub actions to perform actions within
+ * AWS, without the use of an IAM access key. With this module set up on a project,
+ * 
+ * Once this module is set up in a project, jobs can use the `aws-actions/configure-aws-credentials`
+ * step with `role-to-assume` as `arn:aws:iam::035866691871:role/incubator-cicd-(project name)`
+ */
+
+// terraform-docs-ignore
 data "aws_caller_identity" "current" {}
 
 resource "aws_iam_role" "builder" {

terraform/modules/cicd_integration/variables.tf

@@ -1,11 +1,14 @@
 variable "project_name" {
   type = string
+  description = "HfLA project name (vrms, home-unite-us, etc)"
 }
 
 variable "repository_name" {
   type = string
+  description = "GitHub repository name, without any organizations or prefix - for example, `HomeUniteUs`"
 }
 
 output "role_name" {
   value = aws_iam_role.builder.name
+  description = "IAM role name that will be assumed by GitHub actions when running"
 }

terraform/modules/container/README.md

@@ -35,7 +35,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_host_urls"></a> [additional\_host\_urls](#input\_additional\_host\_urls) | n/a | `list(string)` | `[]` | no |
 | <a name="input_application_type"></a> [application\_type](#input\_application\_type) | defines what type of application is running, fullstack, client, backend, etc. will be used for cloudwatch logs | `string` | n/a | yes |
-| <a name="input_container_cpu"></a> [container\_cpu](#input\_container\_cpu) | n/a | `number` | `512` | no |
+| <a name="input_container_cpu"></a> [container\_cpu](#input\_container\_cpu) | n/a | `number` | `256` | no |
 | <a name="input_container_environment"></a> [container\_environment](#input\_container\_environment) | n/a | <pre>list(object({<br/>    name = string<br/>    value = string<br/>  }))</pre> | n/a | yes |
 | <a name="input_container_environment_secrets"></a> [container\_environment\_secrets](#input\_container\_environment\_secrets) | n/a | <pre>list(object({<br/>    name = string<br/>    valueFrom = string<br/>  }))</pre> | `[]` | no |
 | <a name="input_container_image"></a> [container\_image](#input\_container\_image) | n/a | `string` | n/a | yes |
@@ -44,6 +44,7 @@ No modules.
 | <a name="input_environment"></a> [environment](#input\_environment) | n/a | `string` | n/a | yes |
 | <a name="input_health_check_path"></a> [health\_check\_path](#input\_health\_check\_path) | n/a | `string` | `"/"` | no |
 | <a name="input_hostname"></a> [hostname](#input\_hostname) | n/a | `string` | n/a | yes |
+| <a name="input_launch_type"></a> [launch\_type](#input\_launch\_type) | n/a | `string` | `"fargate"` | no |
 | <a name="input_listener_priority"></a> [listener\_priority](#input\_listener\_priority) | n/a | `number` | n/a | yes |
 | <a name="input_path"></a> [path](#input\_path) | n/a | `string` | `null` | no |
 | <a name="input_project_name"></a> [project\_name](#input\_project\_name) | The overall name of the project using this infrastructure; used to group related resources by | `any` | n/a | yes |

terraform/modules/database/README.md

@@ -1,4 +1,19 @@
 <!-- BEGIN_TF_DOCS -->
+# database
+
+Creates a database on a shared RDS posgresql instance. The name of the
+created database has the format `project-name_application-type_environment`.
+For example, for the production backend database of vrms, the created
+database name will be `vrms_backend_production`.
+
+This module also creates three posgresql users:
+1. viewer - read (SELECT) access
+1. user - read/write (SELECT, INSERT, UPDATE, DELETE) access
+1. owner - admin access (databse owner)
+
+The credentials get stored as secrets (SSM parameters). The ARNs of those
+parameters are output variables, listed below
+
 ## Requirements
 
 | Name | Version |
@@ -9,7 +24,6 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
 | <a name="provider_postgresql"></a> [postgresql](#provider\_postgresql) | 1.25.0 |
 
 ## Modules
@@ -33,30 +47,29 @@
 | [postgresql_role.db_owner](https://registry.terraform.io/providers/cyrilgdn/postgresql/1.25.0/docs/resources/role) | resource |
 | [postgresql_role.db_user](https://registry.terraform.io/providers/cyrilgdn/postgresql/1.25.0/docs/resources/role) | resource |
 | [postgresql_role.db_viewer](https://registry.terraform.io/providers/cyrilgdn/postgresql/1.25.0/docs/resources/role) | resource |
-| [aws_db_instance.shared](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/db_instance) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_application_type"></a> [application\_type](#input\_application\_type) | n/a | `string` | n/a | yes |
-| <a name="input_environment"></a> [environment](#input\_environment) | n/a | `string` | n/a | yes |
-| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | n/a | `string` | n/a | yes |
+| <a name="input_application_type"></a> [application\_type](#input\_application\_type) | frontend, backend, or fullstack | `string` | n/a | yes |
+| <a name="input_environment"></a> [environment](#input\_environment) | what environment this is for - staging, production, etc | `string` | n/a | yes |
+| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | HfLA project name (vrms, home-unite-us, etc) | `string` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_database"></a> [database](#output\_database) | n/a |
-| <a name="output_host"></a> [host](#output\_host) | n/a |
-| <a name="output_owner_password"></a> [owner\_password](#output\_owner\_password) | n/a |
-| <a name="output_owner_password_arn"></a> [owner\_password\_arn](#output\_owner\_password\_arn) | n/a |
-| <a name="output_owner_username"></a> [owner\_username](#output\_owner\_username) | n/a |
-| <a name="output_port"></a> [port](#output\_port) | n/a |
-| <a name="output_user_password"></a> [user\_password](#output\_user\_password) | n/a |
-| <a name="output_user_password_arn"></a> [user\_password\_arn](#output\_user\_password\_arn) | n/a |
-| <a name="output_user_username"></a> [user\_username](#output\_user\_username) | n/a |
-| <a name="output_viewer_password"></a> [viewer\_password](#output\_viewer\_password) | n/a |
-| <a name="output_viewer_password_arn"></a> [viewer\_password\_arn](#output\_viewer\_password\_arn) | n/a |
-| <a name="output_viewer_username"></a> [viewer\_username](#output\_viewer\_username) | n/a |
+| <a name="output_database"></a> [database](#output\_database) | name of created postgresql database |
+| <a name="output_host"></a> [host](#output\_host) | hostname URL of RDS postgresql database |
+| <a name="output_owner_password"></a> [owner\_password](#output\_owner\_password) | 'owner' user password credential |
+| <a name="output_owner_password_arn"></a> [owner\_password\_arn](#output\_owner\_password\_arn) | SSM parameter ARN of password for 'owner' user |
+| <a name="output_owner_username"></a> [owner\_username](#output\_owner\_username) | login username of 'owner' user |
+| <a name="output_port"></a> [port](#output\_port) | running port of RDS postgresql database |
+| <a name="output_user_password"></a> [user\_password](#output\_user\_password) | 'user' user password credential |
+| <a name="output_user_password_arn"></a> [user\_password\_arn](#output\_user\_password\_arn) | SSM parameter ARN of password for 'user' user |
+| <a name="output_user_username"></a> [user\_username](#output\_user\_username) | login username of 'user' user |
+| <a name="output_viewer_password"></a> [viewer\_password](#output\_viewer\_password) | 'viewer' user password credential |
+| <a name="output_viewer_password_arn"></a> [viewer\_password\_arn](#output\_viewer\_password\_arn) | SSM parameter ARN of password for 'viewer' user |
+| <a name="output_viewer_username"></a> [viewer\_username](#output\_viewer\_username) | login username of 'viewer' user |
 <!-- END_TF_DOCS -->    

terraform/modules/database/main.tf

@@ -1,13 +1,26 @@
-
-
+/**
+ * # database
+ *
+ * Creates a database on a shared RDS posgresql instance. The name of the 
+ * created database has the format `project-name_application-type_environment`.
+ * For example, for the production backend database of vrms, the created
+ * database name will be `vrms_backend_production`.
+ *
+ * This module also creates three posgresql users:
+ * 1. viewer - read (SELECT) access
+ * 1. user - read/write (SELECT, INSERT, UPDATE, DELETE) access
+ * 1. owner - admin access (databse owner)
+ *
+ * The credentials get stored as secrets (SSM parameters). The ARNs of those
+ * parameters are output variables, listed below
+ */
+
+// terraform-docs-ignore
 data "aws_db_instance" "shared" {
   db_instance_identifier = "incubator-prod-database"
 }
 
 
-# "rds_dbowner_password"
-# "rds_dbuser_password"
-# "rds_dbviewer_password"
 
 
 /*
@@ -65,11 +78,11 @@ resource "postgresql_role" "db_viewer" {
   password = module.db_viewer_password.value
 }
 
+
 /*
 * Usernames stored as secrets
 */ 
 
-
 module "db_owner_username" {
   source = "../secret"
   application_type = var.application_type
@@ -99,9 +112,11 @@ module "db_viewer_username" {
   name = "db-viewer-username"
 }
 
+
 /*
 *  Postgres Grants - apply permissions to generated roles
 */
+
 resource "postgresql_grant" "user" {
   database    = postgresql_database.db.name
   role        = postgresql_role.db_user.name
@@ -119,7 +134,6 @@ resource "postgresql_grant" "viewer" {
 }
 
 
-
 /*
 * Postgres DB, using generated owner
 */

terraform/modules/database/variables.tf

@@ -1,65 +1,80 @@
 variable "project_name" {
   type = string
+  description = "HfLA project name (vrms, home-unite-us, etc)"
 }
 
 variable "application_type" {
   type = string
+  description = "frontend, backend, or fullstack"
 }
 
 variable "environment" {
   type = string
+  description = "what environment this is for - staging, production, etc"
 }
 
 
 
 
 output "host" {
   value = data.aws_db_instance.shared.address
+  description = "hostname URL of RDS postgresql database"
 }
 
 output "port" {
   value = 5432
+  description = "running port of RDS postgresql database"
 }
 
 output "database" {
   value = postgresql_database.db.name
+  description = "name of created postgresql database"
 }
 
 output "owner_username" {
   value = postgresql_role.db_owner.name
+  description = "login username of 'owner' user"
 }
 
 output "user_username" {
   value = postgresql_role.db_owner.name
+  description = "login username of 'user' user"
 }
 
 output "viewer_username" {
   value = postgresql_role.db_owner.name
+  description = "login username of 'viewer' user"
 }
 
 output "owner_password_arn" {
   value = module.db_owner_password.arn
+  description = "SSM parameter ARN of password for 'owner' user"
 }
 
 output "user_password_arn" {
   value = module.db_user_password.arn
+  description = "SSM parameter ARN of password for 'user' user"
 }
 
 output "viewer_password_arn" {
   value = module.db_viewer_password.arn
+  description = "SSM parameter ARN of password for 'viewer' user"
 }
 
 output "owner_password" {
   value = module.db_owner_password.value
   sensitive = true
+  description = "'owner' user password credential"
 }
 
 output "user_password" {
   value = module.db_user_password.value
   sensitive = true
+  description = "'user' user password credential"
 }
 
 output "viewer_password" {
   value = module.db_viewer_password.value
   sensitive = true
+  description = "'viewer' user password credential"
 }