docs: update terraform documentation for #432

.github/release-drafter.yml

@@ -11,7 +11,9 @@ categories:
       - 'bugfix'
       - 'bug'
   - title: 'Maintenance'
-    label: 'chore'
+    labels: 
+      - 'chore'
+      - 'documentation'
   - title: 'Dependencies'
     label: 'dependencies'
 change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
@@ -32,6 +34,7 @@ version-resolver:
       - 'chore'
       - 'dependencies'
       - 'enhancement'
+      - 'documentation'
   default: patch
 template: |
   ## Changes

.github/workflows/enforce-pr-labels.yaml

@@ -13,7 +13,7 @@ jobs:
         with:
           script: |
             const requiredLabels = [
-              'feature', 'enhancement', 'fix', 'bugfix', 'bug', 'chore', 'dependencies', 'major', 'minor', 'patch'
+              'feature', 'enhancement', 'documentation','fix', 'bugfix', 'bug', 'chore', 'dependencies', 'major', 'minor', 'patch'
             ];
             const prLabels = context.payload.pull_request.labels.map(label => label.name);
             const hasRequiredLabel = prLabels.some(label => requiredLabels.includes(label));

.github/workflows/terraform-docs.yml

@@ -0,0 +1,67 @@
+name: Generate terraform docs
+on:
+  pull_request:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    - name: Install Task
+      uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0
+      with:
+        version: '3.43.3'
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Generate Terraform docs
+      run: task docs
+
+    - name: Create or update PR
+      if: success()
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      with:
+        script: |
+          const sourcePR = context.payload.pull_request;
+          const branchName = `docs/${sourcePR.head.ref}`;
+
+          // Configure git
+          await exec.exec('git', ['config', '--local', 'user.name', 'GitHub Action']);
+          await exec.exec('git', ['config', '--local', 'user.email', 'action@github.com']);
+
+          // Create or update branch
+          await exec.exec('git', ['checkout', '-B', branchName]);
+          await exec.exec('git', ['add', 'docs/terraform/']);
+
+          const { stdout: diffOutput } = await exec.exec('git', ['diff', '--staged', '--quiet'], { ignoreReturnCode: true });
+          if (diffOutput !== '') {
+            await exec.exec('git', ['commit', '-m', `docs: update terraform documentation for #${sourcePR.number}`]);
+            await exec.exec('git', ['push', '-f', 'origin', branchName]);
+
+            // Create PR if it doesn't exist
+            const { data: existingPRs } = await github.rest.pulls.list({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              head: `${context.repo.owner}:${branchName}`,
+              base: 'main'
+            });
+
+            if (existingPRs.length === 0) {
+              await github.rest.pulls.create({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                title: `docs: update terraform documentation for #${sourcePR.number}`,
+                body: `Automated documentation update for PR #${sourcePR.number}: ${sourcePR.title}\n\n${sourcePR.html_url}`,
+                head: branchName,
+                base: 'main',
+                labels: ['documentation']
+              });
+            }
+          } else {
+            console.log('No changes to commit');
+          } 

Taskfile.yaml

@@ -24,4 +24,20 @@ tasks:
   fmt:
     desc: Check Terraform formatting
     cmds:
-      - terraform fmt -recursive
+      - terraform fmt -recursive
+
+  docs:
+    desc: Generate Terraform documentation
+    cmds:
+      - rm -rf docs/terraform/*
+      - |
+        find terraform -type d -exec test -e '{}/main.tf' -a -e '{}/variables.tf' \; -print | while read -r dir; do
+          rel_path="${dir#terraform/}"
+          output_file="docs/terraform/$rel_path/$(basename "$dir").md"
+          mkdir -p "$(dirname "$output_file")"
+          if [ -f "$dir/README.md" ]; then
+            cat "$dir/README.md" > "$output_file"
+            echo >> "$output_file"
+          fi
+          docker run --rm -v "$(pwd):/src" -w "/src/$dir" quay.io/terraform-docs/terraform-docs:0.20.0 markdown . >> "$output_file"
+        done

docs/terraform/backend/azurerm/azurerm.md

@@ -0,0 +1,46 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 4.28.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 4.28.0 |
+| <a name="provider_local"></a> [local](#provider\_local) | 2.5.3 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/4.28.0/docs/resources/resource_group) | resource |
+| [azurerm_storage_account.this](https://registry.terraform.io/providers/hashicorp/azurerm/4.28.0/docs/resources/storage_account) | resource |
+| [azurerm_storage_container.this](https://registry.terraform.io/providers/hashicorp/azurerm/4.28.0/docs/resources/storage_container) | resource |
+| [azurerm_user_assigned_identity.storage](https://registry.terraform.io/providers/hashicorp/azurerm/4.28.0/docs/resources/user_assigned_identity) | resource |
+| [local_file.backend_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_allow_public_access"></a> [allow\_public\_access](#input\_allow\_public\_access) | Allow public access to the storage account | `bool` | `true` | no |
+| <a name="input_allowed_ip_ranges"></a> [allowed\_ip\_ranges](#input\_allowed\_ip\_ranges) | List of IP ranges to allow access to the storage account | `list(string)` | `[]` | no |
+| <a name="input_container_name"></a> [container\_name](#input\_container\_name) | Name of the blob container for Terraform state | `string` | `""` | no |
+| <a name="input_context_id"></a> [context\_id](#input\_context\_id) | Context ID for the resources | `string` | n/a | yes |
+| <a name="input_context_path"></a> [context\_path](#input\_context\_path) | The path to the context folder | `string` | `""` | no |
+| <a name="input_enable_cmk"></a> [enable\_cmk](#input\_enable\_cmk) | Enable customer managed key encryption | `bool` | `false` | no |
+| <a name="input_key_vault_key_id"></a> [key\_vault\_key\_id](#input\_key\_vault\_key\_id) | The ID of the Key Vault Key to use for CMK encryption | `string` | `""` | no |
+| <a name="input_location"></a> [location](#input\_location) | Azure region where resources will be created | `string` | `"eastus2"` | no |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the resource group where the storage account will be created | `string` | `""` | no |
+| <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Name of the storage account. If not provided, a default name will be generated | `string` | `""` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags to apply to resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+No outputs.

docs/terraform/backend/s3/s3.md

@@ -0,0 +1,53 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | 5.97.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.97.0 |
+| <a name="provider_local"></a> [local](#provider\_local) | 2.5.2 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_dynamodb_table.terraform_locks](https://registry.terraform.io/providers/hashicorp/aws/5.97.0/docs/resources/dynamodb_table) | resource |
+| [aws_kms_alias.terraform_state_alias](https://registry.terraform.io/providers/hashicorp/aws/5.97.0/docs/resources/kms_alias) | resource |
+| [aws_kms_key.terraform_state](https://registry.terraform.io/providers/hashicorp/aws/5.97.0/docs/resources/kms_key) | resource |
+| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/5.97.0/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_lifecycle_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/5.97.0/docs/resources/s3_bucket_lifecycle_configuration) | resource |
+| [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/5.97.0/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/5.97.0/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/5.97.0/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/5.97.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/5.97.0/docs/resources/s3_bucket_versioning) | resource |
+| [local_file.backend_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/5.97.0/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_context_id"></a> [context\_id](#input\_context\_id) | Context ID for the resources | `string` | `null` | no |
+| <a name="input_context_path"></a> [context\_path](#input\_context\_path) | The path to the context folder | `string` | `""` | no |
+| <a name="input_enable_dynamodb"></a> [enable\_dynamodb](#input\_enable\_dynamodb) | Feature flag to enable DynamoDB table creation | `bool` | `true` | no |
+| <a name="input_enable_kms"></a> [enable\_kms](#input\_enable\_kms) | Feature flag to enable KMS encryption | `bool` | `true` | no |
+| <a name="input_kms_key_alias"></a> [kms\_key\_alias](#input\_kms\_key\_alias) | The KMS key ID for encrypting the S3 bucket | `string` | `""` | no |
+| <a name="input_kms_policy_override"></a> [kms\_policy\_override](#input\_kms\_policy\_override) | Override for the KMS policy document (for testing) | `string` | `null` | no |
+| <a name="input_region"></a> [region](#input\_region) | The AWS Region for the S3 Bucket and DynamoDB Table | `string` | `"us-east-2"` | no |
+| <a name="input_s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | The name of the S3 bucket for storing Terraform state, overrides the default bucket name | `string` | `""` | no |
+| <a name="input_s3_log_bucket_name"></a> [s3\_log\_bucket\_name](#input\_s3\_log\_bucket\_name) | Name of a pre-existing, centralized S3 logging bucket to receive access logs. Must be created outside this module. | `string` | `""` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags to apply to resources (default is empty). | `map(string)` | `{}` | no |
+| <a name="input_terraform_state_iam_roles"></a> [terraform\_state\_iam\_roles](#input\_terraform\_state\_iam\_roles) | List of IAM role ARNs that should have access to the Terraform state bucket | `list(string)` | `[]` | no |
+
+## Outputs
+
+No outputs.