[MOSIP-44628] Updated documentation and flow diagram for terraform profile based workflow#228

Open
abhishek-1809 wants to merge 11 commits into
mosip:developfrom
abhishek-1809:develop

Conversation

@abhishek-1809
Collaborator

@abhishek-1809 abhishek-1809 commented May 12, 2026

Summary by CodeRabbit

  • Documentation
    • Introduced profile-scoped Terraform state layout and naming across guides, diagrams, and examples (profile segment in state filenames/paths).
    • Added INFRA_PROFILE parameter and required Profile selection (mosip/esignet) to workflows, destruction guides, and examples.
    • Documented GH_INFRA_PAT personal access token generation, permissions, and checklist inclusion.
    • Clarified backend behavior (S3 vs local), backup/cleanup for profile-based states, noted PostgreSQL/ActiveMQ options, and expanded workflow parameter walkthroughs.

Review Change Stack

…ofile based workflow

Signed-off-by: abhishek-1809 <abhisahu1920@gmail.com>
@coderabbitai
Contributor

coderabbitai Bot commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: a3607602-fa41-4f6d-bd54-0868d904df20

📥 Commits

Reviewing files that changed from the base of the PR and between 389a4e6 and c743abd.

📒 Files selected for processing (1)
  • docs/SECRET_GENERATION_GUIDE.md

Walkthrough

This PR updates the infrastructure documentation to support profile-based Terraform state isolation across components: state file names and directory layouts now include a profile segment, an INFRA_PROFILE workflow parameter is added, GH_INFRA_PAT secret guidance is added, and the workflow, backup, cleanup, and architecture docs are revised.

Changes

Terraform State Profile Isolation Documentation

Layer: Profile-based state file naming and directory structure
Files: .github/workflows/README.md, terraform/README.md
Summary: State file naming patterns revised to include {profile} for infra components. Directory layout updated to terraform/implementations/{cloud}/profiles/{profile}/ for profile-isolated encrypted and decrypted state files.

Layer: INFRA_PROFILE parameter introduction
Files: docs/TERRAFORM_WORKFLOW_GUIDE.md, .github/workflows/README.md
Summary: New INFRA_PROFILE workflow parameter documented for isolated deployments and Terraform state separation. Multi-environment setup examples updated to include INFRA_PROFILE.

Layer: GitHub Actions workflow and Helmsman walkthroughs
Files: README.md
Summary: Main infra workflow steps updated to require Profile selection (mosip/esignet); base-infra backend behavior clarified (S3 bucket provided = remote state; bucket empty = local backend). Helmsman deployment walkthroughs expanded with profile and additional inputs.

Layer: State management backup and cleanup procedures
Files: docs/ENVIRONMENT_DESTRUCTION_GUIDE.md
Summary: State backup procedures extended to archive profile-isolated files under profiles/<profile>/terraform.tfstate*. Local cleanup commands extended to remove state files under terraform/implementations/aws/*/profiles/*/.

Layer: Architecture diagrams and module documentation
Files: docs/_images/ARCHITECTURE_DIAGRAMS.md, terraform/README.md
Summary: State isolation diagrams updated with -<profile>- segments in cloud-specific filenames and GCP object key patterns; AWS module list extended with activemq-setup/.

Layer: GH_INFRA_PAT secret guidance
Files: docs/SECRET_GENERATION_GUIDE.md, README.md
Summary: Added documentation for generating and storing a GitHub Personal Access Token (GH_INFRA_PAT) with required permissions, TOC/checklist updates, and visual guide updates showing the new repository secret.

Estimated code review effort:
🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs:

  • mosip/infra#224: Related prior changes introducing profile-scoped Terraform state file paths and decrypt/encrypt workflow behavior.

Suggested reviewers:

  • ckm007

"🐰
Profiles nest the state with care,
Filenames tidy, secrets shared,
Diagrams hop into their place,
Workflows trimmed with gentle grace,
Docs sing softly—operations spared."

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main purpose of the changeset: updating documentation and architecture diagrams to document a new terraform profile-based workflow implementation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.



Comment @coderabbitai help to get the list of available commands and usage tips.
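As an added example (not code from the mosip/infra repository or from this PR), the shell functions below derive the profile-scoped state path that the walkthrough describes and enforce the single-token profile value that the review comments ask the docs to pin down. The naming pattern {cloud}-{component}-{profile}-{branch}-terraform.tfstate, the terraform/implementations/{cloud}/profiles/{profile}/ directory, the unscoped base-infra filename and the S3-versus-local backend rule are taken from the walkthrough and the example tree quoted in the review; the function names, the fixed allow-list of mosip and esignet, and the placement of the base-infra file directly under the cloud directory are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the mosip/infra project.
# Assumed allow-list: the docs name exactly two profiles, mosip and esignet.
valid_profile() {
  case "$1" in
    mosip|esignet) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the decrypted state path for cloud/component/profile/branch.
# The encrypted copy committed to the repo is the same path with a .gpg suffix.
# A slash-separated value such as "mosip/esignet" is refused instead of
# silently creating an extra directory level under profiles/.
state_path() {
  cloud=$1; component=$2; profile=$3; branch=$4
  if [ "$component" = base-infra ]; then
    # Assumption: base infrastructure is shared by all profiles, so it keeps the
    # unscoped name directly under the cloud directory (as in the example tree).
    printf 'terraform/implementations/%s/%s-base-infra-%s-terraform.tfstate\n' \
      "$cloud" "$cloud" "$branch"
    return 0
  fi
  valid_profile "$profile" || { echo "invalid profile: '$profile'" >&2; return 1; }
  printf 'terraform/implementations/%s/profiles/%s/%s-%s-%s-%s-terraform.tfstate\n' \
    "$cloud" "$profile" "$cloud" "$component" "$profile" "$branch"
}

# Backend selection as documented for base-infra: bucket name given -> remote S3
# state; empty -> local backend.
backend_kind() {
  if [ -n "$1" ]; then echo s3; else echo local; fi
}

# Stand-alone usage (constructed inputs, hypothetical bucket name):
state_path aws infra mosip develop
state_path aws base-infra "" main
backend_kind example-tfstate-bucket
backend_kind ""
```

Rejecting an unknown or slash-containing profile up front keeps the encrypted state file exactly where the backup and cleanup commands in ENVIRONMENT_DESTRUCTION_GUIDE.md look for it (profiles/<profile>/terraform.tfstate*), so a mistyped INFRA_PROFILE fails the job instead of leaving a stray state file outside that glob.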

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (3)
.github/workflows/README.md (1)

172-190: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Profile placeholder creates ambiguity.

Line 190 states where <profile> = mosip/esignet, which suggests the profile value itself contains a forward slash. However:

  1. The directory structure profiles/<profile>/ implies <profile> is a single directory name
  2. State filenames like aws-infra-<profile>-<branch>-terraform.tfstate suggest <profile> is a single token
  3. Other documentation suggests choosing between mosip OR esignet

Recommendation: Clarify whether:

  • Profile is a single value (e.g., mosip or esignet separately), OR
  • Profile intentionally supports slash-separated paths (e.g., mosip/esignet as one value)

If it's a single value, update line 190 and similar instances to show separate examples rather than combined.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/README.md around lines 172 - 190, The docs are ambiguous
about the profile placeholder; update the README so <profile> is clearly defined
as a single token (e.g., "mosip" or "esignet") rather than "mosip/esignet":
change the example at the `where <profile> = mosip/esignet` note to show
separate examples (e.g., `where <profile> = mosip` or `where <profile> =
esignet`) and ensure surrounding references like `profiles/<profile>/` and
filenames `aws-infra-<profile>-<branch>-terraform.tfstate` reflect that
<profile> is a single directory/name, not a slash-separated path.
docs/ENVIRONMENT_DESTRUCTION_GUIDE.md (1)

48-48: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Profile format inconsistency (same issue as README.md).

This shows Profile: esignet/mosip which is inconsistent with other documentation. See the detailed comment on README.md line 844 for the full explanation and recommendation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/ENVIRONMENT_DESTRUCTION_GUIDE.md` at line 48, The "Profile:
esignet/mosip" entry in ENVIRONMENT_DESTRUCTION_GUIDE.md uses a different
profile format than the rest of the docs; update this line to match the
canonical profile format used elsewhere (as noted in README.md) by replacing
"Profile: esignet/mosip" with the standardized profile syntax (use the same
casing, delimiter and structure as the README.md recommendation) so
documentation is consistent across files.
terraform/README.md (1)

293-330: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Profile placeholder ambiguity (same issue as other files).

Lines 307 and 330 state where <profile> = mosip/esignet, creating the same ambiguity noted in other files. See the detailed comment on .github/workflows/README.md lines 172-190 for full explanation.

Additionally, line 323 is missing a language identifier for the fenced code block (markdown linting issue MD040).

🔧 Fix for markdown linting issue
 
 Examples:
+```
 ├── aws-base-infra-main-terraform.tfstate.gpg # Production base infrastructure
 ├── profiles/<profile>/aws-infra-<profile>-staging-terraform.tfstate.gpg # Staging MOSIP cluster 
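Review bot: the suggested fix adds a bare ``` on the `+` line with no language identifier, so if it is the opening fence it does not resolve MD040, the rule this comment cites; the agent prompt for the same comment already suggests ```text or ```bash, and the suggested hunk should use one of those. The `# Staging MOSIP cluster ` context line also ends in a trailing space, which markdown linters flag separately (MD009) and which is worth trimming in the same edit.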
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@terraform/README.md` around lines 293 - 330, Replace the ambiguous
placeholder text "where <profile> = mosip/esignet" with an explicit explanation
such as "where <profile> can be either 'mosip' or 'esignet'" in both occurrences
(the two README paragraphs that reference profile values) and add a language
identifier to the fenced code block that shows example state filenames (e.g.,
change the opening backticks to ```text or ```bash) so markdown linting MD040 is
satisfied; update the example block and both profile notes (`where <profile>
...`) accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Around line 844-854: The "Profile" field is documented inconsistently; update
the README's Profile section (the "Profile" bullet) to clearly show it expects a
single value (either "mosip" or "esignet") using a consistent choice notation
like "Profile: <select one: mosip | esignet>" and replace other variants such as
"esignet / mosip", "esignet/mosip", and "INFRA_PROFILE: mosip/esignet" with the
same single-value examples or explicit choice notation; ensure references to
state naming "{cloud}-{component}-{profile}-{branch}" and the
ENVIRONMENT_DESTRUCTION_GUIDE and INFRA_PROFILE examples all use the
single-value format so users understand to pass only "mosip" or "esignet".


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 729a6f7a-3ca9-4cf9-bf0d-58e521e30e9c

📥 Commits

Reviewing files that changed from the base of the PR and between dd9cc42 and 07fb882.

⛔ Files ignored due to path filters (2)
  • docs/_images/infra-terraform-apply.png is excluded by !**/*.png
  • docs/_images/infra-terraform-destroy.png is excluded by !**/*.png
📒 Files selected for processing (6)
  • .github/workflows/README.md
  • README.md
  • docs/ENVIRONMENT_DESTRUCTION_GUIDE.md
  • docs/TERRAFORM_WORKFLOW_GUIDE.md
  • docs/_images/ARCHITECTURE_DIAGRAMS.md
  • terraform/README.md

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Around line 208-219: The README documents GH_INFRA_PAT but the Step 2
"Configure GitHub Secrets" actionable list omits it; update the Step 2 secrets
list to include GH_INFRA_PAT with a short note about its required scopes
(Contents: Read & write, Metadata: Read, Actions/Environments/Variables: Read &
write) and a brief pointer that it is a GitHub Personal Access Token
(fine-grained) used for repository operations; locate the Step 2 section and add
GH_INFRA_PAT alongside the other secret names so copy-paste setup instructions
and any examples reference this variable.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 342d06c2-7d29-471b-8c86-2cff2918425d

📥 Commits

Reviewing files that changed from the base of the PR and between 07fb882 and 49d8228.

📒 Files selected for processing (2)
  • README.md
  • docs/SECRET_GENERATION_GUIDE.md

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/SECRET_GENERATION_GUIDE.md`:
- Line 308: Update the permission label wording in the string that currently
reads "- **Contents**: Read and write *(critical, Read only causes 403 on
push)*" so the parenthetical uses the hyphenated form "Read-only" (i.e., change
"Read only causes 403 on push" to "Read-only causes 403 on push") within
SECRET_GENERATION_GUIDE.md to keep the permission label consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 83a5a6be-127b-4f7c-b108-fa2ab22cf018

📥 Commits

Reviewing files that changed from the base of the PR and between 49d8228 and 389a4e6.

⛔ Files ignored due to path filters (3)
  • docs/_images/esignet.png is excluded by !**/*.png
  • docs/_images/helmsman-external-services.png is excluded by !**/*.png
  • docs/_images/helmsman-testrigs.png is excluded by !**/*.png
📒 Files selected for processing (3)
  • README.md
  • docs/ENVIRONMENT_DESTRUCTION_GUIDE.md
  • docs/SECRET_GENERATION_GUIDE.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • docs/ENVIRONMENT_DESTRUCTION_GUIDE.md
