Add mkdocs docs and mermaid diagrams

Huzefaaa2 · Huzefaaa2 · commit 2e756720598f · 2026-01-27T08:24:08.000+05:30
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,38 @@
+name: terraform-deploy
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "Target environment (dev/test/prod)"
+        required: true
+        default: "dev"
+      working_dir:
+        description: "Terraform root directory"
+        required: true
+        default: "examples/single-region"
+
+permissions:
+  contents: read
+
+jobs:
+  plan-apply:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.6.6"
+      - name: Terraform init
+        run: |
+          cd "${{ inputs.working_dir }}"
+          terraform init -input=false
+      - name: Terraform plan
+        run: |
+          cd "${{ inputs.working_dir }}"
+          terraform plan -out=tfplan
+      - name: Terraform apply
+        run: |
+          cd "${{ inputs.working_dir }}"
+          terraform apply -input=false tfplan
diff --git a/README.md b/README.md
@@ -35,9 +35,46 @@ Many Apigee Terraform examples are either low-level or incomplete for enterprise
 
 ## Architecture diagrams
 
-- **Single-region production**: `diagrams/png/apigee-single-region.png`
-- **Multi-region HA**: `diagrams/png/apigee-multi-region-ha.png`
-- **CI/CD + Policy**: `diagrams/png/apigee-cicd-policy.png`
+Mermaid renders (colorful by default):
+
+```mermaid
+%%{init: {"theme":"base","themeVariables":{"primaryColor":"#D9F0FF","primaryTextColor":"#0F172A","secondaryColor":"#FFE1D6","tertiaryColor":"#E6FFFA","lineColor":"#334155","fontFamily":"Inter, ui-sans-serif, system-ui"}}}%%
+flowchart LR
+  User((Client)) -->|HTTPS| Edge[Public DNS / Cert]
+  Edge -->|Private / Controlled| LB[Ingress (ILB / Gateway Pattern)]
+  LB --> Apigee[Apigee X Runtime]
+  Apigee -->|mTLS / Private| PSC[Private Service Connect]
+  PSC --> Backends[(GCP Services / Private Backends)]
+  Apigee --> Logs[Cloud Logging]
+  Apigee --> Mon[Cloud Monitoring]
+```
+
+```mermaid
+%%{init: {"theme":"base","themeVariables":{"primaryColor":"#E0F2FE","primaryTextColor":"#0F172A","secondaryColor":"#FCE7F3","tertiaryColor":"#ECFCCB","lineColor":"#334155","fontFamily":"Inter, ui-sans-serif, system-ui"}}}%%
+flowchart LR
+  User((Client)) --> DNS[Global DNS / Traffic Policy]
+  DNS --> R1[Region A Ingress]
+  DNS --> R2[Region B Ingress]
+  R1 --> A[Apigee X Instance A]
+  R2 --> B[Apigee X Instance B]
+  A --> Backends[(Private Backends)]
+  B --> Backends
+  A --> Obs[Central Observability]
+  B --> Obs
+```
+
+```mermaid
+%%{init: {"theme":"base","themeVariables":{"primaryColor":"#DCFCE7","primaryTextColor":"#0F172A","secondaryColor":"#FEF3C7","tertiaryColor":"#EDE9FE","lineColor":"#334155","fontFamily":"Inter, ui-sans-serif, system-ui"}}}%%
+flowchart LR
+  Dev[Developer] --> PR[Pull Request]
+  PR --> CI[CI: fmt/validate/security]
+  CI -->|pass| Plan[Terraform Plan]
+  Plan --> Review[Approval Gate]
+  Review --> Apply[Terraform Apply]
+  Apply --> Drift[Scheduled Drift Detection]
+  CI --> Policy[OPA/Conftest Policy Set]
+  Policy --> CI
+```
 
 Mermaid sources:
 - `diagrams/mermaid/apigee-single-region.mmd`
@@ -60,6 +97,11 @@ Deploy to GitHub Pages:
 mkdocs gh-deploy --force
 ```
 
+Suggested reading order:
+
+- `docs/index.md`
+- `docs/13-implementation.md`
+
 ---
 
 ## Repository layout
diff --git a/diagrams/png/apigee-cicd-policy.png b/diagrams/png/apigee-cicd-policy.png
diff --git a/diagrams/png/apigee-multi-region-ha.png b/diagrams/png/apigee-multi-region-ha.png
diff --git a/diagrams/png/apigee-single-region.png b/diagrams/png/apigee-single-region.png
diff --git a/docs/12-ci-cd.md b/docs/12-ci-cd.md
@@ -6,6 +6,8 @@ This repo includes copy-paste templates for enterprise pipelines.
 
 Template:
 - `ci-templates/github-actions.yml`
+Deploy workflow (manual):
+- `.github/workflows/deploy.yml`
 
 Stages:
 - fmt
diff --git a/docs/13-implementation.md b/docs/13-implementation.md
@@ -0,0 +1,133 @@
+# Implementation Guide (Enterprise)
+
+This guide explains why the stack exists, what each component does, why enterprises adopt this pattern, and the step-by-step implementation flow.
+
+## Why this stack is required
+
+Enterprises adopting Apigee X face the same problems:
+
+- Platform setup is fragmented across scripts, consoles, and partial Terraform examples.
+- Networking prerequisites and service networking peering are easy to misconfigure.
+- Security teams require least-privilege IAM, auditability, and CMEK where available.
+- Platform teams need consistent, repeatable rollouts across dev/test/prod.
+
+This stack addresses those issues by providing a single, opinionated baseline that is:
+
+- Secure-by-default
+- Repeatable across environments
+- Clear about dependencies and ordering
+- Compatible with Stacks or plain Terraform
+
+## What it does (component by component)
+
+### Networking
+
+- Enables required APIs for Apigee and Service Networking.
+- Creates a dedicated VPC for Apigee (or can be adapted for Shared VPC).
+- Reserves a peering range and establishes the Service Networking connection.
+
+### Apigee Organization
+
+- Creates the Apigee org bound to the GCP project.
+- Connects the org to the authorized network (VPC peering) for runtime.
+- Optionally sets CMEK for org runtime DB encryption.
+
+### Instances (runtime)
+
+- Creates Apigee runtime instances in one or more regions.
+- Optionally configures instance-level CMEK.
+
+### Environments and Attachments
+
+- Creates Apigee environments (dev/test/prod).
+- Attaches environments to one or more runtime instances.
+
+### Envgroups and Attachments
+
+- Creates envgroups with hostnames.
+- Attaches environments to envgroups to expose APIs.
+
+### IAM
+
+- Creates service accounts used by platform automation.
+- Binds project-level roles (least privilege by default).
+
+### KMS (CMEK)
+
+- Creates KMS key ring and crypto keys.
+- Optionally binds IAM to allow Apigee to use keys.
+
+## Why enterprises adopt this
+
+- **Compliance:** CMEK support and policy-as-code are mandatory for regulated industries.
+- **Governance:** Stacks and CI pipelines centralize approval gates and drift detection.
+- **Repeatability:** Standard patterns reduce on-call incidents and migration risk.
+- **Security:** Private ingress + least privilege IAM reduces attack surface.
+
+## Step-by-step implementation
+
+### 1) Decide deployment model
+
+- Use **Modules** for local runs and CI pipelines.
+- Use **Stacks** for multi-environment orchestration in Terraform Cloud/Enterprise.
+
+### 2) Select an example
+
+Single-region (recommended first):
+
+```
+cd examples/single-region
+cp terraform.tfvars.example terraform.tfvars
+```
+
+Multi-region HA:
+
+```
+cd examples/multi-region-ha
+cp terraform.tfvars.example terraform.tfvars
+```
+
+### 3) Configure required inputs
+
+- `project_id`, `region`, `analytics_region`
+- `network_name`, `peering_prefix_length`
+- `instance_name` or `primary_instance_name`/`secondary_instance_name`
+- `envgroup_hostnames`
+
+Optional (enterprise):
+
+- KMS key ring + crypto keys
+- IAM service accounts and project roles
+
+### 4) Run Terraform
+
+```
+terraform init
+terraform plan
+terraform apply
+```
+
+### 5) Validate outcomes
+
+- Apigee org exists and is bound to the VPC
+- Instances are active in the target regions
+- Environments are attached to instances
+- Envgroups are created and bound to hostnames
+
+### 6) Extend with runtime stack
+
+- Implement ingress, DNS, and observability in `stacks/runtime/components/*`.
+- Attach ingress to envgroups/hostnames.
+
+## Common pitfalls
+
+- Missing APIs (enable `apigee.googleapis.com` and `servicenetworking.googleapis.com`).
+- VPC peering range conflicts.
+- Missing IAM bindings for CMEK usage.
+- Incorrect attachment ordering (envs must exist before attachments).
+
+## Recommended next steps
+
+- Add CI pipelines (GitHub Actions or GitLab) using templates in `ci-templates/`.
+- Add policy gates with Conftest/OPA.
+- Split state per environment to reduce blast radius.
diff --git a/docs/index.md b/docs/index.md
@@ -32,6 +32,7 @@ Day-2 guides:
 - [Multi-Environment Strategy](10-multi-env.md)
 - [Security Posture](11-security-posture.md)
 - [CI/CD Templates](12-ci-cd.md)
+- [Implementation Guide](13-implementation.md)
 
 ## Reference architectures
 
@@ -41,7 +42,6 @@ Day-2 guides:
 ## Diagrams
 
 - Mermaid sources: [`/diagrams/mermaid`](../diagrams/mermaid)
-- PNG exports: [`/diagrams/png`](../diagrams/png)
 
 ## What gets deployed (core)
 
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -17,6 +17,7 @@ nav:
   - Multi-Environment Strategy: 10-multi-env.md
   - Security Posture: 11-security-posture.md
   - CI/CD Templates: 12-ci-cd.md
+  - Implementation Guide: 13-implementation.md
 
 theme:
   name: readthedocs
